After getting past the packer and landing on the program's first line, pressing F8 makes the program automatically jump into the section below:
0047EBF2 |. BF 4EE640BB mov edi, BB40E64E ; default security cookie value
0047EBF7 |. BB 0000FFFF mov ebx, FFFF0000 ; mask for the upper 16 bits
0047EBFC |. 3BC7 cmp eax, edi
0047EBFE |. 74 0D je short 0047EC0D
0047EC00 |. 85C3 test ebx, eax
0047EC02 |. 74 09 je short 0047EC0D
0047EC04 |. F7D0 not eax
0047EC06 |. A3 94884C00 mov dword ptr [4C8894], eax ; cookie already usable: store only its complement
0047EC0B |. EB 60 jmp short 0047EC6D
0047EC0D |> 56 push esi
0047EC0E |. 8D45 F8 lea eax, dword ptr [ebp-8]
0047EC11 |. 50 push eax ; /pFileTime
0047EC12 |. FF15 20F14900 call dword ptr [49F120] ; \GetSystemTimeAsFileTime
0047EC18 |. 8B75 FC mov esi, dword ptr [ebp-4]
0047EC1B |. 3375 F8 xor esi, dword ptr [ebp-8] ; high dword ^ low dword of the FILETIME
0047EC1E |. FF15 44F24900 call dword ptr [49F244] ; [GetCurrentProcessId
0047EC24 |. 33F0 xor esi, eax
0047EC26 |. FF15 88F24900 call dword ptr [49F288] ; [GetCurrentThreadId
0047EC2C |. 33F0 xor esi, eax
0047EC2E |. FF15 18F34900 call dword ptr [49F318] ; [GetTickCount
0047EC34 |. 33F0 xor esi, eax
0047EC36 |. 8D45 F0 lea eax, dword ptr [ebp-10]
0047EC39 |. 50 push eax ; /pPerformanceCount
0047EC3A |. FF15 64F14900 call dword ptr [49F164] ; \QueryPerformanceCounter
0047EC40 |. 8B45 F4 mov eax, dword ptr [ebp-C]
0047EC43 |. 3345 F0 xor eax, dword ptr [ebp-10]
0047EC46 |. 33F0 xor esi, eax
0047EC48 |. 3BF7 cmp esi, edi
0047EC4A |. 75 07 jnz short 0047EC53
0047EC4C |. BE 4FE640BB mov esi, BB40E64F ; result equalled the default, so bump it by one
0047EC51 |. EB 0B jmp short 0047EC5E
0047EC53 |> 85F3 test ebx, esi
0047EC55 |. 75 07 jnz short 0047EC5E
0047EC57 |. 8BC6 mov eax, esi
0047EC59 |. C1E0 10 shl eax, 10 ; upper 16 bits were zero:
0047EC5C |. 0BF0 or esi, eax ; copy the low word into the high word
0047EC5E |> 8935 90884C00 mov dword ptr [4C8890], esi ; store the cookie
0047EC64 |. F7D6 not esi
0047EC66 |. 8935 94884C00 mov dword ptr [4C8894], esi ; store ~cookie (the complement)
0047EC6C |. 5E pop esi
0047EC6D |> 5F pop edi
0047EC6E |. 5B pop ebx
0047EC6F |. C9 leave
0047EC70 \. C3 retn
This final retn goes back to the line right after the one we jumped in from.
But in the program dumped after unpacking, F8 simply goes to the next line. Uh...
See the diagram below:
Code:
packer……
1.……
2.……
3.……
……
……
……
……
……
(mystery section) (no idea where it actually lives)
In the still-packed version, F8 from (packer……) lands on (1……), then F8 lands in the (mystery section), F8 all the way through, and F8 on the final RETN lands on (2……).
In the dumped version, F8 from (1……) goes straight to (2……).
I'm sure everyone gets it now????
1…… is a CALL, and the CALL's target address is not the address of the (mystery section) either.
Can anyone explain what is going on here?
Any experts around? Please help!