The shell check is VC ++ 6.0.Īfter shelling, track the program and try the patch. Use loadpe to transfer the memory block to the hard disk, and then import the memory block to the segment in the PE editor, note: edit the virtual address of this segment to be consistent with the virtual address of the original memory block.Ĥ. If it is allocated or changed in the hook code, this error will not occur.ģ. Why not re-allocate or change the memory block in the hook code, because I have fully transferred the decompressed code. Combined with the previous invalid IAT analysis, it is inferred that after the shell is started, some original software code is hooked after the code is decompressed, and several memory blocks are allocated for it. (The OD module shows that this memory block is not available ). For the breakpoint at the error point, the cause of the error is that the memory block is not allocated. The preliminary tracking has not found any special points.Ģ. The preliminary consideration is that there is a problem with the deleted invalid IAT. During the repair process, find the last line of invalid and delete it first. Try using the ESP law, you can directly connect to OEP, use loadpe to complete the transfer first, and then use importrec to repair IAT. Use peid to check the shell as an unknown shell.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |