004B4BC4 /$ 833D 00366100 01 cmp dword ptr [613600], 1
004B4BCB |. 75 05 jnz short 004B4BD2
004B4BCD |. E8 907D0000 call 004BC962
004B4BD2 |> FF7424 04 push dword ptr [esp+4]
004B4BD6 |. E8 0F7C0000 call 004BC7EA
004B4BDB |. 68 FF000000 push 0FF
004B4BE0 |. E8 95320000 call 004B7E7A
004B4BE5 |. 59 pop ecx
004B4BE6 |. 59 pop ecx
004B4BE7 \. C3 retn
********************************* 这里应该是OEP的真正地址 :)
004B4BE8 52 db 52 ; CHAR 'R'
004B4BE9 97 db 97
004B4BEA 4A db 4A ; CHAR 'J'
004B4BEB 03 db 03
004B4BEC 75 db 75 ; CHAR 'u'
004B4BED 90 nop
004B4BEE 16 db 16
004B4BEF 32 db 32 ; CHAR '2'
004B4BF0 F5 db F5
004B4BF1 9A db 9A
004B4BF2 FA db FA
004B4BF3 B4 db B4
004B4BF4 B3 db B3
004B4BF5 03 db 03
004B4BF6 AC db AC
004B4BF7 39 db 39 ; CHAR '9'
004B4BF8 F4 db F4
004B4BF9 63 db 63 ; CHAR 'c'
004B4BFA 20 db 20 ; CHAR ' '
004B4BFB 3B db 3B ; CHAR ';'
004B4BFC ED db ED
004B4BFD F6 db F6
004B4BFE 5E db 5E ; CHAR '^'
004B4BFF 74 db 74 ; CHAR 't'
004B4C00 1F db 1F
004B4C01 BA db BA
004B4C02 6F db 6F ; CHAR 'o'
004B4C03 23 db 23 ; CHAR '#'
004B4C04 14 db 14
004B4C05 E4 db E4
004B4C06 F6 db F6
004B4C07 07 db 07
004B4C08 06 db 06
004B4C09 35 db 35 ; CHAR '5'
004B4C0A 5C db 5C ; CHAR '\'
004B4C0B 4A db 4A ; CHAR 'J'
004B4C0C DA db DA
004B4C0D 70 db 70 ; CHAR 'p'
004B4C0E 89 db 89
004B4C0F 17 db 17
004B4C10 DA db DA
004B4C11 . 3BFF cmp edi, edi
004B4C13 . D5 09 aad 9
004B4C15 . B0 E9 mov al, 0E9
****************************************** 这里以下是正常的VC7代码,前面的被stolen了,
004B4C17 . 8B46 04 mov eax, dword ptr [esi+4]
004B4C1A . A3 20366100 mov dword ptr [613620], eax
004B4C1F . 8B56 08 mov edx, dword ptr [esi+8]
004B4C22 . 8915 24366100 mov dword ptr [613624], edx
004B4C28 . 8B76 0C mov esi, dword ptr [esi+C]
004B4C2B . 81E6 FF7F0000 and esi, 7FFF
004B4C31 . 8935 18366100 mov dword ptr [613618], esi
004B4C37 . 83F9 02 cmp ecx, 2
004B4C3A . 74 0C je short 004B4C48
找一个VC7的程序来:
00618693 6A 60 push 60
00618695 68 E8156C00 push 006C15E8
0061869A E8 81420000 call 0061C920
0061869F BF 94000000 mov edi, 94
006186A4 8BC7 mov eax, edi
006186A6 E8 35E3FFFF call 006169E0
006186AB 8965 E8 mov dword ptr [ebp-18], esp
006186AE 8BF4 mov esi, esp
006186B0 893E mov dword ptr [esi], edi
006186B2 56 push esi
006186B3 FF15 88D06900 call dword ptr [69D088]
006186B9 8B4E 10 mov ecx, dword ptr [esi+10]
006186BC 890D FC917200 mov dword ptr [7291FC], ecx
*******补以上的代码
006186C2 8B46 04 mov eax, dword ptr [esi+4]
006186C5 A3 08927200 mov dword ptr [729208], eax
006186CA 8B56 08 mov edx, dword ptr [esi+8]
006186CD 8915 0C927200 mov dword ptr [72920C], edx
006186D3 8B76 0C mov esi, dword ptr [esi+C]
问题1: 我试着补入,但是补到最后空间不够了,是怎么一回事啊?
问题2:这应该是VC7的程序吧,我是根据这一段 33 C0 39 B1 E8 00 00 00 0F 95 C0 89 45 E4 6A 01汇编代码 找到的这段代码? 如果是,为什么空间不够我补代码的?
[课程]Android-CTF解题方法汇总!
