[原创] KCTF 2019 Q3 第二题 Simpower91 3.0
2019-9-24 22:09 4848
版本逐步加强,KCTF Q3 来到第三版。
【第一版】Simpower91 1.0
【第二版】Simpower91 2.0
【第三版】Simpower91 3.0
在地址 00477DDC 处的函数 Hi_TAntiDebug_anti7 中引入了七种反调试机制,整体防护比前两个版本有所加强。
估计下一个版本就需要搞它的TVirtualMachine和TSimInstructions,
这里我们尝试利用第二版得到的攻击思路,直接用frida捕获相关信息。
这是我们第二版关注的东西(这就跟挖洞的人喜欢找敏感函数一样),
frida简单的脚本fh.py参考文末,
这里我们运行样例,key前面的部分Simpower91根据第一版或第二版可以直接搜内存得到。
key后面部分我们可以结合fh.py做跟踪测试。这里给的是正确的key,
可以自行换成尾部错误的key,再比对frida的输出情况。
后面是整个追踪情况,当尾部key错误时,其输出不会这么多,毕竟当内部比对错误后就停止执行了,
我们关注其中比较敏感的操作:在下面的输出中,它搬动了一个位于样例Image自身范围内的地址(输出里的 77 95 49 00,按小端序即 0x499577,样例基址为 0x400000),
该地址实际位于特权指令clts触发的异常调用后面。
当我们输入错误的key,如
Simpower91123a时,
程序会依次取出尾部 tail_key := 123a 的每个字符进行计算,例如先取 '1'(0x31),计算得到 0xB0,
然后与 0xE0 比较;被比较的数据实际就是上述 0x499577 地址处的 0xE0, 0xB2, 0xB1, 0xB0 四个字节。
由于其计算逻辑与之前版本不变,按这四个字节的顺序逐一反推对应字符(正确key的追踪输出中可以看到 'a'(0x61) 得到 0xE0、'3'(0x33) 得到 0xB2),可以得到 tailkey 为 a321,
即 key 为 Simpower91a321。
crackme2019Q3D7.exe baseAddr: 0x400000 [+] New addr=0x465764 [!] Ctrl+D on UNIX, Ctrl+Z on Windows/cmd.exe to detach from instrumented program. [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70009","ebx":"0x4f70009","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 01 00 0c 00 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 30 00 00 00 01 00 00 00 ........0....... 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80d0","ecx":"0x4","edx":"0x22d8100","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f7006d","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 00 c0 2c 00 ..,. [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 17 01 00 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 01 01 00 17 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 01 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... 
[+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80d0","ecx":"0x1","edx":"0x2cc002","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 00 . [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 01 00 00 00 02 00 00 f0 00 00 00 00 ................ 00000010 00 00 00 00 ef ff ff ff 02 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 17 01 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x19bb5f","ecx":"0x1","edx":"0x22d80d0","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 00 . [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 08 00 00 00 01 00 00 00 02 00 00 f0 00 00 00 00 ................ 00000010 00 00 00 00 ef ff ff ff 02 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ 00000030 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ 
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 01 02 ................ 00000050 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000010 6a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 j............... 00000020 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ 00000050 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 08 00 00 00 01 00 00 00 14 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 44 03 00 00 01 00 00 00 00 00 00 00 ....D........... 00000020 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ 00000030 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 01 02 ................ 00000050 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... 
[+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000010 5d 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]............... 00000020 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ 00000050 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 01 00 02 00 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 e4 ff ff ff 02 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80d0","ecx":"0x4","edx":"0x19bb54","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 54 c7 2f 02 T./. 
[+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000010 6d b1 f6 ff 00 00 00 00 00 00 00 00 00 00 00 00 m............... 00000020 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ 00000050 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 08 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ 00000030 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 00000010 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 L............... 
00000020 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ 00000050 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 15 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ 00000030 00 00 00 00 77 95 49 00 00 00 00 00 00 00 00 00 ....w.I......... 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80c0","ecx":"0x4","edx":"0x22d89b0","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 77 95 49 00 w.I. [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 17 01 00 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 01 01 00 15 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 01 02 ................ 00000050 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80d0","ecx":"0x1","edx":"0x499577","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 e0 . [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 01 00 00 00 02 00 00 f0 00 00 00 00 ................ 00000010 00 00 00 00 ee ff ff ff 02 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 17 01 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x19bb5e","ecx":"0x1","edx":"0x22d80d0","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 e0 . [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 17 01 00 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
00000020 00 00 00 00 00 00 00 00 00 01 01 00 15 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 01 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80d0","ecx":"0x1","edx":"0x499578","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 b2 . [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 01 00 00 00 02 00 00 f0 00 00 00 00 ................ 00000010 00 00 00 00 ed ff ff ff 02 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 17 01 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x19bb5d","ecx":"0x1","edx":"0x22d80d0","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 b2 . 
[+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 17 01 00 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 01 01 00 15 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 01 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80d0","ecx":"0x1","edx":"0x499579","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 b1 . [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 01 00 00 00 02 00 00 f0 00 00 00 00 ................ 00000010 00 00 00 00 ec ff ff ff 02 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 17 01 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... 
[+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x19bb5c","ecx":"0x1","edx":"0x22d80d0","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 b1 . [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 17 01 00 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 01 01 00 15 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 03 00 00 00 01 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 01 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80d0","ecx":"0x1","edx":"0x49957a","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 b0 . [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 01 00 00 00 02 00 00 f0 00 00 00 00 ................ 00000010 00 00 00 00 eb ff ff ff 02 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 17 01 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x19bb5b","ecx":"0x1","edx":"0x22d80d0","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 b0 . [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 01 00 02 00 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 e4 ff ff ff 02 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80d0","ecx":"0x4","edx":"0x19bb54","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 54 c7 2f 02 T./. [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 1b 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
00000020 00 00 00 00 00 00 00 00 00 04 01 00 17 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 01 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x22d8144 Context : {"pc":"0x465764","sp":"0x19369c","eax":"0x1936a8","ecx":"0x4","edx":"0x22fc754","ebx":"0x22d8144","esp":"0x19369c","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 61 33 32 31 a321 [+] return to : 0x22d8144 Context : {"pc":"0x465764","sp":"0x19369c","eax":"0x22d80d0","ecx":"0x4","edx":"0x1936b0","ebx":"0x22d8144","esp":"0x19369c","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 00 00 00 00 .... [+] return to : 0x22d8144 Context : {"pc":"0x465764","sp":"0x19369c","eax":"0x22d80d0","ecx":"0x1","edx":"0x1936a8","ebx":"0x22d8144","esp":"0x19369c","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 61 a [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 02 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ 00000030 00 00 00 00 7f 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
00000060 00 00 00 00 .... [+] return to : 0x193a8a Context : {"pc":"0x465764","sp":"0x1936a0","eax":"0x22d80d0","ecx":"0x4","edx":"0x1936b0","ebx":"0x4","esp":"0x1936a0","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x22d8144","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 e0 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 0d 00 00 00 00 00 00 00 15 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 15 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x0 Context : {"pc":"0x465764","sp":"0x1936a8","eax":"0x22d80c0","ecx":"0x4","edx":"0x1936b0","ebx":"0x4","esp":"0x1936a8","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 00 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 15 01 00 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 01 01 00 02 00 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 ee ff ff ff 02 00 00 00 ................ 
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 01 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80c0","ecx":"0x1","edx":"0x19bb5e","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 e0 . [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 08 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 15 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 00000010 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R............... 00000020 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ 00000050 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... 
[+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 01 00 02 00 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 e4 ff ff ff 02 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80d0","ecx":"0x4","edx":"0x19bb54","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 54 c7 2f 02 T./. [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 1b 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 01 00 17 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 01 02 ................ 00000050 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... 
[+] return to : 0x22d8144 Context : {"pc":"0x465764","sp":"0x19369c","eax":"0x1936a8","ecx":"0x4","edx":"0x22fc755","ebx":"0x22d8144","esp":"0x19369c","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 33 32 31 00 321. [+] return to : 0x22d8144 Context : {"pc":"0x465764","sp":"0x19369c","eax":"0x22d80d0","ecx":"0x4","edx":"0x1936b0","ebx":"0x22d8144","esp":"0x19369c","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 00 00 00 00 .... [+] return to : 0x22d8144 Context : {"pc":"0x465764","sp":"0x19369c","eax":"0x22d80d0","ecx":"0x1","edx":"0x1936a8","ebx":"0x22d8144","esp":"0x19369c","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 33 3 [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 02 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ 00000030 00 00 00 00 7f 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x193a8a Context : {"pc":"0x465764","sp":"0x1936a0","eax":"0x22d80d0","ecx":"0x4","edx":"0x1936b0","ebx":"0x4","esp":"0x1936a0","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x22d8144","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 b2 00 00 00 .... 
[+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 0d 00 00 00 00 00 00 00 15 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 15 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x0 Context : {"pc":"0x465764","sp":"0x1936a8","eax":"0x22d80c0","ecx":"0x4","edx":"0x1936b0","ebx":"0x4","esp":"0x1936a8","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 00 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 15 01 00 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 01 01 00 02 00 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 ed ff ff ff 02 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 01 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... 
[+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80c0","ecx":"0x1","edx":"0x19bb5d","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 b2 . [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 08 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 15 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 00000010 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?............... 00000020 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ 00000050 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... 
[+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 01 00 02 00 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 e4 ff ff ff 02 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80d0","ecx":"0x4","edx":"0x19bb54","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 54 c7 2f 02 T./. [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 1b 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 01 00 17 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 01 02 ................ 00000050 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... 
[+] return to : 0x22d8144 Context : {"pc":"0x465764","sp":"0x19369c","eax":"0x1936a8","ecx":"0x4","edx":"0x22fc756","ebx":"0x22d8144","esp":"0x19369c","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 32 31 00 00 21.. [+] return to : 0x22d8144 Context : {"pc":"0x465764","sp":"0x19369c","eax":"0x22d80d0","ecx":"0x4","edx":"0x1936b0","ebx":"0x22d8144","esp":"0x19369c","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 00 00 00 00 .... [+] return to : 0x22d8144 Context : {"pc":"0x465764","sp":"0x19369c","eax":"0x22d80d0","ecx":"0x1","edx":"0x1936a8","ebx":"0x22d8144","esp":"0x19369c","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 32 2 [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 02 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ 00000030 00 00 00 00 7f 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x193a8a Context : {"pc":"0x465764","sp":"0x1936a0","eax":"0x22d80d0","ecx":"0x4","edx":"0x1936b0","ebx":"0x4","esp":"0x1936a0","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x22d8144","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 b1 00 00 00 .... 
[+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 0d 00 00 00 00 00 00 00 15 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 15 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x0 Context : {"pc":"0x465764","sp":"0x1936a8","eax":"0x22d80c0","ecx":"0x4","edx":"0x1936b0","ebx":"0x4","esp":"0x1936a8","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 00 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 15 01 00 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 01 01 00 02 00 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 ec ff ff ff 02 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 01 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... 
[+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80c0","ecx":"0x1","edx":"0x19bb5c","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 b1 . [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 08 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 15 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 00000010 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ,............... 00000020 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ 00000050 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... 
[+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 01 00 02 00 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 e4 ff ff ff 02 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80d0","ecx":"0x4","edx":"0x19bb54","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 54 c7 2f 02 T./. [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 1b 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 01 00 17 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 03 00 00 00 01 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 01 02 ................ 00000050 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... 
[+] return to : 0x22d8144 Context : {"pc":"0x465764","sp":"0x19369c","eax":"0x1936a8","ecx":"0x4","edx":"0x22fc757","ebx":"0x22d8144","esp":"0x19369c","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 31 00 00 49 1..I [+] return to : 0x22d8144 Context : {"pc":"0x465764","sp":"0x19369c","eax":"0x22d80d0","ecx":"0x4","edx":"0x1936b0","ebx":"0x22d8144","esp":"0x19369c","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 00 00 00 00 .... [+] return to : 0x22d8144 Context : {"pc":"0x465764","sp":"0x19369c","eax":"0x22d80d0","ecx":"0x1","edx":"0x1936a8","ebx":"0x22d8144","esp":"0x19369c","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 31 1 [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 02 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ 00000030 00 00 00 00 7f 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x193a8a Context : {"pc":"0x465764","sp":"0x1936a0","eax":"0x22d80d0","ecx":"0x4","edx":"0x1936b0","ebx":"0x4","esp":"0x1936a0","ebp":"0x1936b8","esi":"0x22d80d0","edi":"0x22d8144","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 b0 00 00 00 .... 
[+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 0d 00 00 00 00 00 00 00 15 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 15 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x0 Context : {"pc":"0x465764","sp":"0x1936a8","eax":"0x22d80c0","ecx":"0x4","edx":"0x1936b0","ebx":"0x4","esp":"0x1936a8","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 00 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 15 01 00 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 01 01 00 02 00 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 eb ff ff ff 02 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 01 02 ................ 00000050 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... 
[+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80c0","ecx":"0x1","edx":"0x19bb5b","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 b0 . [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 08 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 15 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 00000010 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ 00000050 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... 
[+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 0c 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 01 00 02 00 00 f0 ................ 00000030 00 00 00 00 00 00 00 00 d8 7f ff ff 01 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x193b48 Context : {"pc":"0x465764","sp":"0x1936ac","eax":"0x22d80d0","ecx":"0x4","edx":"0x1936b4","ebx":"0x22d8144","esp":"0x1936ac","ebp":"0x1936b8","esi":"0x4","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 48 3b 19 00 H;.. [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 09 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ 00000050 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... 
[+] return to : 0x1936c4 Context : {"pc":"0x465764","sp":"0x1936b0","eax":"0x193b14","ecx":"0x4","edx":"0x1936b4","ebx":"0x22d8144","esp":"0x1936b0","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 48 3b 19 00 H;.. [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 0d 00 00 00 00 00 00 00 16 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 16 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x0 Context : {"pc":"0x465764","sp":"0x1936a8","eax":"0x22d80c8","ecx":"0x4","edx":"0x1936b0","ebx":"0x4","esp":"0x1936a8","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 00 00 00 00 .... [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 15 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ 00000030 00 00 00 00 88 97 49 00 00 00 00 00 00 00 00 00 ......I......... 
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80c0","ecx":"0x4","edx":"0x22d89b0","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 88 97 49 00 ..I. [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 01 00 00 00 00 00 00 00 17 11 01 f0 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 04 01 00 14 11 01 f0 ................ 00000030 00 00 00 00 00 00 00 00 38 03 00 00 01 00 00 00 ........8....... 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 02 ................ 00000050 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 .... [+] return to : 0x474ea5 Context : {"pc":"0x465764","sp":"0x1936b4","eax":"0x22d80d0","ecx":"0x4","edx":"0x22d242c","ebx":"0x22d8144","esp":"0x1936b4","ebp":"0x1936b8","esi":"0x193a8a","edi":"0x4f70068","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 0c 00 3c 05 ..<. [+] return to : 0x474ec0 Context : {"pc":"0x465764","sp":"0x1936cc","eax":"0x22d897c","ecx":"0x64","edx":"0x4f70004","ebx":"0x4f70004","esp":"0x1936cc","ebp":"0x1936f8","esi":"0x193a8a","edi":"0x22d07e4","eip":"0x465764"} Data dump src : 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 00000000 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000010 90 d3 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
00000020 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ 00000050 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 ....
(另外,只有当 tail_key(即 id)的长度等于要求的长度 4 时,才会出现上述 frida 相关的内存操作输出;长度不满足时,程序在此之前就已经退出。)
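"""Frida tracer (fh.py) used in this write-up.

Attaches to a running crackme2019Q3D7.exe process, hooks the function that the
disassembler shows at 0x465764 (image base 0x400000) and, on every call, prints
the register context plus a hex dump of ECX bytes starting at EDX.
"""
from __future__ import print_function

import sys

import frida

# JavaScript injected into the target process. The printed strings are kept
# exactly as in the original script so the output matches the trace shown in
# the article.
HOOK_SCRIPT = """
// Upper bound for a single dump: ECX is treated as a byte count, but nothing
// guarantees that every call passes a small, valid length.
var MAX_DUMP = 0x1000;

// Runtime base address of the main module in the instrumented process.
var baseAddr = Module.findBaseAddress('crackme2019Q3D7.exe');
if (baseAddr === null) {
    // Without this guard the failure would surface later as an opaque
    // TypeError inside resolveAddress().
    throw new Error('crackme2019Q3D7.exe is not loaded in this process');
}
console.log('crackme2019Q3D7.exe baseAddr: ' + baseAddr);

// 0x465764 is the function address as seen in the disassembler;
// resolveAddress() rebases it onto the module's runtime base.
var hookTarget = resolveAddress('0x465764');

Interceptor.attach(hookTarget, {
    // Runs on every call to the hooked function, before its body executes.
    onEnter: function (args) {
        console.log('');
        // NOTE(review): args[1] is the second argument slot as Frida reads
        // it, which on 32-bit x86 presumably comes from the stack and is not
        // the caller's return address (the trace contains 0x0 and stack
        // pointers here). this.returnAddress is the API for the real return
        // address. The label is kept so the output matches the article.
        console.log('[+] return to : ' + args[1]);
        console.log('Context : ' + JSON.stringify(this.context));
        // EDX is used as the buffer pointer and ECX as its length in bytes.
        dumpAddr('src', ptr(this.context.edx), this.context.ecx.toInt32());
    }
});

// Hex-dump `size` bytes at `addr`, labelled with `info`.
function dumpAddr(info, addr, size) {
    if (addr.isNull() || size <= 0) return;
    var length = Math.min(size, MAX_DUMP);
    var buf;
    try {
        buf = addr.readByteArray(length);
    } catch (e) {
        // Unmapped or protected memory: report it instead of aborting the hook.
        console.log('Data dump ' + info + ' : unreadable (' + e.message + ')');
        return;
    }
    console.log('Data dump ' + info + ' :');
    // Set ansi to true for coloured output.
    console.log(hexdump(buf, {
        offset: 0,
        length: length,
        header: true,
        ansi: false
    }));
}

// Translate an address from the disassembler database into the address of
// the same location in the running process.
function resolveAddress(addr) {
    var idaBase = ptr('0x400000');          // image base used by the disassembler
    var offset = ptr(addr).sub(idaBase);    // offset of the function inside the image
    var result = baseAddr.add(offset);      // same offset from the runtime base
    console.log('[+] New addr=' + result);
    return result;
}
"""


def on_message(message, data):
    """Print every message the injected script delivers to the host.

    :param message: message object passed by Frida to the 'message' handler.
    :param data: optional binary payload that accompanies the message.
    """
    print("[%s] => %s" % (message, data))


def main(target_process):
    """Attach to ``target_process``, load the hook and wait for EOF on stdin.

    :param target_process: process name (str) or PID (int) to attach to.
    """
    session = frida.attach(target_process)
    try:
        script = session.create_script(HOOK_SCRIPT)
        script.on('message', on_message)
        script.load()
        print("[!] Ctrl+D on UNIX, Ctrl+Z on Windows/cmd.exe to detach from instrumented program.\n\n")
        # Block until the user closes stdin; the hook keeps printing meanwhile.
        sys.stdin.read()
    finally:
        # Detach even on Ctrl+C or a script load error so the hook is not
        # left installed in the target process.
        session.detach()


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("Usage: %s <process name or PID>" % __file__)
        sys.exit(1)

    # A purely numeric argument is treated as a PID, anything else as a name.
    try:
        target_process = int(sys.argv[1])
    except ValueError:
        target_process = sys.argv[1]
    main(target_process)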
最后于 2019-9-25 11:31
被HHHso编辑
,原因: