18. Printable ASCII without alphanumerics (no letters, no digits): the usable bytes are 0x20–0x2F, 0x3A–0x40, 0x5B–0x60 and 0x7B–0x7E. In the table, 0x20 is the space character, 0x22 is the double quote, and 0x5C is the backslash (it renders as ¥ in Japanese-locale fonts).
0x20 0x30 0 0x40 @ 0x50 P 0x60 ` 0x70 p
0x21 ! 0x31 1 0x41 A 0x51 Q 0x61 a 0x71 q
0x22 " 0x32 2 0x42 B 0x52 R 0x62 b 0x72 r
0x23 # 0x33 3 0x43 C 0x53 S 0x63 c 0x73 s
0x24 $ 0x34 4 0x44 D 0x54 T 0x64 d 0x74 t
0x25 % 0x35 5 0x45 E 0x55 U 0x65 e 0x75 u
0x26 & 0x36 6 0x46 F 0x56 V 0x66 f 0x76 v
0x27 ' 0x37 7 0x47 G 0x57 W 0x67 g 0x77 w
0x28 ( 0x38 8 0x48 H 0x58 X 0x68 h 0x78 x
0x29 ) 0x39 9 0x49 I 0x59 Y 0x69 i 0x79 y
0x2A * 0x3A : 0x4A J 0x5A Z 0x6A j 0x7A z
0x2B + 0x3B ; 0x4B K 0x5B [ 0x6B k 0x7B {
0x2C , 0x3C < 0x4C L 0x5C \ 0x6C l 0x7C |
0x2D - 0x3D = 0x4D M 0x5D ] 0x6D m 0x7D }
0x2E . 0x3E > 0x4E N 0x5E ^ 0x6E n 0x7E ~
0x2F / 0x3F ? 0x4F O 0x5F _ 0x6F o
33. Binaryを使わずにx86を実行できるか? (Can x86 code run with no "binary" bytes at all, i.e. built only from the printable non-alphanumeric characters of the table above? This is the restricted-character-set shellcode problem.)
; Slide 33 listing (ndisasm output). Every opcode, ModRM and immediate byte is a
; printable non-alphanumeric symbol (0x20-0x2F, 0x3A-0x40, 0x5B-0x60, 0x7B-0x7E).
00000000 2540404040 and eax,0x40404040 ; 0x40404040 & 0x21212121 == 0, so this AND pair
00000005 2521212121 and eax,0x21212121 ; clears eax whatever it held (xor eax,eax = 31 C0 needs the digit byte '1')
0000000A 2D2D213D3D sub eax,0x3d3d212d ; eax = 0xC2C2DED3
0000000F 2D2A7D3B3B sub eax,0x3b3b7d2a ; eax = 0x878761A9
00000014 2D233E7B7B sub eax,0x7b7b3e23 ; eax = 0x0C0C2386
00000019 2D25607B7B sub eax,0x7b7b6025 ; eax = 0x9090C361 (in memory: 61 C3 90 90 = popad; ret; nop; nop)
0000001E 60 pushad ; pushes EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI in that order (saved EDI on top)
0000001F 5B pop ebx ; <- saved EDI
00000020 5E pop esi ; <- saved ESI
00000021 5F pop edi ; <- saved EBP
00000022 5E pop esi ; <- saved ESP (lands in esi, so esp itself is never modified)
00000023 5B pop ebx ; <- saved EBX (ebx is back to its original value)
00000024 5E pop esi ; <- saved EDX
00000025 5F pop edi ; <- saved ECX; only the saved EAX (0x9090C361) is left on the stack,
                    ; so the net effect is "push eax" with esi/edi clobbered (old edx/ecx)
00000026 2540404040 and eax,0x40404040 ; same zeroing pair again
0000002B 2521212121 and eax,0x21212121 ; eax = 0
00000030 2D2D2D2D2D sub eax,0x2d2d2d2d ; eax = 0xD2D2D2D3
00000035 2D287E2A2A sub eax,0x2a2a7e28 ; eax = 0xA8A854AB; the listing appears to continue past this slide
39. 10 characters only !
