Reverse Fundamentals: introduction to manual software shelling Technology

Time:2021-11-25

preface:

Hello, I’m Jay Chou

Here are some notes and articles on manual shelling of their own learning software, hoping to give some help to children’s shoes who learn the reverse and shelling of new software.

1 some concepts

1.1 shelling

The full name of shelling should be executable program resource compression, which is a common means to protect files. The shelled program can be run directly, but the source code cannot be viewed. You can view the source code only after shelling.

Shelling is the use of special algorithms to compress and encrypt the resources in exe and DLL files. The effect is similar to winzip, but the compressed file can run independently. The decompression process is completely hidden and is completed in memory. After they are attached to the original program and loaded into the memory through the windows loader, they are executed before the original program to obtain the control right. During the execution process, the original program is decrypted and restored. After the restoration is completed, the control right is returned to the original program to execute the original code part. After adding the shell, the original program code generally exists in the encrypted form in the disk file and is only restored in memory during execution, which can effectively prevent the cracker from illegally modifying the program file and prevent the program from being statically decompiled.

The types of shells are usually divided into compressed shells and encrypted shells. The feature of compressed shell is to reduce the volume of software, and encryption protection is not the focus. There are many kinds of encryption shells, and different shells have different emphases. Some shells simply protect programs, while others provide additional functions, such as providing registration mechanism, usage times, time limit, etc.

1.2 OEP

OEP: (original entry point), the entry point of the program. Software shelling generally hides the real OEP of the program (or uses a fake OEP). We need to find the real OEP of the program before we can complete shelling.

Generally, when using dynamic debugging tools such as OllyDbg, the shelling program will stop in the preprocessing block of the shell. That is, before decompressing or decrypting the original code block of the program, after running the self shelling module of the program, it will stay at the OEP position before the program is shelled. This is the best time for dump program. When shelling, the int3 breakpoint is set at the real OEP to capture the complete recovery state of the program code segment. Therefore, finding the correct OEP of the shelling program has also become the first priority in manual shelling.

1.3 IAT

IAT: (import address table) to import the address table. Since the import function is a function called by the program but its execution code is not in the program, the code of these functions is located in one or more DLLs. When the PE file is loaded into memory, the windows loader loads the DLL and connects the instruction calling the import function with the actual address of the function (dynamic connection). This operation needs to be completed by importing the table. The imported address table indicates the actual address of the function. Most shelling software will rebuild the import address table when running, so obtaining the correct import address table of shelling program is also a key problem in manual shelling operation.

2 some shelling methods

2.1 single step tracking method

The principle of single step tracking method is to completely walk through the self shelling process of the program through OllyDbg’s single step (F8), single step entry (F7) and run to (F4), skip some fragments of cyclic recovery code, and use single step entry to ensure that the program will not skip OEP. In this way, after the software automatic shelling module runs, it can reach the OEP and dump the program.

2.2 ESP law method

ESP law is a sharp tool for shelling and one of the most frequently used shelling methods.

The principle of ESP law lies in the rational utilization of stack balance in the program. In the process of self decryption or self decompression of the program, many shells will first stack the current register content, such as using PUSHAD. After decompression, the previous register value will be out of the stack, such as using POPAD. Therefore, when the register is out of the stack, the program code is often automatically restored, and the hardware breakpoint is triggered. Then, in the current position of the program, it is easy to reach the correct OEP position with only a little single step tracking.

2.3 memory image method (secondary breakpoint method)

Memory mirroring method is to enter the virtual memory section of the program through the ALT + m shortcut key of OD when the shell program is loaded. Then, by adding two memory one-time breakpoints, the correct OEP position of the program is reached.

The principle of memory mirroring method is that for the program resource segment and the breakpoint under the code segment, when the program is self decompressed or self decrypted, it will first access the resource segment to obtain the required resources, and then turn back to the program code segment after the automatic shelling is completed. At this time, the program will stop at the OEP at the next memory one-time breakpoint.

2.4 one step to OEP

The so-called shelling method to reach the OEP in one step is to find the assembly instruction closest to the OEP according to the characteristics of the shelled, then lower the int3 breakpoint and dump the program when the program reaches the OEP. For example, for some compressed shells, the POPAD instruction is very close to the OEP or magic jump. Therefore, using the search function of OllyDbg, you can search the feature assembly code of the shell to achieve the effect of reaching the OEP at the breakpoint in one step.

2.5 last anomaly method

The principle of the last exception method is that the program may trigger countless exceptions during self decompression or self decryption. If the location of the last program exception can be located, it may be very close to the completion position of automatic shelling. Now, for the last exception shelling, you can use the exception counter plug-in of OllyDbg to record the number of exceptions first, then reload, and automatically stop at the last exception.

2.6 simulation tracking method

The principle of simulation tracking method is to use the conditional breakpoint under OllyDbg. SFX is equivalent to a self decompression segment. At the end of the self decompression segment (when the value of EIP is transferred to the code segment), it is very close to OEP, but this tracking method will be time-consuming.

2.7 “SFX” method

“SFX” method makes use of the OEP search function of OllyDbg. You can choose to stop the program directly at the OEP found by OD. At this time, the self decompression has been completed and you can dump the program directly.

