Decryption of a string of characters

Source: Internet
Author: User

 

Author: moonflow

Bored. I came across a clever string while visiting a blog:

Code:

000102030405060708090A0B0C0D0E0F

00: 526172211A0700CF907300000D000000

10: 0000000077B77420902B00BA00000038

20: 010000024fdbc8236965393c1d330600

30: 2000000043432E45584500F010A96708

40: 150D10BE0D66F3DA083C2BF0286D0DC9

50: C0DAD1D42D4A87588829C86BF07D437B

60: 5234BF0A88FC3B5221CD8FC4363F09B5

70: EA1D375068762F51D4BF078484C0CC99

80: 09F479EA3C7AAC33D266424AE7C063CB

90: B82A07A1F75AD73AE402E209FC1323C0

A0: C588C60E76B3611CEE160D58C7829C0A

B0: 6443DFB6411E8EA14B24BA9B1E65D9FB

C0: 43A17725D3AA512F512C4319C74F903F

D0: 824F15DA6DBF6E0397FBE7377A4D9D3B

E0: E110E155C8AB8B847ED52B853B11DB22

F0: 7836B5F57F44C44F28C43D7B00400700

Then I read the assembly code in the reply from x below it and was confused. How did the string turn into that?

I was curious, so I started digging. I asked many people and finally got somewhere. Of course, once you know a few details, the actual process is clear.

This is just a small trick. Old hands, please skip over it ......

 

1. First paste all the data except the first line and the offset values into WinHex.

Code:

52 61 72 21 1A 07 00 CF 90 73 00 00 0D 00 00 00  Rar!.....s......

00 00 00 00 77 B7 74 20 90 2B 00 BA 00 00 00 38  ....w.t .+.....8

01 00 00 02 4F DB C8 23 68 65 39 3C 1D 33 06 00  ....O..#he9<.3..

20 00 00 00 43 43 2E 45 58 45 00 F0 10 A9 67 08   ...CC.EXE....g.

15 0D 10 BE 0D 66 F3 DA 08 3C 2B F0 28 6D 0D C9  .....f...<+.(m..

C0 DA D1 D4 2D 4A 87 58 88 29 C8 6B F0 7D 43 7B  ....-J.X.).k.}C{

52 34 BF 0A 88 FC 3B 52 21 CD 8F C4 36 3F 09 B5  R4....;R!...6?..

EA 1D 37 50 68 76 2F 51 D4 BF 07 84 84 C0 CC 99  ..7Phv/Q........

09 F4 79 EA 3C 7A AC 33 D2 66 42 4A E7 C0 63 CB  ..y.<z.3.fBJ..c.

B8 2A 07 A1 F7 5A D7 3A E4 02 E2 09 FC 13 23 C0  .*...Z.:......#.

C5 88 C6 0E 76 B3 61 1C EE 16 0D 58 C7 82 9C 0A  ....v.a....X....

64 43 DF B6 41 1E 8E A1 4B 24 BA 9B 1E 65 D9 FB  dC..A...K$...e..

43 A1 77 25 D3 AA 51 2F 51 2C 43 19 C7 4F 90 3F  C.w%..Q/Q,C..O.?

82 4F 15 DA 6D BF 6E 03 97 FB E7 37 7A 4D 9D 3B  .O..m.n....7zM.;

E1 10 E1 55 C8 AB 8B 84 7E D5 2B 85 3B 11 DB 22  ...U....~.+.;.."

78 36 B5 F5 7F 44 C4 4F 28 C4 3D 7B 00 40 07 00  x6...D.O(.={.@..

You can see a Rar! signature at the beginning, and the name CC.EXE in the middle. Save the data as an A.rar file.

 

2. Decompress the RAR file to obtain CC.EXE.

 

3. Use LordPE to view the PE information of CC.EXE. The program entry point is 000000F8. Since the section alignment is equal to the file alignment, the entry point can be used directly as a file offset: open CC.EXE in WinHex and go to "000000F8". Copy all the bytes from "000000F8" to the end of the file into a new WinHex file and name it hehe.bin.

 

4. Out of habit I switched to Linux and had a look at it with hexdump.

Code:

[root@localhost ~]# hexdump -C hehe.bin

00000000  60 e8 0e 00 00 00 8b 44  24 0c 05 b8 00 00 00 ff  |`......D$.......|

00000010  00 33 c0 c3 5e 64 a1 30  00 00 00 05 00 08 00 00  |.3..^d.0........|

00000020  8b f8 a5 a5 a5 a5 50 33  c0 64 ff 30 64 89 20 cc  |......P3.d.0d. .|

00000030  58 64 a3 00 00 00 00 83  c4 04 61 c3 00 00 00     |Xd........a....|

5. Use ndisasm to disassemble the bytes.

Code:

[root@localhost ~]# ndisasm -u hehe.bin > hehe.txt

6. Finally, the following listing is obtained, which is basically consistent with the assembly code posted by x on the blog.

Code:

[root@localhost ~]# cat hehe.txt | more

00000000  60                pushad

00000001  E80E000000        call dword 0x14

00000006  8B44240C          mov eax,[esp+0xc]

0000000A  05B8000000        add eax,0xb8

0000000F  FF00              inc dword [eax]

00000011  33C0              xor eax,eax

00000013  C3                ret

00000014  5E                pop esi

00000015  64A130000000      mov eax,[fs:0x30]

0000001B  0500080000        add eax,0x800

00000020  8BF8              mov edi,eax

00000022  A5                movsd

00000023  A5                movsd

00000024  A5                movsd

00000025  A5                movsd

00000026  50                push eax

00000027  33C0              xor eax,eax

00000029  64FF30            push dword [fs:eax]

0000002C  648920            mov [fs:eax],esp

0000002F  CC                int3

00000030  58                pop eax

00000031  64A300000000      mov [fs:0x0],eax

00000037  83C404            add esp,byte +0x4

0000003A  61                popad

0000003B  C3                ret

Because my knowledge is limited, I don't know whether this is the right way to do it. It is for reference only. Time is limited, so I'll stop here. Thank you.
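Steps 1 and 2 can be checked without WinHex. The sketch below is an added example, not code from the original post: it rebuilds the bytes from the dump and reads the RAR 1.5-4.x block headers to recover the stored file name and sizes. It embeds only rows 00-30, with byte values taken from the WinHex listing in step 1; the function names are illustrative.

```python
import struct
import zlib

# Rows 00-30 of the string, bytes as in the WinHex listing of step 1 (these
# 64 bytes hold every RAR header). The column-header row is kept on purpose.
DUMP = """\
000102030405060708090A0B0C0D0E0F
00: 526172211A0700CF907300000D000000
10: 0000000077B77420902B00BA00000038
20: 010000024FDBC8236865393C1D330600
30: 2000000043432E45584500F010A96708
"""
RAR_MARKER = bytes.fromhex("526172211A0700")  # "Rar!" 1A 07 00

def dump_to_bytes(text):
    """Step 1: drop the column-header row and the 'NN:' offsets."""
    out = bytearray()
    for line in text.splitlines():
        _offset, sep, data = line.partition(":")
        if sep:  # the column-header row has no 'NN:' prefix
            out += bytes.fromhex(data.strip())
    return bytes(out)

def read_block(buf, pos):
    """One RAR 1.5-4.x block: HEAD_CRC, HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE."""
    crc, htype, _flags, size = struct.unpack_from("<HBHH", buf, pos)
    raw = buf[pos:pos + size]
    # HEAD_CRC is the low 16 bits of CRC32 over the header after the CRC field
    ok = len(raw) == size and (zlib.crc32(raw[2:]) & 0xFFFF) == crc
    return htype, raw, ok

def inspect(buf):
    """Name and sizes of the first stored file, plus header CRC results."""
    if not buf.startswith(RAR_MARKER):
        raise ValueError("no Rar! marker")
    mtype, mraw, main_ok = read_block(buf, len(RAR_MARKER))
    ftype, fraw, file_ok = read_block(buf, len(RAR_MARKER) + len(mraw))
    if mtype != 0x73 or ftype != 0x74 or len(fraw) < 32:
        raise ValueError("archive or file header missing")
    # PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD, NAME_SIZE, ATTR
    pack, unp, _os, _fcrc, _ftime, ver, _m, nlen, _attr = struct.unpack_from(
        "<IIBIIBBHI", fraw, 7)
    return {"name": fraw[32:32 + nlen].decode("ascii", "replace"),
            "packed": pack, "unpacked": unp, "unp_ver": ver,
            "main_crc_ok": main_ok, "file_crc_ok": file_ok}

if __name__ == "__main__":
    print(inspect(dump_to_bytes(DUMP)))
```

A false `file_crc_ok` points at a transcription error in the pasted bytes, which is worth ruling out before handing the file to an unpacker.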
