
What is the principle of ESP's law?

2025-01-15 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

What is the principle of the ESP law? Many newcomers do not know how to approach it, so this article summarizes the idea behind the ESP law and how to apply it. I hope that after reading it you can solve this problem yourself.

0x00 Preface

Being idle during the epidemic anyway, I gained a deeper understanding of the ESP law while reversing some software, and wanted to write an article to record and share it.

The ESP law, also known as the stack balance law, is one of the most frequently used unpacking methods, used by beginners and veterans alike. As far as I know, the ESP law was discovered by a foreign expert, but I have no way to confirm this (I found no relevant information).

0x01 Prerequisites

Stack

A stack is a region of memory. Inserting a new element, called a push, places it above the current top element, which makes it the new top; removing an element, called a pop, takes the top element off so that the element next to it becomes the new top.

Call

Equivalent to a function call in a high-level language. When a call instruction executes, two steps are performed: the address of the next instruction is pushed onto the stack, then execution jumps to the target address. Equivalent to:

    push ip
    jmp near ptr address

ret & retf

The counterpart of the call instruction: take the address at the top of the stack (the address the current ESP register points to) off the stack and jump to it. Equivalent to:

    pop ip        # ret

    pop IP
    pop CS        # retf

0x02 Operation example

This is a small 32-bit program I wrote, packed with a shell, as an example of applying the ESP law. The procedure is fairly mechanical, but it gives an intuitive feel for how the ESP law works.

First, check the packer with Exeinfo PE; it turns out to be the nspack shell.

Then load the program in OllyDbg (OD) and step into once; as the arrow shows, the ESP register turns red, meaning its value has changed.

Right-click the ESP register and choose to follow it in the data (dump) window. Then, in the data window, set a hardware breakpoint (on access) on any of the bytes there (byte, word or dword all work).

Press F9 to run; when the breakpoint hits, single-step with F8 until you reach the OEP (the original entry point of the program). Select that address, right-click, dump the debugged process with OllyDump, and the shell is stripped (if the dumped program will not start, try checking the option to rebuild the import table).

Check the dump with Exeinfo PE again: the shell has been removed.

0x03 Detailed explanation of the principle

First, a shell is essentially a subroutine: when the program runs, the shell gains control first and unpacks the program, hiding the program's real OEP at the same time. Most viruses rely on this principle to avoid being detected by antivirus scans.

Types of shell:

    extract -> run
    extract -> run -> extract -> run ... (multi-layer)
    decoder | encoded code -> decode -> execute
    virtual machine shell

The purpose of unpacking is to find the real OEP (original entry point).

The essence of the ESP law is stack balance, as shown below:

Let's look at the registers at the entry point of the packed small program.

    EAX 00000000
    ECX 004E820D offset r1.
    EDX 004E820D offset r1.
    EBX 0036C000
    ESP 0072FF74
    EBP 0072FF80
    ESI 004E820D offset r1.
    EDI 004E820D offset r1.
    EIP 004E820D r1.

And here are the registers when execution reaches the OEP.

    EAX 0072FFCC
    ECX 004E820D offset r1.
    EDX 004E820D offset r1.
    EBX 0036A000
    ESP 0072FF74
    EBP 0072FF80
    ESI 004E820D offset r1.
    EDI 004E820D offset r1.
    EIP 00401500 r1.00401500

We find that only the values of the EIP and EAX registers have changed, and EAX holds the address of the OEP. Why?

Because during the program's self-decryption or self-decompression, most shells first save the current register state on the stack, for example with pushad, and after unpacking restore the earlier register values from the stack, for example with popad. So by the time the registers are popped, the program code has usually already been restored, and the hardware breakpoint we placed on that stack location fires (this is why we set a hardware breakpoint there); from that position, only a few single steps are needed to reach the real OEP.

0x04 Scope of application

I have summed up a rough rule of thumb: if, right after loading the program, only the contents of the ESP register change, the program can probably be unpacked with the ESP law (corrections are welcome if this is wrong).

It applies to almost all compression shells and some early encryption shells (this is a summary of information collected online which, in my own practice, has been basically accurate).
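As an added example (constructed here, not code from the article), the following toy CPU model in Python replays the whole 0x02 procedure on a constructed pushad/popad stub and also applies the 0x04 check that only ESP changed after the first step. The stub addresses, the 0x0072FF74 stack value and the 0x401500 OEP are constructed to mirror the register dumps above; the instruction set and the `Cpu`, `step` and `esp_law` names are my own.

```python
# Toy CPU model of the ESP law (constructed example, not the article's code): the
# stub does pushad, unpacks, popad, jmp OEP; a hardware access breakpoint on [ESP]
# set right after pushad fires when popad reads the saved registers back.
REGS = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]  # pushad order
class Cpu:
    def __init__(self, entry, esp=0x0072FF74):
        self.r = dict.fromkeys(REGS, 0)
        self.r["ESP"], self.r["EBP"], self.eip = esp, esp + 0xC, entry
        self.mem, self.hwbp, self.hits = {}, None, []  # stack, watched addr, hits
    def pushad(self):
        esp0 = self.r["ESP"]             # pushad stores ESP as it was before the pushes
        for n in REGS:
            self.r["ESP"] -= 4
            self.mem[self.r["ESP"]] = esp0 if n == "ESP" else self.r[n]
    def popad(self):
        for n in reversed(REGS):
            addr = self.r["ESP"]
            if addr == self.hwbp:        # hardware breakpoint: [ESP] was accessed
                self.hits.append(self.eip)
            if n != "ESP":               # popad discards the saved ESP value
                self.r[n] = self.mem[addr]
            self.r["ESP"] = addr + 4

def step(cpu, code):                     # one toy instruction per address
    op, *args = code[cpu.eip]
    cpu.eip += 1
    if op in ("pushad", "popad"):
        getattr(cpu, op)()
    elif op == "mov":
        cpu.r[args[0]] = args[1]
    elif op == "jmp":
        cpu.eip = args[0]

def esp_law(cpu, code, stub):            # F7, hw bp on [ESP], F9 to the hit, F8 out of the stub
    before = dict(cpu.r)
    step(cpu, code)                      # F7: execute the pushad at the packed entry
    if [n for n in REGS if cpu.r[n] != before[n]] != ["ESP"]:
        return None                      # 0x04 heuristic: only ESP should have moved
    cpu.hwbp = cpu.r["ESP"]              # follow ESP in the dump, hw breakpoint there
    while not cpu.hits:                  # F9: run until popad touches [ESP]
        step(cpu, code)
    while stub[0] <= cpu.eip < stub[1]:  # F8: step until the jump out of the stub
        step(cpu, code)
    assert cpu.r["ESP"] == before["ESP"] # stack balance: ESP is back where it started
    return cpu.eip                       # candidate OEP

# Constructed nspack-style stub: pushad, work that clobbers a register, popad, jmp.
STUB = {0x4E820D: ("pushad",), 0x4E820E: ("mov", "EBX", 0x36A000),
        0x4E820F: ("popad",), 0x4E8210: ("jmp", 0x401500)}
```

Calling `esp_law(Cpu(entry=0x4E820D), STUB, (0x4E820D, 0x4E8211))` returns the constructed OEP 0x401500 with ESP and EBP back at 0x0072FF74 and 0x0072FF80, as in the dumps above.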

After reading the above, have you mastered the principle of the ESP law? If you want to learn more, you are welcome to follow the industry information channel. Thank you for reading!
