   neb91
   Part 9 dictation

http://www.hackerschool.org/HS_Boards/zboard.php?id=HS_Translate&no=93


Sorry.. on top of being late, it isn't even translated..

and it's not as if it's 100% complete either..

I'm just posting it as is, since if I took any longer you might think I had gone silent.. T_T

Translation.. anyone willing to take it on.... T_T sorry T_T

==========================================

um... we can have a look at the first section.


And is the first section characteristics is irregular.


Maybe..umm.. ugh there is a background going to open that's first section,


so we need to have write access to it.


um... we cannot look at the first section rawsize


and...um... is ugh.. the file is FAT.


the physical size of the first section is null,


because the null and the FAT to that section.


we can also have a look at the last section as a..


as a Entry Point.. sorry,


And ugh.. Entry Point starting in the last section.


It's means that ugh.. something has happened to the program,


because usually the program stops at the first section.


It can also be a virus.


ugh.. we can also check the section names


and we can find something like **** section names


or um.. aspect sections.


So sometimes it gives you an idea of the record review.


We can also checks Import Table.


And if there is a very few important functions,


it might be because there is a background import table.


And those **** program import table so it might be packed.


we can also check for strings,


ugh.. usually packers um..


pack up the data section


where we find **** strings,


so if you find those strings as well


maybe it's a file ***.


Unless *** is a looking at the Raw Size and..


it in a file that has been packed


so..the physical size is going to be smaller that the **** size.


So, um...


we can see the Entry Point **** ***


and we can see that it's the last section **** address.


You can also see that's the Raw Size is blue here


so this file must not have been packed.


And with this example,


if you look at the last section the Raw Size section here


you can see the characteristic and um..


the last section is executable.


Raw Size sections are usually not executable


so it might be a hint that's the file has been packed.


So now the basic unpacking method


we have to find the original Entry Point first


and this is the *** of the *** program.


So a few ways to find the original Entry Point is to trace until you jump to the real program.


You can also use a static disassembly


***** jump to the first section or


um.. hint to jump to the first section.


Or you can use ********* smart hardware break points.


And you can also use a API functions break point.


Because umm...ugh.. computer programs like c++ programs


are going to use a start up API functions ***


at the Entry Points


where you can adjust the break point of these functions


and... **** program


adjust so you can ****


if you are at the Entry Point.


Once you have found the Entry Point


we have to *** the process to authorized ********


there should have program.


As then you have to Reconstruct import table


so we have a few ways to do it.


You can trust the packer and find ***


the Import Access Table is being ****


and ugh.. *** information or um..


attach to packers represents originate functions.


or if you are lazy you can use a *** tool


is called Import Reconstructor


to ugh.. reconstruct the Import table automatically.


So we are going to do a demonstration *********


So *** *** the program **** packed it **** Entry Points


I'm going to do it **** and hope that ********* effect.


"He's using my laptop for this step of course."


==================================

Parts in the middle that were spoken away from the microphone are also marked with **. They were completely inaudible..

The pronunciation is.. close to French, so I'm not sure whether the dictation is even accurate.

Sorry once again.. T_T

  Hit : 2297     Date : 2011/08/26 02:04
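
The header checks mentioned in the dictation above (writable first section, first section with raw size 0, entry point in the last section, executable last section), as an added Python example that is not part of the original post or the talk. The names `parse_pe`, `packing_hints` and `build_sample` and both sample images are constructed for illustration.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_* flags

def parse_pe(data):
    """Return (entry point RVA, section list) read from raw PE bytes."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]   # AddressOfEntryPoint
    secs = []
    for i in range(nsec):                                     # 40-byte section headers
        name, vsize, va, raw, _ptr, flags = struct.unpack_from(
            "<8sIIII12xI", data, pe + 24 + opt_size + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode("latin-1"),
                     "vsize": vsize, "va": va, "raw": raw, "flags": flags})
    return entry, secs

def packing_hints(data):
    """Apply the header checks from the talk; each hit is a hint, not proof."""
    entry, secs = parse_pe(data)
    first, last = secs[0], secs[-1]
    hints = []
    if first["flags"] & MEM_WRITE:
        hints.append("first section is writable")
    if first["raw"] == 0 and first["vsize"] > 0:
        hints.append("first section has raw size 0")
    if len(secs) > 1:
        if last["va"] <= entry < last["va"] + max(last["vsize"], last["raw"]):
            hints.append("entry point is in the last section")
        if last["flags"] & MEM_EXECUTE:
            hints.append("last section is executable")
    return hints

def build_sample(entry, sections):
    """Constructed headers-only PE32 image; sections = (name, vsize, va, raw, flags)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H14xI", 0x10B, entry) + bytes(0xE0 - 20)
    table = b"".join(struct.pack("<8sIIII12xI", n, vs, va, raw, 0x400, fl)
                     for n, vs, va, raw, fl in sections)
    return dos + coff + opt + table

# Constructed samples: one laid out like a packed file, one like a normal build.
PACKED = build_sample(0x6000, [(b".sec0", 0x5000, 0x1000, 0, 0xE0000020),
                               (b".sec1", 0x1000, 0x6000, 0x600, 0xE0000020)])
PLAIN = build_sample(0x1000, [(b".text", 0x2000, 0x1000, 0x2000, 0x60000020),
                              (b".data", 0x1000, 0x3000, 0x200, 0xC0000040)])
```

`packing_hints(PACKED)` reports all four hints and `packing_hints(PLAIN)` reports none; the import-table and string checks from the talk are not covered here.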



    
멍멍 Thank you for your hard work~! 2011/08/26  
1234qwert so..the physical size is going to be smaller that the ****(actual) size. I think it's this 2011/09/09  
1234qwert and this is the ***(start) of the ***(packed) program. 2011/09/09  
1234qwert *****(and look to the) jump to the first section or 2011/09/09  
1234qwert we have to ***(have) the process to authorized ********(to pack) 2011/09/09  
1234qwert and ugh.. ***(grab) information or um.. 2011/09/09  
1234qwert or if you are lazy you can use a ***(nice) tool 2011/09/09  
1234qwert So ***(this is the packed) the program ***(, the program isn't packed) Entry Points 2011/09/09  
1234qwert And those ****(real) program import table so it might be packed. 2011/09/09  
1234qwert Unless[another] ***(thing) is a looking at the Raw Size and.. 2011/09/09  
1234qwert where we find ****(data) strings

maybe it's a file (packed)***.
2011/09/09  
1234qwert we can see the Entry Point **** ***(here) 2011/09/09  
1234qwert and we can see that it's the last section ****(actual) address. 2011/09/09  