After guidance from the experts, I have organized the unpacking process as follows:
1. Find the OEP entry point
2. Unpack
3. Run the exe
Step 1. See what packer it is
Step 2. Unpack
Dumped at the OEP entry point in this part
Step 3. After dumping, look at the unpacked information
I don't know why it says "nothing found"; in fact the unpacking has already succeeded
Step 4. Run the exe
The exe file is here:
qqnmtf.zip
------------------------------------------------------------------------------------------------------------------------------------
0042BC49 . 50 push eax
0042BC4A . 68 F8884200 push 004288F8 ; http://192.168.0.10/login_s.asp?
0042BC4F . FF15 8C104000 call dword ptr [<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
0042BC55 . 8B16 mov edx, dword ptr [esi]
0042BC57 . 8BD8 mov ebx, eax
0042BC59 . F7DB neg ebx
0042BC5B . 1BDB sbb ebx, ebx
0042BC5D . 6A 00 push 0
0042BC5F . F7DB neg ebx
0042BC61 . 68 D3000000 push 0D3
0042BC66 . 56 push esi
0042BC67 . F7DB neg ebx
0042BC69 . FF92 C8030000 call dword ptr [edx+3C8]
0042BC6F . 50 push eax
0042BC70 . 8D45 9C lea eax, dword ptr [ebp-64]
0042BC73 . 50 push eax
0042BC74 . FF15 58104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0042BC7A . 8D4D 88 lea ecx, dword ptr [ebp-78]
0042BC7D . 50 push eax
0042BC7E . 51 push ecx
0042BC7F . FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaLateI>; MSVBVM60.__vbaLateIdCallLd
0042BC85 . 83C4 10 add esp, 10
0042BC88 . 50 push eax
0042BC89 . FF15 28104000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
0042BC8F . 8BD0 mov edx, eax
0042BC91 . 8D4D B4 lea ecx, dword ptr [ebp-4C]
0042BC94 . FF15 58114000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0042BC9A . 50 push eax
0042BC9B . 68 A0884200 push 004288A0 ; http://192.168.0.10/u_s.asp?action=show
0042BCA0 . FF15 8C104000 call dword ptr [<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
0042BCA6 . F7D8 neg eax
0042BCA8 . 1BC0 sbb eax, eax
0042BCAA . 8D55 B0 lea edx, dword ptr [ebp-50]
0042BCAD . F7D8 neg eax
0042BCAF . F7D8 neg eax
0042BCB1 . 23D8 and ebx, eax
0042BCB3 . 8D45 B4 lea eax, dword ptr [ebp-4C]
0042BCB6 . 52 push edx ; ntdll.KiFastSystemCallRet
0042BCB7 . 50 push eax
0042BCB8 . 6A 02 push 2
0042BCBA . FF15 14114000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
0042BCC0 . 8D4D 98 lea ecx, dword ptr [ebp-68]
0042BCC3 . 8D55 9C lea edx, dword ptr [ebp-64]
0042BCC6 . 51 push ecx
0042BCC7 . 52 push edx ; ntdll.KiFastSystemCallRet
0042BCC8 . 6A 02 push 2
0042BCCA . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObjList
0042BCD0 . 8D85 78FFFFFF lea eax, dword ptr [ebp-88]
0042BCD6 . 8D4D 88 lea ecx, dword ptr [ebp-78]
0042BCD9 . 50 push eax
0042BCDA . 51 push ecx
0042BCDB . 6A 02 push 2
0042BCDD . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0042BCE3 . 83C4 24 add esp, 24
0042BCE6 . 66:85DB test bx, bx
0042BCE9 0F84 A0050000 je 0042C28F
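Once the dump runs, the next thing an analyst wants from a listing like the one above is a quick inventory: which runtime imports the code actually calls, which string literals it references, and what each `__vbaStrCmp` is comparing against. The following Python is an added example (not part of the original post) that parses OllyDbg-style listing lines in exactly the layout shown above; the `SAMPLE_LISTING` is a verbatim subset of that listing, and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a verbatim subset of the OllyDbg listing above.
SAMPLE_LISTING = """\
0042BC49 . 50 push eax
0042BC4A . 68 F8884200 push 004288F8 ; http://192.168.0.10/login_s.asp?
0042BC4F . FF15 8C104000 call dword ptr [<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
0042BC55 . 8B16 mov edx, dword ptr [esi]
0042BC9A . 50 push eax
0042BC9B . 68 A0884200 push 004288A0 ; http://192.168.0.10/u_s.asp?action=show
0042BCA0 . FF15 8C104000 call dword ptr [<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
0042BCB6 . 52 push edx ; ntdll.KiFastSystemCallRet
0042BCBA . FF15 14114000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
0042BCE6 . 66:85DB test bx, bx
0042BCE9 0F84 A0050000 je 0042C28F
"""

# Opcode bytes are uppercase hex groups such as "FF15", "8C104000" or "66:85DB";
# mnemonics are lowercase, so a case-sensitive match separates the two columns.
_HEX_BYTES = re.compile(r"^[0-9A-F]{2}(?::?[0-9A-F]{2})*$")
_IMPORT = re.compile(r"^([A-Za-z0-9_]+)\.([A-Za-z0-9_@]+)$")   # MODULE.symbol
_URL = re.compile(r"https?://\S+")


@dataclass
class Instruction:
    address: int
    opcode: bytes
    mnemonic: str
    operands: str
    comment: Optional[str]


def parse_line(line: str) -> Optional[Instruction]:
    """Parse one listing line; return None for blank or non-instruction lines."""
    text, _, comment = line.rstrip().partition(";")
    tokens = text.split()
    if len(tokens) < 2 or not re.fullmatch(r"[0-9A-F]{8}", tokens[0]):
        return None
    address = int(tokens[0], 16)
    rest = tokens[1:]
    if rest and rest[0] == ".":          # OllyDbg's analysis-marker column
        rest = rest[1:]
    raw = []
    while rest and _HEX_BYTES.match(rest[0]):
        raw.append(rest.pop(0).replace(":", ""))
    if not rest:
        return None
    mnemonic, operands = rest[0], " ".join(rest[1:])
    return Instruction(address, bytes.fromhex("".join(raw)),
                       mnemonic, operands, comment.strip() or None)


def parse_listing(text: str) -> List[Instruction]:
    return [ins for ins in map(parse_line, text.splitlines()) if ins is not None]


def called_imports(instrs: List[Instruction]) -> List[Tuple[int, str, str]]:
    """Resolved imports that are actually called. An annotation on any other
    mnemonic (e.g. 'ntdll.KiFastSystemCallRet' on a push) only describes what a
    register happened to hold, so it is deliberately not treated as a call."""
    out = []
    for ins in instrs:
        if ins.mnemonic != "call" or not ins.comment:
            continue
        m = _IMPORT.match(ins.comment)
        if m:
            out.append((ins.address, m.group(1), m.group(2)))
    return out


def referenced_urls(instrs: List[Instruction]) -> List[str]:
    urls: List[str] = []
    for ins in instrs:
        if ins.comment:
            urls.extend(_URL.findall(ins.comment))
    return urls


def strcmp_literals(instrs: List[Instruction]) -> List[Tuple[int, str]]:
    """For each __vbaStrCmp call, the string literal pushed as one of its two
    arguments (the other argument is a runtime value held in a register)."""
    found = []
    for i, ins in enumerate(instrs):
        if ins.mnemonic != "call" or not (ins.comment or "").endswith("__vbaStrCmp"):
            continue
        pushes = 0
        for prev in reversed(instrs[:i]):
            if prev.mnemonic != "push":
                break                      # past the argument setup
            pushes += 1
            if prev.comment and not _IMPORT.match(prev.comment):
                found.append((ins.address, prev.comment))
            if pushes == 2:                # __vbaStrCmp takes two arguments
                break
    return found


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    for addr, lit in strcmp_literals(listing):
        print(f"{addr:08X} compares against {lit!r}")
    for addr, mod, sym in called_imports(listing):
        print(f"{addr:08X} calls {mod}.{sym}")
```

Run on the full listing above it reports that the code compares a runtime string against two hard-coded URLs on 192.168.0.10 and then branches on the combined result (`test bx, bx` / `je`), which is exactly the kind of server check worth surfacing from a freshly dumped binary before running it.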