1. Shell (packer) inspection: the binary turns out to be packed with UPX.
2. Loaded it into IDA and found that it needs to be unpacked first.
A digression: a summary of manual unpacking with the ESP law. (It works because UPX saves all registers with pushad at the packer's entry and restores them with popad right before jumping to the original entry point, so a hardware breakpoint on the saved-register area on the stack fires just before that jump.)
1. Single-step (F8 in OllyDbg) until only ESP is highlighted in red in the register window, then right-click ESP and choose "Follow in Dump".
2. In the dump window, select the first bytes at that address and set a hardware breakpoint on access; byte, word or dword all work.
3. Press F9 to run. When the breakpoint hits, you are a few instructions before a large jump (the tail jump into the original code); after that jump you are at the OEP.
4. If you see a jump going upward (a loop), use F4 (run to selection) on the instruction below it.
5. Dump the process with OD's built-in dump plugin; do one dump with "rebuild imports" selected and one without.
6. Unpacking is done.
Then I couldn't unpack it manually, and I remembered the earlier attack-and-defense problem: there is a tool, upx -d, that solves it. I tried it and found that cmd couldn't find the command. It took a long time before a tool from a master unpacked it successfully.
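As an added example (not from the original writeup), here are the packer check and the upx -d step scripted in Python: a minimal PE section-table walker that flags the default UPX0/UPX1 section names and the UPX! magic, plus a wrapper around upx -d that reports the "command not found" case separately. The sample PE bytes are constructed inside the script and never run; the function names are my own.

```python
#!/usr/bin/env python3
"""Detect a UPX-packed PE by its section table / magic, then try `upx -d`."""
import shutil
import struct
import subprocess
import sys
from typing import List, Optional

# Default section names written by an unmodified UPX build, and the magic
# string stored in UPX's own packed header (upx -d refuses to run without it).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"


def pe_section_names(data: bytes) -> List[bytes]:
    """Return the section names of a PE image, or [] if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + i * 40                              # each header is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX section names, or the UPX! magic anywhere in the file."""
    if set(pe_section_names(data)) & UPX_SECTION_NAMES:
        return True
    return UPX_MAGIC in data


def unpack_with_upx(path: str) -> Optional[bool]:
    """Run `upx -d` on path. None = upx not on PATH (the 'command not found'
    case), True = unpacked in place, False = upx refused (e.g. modified header)."""
    exe = shutil.which("upx")
    if exe is None:
        return None
    result = subprocess.run([exe, "-d", path], capture_output=True, text=True)
    return result.returncode == 0


def build_fake_pe(section_names: List[bytes]) -> bytes:
    """Constructed sample: a minimal, non-runnable PE header with the given
    section table, used only to exercise the detector offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, three zero fields, SizeOfOptionalHeader=0
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(target, "rb").read() if target else build_fake_pe([b"UPX0", b"UPX1", b".rsrc"])
    print("sections:", pe_section_names(data))
    if not looks_upx_packed(data):
        print("no UPX signs; try a manual (ESP-law) unpack instead")
    elif target:
        status = unpack_with_upx(target)
        print({None: "upx not on PATH", True: "unpacked", False: "upx -d failed"}[status])
```

Usage: python upxcheck.py sample.exe. The None result is exactly the "cmd couldn't find the command" situation: the upx binary (from upx.github.io) must be on PATH. A challenge author who renames the UPX0/UPX1 sections or patches the UPX! magic defeats both this heuristic and upx -d, which is when the manual ESP-law route from the digression is the fallback.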
3. Loaded the unpacked binary into IDA for static analysis.
The flag is stored in plain text, so it can be read directly. A really happy new year!!! 2333
flag{HappyNewYear!}