Unpacking Forgot/Hexer's Modified tElock

xiaoxiao2021-03-05  24

[Target]: tElock, modified by Forgot / Hexer

[Tools]: OllyDbg 1.1

[Task]: Unpack it, of course :D

[Platform]: WinXP Pro SP1

[Author]: loveboom [dfcg] [fcg]

[Related Links]: See the attachment

[Brief Description]: Heh, a few days ago I saw Forgot's post in the "announcement of a packing product", so I went in for a look. I hadn't looked long before my machine had rebooted N times; it rebooted every time I looked at it!

[Detailed Procedure]:

Since my machine can't take this, sorry, no more small talk; first the OD settings:

Ignore all exceptions except "Invalid or privileged instruction", and check all the other boxes at the bottom. No need to hide your OD, because the shell... "Forgot"? :)

Luckily Forgot didn't use the DRx (debug registers) this time, or it might have been harder.

First, add the signature to PEiD's UserDB so that you can recognise it next time.

Add to UserDB:

[tElock V0.98b1 <-> Modified by Forgot / HEXER]
signature = 9c 6a 03 73 0b EB 02 75 75
ep_only = false

So that later on it won't be forgotten :)
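As an added example (not code from the page or from loveboom), here is a small Python identifier that parses entries in PEiD's UserDB.txt syntax, including "??" wildcard bytes and the ep_only flag, and matches them against a byte buffer. The UserDB text, the sample buffer and its entry-point offset are constructed here for the example; only the signature bytes come from the page.

```python
import re

# Constructed UserDB text holding the page's entry (PEiD UserDB.txt syntax).
USERDB_TEXT = """
[tElock V0.98b1 <-> Modified by Forgot / HEXER]
signature = 9c 6a 03 73 0b EB 02 75 75
ep_only = false
"""

# Constructed sample: a 7-byte stub (the E9 jump from the EP listing), 16 NOPs,
# the signature at offset 23, then padding. This is not a real binary.
SAMPLE = (bytes.fromhex("e999d7ffff0000") + b"\x90" * 16
          + bytes.fromhex("9c6a03730beb027575") + b"\x00" * 8)
SAMPLE_EP = 0  # entry-point offset of the constructed sample


def parse_userdb(text):
    """Parse '[name]' / 'signature = ..' / 'ep_only = true|false' blocks into (name, tokens, ep_only)."""
    entries = []
    name, sig, ep_only = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if name and sig:
                entries.append((name, sig, ep_only))
            name, sig, ep_only = line[1:-1], None, False
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key.lower() == "signature":
                sig = val.split()          # hex tokens, '??' = any byte
            elif key.lower() == "ep_only":
                ep_only = val.lower() == "true"
    if name and sig:
        entries.append((name, sig, ep_only))
    return entries


def sig_to_regex(tokens):
    """Turn the token list into a compiled bytes regex ('??' becomes '.')."""
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens]
    return re.compile(b"".join(parts), re.DOTALL)


def match_userdb(data, ep_offset, entries):
    """Names of entries that match: exactly at the EP when ep_only, anywhere otherwise."""
    hits = []
    for name, tokens, ep_only in entries:
        rx = sig_to_regex(tokens)
        if ep_only:
            if rx.match(data, ep_offset):
                hits.append(name)
        elif rx.search(data):
            hits.append(name)
    return hits


def identify(data=SAMPLE, ep_offset=SAMPLE_EP, text=USERDB_TEXT):
    """Convenience wrapper: parse the UserDB text and match it against data."""
    return match_userdb(data, ep_offset, parse_userdb(text))


if __name__ == "__main__":
    print(identify())
```

The page's entry uses ep_only = false, so the matcher scans the whole buffer; with ep_only = true the same signature would only be accepted when it sits exactly at the entry point, which is why the sample above (signature at offset 23, EP at 0) matches only in the first mode.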

Load it in OD; it stops at the entry point:

00462862 > ^/E9 99D7FFFF    JMP D1.00460000             ; EP
00462867   0000             ADD BYTE PTR DS:[EAX], AL

Press F9 and an exception occurs:

004607E5   8DC0             LEA EAX, EAX                ; exception here
004607E7   74 03            JE SHORT D1.004607EC

After the exception, BP GetModuleHandleA. Heh, it doesn't check for a CC there. Shift+F9 and it breaks:

77E5AD86 > 837C24 04 00     CMP DWORD PTR SS:[ESP+4], 0 ; breaks here
77E5AD8B   0F84 37010000    JE KERNEL32.77E5AEC8

Once it has broken, "restore" (clear the breakpoint), then Alt+F9 to execute until user code:

00460E97   0BC0             OR EAX, EAX                 ; back in the program
00460E99   75 07            JNZ SHORT D1.00460EA2

Back in user code, Ctrl+B and search for 85FF74; this is what we find:

004617E4   85FF             TEST EDI, EDI               ; what we are looking for
004617E6   74 0F            JE SHORT D1.004617F7

Set a hardware access breakpoint at 4617E4, then F9: it runs and raises an exception.

77E53887   5E               POP ESI
77E53888   C9               LEAVE

At 77E53887 there are three exceptions; on the fourth time (Shift+F9) we land on our hardware breakpoint:

004617E4   85FF             TEST EDI, EDI               ; NTDLL.ZwSetInformationThread
004617E6   74 0F            JE SHORT D1.004617F7
004617E8   FF95 191F4000    CALL DWORD PTR SS:[EBP+401F19]

Ah, there it is, just as I thought. Here we set EDI to 0, and then there is nothing to worry about from this one.

Again, after that, step once more, then Ctrl+B and search for 61C685:

00461EF7   61               POPAD
00461EF8   C685 E1314000 00 MOV BYTE PTR SS:[EBP+4031E1], 0
00461EFF   74 24            JE SHORT D1.00461F25        ; this is what we are looking for; the whole IAT is handled here

Change 00461EFF to EB 24, i.e. JMP 00461F25, then F9; an exception follows. At this point don't rush to press Shift+F9 and run again.

00462336   8DC0             LEA EAX, EAX                ; exception
00462338   EB 01            JMP SHORT D1.0046233B

After this exception there are two ways to get to the program's OEP quickly.

The first, the ESP method:

After the exception, HR 12FFA4 (hardware breakpoint on access); it breaks here:

004623B0   874424 FC        XCHG DWORD PTR SS:[ESP-4], EAX
004623B4   83EC 04          SUB ESP, 4

After clearing the breakpoint, Ctrl+F9 (execute till return), then F8 step into the entry:

00462422   5F               POP EDI
00462423   C3               RETN
......
0044CA98   55               PUSH EBP                    ; OEP!
0044CA99   8BEC             MOV EBP, ESP
0044CA9B   83C4 F0          ADD ESP, -10

The second, a section breakpoint:

Open the Memory map and press F2 on the following section:

Memory map, item 18
Address = 00401000
Size = 0004C000 (311296.)
Owner = d1 00400000
Section = .bjfnt
Contains = code
Type = Imag 01001004
Access = RW
Initial access = RWE

Then Shift+F9 and we arrive at the entry point:

0044CA98   55               PUSH EBP                    ; OEP!
0044CA99   8BEC             MOV EBP, ESP

Once here I won't say any more. Since this shell has been so "interesting" to my computer, I decided to write an "unpacking robot" for it. Haha!

CODE:

// OllyScript for OllyDbg 1.1: unpacks Forgot/Hexer's modified tElock by replaying the steps above
msgyn "Settings: press Alt+O, open the Exceptions tab and check every box except the first and third from the bottom. This script only works for Forgot/Hexer's modified tElock. Continue?"
cmp $RESULT, 0
je lblret
var addr
var cbase
var csize
// remember the code section so that a memory breakpoint can be set on it later
gmi eip, CODEBASE
mov cbase, $RESULT
gmi eip, CODESIZE
mov csize, $RESULT
start:
run
lbl1:
// break on GetModuleHandleA, then return to the packer's code
gpa "GetModuleHandleA", "kernel32.dll"
bp $RESULT
esto
lbl2:
bc $RESULT
rtu
// test edi,edi / je xx / call [ebp+xxxx]: the ZwSetInformationThread check
find eip, #85ff74??ff95#
cmp $RESULT, 0
je lblabort
mov addr, $RESULT
bphws addr, "x"
lbl3:
eob lbl4
run
// pass the three exceptions raised before the hardware breakpoint is reached
esto
esto
esto
lbl4:
bphwc addr
mov edi, 0
// popad / mov byte ptr [ebp+xxxx],0 / je xx: patch the je at +8 into a jmp (the IAT spot)
find eip, #61c685#
cmp $RESULT, 0
je lblabort
mov addr, $RESULT
add addr, 8
mov [addr], #EB#
lbl5:
run
lbl6:
// memory breakpoint on the code section; passing the next exception lands on the OEP
bprm cbase, csize
esto
end:
bpmc
cmt eip, "OEP!"
msg "script by loveboom[DFCG][FCG], thank you for using my script!"
lblret:
ret
lblabort:
msg "Error: the script will stop. Perhaps the target program is not packed with Forgot/Hexer's modified tElock :("
ret
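As an added example (not the page's or loveboom's code), the following Python checks the two patch sites the script relies on before touching them, something the script itself does not do: it locates the "test edi,edi / je / call [ebp+disp32]" sequence, decodes the short jumps, and only turns the JE after 61C685 into a JMP when the byte at find+8 really is a JE (74). The addresses are the ones in the listings above; the byte buffers are constructed from those listings and are not dumps of the real program.

```python
# Constructed snapshots of the two code regions shown in the walkthrough.
REGION_A_BASE = 0x004617E4
REGION_A = bytes.fromhex("85ff" "740f" "ff95191f4000")      # test edi,edi / je +0F / call [ebp+401F19]
REGION_B_BASE = 0x00461EF7
REGION_B = bytes.fromhex("61" "c685e131400000" "7424")      # popad / mov byte [ebp+4031E1],0 / je +24


def short_jump_target(code, base, off):
    """Decode a 2-byte short jump (74/75/EB rel8) at offset `off`; return its absolute target."""
    opcode, rel = code[off], code[off + 1]
    if opcode not in (0x74, 0x75, 0xEB):
        raise ValueError(f"not a short jump at {base + off:08X}: {opcode:02X}")
    rel = rel - 0x100 if rel & 0x80 else rel                  # sign-extend rel8
    return base + off + 2 + rel


def locate_thread_check(code, base):
    """Find 85 FF 74 ?? FF 95 (the script's first pattern); return (je_address, je_target) or None."""
    for off in range(len(code) - 5):
        if code[off:off + 3] == b"\x85\xff\x74" and code[off + 4:off + 6] == b"\xff\x95":
            return base + off + 2, short_jump_target(code, base, off + 2)
    return None


def patch_je_to_jmp(code, base, pattern, delta):
    """Locate `pattern`, check that base+delta holds a JE (74), and return
    (patched_copy, patched_address, jump_target). Refuses to patch anything else."""
    off = code.find(pattern)
    if off < 0:
        raise ValueError("pattern not found; probably not this packer variant")
    site = off + delta
    if site + 1 >= len(code) or code[site] != 0x74:
        raise ValueError(f"expected JE at {base + site:08X}, refusing to patch")
    patched = bytearray(code)
    patched[site] = 0xEB                                      # JE rel8 -> JMP rel8, same displacement
    return bytes(patched), base + site, short_jump_target(patched, base, site)


def walkthrough():
    """Replay both checks on the constructed regions and return the decoded addresses."""
    je_addr, je_target = locate_thread_check(REGION_A, REGION_A_BASE)
    _, patch_addr, patch_target = patch_je_to_jmp(REGION_B, REGION_B_BASE, bytes.fromhex("61c685"), 8)
    return {"thread_check_je": je_addr, "thread_check_target": je_target,
            "patched_je": patch_addr, "jmp_target": patch_target}


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k:>20}: {v:08X}")
```

The decoded targets reproduce the listings: the JE at 004617E6 goes to 004617F7, and the patched byte at 00461EFF becomes EB 24, i.e. JMP 00461F25. The script's "add addr, 8" is the `delta` argument here; if a different build of the packer shifted that instruction, the check would refuse to write EB over something that is not a JE.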

Greetz:

Fly, Jingulong, Yock, TDASM, David, AHAO, VCASM, UFO (Brother), ALAN (Sister), All of my friends and you!

By LoveBoom [DFCG] [FCG]

Email: bmd2chen@tom.com

Please credit the original URL when reposting: https://www.9cbs.com/read-36276.html
