m2ts to mov

; Tag_next: Pop ebx; Get critical module Base address mov esi, DWORD ptr fs: [0x30]; mov esi, [esi + 0x0c]; mov esi, [esi + 0x1c]; mov esi, [esi]; mov edx,

................0180 00 00 00 8B FC 1E 57 8b-f5 CB 00 00 00 00 00 00 ...... W .........0190 00 00 00 00 00 00 00 00-00 00 00 00 00 00 ................01a0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 ................01b0 00 00 00 00 2C 44 63-b5 D7 B5 D7 00 00 80 01 ......, DC ........01c0 01 00 0b Fe 7f FD 3f 00-00 00 3f 04 7d 00 00 00 ......?...?.}...01d0 41 Fe 0C Fe FF 7E 04-7d 00 7d 9B E5 01 00 00 .....~.}.}.....01e0 00 00 00 00 00 00 00-00 00 00 00 00 00 00 ................01f0 00 00 00 00 00

Compare the four types of Interrupt commands that are common in data segments and additional segments and in Assembly1. input two strings of the same length from the keyboard, put them into the data segment and the additional segment, and use the string comparison command to compare the two strings in the Data Segment and the additional segment. If the two strings are the same, output Y, otherwise, N is output. This program has been debugged for a long time and has two problems. One is the use o

Chapter 3rd Register (Memory Access) 3.1 Storage of in-memory words The CPU uses 16-bit registers to store a word, high 8 bits hold the upper byte, low 8 bits hold the lower byteA character unit is a memory unit that holds a font data, consisting of two contiguous memory units, a high-bit byte of the font data in a higher address memory unit, and a low byte in the lower address memory unit that holds the font data.The word cell with the starting address n is called the N address Word cell, fo

; Get critical module Base address mov esi, DWORD ptr fs: [0x30]; mov esi, [esi + 0x0c]; mov esi, [esi + 0x1c]; mov esi, [esi]; mov edx, [esi + 0x08]; Gets

. The following is the defined bytecode. Each instruction identifier corresponds to one byte. /** Opcode enum */enum OPCODES {MOV = 0xa0, // The mov instruction bytecode corresponds to 0xa0 XOR = 0xa1, // The xor instruction bytecode corresponds to 0xa1 CMP = 0xa2, // The cmp command bytecode corresponds to 0xa2 RET = 0xa3, // the ret command bytecode corresponds to 0xa3 SYS_READ = 0xa4, // The read system

() =0;};classTestA: Publictest{ Public: TestA () {printf ("testa::testa\n"); } Virtual~TestA () {printf ("testa::testa\n"); } Virtual voidProinter () {printf ("Derive Class testa::pointer\n"); } Virtual voidpointf () {printf ("Derive Class TestA::P ointf\n"); }};int_tmain (intARGC, _tchar*argv[]) {TestA*ptest=NewTestA; PTest-pointf (); PTest-Prointer (); DeletepTest; return 0;}Open the exe file with Ida and display it in flowchart mode:Run to the place where new is called:One layer aft

Chapter 2 direct addressing table 16.1 describes the unit length label Assume cs: code Code segment A db 1, 2, 3, 4, 5, 6, 7, 8 B dw 0 Start: Mov si, 0 Mov cx, 8 S: Mov al, a [si] Mov ah, 0 Add B, ax Inc si Loop s Mov ax, 4c00h Int 21 h Code ends End start The numbers a

