vfp&exeNc 9.0 DEMO: unpacking down to the third layer
004CF920 > 60 PUSHAD
; entry point (where the debugger loads)
004CF921 E8 01000000 CALL vfpenc9.004CF927
004CF926 6358 E8 ARPL WORD PTR DS:[EAX-18],BX
004CF929 0100 ADD DWORD PTR DS:[EAX],EAX
004CF92B 0000 ADD BYTE PTR DS:[EAX],AL
004CF92D 7A 58 JPE SHORT vfpenc9.004CF987
004CF92F 2D 0D104000 SUB EAX,vfpenc9.0040100D
004CF934 8D90 C1104000 LEA EDX,DWORD PTR DS:[EAX+4010C1]
004CF93A 52 PUSH EDX
004CF93B 50 PUSH EAX
004CF93C 8D80 49104000 LEA EAX,DWORD PTR DS:[EAX+401049]
004CF942 5D POP EBP
004CF943 50 PUSH EAX
004CF944 8D85 65104000 LEA EAX,DWORD PTR SS:[EBP+401065]
004CF94A 50 PUSH EAX
004CF94B 64:FF35 0000000>PUSH DWORD PTR FS:[0]
004CF952 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
004CF959 CC INT3
004CF95A 90 NOP
004CF95B 64:8F05 0000000>POP DWORD PTR FS:[0]
004CF962 83C4 04 ADD ESP,4
004CF965 C3 RETN
004CF966 EB 11 JMP SHORT vfpenc9.004CF979
004CF968 59 POP ECX
004CF969 8D9D 00104000 LEA EBX,DWORD PTR SS:[EBP+401000]
004CF96F 53 PUSH EBX
004CF970 5F POP EDI
004CF971 2BFA SUB EDI,EDX
004CF973 57 PUSH EDI
; note down EDI here: it is the target of the JMP EAX below
004CF974 8A03 MOV AL,BYTE PTR DS:[EBX]
004CF976 3007 XOR BYTE PTR DS:[EDI],AL
004CF978 43 INC EBX
004CF979 47 INC EDI
004CF97A ^ E2 F8 LOOPD SHORT vfpenc9.004CF974
; single-stepping a few iterations of this loop is enough
004CF97C 58 POP EAX
004CF97D 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
004CF981 61 POPAD
004CF982 FFE0 JMP EAX
; EAX is the EDI noted above
004CF984 C3 RETN
004CD001 60 PUSHAD
; JMP EAX lands here. Set a breakpoint here and press F9; the instruction sequence below will change, and then it can be dumped and unpacked with ASPPACK
004CD002 E8 03000000 CALL vfpenc9.004CD00A
004CD007 8AB3 EC5C4555 MOV DH,BYTE PTR DS:[EBX+55455CEC]
004CD00D C3 RETN
004CD00E 92 XCHG EAX,EDX
004CD00F 59 POP ECX
004CD010 2D 0D10AB5D SUB EAX,5DAB100D
004CD015 36:7D 3E JGE SHORT vfpenc9.004CD056 ; redundant segment prefix
004CD018 EF OUT DX,EAX ; I/O instruction (junk, not real code)
004CD019 BF 038FD166 MOV EDI,66D18F03
004CD01E 8099 1C4083E0 7>SBB BYTE PTR DS:[ECX+E083401C],72
004CD025 8985 6510C99D MOV DWORD PTR SS:[EBP+9DC91065],EAX
004CD02B 72 60 JB SHORT vfpenc9.004CD08D
004CD02D FF35 0F856503 PUSH DWORD PTR DS:[365850F]
004CD033 64:89A8 852E040>MOV DWORD PTR FS:[EAX+42E85],EBP
Load the file produced by the ASPPACK unpacking and continue as in the first step
0048D543 > $ 60 PUSHAD
0048D544 . E8 00000000 CALL UnPack[2.0048D549
0048D549 $ 5D POP EBP
0048D54A . 81ED 06104000 SUB EBP,UnPack[2.00401006
0048D550 . 8D85 56104000 LEA EAX,DWORD PTR SS:[EBP+401056]
0048D556 . 50 PUSH EAX
0048D557 . 64:FF35 00000>PUSH DWORD PTR FS:[0]
0048D55E . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0048D565 . CC INT3
0048D566 . 90 NOP
0048D567 . 64:8F05 00000>POP DWORD PTR FS:[0]
0048D56E . 83C4 04 ADD ESP,4
0048D571 . 74 05 JE SHORT UnPack[2.0048D578
0048D573 . 75 03 JNZ SHORT UnPack[2.0048D578
0048D575 . EB 07 JMP SHORT UnPack[2.0048D57E
0048D577 . 59 POP ECX
0048D578 > 8D9D 00104000 LEA EBX,DWORD PTR SS:[EBP+401000]
0048D57E > 53 PUSH EBX
0048D57F . 5F POP EDI
0048D580 . 2BFA SUB EDI,EDX
0048D582 . 57 PUSH EDI
0048D583 > 8A03 MOV AL,BYTE PTR DS:[EBX]
0048D585 . 3007 XOR BYTE PTR DS:[EDI],AL
0048D587 . 43 INC EBX
0048D588 . 47 INC EDI
0048D589 .^ E2 F8 LOOPD SHORT UnPack[2.0048D583
0048D58B . 58 POP EAX
0048D58C . 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
0048D590 . 61 POPAD
0048D591 . FFE0 JMP EAX
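Both stubs above end in the same decode loop (LEA EBX,[EBP+401000]; EDI = EBX - EDX; then MOV AL,[EBX] / XOR [EDI],AL / INC EBX / INC EDI / LOOPD), and the saved EDI is what JMP EAX jumps to. The following is an added example, not code from the post or from the packer: a small Python emulator of that loop, so the XOR pass can be reproduced on a raw dump of the module instead of being single-stepped. The register values it uses are derived from the second listing: EBP = 0048D549 - 00401006 = 0008C543, so EBX = 0048D543 (the stub's own first byte, whose bytes 60 E8 00 00 00 00 5D 81 therefore act as the key stream); the post shows JMP EAX landing at 0048D4AC, and since EAX is the saved EDI = EBX - EDX, EDX must have been 0x97. EDX and ECX are not loaded by the visible straight-line code (assumption: they are set before the loop, presumably by the INT3/SEH handler), and the real byte count is not shown, so the sample image below is constructed with ECX = 8; the plaintext is the 8 bytes the final dump shows at 0048D4AC (55 8B EC 83 C4 F0 B8 F5), and `image_base` = 00400000 is assumed.

```python
# Added example (not from the original post or the packer): emulate the
# stub's XOR decode loop on a dumped image. All sample data is constructed.
from typing import Tuple

IMAGE_BASE = 0x00400000                       # assumed module base
MASK32 = 0xFFFFFFFF

# Derived from the listing: EBP = 0048D549 - 00401006, EBX = EBP + 401000,
# EDX = EBX - 0048D4AC (the JMP EAX landing address shown in the post).
STUB_EBP = 0x0048D549 - 0x00401006            # 0x0008C543
STUB_EDX = 0x0048D543 - 0x0048D4AC            # 0x97
SAMPLE_ECX = 8                                # constructed; real count unknown

# Key bytes = first 8 bytes of the stub (PUSHAD; CALL $+5; POP EBP; SUB EBP,..)
STUB_KEY = bytes.fromhex("60E8000000005D81")
# Plaintext = first 8 bytes the post's dump shows at 0048D4AC
LANDING_CODE = bytes.fromhex("558BEC83C4F0B8F5")


def xor_decode(image: bytearray, image_base: int,
               ebp: int, edx: int, ecx: int) -> int:
    """Apply the stub's loop to `image` in place and return the saved EDI,
    i.e. the virtual address JMP EAX transfers to.

        LEA EBX,[EBP+401000]      ; key block
        PUSH EBX / POP EDI
        SUB EDI,EDX               ; encrypted block
        PUSH EDI                  ; later POP EAX -> [ESP+1C] -> POPAD -> JMP EAX
      loop:
        MOV AL,[EBX] / XOR [EDI],AL / INC EBX / INC EDI / LOOPD loop
    """
    ebx = (ebp + 0x401000) & MASK32
    edi = (ebx - edx) & MASK32
    saved_edi = edi
    while True:                                # LOOPD is a do/while
        for va in (ebx, edi):
            if not image_base <= va < image_base + len(image):
                raise ValueError(f"VA {va:08X} outside the dumped image")
        al = image[ebx - image_base]           # MOV AL,BYTE PTR [EBX]
        image[edi - image_base] ^= al          # XOR BYTE PTR [EDI],AL
        ebx = (ebx + 1) & MASK32               # INC EBX
        edi = (edi + 1) & MASK32               # INC EDI
        ecx = (ecx - 1) & MASK32               # LOOPD: DEC ECX, jump if != 0
        if ecx == 0:
            break
    return saved_edi


def build_sample_image() -> bytearray:
    """Constructed dump: key block at 0048D543, encrypted block at 0048D4AC."""
    image = bytearray(0x8D600)                 # large enough to hold both blocks
    key_off = 0x0048D543 - IMAGE_BASE
    enc_off = 0x0048D4AC - IMAGE_BASE
    image[key_off:key_off + len(STUB_KEY)] = STUB_KEY
    encrypted = bytes(p ^ k for p, k in zip(LANDING_CODE, STUB_KEY))
    image[enc_off:enc_off + len(encrypted)] = encrypted
    return image


def demo() -> Tuple[int, bytes]:
    """Run the loop on the sample and return (JMP EAX target, decoded bytes)."""
    image = build_sample_image()
    target = xor_decode(image, IMAGE_BASE, STUB_EBP, STUB_EDX, SAMPLE_ECX)
    off = target - IMAGE_BASE
    return target, bytes(image[off:off + SAMPLE_ECX])


if __name__ == "__main__":
    target, code = demo()
    print(f"JMP EAX target: {target:08X}  decoded bytes: {code.hex().upper()}")
```

On a real dump you would replace the constructed image with the bytes read from the process, keep EBP and EDX as derived above, and set ECX to the value observed in the debugger when the loop is entered; the function then returns the landing address and leaves the decoded bytes in place.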
0048D4AC 55 DB 55
; Here it is. Analyze it, or just dump it directly. OK, but on closer analysis the dumped output is a bit of a headache to look at, heh
0048D4AD 8B DB 8B
0048D4AE EC DB EC
0048D4AF 83 DB 83
0048D4B0 C4 DB C4
0048D4B1 F0 DB F0
0048D4B2 B8 DB B8
0048D4B3 F5 DB F5
0048D4B4 3F DB 3F ; CHAR '?'
0048D4B5 4E DB 4E ; CHAR 'N'
0048D4B6 10 DB 10
0048D4B7 A8 DB A8
0048D4B8 50 DB 50 ; CHAR 'P'
0048D4B9 07 DB 07
0048D4BA 72 DB 72 ; CHAR 'r'
0048D4BB A9F84000 DD UnPack[2.0040F8A9
0048D4BF 50 DB 50 ; CHAR 'P'
0048D4C0 64 DB 64 ; CHAR 'd'
0048D4C1 A7 DB A7
0048D4C2 B6 DB B6
0048D4C3 E8 DB E8
0048D4C4 15 DB 15