0x20 0x30 0 0x40 @ 0x50 P 0x60 ` 0x70 p
0x21 ! 0x31 1 0x41 A 0x51 Q 0x61 a 0x71 q
0x22 " 0x32 2 0x42 B 0x52 R 0x62 b 0x72 r
0x23 # 0x33 3 0x43 C 0x53 S 0x63 c 0x73 s
0x24 $ 0x34 4 0x44 D 0x54 T 0x64 d 0x74 t
0x25 % 0x35 5 0x45 E 0x55 U 0x65 e 0x75 u
0x26 & 0x36 6 0x46 F 0x56 V 0x66 f 0x76 v
0x27 ' 0x37 7 0x47 G 0x57 W 0x67 g 0x77 w
0x28 ( 0x38 8 0x48 H 0x58 X 0x68 h 0x78 x
0x29 ) 0x39 9 0x49 I 0x59 Y 0x69 i 0x79 y
0x2A * 0x3A : 0x4A J 0x5A Z 0x6A j 0x7A z
0x2B + 0x3B ; 0x4B K 0x5B [ 0x6B k 0x7B {
0x2C , 0x3C < 0x4C L 0x5C \ 0x6C l 0x7C |
0x2D - 0x3D = 0x4D M 0x5D ] 0x6D m 0x7D }
0x2E . 0x3E > 0x4E N 0x5E ^ 0x6E n 0x7E ~
0x2F / 0x3F ? 0x4F O 0x5F _ 0x6F o
40. 言語仕様書 (x86命令の10個の記号だけ) — the "language specification": the x86 instructions that remain when only these ten symbol bytes may appear in the code (% - # ) , ` [ ] _ ~); XX / XXXXXXXX stand for the immediate operand bytes.
% 25 and eax,XXXXXXXX
- 2D sub eax,XXXXXXXX
# 23 and ebp,[edi+ebx*2]   (encoded 23 2C 5F: ModRM 0x2C ',' selects ebp and a SIB byte, SIB 0x5F '_' gives edi+ebx*2)
) 29 sub [edi+ebx*2],ebp   (encoded 29 2C 5F: same ModRM/SIB, memory operand as destination)
, 2C sub al,XX
` 60 pushad
[ 5B pop ebx
] 5D pop ebp
_ 5F pop edi
~ 7E jle (jng) XX   (0x7E is JLE/JNG — jump if less or equal / not greater — not JNE, which is 0x75)
44. 乱数で生成した記号バイナリを逆アセンブル (disassembling a randomly generated string of symbol-only bytes)
; Slide 44: ndisasm output for a random string of symbol bytes read as x86 code.
00000000 293D2B283A5B sub [dword 0x5b3a282b],edi ; read-modify-write of a fixed absolute address; faults unless 0x5b3a282b is mapped writable
00000006 2C2A sub al,0x2a ; register-only arithmetic
00000008 2821 sub [ecx],ah ; memory write through ecx
0000000A 3E283B sub [ds:ebx],bh ; memory write through ebx (3E '>' is the DS segment-override prefix)
0000000D 60 pushad ; saves all eight general registers on the stack
0000000E 3D3B7C2F7C cmp eax,0x7c2f7c3b ; flags only
00000013 5F pop edi
00000014 60 pushad
00000015 2B3E sub edi,[esi] ; memory read through esi
00000017 5F pop edi
00000018 2B7D21 sub edi,[ebp+0x21] ; memory read through ebp
0000001B 5E pop esi
0000001C 3C2B cmp al,0x2b ; flags only
0000001E 3F aas ; ASCII adjust AL after subtraction (modifies al/ah and flags)
0000001F 5D pop ebp
00000020 7B25 jpo 0x47 ; 7B '{' is a conditional jump (parity odd), rel8 = 0x25 -> 0x22 + 2 + 0x25 = 0x47
00000022 2D295B7B2E sub eax,0x2e7b5b29
00000027 3C23 cmp al,0x23
使えそうな命令を探す (look through the output for instructions that can actually be put to use)
00000029 5C pop esp ; replaces esp with whatever is on top of the stack; only usable when that value is a valid stack pointer
45. 0x60 PUSHAD (`)
