Simple unpacking: ENCRYPTPE 2003.5.18
[Target]: Win98's Notepad
[Tools]: OllyDbg 1.1 (DIY version), LordPE, ImportREC 1.6F
[Renuction]: Of course it is offset
[Operating Platform]: Windows 2000 ADV
[Author]: loveboom [dfcg]
[Related Links]: I don't remember; go and search for yourself.
[Brief Description]: I had a little time today and did this on a whim, not wanting to let myself get lazy. So I played with it. I don't know how it differs from fly's article, because I haven't read fly's yet. I'm not saying fly's article isn't well written, but I feel that if I can unpack it myself first and then read someone else's article, I will learn something; if I can't unpack it myself, I read it again (many thanks to fly for such a good article). This shell is quite fun. If possible, it is best to unpack it yourself again after reading this article.
[Detailed Procedure]:
Settings:
Uncheck the INT3 exception; otherwise keep the defaults, and add two exception codes to be ignored: 0EDFADE and C0000008 (Invalid Handle).
After packing it, I checked it with PEiD. It reports UPX, which confused me for a moment, but of course I know that is a "fake" signature. So my PEtools also "recognises" this shell.
Step one: find the OEP
This step is not difficult. After the eighth INT3 exception, set a memory breakpoint on the code section, and you land at the entry point.
Step two: repair the import table
After the second Shift+F9, set a breakpoint on GetProcAddress (bp GetProcAddress). If the stack looks like this, you are in the right place:
0012FECC 004061B4 ASCII "6E"
0012FED0 785C0000 OFFSET Shell32.#465
0012FED4 00000202
0012FED8 77E69AC1 kernel32.GetProcAddress
0012FEDC 711A41BE RETURN to V1200351.711A41BE from V1200351.71126CF4
0012FEE0 785C0000 OFFSET Shell32.#465
0012FEE4 00CFC77C ASCII "DragFinish"
0012FEE8 0012FEF4 Pointer to next SEH record
If it looks like that, press Shift+F9 a third time, and the GetProcAddress breakpoint hits with:
0012FF90 0040D29A /CALL to GetProcAddress from notepad.0040D298
0012FF94 71120000 |hModule = 71120000 (V1200351)
0012FF98 0040D170 \ProcNameOrOrdinal = "EncryptPE_Init"
After the breakpoint triggers, I arrive here:
7119D310 8B00 MOV EAX, DWORD PTR DS:[EAX]
7119D312 3C CC CMP AL, 0CC
7119D314 74 14 JE SHORT V1200351.7119D32A
Press F9 once; it breaks in the system DLL. Now look at the current stack:
0012FEDC 711A41BE /CALL to GetProcAddress from V1200351.711A41B9
0012FEE0 785C0000 |hModule = 785C0000 (Shell32)
Set a breakpoint directly at 711A41BE, press F9 to stop there, and not far below you see this code:
711A41FE 8B55 B8 MOV EDX, DWORD PTR SS:[EBP-48]
711A4201 E8 E2F0FFFF CALL V1200351.711A32E8 // follow this call
711A4206 E9 B7010000 JMP V1200351.711A43C2
711A420B 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
After following the call, we have to find the IAT. This is not difficult; look at the code first.
711A32E8 55 PUSH EBP
711A32E9 8BEC MOV EBP, ESP
711A32EB 83C4 F8 ADD ESP, -8
711A32EE 53 PUSH EBX
711A32EF 56 PUSH ESI
711A32F0 57 PUSH EDI
711A32F1 8BF9 MOV EDI, ECX ; notepad.004063F8
// Follow 4063F8 (the value of ECX) in the data window and you can see the location and size of the IAT.
711A32F3 8955 FC MOV DWORD PTR SS:[EBP-4], EDX
Keep pressing F8 until you get here:
711A3379 8908 MOV DWORD PTR DS:[EAX], ECX
711A337B 8BC3 MOV EAX, EBX
711A337D 83C0 0B ADD EAX, 0B
711A3380 8BCA MOV ECX, EDX
711A3382 83C1 05 ADD ECX, 5
711A3385 334D FC XOR ECX, DWORD PTR SS:[EBP-4] // here [EBP-4] = the correct API address
// So change this line to MOV ECX, DWORD PTR SS:[EBP-4]
711A3388 8908 MOV DWORD PTR DS:[EAX], ECX
711A338A 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX // EDX here is the IAT member
// So change this line to NOP
711A338D 85FF TEST EDI, EDI
711A338F 74 29 JE SHORT V1200351.711A33BA
711A3391 33D2 XOR EDX, EDX
After making the changes, delete the memory breakpoint. Press F9, then keep pressing Shift+F9 until decompression has completely finished (easy to see from the status bar). When it is done, press Ctrl+P to open the Patches window. There you can see the code we changed; double-click it to restore the original bytes, so the shell does not notice that you modified it.
Keep pressing Shift+F9 until you reach the entry point, and you will find that all the APIs have been repaired. Now dump with LordPE and strip the shell (if it is a Delphi program, the dump will not run yet), fix the import table, and Rebuilder can be used as well. The unpacking is done.
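Before fixing the import table, it is worth verifying that the dumped IAT no longer contains slots that point back into the shell DLL (which is what the XOR stub in 711A3385 produces). The following is an added example, not code from the article: it classifies each DWORD slot of a dumped IAT by the module its value falls in. The module ranges are modelled on the addresses in the Olly output above (V1200351 at 71120000, kernel32 at 77E6xxxx, Shell32 at 785C0000); their sizes and the sample IAT are constructed assumptions.

```python
import struct

# Constructed module address ranges (bases from the article's Olly output,
# sizes are assumptions for this example).
MODULES = {
    "V1200351": (0x71120000, 0x711C0000),   # the EncryptPE shell DLL
    "kernel32": (0x77E60000, 0x77F40000),
    "shell32":  (0x785C0000, 0x78690000),
}
SHELL_MODULE = "V1200351"

def module_for(addr, modules):
    """Name of the module whose range contains addr, or None."""
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return None

def classify_iat(iat_bytes, modules, shell_module):
    """Classify every 32-bit IAT slot of a dumped image.

    Verdicts: 'ok' (points into a real imported module), 'redirected'
    (still points into the shell DLL), 'terminator' (zero slot ending a
    thunk array), 'unresolved' (points nowhere we know: stub or garbage).
    """
    out = []
    for i, (val,) in enumerate(struct.iter_unpack("<I", iat_bytes)):
        if val == 0:
            verdict = "terminator"
        else:
            mod = module_for(val, modules)
            verdict = ("unresolved" if mod is None
                       else "redirected" if mod == shell_module else "ok")
        out.append((i, val, verdict))
    return out

def summarize(results):
    """Count verdicts; a clean dump has no 'redirected' or 'unresolved'."""
    counts = {}
    for _, _, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample IAT: two repaired slots, one still redirected into the
# shell, one pointing into notepad itself (a stub), and the terminator.
SAMPLE_IAT = struct.pack("<IIIII",
    0x77E69AC1,   # kernel32.GetProcAddress (address seen in the article)
    0x785C1234,   # a Shell32 export (constructed)
    0x711A32E8,   # still points into the shell DLL
    0x0040D170,   # inside notepad: unresolved stub
    0)            # terminator

if __name__ == "__main__":
    for idx, val, verdict in classify_iat(SAMPLE_IAT, MODULES, SHELL_MODULE):
        print(f"slot {idx}: {val:08X} {verdict}")
```

Run it against the IAT bytes read from the dump at the address found at 4063F8; any 'redirected' or 'unresolved' slot means the patch did not take effect for that import.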
Dedicated to my dear DFCG; I hope it thrives!
Thanks to all of my friends, best wishes to you!
THANKS:
fly, Hui Yock, Jingulong, Er brother, TDASM, and all friends who have cared for, supported or helped me! Thank you!