Checked the packer with PEiD, result as follows:
Loaded in OD, it stops here:
00598B23 > E8 00000000 CALL J-ComDeb.00598B28
00598B28 60 PUSHAD
00598B29 E8 4F000000 CALL J-ComDeb.00598B7D
00598B2E ^ 71 D8 JNO SHORT J-ComDeb.00598B08
00598B30 AC LODS BYTE PTR DS:[ESI]
00598B31 07 POP ES ; modifies segment register
00598B32 CE INTO
00598B33 EA 27AA736B D9B>JMP FAR BDD9:6B73AA27 ; far jump
F8 to 00598B29 E8 4F000000 CALL J-ComDeb.00598B7D
ESP trick: hr 0012FFA0;
Command line: bp VirtualProtect, Shift+F9;
Shift+F9 twice, breaks here:
7C801AD4 > 8BFF MOV EDI,EDI
7C801AD6 55 PUSH EBP
7C801AD7 8BEC MOV EBP,ESP
7C801AD9 FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C801ADC FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C801ADF FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C801AE2 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C801AE5 6A FF PUSH -1
7C801AE7 E8 75FFFFFF CALL kernel32.VirtualProtectEx
7C801AEC 5D POP EBP
7C801AED C2 1000 RETN 10
Returns to
0059FBA3 8B15 84C65A00 MOV EDX,DWORD PTR DS:[5AC684]
0059FBA9 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0059FBAC 0342 08 ADD EAX,DWORD PTR DS:[EDX+8]
0059FBAF 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
0059FBB2 C705 14C95A00 0>MOV DWORD PTR DS:[5AC914],0
Continue with Shift+F9, return, stops here:
0059FFFC 85C0 TEST EAX,EAX
0059FFFE 75 0A JNZ SHORT J-ComDeb.005A000A
005A0000 B9 0B0000EF MOV ECX,EF00000B
005A0005 E8 5F2D0000 CALL J-ComDeb.005A2D69
005A000A 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
005A000D 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
005A0010 8B02 MOV EAX,DWORD PTR DS:[EDX]
005A0012 8901 MOV DWORD PTR DS:[ECX],EAX
005A0014 8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C]
005A0017 51 PUSH ECX
005A0018 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
005A001B 52 PUSH EDX
005A001C 6A 04 PUSH 4
Fill 005A0012 8901 MOV DWORD PTR DS:[ECX],EAX with NOPs
Code after modification:
0059FFFC 85C0 TEST EAX,EAX
0059FFFE 75 0A JNZ SHORT J-ComDeb.005A000A
005A0000 B9 0B0000EF MOV ECX,EF00000B
005A0005 E8 5F2D0000 CALL J-ComDeb.005A2D69
005A000A 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
005A000D 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
005A0010 8B02 MOV EAX,DWORD PTR DS:[EDX]
005A0012 90 NOP
005A0013 90 NOP
005A0014 8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C]
005A0017 51 PUSH ECX
005A0018 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
005A001B 52 PUSH EDX
005A001C 6A 04 PUSH 4
Delete the bp VirtualProtect breakpoint, F9 four times, stops here:
0057F014 5D POP EBP ; J-ComDeb.0057F013
0057F015 BB EDFFFFFF MOV EBX,-13
0057F01A 03DD ADD EBX,EBP
0057F01C 81EB 00F01700 SUB EBX,17F000
0057F022 83BD 7D040000 0>CMP DWORD PTR SS:[EBP+47D],0
0057F029 899D 7D040000 MOV DWORD PTR SS:[EBP+47D],EBX
0057F02F 0F85 C0030000 JNZ J-ComDeb.0057F3F5
0057F035 8D85 89040000 LEA EAX,DWORD PTR SS:[EBP+489]
0057F03B 50 PUSH EAX
0057F03C FF95 090F0000 CALL DWORD PTR SS:[EBP+F09]
Delete the hardware breakpoint, scroll down to 0057F41A C3 RETN and press F4;
F8 to return, stops here:
00401480 /EB 10 JMP SHORT J-ComDeb.00401492
00401482 |66:623A BOUND DI,DWORD PTR DS:[EDX]
00401485 |43 INC EBX
00401486 |2B2B SUB EBP,DWORD PTR DS:[EBX]
00401488 |48 DEC EAX
00401489 |4F DEC EDI
0040148A |4F DEC EDI
0040148B |4B DEC EBX
0040148C |90 NOP
0040148D -|E9 98E04C00 JMP 008CF52A
Scroll down to 004014D4 /E9 4F6F0C00 JMP J-ComDeb.004C8428 and press F4
F8 jumps to the OEP:
004C8428 55 PUSH EBP
004C8429 8BEC MOV EBP,ESP
004C842B 83C4 F4 ADD ESP,-0C
004C842E 53 PUSH EBX
004C842F 56 PUSH ESI
004C8430 57 PUSH EDI
004C8431 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
004C8434 8B46 10 MOV EAX,DWORD PTR DS:[ESI+10]
004C8437 83E0 01 AND EAX,1
After dumping it won't run; fixing with ImportREC 1.7c shows some invalid entries. I'm a newbie, please point out where things went wrong, or help unpack this program.
The program is as follows:
J-ComDebug.part1.rar
J-ComDebug.part2.rar
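Added example, not the poster's code and not taken from the J-ComDebug program: a small Python script that performs the static checks a PEiD-style packer scan relies on (entry point outside the first section, a writable and executable entry-point section, high section entropy) and maps an RVA to a file offset, which is what you need when carrying a patch made in OD (like the NOP fill above) into a dumped file. It runs on a constructed PE32 image built in memory; the section name pack0, the addresses and the byte contents are made up for this example.

```python
"""Static packer triage of a PE file and RVA -> file-offset mapping.
Constructed example: builds a tiny PE32 in memory (no real packer, not the
program from the post). For a real sample pass its bytes to analyze_pe()."""
import math
import random
import struct
from collections import Counter

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 means compressed/encrypted, near 0 means filler."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(data: bytes):
    """Return (entry_rva, image_base, sections) for a PE32 or PE32+ blob."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                      # PE32: DWORD ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                    # PE32+: QWORD ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections, pos = [], opt + size_opt
    for _ in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, pos)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size,
                         "chars": chars, "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
        pos += 40
    return entry_rva, image_base, sections

def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None

def rva_to_offset(sections, rva):
    """File offset backing an RVA; None when the bytes exist only at run time."""
    s = section_for_rva(sections, rva)
    if s is None or rva - s["va"] >= s["raw_size"]:
        return None
    return s["raw_ptr"] + (rva - s["va"])

def analyze_pe(data: bytes) -> dict:
    """Collect the indicators a PEiD-style packer check relies on."""
    entry_rva, image_base, sections = parse_pe(data)
    ep, findings = section_for_rva(sections, entry_rva), []
    if ep is None:
        findings.append("entry point lies outside every section")
    else:
        if ep is not sections[0]:
            findings.append("entry point not in the first section (%s)" % ep["name"])
        if ep["chars"] & IMAGE_SCN_MEM_WRITE and ep["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry-point section is writable and executable")
        if ep["entropy"] > 7.0:
            findings.append("entry-point section entropy %.2f" % ep["entropy"])
    return {"entry_va": image_base + entry_rva, "ep_section": ep["name"] if ep else None,
            "sections": sections, "findings": findings, "likely_packed": len(findings) >= 2}

def build_sample_pe() -> bytes:
    """Constructed PE32: a flat .text plus a high-entropy, writable+executable
    section 'pack0' owning the entry point (names and bytes are made up)."""
    rng = random.Random(1)
    text = b"\xc3" * 0x200                                   # RET sled, entropy 0
    pack = bytes(rng.getrandbits(8) for _ in range(0x1000))  # seeded pseudo-random
    r_x = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    secs = [(b".text", 0x1000, 0x400, text, r_x),
            (b"pack0", 0x2000, 0x600, pack, r_x | IMAGE_SCN_MEM_WRITE)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0x1000, 0x1000, 0,
                      0x2010, 0x1000, 0x2000)                # AddressOfEntryPoint = 0x2010
    opt += struct.pack("<III", 0x400000, 0x1000, 0x200)     # ImageBase, alignments
    hdr = dos + b"PE\0\0" + coff + opt.ljust(224, b"\0")
    for name, va, raw_ptr, body, chars in secs:
        hdr += struct.pack("<8sIIIIIIHHI", name, len(body), va, len(body),
                           raw_ptr, 0, 0, 0, 0, chars)
    image = bytearray(hdr.ljust(max(p + len(b) for _, _, p, b, _ in secs), b"\0"))
    for _, _, raw_ptr, body, _ in secs:
        image[raw_ptr:raw_ptr + len(body)] = body
    return bytes(image)

if __name__ == "__main__":
    report = analyze_pe(build_sample_pe())
    print("entry VA 0x%08X in %s, packed=%s" % (report["entry_va"], report["ep_section"], report["likely_packed"]))
    print("\n".join(report["findings"]))
```

Run it as-is to see the three findings on the constructed image; to triage a real sample, read the file's bytes and pass them to analyze_pe(). An RWX entry section or high entropy is a heuristic, not proof of packing, so treat likely_packed as a hint to look closer in the debugger, and use rva_to_offset() to find where a VA seen in OD lives in the file before patching a dump.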