PEtite 2.x [Level 1/9] -> Ian Luck
1: A variant of the ESP rule (the "ESP law") can be used.

The program entry looks like this:

00415042 > B8 00504100 MOV EAX,KeyGen-m.00415000
00415047 68 38214000 PUSH KeyGen-m.00402138
0041504C 64:FF35 00000000 PUSH DWORD PTR FS:[0]
00415053 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0041505A 66:9C PUSHFW
0041505C 60 PUSHAD ; after single-stepping to here, applying the ESP rule gets you to the OEP quickly
0041505D 50 PUSH EAX
0041505E 33DB XOR EBX,EBX
00415060 8D90 78010000 LEA EDX,DWORD PTR DS:[EAX+178]
00415066 68 00004000 PUSH KeyGen-m.00400000
0041506B 8B0A MOV ECX,DWORD PTR DS:[EDX]
0041506D 0FBAF1 1F BTR ECX,1F
00415071 73 16 JNB SHORT KeyGen-m.00415089
00415073 8B0424 MOV EAX,DWORD PTR SS:[ESP] ; kernel32.7C817067
00415076 FD STD
00415077 8BF0 MOV ESI,EAX
00415079 8BF8 MOV EDI,EAX
0041507B 0372 04 ADD ESI,DWORD PTR DS:[EDX+4]
0041507E 037A 08 ADD EDI,DWORD PTR DS:[EDX+8]
00415081 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD >
00415083 83C2 0C ADD EDX,0C

2: Of course the last-exception method also works, but when you reach the OEP the section offset address differs slightly.

Arriving at the OEP looks like this:

00401000 . 6A 00 PUSH 0
00401002 . E8 17020000 CALL KeyGen-m.0040121E
00401007 . A3 75334000 MOV DWORD PTR DS:[403375],EAX
0040100C . 6A 00 PUSH 0 ; /lParam = NULL
0040100E . 68 2B104000 PUSH KeyGen-m.0040102B ; |DlgProc = KeyGen-m.0040102B
00401013 . 6A 00 PUSH 0 ; |hOwner = NULL
00401015 . 68 81334000 PUSH KeyGen-m.00403381 ; |pTemplate = "A1"
0040101A . FF35 75334000 PUSH DWORD PTR DS:[403375] ; |hInst = 00400000
00401020 . E8 FF010000 CALL KeyGen-m.00401224 ; /DialogBoxParamA
00401025 . 50 PUSH EAX ; /ExitCode = 7FFDF000
00401026 . E8 ED010000 CALL KeyGen-m.00401218 ; /ExitProcess
0040102B . 55 PUSH EBP ; execution is currently here; when dumping the program, enter 1000 as the OEP, otherwise the dump will not run
0040102C . 8BEC MOV EBP,ESP
0040102E . 83C4 FC ADD ESP,-4
00401031 . 817D 0C 10010000 CMP DWORD PTR SS:[EBP+C],110
00401038 . 75 6C JNZ SHORT KeyGen-m.004010A6
0040103A . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; KeyGen-m.0040102B
0040103D . A3 69334000 MOV DWORD PTR DS:[403369],EAX
00401042 . 68 F4010000 PUSH 1F4 ; /RsrcName = 500.
00401047 . FF35 75334000 PUSH DWORD PTR DS:[403375] ; |hInst = 00400000
0040104D . E8 EA010000 CALL KeyGen-m.0040123C ; /LoadIconA
00401052 . A3 7D334000 MOV DWORD PTR DS:[40337D],EAX
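Both methods above hinge on three landmarks in the listing: the PUSHAD that anchors the ESP-rule hardware breakpoint, the SEH frame the stub installs (which the last-exception method walks back from), and the OEP value the dumper needs as an offset from the image base (00401000 - 00400000 = 1000, the value the post says to enter). The following is an added example written for this page, not code from the original post or from PEtite: a small parser for OllyDbg-style listing rows that finds those landmarks automatically. It assumes the OllyDbg column layout shown in the post (address, optional `>`/`.` marker, opcode bytes with an optional prefix colon, then mnemonic and a `;` comment), and it takes the image base 00400000 from the listing itself; the sample rows are copied from the post's own disassembly.

```python
"""Pull the unpacking landmarks out of an OllyDbg-style listing of a
PEtite-packed sample: the PUSHAD behind the "ESP law", the SEH handler the
stub installs, and the VA->RVA conversion for the dumper's OEP field.
Added example for this page; not code from the original post."""
import re
from dataclasses import dataclass
from typing import List, Optional

IMAGE_BASE = 0x400000  # from the listing: PUSH KeyGen-m.00400000 / hInst = 00400000

ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
# One OllyDbg byte column: an even run of hex digits, optionally split by a
# prefix colon ("64:FF35", "66:9C", "F3:A5").
BYTE_GROUP_RE = re.compile(r"^(?:[0-9A-F]{2})+(?::(?:[0-9A-F]{2})+)?$")
TRAILING_VA_RE = re.compile(r"([0-9A-Fa-f]{8})\s*$")


@dataclass
class Instruction:
    va: int
    opcode: bytes
    text: str      # mnemonic + operands, e.g. "PUSH DWORD PTR FS:[0]"
    comment: str   # whatever followed ';'

    def norm(self) -> str:
        return " ".join(self.text.split()).upper()


def parse_line(line: str) -> Optional[Instruction]:
    """Turn '0041504C 64:FF35 00000000 PUSH DWORD PTR FS:[0]' into an Instruction."""
    code, _, comment = line.strip().partition(";")
    tokens = code.split()
    if not tokens or not ADDR_RE.match(tokens[0]):
        return None                      # blank line, prose, or a cut-off row
    va = int(tokens[0], 16)
    tokens = tokens[1:]
    if tokens and tokens[0] in {">", ".", "$"}:   # OllyDbg jump/call markers
        tokens = tokens[1:]
    raw: List[str] = []
    while tokens and BYTE_GROUP_RE.match(tokens[0].upper()):
        raw.append(tokens.pop(0))
    if not raw or not tokens:
        return None
    opcode = bytes.fromhex("".join(raw).replace(":", ""))
    return Instruction(va, opcode, " ".join(tokens), comment.strip())


def parse_listing(text: str) -> List[Instruction]:
    return [i for i in map(parse_line, text.splitlines()) if i is not None]


def find_esp_law_anchor(insns: List[Instruction]) -> Optional[int]:
    """VA of the first PUSHAD (opcode 0x60).  The ESP-rule breakpoint is a
    hardware breakpoint on access to [ESP] set right after this instruction;
    it fires when the matching POPAD restores the registers just before the
    stub jumps to the OEP."""
    for i in insns:
        if i.opcode == b"\x60" and i.norm() == "PUSHAD":
            return i.va
    return None


def find_seh_handler(insns: List[Instruction]) -> Optional[int]:
    """Detect the frame install 'PUSH handler / PUSH FS:[0] / MOV FS:[0],ESP'
    and return the handler VA; this is the handler the last-exception method
    ends up stepping out of."""
    for a, b, c in zip(insns, insns[1:], insns[2:]):
        if (a.norm().startswith("PUSH ")
                and b.norm() == "PUSH DWORD PTR FS:[0]"
                and c.norm() == "MOV DWORD PTR FS:[0],ESP"):
            m = TRAILING_VA_RE.search(a.text)
            if m:
                return int(m.group(1), 16)
    return None


def va_to_rva(va: int, image_base: int = IMAGE_BASE) -> int:
    """The OEP field of a dumper is an offset from the image base:
    00401000 - 00400000 = 1000, the value the post says to enter."""
    if va < image_base:
        raise ValueError(f"{va:#x} lies below image base {image_base:#x}")
    return va - image_base


# Sample listing: rows copied from the post's own OllyDbg output.
STUB_LISTING = """
00415042 > B8 00504100 MOV EAX,KeyGen-m.00415000
00415047 68 38214000 PUSH KeyGen-m.00402138
0041504C 64:FF35 00000000 PUSH DWORD PTR FS:[0]
00415053 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0041505A 66:9C PUSHFW
0041505C 60 PUSHAD ; ESP-rule anchor
0041505D 50 PUSH EAX
00415081 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD >
"""

OEP_VA = 0x401000  # the 'PUSH 0 / CALL ... / MOV [403375],EAX' block in the post

if __name__ == "__main__":
    insns = parse_listing(STUB_LISTING)
    print(f"PUSHAD at {find_esp_law_anchor(insns):#010x}")
    print(f"SEH handler at {find_seh_handler(insns):#010x}")
    print(f"OEP value for the dumper: {va_to_rva(OEP_VA):x}")
```

Rows that OllyDbg cut short (the `REP MOVS ... DWORD >` line) still parse because only the operand text is truncated; the byte columns stay intact. Feeding the parser a full listing rather than the trimmed sample is the same call, `parse_listing(text)`.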