小生我怕怕
发表于 2008-9-24 08:46
再来玩一次ESP定律法（OllyDbg 手动脱壳到 OEP 的完整过程）
━━━━━━━━━━━━━━━━━━━━━━━━━━
// Packer entry point as shown by OllyDbg (the opcode-byte column is fused to the
// mnemonic in this paste; the addresses are the ones OllyDbg displays).
004087A2 >9Cpushfd //OllyDbg stops here on load: the stub first saves EFLAGS...
004087A360pushad //...then all general registers. Apply the "ESP rule" now: step over PUSHAD (F8),
// then put a hardware breakpoint on access to the dword at the new ESP (command line: hr esp).
// It fires the next time that saved-register slot is read or written.
004087A4E8 00000000 call UnPackMe.004087A9 //call $+5: no real callee, only pushes 004087A9
004087A95Dpop ebp //ebp = 004087A9 (address of this very instruction)
004087AA83ED 07 sub ebp,7 //ebp = 004087A2 = the entry point. Classic get-delta trick: the stub
// can now reach its own data position-independently via [ebp+disp].
004087AD8D8D 36FEFFFF lea ecx,dword ptr ss:[ebp-1CA] //ecx = entry-0x1CA: a stub-relative data pointer (what it points to is not visible here)
━━━━━━━━━━━━━━━━━━━━━━━━━━
// Where the hardware breakpoint from the ESP rule fires. OllyDbg breaks after the
// accessing instruction, which is just above this excerpt and not shown.
0040C5FF83C5 04 add ebp,4//execution stops here after the ESP rule. Note that ebp, not esp,
// is being adjusted in 4-byte steps: the stub appears to use ebp as a second stack pointer
// (its own "VM stack"), which is why ESP-based heuristics stop later than in a plain packer.
0040C602891407mov dword ptr ds:[edi+eax],edx //store into a dword slot of the table at edi
0040C605^ E9 9DFFFFFF jmp UnPackMe.0040C5A7//F8 to here; the jump goes backwards (up) into the dispatch loop — let it take the jump
0040C60A8B55 00 mov edx,dword ptr ss:[ebp] //not reached on this path: start of the next handler
0040C60D83C5 02 add ebp,2
━━━━━━━━━━━━━━━━━━━━━━━━━━ //the jmp at 0040C605 lands here: fetch/decode/dispatch loop of the packer's interpreter
0040C5A78A06mov al,byte ptr ds:[esi] //fetch the next bytecode byte; esi = bytecode pointer
0040C5A983EE FF sub esi,-1 //esi++ written as "sub -1" (same result as inc esi; a common obfuscation)
0040C5AC0FB6C0movzx eax,al //zero-extend the opcode byte to a table index (0..255)
0040C5AFFF2485 71C14000 jmp dword ptr ds:[eax*4+40C171] //dispatch via a handler table at 0040C171 indexed by opcode. F8 to here; the
// indirect jump goes to a lower address (the handler at 0040C076 in this run) — let it take the jump
━━━━━━━━━━━━━━━━━━━━━━━━━━
// Handlers reached from the dispatch table. Each one pops/pushes operands on the
// ebp-based VM stack and then either returns to the fetch loop (0040C5A7) or goes
// to a shared continuation at 0040C61C that lies outside this excerpt.
0040C07680E0 3C and al,3C //the indirect jmp above brought us here. al &= 0x3C keeps a dword offset 0..0x3C,
// i.e. one of 16 slots of the table at edi (presumably the interpreter's register file — verify)
0040C0798B1407mov edx,dword ptr ds:[edi+eax]//load that slot. Procedure from here: set an F2 (INT3) breakpoint on the
// retn at 0040C0DF, the end of this segment (see below), then run with Shift+F9
0040C07C83ED 04 sub ebp,4 //push the value onto the VM stack (ebp -= 4; store)
0040C07F8955 00 mov dword ptr ss:[ebp],edx//before running, DELETE the hardware breakpoint (hr esp); it stays armed
// across runs and would keep retriggering on every access to that stack slot
0040C082E9 95050000 jmp UnPackMe.0040C61C //shared continuation (not in this listing)
// Handler: byte shift-left. Operands come from the VM stack; the host EFLAGS produced by
// the shift are saved back onto the VM stack as a dword (pushfd / pop [ebp]).
