[reverse] repair IAT and close ASLR after shelling
2022-07-06 17:22:00 【TiggerRun】
0x1 Finding the OEP
There are eight methods for finding the OEP; they are not described in detail here.
0x2 The IAT of the packed program
If the program cannot run normally after unpacking (in an XP environment), the cause may be a corrupted import table, which then needs to be repaired by hand.
From a study of the PE file format we know that the RVA of the import table is stored in the DataDirectory array of the optional header.
The screenshot shows the packed program's import DESCRIPTOR: RVA 18008, size 64.
From the information in the section headers, the IAT is located in the sixth section, .aspack.
Using the section's known virtual offset and raw (physical) offset, the file location of the DESCRIPTOR can be calculated:
offset = A008
Locating the descriptor table shows that two DLL files are imported; the file offsets of the Name and IAT fields can be calculated for each:
NAME(1) = 9FC8
NAME(2) = A044
IAT(1) = 9FB8
IAT(2) = A04F
Of course, if you are not familiar with the PE header, you can use PE View to inspect it.
In this way you can clearly see which functions the packed program imports at startup.
0x3 How run-time compression works
One might ask why the IAT has to be repaired manually after unpacking.
The IAT is mainly used for DLL relocation: compared with 16-bit DOS programs, a program no longer has to include the library code itself, but instead maps it through a table. If the IAT is wrong, the program cannot call the functions of the related libraries.
A compression packer compresses the sections and replaces the IAT with the packer's own IAT; in the last step of decompression it restores the IAT so that the program runs normally. This is why the IAT must be repaired after unpacking.
Check the IAT of the running program in OD.
Compared with the packed program's IAT, the real IAT of the program after it has run is much larger. If we only dump the program without repairing the IAT (as shown in the figure below),
the program's IAT is damaged.
0x4 IAT repair
Use the ImportREC tool and attach to the process of the program that is stopped at the OEP.
Correctly filled-in IAT information
Get the IAT information from memory, then delete the invalid functions and transfer the table to the dumped program; the program can then run normally.
0x5 The unpacked program cannot run on Win7 and later
Starting with Windows Vista / Win7, the system uses ASLR to defend against overflow attacks: every module is loaded at a random virtual address. ASLR relies on the relocation table to find the references it must fix up; for EXE programs relocation is optional, so the problem can be solved by disabling ASLR.
Change the bytes 40 81 to 00 81 (the DllCharacteristics word of the optional header; this clears the DYNAMIC_BASE bit, 0x40).
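The two manual steps described in 0x2 (walking from DataDirectory[1] through the section table to the import DESCRIPTOR, then to each DLL's Name and IAT offsets) and in 0x5 (patching 40 81 to 00 81) can be scripted. The code below is an added example and is not part of the original post, nor is it taken from ASPack, ImportREC or PE View. It uses only the standard library. The PE image it parses is constructed in build_sample_pe(): a one-section PE32 whose import descriptor RVA (18008), section virtual/raw offsets and DLL name/IAT RVAs were chosen so that the resulting file offsets (A008, 9FC8, A044, 9FB8, A04F) match the numbers in the post; the DLL names KERNEL32.dll and USER32.dll are made up for the sample. The field offsets (DllCharacteristics at 70, DataDirectory at 96 in a PE32 optional header) are the documented PE layout.

```python
import struct

# Field offsets inside a PE32 IMAGE_OPTIONAL_HEADER32 (documented PE layout)
OPT_DLLCHARACTERISTICS = 70                      # WORD
OPT_DATADIRECTORY = 96                           # 16 entries of (RVA, Size)
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # the ASLR opt-in bit
IMPORT_DESCRIPTOR_SIZE = 20                      # IMAGE_IMPORT_DESCRIPTOR


def optional_header_offset(data):
    """File offset of the optional header: after 'PE\\0\\0' and the 20-byte file header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    return e_lfanew + 4 + 20


def sections(data):
    """Yield (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    pos = optional_header_offset(data) + opt_size
    for _ in range(num_sections):
        name = data[pos:pos + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, pos + 8)
        yield name, va, vsize, rawptr, rawsize
        pos += 40


def rva_to_offset(data, rva):
    """The manual step from 0x2: RVA -> file offset via the section's virtual/raw offsets."""
    for _name, va, vsize, rawptr, rawsize in sections(data):
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA %#x is not inside any section" % rva)


def read_cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def import_descriptors(data):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array found through DataDirectory[1] and
    return, per DLL, the file offsets of its descriptor, Name string and IAT (FirstThunk)."""
    opt = optional_header_offset(data)
    dir_rva, _dir_size = struct.unpack_from(
        "<II", data, opt + OPT_DATADIRECTORY + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    off = rva_to_offset(data, dir_rva)
    result = []
    while True:
        _oft, _ts, _fwd, name_rva, iat_rva = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and iat_rva == 0:      # all-zero entry terminates the array
            break
        name_off = rva_to_offset(data, name_rva)
        result.append({"dll": read_cstring(data, name_off), "descriptor_offset": off,
                       "name_offset": name_off, "iat_offset": rva_to_offset(data, iat_rva)})
        off += IMPORT_DESCRIPTOR_SIZE
    return result


def aslr_enabled(data):
    opt = optional_header_offset(data)
    flags = struct.unpack_from("<H", data, opt + OPT_DLLCHARACTERISTICS)[0]
    return bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def disable_aslr(data):
    """Return a copy with DYNAMIC_BASE cleared: the '40 81 -> 00 81' patch from 0x5."""
    out = bytearray(data)
    opt = optional_header_offset(out)
    flags = struct.unpack_from("<H", out, opt + OPT_DLLCHARACTERISTICS)[0]
    struct.pack_into("<H", out, opt + OPT_DLLCHARACTERISTICS,
                     flags & ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return bytes(out)


def build_sample_pe():
    """Constructed minimal PE32 (not a real program). One section at VA 0x17000 /
    raw 0x9000 and an import descriptor at RVA 0x18008, so the computed file
    offsets reproduce the post's A008, 9FC8/A044 (names) and 9FB8/A04F (IATs)."""
    img = bytearray(0xB000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                           # PE32 magic
    struct.pack_into("<H", img, opt + OPT_DLLCHARACTERISTICS, 0x8140)  # bytes 40 81
    struct.pack_into("<I", img, opt + 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + OPT_DATADIRECTORY + 8, 0x18008, 64)
    sec = opt + 224
    img[sec:sec + 8] = b".aspack\0"
    struct.pack_into("<IIII", img, sec + 8, 0x2000, 0x17000, 0x2000, 0x9000)
    struct.pack_into("<IIIII", img, 0xA008, 0, 0, 0, 0x17FC8, 0x17FB8)  # DLL 1
    struct.pack_into("<IIIII", img, 0xA01C, 0, 0, 0, 0x18044, 0x1804F)  # DLL 2
    img[0x9FC8:0x9FC8 + 13] = b"KERNEL32.dll\0"                      # made-up names
    img[0xA044:0xA044 + 11] = b"USER32.dll\0"
    return bytes(img)


if __name__ == "__main__":
    pe = build_sample_pe()
    for d in import_descriptors(pe):
        print("%-13s descriptor=%X name=%X iat=%X" % (
            d["dll"], d["descriptor_offset"], d["name_offset"], d["iat_offset"]))
    print("ASLR before: %s, after: %s" % (aslr_enabled(pe), aslr_enabled(disable_aslr(pe))))
```

On a real dump, replace build_sample_pe() with the file's bytes; disable_aslr() only touches the one WORD, so the dumped program's sections and the repaired IAT are left unchanged.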