Yi Language (Easy Language) is a scripting language; it works by wrapping its functionality in an encapsulated form.
Before version 5.0 it used the compilation mode of the Easy Language development environment; it also supports C++ compilation.
It is mainly used for programming in Chinese and is very popular with beginners, so I recommend that everyone learn it here.
Yi Language is like a person wearing clothes: if you want to see what is inside, you first have to take the clothes off. The same goes for the kind of shell (packer) it is wrapped in.
00445151 >/$ 55 push ebp
00445152 |. 8BEC mov ebp,esp
00445154 |. 6A FF push -0x1
00445156 |. 68 70AD4600 push 1111.0046AD70
0044515B |. 68 5C994400 push 1111.0044995C
00445160 |. 64:A1 0000000>mov eax,dword ptr fs:[0]
00445166 |. 50 push eax
00445167 |. 64:8925 00000>mov dword ptr fs:[0],esp
0044516E |. 83EC 58 sub esp,0x58
00445171 |. 53 push ebx
00445172 |. 56 push esi
00445173 |. 57 push edi ; ntdll.7C930738
00445174 |. 8965 E8 mov [local.6],esp
Binary search: Easy Language is easy to identify by the byte sequence FC DB E3.
Once the program is running, open the executable modules window (Alt+E), select the user module, and run a binary search for that sequence.
004198A1 59 pop ecx
004198A2 49 dec ecx
004198A3 ^ 75 EB jnz short six-open squeezing line.00419890
004198A5 E8 A8000000 call six-open squeezing line.00419952
004198AA 83C4 04 add esp,0x4
004198AD 8B1D 18754C00 mov ebx,dword ptr ds:[0x4C7518]
004198B3 85DB test ebx,ebx
004198B5 74 09 je short six-open squeezing line.004198C0
004198B7 53 push ebx
004198B8 E8 95000000 call six-open squeezing line.00419952
004198BD 83C4 04 add esp,0x4
004198C0 8B1D 1C754C00 mov ebx,dword ptr ds:[0x4C751C]
004198C6 53 push ebx
004198C7 E8 86000000 call six-open squeezing line.00419952
004198CC 83C4 04 add esp,0x4
004198CF 8B1D 20754C00 mov ebx,dword ptr ds:[0x4C7520]
004198D5 53 push ebx
004198D6 E8 77000000 call six-open squeezing line.00419952
004198DB 83C4 04 add esp,0x4
004198DE 8B1D 24754C00 mov ebx,dword ptr ds:[0x4C7524]
004198E4 85DB test ebx,ebx
004198E6 74 09 je short six-open squeezing line.004198F1
004198E8 53 push ebx
004198E9 E8 64000000 call six-open squeezing line.00419952
004198EE 83C4 04 add esp,0x4
004198F1 8B1D 30754C00 mov ebx,dword ptr ds:[0x4C7530]
004198F7 53 push ebx
004198F8 E8 55000000 call six-open squeezing line.00419952
004198FD 83C4 04 add esp,0x4
00419900 8B1D 34754C00 mov ebx,dword ptr ds:[0x4C7534]
00419906 53 push ebx
00419907 E8 46000000 call six-open squeezing line.00419952
0041990C 83C4 04 add esp,0x4
0041990F C3 retn
00419910 B8 06000000 mov eax,0x6
00419915 E8 32000000 call six-open squeezing line.0041994C
0041991A FC cld
0041991B DBE3 finit
0041991D E8 33FDFFFF call six-open squeezing line.00419655
00419922 68 F1974100 push six-open squeezing line.004197F1
00419927 B8 03000000 mov eax,0x3
0041992C E8 1B000000 call six-open squeezing line.0041994C
00419931 83C4 04 add esp,0x4
00419934 E8 E5E8FFFF call six-open squeezing line.0041821E
00419939 E8 C676FEFF call six-open squeezing line.00401004
0041993E E8 03000000 call six-open squeezing line.00419946
00419943 33C0 xor eax,eax
00419945 C3 retn
00419946 FF25 64AA4900 jmp dword ptr ds:[0x49AA64]
0041994C FF25 6CAA4900 jmp dword ptr ds:[0x49AA6C]
00419952 FF25 5CAA4900 jmp dword ptr ds:[0x49AA5C]
00419958 FF25 54AA4900 jmp dword ptr ds:[0x49AA54]
0041995E FF25 48AA4900 jmp dword ptr ds:[0x49AA48]
00419964 FF25 4CAA4900 jmp dword ptr ds:[0x49AA4C]
0041996A FF25 50AA4900 jmp dword ptr ds:[0x49AA50]
00419970 FF25 40AA4900 jmp dword ptr ds:[0x49AA40]
00419976 FF25 3CAA4900 jmp dword ptr ds:[0x49AA3C]
0041997C FF25 44AA4900 jmp dword ptr ds:[0x49AA44]
00419982 FF25 58AA4900 jmp dword ptr ds:[0x49AA58]
The code above is what is known as Yiyuan.
First, let us rank the network verification systems by strength.
The first, of course, is Cocoa Verification; it is used in most DNF plug-ins.
Piaoling Network Verification: early versions of Piaoling could be copied from the management side.
CC Network Verification: relatively simple, but the author is quite cheap, and the original CC comes with a grid code.
Xiaofan's Network Verification: simpler still, with database vulnerabilities.
Once we have identified which network verification is the more common one, we can first try to find a shell-free version and then apply the same idea.
UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo
When no additional data is shown, this can be taken to mean the file was packed with that version as-is, that is, without a custom shelling tool.
UPX is of course relatively simple and has an automatic unpacker. If it is VMP, however, it hurts: you can only hold your JJ and cry.
After a program has been unshelled, the first step should not be to run it to see whether it works, because if the protection is still live you will die on the spot.
Now, hands on.
0041CF7B . 50 push eax ; /Style = MB_OKCANCEL|MB_APPLMODAL
0041CF7C . 52 push edx ; |Title = ""
0041CF7D . 51 push ecx ; |Text = "?"
0041CF7E . 6A 00 push 0x0 ; |hOwner = NULL
0041CF80 . FF15 18754900 call dword ptr ds:[<&user32.MessageBoxA>] ; \MessageBoxA
0041CF86 . 5F pop edi
0041CF87 . 83F8 03 cmp eax,0x3 ; Switch (cases 2..7)
0041CF8A . 5E pop esi
0041CF8B . 75 0F jnz short six-open squeezing line.0041CF9C ; when we get here
0041CF8D . 8B4C24 68 mov ecx,dword ptr ss:[esp+0x68] ; Case 3 of switch 0041CF87
0041CF91 . B8 02000000 mov eax,0x2
0041CF96 . 8901 mov dword ptr ds:[ecx],eax
0041CF98 . 83C4 64 add esp,0x64
0041CF9B . C3 retn
When we return here, every Easy Language program stops at this position; of course, this applies only to the message box.
Modify the Z flag so the jump is not taken, or single-step through it several times.
00415728 > \6A 00 push 0x0
0041572A . 6A 00 push 0x0
0041572C . 6A 00 push 0x0
0041572E . 68 01030080 push 0x80000301
00415733 . 6A 00 push 0x0
00415735 . 68 00000100 push 0x10000 ; UNICODE "=::=::\"
0041573A . 68 04000080 push 0x80000004
0041573F . 6A 00 push 0x0
00415741 . 68 84D64900 push six-open squeezing line.0049D684
00415746 . 68 03000000 push 0x3
0041574B . BB E0CE4100 mov ebx, six-open squeezing line.0041CEE0
00415750 . E8 09420000 call six-open squeezing line.0041995E
00415755 . 83C4 28 add esp,0x28
----
004156A5 . 68 02000080 push 0x80000002
004156AA . 6A 00 push 0x0
004156AC . 68 00000000 push 0x0
004156B1 . 6A 00 push 0x0
004156B3 . 6A 00 push 0x0
004156B5 . 6A 00 push 0x0
004156B7 . 68 01000100 push 0x10001
004156BC . FF35 D4744C00 push dword ptr ds:[0x4C74D4]
004156C2 . FF35 D0744C00 push dword ptr ds:[0x4C74D0]
004156C8 . 68 03000000 push 0x3
004156CD . BB D09E4100 mov ebx, six-open squeezing line.00419ED0
004156D2 . E8 87420000 call six-open squeezing line.0041995E
004156D7 . 83C4 28 add esp,0x28
004156DA . 6A 00 push 0x0
004156DC . 68 02000000 push 0x2
004156E1 . 6A FF push -0x1
004156E3 . 6A 12 push 0x12
004156E5 . 68 E6A90206 push 0x602A9E6
004156EA . 68 7F9F0252 push 0x52029F7F
004156EF . E8 76420000 call six-open squeezing line.0041996A
004156F4 . 83C4 18 add esp,0x18
004156F7 . 6A 00 push 0x0
004156F9 . 68 00000000 push 0x0
004156FE . 6A FF push -0x1
00415700 . 6A 05 push 0x5
00415702 . 68 E6A90206 push 0x602A9E6
00415707 . 68 7F9F0252 push 0x52029F7F
0041570C . E8 59420000 call six-open squeezing line.0041996A
00415711 . 83C4 18 add esp,0x18
00415714 . E8 0B79FFFF call six-open squeezing line.0040D024
00415719 . E8 C594FFFF call six-open squeezing line.0040EBE3
We call this code a form event; anyone who has tinkered with the old version of Yi Language knows it well.
As long as the form event can be located, a super jump can be made.
To find an Easy Language button event, search for the binary code FF 55 FC 5F 5E.
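The two byte signatures quoted on this page (FC DB E3 for the entry stub, FF 55 FC 5F 5E for a button event) are the kind of pattern a triage script can look for when deciding whether a sample was built with Easy Language. The following scanner is an added example, not code from the original page; the sample buffer is constructed from the bytes listed at 00419910 plus a fabricated tail, and the "??" wildcard syntax is my own addition.

```python
"""Scan a byte buffer for the Easy Language byte signatures discussed above.
Added example; not code from the original page."""
import re

# Signatures quoted on the page (OllyDbg "binary search" patterns).
SIGNATURES = {
    "epl_entry":        "FC DB E3",        # cld / finit in the entry stub
    "epl_button_event": "FF 55 FC 5F 5E",  # call [ebp-4] / pop edi / pop esi
}


def pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Turn 'FC DB E3' (with optional '??' wildcards) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                      # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches a 0x0A byte.
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, signatures=SIGNATURES) -> dict:
    """Return {name: [offsets]} for every signature found in data."""
    hits = {}
    for name, pat in signatures.items():
        offsets = [m.start() for m in pattern_to_regex(pat).finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample (not a real executable): the bytes the page lists at
# 00419910 (mov eax,6 / call / cld / finit / call), zero padding, then a
# fabricated button-event prologue tail.
SAMPLE = (bytes.fromhex("B806000000" "E832000000" "FCDBE3" "E833FDFFFF")
          + b"\x00" * 16 + bytes.fromhex("FF55FC5F5E") + b"\x00" * 8)

if __name__ == "__main__":
    for name, offs in scan(SAMPLE).items():
        print(name, [hex(o) for o in offs])
```

On a real file, read the whole image with `open(path, "rb").read()` and pass it to `scan`; a hit on both patterns is a strong hint of an Easy Language build, a hit on neither says nothing if the file is still packed.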
00402A70 |. F6C4 01 test ah,0x1
00402A73 |. 74 02 je short six-open squeezing line.00402A77
00402A75 |. D9E0 fchs
00402A77 |> DC1D 63AC4900 fcomp qword ptr ds:[0x49AC63]
00402A7D |. DFE0 fstsw ax
00402A7F |. F6C4 41 test ah,0x41
00402A82 |. 0F84 04000000 je six-open squeezing line.00402A8C
00402A88 |. 33C0 xor eax,eax
00402A8A |. EB 05 jmp short six-open squeezing line.00402A91
The long jumps and the JE/JNZ instructions of Yi Language are very important; pay close attention to them.
0043B880 55 push ebp
0043B881 |. 8BEC mov ebp,esp
0043B883 |. 8B45 08 mov eax,[arg.1]
0043B886 |. 50 push eax
0043B887 |. B9 60364D00 mov ecx, six-open squeezing line.004D3660
0043B88C |. E8 FF85FFFF call six-open squeezing line.00433E90
0043B891 |. 8B4D 08 mov ecx,[arg.1]
0043B894 |. 51 push ecx ; /ExitCode = BD8B88
0043B895 \. FF15 90724900 call dword ptr ds:[<&kernel32.ExitProcess>] ; \ExitProcess
0043B89B . 5D pop ebp ; user32.77D191AE
0043B89C . C3 retn
Patching out 0043B880 takes care of the hidden exit.
The routine below can be found by searching for its bytes:
85 C9 75 09 33 C0 80 3A 00 74 01 40 C3 F7 C2 03 00 00 00 75 37 8B 02 3A 01 75 2B 0A C0 74 24 3A
61 01 75 22 0A E4 74 1B C1 E8 10 3A 41 02 75 16 0A C0 74 0F 3A 61 03 75 0D 83 C1 04 83 C2 04 0A
E4 75 D2 33 C0 C3 1B C0 D1 E0 40 C3
004022F8 |> \85C9 test ecx,ecx
004022FA |. 75 09 jnz short six-open squeezing line.00402305
004022FC |. 33C0 xor eax,eax
004022FE |. 803A 00 cmp byte ptr ds:[edx],0x0
00402301 |. 74 01 je short six-open squeezing line.00402304
00402303 |. 40 inc eax
00402304 |> C3 retn
00402305 |> F7C2 03000000 test edx,0x3
0040230B |. 75 37 jnz short six-open squeezing line.00402344
0040230D |> 8B02 /mov eax,dword ptr ds:[edx]
0040230F |. 3A01 |cmp al,byte ptr ds:[ecx]
00402311 |. 75 2B |jnz short six-open squeezing line.0040233E
00402313 |. 0AC0 |or al,al
00402315 |. 74 24 |je short six-open squeezing line.0040233B
00402317 |. 3A61 01 |cmp ah,byte ptr ds:[ecx+0x1]
0040231A |. 75 22 |jnz short six-open squeezing line.0040233E
0040231C |. 0AE4 |or ah,ah
0040231E |. 74 1B |je short six-open squeezing line.0040233B
00402320 |. C1E8 10 |shr eax,0x10
00402323 |. 3A41 02 |cmp al,byte ptr ds:[ecx+0x2]
00402326 |. 75 16 |jnz short six-open squeezing line.0040233E
00402328 |. 0AC0 |or al,al
0040232A |. 74 0F |je short six-open squeezing line.0040233B
0040232C |. 3A61 03 |cmp ah,byte ptr ds:[ecx+0x3]
0040232F |. 75 0D |jnz short six-open squeezing line.0040233E
00402331 |. 83C1 04 |add ecx,0x4
00402334 |. 83C2 04 |add edx,0x4
00402337 |. 0AE4 |or ah,ah
00402339 |.^ 75 D2 \jnz short six-open squeezing line.0040230D
0040233B |> 33C0 xor eax,eax ; returns 0 when control jumps here
0040233D |. C3 retn
0040233E |> 1BC0 sbb eax,eax
00402340 |. D1E0 shl eax,1
00402342 |. 40 inc eax
00402343 |. C3 retn
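To make clear what this routine leaves in EAX (the register the rest of the page keeps pointing at), here is a Python model of it. This is an added example, not the page's own code; the unaligned path at 00402344 is not shown on the page and is assumed to compare bytewise with the same result, and `mem`, `epl_strcmp` and `_cstring` are names I chose.

```python
"""Model of the aligned-dword string compare at 004022F8..00402343.
Added example; the unaligned branch at 00402344 is assumed (not on the page)."""
from typing import Optional


def _cstring(mem: bytes, start: int) -> bytes:
    """Bytes from start up to the first NUL, as a C string would be read."""
    end = mem.find(b"\x00", start)
    return mem[start:] if end < 0 else mem[start:end]


def epl_strcmp(mem: bytes, edx: int, ecx: Optional[int]) -> int:
    """Return the value the routine leaves in EAX.

    edx and ecx are offsets into mem; ecx=None models a NULL pointer.
    Result: 0 if equal, 1 if the byte at edx is larger at the first
    difference, -1 if it is smaller (unsigned byte comparison).
    """
    # 004022F8: test ecx,ecx -> NULL second string: eax = (*edx != 0)
    if ecx is None:
        return 0 if mem[edx] == 0 else 1
    # 00402305: test edx,3 only lets the dword loop run on a 4-byte aligned
    # edx, so the 4-byte fetch never straddles a page past the terminator.
    a = _cstring(mem, edx) + b"\x00"
    b = _cstring(mem, ecx) + b"\x00"
    # The loop at 0040230D fetches a dword from edx and checks al, ah, then
    # the upper half against ecx[0..3]; the first difference decides.
    for x, y in zip(a, b):
        if x != y:
            # 0040233E: sbb eax,eax / shl eax,1 / inc eax.  CF is set when
            # al < [ecx], giving -1; otherwise eax becomes 0 -> 1.
            return -1 if x < y else 1
        if x == 0:
            return 0  # 0040233B: both strings ended together -> xor eax,eax
    return 0


if __name__ == "__main__":
    # Constructed memory image: "abc\0" at 0, "abd\0" at 4, "abc\0" at 8.
    image = b"abc\x00abd\x00abc\x00\x00"
    print(epl_strcmp(image, 0, 8), epl_strcmp(image, 0, 4), epl_strcmp(image, 4, 0))
```

The shape (alignment test, al/ah checks, shr eax,0x10, sbb/shl/inc epilogue) is the classic C-runtime strcmp, which is why the page treats EAX as the only thing worth watching here.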
0040109A |. 68 C2920152 push 0x520192C2
Cracking Easy Language is nothing more than keeping your eye on EAX.
Pay attention to the long jump.
If the following strings are present in the string window, it is an old version.
For the old version, you need to search for the string first.
0040118A |$ 810424 761E00>add dword ptr ss:[esp],0x1E76
00401191 |. FFD0 call eax
If you want to find a button event, you must search within the instruction I have selected.
10028CCE E8 4D050300 call krnln.10059220
10028CD3 - FFE0 jmp eax
10028CD5 EB 0E jmp short krnln.10028CE5
10028CD7 8B55 08 mov edx,dword ptr ss:[ebp+0x8] ; Dreamy Wind and Frost.00403000
10028CDA 52 push edx ; ntdll.7C99C0D8
10028CDB 8B4D F8 mov ecx,dword ptr ss:[ebp-0x8] ; krnln.1002979B
10028CDE E8 3D050300 call krnln.10059220
10028CE3 FFD0 call eax
When the error shown in the figure above occurs, first lock onto addresses of this kind: JL and JNS.
004770CC /7C 0D jl short Dreamy Wind and Frost.004770DB
004770CE |68 01000000 push 0x1
004770D3 |E8 BA890000 call Dreamy Wind and Frost.0047FA92
004770D8 |83C4 04 add esp,0x4
004770DB \C1E0 02 shl eax,0x2
Section A must contain a CALL into the section below it, and the code that calls section A must be the section above it.