Happy New Year!
Packer check: the file is packed with UPX
Open the file in x32dbg and look at the initial breakpoint
Click the PUSHAD instruction to select it, press CTRL+* to set EIP there, then start stepping over with F8 and watch for the first time the ESP register alone turns red; note its address
The memory window at this point
Step over (that is, start single-stepping)
The first time I stepped, I noticed that only ESP turned red, so I right-clicked it and followed it in the memory window
Then set a breakpoint on the hexadecimal value at the first address
Then press F9 to run the program. When it stops, find the POPAD near the stop location and note down the address of the JMP, which is the address where the breakpoint is; then open the unpacking and repair tool that comes with x32dbg from the toolbar at the top
Enter the breakpoint address in the OEP field under IAT Info.
Click Dump (this is the unpacking step) and save the unpacked file, then click IAT Autosearch under IAT Info, and then click Get Imports
Then click Fix Dump
Open the file dumped after unpacking; this step repairs the file that was damaged by unpacking.
The file that is generated automatically when this finishes is the successfully unpacked file
Unpacking succeeded
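The packer check at the start, and the same check repeated on the repaired dump, can also be scripted. This is an added example, not part of the original post: it assumes the usual UPX layout (sections named UPX0/UPX1, UPX0 empty on disk, entry point inside the stub section), and the function names and header-only sample images are constructed for illustration.

```python
import struct

def pe_sections(data):
    """Return (entry_rva, [(name, vaddr, vsize, raw_size), ...]) parsed from PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24  # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, raw = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, raw))
    return entry, sections

def upx_verdict(data):
    """Heuristic only (assumed layout): UPX* names, first section empty on disk, entry outside it."""
    entry, sections = pe_sections(data)
    names = [s[0] for s in sections]
    ep = next((n for n, va, vs, raw in sections if va <= entry < va + max(vs, raw)), None)
    empty_first = bool(sections) and sections[0][3] == 0 and sections[0][2] > 0
    packed = any(n.startswith("UPX") for n in names) and empty_first and ep != names[0]
    return {"packed": packed, "entry_section": ep, "sections": names}

def sample(entry, raw0):
    """Constructed header-only PE32 image with UPX0/UPX1 sections (not a real executable)."""
    def sect(name, vsize, vaddr, raw):
        return struct.pack("<8sIIII16x", name, vsize, vaddr, raw, 0x400)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H14xI", 0x10B, entry).ljust(224, b"\0")
    return (dos + b"PE\0\0" + coff + opt
            + sect(b"UPX0", 0x8000, 0x1000, raw0) + sect(b"UPX1", 0x4000, 0x9000, 0x3800))

if __name__ == "__main__":
    print("before:", upx_verdict(sample(0xC000, 0)))      # entry in stub, UPX0 empty
    print("after: ", upx_verdict(sample(0x1500, 0x8000)))  # entry moved to OEP, UPX0 filled
```

The section names stay in the dump, so on the unpacked file the useful signals are that the first section now has data on disk and that the entry point lies inside it.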