I got hold of an unpacker; checking it with PEiD reports dbpe 2.x.
But after tracing it in OD, it doesn't feel like dbpe to me (as I remember it, dbpe's anti-debugging is pretty brutal, hard-rebooting the machine at the slightest provocation).
The IAT encryption looks rather nice. After reaching the OEP the IAT looks like this; the packer code decrypts each API from its index number:
7FF8AC4B 68 63000000 PUSH 63
7FF8AC50 68 B9D3F87F PUSH 7FF8D3B9
7FF8AC55 C3 RETN
7FF8AC56 68 64000000 PUSH 64
7FF8AC5B 68 B9D3F87F PUSH 7FF8D3B9
7FF8AC60 C3 RETN
7FF8AC61 68 65000000 PUSH 65
7FF8AC66 68 B9D3F87F PUSH 7FF8D3B9
7FF8AC6B C3 RETN
7FF8AC6C 68 66000000 PUSH 66
7FF8AC71 68 B9D3F87F PUSH 7FF8D3B9
7FF8AC76 C3 RETN
7FF8AC77 68 67000000 PUSH 67
7FF8AC7C 68 B9D3F87F PUSH 7FF8D3B9
7FF8AC81 C3 RETN
7FF8AC82 68 68000000 PUSH 68
7FF8AC87 68 B9D3F87F PUSH 7FF8D3B9
7FF8AC8C C3 RETN
7FF8AC8D 68 69000000 PUSH 69
7FF8AC92 68 B9D3F87F PUSH 7FF8D3B9
7FF8AC97 C3 RETN
7FF8AC98 68 6A000000 PUSH 6A
7FF8AC9D 68 B9D3F87F PUSH 7FF8D3B9
7FF8ACA2 C3 RETN
7FF8ACA3 68 6B000000 PUSH 6B
7FF8ACA8 68 B9D3F87F PUSH 7FF8D3B9
7FF8ACAD C3 RETN
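As an added example (my own code, not part of the original post or of the packer), here is a small Python script that turns the listing above back into raw bytes and then scans those bytes for the stub shape shown: PUSH imm32 (the API index), PUSH imm32 (the address of the packer's resolver), RETN. Grouping the stubs by resolver address and checking that the indices run consecutively is the first step in understanding such an IAT scheme before rebuilding the import table; the listing bytes are taken from the post, the start address 0x7FF8AC4B is the first address in it, and the scanner itself generalizes to any code dump with this 11-byte pattern.

```python
import re
import struct

# Sample input constructed from the listing in the post: address, opcode bytes, mnemonic.
LISTING = """
7FF8AC4B 68 63000000 PUSH 63
7FF8AC50 68 B9D3F87F PUSH 7FF8D3B9
7FF8AC55 C3 RETN
7FF8AC56 68 64000000 PUSH 64
7FF8AC5B 68 B9D3F87F PUSH 7FF8D3B9
7FF8AC60 C3 RETN
7FF8AC61 68 65000000 PUSH 65
7FF8AC66 68 B9D3F87F PUSH 7FF8D3B9
7FF8AC6B C3 RETN
7FF8AC6C 68 66000000 PUSH 66
7FF8AC71 68 B9D3F87F PUSH 7FF8D3B9
7FF8AC76 C3 RETN
7FF8AC77 68 67000000 PUSH 67
7FF8AC7C 68 B9D3F87F PUSH 7FF8D3B9
7FF8AC81 C3 RETN
7FF8AC82 68 68000000 PUSH 68
7FF8AC87 68 B9D3F87F PUSH 7FF8D3B9
7FF8AC8C C3 RETN
7FF8AC8D 68 69000000 PUSH 69
7FF8AC92 68 B9D3F87F PUSH 7FF8D3B9
7FF8AC97 C3 RETN
7FF8AC98 68 6A000000 PUSH 6A
7FF8AC9D 68 B9D3F87F PUSH 7FF8D3B9
7FF8ACA2 C3 RETN
7FF8ACA3 68 6B000000 PUSH 6B
7FF8ACA8 68 B9D3F87F PUSH 7FF8D3B9
7FF8ACAD C3 RETN
"""

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]+$")

# PUSH imm32 (0x68) / PUSH imm32 (0x68) / RETN (0xC3): 11 bytes per stub.
STUB = re.compile(rb"\x68(.{4})\x68(.{4})\xC3", re.DOTALL)


def bytes_from_listing(text):
    """Rebuild the contiguous code bytes from a debugger listing.

    Returns (base_address, bytes). Raises ValueError if the listing has a gap,
    so a truncated or mis-copied dump is caught instead of silently shifting offsets.
    """
    base = None
    buf = bytearray()
    for line in text.strip().splitlines():
        parts = line.split()
        addr = int(parts[0], 16)
        if base is None:
            base = addr
        if addr != base + len(buf):
            raise ValueError("listing is not contiguous at %08X" % addr)
        # Opcode bytes follow the address until the first non-hex token (the mnemonic).
        for tok in parts[1:]:
            if not HEX_GROUP.match(tok):
                break
            buf += bytes.fromhex(tok)
    return base, bytes(buf)


def scan_iat_stubs(code, base):
    """Yield (stub_address, api_index, resolver_address) for every stub found."""
    for m in STUB.finditer(code):
        api_index = struct.unpack("<I", m.group(1))[0]
        resolver = struct.unpack("<I", m.group(2))[0]
        yield (base + m.start(), api_index, resolver)


def resolver_table(stubs):
    """Group stubs by resolver address: {resolver: [(stub_address, api_index), ...]}."""
    table = {}
    for addr, idx, resolver in stubs:
        table.setdefault(resolver, []).append((addr, idx))
    return table


def indices_are_consecutive(entries):
    """True if the API indices of one resolver's stubs form an unbroken run."""
    idx = [i for _, i in entries]
    return idx == list(range(idx[0], idx[0] + len(idx)))


if __name__ == "__main__":
    base, code = bytes_from_listing(LISTING)
    stubs = list(scan_iat_stubs(code, base))
    for resolver, entries in resolver_table(stubs).items():
        print("resolver %08X: %d stubs, indices %02X..%02X, consecutive=%s" % (
            resolver, len(entries), entries[0][1], entries[-1][1],
            indices_are_consecutive(entries)))
```

Run on the listing it reports a single resolver at 7FF8D3B9 serving nine stubs with indices 63..6B, which is exactly what the listing shows; on a full dump, each distinct resolver address and each break in the index sequence is a place to look more closely.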