[Debugging environment]: WinXP, Ollydbg1.10C, WinHex, LordPE, UPXAngela, ImportREC
---------------------------------[Unpacking process]:
This article is really just an OllyDbg version of the UPX chapter in "Encryption and Decryption", 2nd edition. With OllyDbg 1.10C and UPXAngela, unpacking a UPX-packed DLL is very convenient (a DLL, unlike an EXE, needs its relocation table restored, which is why the first step below looks for it).
---------------------------------1. Get the relocation table RVA and the OEP
Code:
--------------------------------------------------------------------------------
003B8100  807C24 08 01    cmp byte ptr ss:[esp+8], 1    ; operand decoded from the opcode bytes: the usual DllMain entry test of fdwReason against DLL_PROCESS_ATTACH
(cut off)      ..., dword ptr ds:[403236]        ; the address of the user name goes into esi
00401627  8D3D 58324000   lea edi, dword ptr ds:[403258]    ; where the transformed user name is stored
0040162D  B9 0A000000     mov ecx, 0A                       ; ecx = 10
00401632  0FBE041E        movsx eax, byte ptr ds:[esi+ebx]  ; eax = current character of the user name (first pass: 'z' = 122)
00401636  99              cdq
00401637  F7F9            idiv ecx                          ; eax = 122 / 10 = 12 (quotient), edx = 122 % 10 = 2 (remainder)
00401639  33D3            xor edx, ebx                      ; xor the remainder with the index in ebx (listing cut off here)
When the original program encounters a 0-byte file it crashes. Here I added SEH error-handling code, which solved the problem completely!
.386
.model flat, stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

.data?
hFile     dd ?
hMapFile  dd ?
lpFile    dd ?

.const
szErr     db "is not a valid 32-bit program!", 0
szOk      db "is an executable file!", 0
szNo      db "failed to open the file!", 0
szName    db "D:. EXE
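The same "is this a valid 32-bit PE?" check in C, as an added example that is not the MASM program above or any code from the article. It is written so that the failure the author hit (a 0-byte file) and its relatives (a header shorter than 0x40 bytes, an e_lfanew pointing outside the file) are rejected by explicit length checks rather than by catching the fault with SEH. No Windows headers are used; the two signatures and the Machine field are read by offset from the PE specification. The `make_sample` helper and the sample buffers are constructed for the example; the status names and the 1 MiB read limit are the example's own choices.

```c
/* Added example: bounds-checked 32-bit PE validity test (not the page's MASM code). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum pe_status {
    PE_OK = 0,      /* "MZ" + "PE\0\0" + Machine == IMAGE_FILE_MACHINE_I386 */
    PE_EMPTY,       /* zero-length input: the case that crashed the original program */
    PE_NO_MZ,       /* shorter than a DOS header, or no "MZ" */
    PE_BAD_LFANEW,  /* e_lfanew points outside the buffer (or leaves no room for the headers) */
    PE_NO_PE_SIG,   /* no "PE\0\0" at e_lfanew */
    PE_NOT_I386     /* a PE, but not a 32-bit x86 image (e.g. 0x8664 = AMD64) */
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

enum pe_status check_pe32(const unsigned char *buf, size_t len)
{
    uint32_t lfanew;
    if (len == 0) return PE_EMPTY;
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return PE_NO_MZ;   /* e_lfanew lives at 0x3C */
    lfanew = rd32(buf + 0x3c);
    /* need 4 bytes of signature plus the 20-byte IMAGE_FILE_HEADER; compare without overflow */
    if (lfanew > len || len - lfanew < 4 + 20) return PE_BAD_LFANEW;
    if (memcmp(buf + lfanew, "PE\0\0", 4) != 0) return PE_NO_PE_SIG;
    if (rd16(buf + lfanew + 4) != 0x014c) return PE_NOT_I386;            /* Machine field */
    return PE_OK;
}

/* Constructed test input: a bare header image of `len` bytes with the given
 * e_lfanew and Machine value and no sections. Fields that do not fit are left out. */
size_t make_sample(unsigned char *out, size_t len, uint32_t lfanew, uint16_t machine)
{
    memset(out, 0, len);
    if (len >= 0x40) {
        out[0] = 'M'; out[1] = 'Z';
        out[0x3c] = (unsigned char)lfanew;         out[0x3d] = (unsigned char)(lfanew >> 8);
        out[0x3e] = (unsigned char)(lfanew >> 16); out[0x3f] = (unsigned char)(lfanew >> 24);
    }
    if (lfanew <= len && len - lfanew >= 24) {
        memcpy(out + lfanew, "PE\0\0", 4);
        out[lfanew + 4] = (unsigned char)machine;  out[lfanew + 5] = (unsigned char)(machine >> 8);
    }
    return len;
}

int main(int argc, char **argv)
{
    static unsigned char buf[1 << 20];   /* the headers sit at the start; 1 MiB is plenty (assumed limit) */
    FILE *f;
    size_t len;
    if (argc < 2) { fprintf(stderr, "usage: %s file.exe\n", argv[0]); return 2; }
    f = fopen(argv[1], "rb");
    if (!f) { printf("%s failed to open the file!\n", argv[1]); return 1; }
    len = fread(buf, 1, sizeof buf, f);
    fclose(f);
    printf("%s %s\n", argv[1],
           check_pe32(buf, len) == PE_OK ? "is an executable file!" : "is not a valid 32-bit program!");
    return 0;
}
```

The order of the checks matters: every read is preceded by a length test, so `check_pe32` never touches memory past `buf + len`, and a file of size 0 is reported as `PE_EMPTY` instead of faulting on a NULL mapping.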
At a loose end, I traced part of Kingsoft Ranger's code and, following the program's flow, wrote out the complete code in assembly. Let's make a trainer ourselves!
0041EC32  /.  55      push ebp         ; ebp is used to address the stack and read the parameters, so save ebp first
0041EC33  |.  8BEC    mov ebp, esp     ; ebp addresses the stack because esp keeps changing
0041EC35  |.  51      push ecx
0041EC36  |.  56      push esi
0041EC37  |.  57      push edi         ; save the registers' values
Set a bpx breakpoint on Shell_NotifyIconA (the tray-icon API; it appears as shell_policyicona in the source), and when it breaks press F12 to see where the software calls it and which parameters it passes!
First you land here:
This is where the software calls it at startup:
* Possible reference to string resource id = 00114: "CCProxy"
:00408770 6A72            push 00000072                        ; 72h = 114, the "CCProxy" string resource id
:00408772 51              push ecx
:00408773                 mov byte ptr [esp+000024F4], 05
:0040877B E8C0890100      call 00421140
:00408780 83C408          add esp, 00000008
:00408783 50              push eax
:00408784 8D4C2414        lea ecx, dword ptr [esp+14]          ; operand decoded from the opcode bytes
#include <stdio.h>

int goo(int a, int b)
{
    return a + b;
}

void foo(void)
{
    int a[] = {1, 2, 3};
    int result = goo(a[1], a[2]);
    printf("result: %d\n", result);
}

Compiled with VS2010.
Assembly of the foo function:
00EB3890  push ebp
00EB3891  mov ebp, esp
00EB3893  sub esp, 0E4h          ; 0E4h bytes of locals
00EB3899  push ebx
00EB389A  push esi
00EB389B  push edi
00EB389C  lea edi, [ebp-0E4h]    ; start of the locals area
00EB38A2  mov ecx, 39h           ; 0E4h / 4 = 39h dwords: the count for the rep stos fill of the locals area
When a virtual function is called from the parent class's constructor, the call does not reach the subclass's override, so the virtual function cannot touch data members of the subclass, which have not been constructed yet.
Looking at the assembly generated by VC7.1 makes this behaviour easy to understand.
This is the C190 constructor:
00426FE0  push ebp
00426FE1  mov ebp, esp
00426FE3  sub esp, 0CCh
00426FE9  push ebx
00426FEA  push esi
00426FEB  push edi
00426FEC  push ecx                       ; this pointer
00426FED  lea edi, [ebp+FFFFFF34h]       ; = [ebp-0CCh], start of the locals area
00426FF3  mov ecx, 33h                   ; 0CCh / 4 = 33h dwords
00426FF8  mov eax, 0CCCCCCCCh
00426FFD  rep stos dword ptr [edi]       ; debug fill of the locals
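The mechanism behind that behaviour, hand-written in C as an added example (this is not the article's code and not what VC7.1 emits; it reproduces the layout the compiler uses so the dispatch decision is visible). Each constructor first stores its own class's vtable pointer into the object, so a virtual call made while the base constructor runs goes through the base vtable and reaches `base_f`, never `derived_f`, whose member has not been written yet. The names `Base`, `Derived`, `f`, `base_ctor` and `derived_ctor` are the example's own.

```c
/* Added example: what "virtual call inside a base constructor" compiles to. */
#include <stdio.h>

struct Base;
struct vtable { int (*f)(struct Base *self); };

struct Base {
    const struct vtable *vptr;   /* first field, where MSVC places the vftable pointer */
    int base_value;
};

struct Derived {
    struct Base base;            /* base subobject comes first, so a Derived* is also a Base* */
    int derived_value;           /* written only after base_ctor has returned */
};

static int base_f(struct Base *self)    { return self->base_value; }
static int derived_f(struct Base *self) { return ((struct Derived *)self)->derived_value; }

static const struct vtable base_vt    = { base_f };
static const struct vtable derived_vt = { derived_f };

int value_seen_in_base_ctor;     /* records what the virtual call inside Base's ctor returned */

/* Base::Base() { base_value = 1; value_seen_in_base_ctor = f(); } */
void base_ctor(struct Base *self)
{
    self->vptr = &base_vt;                        /* "mov [ecx], offset Base::vftable" */
    self->base_value = 1;
    value_seen_in_base_ctor = self->vptr->f(self); /* dispatches through base_vt -> base_f */
}

/* Derived::Derived() : Base() { derived_value = 42; } */
void derived_ctor(struct Derived *self)
{
    base_ctor(&self->base);        /* runs entirely with the Base vtable installed */
    self->base.vptr = &derived_vt; /* only now can a virtual call reach Derived */
    self->derived_value = 42;
}

/* An ordinary virtual call on a fully constructed object. */
int call_f(struct Base *obj) { return obj->vptr->f(obj); }

int demo(void)
{
    struct Derived d;
    derived_ctor(&d);
    return call_f(&d.base);        /* 42: Derived's override, now that construction is complete */
}

int main(void)
{
    int after = demo();
    printf("inside Base ctor f() returned %d, after construction f() returns %d\n",
           value_seen_in_base_ctor, after);
    return 0;
}
```

If `base_ctor` had instead called `derived_f` directly, it would read `derived_value` before `derived_ctor` assigned it, which is exactly the uninitialised access the text warns about; the vptr rewrite in each constructor is what prevents it.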
For the bug fix used in the code, see the article "GDI+ for VCL basics - GDI+ and VCL". (8.8.18)
Data type:
type
  // Image data structure, compatible with the GDI+ TBitmapData structure
  TImageData = packed record
    Width: LongWord;        // image width
    Height: LongWord;       // image height
    Stride: LongWord;       // length of one scan line of the image, in bytes
    PixelFormat: LongWord;  // unused
    Scan0: Pointer;         // address of the image data
    Reserved: LongWord;     // reserved
  end;
  PImageData = ^TImageData;
constant stack space. Why does tail recursion achieve constant stack space? Let's use the famous Fibonacci sequence to illustrate this. The Fibonacci sequence is usually implemented like this:
int FibonacciRecur(int n)
{
    if (0 == n) return 0;
    if (1 == n) return 1;
    return FibonacciRecur(n - 1) + FibonacciRecur(n - 2);
}
Note, however, that this implementation is not tail recursion, because the last action of a tail-recursive function must be the call to itself, and the final action here
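An added example, not code from the article: the page's `FibonacciRecur` (where the last action is the addition of two results, so each frame must stay alive until both calls return) beside a tail-recursive version that carries the two previous values in accumulators, so that the recursive call really is the last thing the function does. A compiler that performs tail-call elimination (gcc and clang do at -O2) turns `fib_tail_acc` into the loop shown explicitly in `fib_iter`; C does not guarantee this, so at -O0 `fib_tail` still uses `n` frames. The function names are the example's own.

```c
/* Added example: naive vs tail-recursive Fibonacci. */
#include <stdio.h>

/* The page's version: the last action is an addition, not the recursive call. */
unsigned long long fib_recur(unsigned n)
{
    if (n == 0) return 0;
    if (n == 1) return 1;
    return fib_recur(n - 1) + fib_recur(n - 2);   /* exponential time, n frames deep */
}

/* Tail-recursive: a = fib(k), b = fib(k+1); nothing remains to do after the call. */
static unsigned long long fib_tail_acc(unsigned n, unsigned long long a, unsigned long long b)
{
    if (n == 0) return a;
    return fib_tail_acc(n - 1, b, a + b);         /* the call is the final action */
}

unsigned long long fib_tail(unsigned n) { return fib_tail_acc(n, 0, 1); }

/* The loop an optimizing compiler derives from fib_tail_acc: constant stack space. */
unsigned long long fib_iter(unsigned n)
{
    unsigned long long a = 0, b = 1;
    while (n-- > 0) {
        unsigned long long t = a + b;
        a = b;
        b = t;
    }
    return a;
}

int main(void)
{
    /* fib(93) is the largest Fibonacci number that fits in 64 bits */
    printf("fib(20) recursive = %llu, tail = %llu, iterative = %llu\n",
           fib_recur(20), fib_tail(20), fib_iter(20));
    printf("fib(93) tail = %llu\n", fib_tail(93));
    return 0;
}
```

Any value of `n` above 93 overflows `unsigned long long`; the example stops there rather than silently wrapping.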
the parameters are popped, but here they are not; really strange! Let's follow into the dark alley and see what it does!
37:  int __stdcall fnStandardCall(int arg1, short arg2, char arg3, void *arg4)
38:  {
00401200  push ebp
00401201  mov ebp, esp
00401203  sub esp, 50h
00401206  push ebx
00401207  push esi
00401208  push edi
00401209  lea edi, [ebp-50h]
0040120C  mov ecx, 14h                  ; 50h / 4 = 14h dwords
00401211  mov eax, 0CCCCCCCCh
00401216  rep stos dword ptr [edi]
Convert the value in edx:eax to a decimal string for output, in the familiar way from the earlier example.
; For example: edx = 0, eax = 01234567h; the converted string is:
; -> '19088743', 0
OutEdxEax proc uses ebx esi edi, lpString
    mov edi, lpString        ; edi points to where the result is stored
    mov esi, lpString
    mov ecx, 10              ; divisor: convert to decimal
    .while eax != 0 || edx != 0
        push eax
        mov eax, edx
        xor edx, edx
        div ecx
        mov
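The page's OutEdxEax redone in C, as an added example (not the article's code): the 64-bit value edx:eax is printed in decimal using only 32-bit divisions, in the same order the assembly uses. Each round first divides the high dword alone (edx:eax = 0:high), keeping its quotient as the new high dword, then divides remainder:low. Because that remainder is below 10, the second dividend is below 10 * 2^32, so its quotient fits in 32 bits and a real `div ecx` can never raise #DE at that point; the quotient becomes the new low dword and the remainder is the next digit, least significant first. The function name is the example's own.

```c
/* Added example: 64-bit to decimal with 32-bit division steps, mirroring OutEdxEax. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Writes the decimal form of edx:eax into out (needs 21 bytes) and returns out. */
const char *u64_to_dec(uint32_t edx, uint32_t eax, char *out)
{
    char tmp[21];                        /* 2^64 - 1 has 20 digits */
    int n = 0;
    if (edx == 0 && eax == 0)
        tmp[n++] = '0';                  /* the .while loop would produce nothing for zero */
    while (edx != 0 || eax != 0) {       /* .while eax != 0 || edx != 0 */
        uint32_t hi = edx / 10;          /* first div ecx: dividend 0:edx, quotient = new high dword */
        uint32_t r  = edx % 10;          /*   remainder stays in edx for the second division */
        uint64_t dividend = ((uint64_t)r << 32) | eax;   /* second div ecx: dividend r:eax */
        uint32_t lo = (uint32_t)(dividend / 10);         /*   quotient < 2^32 since r < 10 */
        r = (uint32_t)(dividend % 10);                   /*   remainder = next digit */
        tmp[n++] = (char)('0' + r);
        edx = hi;
        eax = lo;
    }
    for (int i = 0; i < n; i++)          /* digits came out reversed; write them back in order */
        out[i] = tmp[n - 1 - i];
    out[n] = '\0';
    return out;
}

int main(void)
{
    char buf[21];
    printf("edx=0 eax=01234567h -> %s\n", u64_to_dec(0, 0x01234567u, buf));
    printf("edx=FFFFFFFFh eax=FFFFFFFFh -> %s\n", u64_to_dec(0xFFFFFFFFu, 0xFFFFFFFFu, buf));
    return 0;
}
```

The page's own example (edx = 0, eax = 01234567h) yields "19088743"; the largest input yields the 20-digit "18446744073709551615", which is why the output buffer must hold 21 bytes.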
Manual call-stack construction practice: how to construct the call stack by hand
============
First, a few pictures illustrate the characteristics of the stack, to help you understand:
1. The stack grows toward lower addresses.
2. Data is pushed onto the stack.
Summary of the windbg commands for viewing the disassembly of a function:
Command
==========
u
u $ip
The two commands above have the same effect: they disassemble 8 instructions starting at the current $ip address
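The manual construction described above, together with the foo/goo and fnStandardCall prologues shown earlier, as an added example written for this page (it is not code from any of the articles): a small model of the x86 stack in which `push ebp / mov ebp,esp / sub esp,N` and `call`/`ret` are applied by hand, and the call stack is then rebuilt the way a debugger's k command does it, by walking the chain of saved ebp values and reading the return address stored just above each one. The stack top, the return addresses and the frame sizes of main and goo are the example's assumptions; foo's 0E4h comes from the VS2010 listing.

```c
/* Added example: x86 stack-frame model and saved-ebp frame walk. */
#include <stdint.h>
#include <stdio.h>
#include <assert.h>

#define STACK_TOP   0x0019FF00u   /* assumed value of esp at the start */
#define STACK_WORDS 256

/* Assumed code addresses: the instruction following each call. */
#define RET_IN_CRT  0x004012F0u   /* in the CRT, after "call main" */
#define RET_IN_MAIN 0x00401030u   /* in main, after "call foo" */
#define RET_IN_FOO  0x00401082u   /* in foo,  after "call goo" */

static uint32_t mem[STACK_WORDS]; /* dwords at STACK_TOP-4, STACK_TOP-8, ... */
static uint32_t esp, ebp;

static uint32_t *slot(uint32_t addr)
{
    uint32_t off = STACK_TOP - addr;                 /* bytes below the top */
    assert(addr < STACK_TOP && addr % 4 == 0 && off / 4 <= STACK_WORDS);
    return &mem[off / 4 - 1];
}

static void     push(uint32_t v) { esp -= 4; *slot(esp) = v; }   /* stack grows downward */
static uint32_t pop(void)        { uint32_t v = *slot(esp); esp += 4; return v; }

/* "call target": pushes the address of the caller's next instruction. */
static void do_call(uint32_t ret_addr) { push(ret_addr); }

/* push ebp / mov ebp,esp / sub esp,locals: the prologue in every listing above. */
static void prologue(uint32_t locals) { push(ebp); ebp = esp; esp -= locals; }

/* mov esp,ebp / pop ebp / ret n: returns the address execution resumes at.
 * n == 0 models cdecl (the caller removes the arguments), n > 0 models stdcall's "ret n". */
static uint32_t epilogue_ret(uint32_t n)
{
    uint32_t ret;
    esp = ebp;
    ebp = pop();
    ret = pop();
    esp += n;
    return ret;
}

/* n-th dword argument of the current frame: [ebp+8], [ebp+0Ch], ... */
static uint32_t arg(int n) { return *slot(ebp + 8 + 4 * (uint32_t)n); }

/* Rebuilds the call stack like windbg's k: follow saved ebp, collect return addresses. */
int walk_frames(uint32_t *rets, int max)
{
    int n = 0;
    for (uint32_t fp = ebp; fp != 0 && n < max; fp = *slot(fp))
        rets[n++] = *slot(fp + 4);    /* return address sits right above the saved ebp */
    return n;
}

/* Models CRT -> main -> foo -> goo(a[1], a[2]) and stops inside goo; returns a + b. */
int run_to_goo(void)
{
    esp = STACK_TOP;
    ebp = 0;                         /* ebp == 0 terminates the frame chain */
    do_call(RET_IN_CRT);
    prologue(0x40);                  /* main's frame (assumed size) */
    do_call(RET_IN_MAIN);
    prologue(0xE4);                  /* foo: sub esp,0E4h as in the VS2010 listing */
    push(3);                         /* a[2]: arguments are pushed right to left */
    push(2);                         /* a[1] */
    do_call(RET_IN_FOO);
    prologue(0x40);                  /* goo's frame (assumed size) */
    return (int)(arg(0) + arg(1));   /* goo's "return a + b" reads [ebp+8] and [ebp+0Ch] */
}

/* Return from goo under cdecl: after ret, the caller itself does "add esp,8". */
uint32_t return_from_goo_cdecl(void)
{
    uint32_t ret = epilogue_ret(0);
    esp += 8;                        /* foo's add esp,8 */
    return ret;
}

int main(void)
{
    uint32_t rets[8];
    int n, i;
    printf("goo returns %d\n", run_to_goo());
    n = walk_frames(rets, 8);
    for (i = 0; i < n; i++)
        printf("frame %d: return address %08X\n", i, rets[i]);
    printf("ret from goo resumes at %08X\n", return_from_goo_cdecl());
    return 0;
}
```

Inside goo the walk yields three return addresses (into foo, main and the CRT) and stops when it reads the saved ebp of 0 that main's prologue pushed; after goo returns, only two remain. Replace `epilogue_ret(0)` plus the caller's `esp += 8` with `epilogue_ret(8)` and the same stack state results, which is the stdcall "ret 8" the fnStandardCall passage was puzzling over.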
simple. The main function first calls ProcCommandLine() to parse the command line and obtain the service group to be started, then calls SvcHostOptions() to query the options of that service group and all of the group's services, saving each service and its DLL in a data structure, svcTable. It then calls PrepareSvcTable() to build the SERVICE_TABLE_ENTRY array, pointing every SERVICE_MAIN_FUNCTION at one of its own functions, FuncSer
Article title: Linux memory management initialization.
ENTRY(startup_32)
/*
 * Set segments to known values.
 */
        cld
        lgdt boot_gdt_descr - __PAGE_OFFSET     /* load the boot GDT; __PAGE_OFFSET is subtracted because paging is not enabled yet, so a physical address is needed */
        movl $(__BOOT_DS), %eax
        movl %eax, %ds
        movl %eax, %es
        movl %eax, %fs
        movl %eax, %gs
/*
 * Clear BSS first so that there are