
Manually unpacking UPX

Published: 2024-09-19 11:18:10
Happy New Year!
Packer check: the file is packed with UPX.
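A static packer check for this first step, as an added example that is not part of the original post: it parses the PE section table with the standard library only (no pefile) and reports whether the layout matches what UPX produces, i.e. a UPX0 section with virtual size but no raw data and the entry point inside UPX1, the decompression stub that the ESP trick below steps through. The sample headers are constructed inline and the function names are my own.

```python
import struct

def parse_sections(data):
    """Return (entry_point_rva, [(name, vaddr, vsize, raw_size), ...]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]            # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]       # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, coff + 20 + 16)[0]     # AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        off = coff + 20 + opt_size + i * 40                        # 40-byte section headers
        name, vsize, vaddr, raw = struct.unpack_from("<8sIII", data, off)
        secs.append((name.rstrip(b"\0").decode(), vaddr, vsize, raw))
    return entry, secs

def upx_layout_check(data):
    """Packer check: UPX0 holds the original code (virtual size only, zero raw bytes)
    and the entry point sits in UPX1, the stub that unpacks it at run time."""
    entry, secs = parse_sections(data)
    names = [s[0] for s in secs]
    ep_sec = next((n for n, va, vs, _ in secs if va <= entry < va + vs), None)
    return {
        "sections": names,
        "entry_section": ep_sec,
        "upx_marker": b"UPX!" in data,                            # UPX header magic
        "looks_like_upx": bool(secs) and names[0] == "UPX0" and secs[0][3] == 0
        and ep_sec == "UPX1",
    }

def build_sample_pe(sections, entry_rva, tail=b""):
    """Constructed stand-in for a binary: only the headers the parser reads.
    sections = [(name, vaddr, vsize, raw_size, raw_ptr), ...]"""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # PE header at 0x40
    opt = bytearray(224)                                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                           # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, rp, 0, 0, 0, 0, 0)
                     for n, va, vs, rs, rp in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + tail

# Constructed samples: the section layout UPX produces, and an ordinary unpacked one.
PACKED = build_sample_pe([("UPX0", 0x1000, 0x9000, 0, 0x400), ("UPX1", 0xA000, 0x4000, 0x3800, 0x400),
                          (".rsrc", 0xE000, 0x1000, 0x200, 0x3C00)], 0xD5E0, b"UPX!")
PLAIN = build_sample_pe([(".text", 0x1000, 0x5000, 0x5000, 0x400),
                         (".data", 0x6000, 0x1000, 0x200, 0x5400)], 0x1234)
```

Run `upx_layout_check(open(path, "rb").read())` on a real file; a renamed section table defeats the name check, so treat `looks_like_upx` as a hint to confirm in the debugger, not as proof.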

Open the file in x32dbg to view the initial breakpoint.

Click the PUSHAD instruction, press Ctrl+* to set EIP there, then start stepping over with F8 and watch for the first step on which the ESP register alone turns red.

The memory window at this point

Step over (i.e. start stepping).

On the first step over, ESP alone turns red; right-click it and follow it in the dump (memory) window.

Then set a breakpoint on the first address shown in the dump window.

Then press F9 to run the program. Once it stops, find the POPAD near the stop location and note the destination address of the JMP that follows it; that is where the breakpoint goes. Then open the built-in unpacking and repair tool from the x32dbg toolbar.



Enter the breakpoint address in the OEP field of the IAT info section below.

Click Dump (this is the unpacking step) and save the dumped file. Then, under IAT info, click IAT Autosearch and then Get Imports.

Then click Fix Dump.

Open the dumped file; this step repairs the dump, which is broken until its imports are fixed.

The file generated automatically when this finishes is the successfully unpacked file.

Unpacking succeeded.