[Old post] [Discussion] Problems unpacking Themida/WinLicense V1.8.2.0, please advise
Posted on: 2008-7-7 11:38
Loaded it in OD; it stops at:
0119E014 > B8 00000000 mov eax, 0
0119E019 60 pushad
0119E01A 0BC0 or eax, eax
0119E01C 74 68 je short 0119E086
0119E01E E8 00000000 call 0119E023
0119E023 58 pop eax
0119E024 05 53000000 add eax, 53
0119E029 8038 E9 cmp byte ptr [eax], 0E9
0119E02C 75 13 jnz short 0119E041
0119E02E 61 popad
0119E02F EB 45 jmp short 0119E076
0119E031 DB2D 37E01901 fld tbyte ptr [119E037]
0119E037 FFFF ??? ; unknown command
0119E039 FFFF ??? ; unknown command
0119E03B FFFF ??? ; unknown command
0119E03D FFFF ??? ; unknown command
Ran the unpacking script:
0071976C 6A 28 push 28 ; the script finishes here
0071976E 68 101D7500 push 00751D10
00719773 E8 98030000 call 00719B10
00719778 33FF xor edi, edi
0071977A 57 push edi
0071977B FF15 18A07200 call dword ptr [72A018]
00719781 66:8138 4D5A cmp word ptr [eax], 5A4D
00719786 75 1F jnz short 007197A7
00719788 8B48 3C mov ecx, dword ptr [eax+3C]
0071978B 03C8 add ecx, eax
0071978D 8139 50450000 cmp dword ptr [ecx], 4550
00719793 75 12 jnz short 007197A7
00719795 0FB741 18 movzx eax, word ptr [ecx+18]
00719799 3D 0B010000 cmp eax, 10B
0071979E 74 1F je short 007197BF
007197A0 3D 0B020000 cmp eax, 20B
007197A5 74 05 je short 007197AC
007197A7 897D E4 mov dword ptr [ebp-1C], edi
007197AA EB 27 jmp short 007197D3
007197AC 83B9 84000000 0>cmp dword ptr [ecx+84], 0E
007197B3 ^ 76 F2 jbe short 007197A7
007197B5 33C0 xor eax, eax
007197B7 39B9 F8000000 cmp dword ptr [ecx+F8], edi
007197BD EB 0E jmp short 007197CD
007197BF 8379 74 0E cmp dword ptr [ecx+74], 0E
007197C3 ^ 76 E2 jbe short 007197A7
007197C5 33C0 xor eax, eax
007197C7 39B9 E8000000 cmp dword ptr [ecx+E8], edi
007197CD 0F95C0 setne al
007197D0 8945 E4 mov dword ptr [ebp-1C], eax
007197D3 897D FC mov dword ptr [ebp-4], edi
007197D6 6A 01 push 1
007197D8 FF15 60A37200 call dword ptr [72A360] ; MSVCR71.__set_app_type
007197DE 59 pop ecx
007197DF 830D E0BA1901 F>or dword ptr [119BAE0], FFFFFFFF
007197E6 830D E4BA1901 F>or dword ptr [119BAE4], FFFFFFFF
// looks a lot like VC6 entry code
007197ED FF15 5CA37200 call dword ptr [72A35C] ; MSVCR71.__p__fmode
007197F3 8B0D D8BA1901 mov ecx, dword ptr [119BAD8]
007197F9 8908 mov dword ptr [eax], ecx
007197FB FF15 58A37200 call dword ptr [72A358] ; MSVCR71.__p__commode
Take a VC++ program for reference:
00401F10 D> 55 push ebp
00401F11 8BEC mov ebp,esp
00401F13 6A FF push -1
00401F15 68 E8394000 push 4039E8 ①
00401F1A 68 96204000 push 402096 ②
00401F1F 64:A1 00000000 mov eax,dword ptr fs:[0]
00401F25 50 push eax
00401F26 64:8925 00000000 mov dword ptr fs:[0],esp
00401F2D 83EC 68 sub esp,68
00401F30 53 push ebx
00401F31 56 push esi
00401F32 57 push edi ; ntdll.7C930738
00401F33 8965 E8 mov dword ptr ss:[ebp-18],esp
00401F36 33DB xor ebx,ebx
00401F38 895D FC mov dword ptr ss:[ebp-4],ebx
00401F3B 6A 02 push 2
00401F3D FF15 4C334000 call dword ptr ds:[40334C] ; msvcrt.__set_app_type
00401F43 59 pop ecx ; kernel32.7C816FD7
00401F44 830D 6C514000 FF or dword ptr ds:[40516C],FFFFFFFF
00401F4B 830D 70514000 FF or dword ptr ds:[405170],FFFFFFFF
00401F52 FF15 48334000 call dword ptr ds:[403348] ; msvcrt.__p__fmode
Determined OEP: 007197AB
Next I start repairing the OEP. While repairing the OEP there are two push values that have to be found on the stack.
I have read many articles, but they all just give the values from the stack directly without explaining how to find them there, so I would like to ask the experts:
how do I find the values ① and ② on the stack?
Is my unpacking process correct? If there are mistakes, please point them out. Thanks.
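As an added example (not part of the original post), here is a Python re-implementation of the PE-header check that the MSVCR71 CRT stub at 0071977B..007197D3 performs: after the call through [72A018] (assumed here to be GetModuleHandle(NULL); the listing does not name it) the stub verifies the MZ and PE signatures, reads OptionalHeader.Magic (0x10B = PE32, 0x20B = PE32+), requires NumberOfRvaAndSizes > 14 and then tests data directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) to decide whether the image is a managed executable. The header builder constructs a minimal, fake header with just the fields the stub reads; it is not a real file.

```python
import struct

# Data-directory slot the stub tests: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14.
# For PE32 (Magic 0x10B) the stub reads NumberOfRvaAndSizes at [nt+0x74] and
# directory 14 at [nt+0xE8]; for PE32+ (Magic 0x20B) at [nt+0x84] / [nt+0xF8].
STUB_OFFSETS = {0x10B: (0x74, 0xE8), 0x20B: (0x84, 0xF8)}


def is_managed_image(data: bytes) -> bool:
    """Mirror of the stub: True means it would store 1 in [ebp-1C]."""
    if len(data) < 0x40 or data[:2] != b"MZ":            # cmp word ptr [eax], 5A4D
        return False
    nt = struct.unpack_from("<I", data, 0x3C)[0]          # mov ecx,[eax+3C]; add ecx,eax
    if data[nt:nt + 4] != b"PE\0\0":                      # cmp dword ptr [ecx], 4550
        return False
    magic = struct.unpack_from("<H", data, nt + 0x18)[0]  # movzx eax, word ptr [ecx+18]
    if magic not in STUB_OFFSETS:                         # neither 10B nor 20B
        return False
    count_off, dir14_off = STUB_OFFSETS[magic]
    if nt + dir14_off + 4 > len(data):                    # truncated header: treat as native
        return False
    if struct.unpack_from("<I", data, nt + count_off)[0] <= 0xE:  # jbe -> not managed
        return False
    # cmp dword ptr [ecx+E8/F8], edi (edi == 0); setne al
    return struct.unpack_from("<I", data, nt + dir14_off)[0] != 0


def build_header(magic: int, com_rva: int, n_dirs: int = 16) -> bytes:
    """Constructed minimal header containing only the fields the stub reads."""
    buf = bytearray(0x140)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)               # e_lfanew -> NT headers at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x40 + 0x18, magic)       # OptionalHeader.Magic
    count_off, dir14_off = STUB_OFFSETS[magic]
    struct.pack_into("<I", buf, 0x40 + count_off, n_dirs)   # NumberOfRvaAndSizes
    struct.pack_into("<I", buf, 0x40 + dir14_off, com_rva)  # COM descriptor VirtualAddress
    return bytes(buf)


if __name__ == "__main__":
    native = build_header(0x10B, com_rva=0)
    managed = build_header(0x10B, com_rva=0x2008)
    print("native PE32 :", is_managed_image(native))    # False
    print("managed PE32:", is_managed_image(managed))   # True
```

Running the same check on the dumped file is a quick way to confirm that the code following the script's stop point is the unmodified VS2003 CRT start-up stub rather than packer code.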