[Unpacking] Find the real entry point (OEP) - General ESP Law
Author: Lenus
FROM: Poptown.gamewan.com/bbs
E-MAIL: meila2003@163.com

1. Preface

I see many friends in the forum who do not know what the ESP law is, what its scope of application is, what its principle is, or how to use it. Looking at the results of the survey in "" I found that everyone is very interested in the ESP law, of course because it really is easy to use. So now I will tell you what the ESP law is and what its principle is! BTW: reading this after the manual unpacking tutorial will help you more later on. Download it at the following address: http://www.jetdown.com/down/down.asp?Id=37350&no=1

2. Preparation

Before we start discussing the ESP law, I will give you some simple assembly knowledge.

1. CALL

This is the basic assembly instruction for calling a subroutine. Maybe you say, I have long known this! Don't worry, please read to the end. What is the real meaning of CALL? We can understand it as two steps: (1) push the address of the next instruction onto the stack; (2) JMP to the subroutine address given by the CALL. For example:

    00401029  E8 DA240A00   CALL 004A3508
    0040102E  5A            POP EDX

After executing 00401029, the program pushes 0040102E onto the stack, then JMPs to 004A3508!

2. RET

RET is the counterpart of CALL. We can understand RET as: (1) pop the value at the address ESP currently points to off the stack; (2) JMP to that address. This completes the process of calling a subroutine. The key point is this: if we want to return to the parent program, then whatever stack operations the subroutine performs, by the time it executes RET, ESP must point to the return address that the CALL pushed. This is the famous "stack balance" principle!

3. The principle of the narrow ESP law

The principle of the ESP law is the "stack balance" principle.
Let's take a look at the program's entry point! These are the values of the registers when we arrive at the entry of the UPX shell:

    EAX 00000000
    ECX 0012FFB0
    EDX 7FFE0304
    EBX 7FFDF000
    ESP 0012FFC4
    EBP 0012FFF0
    ESI 77F51778 ntdll.77F51778
    EDI 77F517E6 ntdll.77F517E6
    EIP 0040EC90 note-upx.

When the shell saves these registers on the stack, the stack looks like this:

    0012FFA4  77F517E6  RETURN to ntdll.77F517E6 from ntdll.77F78C4E   // EDI
    0012FFA8  77F51778  RETURN to ntdll.77F51778 from ntdll.77F517B5   // ESI
    0012FFAC  0012FFF0                                                 // EBP
    0012FFB0  0012FFC4                                                 // ESP
    0012FFB4  7FFDF000                                                 // EBX
    0012FFB8  7FFE0304                                                 // EDX
    0012FFBC  0012FFB0                                                 // ECX
    0012FFC0  00000000                                                 // EAX

So at this point, as the tutorial says, we set a hardware access breakpoint on 0012FFA4, the address ESP points to. That is, when the program accesses these stack slots to restore the original register values, which is exactly when it is about to jump to the OEP, OD breaks for us. So we stop at 0040EE10!

Summary: we can treat the shell as a subroutine. Once it has decompressed the code, it must follow the stack balance principle, so that when execution reaches the OEP, ESP = 0012FFC4.

4. The generalized ESP law

Many people ask after finishing the tutorial: is the ESP law just "break on 0012FFA4", and can it only be applied to compression shells? My answer: NO! After reading this you will know that the ESP law is not only for compression shells; it can be used on encryption shells too!!!

First, a piece of experience that is also a fact: when a PE file starts, at the first line of the shell's code the register values are always the ones above; don't believe it, try it yourself! And when arriving at the OEP, most programs begin with a push! (Except programs written by BC, which generally put the push one instruction later.) So according to the ESP principle above, we know that with most shells ESP = 0012FFC4 when running to the OEP.
Then the first instruction of the program writes to 0012FFC0! So we have finally obtained a generalized ESP law: just set a hardware write breakpoint on 0012FFC0 and we stop at the second instruction of the OEP!!

Let's take an example, the first of the two articles! After loading in OD, we are here:

    0040D042 N> B8 00D04000       MOV EAX, Notepad.0040D000        // stops here
    0040D047    68 4C584000       PUSH Notepad.0040584C
    0040D04C    64:FF35 00000000  PUSH DWORD PTR FS:[0]            // first hardware break, F9
    0040D053    64:8925 00000000  MOV DWORD PTR FS:[0], ESP
    0040D05A    66:9C             PUSHFW
    0040D05C    60                PUSHAD
    0040D05D    50                PUSH EAX

Set the hardware write breakpoint on 0012FFC0 directly and press F9 to run. (Watch the hardware breaks.) At 0040D04C it is the first hardware break; F9 to continue!

    0040D135    A4        MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]   // access violation; wherever it happens, Shift+F9 to continue
    0040D136    33C9      XOR ECX, ECX
    0040D138    83FB 00   CMP EBX, 0
    0040D13B  ^ 7E A4     JLE SHORT Notepad.0040D0E1

Second hardware break:

    004058B5    64   DB 64   // breaks here
    004058B6    89   DB 89
    004058B7    1D   DB 1D
    004058B8    00   DB 00
    004058B9    00   DB 00

Ignore it, F9 to continue!

    004010CC /. 55        PUSH EBP
    004010CD |. 8BEC      MOV EBP, ESP     // breaks here, haha, we have arrived!
    004010CF |. 83EC 44   SUB ESP, 44
    004010D2 |. 56        PUSH ESI

(If there is junk code here, use Ctrl+A to analyse it so that it displays properly.) Fast, right? Not satisfied yet? One more example.
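To make the stack-balance reasoning behind both the narrow law (section 3) and the generalized law (section 4) concrete, here is an added example that is not part of Lenus's post: a small C simulation of an x86 stack with PUSHAD/POPAD, CALL/RET and an OllyDbg-style hardware breakpoint that stops after the instruction touching the watched slot. The register values, the addresses 0012FFC4, 0012FFA4 and 0012FFC0, and the OEP prologue are taken from the post; the stub instruction sequence, the "decompress" routine at 0040F000 and the modelled stack range are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses copied from the page's OllyDbg dumps. The instruction sequence
 * further down is a constructed toy stub, not the real UPX/notepad code. */
#define ENTRY_ESP   0x0012FFC4u   /* ESP at the packed program's entry */
#define STACK_LO    0x0012F000u   /* lowest stack address we model (assumed) */
#define STACK_WORDS 0x400u        /* 4 KiB of modelled stack */
#define STUB_ENTRY  0x0040EC90u   /* EIP at the packed entry */
#define OEP         0x004010CCu   /* original entry point */

enum Op { OP_PUSH, OP_POP, OP_PUSHAD, OP_POPAD, OP_CALL, OP_RET, OP_JMP,
          OP_SUB_ESP, OP_NOMEM, OP_HALT };
enum Wp { WP_NONE, WP_ACCESS, WP_WRITE };      /* OllyDbg hardware bp kinds */

typedef struct { uint32_t addr, len; enum Op op; uint32_t arg; } Instr;
typedef struct {
    uint32_t eip, esp;
    uint32_t regs[8];               /* EAX ECX EDX EBX (ESP) EBP ESI EDI */
    uint32_t stack[STACK_WORDS];
    uint32_t wp_addr; enum Wp wp_kind; int wp_hit;
} Cpu;
typedef struct { uint32_t eip, esp; int hits; } Stop;

static uint32_t *slot(Cpu *c, uint32_t a) { return &c->stack[(a - STACK_LO) / 4]; }
static void mem_write(Cpu *c, uint32_t a, uint32_t v) {
    if (c->wp_kind != WP_NONE && a == c->wp_addr) c->wp_hit = 1;   /* write or access bp */
    *slot(c, a) = v;
}
static uint32_t mem_read(Cpu *c, uint32_t a) {
    if (c->wp_kind == WP_ACCESS && a == c->wp_addr) c->wp_hit = 1; /* access bp only */
    return *slot(c, a);
}
static void push(Cpu *c, uint32_t v) { c->esp -= 4; mem_write(c, c->esp, v); }
static uint32_t pop(Cpu *c) { uint32_t v = mem_read(c, c->esp); c->esp += 4; return v; }

/* Constructed program: a minimal packer stub (PUSHAD / call the unpacker /
 * POPAD / JMP OEP) followed by the OEP prologue shown on the page. */
static const Instr PROG[] = {
    { STUB_ENTRY + 0, 1, OP_PUSHAD, 0 },
    { STUB_ENTRY + 1, 5, OP_CALL, 0x0040F000u },  /* "decompress" (assumed address) */
    { STUB_ENTRY + 6, 1, OP_POPAD, 0 },
    { STUB_ENTRY + 7, 5, OP_JMP, OEP },
    { 0x0040F000u, 1, OP_PUSH, 3 },               /* push ebx  } balanced */
    { 0x0040F001u, 1, OP_POP, 3 },                /* pop ebx   } subroutine */
    { 0x0040F002u, 1, OP_RET, 0 },
    { OEP + 0, 1, OP_PUSH, 5 },                   /* push ebp: writes ENTRY_ESP-4 */
    { OEP + 1, 2, OP_NOMEM, 0 },                  /* mov ebp,esp */
    { OEP + 3, 3, OP_SUB_ESP, 0x44 },             /* sub esp,44 */
    { OEP + 6, 1, OP_PUSH, 6 },                   /* push esi */
    { OEP + 7, 1, OP_HALT, 0 },
};
#define NPROG (sizeof PROG / sizeof PROG[0])

static int step(Cpu *c) {  /* execute one instruction; 0 when the program ends */
    const Instr *in = NULL;
    for (size_t i = 0; i < NPROG; i++) if (PROG[i].addr == c->eip) in = &PROG[i];
    if (!in || in->op == OP_HALT) return 0;
    uint32_t next = in->addr + in->len, saved = c->esp;
    switch (in->op) {
    case OP_PUSH:    push(c, c->regs[in->arg]); break;
    case OP_POP:     c->regs[in->arg] = pop(c); break;
    case OP_PUSHAD:  for (int i = 0; i < 8; i++) push(c, i == 4 ? saved : c->regs[i]); break;
    case OP_POPAD:   for (int i = 7; i >= 0; i--) { uint32_t v = pop(c); if (i != 4) c->regs[i] = v; } break;
    case OP_CALL:    push(c, next); next = in->arg; break;  /* push return address, jump */
    case OP_RET:     next = pop(c); break;                  /* pop return address, jump */
    case OP_JMP:     next = in->arg; break;
    case OP_SUB_ESP: c->esp -= in->arg; break;
    default:         break;                                 /* OP_NOMEM */
    }
    c->eip = next;
    return 1;
}

/* Like OllyDbg: run until the hardware breakpoint fires, stopping AFTER the
 * instruction that touched the slot; returns the EIP shown, 0 if it ran out. */
static uint32_t run_until_break(Cpu *c) {
    c->wp_hit = 0;
    while (step(c)) if (c->wp_hit) return c->eip;
    return 0;
}

static void cpu_init(Cpu *c) {
    memset(c, 0, sizeof *c);
    c->eip = STUB_ENTRY; c->esp = ENTRY_ESP;
    /* register values at the packed entry, as listed on the page */
    c->regs[1] = 0x0012FFB0u; c->regs[2] = 0x7FFE0304u; c->regs[3] = 0x7FFDF000u;
    c->regs[5] = 0x0012FFF0u; c->regs[6] = 0x77F51778u; c->regs[7] = 0x77F517E6u;
}

/* Narrow ESP law: F8 over PUSHAD, hardware ACCESS bp on the new ESP (0012FFA4),
 * F9. The first read of that slot is POPAD, so we stop at the JMP to OEP. */
Stop classic_esp_trick(void) {
    Cpu c; Stop s; cpu_init(&c);
    step(&c);                                   /* F8: execute PUSHAD */
    c.wp_addr = c.esp; c.wp_kind = WP_ACCESS;   /* HW access bp on 0012FFA4 */
    s.eip = run_until_break(&c); s.esp = c.esp; s.hits = 1;
    return s;                                   /* eip 0040EC97, esp 0012FFC4 */
}

/* Generalized ESP law: hardware WRITE bp on ENTRY_ESP-4 (0012FFC0) from the
 * first instruction, F9 on every hit. The stub's own PUSHAD hits it once;
 * the OEP's "push ebp" hits it again, leaving us on the OEP's second line. */
Stop generalized_esp_trick(void) {
    Cpu c; Stop s = { 0, 0, 0 }; uint32_t eip; cpu_init(&c);
    c.wp_addr = ENTRY_ESP - 4; c.wp_kind = WP_WRITE;
    while ((eip = run_until_break(&c)) != 0) { s.eip = eip; s.esp = c.esp; s.hits++; }
    return s;                                   /* eip 004010CD after 2 hits */
}

int main(void) {
    Stop a = classic_esp_trick(), b = generalized_esp_trick();
    printf("narrow ESP law:      stop at %08X, ESP=%08X\n", a.eip, a.esp);
    printf("generalized ESP law: stop at %08X after %d hits\n", b.eip, b.hits);
    return 0;
}
```

Compiling and running this prints the two stop addresses. Two things the simulation makes visible: the narrow law only works because the stub's decompression routine is stack-balanced, so the first read of 0012FFA4 after PUSHAD is the POPAD right before the JMP to OEP; and the write breakpoint on 0012FFC0 fires in the stub itself before it fires at the OEP, which is why the post's walkthrough has to press F9 past a "first hardware break" before landing on MOV EBP, ESP.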
In the second article's unpacking example, the method above finds nothing: the program just runs straight through! No matter, we use another way! After loading we stop here; hide OD with a plugin!

    0040DBD6 N> ^/ E9 25E4FFFF   JMP note_tel.0040C000   // stops here
    0040DBDB       0000          ADD BYTE PTR DS:[EAX], AL
    0040DBDD       0038          ADD BYTE PTR DS:[EAX], BH
    0040DBDF       A4            MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]
    0040DBE0       54            PUSH ESP

F9 to run, then skip the exceptions with Shift+F9 until here:

    0040D817 ^/ 73 DC          JNB SHORT note_tel.0040D7F5   // here
    0040D819    CD20 64678F06  VxDCall 68F6764
    0040D81F    0000           ADD BYTE PTR DS:[EAX], AL
    0040D821    58             POP EAX

Now set the hardware write breakpoint on 0012FFC0! (Type HW 12FFC0 on the command line.) Shift+F9 to skip the exception, and we arrive at the second line of the OEP (analyse with Ctrl+A):

    004010CC /. 55             PUSH EBP
    004010CD |. 8BEC           MOV EBP, ESP                 // here
    004010CF |. 83EC 44        SUB ESP, 44
    004010D2 |. 56             PUSH ESI
    004010D3 |. FF15 E4634000  CALL DWORD PTR DS:[4063E4]
    004010D9 |. 8BF0           MOV ESI, EAX
    004010DB |. 8A00           MOV AL, BYTE PTR DS:[EAX]
    004010DD |. 3C 22          CMP AL, 22

So we have easily solved the OEP problem of two encryption shells!

5. Summary

Now we can easily answer some questions.

1. What is the principle of the ESP law? The stack balance principle.

2. What is the scope of application of the ESP law? Almost all compression shells and some encryption shells. As long as ESP = 0012FFC4 at the JMP to the OEP, in theory we can use it. But where to break, and what to do when the shell detects OD and kills the debugging session, takes a lot of summarizing and accumulated experience. You are welcome to share your experience with us.