Unpacking a simple variant of the standard double-process protection
[Target]: Word Cleaner V2.0
[Tools]: OllyDbg 1.1 (DIY version), LordPE, ImportREC 1.6F
[Task]: Unpacking, of course
[Platform]: WinXP Pro SP1
[Author]: loveboom [DFCG] [FCG]
[Related Links]:
www.wordcleaner.com
[Brief Description]: This is the first time I have unpacked ARM (Armadillo). If anything is lacking, I ask the experts to point it out.
Today I had a little spare time and went over to Exetools for a look around. I found that the expert LOWNOISE had written an article about ARM, so I read it. It felt too complicated after reading, so I followed the expert's article and learned from it. This trick is what I learned.
[Detailed Procedure]:
Settings: ignore all exceptions, and add the exception code C000001E.
Load the program into OllyDbg; it stops at the entry point:
004F0000 > 60             PUSHAD                          ; EP
004F0001   E8 00000000    CALL WordClea.004F0006
004F0006   5D             POP EBP
004F0007   50             PUSH EAX
Now set a breakpoint with BP OpenMutexA and run the program; it breaks at the entry of OpenMutexA:
77E62391 > 55             PUSH EBP
77E62392   8BEC           MOV EBP,ESP
77E62394   51             PUSH ECX
Once the breakpoint hits, find a little free space in the code section (the default image base is 400000); I chose 401000 and wrote these few lines there:
00401000   60             PUSHAD
00401001   9C             PUSHFD
00401002   68 C8FB1200    PUSH 12FBC8                     ; ASCII "5D4::DAA2FD56DE"
00401007   33C0           XOR EAX,EAX
00401009   50             PUSH EAX
0040100A   50             PUSH EAX
0040100B   E8 B5A6A577    CALL kernel32.CreateMutexA
00401010   9D             POPFD
00401011   61             POPAD
00401012 - E9 7A13A677    JMP kernel32.OpenMutexA
00401017   90             NOP
Where does the value on line 00401002 come from? Look at the stack. Yes, it is the value in the stack (the mutex name pointer):
0012F588   004D4FC2  /CALL to OpenMutexA from WordClea.004D4FBC
0012F58C   001F0001  |Access = 1F0001
0012F590   00000000  |Inheritable = FALSE
0012F594   0012FBC8  \MutexName = "5D4::DAA2FD56DE"
After writing it, press Ctrl+* on 401000 to set the new origin there. After that, don't rush on: first let it break on GetModuleHandleA with a hardware breakpoint, then press F9 repeatedly, watching how the stack changes each time:
0012DAC8   004D76D8  /CALL to GetModuleHandleA from WordClea.004D76D2
0012DACC   00000000  \pModule = NULL
......
0012BEB8   00E56714  /CALL to GetModuleHandleA from 00E5670E   ; the fifteenth F9 stops here (refer to the stack)
0012BEBC   0012BFF4  \pModule = "Advapi32.dll"
The last one is here:
0012C144   00E6E3B0  /CALL to GetModuleHandleA from 00E6E3AA
0012C148   00000000  \pModule = NULL
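Counting the F9 stops by eye is error-prone. As an added example (not code from the original post), this Python snippet parses stack-window lines in OllyDbg's format so you can find the n-th call to a given API and read its arguments from a saved log instead of from the screen. The sample lines are constructed from the listings above; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: stack-window lines in the format OllyDbg prints, taken
# from the tutorial's own listings (addresses and names as shown there).
SAMPLE = """\
0012DAC8 004D76D8 /CALL to GetModuleHandleA from WordClea.004D76D2
0012DACC 00000000 \\pModule = NULL
0012BEB8 00E56714 /CALL to GetModuleHandleA from 00E5670E
0012BEBC 0012BFF4 \\pModule = "Advapi32.dll"
0012C144 00E6E3B0 /CALL to GetModuleHandleA from 00E6E3AA
0012C148 00000000 \\pModule = NULL
0012F588 004D4FC2 /CALL to OpenMutexA from WordClea.004D4FBC
0012F58C 001F0001 |Access = 1F0001
0012F594 0012FBC8 \\MutexName = "5D4::DAA2FD56DE"
"""

# "/CALL to <api> from <caller>" opens a call record; "|name = value" and
# "\name = value" lines that follow belong to that record as its arguments.
CALL_RE = re.compile(
    r"^([0-9A-F]{8})\s+([0-9A-F]{8})\s+/\s*CALL to (\S+) from (\S+)", re.I)
ARG_RE = re.compile(
    r"^([0-9A-F]{8})\s+([0-9A-F]{8})\s+[|\\]\s*(\w+)\s*=\s*(.*)$", re.I)


def parse_calls(text):
    """Return a list of call records: return address, API, caller, arguments."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            calls.append({"ret": int(m.group(2), 16), "api": m.group(3),
                          "caller": m.group(4), "args": {}})
            continue
        m = ARG_RE.match(line)
        if m and calls:
            calls[-1]["args"][m.group(3)] = m.group(4).strip()
    return calls


def nth_call(calls, api, n):
    """The n-th (1-based) call to `api`, or None if there are fewer than n."""
    hits = [c for c in calls if c["api"].lower() == api.lower()]
    return hits[n - 1] if len(hits) >= n else None


def call_counts(calls):
    """How many times each API appears, to cross-check the F9 count."""
    return Counter(c["api"] for c in calls)


if __name__ == "__main__":
    parsed = parse_calls(SAMPLE)
    print(call_counts(parsed))
    last = nth_call(parsed, "GetModuleHandleA", 3)
    print(f"3rd GetModuleHandleA: ret={last['ret']:08X} args={last['args']}")
```

Feed it the text copied from OllyDbg's stack window (or a log file) and ask for the stop you are interested in; the record's `ret` field is the address you land on after Alt+F9.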
Once you are here, first run HD GetModuleHandleA to remove the hardware breakpoint. After removing it, press Alt+F9 to execute until return:
00E6E3B0   3985 BCE9FFFF      CMP DWORD PTR SS:[EBP-1644],EAX      ; WordClea.00400000
00E6E3B6   75 0F              JNZ SHORT 00E6E3C7
00E6E3B8   C785 B8E9FFFF 0>   MOV DWORD PTR SS:[EBP-1648],0E80200
00E6E3C2   E9 C4000000        JMP 00E6E48B
00E6E3C7   83A5 90E7FFFF 0>   AND DWORD PTR SS:[EBP-1870],0
00E6E3CE   C785 8CE7FFFF 0>   MOV DWORD PTR SS:[EBP-1874],0E80800
00E6E3D8   EB 1C              JMP SHORT 00E6E3F6
00E6E3DA   8B85 8CE7FFFF      MOV EAX,DWORD PTR SS:[EBP-1874]
00E6E3E0   83C0 0C            ADD EAX,0C
00E6E3E3   8985 8CE7FFFF      MOV DWORD PTR SS:[EBP-1874],EAX
00E6E3E9   8B85 90E7FFFF      MOV EAX,DWORD PTR SS:[EBP-1870]
00E6E3EF   40                 INC EAX
00E6E3F0   8985 90E7FFFF      MOV DWORD PTR SS:[EBP-1870],EAX
00E6E3F6   8B85 8CE7FFFF      MOV EAX,DWORD PTR SS:[EBP-1874]
00E6E3FC   8338 00            CMP DWORD PTR DS:[EAX],0             ; ****
00E6E3FF   0F84 86000000      JE 00E6E48B
00E6E405   8B85 8CE7FFFF      MOV EAX,DWORD PTR SS:[EBP-1874]
00E6E40B   8B40 08            MOV EAX,DWORD PTR DS:[EAX+8]
After returning, select the line marked **** and press F4 to run directly to it. Once there, change the value of [EAX] to 0, so the IAT encryption is skipped. After the change, put an F2 breakpoint on the code section in the Memory Map (item 23) and run; the result is that it stops right at the OEP. Not bad.
Memory Map, item 23
Address=00401000
Size=000C9000 (823296.)
Owner=WordClea 00400000
Section=.text
Type=Imag 01001002
Access=R
Initial access=RWE
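To make the loop above easier to read, here is an added Python model of it (not code from the tutorial, from Armadillo, or from Word Cleaner). Only the control flow is taken from the listing: a pointer kept in [EBP-1874] steps through 12-byte records (ADD EAX,0C), a counter in [EBP-1870] is incremented per record, the loop ends on the first record whose first dword is 0 (CMP DWORD PTR [EAX],0 / JE), and the body reads the record's third dword ([EAX+8]). The record contents are constructed, and what the body does with the third dword is not on the page, so the model only collects it; the `patch_first_entry` switch reproduces the tutorial's edit at ****.

```python
import struct

ENTRY_SIZE = 0x0C  # ADD EAX,0C: the loop steps through 12-byte records


def build_table(entries):
    """Pack a constructed table of (d0, d1, d2) 12-byte records and append the
    all-zero record on which the loop's CMP DWORD PTR [EAX],0 / JE exits."""
    blob = b"".join(struct.pack("<III", *e) for e in entries)
    return blob + struct.pack("<III", 0, 0, 0)


def walk_table(table, patch_first_entry=False):
    """Model of the loop at 00E6E3DA-00E6E40B.

    ptr plays the role of [EBP-1874] (record pointer) and count the role of
    [EBP-1870] (record counter).  With patch_first_entry=True the first dword
    of the record under the pointer is zeroed before the compare, which is the
    tutorial's edit at ****: the JE is taken at once and no record is processed.
    Returns (records_processed, third_dwords_seen).
    """
    mem = bytearray(table)
    ptr = 0
    count = 0
    seen = []
    if patch_first_entry:
        struct.pack_into("<I", mem, ptr, 0)   # [EAX] := 0
    while True:
        d0, _d1, d2 = struct.unpack_from("<III", mem, ptr)
        if d0 == 0:                            # CMP DWORD PTR [EAX],0 ; JE 00E6E48B
            break
        seen.append(d2)                        # MOV EAX,DWORD PTR [EAX+8]
        ptr += ENTRY_SIZE                      # ADD EAX,0C   -> [EBP-1874]
        count += 1                             # INC EAX      -> [EBP-1870]
    return count, seen


# Constructed sample table: three records; the values are made up and only
# serve to show which fields the loop touches.
SAMPLE_TABLE = build_table([(1, 0x1000, 0xAAAA), (1, 0x2000, 0xBBBB), (1, 0x3000, 0xCCCC)])

if __name__ == "__main__":
    print("unpatched:", walk_table(SAMPLE_TABLE))
    print("patched:  ", walk_table(SAMPLE_TABLE, patch_first_entry=True))
```

Running it shows three records processed unpatched and zero once the first dword is cleared, which is why a single byte edit at **** lets the program reach the OEP with its imports still intact.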
We arrive at the OEP:
00414100   68 F4414100    PUSH WordClea.004141F4
0040360D   E8 EEffff      CALL WordClea.00403600            ; JMP to MSVBVM60.ThunRTMain
Quickly do a full dump (LordPE). After dumping, use ImportREC to cut the invalid entries. On Win2k the dump can even run without being fixed. Unpacking done! Bye.
Warning:
Remember to get rid of that annoying thing while debugging (turn off the Rising antivirus firewall); otherwise it is horribly painful!
Greetz:
Fly, jingulong, Yock, Tdasm, david, ahao, ufo (brother), alan (sister), all of my friends and you!
By LoveBoom [DFCG] [FCG]
Email: bmd2chen@tom.com