Home > Cloud Computing > Cloud Security

IAT encryption manual search (iawen)

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Old articles in the past are available today. Let's move them together!
For the sample, see the attachment!

The PEid shell display is: Microsoft Visual C ++ 6.0
However, after loading with OD, a prompt is displayed:


After confirmation, the OD stops:

0103B070> 55 push ebp
0103B071 8BEC mov ebp, esp
0103B073 6A FF push-1
0103B075 68 FC424000 push 4042FC
0103B07A 68 04214000 push 402104
0103B07F 64: A1 00000000 mov eax, dword ptr fs: [0]
0103B085 50 push eax
0103B086 64: 8925 00000000 mov dword ptr fs: [0], esp
0103B08D 83EC 58 sub esp, 58
0103B090 53 push ebx
0103B091 56 push esi
0103B092 57 push edi
0103B093 8965 E8 mov dword ptr ss: [ebp-18], esp
0103B096 FF15 A0B00301 call dword ptr ds: [103B0A0]; unpackme1_103b0a4

Ctrl + G to: VirtualAlloc, broken at the end of the section:
7C809A64 E8 09000000 call kernel32.VirtualAllocEx
7C809A69 5D pop ebp
7C809A6A C2 1000 retn 10 =========== disconnected under this F2

F9 runs. After 7 interruptions, the breakpoint is canceled. when F7 enters, it comes:
01015F2A A3 F8850201 mov dword ptr ds: [10285F8], eax
01015F2F 8B15 F4850201 mov edx, dword ptr ds: [10285F4]
01015F35 C702 0D661900 mov dword ptr ds: [edx], 19660D
01015F3B A1 F8850201 mov eax, dword ptr ds: [10285F8]
01015F40 C700 5FF36E3C mov dword ptr ds: [eax], 3C6EF35F
01015F46 C745 EC 00000000 mov dword ptr ss: [ebp-14], 0
01015F4D C745 FC 00000000 mov dword ptr ss: [ebp-4], 0
01015F54 68 pushed 2e00 push 2E0000
01015F59 E8 40 FCFFFF call unpackme%1015b9e

Ctrl + G again to: LoadLibraryA, broken at the end of the section:
7C801D9C FF75 08 push dword ptr ss: [ebp + 8]
7C801D9F E8 ABFFFFFF call kernel32.LoadLibraryExA
7C801DA4 5E pop esi
7C801DA5 5B pop ebx
7C801DA6 5D pop ebp
7C801DA7 C2 0400 retn 4 ============================== disconnected under this F2

After the breakpoint is canceled, the following message is returned:
0102159E 8945 F0 mov dword ptr ss: [ebp-10], eax
010215A1 837D F0 00 cmp dword ptr ss: [ebp-10], 0
010215A5 75 16 jnz short unpackme%10215bd

Continue to find the end of the paragraph:
010216CC 68 64760201 push unpackme%1027664; ASCII "WriteFile"
010216D1 FF75 FC push dword ptr ss: [ebp-4]
010216D4 FF75 F8 push dword ptr ss: [ebp-8]
010216D7 E8 90 FCFFFF call unpackme%10%6c
010216DC 83C4 0C add esp, 0C
010216DF 8945 E0 mov dword ptr ss: [ebp-20], eax
010216E2 837D E0 00 cmp dword ptr ss: [ebp-20], 0
010216E6 74 08 je short unpackme%10216f0
010216E8 8B45 E0 mov eax, dword ptr ss: [ebp-20]
010216EB A3 3C870201 mov dword ptr ds: [102873C], eax
010216F0 C9 leave
010216F1 C3 retn =================== disconnected under this F2

After F9 is interrupted, the breakpoint is canceled and F7 enters:
01021552 83C4 0C add esp, 0C
01021555 68 F0550201 push unpackme%10255f0; ASCII "oleaut32.dll"
0102155A 6A 02 push 2
0102155C 68 A8830201 push unpackme%10283a8
01021561 E8 13000000 call unpackme%1021579
01021566 83C4 0C add esp, 0C
01021569 68 AC550201 push unpackme%10255ac & n

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
manual search iat certification iat ii certification iat ii certifications disc encryption chap encryption bcrypt encryption
Related Article
How does personal cloud security guarantee data security?
Model-driven cloud security-automating cloud security with cl...
Cloud security to achieve effective prevention of the future ...
Focus on three major cloud security areas, you know?
Decrypting Cisco type 5 password hashes
Using redis to write webshell

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More