Below is my entire unpacking process. I don't know whether OD has a problem or I made a mistake while unpacking. I'm a novice, so could the experienced folks please help me see where exactly it went wrong...
Ignore all exceptions, hide OD.
Set breakpoint bp OpenMutexA, Shift+F9 lands here:
7C80EA1B > 8BFF MOV EDI,EDI ; ntdll.7C930738
7C80EA1D 55 PUSH EBP
7C80EA1E 8BEC MOV EBP,ESP
7C80EA20 51 PUSH ECX
7C80EA21 51 PUSH ECX
7C80EA22 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
7C80EA26 56 PUSH ESI
7C80EA27 0F84 66530300 JE kernel32.7C843D93
Stack:
0012F798 00648DB8 /CALL 到 OpenMutexA 来自 VDC.00648DB2
0012F79C 001F0001 |Access = 1F0001
0012F7A0 00000000 |Inheritable = FALSE
0012F7A4 0012FDD8 \MutexName = "E3C::DA7242FFE9"
0012F7A8 7C930738 ntdll.7C930738
Then Ctrl+G, expression: 00401000
00401000 0000 ADD BYTE PTR DS:[EAX],AL
00401002 0000 ADD BYTE PTR DS:[EAX],AL
00401004 0000 ADD BYTE PTR DS:[EAX],AL
00401006 0000 ADD BYTE PTR DS:[EAX],AL
00401008 0000 ADD BYTE PTR DS:[EAX],AL
0040100A 0000 ADD BYTE PTR DS:[EAX],AL
0040100C 0000 ADD BYTE PTR DS:[EAX],AL
0040100E 0000 ADD BYTE PTR DS:[EAX],AL
00401010 0000 ADD BYTE PTR DS:[EAX],AL
00401012 0000 ADD BYTE PTR DS:[EAX],AL
00401014 0000 ADD BYTE PTR DS:[EAX],AL
00401016 0000 ADD BYTE PTR DS:[EAX],AL
00401018 0000 ADD BYTE PTR DS:[EAX],AL
0040101A 0000 ADD BYTE PTR DS:[EAX],AL
0040101C 0000 ADD BYTE PTR DS:[EAX],AL
It jumps here; then change the above code to:
00401000 60 pushad
00401001 9C pushfd
00401002 68 DCFB1200 push 12FDD8 // the value shown earlier in the stack ; ASCII "E3C::DA7242FFE9"
00401007 33C0 xor eax,eax
00401009 50 push eax
0040100A 50 push eax
0040100B E8 2FDB407C call kernel32.CreateMutexA
00401010 9D popfd
00401011 61 popad
00401012 - E9 04DC407C jmp kernel32.OpenMutexA
Set a new EIP at 00401000 60 pushad, then Shift+F9; after it breaks again, remove the breakpoint.
Continue with breakpoint he GetModuleHandleA+5; Shift+F9 lands here:
7C80B6A6 837D 08 00 CMP DWORD PTR SS:[EBP+8],0
7C80B6AA 74 18 JE SHORT kernel32.7C80B6C4
7C80B6AC FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C80B6AF E8 C0290000 CALL kernel32.7C80E074
7C80B6B4 85C0 TEST EAX,EAX
7C80B6B6 74 08 JE SHORT kernel32.7C80B6C0
7C80B6B8 FF70 04 PUSH DWORD PTR DS:[EAX+4]
7C80B6BB E8 7D2D0000 CALL kernel32.GetModuleHandleW
Below is what the stack shows on each F9:
0012EF20 /0012EF3C
0012EF24 |77F45BD8 返回到 SHLWAPI.77F45BD8 来自 kernel32.GetModuleHandleA
0012EF28 |77F4501C ASCII "KERNEL32.DLL"
0012EF2C |00000001
0012EF30 |77F40000 SHLWAPI.77F40000
0012EF34 |00000000
0012EF38 |0000133E
0012EF3C ]0012EF50
0012EF40 |77F452DD 返回到 SHLWAPI.77F452DD 来自 SHLWAPI.77F45BB5
0012EF44 |00000000
0012EF48 |00000001
0012EF4C |77F40000 SHLWAPI.77F40000
0012EF50 ]0012EF70
0012EF54 |77F45242 返回到 SHLWAPI.77F45242 来自 SHLWAPI.77F45265
0012EF58 |77F40000 SHLWAPI.77F40000
0012F738 /0012F7A0
0012F73C |00647EF3 返回到 VDC.00647EF3 来自 kernel32.GetModuleHandleA
0012F740 |00000000
0012F744 |0012F750
0012F748 |00DF20E6
0012F74C |006C6E04 VDC.006C6E04
0012F750 |00000000
0012F754 |006A1000 ASCII "PDATA000"
0012F758 |0012F700
0012F75C |00E0F536
0012F760 |00E0565D
0012F764 |00688090 VDC.00688090
0012F768 |00688094 VDC.00688094
0012F76C |00681384 VDC.00681384
0012F770 |006C6E04 VDC.006C6E04
...On this F9, OD crashed.
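As an added check (my own example, not code from the original post), the Python below reassembles the hook bytes from the hex column of the patched listing above and decodes each E8/E9 displacement to an absolute address, so the call and jmp targets can be compared with the kernel32 addresses OD reports for CreateMutexA and OpenMutexA. It assumes the byte values exactly as typed in the post; decoding them also makes any slip between the hex column and the mnemonic column visible (the push immediate, for instance).

```python
import struct

# Hand-written OpenMutexA hook from the post, reassembled here from the hex
# column of the OD listing (constructed for this example; displacements verbatim).
PATCH_BASE = 0x00401000
PATCH = bytes.fromhex(
    "60"          # pushad
    "9C"          # pushfd
    "68DCFB1200"  # push imm32  (pointer to the mutex-name string)
    "33C0"        # xor eax,eax
    "50"          # push eax    (bInitialOwner = FALSE)
    "50"          # push eax    (lpMutexAttributes = NULL)
    "E82FDB407C"  # call rel32  (CreateMutexA)
    "9D"          # popfd
    "61"          # popad
    "E904DC407C"  # jmp rel32   (back to the real OpenMutexA)
)

ONE_BYTE = {0x60: "pushad", 0x9C: "pushfd", 0x50: "push eax",
            0x9D: "popfd", 0x61: "popad"}

def decode_patch(code, base):
    """Decode the few opcodes this patch uses and resolve every E8/E9 rel32
    to an absolute address. Returns a list of (address, mnemonic) tuples."""
    insns, i = [], 0
    while i < len(code):
        op, addr = code[i], base + i
        if op in ONE_BYTE:
            insns.append((addr, ONE_BYTE[op])); i += 1
        elif op == 0x68:                                  # push imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            insns.append((addr, f"push 0x{imm:08X}")); i += 5
        elif op == 0x33 and code[i + 1] == 0xC0:          # xor eax,eax
            insns.append((addr, "xor eax,eax")); i += 2
        elif op in (0xE8, 0xE9):                          # call/jmp rel32
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = (addr + 5 + rel) & 0xFFFFFFFF        # relative to next insn
            name = "call" if op == 0xE8 else "jmp"
            insns.append((addr, f"{name} 0x{target:08X}")); i += 5
        else:
            raise ValueError(f"unhandled opcode 0x{op:02X} at 0x{addr:08X}")
    return insns

def branch_targets(code=PATCH, base=PATCH_BASE):
    """Map the address of each call/jmp in the patch to its absolute target."""
    return {a: int(m.split()[1], 16) for a, m in decode_patch(code, base)
            if m.startswith(("call ", "jmp "))}

def encode_rel32(opcode, at, target):
    """Inverse check: bytes for a call (E8) or jmp (E9) at `at` reaching `target`."""
    return bytes([opcode]) + struct.pack("<I", (target - (at + 5)) & 0xFFFFFFFF)

if __name__ == "__main__":
    for addr, text in decode_patch(PATCH, PATCH_BASE):
        print(f"{addr:08X}  {text}")
```

The decoded targets (call to 7C80EB3F, jmp to 7C80EC1B) and the push immediate should be held against the addresses and the stack value OD actually displayed; any difference points at a typo in the patch rather than at the protector.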