This packer is simple, it's FSG... just tracing through it does the job... I noticed this trick while looking at it in OD (not sure whether it's valid), so please have a look, everyone.
00404B58 > BE A4014000 mov esi,1_33.004001A4 after loading we stop here; ignore it and scroll down
00404B5D AD lods dword ptr ds:[esi]
00404B5E 93 xchg eax,ebx
00404B5F AD lods dword ptr ds:[esi]
00404B60 97 xchg eax,edi
00404B61 AD lods dword ptr ds:[esi]
00404B62 56 push esi
00404B63 96 xchg eax,esi
00404B64 B2 80 mov dl,80
00404B66 A4 movs byte ptr es:[edi],byte ptr ds:[>
00404B67 B6 80 mov dh,80
00404B69 FF13 call dword ptr ds:[ebx]
00404B6B ^ 73 F9 jnb short 1_33.00404B66
00404B6D 33C9 xor ecx,ecx
00404B6F FF13 call dword ptr ds:[ebx]
00404B71 73 16 jnb short 1_33.00404B89
00404B73 33C0 xor eax,eax
00404B75 FF13 call dword ptr ds:[ebx]
00404B77 73 1F jnb short 1_33.00404B98
00404B79 B6 80 mov dh,80
00404B7B 41 inc ecx
00404B7C B0 10 mov al,10
00404B7E FF13 call dword ptr ds:[ebx]
00404B80 12C0 adc al,al
00404B82 ^ 73 FA jnb short 1_33.00404B7E
00404B84 75 3C jnz short 1_33.00404BC2
00404B86 AA stos byte ptr es:[edi]
00404B87 ^ EB E0 jmp short 1_33.00404B69
00404B89 FF53 08 call dword ptr ds:[ebx+8]
00404B8C 02F6 add dh,dh
00404B8E 83D9 01 sbb ecx,1
00404B91 75 0E jnz short 1_33.00404BA1
00404B93 FF53 04 call dword ptr ds:[ebx+4]
00404B96 EB 26 jmp short 1_33.00404BBE
00404B98 AC lods byte ptr ds:[esi]
00404B99 D1E8 shr eax,1
00404B9B 74 2F je short 1_33.00404BCC
00404B9D 13C9 adc ecx,ecx
00404B9F EB 1A jmp short 1_33.00404BBB
00404BA1 91 xchg eax,ecx
00404BA2 48 dec eax
00404BA3 C1E0 08 shl eax,8
00404BA6 AC lods byte ptr ds:[esi]
00404BA7 FF53 04 call dword ptr ds:[ebx+4]
00404BAA 3D 007D0000 cmp eax,7D00
00404BAF 73 0A jnb short 1_33.00404BBB
00404BB1 80FC 05 cmp ah,5
00404BB4 73 06 jnb short 1_33.00404BBC
00404BB6 83F8 7F cmp eax,7F
00404BB9 77 02 ja short 1_33.00404BBD
00404BBB 41 inc ecx
00404BBC 41 inc ecx
00404BBD 95 xchg eax,ebp
00404BBE 8BC5 mov eax,ebp
00404BC0 B6 00 mov dh,0
00404BC2 56 push esi
00404BC3 8BF7 mov esi,edi
00404BC5 2BF0 sub esi,eax
00404BC7 F3:A4 rep movs byte ptr es:[edi],byte ptr >
00404BC9 5E pop esi
00404BCA ^ EB 9D jmp short 1_33.00404B69
00404BCC 8BD6 mov edx,esi
00404BCE 5E pop esi
00404BCF AD lods dword ptr ds:[esi]
00404BD0 48 dec eax
00404BD1 74 0A je short 1_33.00404BDD
00404BD3 79 02 jns short 1_33.00404BD7
00404BD5 AD lods dword ptr ds:[esi]
00404BD6 50 push eax
00404BD7 56 push esi
00404BD8 8BF2 mov esi,edx
00404BDA 97 xchg eax,edi
00404BDB ^ EB 87 jmp short 1_33.00404B64
00404BDD AD lods dword ptr ds:[esi]
00404BDE 93 xchg eax,ebx
00404BDF 5E pop esi
00404BE0 46 inc esi
00404BE1 AD lods dword ptr ds:[esi]
00404BE2 97 xchg eax,edi
00404BE3 56 push esi
00404BE4 FF13 call dword ptr ds:[ebx]
00404BE6 95 xchg eax,ebp
00404BE7 AC lods byte ptr ds:[esi]
00404BE8 84C0 test al,al
00404BEA ^ 75 FB jnz short 1_33.00404BE7
00404BEC FE0E dec byte ptr ds:[esi]
00404BEE ^ 74 F0 je short 1_33.00404BE0
00404BF0 79 05 jns short 1_33.00404BF7
00404BF2 46 inc esi
00404BF3 AD lods dword ptr ds:[esi]
00404BF4 50 push eax
00404BF5 EB 09 jmp short 1_33.00404C00
00404BF7 FE0E dec byte ptr ds:[esi]
00404BF9 - 0F84 61C5FFFF je 1_33.00401160 scroll down to here, the real OEP; friends, what should I do once I get here?
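Added example (editor's code, not the poster's OD dump and not FSG's own code): the last two instructions of the FSG 2.0 stub above are `dec byte ptr [esi]` followed by `je rel32`, and the `je` target is what OD shows as `1_33.00401160`. The script below reproduces that arithmetic on raw bytes: it scans a dump of the stub for the `FE 0E 0F 84` tail signature and decodes the rel32 displacement (target = VA of the next instruction + signed displacement), and it also decodes the short `jnb`/`jmp` rel8 forms seen in the listing. The sample bytes are copied from the listing (00404BDD..00404BFE); the stub VA and expected OEP therefore come from that listing and are assumptions about this particular sample, not a general FSG constant.

```python
"""Decode the OEP jump at the tail of an FSG 2.0 unpacking stub.

Editor-added example; not the poster's OD dump and not FSG's own code.
The sample bytes are constructed from the listing above (00404BDD..00404BFE),
so the stub VA and the expected target (00401160) are assumptions taken from
that listing rather than from a live process.
"""
import struct
from typing import List, Optional

# FSG 2.0 stub tail:  FE 0E   dec byte ptr [esi]
#                     0F 84   je rel32   -> lands on the original entry point
FSG_TAIL_SIG = bytes.fromhex("FE0E0F84")

# Constructed sample: opcode bytes of 00404BDD..00404BFE copied from the listing.
STUB_TAIL_VA = 0x00404BDD
STUB_TAIL = bytes.fromhex(
    "AD 93 5E 46 AD 97 56 FF13 95 AC 84C0 75FB FE0E 74F0 7905 46 AD 50 EB09 "
    "FE0E 0F8461C5FFFF"
)


def jcc_target(insn_va: int, insn: bytes) -> int:
    """Absolute target of a relative jump encoded in `insn` located at `insn_va`.

    Handles Jcc rel8 (70..7F), JMP rel8 (EB), Jcc rel32 (0F 80..8F) and
    JMP rel32 (E9). Target = VA of the next instruction + signed displacement,
    wrapped to 32 bits as the CPU does.
    """
    op = insn[0]
    if op == 0x0F and len(insn) == 6 and 0x80 <= insn[1] <= 0x8F:
        rel = struct.unpack_from("<i", insn, 2)[0]
    elif op == 0xE9 and len(insn) == 5:
        rel = struct.unpack_from("<i", insn, 1)[0]
    elif (0x70 <= op <= 0x7F or op == 0xEB) and len(insn) == 2:
        rel = struct.unpack_from("<b", insn, 1)[0]
    else:
        raise ValueError(f"not a relative jump: {insn.hex()}")
    return (insn_va + len(insn) + rel) & 0xFFFFFFFF


def find_fsg_oep_candidates(stub: bytes, stub_va: int) -> List[int]:
    """Decode every 'dec byte ptr [esi]; je rel32' found in `stub`.

    More than one hit means the 4-byte signature also matched packed data;
    check each candidate against the image's code section before trusting it.
    """
    targets: List[int] = []
    off = stub.find(FSG_TAIL_SIG)
    while off >= 0:
        if off + 8 <= len(stub):                 # need the full 6-byte je
            je_va = stub_va + off + 2            # 0F 84 follows the 2-byte dec
            targets.append(jcc_target(je_va, stub[off + 2:off + 8]))
        off = stub.find(FSG_TAIL_SIG, off + 1)
    return targets


def find_fsg_oep(stub: bytes, stub_va: int) -> Optional[int]:
    """Return the OEP when exactly one tail signature is present, else None."""
    cands = find_fsg_oep_candidates(stub, stub_va)
    return cands[0] if len(cands) == 1 else None


if __name__ == "__main__":
    oep = find_fsg_oep(STUB_TAIL, STUB_TAIL_VA)
    print(f"FSG tail found, je target (OEP): {oep:08X}" if oep else "no unique tail")
    # The two short jumps from the listing, decoded the same way:
    print(f"{jcc_target(0x00404B6B, bytes.fromhex('73F9')):08X}")  # jnb short
    print(f"{jcc_target(0x00404BCA, bytes.fromhex('EB9D')):08X}")  # jmp short
```

The decoded value is the same address OD prints in the operand of the `je` at 00404BF9; the script only makes that computation reproducible over a raw byte dump, and the multi-candidate check covers the case where the signature happens to occur inside compressed data.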