UPX packer; after unpacking it shows Borland C++ 1999. When loaded in OD it warns that the entry point is out of range and the code section may be compressed. There are 5 sections in total; the last one is .rsrc, and the 4 before it have blank names.
According to older posts, change BaseOfCode to the first section's voffset
and BaseOfData to the second section's voffset.
What I see is that the program's second section's voffset is the BaseOfCode and the third section's voffset is the BaseOfData, so I don't know whether to change them or not.
After changing them to the BaseOfCode and BaseOfData values found in stud_pe 2.2, it then says it is not a PE file.
Code after loading in OD:
004015C4 > /EB 10 JMP SHORT mlts.004015D6
004015C6 |66:623A BOUND DI,DWORD PTR DS:[EDX]
004015C9 |43 INC EBX
004015CA |2B2B SUB EBP,DWORD PTR DS:[EBX]
004015CC |48 DEC EAX
004015CD |4F DEC EDI
004015CE |4F DEC EDI
004015CF |4B DEC EBX
004015D0 |90 NOP
004015D1 -|E9 98604F00 JMP 008F766E
004015D6 \A1 8B604F00 MOV EAX,DWORD PTR DS:[4F608B]
004015DB C1E0 02 SHL EAX,2
004015DE A3 8F604F00 MOV DWORD PTR DS:[4F608F],EAX
004015E3 52 PUSH EDX
004015E4 6A 00 PUSH 0
004015E6 E8 E53C0F00 CALL <JMP.&KERNEL32.GetModuleHandleA>
004015EB 8BD0 MOV EDX,EAX
004015ED E8 D2440E00 CALL mlts.004E5AC4
004015F2 5A POP EDX
004015F3 E8 30440E00 CALL mlts.004E5A28
004015F8 E8 07450E00 CALL mlts.004E5B04
004015FD 6A 00 PUSH 0
004015FF E8 C05A0E00 CALL mlts.004E70C4
00401604 59 POP ECX
00401605 68 34604F00 PUSH mlts.004F6034
0040160A 6A 00 PUSH 0
0040160C E8 BF3C0F00 CALL <JMP.&KERNEL32.GetModuleHandleA>
00401611 A3 93604F00 MOV DWORD PTR DS:[4F6093],EAX
00401616 6A 00 PUSH 0
00401618 E9 9FE80E00 JMP mlts.004EFEBC
0040161D > E9 EE5A0E00 JMP mlts.004E7110
00401622 33C0 XOR EAX,EAX
00401624 A0 7D604F00 MOV AL,BYTE PTR DS:[4F607D]
00401629 C3 RETN
0040162A A1 93604F00 MOV EAX,DWORD PTR DS:[4F6093]
0040162F C3 RETN
00401630 60 PUSHAD
00401631 BB 0050B0BC MOV EBX,BCB05000
00401636 53 PUSH EBX
00401637 68 AD0B0000 PUSH 0BAD
0040163C C3 RETN
0040163D B9 B4000000 MOV ECX,0B4
00401642 0BC9 OR ECX,ECX
00401644 74 4D JE SHORT mlts.00401693
00401646 833D 8B604F00 0>CMP DWORD PTR DS:[4F608B],0
0040164D 73 0A JNB SHORT mlts.00401659
0040164F B8 FE000000 MOV EAX,0FE
00401654 E8 D7FFFFFF CALL mlts.00401630
00401659 B9 B4000000 MOV ECX,0B4
0040165E 51 PUSH ECX
0040165F 6A 08 PUSH 8
00401661 E8 823C0F00 CALL <JMP.&KERNEL32.GetProcessHeap>
00401666 50 PUSH EAX
00401667 E8 0C3D0F00 CALL <JMP.&KERNEL32.HeapAlloc>
0040166C 0BC0 OR EAX,EAX
0040166E 75 0A JNZ SHORT mlts.0040167A
00401670 B8 FD000000 MOV EAX,0FD
00401675 E8 B6FFFFFF CALL mlts.00401630
0040167A 50 PUSH EAX
0040167B 50 PUSH EAX
0040167C FF35 8B604F00 PUSH DWORD PTR DS:[4F608B]
00401682 E8 69EA0E00 CALL mlts.004F00F0
00401687 FF35 8B604F00 PUSH DWORD PTR DS:[4F608B]
0040168D E8 72EA0E00 CALL mlts.004F0104
00401692 5F POP EDI
00401693 C3 RETN
00401694 B9 B4000000 MOV ECX,0B4
00401699 0BC9 OR ECX,ECX
0040169B 74 19 JE SHORT mlts.004016B6
0040169D E8 26EA0E00 CALL mlts.004F00C8
004016A2 A3 8B604F00 MOV DWORD PTR DS:[4F608B],EAX
004016A7 83F8 00 CMP EAX,0
004016AA ^ 73 91 JNB SHORT mlts.0040163D
004016AC B8 FC000000 MOV EAX,0FC
004016B1 E8 7AFFFFFF CALL mlts.00401630
004016B6 C3 RETN
004016B7 833D 8B604F00 0>CMP DWORD PTR DS:[4F608B],0
004016BE 72 28 JB SHORT mlts.004016E8
004016C0 FF35 8B604F00 PUSH DWORD PTR DS:[4F608B]
004016C6 E8 15EA0E00 CALL mlts.004F00E0
004016CB 0BC0 OR EAX,EAX
004016CD 74 19 JE SHORT mlts.004016E8
004016CF 50 PUSH EAX
004016D0 6A 08 PUSH 8
004016D2 E8 113C0F00 CALL <JMP.&KERNEL32.GetProcessHeap>
004016D7 50 PUSH EAX
004016D8 E8 A13C0F00 CALL <JMP.&KERNEL32.HeapFree>
004016DD FF35 8B604F00 PUSH DWORD PTR DS:[4F608B]
004016E3 E8 24EA0E00 CALL mlts.004F010C
004016E8 C3 RETN
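As an added example (not from the poster or any tool mentioned above), a small Python script that reads exactly the fields this thread is about (AddressOfEntryPoint, BaseOfCode, BaseOfData and the section table), reports which section the entry point falls in (the check behind OD's "entry point out of range" warning), and rewrites the two Base fields the way a PE editor would. It runs against a constructed minimal PE32 header that mimics the described layout (four unnamed sections then .rsrc, entry 0x004015C4); the section sizes and the 224-byte optional header are assumptions.

```python
import struct

def _opt_offset(data):
    """Offset of the optional header: e_lfanew + 4-byte PE signature + 20-byte COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 24

def parse_pe(data):
    """Entry RVA, BaseOfCode, BaseOfData and the sections as (name, VirtualAddress, VirtualSize)."""
    opt = _opt_offset(data)
    nsec, opt_size = struct.unpack_from("<H12xH", data, opt - 18)  # NumberOfSections, SizeOfOptionalHeader
    entry, base_code, base_data = struct.unpack_from("<16xIII", data, opt)  # PE32 offsets 16, 20, 24
    secs = [struct.unpack_from("<8sII", data, opt + opt_size + 40 * i) for i in range(nsec)]
    return {"entry": entry, "base_of_code": base_code, "base_of_data": base_data,
            "sections": [(n.rstrip(b"\0").decode("ascii", "replace"), va, vs) for n, vs, va in secs]}

def section_containing(info, rva):
    """Section (name, va, vsize) whose virtual range covers rva, else None (OD's entry-point warning)."""
    for sec in info["sections"]:
        if sec[1] <= rva < sec[1] + sec[2]:
            return sec
    return None

def patch_bases(data, base_code, base_data):
    """Copy of the image with BaseOfCode/BaseOfData overwritten, the edit a PE editor performs."""
    out = bytearray(data)
    struct.pack_into("<II", out, _opt_offset(data) + 20, base_code, base_data)
    return bytes(out)

def build_sample_pe(entry, base_code, base_data, sections):
    """Constructed minimal PE32 header (not the poster's file) so the checks can run offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 5, 0, 0, 0, 0, entry, base_code, base_data, 0x400000)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, 0x60000020) for n, va, vs in sections)
    return dos + coff + opt.ljust(224, b"\0") + table

# Sample layout mimicking the post: four unnamed UPX sections then .rsrc, entry RVA 0x15C4
# (0x004015C4 at ImageBase 0x400000), BaseOfCode/BaseOfData equal to the 2nd and 3rd section VAs.
SAMPLE = build_sample_pe(0x15C4, 0xF1000, 0x101000, [(b"", 0x1000, 0xF0000), (b"", 0xF1000, 0x10000),
    (b"", 0x101000, 0x5000), (b"", 0x106000, 0x1000), (b".rsrc", 0x107000, 0x2000)])

if __name__ == "__main__":
    info = parse_pe(SAMPLE)  # then apply the old-thread advice: VAs of sections 1 and 2
    print(section_containing(info, info["entry"]), parse_pe(patch_bases(SAMPLE, 0x1000, 0xF1000)))
```

Pointing `parse_pe` at the real dump shows which section holds 0x15C4 and whether the current Base values even coincide with a section start; `patch_bases` leaves the MZ/PE signatures untouched, so a "not a PE file" result after editing points at bytes other than these two fields.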