3 some shelling practices

The following is a summary of how to use the above methods, and try to manually take off the shelling notes of these common shells.

3.1 upx shelling notes

First, conduct shell detection:

Reverse Fundamentals: introduction to manual software shelling Technology

First, throw the program into olly ice. You can see:

Reverse Fundamentals: introduction to manual software shelling Technology

Then try to use the ESP theorem here: that is, when the ESP is changed for the first time, set the hardware word access breakpoint for the ESP address, so that you can jump to the normal entry of the program after the code is restored by the upx algorithm.

Reverse Fundamentals: introduction to manual software shelling Technology

Then, F5 runs and does not directly jump to the big jump position at the program entrance, but you can see that the big jump of upx is in front of you:

Reverse Fundamentals: introduction to manual software shelling Technology

Therefore, the entry point of the restored program is 0x00445151 (you can also see the big jump position by walking down one step and F4 slightly going back.) then go to the big jump position and jump to the entrance of the normal program:

Reverse Fundamentals: introduction to manual software shelling Technology

Then remove the hardware breakpoint and use the dump function of loadpe to dump the target program:

Reverse Fundamentals: introduction to manual software shelling Technology

Correct the image size first, and then select complete shelling to obtain the program of dump in the first step, and then use importrec to repair the OEP of dump program. The information of OEP can be queried through the dump function of OD or directly filled in 45151:

Reverse Fundamentals: introduction to manual software shelling Technology

Fill the correct entry address into importrec, and then automatically search IAT information:

Reverse Fundamentals: introduction to manual software shelling Technology

Then click get input table to get the program function input table after IAT correction, and then click Show Invalid function. Happily, it is found that there is no invalid function, so you can directly repair the transfer file.

Reverse Fundamentals: introduction to manual software shelling Technology

Select the dump file just dumped in the first step to repair. After the repair, the shelling is completed:

Reverse Fundamentals: introduction to manual software shelling Technology

Here, for the compressed shell upx, the ESP law is directly used, which makes it easy to find the OEP and dump program.

4.2 telock shelling notes

Here is a telock shell:

Reverse Fundamentals: introduction to manual software shelling Technology

1. First use the simplest last exception method: first throw the program into ollyice and set the exception option in OD debugging options,

Reverse Fundamentals: introduction to manual software shelling Technology

Only retain the memory illegal access exception, and then use the exception counter plug-in to clear the breakpoint setting before use:

Reverse Fundamentals: introduction to manual software shelling Technology

After the program runs normally, reload the program, and then select the second step to stop before the last exception:

Reverse Fundamentals: introduction to manual software shelling Technology

Then use Alt + m to go to the memory window and execute Shift + F9 for the memory breakpoint under the code section of the main program:

Reverse Fundamentals: introduction to manual software shelling Technology

In this way, the program is interrupted at the correct OEP, and you can choose to delete the analysis from the module to display the assembly code of normal analysis. Then use the loadpe dump program and correct the program image size. However, when using importrec v1.6f fix, enter the correct OEP and obtain the function input table information, you will find invalid pointers. After repairing with method 1, it can be completely repaired with method 3

Reverse Fundamentals: introduction to manual software shelling Technology

Click fix dump again to repair the program from the previous dump and complete the shelling:

Reverse Fundamentals: introduction to manual software shelling Technology

2. Use the secondary memory breakpoint method: first load the program, ignore all exception types, then set the memory breakpoint in the IData section, and then shift + F9:

Reverse Fundamentals: introduction to manual software shelling Technology

After stopping, set the memory breakpoint in the code section again and execute Shift + F9 again to directly reach the correct OEP:

Reverse Fundamentals: introduction to manual software shelling Technology

Then loadpe dump and repair IAT. The repair method is the same as method 1.

3. After finding magic jump and repairing the function table, dump the program: add memory breakpoints (IData and code) in the first two steps, and then locate the correct OEP of the program

Reverse Fundamentals: introduction to manual software shelling Technology

Then, if you use loadpe dump to repair, it will be the same as the first two. Here, first use importrec to obtain the pointer address of the first position of the function input table.

Reverse Fundamentals: introduction to manual software shelling Technology

Then, the function pointer offset address is 0x005512c, which is 0x045512c after adding the base address. At this time, the hardware accesses the double word breakpoint at this position. After re Shift + F9 ignores the exception execution, the CRC verification error of telock will be triggered due to the breakpoint:

Reverse Fundamentals: introduction to manual software shelling Technology

Therefore, the CRC check must be bypassed before it can be successfully executed to the hardware breakpoint. Therefore, first pause the program, and then use Alt + F9 to return the user code. After clicking the OK button, the program pauses at the location where ExitProcess is called:

Reverse Fundamentals: introduction to manual software shelling Technology

Now look for a jump that can skip this exit (CRC judgment jump), and then modify and skip:

Reverse Fundamentals: introduction to manual software shelling Technology

The location that should be modified is found, but it will be recovered if it is re run after modification, so first write down the jump address, 0x00469622. After rerunning, set the memory breakpoint in IData, stop Shift + F9, and then Ctrl + G to find the modification point and modify it. After modification, set the previous hardware breakpoint, so that CRC verification error will not be triggered.

