A question that may be relatively easy for you, but I am not clear about it: static and dynamic program code

Time: 09-22

As we all know, every EXE program has various segments, such as the executable code (TEXT), resources, data, and so on. When the code is not running I think it is called static code; when it is running, the system allocates space and the segments are distributed across different address spaces. The EXE program has a CALL to a function. When I step into it and debug the disassembly of that function's code (in hexadecimal), I then search for it in the code of the static EXE program (opened with WINHEX), but no matter what I cannot find the code; sometimes I search for just a few bytes and still cannot find them. Can you explain why I can't find it? I know that the operands of some instructions change after the EXE is loaded into memory, so I try as far as possible to search only on the opcodes, but it is still hard to find anything. Please give me some direction, thank you!

CodePudding user response:

Does it have a shell (packer) or encryption?

CodePudding user response:

Not a string search! It is a binary search!

CodePudding user response:

Search for the machine code (not for "JNC xx").

CodePudding user response:

A shell (packer) or a virtual machine.

CodePudding user response:

Yes, it is a machine code search; the hexadecimal code from the disassembly. On the other hand, it is a simple MFC-compiled EXE, with no optimizations, written by myself, with no shell (packer).

CodePudding user response:

Then can you locate the CALL in the DLL's address space, outside the EXE, set a breakpoint there and look at the CALL stack?

CodePudding user response:

"Yes, it is a machine code search; the hexadecimal code from the disassembly"
"Hexadecimal code" is not the machine code; go back to base 2.

CodePudding user response:

You need to search for the binary value of the code, namely the machine code, rather than the assembly code.

CodePudding user response:

Please use "IDA", the Interactive DisAssembler.

CodePudding user response:

Quote from floor 7, schlafenhamster's reply:
"Yes, it is a machine code search; the hexadecimal code from the disassembly"
"Hexadecimal code" is not the machine code; go back to base 2.

I don't know why, but recently I often cannot post.
For example, if the code I see in memory is:
8b f4 6a 15 9c 7c 33 01 00 ff 3b f4 e8 38 dc, I cannot search with this.

CodePudding user response:

"Assuming the code seen in memory is: 8b f4 6a 15 9c 7c 33 01 00 ff 3b f4 e8 38 dc,"
It should be 0x8b (139, which is one byte), whereas "8b" is a string, which is 2 bytes: 0x38 0x42.
WINHEX converts the binary into Hex format for display;
what you see in memory has already been converted to Hex.

CodePudding user response:

Too short.

CodePudding user response:

Quote from floor 11, schlafenhamster's reply:
"Assuming the code seen in memory is: 8b f4 6a 15 9c 7c 33 01 00 ff 3b f4 e8 38 dc,"
It should be 0x8b (139, which is one byte), whereas "8b" is a string, which is 2 bytes: 0x38 0x42.
WINHEX converts the binary into Hex format for display;
what you see in memory has already been converted to Hex.

Memory is actually binary; the debugger just displays it in hexadecimal (HEX) form, and WINHEX also uses HEX to display it. When I search, I search with HEX, not with a string.


Quote from floor 12, zhao4zhong1's reply:
"Too short."

I tried again. Sometimes I search for just seven or eight bytes, since searching for too few is not good, and I repeat the search, but still find nothing more.

CodePudding user response:

Running code is ultimately generated in binary form, machine code like 0xaa 0xff. The reason should be this: if there is no static code, or the code is encrypted, or protected by a virtual-machine shell (packer) such as VMProtect, then you cannot find the original code by searching.
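As an added example that is not part of the original thread, the following Python script shows the two points raised in the replies above: the bytes seen in the debugger must be searched as bytes, not as the hex text ("8b 35" as text is 0x38 0x62 0x20 ...), and operand bytes that hold absolute addresses are patched by the loader when a 32-bit image is relocated, so those bytes differ between memory and the file on disk while the opcodes and relative displacements stay the same. Masking the patched operand with wildcards makes the search succeed. A small helper also maps a virtual address back to a file offset through a section table, which is what a hex editor needs since it works with file offsets, not virtual addresses. All byte sequences, section entries and addresses below are constructed sample data and assume an x86 (32-bit) image; they are not bytes from the poster's program.

```python
from typing import List, Optional, Tuple

WILDCARD = -1  # marks a pattern position that matches any byte


def parse_pattern(text: str) -> List[int]:
    """Parse a debugger-style pattern such as "8B 35 ?? ?? ?? ?? E8" into a
    list of byte values, with WILDCARD (-1) for every "??" position."""
    out: List[int] = []
    for tok in text.split():
        if tok in ("??", "?"):
            out.append(WILDCARD)
        else:
            out.append(int(tok, 16))  # raises ValueError on non-hex tokens
    return out


def find_pattern(haystack: bytes, pattern: List[int], start: int = 0) -> Optional[int]:
    """Return the offset of the first match of pattern in haystack, or None.
    Plain byte-by-byte scan; wildcards match any byte."""
    n = len(pattern)
    for i in range(start, len(haystack) - n + 1):
        for j, p in enumerate(pattern):
            if p != WILDCARD and haystack[i + j] != p:
                break
        else:
            return i
    return None


# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
Section = Tuple[str, int, int, int, int]


def va_to_file_offset(va: int, image_base: int, sections: List[Section]) -> Optional[int]:
    """Translate a virtual address (as shown by a debugger) to the raw file
    offset a hex editor would use, via the PE section table."""
    rva = va - image_base
    for _name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    return None  # address is not backed by any section (e.g. heap, stack)


# --- constructed sample data (not from a real program) ----------------------
# Code as it sits in the file, linked for ImageBase 0x00400000:
#   8B 35 10 30 40 00   mov esi, dword ptr [0x00403010]  (absolute, relocated)
#   6A 15               push 0x15
#   E8 38 DC 00 00      call rel32                        (relative, unchanged)
FILE_IMAGE = bytes.fromhex("90 90 8b 35 10 30 40 00 6a 15 e8 38 dc 00 00 c3")

# The same code after the loader relocated the image to 0x00560000: the
# absolute address 0x00403010 became 0x00563010, i.e. bytes 10 30 56 00.
MEMORY_IMAGE = bytes.fromhex("90 90 8b 35 10 30 56 00 6a 15 e8 38 dc 00 00 c3")

# Constructed section table for the sample image.
SECTIONS: List[Section] = [
    (".text", 0x1000, 0x2000, 0x400, 0x2000),
    (".data", 0x3000, 0x1000, 0x2400, 0x1000),
]


def exact_search_fails() -> bool:
    """The exact bytes copied from memory are NOT found in the file image,
    because the relocated operand differs."""
    return find_pattern(FILE_IMAGE, list(MEMORY_IMAGE[2:15])) is None


def string_search_is_wrong() -> bool:
    """Searching for the hex *text* looks for ASCII digits, not machine code."""
    return find_pattern(FILE_IMAGE, list(b"8b 35")) is None


def wildcard_search_offset() -> Optional[int]:
    """Mask the 4-byte absolute operand with ??: the pattern now matches."""
    pat = parse_pattern("8B 35 ?? ?? ?? ?? 6A 15 E8 38 DC 00 00")
    return find_pattern(FILE_IMAGE, pat)


if __name__ == "__main__":
    print("exact bytes from memory found in file:", not exact_search_fails())
    print("hex text found in file:", not string_search_is_wrong())
    print("wildcard pattern found at file offset:", wildcard_search_offset())
    print("VA 0x00401234 -> file offset", hex(va_to_file_offset(0x00401234, 0x00400000, SECTIONS)))
```

When searching a real EXE, take the pattern from the disassembler's byte column, replace every 4-byte operand that a relocation entry points at (or that the disassembler shows as an absolute address) with `??`, and search the file from the offset returned by `va_to_file_offset` rather than from the virtual address.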

CodePudding user response:

typedef unsigned char BYTE;   // as defined in <windows.h>

// Convert one hex digit character ('0'-'9', 'a'-'f', 'A'-'F') to its value
BYTE HexValue(BYTE a)
{
    a -= 48;              // '0' = 0x30
    if (a > 32) a -= 32;  // 'a' = 0x61: fold lower case onto upper case
    if (a > 9)  a -= 7;   // 'A' = 0x41
    return a;
}

// "8b" = 139
BYTE Hex2Bytes(BYTE s[2])
{
    BYTE v = 0;
    for (int ii = 0; ii < 2; ii++)
    {
        v <<= 4;
        v += HexValue(s[ii]);
    }
    return v;
}