最后有一个循环：
; ---------------------------------------------------------------------------
; Import-resolution loop of the unpacker stub (x86-32; debugger listing, so
; addresses/opcode bytes are fixed and must not be edited).
; ebp = base of the stub's data area. [ebp+2A4], [ebp+2A8], [ebp+2AC] hold
; function pointers that are called below; none of the calls is followed by
; a stack adjustment, so the callees clean their arguments (stdcall-style).
; From the argument shapes they look like GetProcAddress(hModule, name|ordinal),
; a module lookup by name (also called with 0 at 003724FE), and a fallback
; loader (LoadLibraryA-shaped) — not provable from this listing; confirm from
; wherever these slots are filled.
; Register roles:
;   edx = cursor into the stub's private import table. Layout inferred from
;         the byte arithmetic below: [dword IAT RVA][byte len][DLL name][byte]
;         [dword count], then per import [byte 0][dword ordinal][byte] or
;         [byte len][name][byte]. A 0 IAT RVA ends the table.
;   edi = absolute address of the IAT slot being written
;   esi = DLL name pointer, then the module handle returned by the lookup
;   ecx = imports remaining for this DLL; kept on the stack across the calls
;         because ecx/edx are caller-saved (edx is likewise pushed/popped)
; [ebp+2B4] is added to an RVA here and to the OEP RVA at 00372526, so it is
; presumably the image base.
; For analysis: once control reaches 003724B1 every IAT slot in this table
; has been written, which is the earliest point the IAT can be read back.
; ---------------------------------------------------------------------------
00372444 8B3A mov edi,dword ptr ds:[edx]  ; edi = IAT RVA of the next DLL entry
00372446 0BFF or edi,edi  ; 0 = end of table
00372448 75 02 jnz short 0037244C
0037244A EB 65 jmp short 003724B1  ; done: continue after the loop
0037244C 03BD B4020000 add edi,dword ptr ss:[ebp+2B4]  ; edi = RVA + image base (absolute slot address)
00372452 83C2 05 add edx,5  ; skip the dword RVA and a 1-byte length
00372455 8BF2 mov esi,edx  ; esi -> DLL name
00372457 56 push esi
00372458 FF95 A8020000 call dword ptr ss:[ebp+2A8]  ; eax = module handle for the name (presumably GetModuleHandleA)
0037245E 0BC0 or eax,eax
00372460 75 07 jnz short 00372469  ; already mapped -> skip the fallback
00372462 56 push esi
00372463 FF95 AC020000 call dword ptr ss:[ebp+2AC]  ; fallback load (presumably LoadLibraryA); a 0 result is not checked
00372469 0FB64E FF movzx ecx,byte ptr ds:[esi-1]  ; ecx = length byte stored just before the name
0037246D 03F1 add esi,ecx  ; esi -> past the name
0037246F 8BD6 mov edx,esi  ; cursor follows
00372471 8BF0 mov esi,eax  ; esi = module handle for the per-import calls
00372473 42 inc edx  ; skip one separator byte
00372474 8B0A mov ecx,dword ptr ds:[edx]  ; ecx = number of imports for this DLL
00372476 83C2 04 add edx,4
00372479 51 push ecx  ; loop head: save the counter (the API calls clobber ecx)
0037247A 0FB602 movzx eax,byte ptr ds:[edx]  ; tag: 0 = import by ordinal, else = name length
0037247D 0BC0 or eax,eax
0037247F 75 14 jnz short 00372495  ; by-name path
; --- import by ordinal ---
00372481 42 inc edx  ; edx -> ordinal dword
00372482 52 push edx  ; save cursor across the call
00372483 8B02 mov eax,dword ptr ds:[edx]
00372485 50 push eax  ; arg2: ordinal
00372486 56 push esi  ; arg1: module handle
00372487 FF95 A4020000 call dword ptr ss:[ebp+2A4]  ; eax = resolved address (GetProcAddress-shaped)
0037248D 8907 mov dword ptr ds:[edi],eax  ; write the IAT slot; a 0 (unresolved) result is stored unchecked
0037248F 5A pop edx
00372490 83C2 04 add edx,4  ; skip the ordinal dword
00372493 EB 13 jmp short 003724A8
; --- import by name ---
00372495 42 inc edx  ; edx -> name bytes
00372496 52 push edx  ; save cursor across the call
00372497 52 push edx  ; arg2: name
00372498 56 push esi  ; arg1: module handle
00372499 FF95 A4020000 call dword ptr ss:[ebp+2A4]
0037249F 8907 mov dword ptr ds:[edi],eax  ; write the IAT slot (again unchecked)
003724A1 5A pop edx
003724A2 0FB642 FF movzx eax,byte ptr ds:[edx-1]  ; re-read the length byte preceding the name
003724A6 03D0 add edx,eax  ; skip the name
; --- common tail ---
003724A8 42 inc edx  ; skip one byte to the next tag
003724A9 83C7 04 add edi,4  ; next IAT slot
003724AC 59 pop ecx  ; restore the counter
003724AD ^ E2 CA loopd short 00372479  ; ecx--, loop while ecx != 0. The body runs before the test, so a count of 0 is
;                                        not handled: ecx wraps to FFFFFFFF and the loop runs off the end of the table
003724AF ^ EB 93 jmp short 00372444  ; next DLL entry
这里向上是一个循环，向下就到了 OEP。
; ---------------------------------------------------------------------------
; Optional fix-up pass, run only when the dword at [ebp+2BC] equals 1.