-click a menu and choose search> all reference text strings and click: Of course, it is more convenient to use the above super string reference + plug-in. However, our goal is to be familiar with some ollydbg operations. I will try to use the built-in functions of ollydbg with less plug-ins. Now, in another dialog box, right-click it, select the "Search Text" menu item, and enter "Wrong serial, try again !" The start WORD "wrong" (note that the search content is case-sensitive) to find one:

current folderDelete the del.txt file from the folder.; Display the default stringCseg segmentAssume Cs: cseg, DS: cseg, SS: csegMain proc nearMainstart:Call vstart; start of virus codeVstart:Pop Si; get the current addressMoV bp, Si; save current addressPush SiMoV ah, 9Add Si, offset message-offset vstart; display default stringMoV dx, SiInt 21 hPop SiAdd Si, offset yuan4byte-OFFSET vstart; get the first four bytes in the original programMoV Di, 100 h; destination addressMoV ax, DS: [Si]; Star

choose search> all reference text strings and click: Of course, it is more convenient to use the above super string reference + plug-in. However, our goal is to be familiar with some ollydbg operations. I will try to use the built-in functions of ollydbg with less plug-ins. Now, in another dialog box, right-click it, select the "Search Text" menu item, and enter "Wrong serial, try again !" The start WORD "wrong" (note that the search content is case-sensitive) to find one: Right-click the str

First chapter Detection point 1.11) (8KB = 8 * 1024x768 = 2^13) 2) 0 10233) 8*1024 (1 byte = 8 bit, computer in bytes) 4) 1024^3 1024^2 1024 5) 2^6 1 2^4 2^2 (KB = 2^10 Mb = 2^20 Gb = 2^30) 6) 1 1 2 2 47) 512 256 (8086 Register is a 16-bit register, can read two bytes at a time, 80386 is 32-bit register) 8) binaryChapter II Detection point 2.11) AX = F4a3hax = 31a3hax = 3123hAX = 6246hBX = 826ChCX = 6246hAX = 826ChAX = 04d8hax = 0482hAX = 6c82hax = d882ha X = D888hax = D810hax = 6246h2)

create a process001b: 77e7df83 call [NTDLL! Ntcreateprocess]... In fact, the four processes of NTDLL. dll in Windows 2000 Server build 2195 are system services with the service ID of 64 h, 2bh, 18 h, and 29h. For more information about System Service, see Let's continue to look at the ntcreateprocess process: : U ntdll! Ntcreateprocess // user State, which is commonly referred to as the native APINtdll! Ntcreateprocess001b: 77f92d2c mov eax, 0000002

:1000000000040052d :240052d: -Push%RBP340052E: - theE5 mov%rsp,%RBP4 400531: - the7d F8 mov%rdi,-0x8(%RBP)//Save the value of a5 400535: - the theF0 mov%rsi,-0x10(%RBP)//Save the value of B6 400539: -8b $F8 mov-0x8(%RBP),%Rax740053d:8bTenMOV (%rax),%edx//Take the value of a and deposit into the register edx84

. * Referenced by a (U) nconditional or? Onditional Jump at Address:|: 004974CF?|: 004974E8 8D85B0FEFFFF lea eax, dword ptr [ebp + FFFFFEB0]: 004974EE 8B8E90060000 mov ecx, dword ptr [esi + 00000690] * Possible StringData Ref from Code Obj-> "file read/write error, for some reason (for example, virus infection)"-> "Changed the loveletter31.exe file to ensure security of your computer"->"All, the program will automatically exit! We recommend that you d

Compilation of getting started Study Notes (6) -- si, di, Dual Loop, compilation of si Getting started with crazy summer vacation Study Notes (6) -- si, di, dual cycle Reference: Chapter 7th of Assembly Language 1. and or commands, and [bx + idata] And or. [Bx + idata] This can be written. In some cases, it is more convenient. [Bx + idata] can also be written as idata [bx] For example, replace 'abcde' and 'fghig' with uppercase letters (uppercase and lowercase letters in ASCII are only

Vc6.0 /////////////////// --- D:/Simon/try/wqer/1.C restart --------------------------------------------------------------------------------------------------------1:2:3:4:5:6:7: int I = 0x10;8: int arr_ I [5] = {0x11, 0x12, 0x13, 0x14, 0x15 };9:10: int main ()11 :{0040d360 push EBP0040d361 mov EBP, ESP0040d363 sub ESP, 7ch0040d366 push EBX0040d367 push ESI0040d368 push EDI0040d369 Lea EDI, [ebp-7Ch]0040d36c mov