天哪。NP太WS了……最小保护还有乱序……看得我头大
本来想休息会,玩会ZP,还有乱序……
怒了,做了个脚本,效果不错……就是编程习惯太差,效率一般,各位海涵。
查看方法:查看--》记录
使用说明:
1 可修改脚本里的“反汇编长度”以增长反汇编长度
!!!2 一定要使文件名中没有数字……谢谢
【更新】
2009.8.17
[+]增加CALL乱序的解决办法
[-] 除去脚本结束后EAX,EBX数值改变的BUG
//////////////////////////////////////////////////
// Comment : 反JMP乱序
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V1.56
// Author : NONAME剑人
// WebSite : http://www.unpack.cn
// Date : 2009-08-06 20:35
//////////////////////////////////////////////////
var 反汇编长度,myeip,temp,newadd,temp2,temp3
var eeax,eebx
var kkkk
var ifcall,calltemp
mov calltemp,0
//设置
mov 反汇编长度,10 //请自行修改
mov ifcall,1 //是否跟进CALL,0为否,1为是,请自行修改
//!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
//!!!!!!!!使用前请务必将程序名改为不带数字的!!!!!!!!!
//!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
//======================
//初始化操作
lc
mov myeip,eip
alloc 5
mov newadd,$RESULT
mov eeax,eax
mov eebx,ebx
//======================
//======================
//进入正题
redo:
opcode myeip ;得到代码
//======================
scmp $RESULT,"EB",2
je YESJMP
scmp $RESULT,"E9",2
je YESJMP
cmp ifcall,0
je coun_1
;判断跳转
scmp $RESULT,"E8",2
je YEScall
coun_1:
jmp countinue1 ;CASE 无跳转
YEScall: ;call的单独处理
mov calltemp,1
jmp YESJMP
YESJMP: ;CASE 有跳转
mov temp,$RESULT_1
mov [newadd],temp
mov temp,newadd
jxx_1:
mov al,[temp]
cmp al,30
jb jxx_goon
cmp al,39
ja jxx_goon
readstr [temp],8
mov temp3,$RESULT
atoi temp3,10
mov temp3,$RESULT
jmp jxx_over
jxx_goon:
cmp al,0
inc temp
jnz jxx_1
msg "出现问题?"
mov eax,eeax
mov ebx,eebx
ret
jxx_over:
mov myeip,temp3
jmp redo
countinue1:
itoa myeip
add $RESULT,":"
mov eax,calltemp
cmp eax,1
jnz next_1
log "已进入CALL",$RESULT
mov calltemp,0
next_1:
log $RESULT_1,$RESULT
add myeip,$RESULT_2
inc kkkk
cmp kkkk,反汇编长度
jb redo
mov eax,eeax
mov ebx,eebx
ret
[课程]Linux pwn 探索篇!
