CTF REVERSE Exercise: Unpacking Analysis

Today I will introduce the unpacking analysis exercise. In nature, shells protect: plants use shells to protect their seeds, animals use shells to protect their bodies, and so on. Similarly, some computer software contains a program that is specifically responsible for protecting the software from being illegally modified or decompiled. After it is attached to the original program and loaded into memory by the Windows loader, it gains control before the original program executes; during execution it decrypts and restores the original program, and once restoration is complete it hands control back to the original program's code. After packing, the original program code generally exists in encrypted form in the disk file and is only restored in memory while running, which effectively prevents crackers from illegally modifying the program file and also prevents the program from being statically decompiled. Because such a program shares many functions with shells in nature, it is called a "shell" (a packer) by analogy.

So once a shell has been added, can we no longer reverse the program directly?

We still can, and there are several types of shells.
According to their functional characteristics, shells can be divided into compression shells and encryption shells. Compression shells focus on reducing size, while encryption shells focus on encryption; the two have different starting points. Common compression shells include UPX, ASPack, etc. Common encryption shells include ASProtect, Armadillo, etc. Different shells require different operations to remove.

Dadong: First enter the experiment link ["CTF REVERSE Exercise: Unpacking Analysis"](https://www.hetianlab.com/expc.do?ec=ECID172.19.104.182014111410053900001&pk_campaign=freebuf-wemedia).

Title description:

There is a CrackMe6.exe program in the C:\Reverse\6 directory of the host. This program is packed with UPX. Please try to unpack it manually and write a detailed analysis report. The unpacked program must run normally.

Now let's start. First run C:\Reverse\6\CrackMe6.exe; it prompts that the program needs to be unpacked. The program's running interface is shown in the figure below:

image1.png

It says it is a UPX shell, but could that be a lie? Is there software that can identify the shell?

Of course there is. Didn't we mention PEiD before? It can not only tell whether a shell is present, but even which type of shell it is. Load the program in PEiD to check what shell has been added to CrackMe6.exe. PEiD's main interface is shown in the figure below:

Picture 2.png

The prompt reads "UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo", so we can preliminarily conclude that the program has been packed with UPX.
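PEiD's verdict above comes from byte signatures at the entry point. As an added example (not PEiD's code and not part of the original post), the script below shows two cheaper packing heuristics an analyst can run without any third-party library: the section names UPX leaves behind (UPX0/UPX1) and the Shannon entropy of each section's raw data, which rises toward 8 bits per byte for compressed or encrypted content. The PE parser reads only the DOS header, the file header and the section table; `build_sample_pe` is a constructed minimal PE image used purely so the example runs offline, and the section contents it contains are made up.

```python
import math
import struct

# Added example, not from the original post or from PEiD.
# Section names UPX itself writes; a repacked or renamed binary will not show them,
# so this is a hint, not proof (entropy is the second hint).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed/encrypted data sits near 8.0, plain x86 code around 5-6.5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return [(name, virtual_size, raw_bytes)] from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table follows the optional header.
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_hdr_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    sect_tbl = e_lfanew + 24 + opt_hdr_size
    sections = []
    for i in range(num_sections):
        off = sect_tbl + i * 40           # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vsize, pe[rptr:rptr + rsize]))
    return sections


def packer_hints(pe: bytes) -> dict:
    """Combine the two heuristics into a small report."""
    names, high_entropy = [], []
    for name, _vsize, raw in parse_sections(pe):
        names.append(name)
        if raw and shannon_entropy(raw) > 7.0:   # threshold is a rule of thumb
            high_entropy.append(name)
    upx_names = bool(UPX_SECTION_NAMES & set(names))
    return {
        "sections": names,
        "upx_names": upx_names,
        "high_entropy": high_entropy,
        "likely_packed": upx_names or bool(high_entropy),
    }


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE (headers + section table + raw data) for offline testing.
    It is not a loadable executable; 'sections' is a list of (name, raw_bytes)."""
    e_lfanew, opt_size = 0x40, 0xE0
    hdr_len = e_lfanew + 24 + opt_size + 40 * len(sections)
    raw_start = (hdr_len + 0x1FF) & ~0x1FF     # 512-byte file alignment
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    table, body, ptr, vaddr = bytearray(), bytearray(), raw_start, 0x1000
    for name, raw in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), vaddr, len(raw), ptr)
        table += b"\0" * 16                    # relocs/linenumbers/characteristics
        body += raw
        ptr += len(raw)
        vaddr += (len(raw) + 0xFFF) & ~0xFFF
    image = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + bytes(table)
    return image.ljust(raw_start, b"\0") + bytes(body)


if __name__ == "__main__":
    # UPX0 has no raw data in a real UPX file; UPX1 holds the compressed image.
    sample = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 8)])
    print(packer_hints(sample))
```

Both signals are easy to defeat on purpose (sections can be renamed, data can be padded), so treat a positive as a reason to look closer, exactly as the PEiD result above is only a "preliminary" conclusion.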

Let's try using IDA to analyze this packed program. IDA pops up the following warning, as shown in the figure:

Picture 3.png

Such a prompt usually means the program has been packed. At this point it is best not to analyze it directly with IDA, because the program's internal execution logic is hard to understand through static analysis of the packed code.

So we use OD (OllyDbg) to unpack it instead. Load CrackMe6.exe into OD; the disassembly window stops on a pushad instruction. Press F8 to single-step to the next instruction, then select the ESP register in the register window on the right (its value is 0012FFA4), right-click it, and choose "Follow in data window" from the context menu, as shown in the figure:

Picture 4.png

In the data window below the disassembly window, select the four bytes starting at 0012FFA4, right-click, and choose "Breakpoint" - "Hardware Access" - "Dword" from the context menu, as shown in the figure:

Picture 5.png

Next, press F9 to run the program. After it runs for a moment, OD breaks automatically. Before going on, delete the hardware breakpoint we set earlier: choose "Debug" - "Hardware Breakpoint" from the menu and remove it, as shown in the figure:

Picture 6.png

Now press F7 to single-step until execution reaches the instruction at 0043FD24. There is a loop here that is tedious to step through, so we can instead place the cursor on 0043FD24 and press F4 (run to the cursor line), then press F7 once more to single-step and arrive at 004094F8.

0043FD17   8D4424 80        lea eax, dword ptr [esp-80]
0043FD1B   6A 00            push 0
0043FD1D   39C4             cmp esp, eax
0043FD1F ^ 75 FA            jnz short 0043FD1B
0043FD21   83EC 80          sub esp, -80
0043FD24 - E9 CF97FCFF      jmp 004094F8
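The final jmp in the listing is the hand-off from the UPX stub to the original entry point, and its target is what "94F8" in the next steps refers to (the OEP's RVA, i.e. VA 004094F8 minus the default image base 00400000). As an added example, not part of the original post, the script below locates that stub tail statically in a byte buffer, using the opcode bytes shown in the listing as a pattern, decodes the E9 rel32 displacement (relative to the end of the 5-byte jmp), and returns the OEP as both a VA and an RVA. `SAMPLE` is constructed from the listing, padded with NOPs so the jmp lands at 0043FD24; the image base 0x00400000 is assumed.

```python
import struct

# Added example, not from the original post. Opcode bytes of the UPX stub tail as
# shown in the listing: lea eax,[esp-80] / push 0 / cmp esp,eax / jnz -6 / sub esp,-80 / E9.
# Only the rel32 after E9 varies between packed files, so it is excluded from the pattern.
UPX_TAIL = bytes.fromhex("8D4424806A0039C475FA83EC80E9")


def decode_jmp_rel32(code: bytes, offset: int, va_of_code: int) -> int:
    """Target VA of an E9 rel32 jmp located at code[offset].
    The displacement is relative to the next instruction (offset + 5)."""
    if code[offset] != 0xE9:
        raise ValueError("not an E9 jmp at offset 0x%X" % offset)
    rel = struct.unpack_from("<i", code, offset + 1)[0]   # signed 32-bit
    return va_of_code + offset + 5 + rel


def find_upx_oep(code: bytes, va_of_code: int, image_base: int):
    """Return (jmp_va, oep_va, oep_rva) for the first UPX stub tail in 'code', or None."""
    idx = code.find(UPX_TAIL)
    if idx < 0:
        return None
    jmp_off = idx + len(UPX_TAIL) - 1                    # index of the E9 byte
    oep_va = decode_jmp_rel32(code, jmp_off, va_of_code)
    return (va_of_code + jmp_off, oep_va, oep_va - image_base)


# Constructed from the listing: 7 NOPs, then the stub tail with its real rel32 (CF97FCFF),
# so that with va_of_code = 0x0043FD10 the jmp sits at 0x0043FD24.
SAMPLE = bytes.fromhex("90909090909090" "8D4424806A0039C475FA83EC80" "E9CF97FCFF")
IMAGE_BASE = 0x00400000   # assumed default base for a VC++ 6.0 executable

if __name__ == "__main__":
    jmp_va, oep_va, oep_rva = find_upx_oep(SAMPLE, 0x0043FD10, IMAGE_BASE)
    print("jmp at %08X -> OEP %08X (RVA %X for ImportREC)" % (jmp_va, oep_va, oep_rva))
```

The same arithmetic is why OD shows 004094F8 while ImportREC wants 94F8: the debugger works with virtual addresses, the import fixer with RVAs. The pattern matches only the stub variant shown here; the ESP-law hardware breakpoint used above works regardless of how the stub's tail is arranged, which is why it remains the practical route.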

Now right-click in the disassembly window, choose the "Dump debugged process" menu item, and click the "Dump" button in the OllyDump window that appears to save the file. Note that 94F8 here is the program's entry point information. We save the program as dumped.exe, as shown in the figure:

Picture 7.png

Continuing the experiment, open the ImportREC program on the desktop. First select C:\Reverse\6\crackme6.exe in the process list, then enter 94F8 in the OEP field (the value we found in OD), click the "IAT AutoSearch" button, and then click the "GetImports" button to see the program's import table.

Click the "Show Invalid" button on the right to check for invalid import table entries. Invalid entries are marked with a question mark (?) and can be deleted via the right-click menu if there are any. There are none here, so click the "Fix Dump" button, select our dumped.exe, and obtain the repaired dumped_.exe program.

Picture 8.png

The unpacking and import repair of the program are now complete. Check dumped.exe with PEiD: it reports "Microsoft Visual C++ 6.0", and the dumped.exe program also runs normally. At this point the unpacking is finished.


Finally

For students who have never been exposed to network security, we have prepared a detailed learning and growth roadmap. It is arguably the most scientific and systematic learning route, and following this general direction will serve everyone well.

Each section of the growth route also has accompanying videos:

Besides the videos, various documents, books, materials and tools have been collected and sorted into categories for you.

Due to limited space, only part of the material is shown here. Anyone who needs it can click the card below to get it for free:


Source: blog.csdn.net/web22050702/article/details/132196907