; [ebp+2C4] is an ebp-relative offset to a table of 8-byte entries whose
; first dword is an address with its high bit used as a flag (masked off);
; a 0 dword terminates the table. For each entry the code stores
; (ebp+24D) - addr into [addr-4]. That is the shape of rewriting a rel32
; displacement whose next-instruction address is addr so that it targets
; the routine at ebp+24D — inferred from the arithmetic only. The second
; dword of each entry is skipped, not read, here.
; ebx is used as scratch without being saved; acceptable only because the
; stub owns all registers at this point (entry stub, no caller to return to).
; ---------------------------------------------------------------------------
003724B1 8B85 BC020000 mov eax,dword ptr ss:[ebp+2BC]  ; flag: 1 = run this pass
003724B7 83F8 01 cmp eax,1
003724BA 75 27 jnz short 003724E3  ; otherwise skip to the PEB code
003724BC 8BBD C4020000 mov edi,dword ptr ss:[ebp+2C4]
003724C2 03FD add edi,ebp  ; edi = absolute table address (offset is relative to the stub base)
003724C4 8DB5 4D020000 lea esi,dword ptr ss:[ebp+24D]  ; esi = patch target inside the stub
003724CA 8B07 mov eax,dword ptr ds:[edi]  ; eax = entry address; 0 = end of table
003724CC 0BC0 or eax,eax
003724CE 75 02 jnz short 003724D2
003724D0 EB 11 jmp short 003724E3
003724D2 25 FFFFFF7F and eax,7FFFFFFF  ; clear the high-bit flag
003724D7 8BDE mov ebx,esi
003724D9 2BD8 sub ebx,eax  ; ebx = target - addr (a rel32 relative to addr)
003724DB 8958 FC mov dword ptr ds:[eax-4],ebx  ; store into the 4 bytes immediately before addr
003724DE 83C7 08 add edi,8  ; 8-byte entries
003724E1 ^ EB E7 jmp short 003724CA
; ---------------------------------------------------------------------------
; Anti-dump tweak of the loader's record of this image's size.
; fs:[30] is the PEB on NT-family Windows. The chain [eax+C] -> [eax+C] ->
; [eax+20] matches PEB.Ldr -> InLoadOrderModuleList.Flink (first entry =
; this image) -> LDR_DATA_TABLE_ENTRY.SizeOfImage, which is overwritten
; with 1000h. Those field offsets come from the documented NT layout, not
; from this listing — confirm for the target OS version.
; When fs:[30] has its sign bit set (not a user-mode pointer), the other
; path applies a similar-looking write at +50 of a structure found through
; edx after the lookup call at 00372500. Reading edx after a call is outside
; any calling convention; what that structure is, and the meaning of its
; +4/+8/+50 fields, cannot be confirmed from this listing.
; Effect on analysis: tools that take the image size from the loader lists
; (dumpers, import reconstructors) will see a 1000h-byte image and cannot
; scan the IAT rebuilt by the loop above — dump before this code runs, or
; take SizeOfImage from the PE header instead.
; ---------------------------------------------------------------------------
003724E3 64:FF35 30000000 push dword ptr fs:[30]  ; eax = fs:[30] (PEB on NT)
003724EA 58 pop eax
003724EB 85C0 test eax,eax
003724ED 78 0F js short 003724FE  ; sign bit set -> alternate path
003724EF 8B40 0C mov eax,dword ptr ds:[eax+C]  ; presumably PEB.Ldr
003724F2 8B40 0C mov eax,dword ptr ds:[eax+C]  ; presumably InLoadOrderModuleList.Flink (this module's entry)
003724F5 C740 20 00100000 mov dword ptr ds:[eax+20],1000  ; presumably SizeOfImage := 1000h
003724FC EB 1C jmp short 0037251A
003724FE 6A 00 push 0
00372500 FF95 A8020000 call dword ptr ss:[ebp+2A8]  ; module lookup with a 0 argument; eax is ignored, edx is used
00372506 85D2 test edx,edx
00372508 79 10 jns short 0037251A  ; expects a pointer with the sign bit set
0037250A 837A 08 FF cmp dword ptr ds:[edx+8],-1
0037250E 75 0A jnz short 0037251A
00372510 8B52 04 mov edx,dword ptr ds:[edx+4]
00372513 C742 50 00100000 mov dword ptr ds:[edx+50],1000  ; same 1000h value written at +50 of that structure
; ---------------------------------------------------------------------------
; Hand-off to the original entry point (OEP). The jump target is
; [ebp+2C8] + [ebp+2B4], i.e. an RVA plus the same base used for the IAT
; slots above. Nothing is restored before the jump: the OEP runs with
; whatever register/stack state the stub leaves here.
; ---------------------------------------------------------------------------
0037251A 89AD 58020000 mov dword ptr ss:[ebp+258],ebp  ; stash the stub base in its own data area
00372520 8B85 C8020000 mov eax,dword ptr ss:[ebp+2C8]  ; [ebp+2C8] = OEP RVA
00372526 0385 B4020000 add eax,dword ptr ss:[ebp+2B4]  ; + image base -> absolute OEP
0037252C FFE0 jmp eax  ; tail-jump into the unpacked code
此处 eax 是 OEP。
但是用 impt 找不到输入信息，还望高手指教。