60 PUSHA Push AX, CX, DX, BX, original SP, BP, SI, and DI.
60 PUSHAD Push EAX, ECX, EDX, EBX, original ESP, EBP, ESI, and EDI.
Temporary = ESP;
Push(EAX);
Push(ECX);
Push(EDX);
Push(EBX);
Push(Temporary);
Push(EBP);
Push(ESI);
Push(EDI);
46. 0x61 POPAD ('a') oh! Alphabet… — 0x61 is the letter 'a', so a POPAD byte cannot appear in symbol-only code; its effect has to be obtained another way (e.g. the single-register POP opcodes listed on the next slide).
61 POPA Pop DI, SI, BP, BX, DX, CX, and AX.
61 POPAD Pop EDI, ESI, EBP, EBX, EDX, ECX, and EAX.
//Instruction == POPAD  (each line is tagged with the ASCII character of the single-register POP opcode that performs the same step)
_ EDI = Pop();
^ ESI = Pop();
] EBP = Pop();
\ ESP = ESP + 4; //skip next 4 bytes of stack: POPAD discards the saved ESP (0x5C is backslash, shown as ¥ in Japanese fonts)
[ EBX = Pop();
Z EDX = Pop(); // 0x5A 'Z' is a letter, not usable
Y ECX = Pop(); // 0x59 'Y' is a letter, not usable
X EAX = Pop(); // 0x58 'X' is a letter, not usable
47. 使えるレジスタに制限がある (the registers that can be popped are restricted: of the one-byte POP opcodes 0x58–0x5F, only 0x5B–0x5F are symbol characters)
58 pop eax; X   (letter — unusable)
59 pop ecx; Y   (letter — unusable)
5A pop edx; Z   (letter — unusable)
5B pop ebx; [
5C pop esp; \   (backslash; displayed as ¥ in Japanese fonts)
5D pop ebp; ]
5E pop esi; ^
5F pop edi; _
48. AND SUB PUSHAD POP x 7
; Slide 48: AND, SUB, PUSHAD and seven POPs — the bytes that build a "push imm32".
00000000 2540404040 and eax,0x40404040 ; 0x40404040 & 0x21212121 == 0, so this AND pair
00000005 2521212121 and eax,0x21212121 ; clears eax whatever it held (xor eax,eax = 31 C0 needs the digit byte '1')
0000000A 2D2D213D3D sub eax,0x3d3d212d ; eax = 0xC2C2DED3
0000000F 2D2A7D3B3B sub eax,0x3b3b7d2a ; eax = 0x878761A9
00000014 2D233E7B7B sub eax,0x7b7b3e23 ; eax = 0x0C0C2386
00000019 2D25607B7B sub eax,0x7b7b6025 ; eax = 0x9090C361 (in memory: 61 C3 90 90 = popad; ret; nop; nop)
0000001E 60 pushad ; pushes EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI in that order (saved EDI on top)
0000001F 5B pop ebx ; <- saved EDI
00000020 5E pop esi ; <- saved ESI
00000021 5F pop edi ; <- saved EBP
00000022 5E pop esi ; <- saved ESP (lands in esi, so esp itself is never modified)
00000023 5B pop ebx ; <- saved EBX (ebx is back to its original value)
00000024 5E pop esi ; <- saved EDX
00000025 5F pop edi ; <- saved ECX; only the saved EAX (0x9090C361) is left on the stack,
                    ; so the net effect is "push eax" with esi/edi clobbered (old edx/ecx)
PUSH dword 0x???????? 相当のx86コード (x86 code equivalent to PUSH dword imm32: the two ANDs zero EAX, the four SUBs set it to the wanted value — 0x9090C361 in this listing — and PUSHAD followed by seven POPs leaves exactly that EAX value on top of the stack, at the cost of clobbering esi and edi)