[原创]有点小紧张-7)腾讯公司2010软件安全竞赛-看雪-安全社区|安全招聘|kanxue.com

最新回复 (1)
finn 雪币： 94 活跃值： (10) 能力值： ( LV3，RANK：30 ) 在线值：发帖 9 回帖 39 粉丝 0 关注私信	finn 2 楼 signed int __cdecl checkFun_401000() { HANDLE v0; // eax@1 void pszFileContent; // ebp@1 void v2; // edi@1 void hFile; // esi@1 HANDLE v4; // eax@1 unsigned int dwFileLen; // ebx@2 HMODULE hUser32Dll; // esi@3 signed int iRetn; // [sp+10h] [bp-318h]@1 void v9; // [sp+14h] [bp-314h]@1 HANDLE v10; // [sp+18h] [bp-310h]@1 DWORD NumberOfBytesRead; // [sp+1Ch] [bp-30Ch]@1 int (*v12)(); // [sp+20h] [bp-308h]@1 char v13; // [sp+24h] [bp-304h]@4 int v14; // [sp+A4h] [bp-284h]@1 char v15; // [sp+A8h] [bp-280h]@6 char Buffer; // [sp+128h] [bp-200h]@3 iRetn = 0; v12 = &off_4050B4; v14 = (int)off_4050B0; NumberOfBytesRead = 0; v4 = HeapCreate(0, 0x1000u, 0x10000u); v2 = v4; v9 = v4; pszFileContent = HeapAlloc(v4, 0, 0x200u); v0 = CreateFileA("exploit.dat", 0x80000000u, 1u, 0, 4u, 0x80u, 0); hFile = v0; v10 = v0; if ( v0 != (HANDLE)-1 ) { dwFileLen = GetFileSize(v0, 0); if ( dwFileLen <= 0x200 ) { ReadFile(hFile, &Buffer, dwFileLen, &NumberOfBytesRead, 0); memcpy(pszFileContent, &Buffer, dwFileLen); memset(&Buffer, 0, 0x200u); hUser32Dll = LoadLibraryA("user32.dll"); pfunMsgW = (int)GetProcAddress(hUser32Dll, "MessageBoxW"); pfunMsgA = (int)GetProcAddress(hUser32Dll, "MessageBoxA"); if ( dwFileLen <= 0x84 ) memcpy(&v13, pszFileContent, dwFileLen); HeapFree(v9, 1u, pszFileContent); memset(pszFileContent, 0, 0x80u); if ( dwFileLen <= 0x84 ) memcpy(&v15, pszFileContent, dwFileLen); // 在此处溢出 ((void (__thiscall )(int (**)()))v12)(&v12); // Sleep (1000) ((void (__thiscall )(int ))v14)(&v14); // MessageBox(Fail) v2 = v9; hFile = v10; iRetn = 1; } } if ( hFile ) CloseHandle(hFile); if ( pszFileContent ) HeapFree(v2, 1u, pszFileContent); if ( v2 ) HeapDestroy(v2); return iRetn; } 2010-10-20 12:22 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (1)

finn

雪币： 94

活跃值： (10)

能力值：

( LV3，RANK：30 )

在线值：

发帖

回帖

粉丝

关注

私信

finn: 2 楼

signed int __cdecl checkFun_401000()
{
  HANDLE v0; // eax@1
  void *pszFileContent; // ebp@1
  void *v2; // edi@1
  void *hFile; // esi@1
  HANDLE v4; // eax@1
  unsigned int dwFileLen; // ebx@2
  HMODULE hUser32Dll; // esi@3
  signed int iRetn; // [sp+10h] [bp-318h]@1
  void *v9; // [sp+14h] [bp-314h]@1
  HANDLE v10; // [sp+18h] [bp-310h]@1
  DWORD NumberOfBytesRead; // [sp+1Ch] [bp-30Ch]@1
  int (**v12)(); // [sp+20h] [bp-308h]@1
  char v13; // [sp+24h] [bp-304h]@4
  int v14; // [sp+A4h] [bp-284h]@1
  char v15; // [sp+A8h] [bp-280h]@6
  char Buffer; // [sp+128h] [bp-200h]@3

  iRetn = 0;
  v12 = &off_4050B4;
  v14 = (int)off_4050B0;
  NumberOfBytesRead = 0;
  v4 = HeapCreate(0, 0x1000u, 0x10000u);
  v2 = v4;
  v9 = v4;
  pszFileContent = HeapAlloc(v4, 0, 0x200u);
  v0 = CreateFileA("exploit.dat", 0x80000000u, 1u, 0, 4u, 0x80u, 0);
  hFile = v0;
  v10 = v0;
  if ( v0 != (HANDLE)-1 )
  {
dwFileLen = GetFileSize(v0, 0);
if ( dwFileLen <= 0x200 )
{
   ReadFile(hFile, &Buffer, dwFileLen, &NumberOfBytesRead, 0);
   memcpy(pszFileContent, &Buffer, dwFileLen);
   memset(&Buffer, 0, 0x200u);
   hUser32Dll = LoadLibraryA("user32.dll");
   pfunMsgW = (int)GetProcAddress(hUser32Dll, "MessageBoxW");
   pfunMsgA = (int)GetProcAddress(hUser32Dll, "MessageBoxA");
   if ( dwFileLen <= 0x84 )
      memcpy(&v13, pszFileContent, dwFileLen);
   HeapFree(v9, 1u, pszFileContent);
   memset(pszFileContent, 0, 0x80u);
   if ( dwFileLen <= 0x84 )
      memcpy(&v15, pszFileContent, dwFileLen);    //  在此处溢出
   ((void (__thiscall *)(int (***)()))*v12)(&v12); // Sleep (1000)
   (*(void (__thiscall **)(int *))v14)(&v14);          // MessageBox(Fail)
   v2 = v9;
   hFile = v10;
   iRetn = 1;
}
  }
  if ( hFile )
CloseHandle(hFile);
  if ( pszFileContent )
HeapFree(v2, 1u, pszFileContent);
  if ( v2 )
HeapDestroy(v2);
  return iRetn;
}

2010-10-20 12:22