Unpacking PESpin V0.7 (End)


[Target]: Notepad from Win98, and a MASM program I wrote off the cuff

[Tools]: OllyDbg 1.1

[Task]: Finish the unpacking and the repair left over from the previous article

[Platform]: WinXP Pro SP1

[Author]: loveboom [dfcg] [fcg]

[Related Links]: See the attachment

[Summary]: Last time only half of the work was done, so this time the task is to finish unpacking "her", that is, the repair.

[Detailed Procedure]:

Last time I explained how to reach the key code, so I won't repeat it here; if you haven't read it, go and look at my previous article. Following the previous article, we reach the key code (the program this time is different from last time, but the key code is the same). Break on LoadLibraryA and we arrive here:

[Code]
0040C887  60             PUSHAD                     ; finally here
0040C888  EB 04          JMP SHORT VC.0040C88E
0040C88A  CB             RETF                       ; far return
0040C88B  EB 04          JMP SHORT VC.0040C891
[/Code]

Now clear away a bit of junk code; after cleaning up, the code here looks like this:

[Code]
0040C918  8BBD 792B4000  MOV EDI,DWORD PTR SS:[EBP+402B79]
0040C91E  3BC7           CMP EAX,EDI
0040C920  76 35          JBE SHORT VC.0040C957      ; once you find this, change it to an unconditional JMP XXXX
0040C922  03BD 7D2B4000  ADD EDI,DWORD PTR SS:[EBP+402B7D]
......
0040C950  50             PUSH EAX
0040C951  FF95 C4394000  CALL DWORD PTR SS:[EBP+4039C4]
0040C957  EB 01          JMP SHORT VC.0040C95A
0040C959  90             NOP
0040C95A  894424 1C      MOV DWORD PTR SS:[ESP+1C],EAX ; change this to MOV SS:[EDX],EAX so the correct function address is stored
0040C95E  61             POPAD
[/Code]

After all of the changes above, pay attention: there are now two cases, corresponding to VC/Delphi and to MASM (I won't discuss VB; it is quite simple and needs no changes beyond the ones above). Let's look at the VC/Delphi case first:

The first RET is not far below; you will see it.

VC/Delphi solution:

[Code]
0040C962  0BC0           OR EAX,EAX
0040C964  C3             RETN                       ; this is the RET
0040C965  EB 01          JMP SHORT VC.0040C968
0040C967  90             NOP
0040C968  57             PUSH EDI
0040C969  51             PUSH ECX
0040C96A  90             NOP
0040C96B  90             NOP
0040C96C  90             NOP
0040C96D  90             NOP
0040C96E  90             NOP
0040C96F  90             NOP
0040C970  90             NOP
0040C971  90             NOP
0040C972  90             NOP
0040C973  BF 4FE24000    MOV EDI,VC.0040E24F
0040C978  EB 01          JMP SHORT VC.0040C97B
0040C97A  90             NOP
0040C97B  B9 7F020000    MOV ECX,27F
0040C980  EB 01          JMP SHORT VC.0040C983
0040C982  90             NOP
0040C983  3917           CMP DWORD PTR DS:[EDI],EDX
0040C985  74 0A          JE SHORT VC.0040C991
0040C987  47             INC EDI
0040C988  E2 F9          LOOPD SHORT VC.0040C983
0040C98A  EB 01          JMP SHORT VC.0040C98D
0040C98C  90             NOP
0040C98D  8902           MOV DWORD PTR DS:[EDX],EAX ; this is where the write is done, so you have to NOP it
0040C98F  EB 25          JMP SHORT VC.0040C9B6
0040C991  90             NOP
0040C992  90             NOP
0040C993  90             NOP
0040C994  90             NOP
0040C995  90             NOP
0040C996  90             NOP
0040C997  90             NOP
0040C998  90             NOP
0040C999  90             NOP
0040C99A  807F FF 00     CMP BYTE PTR DS:[EDI-1],0
0040C99E  74 11          JE SHORT VC.0040C9B1
0040C9A0  807F FF E9     CMP BYTE PTR DS:[EDI-1],0E9 ; this test decides whether the program is MASM
0040C9A4  75 E7          JNZ SHORT VC.0040C98D
0040C9A6  83C7 04        ADD EDI,4
0040C9A9  2BC7           SUB EAX,EDI
0040C9AB  8947 FC        MOV DWORD PTR DS:[EDI-4],EAX
0040C9AE  EB 06          JMP SHORT VC.0040C9B6
0040C9B0  90             NOP                        ; junk (flower) instruction, NOP
0040C9B1  8907           MOV DWORD PTR DS:[EDI],EAX ; the VC/Delphi case of the program; this is the most important one
0040C9B3  EB 01          JMP SHORT VC.0040C9B6
0040C9B5  90             NOP
0040C9B6  59             POP ECX
[/Code]

After a lot of tracing it turns out that every jump into the IAT lands on the real IAT location, so we have to find a way to change that. Run to 0040C9B1: at this point EDI is the shell's IAT slot and EDX is the real IAT entry.

With this information in hand the rest is much easier: turn 0040C9B1 into a jump to an unused area and write our own code there. I found free space at 4113F0; after locating it, change the code at 0040C9B1 to:

[Code]
0040C9B1  E9 3A4A0000    JMP VC.004113F0
[/Code]

Then write a few lines of code at 4113F0:

[Code]
004113F0  60             PUSHAD
004113F1  9C             PUSHFD
004113F2  BB 00104000    MOV EBX,VC.00401000        ; CodeBase
004113F7  B9 00400000    MOV ECX,4000               ; CodeSize
004113FC  8B13           MOV EDX,DWORD PTR DS:[EBX]
004113FE  3BD7           CMP EDX,EDI
00411400  75 0C          JNZ SHORT VC.0041140E
00411402  8B17           MOV EDX,DWORD PTR DS:[EDI]
00411404  8913           MOV DWORD PTR DS:[EBX],EDX
00411406  83C3 04        ADD EBX,4
00411409  83E9 03        SUB ECX,3
0041140C  EB 03          JMP SHORT VC.00411411
0041140E  83C3 01        ADD EBX,1
00411411  E2 E9          LOOPD SHORT VC.004113FC
00411413  9D             POPFD
00411414  61             POPAD
00411415  E9 9CB5FFFF    JMP VC.0040C9B6            ; after the search, go back to where we came from
[/Code]
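The loop at 4113F0, modelled in Python as an added example (this is not the article's code): it walks a code buffer one byte at a time exactly as the shell-side loop does, replaces every DWORD equal to the shell IAT slot with the real IAT entry, and additionally reports any patched position that is not the operand of a CALL/JMP DWORD PTR, because a byte-granular sweep cannot tell an IAT reference from an immediate that merely holds the same value. The slot pair 0040E319 to 004063E4 comes from the article's stolen-code listing; the second slot pair, the code base 00401000 and the sample code bytes are constructed for the example.

```python
import struct

# Constructed sample values. 0040E319 -> 004063E4 is the pair the article shows
# (CALL DWORD PTR [40E319] should really be CALL DWORD PTR [4063E4]); the
# second pair, the code base and the code bytes are made up for this example.
CODE_BASE = 0x00401000
SHELL_SLOT_A, REAL_SLOT_A = 0x0040E319, 0x004063E4
SHELL_SLOT_B, REAL_SLOT_B = 0x0040E31D, 0x004063E8

SAMPLE_CODE = (
    b"\xFF\x15" + struct.pack("<I", SHELL_SLOT_A)    # CALL DWORD PTR [shell slot A]
    + b"\x8B\xF0"                                    # MOV ESI,EAX
    + b"\xFF\x25" + struct.pack("<I", SHELL_SLOT_B)  # JMP DWORD PTR [shell slot B]
    + b"\xB8" + struct.pack("<I", SHELL_SLOT_A)      # MOV EAX,imm32 that only happens to equal slot A
    + b"\xC3"                                        # RETN
)


def read_dword(code, offset):
    """Little-endian DWORD at offset (helper so callers need not import struct)."""
    return struct.unpack_from("<I", code, offset)[0]


def redirect_slot_references(code, code_base, shell_slot, real_slot):
    """Mirror of the loop at 4113F0: EBX walks the code section, ECX counts down.
    Whenever the DWORD at the cursor equals the shell IAT slot (EDI) it is
    overwritten with the value that slot holds (the real IAT entry) and the
    cursor skips the patched DWORD; otherwise it advances one byte.
    Returns the virtual addresses that were patched."""
    target = struct.pack("<I", shell_slot)
    replacement = struct.pack("<I", real_slot)
    patched = []
    i = 0
    while i + 4 <= len(code):
        if code[i:i + 4] == target:
            code[i:i + 4] = replacement
            patched.append(code_base + i)
            i += 4          # ADD EBX,4 ; SUB ECX,3 plus LOOP's own decrement
        else:
            i += 1          # ADD EBX,1 ; LOOP's decrement
    return patched


def find_indirect_sites(code, code_base):
    """Linear sweep for CALL/JMP DWORD PTR [abs32] (FF 15 / FF 25).
    Returns {operand_va: (mnemonic, slot)}; only these operand positions are
    legitimate IAT references. A linear sweep can be fooled by data inside the
    code section, so treat the result as a review aid, not as ground truth."""
    sites = {}
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25):
            mnem = "CALL" if code[i + 1] == 0x15 else "JMP"
            sites[code_base + i + 2] = (mnem, read_dword(code, i + 2))
            i += 6
        else:
            i += 1
    return sites


def repair_iat_references(code, code_base, slot_map):
    """Run the 4113F0 loop once per (shell slot -> real slot) pair.
    Returns (patched, suspect): every patched address, and the subset that is
    not the operand of a CALL/JMP DWORD PTR site, i.e. an immediate or data
    DWORD that only happened to equal a slot address and needs a manual look."""
    sites = find_indirect_sites(code, code_base)
    patched = []
    for shell_slot, real_slot in slot_map.items():
        patched += redirect_slot_references(code, code_base, shell_slot, real_slot)
    suspect = [va for va in patched if va not in sites]
    return patched, suspect


if __name__ == "__main__":
    code = bytearray(SAMPLE_CODE)
    patched, suspect = repair_iat_references(
        code, CODE_BASE, {SHELL_SLOT_A: REAL_SLOT_A, SHELL_SLOT_B: REAL_SLOT_B})
    print("patched:", [hex(va) for va in patched])
    print("review by hand:", [hex(va) for va in suspect])
```

The shell-side loop has no way to flag the third match (the MOV EAX,imm32), which is why, after running the in-process patch, it is worth diffing the patched DWORD positions against the disassembly before dumping.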

The code above searches the CODE section for the address of the shell's IAT slot and replaces it with the value stored at that address (the real IAT entry). Now let's see the effect: set a hardware breakpoint with `hr 12ffa4`; after it breaks, fill in the OEP as 10cc, then use IAT AutoSearch and Get Imports (in ImportREC) and the IAT is found. Take a quick look at the stolen code:

[Code]
0040D088  55             PUSH EBP                   ; *****
0040D089  EB 01          JMP SHORT VC.0040D08C
0040D08B  90             NOP
0040D08C  8BEC           MOV EBP,ESP                ; *****
0040D08E  EB 01          JMP SHORT VC.0040D091
0040D090  90             NOP
0040D091  83EC 44        SUB ESP,44                 ; *****
0040D094  EB 01          JMP SHORT VC.0040D097
0040D096  90             NOP
0040D097  56             PUSH ESI                   ; *****
0040D098  EB 01          JMP SHORT VC.0040D09B
0040D09A  90             NOP
0040D09B  FF15 19E34000  CALL DWORD PTR DS:[40E319] ; ***** note: this should be CALL DWORD PTR DS:[4063E4] (VC.004063E4)
0040D0A1  EB 01          JMP SHORT VC.0040D0A4
0040D0A3  90             NOP
0040D0A4  8BF0           MOV ESI,EAX                ; *****
0040D0A6  EB 01          JMP SHORT VC.0040D0A9
0040D0A8  90             NOP
0040D0A9  8A00           MOV AL,BYTE PTR DS:[EAX]   ; *****
0040D0AB  EB 01          JMP SHORT VC.0040D0AE
0040D0AD  90             NOP
0040D0AE  3C 22          CMP AL,22                  ; *****
0040D0B0  EB 01          JMP SHORT VC.0040D0B3
0040D0B2  90             NOP
0040D0B3  E9 2740FFFF    JMP VC.004010DF            ; the stolen code is not long; this finally hands control back to the program
[/Code]
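The `JMP SHORT +1` / `NOP` pairs sprinkled through the stolen code above are junk ("flower") instructions. As an added example, not a tool from the article, the following Python script parses OllyDbg-style listing lines and drops every short forward jump that skips nothing but NOPs, leaving only the real instructions (the ones the article marks with `*****`) and their bytes. The listing embedded in the script is constructed after the one above.

```python
import re

# Constructed listing in OllyDbg's "address  bytes  mnemonic ; comment" layout,
# modelled on the VC stolen code shown in the article.
SAMPLE_LISTING = """
0040D088 55           PUSH EBP            ; *****
0040D089 EB 01        JMP SHORT VC.0040D08C
0040D08B 90           NOP
0040D08C 8BEC         MOV EBP,ESP         ; *****
0040D08E EB 01        JMP SHORT VC.0040D091
0040D090 90           NOP
0040D091 83EC 44      SUB ESP,44          ; *****
0040D094 EB 01        JMP SHORT VC.0040D097
0040D096 90           NOP
0040D097 56           PUSH ESI            ; *****
"""

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+(.*)$")
HEXRUN = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")     # Olly groups bytes like "8BEC" or "83EC 44"
ARROWS = {"^", "-", "/", "$", "|", "\\", ">"}      # Olly's jump-arrow glyphs


def parse_listing(text):
    """Turn listing lines into (addr, code_bytes, mnemonic, comment) tuples.
    Byte collection stops at the first token that is not an even-length hex
    run; a mnemonic that is itself hex-looking (e.g. FADD) would need a
    smarter split, which this example deliberately does not attempt."""
    rows = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        addr = int(m.group(1), 16)
        rest, _, comment = m.group(2).partition(";")
        tokens = [t for t in rest.split() if t not in ARROWS]
        code = bytearray()
        while tokens and HEXRUN.match(tokens[0]):
            code += bytes.fromhex(tokens.pop(0))
        rows.append((addr, bytes(code), " ".join(tokens).upper(), comment.strip()))
    return rows


def short_jump_target(addr, code):
    """For EB xx (JMP SHORT rel8) return the target address, else None."""
    if len(code) == 2 and code[0] == 0xEB:
        rel = code[1] - 256 if code[1] >= 128 else code[1]
        return addr + 2 + rel
    return None


def strip_junk_jumps(rows):
    """Remove 'JMP SHORT over NOPs' junk: a forward short jump whose skipped
    bytes are all 90h. Jumps that skip real code are left alone."""
    out = []
    i = 0
    while i < len(rows):
        addr, code, _, _ = rows[i]
        target = short_jump_target(addr, code)
        if target is not None and target > addr:
            j = i + 1
            while j < len(rows) and rows[j][0] < target and rows[j][1] == b"\x90":
                j += 1
            if j < len(rows) and rows[j][0] == target:
                i = j            # drop the jump and the NOPs it hops over
                continue
        out.append(rows[i])
        i += 1
    return out


def raw_bytes(rows):
    """Concatenate the instruction bytes of the remaining rows."""
    return b"".join(code for _, code, _, _ in rows)


if __name__ == "__main__":
    for addr, code, mnem, comment in strip_junk_jumps(parse_listing(SAMPLE_LISTING)):
        print(f"{addr:08X}  {code.hex().upper():<14} {mnem:<20} {comment}")
    print(raw_bytes(strip_junk_jumps(parse_listing(SAMPLE_LISTING))).hex().upper())
```

The rule is deliberately narrow: only a short jump whose gap consists entirely of NOPs is treated as junk, so a genuine `JMP SHORT` over live code survives the cleanup.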

Dump it, then Fix Dump, and it's done.

OK, VC/Delphi is finished; now let's look at MASM.

[Code]
00405918  8BBD 792B4000  MOV EDI,DWORD PTR SS:[EBP+402B79]
0040591E  3BC7           CMP EAX,EDI
00405920  76 35          JBE SHORT Masm.00405957    ; same as before: change to JMP XXXX
00405922  03BD 7D2B4000  ADD EDI,DWORD PTR SS:[EBP+402B7D]
00405959  90             NOP
0040595A  894424 1C      MOV DWORD PTR SS:[ESP+1C],EAX ; same as before: change to MOV SS:[EDX],EAX
0040595E  61             POPAD
......
0040598D  8902           MOV DWORD PTR DS:[EDX],EAX ; NOP this one as well
[/Code]

Pay attention here: MASM takes this path:

[Code]
0040599A  807F FF 00     CMP BYTE PTR DS:[EDI-1],0
0040599E  74 11          JE SHORT Masm.004059B1
004059A0  807F FF E9     CMP BYTE PTR DS:[EDI-1],0E9 ; MASM's IAT is a different pattern: a MASM program goes through a long JMP
004059A4  75 E7          JNZ SHORT Masm.0040598D
004059A6  83C7 04        ADD EDI,4                  ; if it is a long jump, it comes here and gets "explained" (resolved)
004059A9  2BC7           SUB EAX,EDI
004059AB  8947 FC        MOV DWORD PTR DS:[EDI-4],EAX
004059AE  EB 06          JMP SHORT Masm.004059B6
004059B0  90             NOP
004059B1  8907           MOV DWORD PTR DS:[EDI],EAX
[/Code]

Re-analysing the code above, we find that [EDI-1] is the address of the instruction in the original program and [EDI+1] is where the address of the correct IAT entry belongs, so we write a few lines of code once more; this time it is easier.

Change it to this:

[Code]
004059A6  66:C747 FF FF25 MOV WORD PTR DS:[EDI-1],25FF
004059AC  8957 01        MOV DWORD PTR DS:[EDI+1],EDX
004059AF  EB 05          JMP SHORT Masm.004059B6
004059B1  8907           MOV DWORD PTR DS:[EDI],EAX
004059B3  EB 01          JMP SHORT Masm.004059B6
004059B5  90             NOP
004059B6  59             POP ECX
004059B7  5F             POP EDI
004059B8  C3             RETN
[/Code]
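What the MASM patch changes, shown in Python as an added example (not the article's code): the shell's own code at 004059A6..004059AB turns each import stub into a direct `E9 rel32` jump to the API's absolute address, which is meaningless once the dump is loaded with a different DLL layout and invisible to an import fixer; the patch `MOV WORD PTR [EDI-1],25FF` / `MOV DWORD PTR [EDI+1],EDX` rewrites the stub as `FF 25 <slot>`, an indirect jump through the real IAT entry. The code base 00401000, the stub address 00401020, the API address 77E5A3D0 and the IAT slot 00403010 are constructed for this example.

```python
import struct

# Constructed sample: a 0x40-byte code area starting at 00401000 whose import
# stub at 00401020 has been reduced by the shell to "E9 00000000" (JMP rel32
# with the displacement still to be filled in) followed by one leftover byte.
# The API address 77E5A3D0 and the IAT slot 00403010 are made up.
CODE_BASE = 0x00401000
STUB_VA = 0x00401020
API_ADDR = 0x77E5A3D0
IAT_SLOT = 0x00403010
IAT_START, IAT_END = 0x00403000, 0x00403100


def sample_code():
    code = bytearray(b"\xCC" * 0x40)
    off = STUB_VA - CODE_BASE
    code[off:off + 6] = b"\xE9\x00\x00\x00\x00\x90"
    return code


def shell_resolve_direct(code, code_base, stub_va, api_addr):
    """What the shell's own code at 004059A6..004059AB does. On entry EDI points
    just past the E9 opcode; ADD EDI,4 moves it past the displacement,
    SUB EAX,EDI gives api - (stub + 5), MOV [EDI-4],EAX stores that rel32.
    The stub becomes a direct JMP to the API's absolute address."""
    off = stub_va - code_base
    if code[off] != 0xE9:
        raise ValueError("stub does not start with E9")
    rel32 = (api_addr - (stub_va + 5)) & 0xFFFFFFFF
    struct.pack_into("<I", code, off + 1, rel32)


def repair_to_indirect(code, code_base, stub_va, iat_slot):
    """The article's patch: MOV WORD PTR [EDI-1],25FF ; MOV DWORD PTR [EDI+1],EDX.
    With EDI-1 at the stub this yields FF 25 <slot> = JMP DWORD PTR [iat_slot],
    a 6-byte indirect jump through the IAT (overwriting the leftover byte)."""
    off = stub_va - code_base
    code[off:off + 2] = b"\xFF\x25"
    struct.pack_into("<I", code, off + 2, iat_slot)


def decode_stub(code, code_base, stub_va):
    """Classify the stub: ('jmp_rel', target) for E9 rel32,
    ('jmp_ind', slot) for FF 25 abs32, ('other', None) otherwise."""
    off = stub_va - code_base
    if code[off] == 0xE9:
        rel32 = struct.unpack_from("<i", code, off + 1)[0]
        return ("jmp_rel", (stub_va + 5 + rel32) & 0xFFFFFFFF)
    if code[off] == 0xFF and code[off + 1] == 0x25:
        return ("jmp_ind", struct.unpack_from("<I", code, off + 2)[0])
    return ("other", None)


def stub_ready_for_dump(code, code_base, stub_va, iat_start, iat_end):
    """A dump can only be repaired by an import fixer if the stub goes through
    an IAT slot inside the IAT range; a direct jump bakes in an address from
    this process's DLL mapping and is lost once the dump is loaded elsewhere."""
    kind, value = decode_stub(code, code_base, stub_va)
    return kind == "jmp_ind" and iat_start <= value < iat_end


if __name__ == "__main__":
    code = sample_code()
    shell_resolve_direct(code, CODE_BASE, STUB_VA, API_ADDR)
    print("shell:", decode_stub(code, CODE_BASE, STUB_VA),
          stub_ready_for_dump(code, CODE_BASE, STUB_VA, IAT_START, IAT_END))
    repair_to_indirect(code, CODE_BASE, STUB_VA, IAT_SLOT)
    print("fixed:", decode_stub(code, CODE_BASE, STUB_VA),
          stub_ready_for_dump(code, CODE_BASE, STUB_VA, IAT_START, IAT_END))
```

`stub_ready_for_dump` is the check to run over every stub before dumping: a stub that still decodes as `jmp_rel` means the shell's resolver won that round and the patch at 004059A6 was not hit for that import.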

Set `hr 12ffa4` the same way and we arrive at the stolen code:

[Code]
00406088  6A 00          PUSH 0
0040608A  EB 01          JMP SHORT Masm.0040608D
0040608C  90             NOP
0040608D  68 97604000    PUSH Masm.00406097
00406092  E9 2FB0FFFF    JMP Masm.004010C6
00406097  A3 00304000    MOV DWORD PTR DS:[403000],EAX
0040609C  EB 01          JMP SHORT Masm.0040609F
0040609E  90             NOP
0040609F  68 A9604000    PUSH Masm.004060A9
004060A4  E9 35B0FFFF    JMP Masm.004010DE          ; jumps to comctl32.InitCommonControls
004060A9  6A 00          PUSH 0
004060AB  EB 01          JMP SHORT Masm.004060AE
004060AD  90             NOP
004060AE  68 962628E1    PUSH E1282696
004060B3  810424 98E9171F ADD DWORD PTR SS:[ESP],1F17E998
004060BA  6A 00          PUSH 0
004060BC  EB 01          JMP SHORT Masm.004060BF
004060BE  90             NOP
004060BF  6A 65          PUSH 65
004060C1  EB 01          JMP SHORT Masm.004060C4
004060C3  90             NOP
004060C4  FF35 00304000  PUSH DWORD PTR DS:[403000]
004060CA  EB 01          JMP SHORT Masm.004060CD
004060CC  90             NOP
004060CD  68 D7604000    PUSH Masm.004060D7
004060D2  E9 F5AFFFFF    JMP Masm.004010CC
004060D7  6A 00          PUSH 0
004060D9  EB 01          JMP SHORT Masm.004060DC
004060DB  90             NOP
004060DC  68 E6604000    PUSH Masm.004060E6
004060E1  E9 DAAFFFFF    JMP Masm.004010C0
[/Code]

I won't go into the details of this code here; I'm sure you can follow it.

OK, that's it from me; the job is finished, time to pack up!

Greetz:

Fly, Jingulong, Yock, TDASM, David, AHAO, VCASM, UFO (Brother), ALAN (Sister), All of my friends and you!

By LoveBoom [DFCG] [FCG]

Email: bmd2chen@tom.com

Please credit the original address when reposting: https://www.9cbs.com/read-36272.html