0040C0878A45 00 mov al,byte ptr ss:[ebp] //value
0040C08A8A4D 02 mov cl,byte ptr ss:[ebp+2] //shift count
0040C08D83ED 02 sub ebp,2
0040C090D2E0shl al,cl
0040C09266:8945 04mov word ptr ss:[ebp+4],ax //result overwrites the operand slot
0040C0969Cpushfd
0040C0978F45 00 pop dword ptr ss:[ebp] //flags saved on the VM stack
0040C09AE9 7D050000 jmp UnPackMe.0040C61C
// Handler: store word. Pops an address and a 16-bit value (6 bytes total) and writes
// the value through the address, then goes straight back to the fetch loop.
0040C09F8B45 00 mov eax,dword ptr ss:[ebp] //destination address
0040C0A266:8B55 04mov dx,word ptr ss:[ebp+4] //value
0040C0A683C5 06 add ebp,6
0040C0A966:8910 mov word ptr ds:[eax],dx
0040C0ACE9 F6040000 jmp UnPackMe.0040C5A7 //back to fetch/dispatch at 0040C5A7
// Handler: word add with flags save (same flags-on-VM-stack pattern as the shift).
0040C0B166:8B45 00mov ax,word ptr ss:[ebp]
0040C0B583ED 02 sub ebp,2
0040C0B866:0145 04add word ptr ss:[ebp+4],ax
0040C0BC9Cpushfd
0040C0BD8F45 00 pop dword ptr ss:[ebp]
0040C0C0E9 57050000 jmp UnPackMe.0040C61C
// Handler: push the low 16 bits of the current VM stack pointer.
0040C0C589E8mov eax,ebp
0040C0C783ED 02 sub ebp,2
0040C0CA66:8945 00mov word ptr ss:[ebp],ax
0040C0CEE9 49050000 jmp UnPackMe.0040C61C
// Handler: VM exit / context restore. The host stack pointer is switched to the VM
// stack and the saved context is popped from it (note: this is NOT the popad order,
// so the two extra pops of ecx look like discarded slots — verify). The retn then
// transfers control to whatever return address the stub left on top: in this run
// that is the original entry point, 00401700.
0040C0D389ECmov esp,ebp //host esp := VM stack pointer
0040C0D559pop ecx
0040C0D659pop ecx
0040C0D75Apop edx
0040C0D85Dpop ebp
0040C0D95Fpop edi
0040C0DA5Dpop ebp
0040C0DB5Bpop ebx
0040C0DC9Dpopfd //EFLAGS restored from the VM stack
0040C0DD5Epop esi
0040C0DE58pop eax
0040C0DFC3retn//set an F2 (INT3) breakpoint HERE, then Shift+F9 (run; Shift passes any exception the stub raises
// on to the debuggee, so a packer that uses exceptions for anti-debug is not stalled by OllyDbg)
0040C0E08B45 00 mov eax,dword ptr ss:[ebp]//when the breakpoint hits, single-step once (F7/F8) over the retn above: it lands directly on the OEP
0040C0E38B55 04 mov edx,dword ptr ss:[ebp+4] //these three lines are the start of yet another handler (pop two dwords), not reached on this path
0040C0E683C5 08 add ebp,8
━━━━━━━━━━━━━━━━━━━━━━━━━━
// Original entry point (OEP), reached by the retn at 0040C0DF. What follows is the
// standard MSVC SEH function prologue — OllyDbg's own annotation resolves the pushed
// handler to msvcrt._except_handler3. The function continues past the end of this listing.
0040170055push ebp //OEP = 00401700. Finish here: dump the process with LordPE, then rebuild the import
// table with ImportREC (OEP RVA 00001700 if the image base is 00400000, as the addresses suggest — confirm in the PE header)
004017018BECmov ebp,esp
004017036A FF push -1 //SEH frame fields, in the usual _except_handler3 layout: trylevel (-1 = no active try)...
0040170568 00254000 push UnPackMe.00402500 //...scope table...
0040170A68 86184000 push UnPackMe.00401886 ; jmp to msvcrt._except_handler3 //...and the handler thunk (per OllyDbg)
0040170F64:A1 00000000mov eax,dword ptr fs:[0] //current head of the SEH chain
0040171550push eax //saved as the "prev" link
// Next instruction links the new EXCEPTION_REGISTRATION (now at esp) into fs:[0].
0040171664:8925 0000000>mov dword ptr fs:[0],esp [/hide] |