http://www.hackerschool.org/HS_Boards/zboard.php?id=HS_Translate&no=83
Other things aside, he talks way too fast..... ㅠㅠ
I'm late posting on this topic and there are a lot of blanks... anyway, here is the first draft of the translation.
0:00
we just put the breakpoint in front of it, and just punching it, trust him
We set a breakpoint in front of this. *****, *****
you're setting the earlier breakpoint that you said
Set the breakpoint that was mentioned earlier. (?)
and you slop her deyoda for proportion
**********
so we just opt intros on the jump
(interpreted by feel) We found the jump that goes to the very beginning (intro)
and we freeze single step once, we're right inside
If we go one step further, we land inside.
00:40
and so pogging underaround
********
everything is a "back to near loop"
Everything is back to near loop(?).
so go get just a make a memory dump
Now make a memory dump.
of bafter ground
*******
we're going to use a Import Reconstructor
We are going to use a program called "Import Reconstructor"
because it's a very nice tool
because it is a very good tool.
1:00
process number and a (impor triple striptor)
When you enter the process number and ****
so we (just a actual) process
******
(Why are the words so strange here... I don't know what triport, porphia mean)
we have to write up (triport) here
******
which is a several 4 for porphia
******
press "IAT autosearch"
Press the IAT autosearch button.
so it's a, searching for IAT import table,
Then it searches for the IAT import table.
and we've(?) get to import
******
so we have **** imported through dlls and function right here
Now the dlls and functions have been imported.
so i'm going to make a dump, all the process,
I'll make a dump of the whole process.
(go right)
1:50
ends endless feesee info takler
******????
jumped up, everything is (ripple shripped into a no reges dots, stuck you care on it)
We jumped here. Everything is ********
2:05
and we get the grows of deriving ******** (meeyour, my roo..)
********** (?)
thank you
Thank you
(i didn't you donno)
couple quick points there
There are a few points I'd like to point out.
if you used import reconstructor before we,
If you have used import reconstructor,
be aware that it doesn't always leave a perfectly working executable immediately
it does not immediately produce a perfectly working executable.
they have to do *****(echwi)******** sinces faces of washes code
You have to do ~~~~~~.
help you creating (ferfrep) that may not actually run
It produces an executable that does not actually run. (?)
instead, ah, what i'm gonna ****(introduce?) is, it is now easily analyzed in ida-pro,
Instead, **** now, at this point the executable can easily be analyzed in ida-pro.
so as you seen before, when i try to load it up, i wouldn't get the very good.. ******** (->don't efeckers is looking into quickter's code)
As you saw earlier, when trying to load this, we don't get a very good **********.
but nichole find out was that, this was looks like it was first tab
But what nichole found out is that this looks like first tab, but
ifewer px and aelviyoda quicter run on a so lu's actually two
????????????????????????, it's actually two. (?)
3:00
may have **** noticed two different places for of you separate points and cocked(talked) out
*******
ahm, it's quite good, the main reason why **** (ka kei) to do this that
That part is good. *********
you just did that in, a know what 10 minutes,
It only took you 10 minutes to do that,
everyone took him few minutes longer than that
and the others took only a little longer than 10 minutes.
and you get that for real for the first time (that's for days) so..
***********
very lucky to have him to demonstrate to you via **** of these
I think we're very lucky that he (Nichole?) has demonstrated the analysis to you through ****.
if you noticed **** slides, there's pretty lame,
As you'll see if you look at the *** slides, ****
discussion on how i used to do a bad thing,
there is a discussion of how I used to do bad things(?).
yeah, and a good place ****, with this actually we getting slides to the conference garge you can download
*******
3:40
i'll come little over talk *** trying go through quickly see you guys ** launch here
unloading FV , now nofect, executable,
and a *** hotload 201 here
yeah i'm go right from my don before
didn't complain about the imports table (at top), that's a good sign
Don't complain about the import table at the top. That means something good.
yeah, you see we actually have "local ****(saico) real WinMain"
Here we can see the real WinMain function.
and I prose(?) finding lots and lots of executable code
Now ***** we've found lots of executable code.
so, again (polly take it over, ok)
(Polly, take it, okay.)
so, its, i'm gonna see if i can see the structure (ppinollia)
this is still quite busy but it's far far better ******* in terms of
There's still a lot left to do, but doing it this way is far better than ******.
Hit : 2010 Date : 2011/08/03 06:20