After countless times of Shift + F9, the pointer can be seen in the register window and can be displayed normally:

Reverse Fundamentals: introduction to manual software shelling Technology

Then, press F8 to find magic jump… Look at Xiaosheng dada’s video screen to get the location of magic jump by analyzing the suspected CRC jump:

Reverse Fundamentals: introduction to manual software shelling Technology

Here, write down the address of magic jump as 0x0046973b, then empty the UDD file, delete the hardware breakpoint, run the program again, then stop the memory breakpoint under IData, then Ctrl + G find the location of magic jump, and modify the jump:

Reverse Fundamentals: introduction to manual software shelling Technology

Then, the memory breakpoint under the code segment:

Reverse Fundamentals: introduction to manual software shelling Technology

Then, execute Shift + F9, and stop to reach the position of OEP:

Reverse Fundamentals: introduction to manual software shelling Technology

At this time, the dump program, IAT table has been repaired, and the shelled program can be obtained directly:

Reverse Fundamentals: introduction to manual software shelling Technology

Here, two other shelling methods are tried, and after the CRC verification is repaired by finding the OEP in advance, the repaired program of IAT is directly dumped.

3.3 pencrypt shelling notes

Reverse Fundamentals: introduction to manual software shelling Technology

First throw the program into olly ice, and then the program stops here. It looks strange:

Reverse Fundamentals: introduction to manual software shelling Technology

Well, reload the program, try to use the last exception method without ignoring all exceptions, and then use the exception counter plug-in. The program stops at the last exception:

Reverse Fundamentals: introduction to manual software shelling Technology

If you press F8 at this time, the program will trigger exception handling, and then you can’t get to the OEP again. At this time, you need to take a look at the stack data:

Reverse Fundamentals: introduction to manual software shelling Technology

At this time, you need to lower the breakpoint F2 at 0040ccd7, and then shift + F9. You can skip this pit:

Reverse Fundamentals: introduction to manual software shelling Technology

The next step is F8 + F4, all the way to OEP:

Reverse Fundamentals: introduction to manual software shelling Technology

After shelling with loadpe and repairing with importrec, although there is no invalid pointer, it still cannot run:

Reverse Fundamentals: introduction to manual software shelling Technology

At this time, use the function of rebuilding PE with loadpe:

Reverse Fundamentals: introduction to manual software shelling Technology

Reverse Fundamentals: introduction to manual software shelling Technology

Then you can run normally:

Reverse Fundamentals: introduction to manual software shelling Technology

This shell uses the shelling method of one-step tracking, skips the program “trap” all the way, and finally reaches OEP. And using the reconstruction function of loadpe, the program is reconstructed, and finally the whole process of shelling the encrypted shell is completed.

3.4 notes on FSG deformed shell shelling

First, conduct shell detection:

Reverse Fundamentals: introduction to manual software shelling Technology

Using the ESP law, first throw the program into ollyice, F8 single step to observe the ESP change. When the ESP changes for the first time, set the memory hardware access word breakpoint at the address corresponding to the ESP, and then shift + F9 run. After the program stops, cancel the hardware breakpoint and F8 single step:

Reverse Fundamentals: introduction to manual software shelling Technology

Skip the backward jump (loop) with F4, and then continue to look down until here:

Reverse Fundamentals: introduction to manual software shelling Technology

Under this JMP, F4, the program will run and fly. It indicates that the program code has been released in this loop, so look up to see if there is a conditional jump in this loop. In this way, it is easy to find the location of magic jump, and then we enter or Ctrl + G to 00402666. It is found that it is indeed an OEP. Re analyze it, and then F2 break point to let the program go to OEP:

Reverse Fundamentals: introduction to manual software shelling Technology

If it is fsg1.33, directly use the loadpe dump file, and then use importrec to repair it, you can shell normally. However, when using importrec to repair here, an invalid pointer will appear:

Reverse Fundamentals: introduction to manual software shelling Technology

Cut (or delete) this pointer directly here, and then repair the transferred file. It is found that it cannot be opened normally:

! [insert picture description here](https://img-blog.csdnimg.cn/6…
process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBA5Luj56CB54as5aSc5pWy,size_12,color_FFFFFF,t_70,g_se,x_16)

Then throw the repaired program into ollyice and run it directly with F9:

Reverse Fundamentals: introduction to manual software shelling Technology

Here is a hidden pile added by the deformation shell, which will cause the program to exit abnormally. Here, directly drop NOP or change the previous JLE (verification) to JMP, and then save the modification as a file. Then you can run

Reverse Fundamentals: introduction to manual software shelling Technology

Recommended Today

Apache sqoop

Source: dark horse big data 1.png From the standpoint of Apache, data flow can be divided into data import and export: Import: data import. RDBMS—–>Hadoop Export: data export. Hadoop—->RDBMS 1.2 sqoop installation The prerequisite for installing sqoop is that you already have a Java and Hadoop environment. Latest stable version: 1.4.6 Download the sqoop installation […]