Unpacking 0: FSG packer, detailed process


1 Identify the packer: look at the file in Exeinfo PE / PEiD

The scan reports a very old packer: FSG.

Analysis:

Entry Point: 000000154. Anyone familiar with the PE structure will notice that the entry point (code) has been squeezed into the PE header.

Since Windows 10 (a restriction was added) no longer allows code in the PE header to execute, this program only runs on Windows 7 and earlier machines. So use a virtual machine to unpack this very old sample; it cannot run on my current Windows 10 machine.

2 Observe the PE structure with LordPE

Click through to the section information:

Analysis:

Two things stand out in the section table: the section names have been wiped, and the first section has a virtual size of 0x17000 while its raw size (the size in the file) is 0.
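The two traits spotted by hand in PEiD and LordPE above, an entry point that lies inside the PE headers and nameless sections of which the first has VirtualSize 0x17000 but SizeOfRawData 0, can be checked programmatically. The Python below is an added example, not code from the article: it builds a constructed minimal PE32 header shaped like the sample (no real packed bytes) and runs a small heuristic parser over it. The field offsets are the standard PE32 ones; the sample bytes, the function names and the tag names are my own.

```python
import struct


def build_sample_pe():
    """Constructed sample: a minimal PE32 file shaped like the packed file in
    the article (entry RVA 0x154 inside the headers, two nameless sections,
    the first with VirtualSize 0x17000 and SizeOfRawData 0). Not real bytes."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> "PE\0\0"
    # COFF header: i386, 2 sections, optional header size 0xE0, EXE flags
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)                               # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)               # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x154)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)             # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)              # FileAlignment
    struct.pack_into("<I", opt, 56, 0x22000)            # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)              # SizeOfHeaders
    sec = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData,
                           # PointerToRawData, relocs/linenums, Characteristics
    sections = struct.pack(sec, b"", 0x17000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000060)
    sections += struct.pack(sec, b"", 0xA000, 0x18000, 0x3000, 0x200, 0, 0, 0, 0, 0xE0000060)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections
    return header.ljust(0x200, b"\0") + b"\0" * 0x3000


def parse_pe(data):
    """Parse only the fields the packer heuristics need (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    size_of_headers, = struct.unpack_from("<I", data, opt + 60)
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"entry": entry, "image_base": image_base,
            "size_of_headers": size_of_headers, "sections": sections}


def packer_indicators(data):
    """Return (tag, detail) pairs for the traits the article spots by hand."""
    pe = parse_pe(data)
    found = []
    if pe["entry"] < pe["size_of_headers"]:
        found.append(("entry_in_headers",
                      f"entry RVA {pe['entry']:#x} < SizeOfHeaders {pe['size_of_headers']:#x}"))
    for s in pe["sections"]:
        if not s["name"]:
            found.append(("nameless_section", f"section at RVA {s['va']:#x}"))
        if s["raw_size"] == 0 and s["vsize"] > 0:
            found.append(("zero_raw_section",
                          f"RVA {s['va']:#x}: VirtualSize {s['vsize']:#x}, SizeOfRawData 0"))
    return found


if __name__ == "__main__":
    for tag, detail in packer_indicators(build_sample_pe()):
        print(f"{tag:18} {detail}")
```

A section with no bytes on disk but a large virtual size is where the packer will unpack the original code at run time, which is also why the entry point sits in the headers: the stub needs somewhere to live that the file actually contains.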

3 Debug the program in OllyDbg (OD) and try to find the OEP

3.1 Open it in OD and locate the packer stub

Junk instructions built from NOPs break the disassembly; once the disassembler resolves them correctly, we add comments and a label: "FSG shell".

Analysis: as soon as we enter, the packer has already prepared all its data at address 0x4219D8, held in a register, and saves the current environment on the stack through ESP; it can then POP the stack to operate on the data it saved. Why couldn't we see this before the operation? We will analyse it again when we write a packer ourselves.

3.2 Try to find the OEP

Single-step through the code.

The first CALL we encounter is the core of the operation:

```asm
0x00400160:
CALL DWORD PTR DS:[EBX]   ; at this point EBX is 0x4219DC, so [EBX] is 0x4001E8
```

Step into 0x4001E8:

Combined with the code below, we can roughly understand the algorithm of this call.

Analysis:

This is a string-copy routine (on a quick look it is irreversible: going A -> B, B -> A cannot be recovered). The information is incomplete, but that may not matter. We can ignore the copy loop for now. To skip it: click each jmp/call below in turn and check whether it jumps back upwards; keep going until you find one that does not. Alternatively, install a highlighting plugin (asmHighLight.dll): since the core of this call is copying opcodes to the instruction at address 0x400160, scroll down and look for the point where the highlight colour no longer appears above it; that usually finds the end of the routine, and the rest of the copy algorithm can be skipped.

Then we find the last highlighted instruction later in the packer code. This unconditional jump is in fact the last instruction of this part of the algorithm.

After the jump that follows the string-copy routine, we find only about ten lines remain. Set a breakpoint on the key line, run to it, and we arrive directly at the OEP.

The jump to the OEP turns out to be this instruction:

4 Dump

After stepping into the import-related code, we examined a few jump-target values and found nothing abnormal (no corrupted data).

Use the OllyDump plugin that OD ships with and dump the process to disk.

Analysis:

In fact, looking at the addresses, the entry point and the headers, nothing is wrong with them. If you did not click the unpacking

5 Repair the IAT

Here we use ImpREC to repair the IAT.

We find that the IAT information recovered here is incomplete, so we need to inspect the IAT table for anomalies.

Analysis:

From the function offsets found here, the IAT table can be located quickly.

For example, the RVA here is B000, so the virtual address is 40B000; observed in OD it looks like this:

Scrolling down, we find:

Two outlier entries stop ImpREC from parsing; we set them to the normal separator value 00000000:

After the change, parsing the IAT table with ImpREC again shows it as complete.

Finally, click Fix Dump and select the dump we just produced with OD; the repaired program is written out.
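The IAT walk done by eye in OD above (start at 40B000, a 00000000 dword separates the per-DLL thunk arrays, and any slot that points into no loaded module is an outlier that makes ImpREC stop) can be scripted over a dump of the IAT region. The Python below is an added example, not the article's or ImpREC's code: the module address ranges and the IAT contents are constructed, and IAT_VA is taken from the article's RVA B000 at image base 0x400000.

```python
import struct

# IAT base from the article: RVA B000 at ImageBase 0x400000.
IAT_VA = 0x40B000

# Hypothetical module ranges, as a debugger's module list would show them.
MODULES = {
    "kernel32.dll": (0x7C800000, 0x7C900000),
    "user32.dll":   (0x77D10000, 0x77DA0000),
}

# Constructed IAT contents: one thunk array per DLL, each ended by a zero
# dword, plus two values that point into no loaded module (the "outliers").
SAMPLE_IAT = b"".join(struct.pack("<I", v) for v in [
    0x7C801D7B, 0x7C80AE40, 0x00000000,
    0x77D1B52E, 0x0040C0DE, 0x77D2F2A1, 0x00000000,
    0xDEADBEEF, 0x00000000,
])


def owner_of(addr, modules):
    """Name of the module whose address range contains addr, else None."""
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return None


def scan_iat(blob, modules, base=IAT_VA):
    """Walk the IAT dword by dword. A zero ends the current array. Returns the
    arrays as (va, value, owner) tuples and the VAs of slots whose value lies
    outside every module range."""
    arrays, current, outliers = [], [], []
    for off in range(0, len(blob) - len(blob) % 4, 4):
        val, = struct.unpack_from("<I", blob, off)
        if val == 0:
            if current:
                arrays.append(current)
                current = []
            continue
        owner = owner_of(val, modules)
        if owner is None:
            outliers.append(base + off)
        current.append((base + off, val, owner))
    if current:
        arrays.append(current)
    return {"arrays": arrays, "outliers": outliers}


def zero_outliers(blob, modules, base=IAT_VA):
    """Return a copy of the IAT with every outlier slot set to 00000000,
    the manual fix applied in the article before re-running ImpREC."""
    patched = bytearray(blob)
    for va in scan_iat(blob, modules, base)["outliers"]:
        struct.pack_into("<I", patched, va - base, 0)
    return bytes(patched)


if __name__ == "__main__":
    report = scan_iat(SAMPLE_IAT, MODULES)
    for i, arr in enumerate(report["arrays"]):
        print(f"array {i}: " + ", ".join(f"{va:#x}->{val:#x} ({owner})" for va, val, owner in arr))
    print("outliers:", [f"{va:#x}" for va in report["outliers"]])
    fixed = scan_iat(zero_outliers(SAMPLE_IAT, MODULES), MODULES)
    print("after patch, arrays:", [len(a) for a in fixed["arrays"]], "outliers:", fixed["outliers"])
```

Zeroing a slot in the middle of an array splits that array in two, as the sample's second array shows after the patch; the surviving entries still resolve, but the import that sat in the zeroed slot is gone and has to be dealt with separately, so note what each flagged slot held before patching.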


6 Test the unpacked program

Yes!!!


Source: www.cnblogs.com/leibso-cy/p/FSG_SHELL.html