00B7E6BB FF15 C4C0B800 call dword ptr ds:[B8C0C4] ; kernel32.GetModuleHandleA
00B7E6C1 3985 B0E9FFFF cmp dword ptr ss:[ebp-1650],eax
00B7E6C7 75 0F jnz short 00B7E6D8
00B7E6C9 C785 ACE9FFFF 4002B900 mov dword ptr ss:[ebp-1654],0B90240
00B7E6D3 E9 C4000000 jmp 00B7E79C
00B7E6D8 83A5 84E7FFFF 00 and dword ptr ss:[ebp-187C],0
00B7E6DF C785 80E7FFFF 5008B900 mov dword ptr ss:[ebp-1880],0B90850
00B7E6E9 EB 1C jmp short 00B7E707
00B7E6EB 8B85 80E7FFFF mov eax,dword ptr ss:[ebp-1880]
00B7E6F1 83C0 0C add eax,0C
00B7E6F4 8985 80E7FFFF mov dword ptr ss:[ebp-1880],eax
00B7E6FA 8B85 84E7FFFF mov eax,dword ptr ss:[ebp-187C]
00B7E700 40 inc eax
00B7E701 8985 84E7FFFF mov dword ptr ss:[ebp-187C],eax
00B7E707 8B85 80E7FFFF mov eax,dword ptr ss:[ebp-1880]
00B7E70D 8338 00 cmp dword ptr ds:[eax],0
00B7E710 0F84 86000000 je 00B7E79C<=====是那个magic jmp吗?我怎么就找不到OEP呢?
00B7E716 8B85 80E7FFFF mov eax,dword ptr ss:[ebp-1880]
00B7E71C 8B40 08 mov eax,dword ptr ds:[eax+8]
00B7E71F 83E0 01 and eax,1
00B7E722 85C0 test eax,eax
00B7E724 74 25 je short 00B7E74B
00B7E726 A1 DCB8B900 mov eax,dword ptr ds:[B9B8DC]
00B7E72B 8B0D DCB8B900 mov ecx,dword ptr ds:[B9B8DC] ; ServerDv.004D1260
00B7E731 8B40 58 mov eax,dword ptr ds:[eax+58]
00B7E734 3341 7C xor eax,dword ptr ds:[ecx+7C]
00B7E737 8B0D DCB8B900 mov ecx,dword ptr ds:[B9B8DC] ; ServerDv.004D1260
00B7E73D 3341 3C xor eax,dword ptr ds:[ecx+3C]
00B7E740 25 80000000 and eax,80
00B7E745 85C0 test eax,eax
00B7E747 74 02 je short 00B7E74B
00B7E749 ^ EB A0 jmp short 00B7E6EB
00B7E74B 8B85 84E7FFFF mov eax,dword ptr ss:[ebp-187C]
00B7E751 8B0D 0876B900 mov ecx,dword ptr ds:[B97608]
00B7E757 8B15 DCB8B900 mov edx,dword ptr ds:[B9B8DC] ; ServerDv.004D1260
00B7E75D 8B0481 mov eax,dword ptr ds:[ecx+eax*4]
00B7E760 3342 20 xor eax,dword ptr ds:[edx+20]
00B7E763 8B0D DCB8B900 mov ecx,dword ptr ds:[B9B8DC] ; ServerDv.004D1260
00B7E769 3341 3C xor eax,dword ptr ds:[ecx+3C]
00B7E76C 8B0D DCB8B900 mov ecx,dword ptr ds:[B9B8DC] ; ServerDv.004D1260
00B7E772 3341 04 xor eax,dword ptr ds:[ecx+4]
00B7E775 8B0D DCB8B900 mov ecx,dword ptr ds:[B9B8DC] ; ServerDv.004D1260
00B7E77B 3341 30 xor eax,dword ptr ds:[ecx+30]
00B7E77E 3985 B0E9FFFF cmp dword ptr ss:[ebp-1650],eax
00B7E784 75 11 jnz short 00B7E797
00B7E786 8B85 80E7FFFF mov eax,dword ptr ss:[ebp-1880]
00B7E78C 8B40 04 mov eax,dword ptr ds:[eax+4]
00B7E78F 8985 ACE9FFFF mov dword ptr ss:[ebp-1654],eax
00B7E795 EB 05 jmp short 00B7E79C
00B7E797 ^ E9 4FFFFFFF jmp 00B7E6EB
00B7E79C 80A5 A4E9FFFF 00 and byte ptr ss:[ebp-165C],0
00B7E7A3 A1 9CBCB900 mov eax,dword ptr ds:[B9BC9C]
00B7E7A8 8A80 66350000 mov al,byte ptr ds:[eax+3566]
00B7E7AE 8885 F4D3FFFF mov byte ptr ss:[ebp-2C0C],al
00B7E7B4 0FB685 F4D3FFFF movzx eax,byte ptr ss:[ebp-2C0C]
00B7E7BB 85C0 test eax,eax
00B7E7BD 74 23 je short 00B7E7E2
00B7E7BF 8B85 A0E9FFFF mov eax,dword ptr ss:[ebp-1660]
00B7E7C5 3B85 BCFDFFFF cmp eax,dword ptr ss:[ebp-244]
00B7E7CB 72 15 jb short 00B7E7E2
00B7E7CD 8B85 A0E9FFFF mov eax,dword ptr ss:[ebp-1660]
00B7E7D3 3B85 C4FDFFFF cmp eax,dword ptr ss:[ebp-23C]
00B7E7D9 73 07 jnb short 00B7E7E2
00B7E7DB C685 A4E9FFFF 01 mov byte ptr ss:[ebp-165C],1
00B7E7E2 8B85 A8E9FFFF mov eax,dword ptr ss:[ebp-1658]
00B7E7E8 40 inc eax
00B7E7E9 8985 A8E9FFFF mov dword ptr ss:[ebp-1658],eax
00B7E7EF 8B85 3CEBFFFF mov eax,dword ptr ss:[ebp-14C4]
00B7E7F5 0385 A0E9FFFF add eax,dword ptr ss:[ebp-1660]
00B7E7FB 8985 B4E9FFFF mov dword ptr ss:[ebp-164C],eax
00B7E801 8B85 B4E9FFFF mov eax,dword ptr ss:[ebp-164C]
00B7E807 8985 98E9FFFF mov dword ptr ss:[ebp-1668],eax
00B7E80D 0FB685 A4E9FFFF movzx eax,byte ptr ss:[ebp-165C]
00B7E814 85C0 test eax,eax
00B7E816 74 2E je short 00B7E846
00B7E818 8B85 A8E9FFFF mov eax,dword ptr ss:[ebp-1658]
如果可以的话，请看看这个软件，说一下怎么找到 OEP，给个思路就可以。看雪的精华和论坛上的文章我都看过了，但我觉得这个不大一样。能不能帮个忙？
包里的那个1.exe文件就是目标文件