|
windbg writing to memory: Memory access error in 'ed b2dac000 0'
To add: I am learning with a virtual machine. |
|
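How do I handle it when part of the disassembly in OD is encrypted?
But the problem is that as soon as I disassemble it, even the packer's own code seems to be encrypted; that is, after entering there are only a few instructions and then the code below is encrypted, so I have no idea how to unpack it??? |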
|
Newbie calling for help
It is to write an interpreter. |
|
Newbie asking for help
I only tested whether the injected file can be opened, using OD. |
|
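Newbie asking for help
If this code puts _m1: at _main, the Notepad with the injected code reports that it is not a Win32 program; I don't know where it goes wrong. |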
|
Newbie asking for help
    .386
    .model flat,stdcall
    option casemap:none
    include include\windows.inc
    include include\kernel32.inc
    include include\user32.inc
    includelib lib\kernel32.lib
    includelib lib\user32.lib
    .data
    hFile dd 0
    szCaption db "test",0
    szMessage db "success",0
    szMessage1 db "fail",0
    szFileName db "test.exe",0
    szUser32 db "user32.dll",0
    szApiName db "MessageBoxA",0
    .code
    _main:
    push 02h
    push offset szFileName
    call _lopen
    mov hFile,eax
    sub esp,1000h
    mov edi,esp
    push 1000h
    push edi
    push hFile
    call _lread
    mov eax,[edi+3ch]
    add edi,eax
    assume edi:ptr IMAGE_NT_HEADERS
    mov eax,[edi].OptionalHeader.ImageBase
    mov aOldBase,eax
    mov eax,[edi].OptionalHeader.AddressOfEntryPoint
    mov aOldEntryPoint,eax
    movzx eax,[edi].FileHeader.NumberOfSections
    dec eax
    mov ecx,28h
    mul ecx
    add eax,sizeof IMAGE_NT_HEADERS
    add eax,edi
    mov ebx,eax
    assume ebx:ptr IMAGE_SECTION_HEADER
    mov [ebx].Characteristics,0e0000020h
    mov eax,[ebx].Misc.VirtualSize
    push eax
    add eax,[ebx].VirtualAddress
    mov [edi].OptionalHeader.AddressOfEntryPoint,eax
    add [ebx].Misc.VirtualSize,offset _m2-offset _m1
    mov eax,[ebx].Misc.VirtualSize
    mov ecx,[edi].OptionalHeader.FileAlignment
    cdq
    div ecx
    inc eax
    mul ecx
    mov [ebx].SizeOfRawData,eax
    mov eax,[ebx].Misc.VirtualSize
    mov ecx,[edi].OptionalHeader.SectionAlignment
    cdq
    div ecx
    inc eax
    mul ecx
    add eax,[ebx].VirtualAddress
    mov [edi].OptionalHeader.SizeOfImage,eax
    push offset szUser32
    call LoadLibraryA
    push offset szApiName
    push eax
    call GetProcAddress
    mov aMessageBoxA,eax
    pop eax
    add eax,[ebx].PointerToRawData
    mov edi,esp
    push FILE_BEGIN
    push eax
    push hFile
    call _llseek
    push offset _m2-offset _m1
    push offset _m1
    push hFile
    call _lwrite
    push FILE_BEGIN
    push 0
    push hFile
    call _llseek
    push 1000h
    push edi
    push hFile
    call _lwrite
    add esp,1000h
    push hFile
    call _lclose
    push MB_OK or MB_ICONINFORMATION
    push offset szCaption
    push offset szMessage
    push 0
    call MessageBoxA
    ret
    _m1:
    call _r
    _r:
    pop ebp
    sub ebp,offset _r
    push MB_OK or MB_ICONINFORMATION
    lea eax,szMsg1[ebp]
    push eax
    lea eax,szMsg1[ebp]
    push eax
    push 0
    call aMessageBoxA[ebp]
    mov eax,aOldBase[ebp]
    add eax,aOldEntryPoint[ebp]
    push eax
    ret
    szMsg1 db "退出",0
    aMessageBoxA dd 0
    aOldEntryPoint dd 0
    aOldBase dd 0
    _m2:
    end _main
I have also only just started on Boss Luo's book, so there is a great deal I don't understand; please forgive me if I have offended anyone. |
|
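Newbie question
These days, if you don't want to answer a question, fine, but don't make things worse on top of that. I am talking about the poster on the 2nd floor. |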