Shelling and cracking basics: knowledge of the shell

Let me introduce what you need to know about software shells (packers).

What is a shell

To protect their software from being cracked and modified, many software vendors pack and encrypt the code to make cracking harder, and so protect the program.

First of all, everyone should understand the concept of a “shell”. In some software there is a program specifically responsible for protecting the software from illegal modification or decompilation. Such programs generally run before the real program, gain control, and then carry out their task of protecting it. Think of a walnut: if you want to eat the meat inside, you must first break the hard shell on the outside. Likewise, if you want to see the internal logic of a program, you must first remove its shell.

The author of a program compiles it into an exe executable. Some copyright information in it, such as the author's name, needs protecting: the author does not want this information changed by others, which means protecting the software from being cracked, and this is usually done by packing. Packing also usually makes the program smaller, reducing its file size and memory footprint for convenience. So software that can compress exe executables is needed, and packers are also used on Trojan horses so that they evade anti-virus software.

Why unpack

Unpacking lets us learn the programming logic of a piece of software and achieve what we want. If we do not unpack, we cannot understand the software's logic, we cannot get at its source code, we cannot crack it, and this article would not exist.
When we get a piece of software and want to understand its programming logic, we need to disassemble it. If it has a shell, the shell must be removed first (some software can also be cracked without unpacking). If we need to analyze a virus or Trojan horse, we also need to unpack it: a virus or Trojan horse that was not packed would be killed by anti-virus software.

Some common shells

1. ASPack
2. caspr
3. UPX
4. PEcompact
and many more…

To unpack, we need to use some assembly instructions. This is a must: if we do not understand assembly instructions, the software cannot be unpacked.

Below I introduce the main assembly instructions needed for cracking.

 

1. Data transfer instructions
─────────────────────────────────────
They transfer data between memory and registers, and between registers and input/output ports.

1. General data transfer instructions.
MOV transfers a word or byte.
MOVSX sign-extends, then transfers.
MOVZX zero-extends, then transfers.
PUSH pushes a word onto the stack.
POP pops a word off the stack.
PUSHA pushes AX, CX, DX, BX, SP, BP, SI, DI onto the stack in sequence.
POPA pops DI, SI, BP, SP, BX, DX, CX, AX from the stack in turn.
PUSHAD pushes EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI onto the stack in sequence.
POPAD pops EDI, ESI, EBP, ESP, EBX, EDX, ECX, EAX from the stack in turn.
BSWAP swaps the byte order of a 32-bit register.
XCHG exchanges words or bytes. (At least one operand must be a register; segment registers cannot be operands.)
CMPXCHG compares and exchanges operands. (The second operand must be the accumulator AL/AX/EAX.)
XADD exchanges, then adds. (The result is left in the first operand.)
XLAT byte table lookup.
── BX points to the start of a 256-byte table and AL is the index into it (0-255, i.e. 0-FFH); the lookup result is returned in AL. ([BX+AL] -> AL)

2. Input/output port transfer instructions.
IN I/O port input. (Syntax: IN accumulator, {port number│DX})
OUT I/O port output. (Syntax: OUT {port number│DX}, accumulator)
When the port is given as an immediate, its range is 0-255; when it is given in register DX, its range is 0-65535.

3. Address transfer instructions.
LEA loads an effective address.
Example: LEA DX,string ; store the offset address in DX.
LDS transfers a far pointer: the offset goes into the register operand and the segment into DS.
Example: LDS SI,string ; store segment:offset in DS:SI.
LES transfers a far pointer: the offset goes into the register operand and the segment into ES.
Example: LES DI,string ; store segment:offset in ES:DI.
LFS transfers a far pointer: the offset goes into the register operand and the segment into FS.
Example: LFS DI,string ; store segment:offset in FS:DI.
LGS transfers a far pointer: the offset goes into the register operand and the segment into GS.
Example: LGS DI,string ; store segment:offset in GS:DI.
LSS transfers a far pointer: the offset goes into the register operand and the segment into SS.
Example: LSS DI,string ; store segment:offset in SS:DI.

4. Flag transfer instructions.
LAHF flag register transfer: loads the flags into AH.
SAHF flag register transfer: loads the contents of AH into the flag register.
PUSHF pushes the flags onto the stack.
POPF pops the flags from the stack.
PUSHFD pushes the 32-bit flags onto the stack.
POPFD pops the 32-bit flags from the stack.

 

2. Arithmetic instructions
─────────────────────────────────────
ADD addition.
ADC add with carry.
INC add 1.
AAA ASCII adjust for addition.
DAA decimal adjust for addition.
SUB subtraction.
SBB subtract with borrow.
DEC subtract 1.
NEG negate (subtract from 0).
CMP compare. (The two operands are subtracted; only the flags are modified and the result is not stored.)
AAS ASCII adjust for subtraction.
DAS decimal adjust for subtraction.
MUL unsigned multiply.
IMUL signed integer multiply.
For the above two, the result is returned in AH and AL (byte operation) or in DX and AX (word operation).
AAM ASCII adjust for multiplication.
DIV unsigned divide.
IDIV signed integer divide.
For the above two, the results are returned as follows:
the quotient in AL and the remainder in AH (byte operation);
or the quotient in AX and the remainder in DX (word operation).
AAD ASCII adjust for division.
CBW convert byte to word. (Extends the sign of the byte in AL into AH.)
CWD convert word to doubleword. (Extends the sign of the word in AX into DX.)
CWDE convert word to doubleword. (Extends the sign of the word in AX into EAX.)
CDQ convert doubleword to quadword. (Extends the sign of the doubleword in EAX into EDX.)

 

3. Logic instructions
─────────────────────────────────────
AND logical AND.
OR logical OR.
XOR exclusive OR.
NOT negate (bitwise complement).
TEST test. (The two operands are ANDed; only the flags are modified and the result is not stored.)
SHL logical shift left.
SAL arithmetic shift left. (=SHL)
SHR logical shift right.
SAR arithmetic shift right. (=SHR for non-negative values; for negative values SAR copies the sign bit into the vacated positions, whereas SHR fills them with zeros.)
ROL rotate left.
ROR rotate right.
RCL rotate left through the carry flag.
RCR rotate right through the carry flag.
The above eight shift instructions can shift up to 255 times.
For a shift of 1, the count can be written directly in the instruction, for example SHL AX,1.
For a shift of more than 1, the count is given in register CL, for example:
MOV CL,04
SHL AX,CL

4. String instructions
─────────────────────────────────────
DS:SI source string segment register : source string index.
ES:DI destination string segment register : destination string index.
CX repeat counter.
AL/AX scan value.
D flag: 0 means SI and DI are automatically incremented during repeated operations; 1 means they are automatically decremented.
Z flag: controls when a scan or compare operation ends.
MOVS string move.
(MOVSB moves bytes. MOVSW moves words. MOVSD moves doublewords.)
CMPS string compare.
(CMPSB compares bytes. CMPSW compares words.)
SCAS string scan.
The content of AL or AX is compared with the destination string, and the result is reflected in the flags.
LODS load string.
Loads the elements (words or bytes) of the source string into AL or AX one at a time.
(LODSB loads bytes. LODSW loads words. LODSD loads doublewords.)
STOS store string.
The reverse of LODS.
REP repeat while CX/ECX<>0.
REPE/REPZ repeat while ZF=1 (the comparison was equal) and CX/ECX<>0.
REPNE/REPNZ repeat while ZF=0 (the comparison was not equal) and CX/ECX<>0.
REPC repeat while CF=1 and CX/ECX<>0.
REPNC repeat while CF=0 and CX/ECX<>0.
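
The string instructions above are what a reverse engineer sees in a disassembly as an inlined memcpy or strlen. The following C program is an added example, not code from the original lesson: it models DS:SI/ES:DI, CX, AL, the D flag and the Z flag as described above and emulates REP MOVSB and REPNE SCASB, so the classic `MOV ECX,-1 / XOR AL,AL / REPNE SCASB / NOT ECX / DEC ECX` string-length idiom and the effect of the direction flag on an overlapping copy (using the constructed buffer "abcdef") can be checked against the C library. The names cpu_t, rep_movsb, repne_scasb, strlen_via_scasb, memcpy_via_movsb, memmove_backward_via_movsb and overlap_copy_check are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of the registers the string instructions use (32-bit names); a
   constructed simplification for this example. */
typedef struct {
    const uint8_t *esi; /* DS:ESI, source string pointer */
    uint8_t *edi;       /* ES:EDI, destination string pointer */
    uint32_t ecx;       /* repeat counter */
    uint8_t al;         /* scan value for SCASB */
    int df;             /* direction flag: 0 = increment, 1 = decrement */
    int zf;             /* zero flag, set by SCAS */
} cpu_t;

/* REP MOVSB: while ECX<>0, copy one byte from [ESI] to [EDI], advance both
   by +1 (DF=0) or -1 (DF=1), and decrement ECX. */
void rep_movsb(cpu_t *c) {
    int step = c->df ? -1 : 1;
    while (c->ecx != 0) {
        *c->edi = *c->esi;
        c->esi += step;
        c->edi += step;
        c->ecx--;
    }
}

/* REPNE SCASB: while ECX<>0, compare AL with [EDI], advance EDI, decrement
   ECX, and stop as soon as ZF=1 (a match). */
void repne_scasb(cpu_t *c) {
    int step = c->df ? -1 : 1;
    while (c->ecx != 0) {
        c->zf = (*c->edi == c->al);
        c->edi += step;
        c->ecx--;
        if (c->zf) break;
    }
}

/* The strlen idiom seen in disassemblies:
     MOV EDI,s ; XOR AL,AL ; MOV ECX,-1 ; CLD ; REPNE SCASB ; NOT ECX ; DEC ECX
   ECX counts down from 0xFFFFFFFF through the terminator, so NOT ECX - 1
   is the number of bytes before the NUL. */
uint32_t strlen_via_scasb(const char *s) {
    cpu_t c = {0};
    c.edi = (uint8_t *)s;   /* SCASB only reads; the cast drops const for the model */
    c.al = 0;               /* XOR AL,AL */
    c.ecx = 0xFFFFFFFFu;    /* MOV ECX,-1 */
    c.df = 0;               /* CLD */
    repne_scasb(&c);
    return ~c.ecx - 1;      /* NOT ECX ; DEC ECX */
}

/* The memcpy idiom: MOV ESI,src ; MOV EDI,dst ; MOV ECX,n ; CLD ; REP MOVSB */
void memcpy_via_movsb(void *dst, const void *src, uint32_t n) {
    cpu_t c = {0};
    c.esi = src;
    c.edi = dst;
    c.ecx = n;
    c.df = 0;               /* CLD: copy forwards */
    rep_movsb(&c);
}

/* Overlapping copy with dst above src: STD, point ESI/EDI at the last byte,
   REP MOVSB then copies backwards so no source byte is overwritten before use. */
void memmove_backward_via_movsb(uint8_t *dst, const uint8_t *src, uint32_t n) {
    cpu_t c = {0};
    c.esi = src + n - 1;
    c.edi = dst + n - 1;
    c.ecx = n;
    c.df = 1;               /* STD: copy backwards */
    rep_movsb(&c);
}

/* Copies 4 bytes of the constructed buffer "abcdef" onto itself at offset 2,
   forwards (DF=0) or backwards (DF=1), and returns 0 if the result equals
   `expected`. Forwards yields the corrupted "ababab", backwards "ababcd". */
int overlap_copy_check(int backward, const char *expected) {
    char buf[8] = "abcdef";
    if (backward)
        memmove_backward_via_movsb((uint8_t *)buf + 2, (uint8_t *)buf, 4);
    else
        memcpy_via_movsb(buf + 2, buf, 4);
    return strcmp(buf, expected);
}

int main(void) {
    printf("strlen_via_scasb(\"hello\") = %u (libc says %zu)\n",
           strlen_via_scasb("hello"), strlen("hello"));
    printf("forward overlapping copy gives \"ababab\": %s\n",
           overlap_copy_check(0, "ababab") == 0 ? "yes" : "no");
    printf("backward overlapping copy gives \"ababcd\": %s\n",
           overlap_copy_check(1, "ababcd") == 0 ? "yes" : "no");
    return 0;
}
```

When tracing a shell in OD, a `REP MOVSB`/`REP MOVSD` loop preceded by `CLD` and a load of ECX is usually the packer copying the decompressed code into place, and the `REPNE SCASB` sequence is a string length; recognising both lets you step over them rather than single-stepping every iteration.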

5. Program transfer instructions
─────────────────────────────────────
1> Unconditional transfer instructions (long transfer)
JMP unconditional jump.
CALL procedure call.
RET/RETF return from procedure.
2> Conditional transfer instructions (short transfer, within a distance of -128 to +127)
(For signed operands, OP1<OP2 if and only if (SF XOR OF)=1.)
JA/JNBE jump if above (not below or equal).
JAE/JNB jump if above or equal (not below).
JB/JNAE jump if below (not above or equal).
JBE/JNA jump if below or equal (not above).
The above four test the result of an unsigned integer operation (flags C and Z).
JG/JNLE jump if greater (not less or equal).
JGE/JNL jump if greater or equal (not less).
JL/JNGE jump if less (not greater or equal).
JLE/JNG jump if less or equal (not greater).
The above four test the result of a signed integer operation (flags S, O and Z).
JE/JZ jump if equal (zero).
JNE/JNZ jump if not equal (not zero).
JC jump if carry.
JNC jump if no carry.
JNO jump if no overflow.
JNP/JPO jump if parity is odd.
JNS jump if the sign bit is “0”.
JO jump if overflow.
JP/JPE jump if parity is even.
JS jump if the sign bit is “1”.
3> Loop control instructions (short transfer)
LOOP loop while CX is not zero.
LOOPE/LOOPZ loop while CX is not zero and flag Z=1.
LOOPNE/LOOPNZ loop while CX is not zero and flag Z=0.
JCXZ jump if CX is zero.
JECXZ jump if ECX is zero.
4> Interrupt instructions
INT software interrupt.
INTO interrupt on overflow.
IRET return from interrupt.
5> Processor control instructions
HLT halts the processor; it does not continue until an interrupt or reset occurs.
WAIT puts the CPU into the wait state while the chip's TEST pin is high.
ESC escapes to an external (co)processor.
LOCK locks the bus.
NOP no operation.
STC sets the carry flag.
CLC clears the carry flag.
CMC complements (inverts) the carry flag.
STD sets the direction flag.
CLD clears the direction flag.
STI sets the interrupt enable flag.
CLI clears the interrupt enable flag.
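
The conditional jumps above are read constantly when tracing a shell in OD, and the usual confusion is that one CMP sets flags that mean different things to the unsigned jumps (flags C and Z) and to the signed jumps (flags S, O and Z). This C program is an added example, not part of the original lesson: it emulates 32-bit CMP and TEST exactly as the lesson describes them (only the flags change, no result is stored) and evaluates each Jcc condition from the table, including the stated rule that OP1<OP2 for signed operands if and only if SF XOR OF = 1. The names flags_t, cmp32, test32, matches and jcc are assumptions made for this example; JP/JPE and JNP/JPO are left out because the parity flag is not modelled.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* The four flags CMP and TEST leave behind (the lesson's C, Z, S and O). */
typedef struct {
    bool cf; /* carry: an unsigned borrow occurred */
    bool zf; /* zero: the result was 0, i.e. the operands were equal */
    bool sf; /* sign: bit 31 of the result */
    bool of; /* overflow: the signed result did not fit in 32 bits */
} flags_t;

/* CMP op1,op2 on 32-bit operands: computes op1 - op2 and keeps only the flags. */
flags_t cmp32(uint32_t op1, uint32_t op2) {
    uint32_t res = op1 - op2;
    flags_t f;
    f.cf = op1 < op2;                      /* borrow out of the top bit */
    f.zf = (res == 0);
    f.sf = (res >> 31) & 1u;
    /* signed overflow: op1 and op2 have different signs and the result's
       sign differs from op1's */
    f.of = (((op1 ^ op2) & (op1 ^ res)) >> 31) & 1u;
    return f;
}

/* TEST op1,op2: ANDs the operands and keeps only the flags (CF and OF are cleared). */
flags_t test32(uint32_t op1, uint32_t op2) {
    uint32_t res = op1 & op2;
    flags_t f;
    f.cf = false;
    f.zf = (res == 0);
    f.sf = (res >> 31) & 1u;
    f.of = false;
    return f;
}

/* True if mnemonic m is a or its alias b (b may be NULL). */
static bool matches(const char *m, const char *a, const char *b) {
    return strcmp(m, a) == 0 || (b != NULL && strcmp(m, b) == 0);
}

/* Would the conditional jump `m` be taken on flags `f`? Conditions follow
   the lesson's table: unsigned jumps read C and Z, signed jumps read S, O
   and Z, with "less" meaning SF XOR OF = 1. */
bool jcc(const char *m, flags_t f) {
    if (matches(m, "JA",  "JNBE")) return !f.cf && !f.zf;
    if (matches(m, "JAE", "JNB"))  return !f.cf;
    if (matches(m, "JB",  "JNAE")) return f.cf;
    if (matches(m, "JBE", "JNA"))  return f.cf || f.zf;
    if (matches(m, "JG",  "JNLE")) return !f.zf && (f.sf == f.of);
    if (matches(m, "JGE", "JNL"))  return f.sf == f.of;
    if (matches(m, "JL",  "JNGE")) return f.sf != f.of;
    if (matches(m, "JLE", "JNG"))  return f.zf || (f.sf != f.of);
    if (matches(m, "JE",  "JZ"))   return f.zf;
    if (matches(m, "JNE", "JNZ"))  return !f.zf;
    if (matches(m, "JC",  NULL))   return f.cf;
    if (matches(m, "JNC", NULL))   return !f.cf;
    if (matches(m, "JO",  NULL))   return f.of;
    if (matches(m, "JNO", NULL))   return !f.of;
    if (matches(m, "JS",  NULL))   return f.sf;
    if (matches(m, "JNS", NULL))   return !f.sf;
    return false;  /* unknown or unmodelled mnemonic (parity jumps) */
}

int main(void) {
    /* Constructed case: 0xFFFFFFFF is 4294967295 unsigned but -1 signed,
       so JA (unsigned) and JL (signed) are both taken after the same CMP. */
    flags_t f = cmp32(0xFFFFFFFFu, 1u);
    printf("CMP 0xFFFFFFFF,1: JA=%d JL=%d\n", jcc("JA", f), jcc("JL", f));
    /* INT_MIN - 1 overflows: SF=0 but OF=1, so SF XOR OF = 1 and JL is taken. */
    f = cmp32(0x80000000u, 1u);
    printf("CMP 0x80000000,1: OF=%d JL=%d JB=%d\n", f.of, jcc("JL", f), jcc("JB", f));
    /* TEST EAX,EAX ; JZ is the usual "is the value zero?" check. */
    printf("TEST 0,0: JZ=%d\n", jcc("JZ", test32(0u, 0u)));
    return 0;
}
```

The practical lesson for reading a disassembly: the mnemonic tells you the signedness the compiler assumed, so a `CMP` followed by `JA`/`JB` compares unsigned values (sizes, pointers) while `JG`/`JL` compares signed ones, and `TEST reg,reg ; JZ` is simply a zero check.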

 

In fact, the ones we mainly use from the list above are some data transfer (assignment) instructions and some jump instructions; most of the rest we do not use at present.

The main focus of this lesson is the following instructions:

MOV transfers a word or byte.
MOVSX sign-extends, then transfers.
MOVZX zero-extends, then transfers.
PUSH pushes the word onto the stack.
POP pops words off the stack.
PUSHA pushes AX, CX, DX, BX, SP, BP, SI, DI into the stack in sequence.
POPA pops DI, SI, BP, SP, BX, DX, CX, AX from the stack in turn.
PUSHAD pushes EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI into the stack in sequence.
POPAD pops EDI, ESI, EBP, ESP, EBX, EDX, ECX, EAX from the stack in sequence.
ADD addition.
ADC with carry addition.
INC plus 1.
SUB subtraction.
SBB with borrow subtraction.
DEC minus 1.
NEG negate (subtract from 0).
CMP comparison. (The two operands are subtracted, only the flag bit is modified, and the result is not returned).
DIV unsigned division.
IDIV integer division.
AND operation.
OR operation.
XOR exclusive OR operation.
NOT negate.
TEST test. (The two operands are ANDed, only the flag bit is modified, and the result is not returned).
JMP unconditional branch instruction
CALL procedure call
RET/RETF process returns.
JA/JNBE jump if above (not below or equal).
JAE/JNB jump if above or equal (not below).
JB/JNAE jump if below (not above or equal).
JBE/JNA jump if below or equal (not above).
JG/JNLE jump if greater (not less or equal).
JGE/JNL jump if greater or equal (not less).
JL/JNGE jump if less (not greater or equal).
JLE/JNG jump if less or equal (not greater).
JE/JZ jump if equal (zero).
JNE/JNZ jump if not equal (not zero).
JNC jump if no carry.
JNO jump if no overflow.
JNP/JPO jump if parity is odd.
JNS jump if the sign bit is “0”.
NOP No operation.

These are most of the assembly instructions we need to learn for cracking. There may be some omissions, which is inevitable.

The following is a summary of the unpacking methods.

Our unpacking tool here is OD (OllyDbg). The unpacking knowledge taught in this lesson may not remove every shell.

What is the OEP

The OEP is the original entry point: the entry point of the original program, where the shell hands control over to the original program. So the purpose of unpacking is to find the entry point of the original program, the OEP.

 

1. Single-step tracing method

The most basic unpacking method is single-step tracing. It uses OD's single-instruction execution to step through the shell one instruction at a time; some instructions have to be skipped during tracing, for example a jump backwards. Finally, find the OEP and dump the program from OD.
Single-step tracing steps:
1. Load the file to be unpacked into OD. If a prompt about compressed code appears, choose “Do not analyze code”;
2. Trace downwards all the way, letting jumps that go downwards execute;
3. When the program jumps upwards, click the instruction following the backward jump and press “F4” to run to it, skipping the backward jump;
4. When the program has just been loaded, if there is a CALL instruction nearby, step into it (F7); otherwise the program can easily run away and end up running inside the shell;
5. When you encounter a popad instruction or a long jump, pay attention, because the destination of the popad or of the long jump is probably the OEP;
6. Dump the program with OD, and repair it if it is damaged.
=======================================================

2. ESP method

The ESP method can remove most compression shells.

ESP method steps:
1. Load the program to be unpacked into OD and press “F8” once to single-step one instruction. Now watch whether the value of the ESP register in the register window on the right of OD turns red;
2. If the ESP value has turned red, run the command hr followed by that ESP value in OD's command line window (hr esp, with the register name, also works) and press Enter;
3. Press “F9” to let the program run;
4. Press “F7” a few times to step down, and you will see the OEP;
5. Repair.
=======================================================

3. Two-breakpoint method

The two-breakpoint method sets two breakpoints on sections; once both have been hit, the OEP can be found.

Steps of the two-breakpoint method:
1. Load the program to be unpacked into OD, click the “Debug Settings” command under OD's “Options” menu, switch to the “Exceptions” tab in the “Debug Options” dialog that pops up, and tick all the check boxes under that tab to ignore all exceptions;
2. Press “ALT+M” to open OD's memory window, or click the M button in the toolbar;
3. Find the “.rsrc” section in OD's memory window, click on it and press “F2” to set a breakpoint on the section;
4. Press “Shift+F9” to let the program run to the breakpoint, then open OD's memory window again and this time set a breakpoint on the “.code” section above the “.rsrc” section (it sometimes has another name, such as “.text” or “.codes”);
5. Press “Shift+F9” to let the program run to the second breakpoint, then single-step tracing brings you to the OEP;
6. Repair.
=======================================================

 

4. Last exception method

Unpacking with the last exception method is very simple.

Last exception method steps:
1. Load the program to be unpacked into OD, click OD's “Options” menu, click the “Debug Settings” command in the menu, then switch to the “Exceptions” tab in the “Debug Options” dialog that pops up and untick all the check boxes under that tab, so that no exception is ignored;
2. Press “Shift+F9” repeatedly to run the program, and record the number of keystrokes X;
3. Back in OD, press “Ctrl+F2” to reload the program, then press “Shift+F9” X-1 times;
4. Find “SE handle” or “SE handler” in the lower right corner of the OD window and record the memory address shown there;
5. Follow the memory address recorded in the previous step in OD's disassembly window and set a breakpoint at that address;
6. Press “Shift+F9” to let the program run to the breakpoint set in the previous step, then press “F2” to remove that breakpoint;
7. Use single-step tracing to find the OEP;
8. Unpacking repair.
=======================================================

5. Simulated tracing method

Simulated tracing, as the name implies, simulates single-step tracing to find the address of the OEP.
Simulated tracing method steps:
1. Load the program to be unpacked into OD. First trace the program briefly to see the general flow of the shell and whether there are traps, such as hidden anti-debugging checks, that hinder unpacking;
2. Press “ALT+F9” to open OD's memory window, find the line containing “SFX, import table, resources” and record the memory address of that line;
3. In OD's command line window, execute the command “tc eip (memory address recorded in the previous step)”; after the command runs, trace slowly to the OEP;
4. Repair.
=======================================================

6. SFX automatic unpacking method

The SFX automatic unpacking method can remove a program's shell quickly and effectively.
SFX automatic unpacking method steps:
1. Set OD to ignore all exceptions;
2. In the “SFX” tab of OD's “Debug Options” dialog, select the option for byte-mode tracing of the real entry and confirm;
3. Load the program to be unpacked into OD. After the program loads, it stops directly at the OEP;
4. Repair.

=======================================================

7. Exit marker method

The exit marker method relies on the fact that when a packed program is loaded there is an instruction right at the beginning, pushad, which saves all the registers; combined with the knowledge from the second lesson, we know that popad restores all the registers. So we find the popad directly and step down a few instructions to reach the OEP.
Exit marker method unpacking steps:
1. Load the program to be unpacked into OD, choose “Find” → “All commands” in the right-click menu of OD's disassembly window, enter “popad” in the input box that pops up and press the “Find” button;
2. Try the “popad” instructions found one by one, because there may be more than one popad in the shell, so we need to trace from each until we find the right one;
3. Unpacking repair.
=======================================================

8. Using unpacking scripts to assist unpacking

Using an unpacking script can improve the efficiency of unpacking, and above all is convenient. An unpacking script is a text file in which an expert has recorded their manual unpacking steps, to make unpacking easier for themselves or for others.
But it is not recommended for novices: we must first understand the unpacking method, and only once we are proficient write our own scripts or use other people's.
=======================================================

9. Using unpacking tools

An unpacking tool is really the same thing as an unpacking script: the tool is written according to the unpacking script.
There are many unpacking tools; here we introduce only the most practical automatic unpacker, the Super Patrol unpacking tool.
How the Super Patrol unpacking tool works:
The Super Patrol unpacking tool automatically detects the shell header that the packer added to the program to be unpacked, and from it determines which packer was used. If the tool supports that shell, it can easily remove the program's shell; if it does not support it, it gives us a simple and clear prompt.
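
The shell-header detection described above (and the common packers listed earlier) rests on a simple observable: in a packed executable the entry point normally lies in the packer's own section, such as the UPX1 section that UPX creates or the .aspack section that ASPack creates, rather than in the first code section. The following C program is an added example, not code from the Super Patrol tool or from the original lesson: it parses the PE headers of an in-memory image, finds the section containing AddressOfEntryPoint and reports a packer indicator on that basis, exercised on two constructed header-only images (one laid out like a UPX-packed file, one like an ordinary build). The section-name list and the “entry not in the first section” rule are a triage heuristic, not a definitive identification, and the names entry_section, looks_packed and build_pe are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Little-endian field readers/writers for the PE header. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xFF; }

/* Finds the section whose virtual range contains AddressOfEntryPoint.
   Returns its index, or -1 if the image does not parse as a PE or the entry
   point lies outside every section. name_out gets the NUL-terminated name. */
int entry_section(const uint8_t *img, size_t len, char name_out[9]) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3C);                /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = img + pe + 4;            /* IMAGE_FILE_HEADER */
    uint16_t nsec  = rd16(coff + 2);               /* NumberOfSections */
    uint16_t optsz = rd16(coff + 16);              /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;                /* IMAGE_OPTIONAL_HEADER */
    if (optsz < 20 || (size_t)(opt - img) + optsz > len) return -1;
    uint32_t oep_rva = rd32(opt + 16);             /* AddressOfEntryPoint */
    const uint8_t *sec = opt + optsz;              /* first IMAGE_SECTION_HEADER */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if ((size_t)(sec - img) + 40 > len) return -1;
        uint32_t vsize = rd32(sec + 8), va = rd32(sec + 12);
        if (oep_rva >= va && oep_rva - va < vsize) {
            memcpy(name_out, sec, 8);
            name_out[8] = '\0';
            return i;
        }
    }
    return -1;
}

/* Packer indicator: 1 (looks packed), 0 (does not), -1 (not a PE), with a
   one-line reason in `why`. Heuristic only: entry point in a section named
   like a packer stub (UPX*, .aspack) or in any section other than the first. */
int looks_packed(const uint8_t *img, size_t len, char why[64]) {
    char name[9];
    int idx = entry_section(img, len, name);
    if (idx < 0) { snprintf(why, 64, "not a parseable PE"); return -1; }
    if (strncmp(name, "UPX", 3) == 0 || strcmp(name, ".aspack") == 0) {
        snprintf(why, 64, "entry point in packer section %s", name);
        return 1;
    }
    if (idx != 0) {
        snprintf(why, 64, "entry point in section %d (%s), not the first", idx, name);
        return 1;
    }
    snprintf(why, 64, "entry point in first section %s", name);
    return 0;
}

/* Builds a constructed, header-only PE32 image (not a runnable program) with
   two sections. packed=1 mimics a UPX layout with the entry in UPX1; packed=0
   an ordinary build with the entry in .text. Returns the image length (392). */
size_t build_pe(uint8_t *buf, size_t cap, int packed) {
    memset(buf, 0, cap);
    buf[0] = 'M'; buf[1] = 'Z';
    uint32_t pe = 0x40;
    wr32(buf + 0x3C, pe);
    memcpy(buf + pe, "PE\0\0", 4);
    uint8_t *coff = buf + pe + 4;
    wr16(coff + 0, 0x14C);                         /* IMAGE_FILE_MACHINE_I386 */
    wr16(coff + 2, 2);                             /* NumberOfSections */
    wr16(coff + 16, 224);                          /* SizeOfOptionalHeader (PE32) */
    uint8_t *opt = coff + 20;
    wr16(opt + 0, 0x10B);                          /* PE32 magic */
    wr32(opt + 16, packed ? 0x9000 : 0x1000);      /* AddressOfEntryPoint */
    uint8_t *sec = opt + 224;
    const char *n0 = packed ? "UPX0" : ".text";
    const char *n1 = packed ? "UPX1" : ".data";
    memcpy(sec, n0, strlen(n0));      wr32(sec + 8, 0x7000); wr32(sec + 12, 0x1000);
    memcpy(sec + 40, n1, strlen(n1)); wr32(sec + 48, 0x2000); wr32(sec + 52, 0x8000);
    return (size_t)(sec + 80 - buf);
}

int main(void) {
    uint8_t img[512];
    char why[64];
    for (int packed = 0; packed < 2; packed++) {
        size_t n = build_pe(img, sizeof img, packed);
        printf("constructed %s image: %d (%s)\n", packed ? "UPX-like" : "normal",
               looks_packed(img, n, why), why);
    }
    return 0;
}
```

A check like this is where an automatic unpacker or an anti-virus triage pipeline starts: it decides which shell is present before choosing an unpacking routine, and the same entry-section test is a cheap first signal when sorting samples. Packers that rename their sections or keep the entry in the first section defeat the heuristic, which is why the manual methods above remain necessary.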
