shows a simple Hello World example that uses this technique., using call/pop pairs to obtain pointers to data may be incorporated into larger programs as an additional anti-reverse-engineering technique.The remaining code calls MessageBoxA ❹ to show the “Hello World!” message, and then ExitProcess ❺ to cleanly exit. This sample uses hard-coded locations for both function calls because imported functions in shellcode are not automatically resolved by the loader, but hard-coded locations make this code fragile. (These addresses come from a Windows XP SP3 box, and may differ from yours.)
To find these function addresses with OllyDbg, open any process and press CTRL-G to bring up the Enter Expression to Follow dialog. Enter MessageBoxA in the dialog and press ENTER. The debugger should show the location of the function, as long as the library with this export (user32.dll) is loaded by the process being debugged.
shows the 28-byte structure used by the fstenv and fnstenv instructions to store the state of the FPU to memory when executing in 32-bit protected mode.
shows the disassembly of another Hello World program that uses fnstenv to obtain the EIP value. is a contrived example, but it is common for shellcode to store or create function pointer arrays. We used the fldz instruction in this example, but any non-control FPU instruction can be used.This example can be executed using shellcode_launcher.exe with the following command:
shellcode_launcher.exe -i hellofstenv.bin -bp -L user32
call/pop pairs to obtain pointers to data may be incorporated into larger programs as an additional anti-reverse-engineering technique.The remaining code calls MessageBoxA ❹ to show the “Hello World!” message, and then ExitProcess ❺ to cleanly exit. This sample uses hard-coded locations for both function calls because imported functions in shellcode are not automatically resolved by the loader, but hard-coded locations make this code fragile. (These addresses come from a Windows XP SP3 box, and may differ from yours.)
To find these function addresses with OllyDbg, open any process and press CTRL-G to bring up the Enter Expression to Follow dialog. Enter MessageBoxA in the dialog and press ENTER. The debugger should show the location of the function, as long as the library with this export (user32.dll) is loaded by the process being debugged.
shows the 28-byte structure used by the fstenv and fnstenv instructions to store the state of the FPU to memory when executing in 32-bit protected mode.
fnstenv to obtain the EIP value.fldz instruction in this example, but any non-control FPU instruction can be used.This example can be executed using shellcode_launcher.exe with the following command:
shellcode_launcher.exe -i hellofstenv.bin -bp -L user32
Войти в систему
Войти с помощью соц. сетей:
