有个朋友叫我帮他看下一个dll的导出函数调用
无壳无花 无vm(貌似vs2005)
一个标准的被反汇编的对象啊。。
我用 IDA 按 F5 反编译了一下，但还是看不出该怎么处理。。
/*
 * Hex-Rays pseudocode of the exported WSPStartup() of a Winsock Layered
 * Service Provider (LSP) DLL (the debug string below calls it "IPFilter").
 *
 * What the visible code does, in order:
 *   1. If the protocol chain passed in has length <= 1, return 0 at once
 *      (LABEL_31) without touching anything.
 *   2. Call sub_100011A0(), then scan dword_1000BB98 records of 628 bytes
 *      starting at hMem (628 == sizeof(WSAPROTOCOL_INFOW) on 32-bit Windows;
 *      presumably hMem is a protocol table filled by sub_100011A0 — confirm)
 *      for the record whose 16 bytes at offset 20 (ProviderId GUID) equal
 *      unk_1000AC50, and take the DWORD at offset 36 (dwCatalogEntryId).
 *   3. Locate that catalog id in lpProtocolInfo->ProtocolChain.ChainEntries
 *      and take the entry right after it (the next provider in the chain).
 *   4. Look that catalog id up again in the hMem table, ask WSCGetProviderPath()
 *      for that provider's DLL path, expand environment strings in it,
 *      LoadLibraryW() it and GetProcAddress("WSPStartup").
 *   5. Forward the call to the lower provider's WSPStartup with the same
 *      arguments, and on success save the returned procedure table to
 *      unk_1000BB18 and overwrite lpWSPSend/lpWSPRecv with sub_10001290 /
 *      sub_10001410.
 *
 * Step 5 is the interception point: every send/recv through this chain is
 * routed to this DLL's own handlers. For a defender, the Winsock catalog
 * (WSCEnumProtocols / "netsh winsock show catalog") is where such a provider
 * and its DLL path are visible.
 *
 * Return value: 0 on success (also for the ChainLen <= 1 short-circuit),
 * 10106 (WSAEPROVIDERFAILEDINIT) when the path lookup, expansion, load or
 * export resolution fails, otherwise whatever the lower WSPStartup returned.
 *
 * NOTE(review): the GlobalAlloc() result is never checked for NULL, and the
 * 260-byte block is passed to APIs that take the size in WCHARs (see below),
 * so the buffer is half the size those calls may write. The block is also
 * never freed on any path.
 */
int __stdcall WSPStartup(int wVersionRequested, LPWSPDATA lpWSPData, LPWSAPROTOCOL_INFOW lpProtocolInfo, WSPUPCALLTABLE UpcallTable, LPWSPPROC_TABLE lpProcTable)
{
    int v5; // ebx@1 -- this provider's dwCatalogEntryId (DWORD at hMem+628*i+36)
    int v6; // esi@1 -- index into the hMem protocol table
    unsigned __int8 v7; // zf@1 -- decompiler flag artefacts for "ChainLen <= 1"
    char v8; // sf@1
    unsigned __int8 v9; // of@1
    unsigned int v10; // edx@3 -- byte offset of current record's GUID relative to unk_1000AC50
    _UNKNOWN *i; // eax@4 -- walks the 16 GUID bytes of unk_1000AC50, 4 at a time
    signed int v12; // ecx@4 -- GUID bytes left to compare (16 -> 0)
    int v13; // eax@11 -- index into ProtocolChain.ChainEntries
    int v14; // edx@11 -- ProtocolChain.ChainLen
    char *v15; // ecx@12 -- cursor over ChainEntries
    DWORD v16; // ebx@15 -- catalog id of the next (lower) provider in the chain
    int v17; // eax@16 -- index of that provider in the hMem table
    WCHAR *v18; // esi@16 -- provider DLL path buffer (GlobalAlloc'ed, see NOTE above)
    char *v19; // ecx@17 -- cursor over dwCatalogEntryId fields (hMem+36, stride 628)
    int result; // eax@21
    HMODULE v21; // eax@26 -- lower provider DLL
    FARPROC v22; // eax@27 -- its WSPStartup export
    LPWSPPROC_TABLE v23; // ebx@28 -- == lpProcTable
    /* v24..v38: 15 DWORDs = 0x3C bytes, the by-value WSPUPCALLTABLE copied
       onto the outgoing stack for the forwarded call (L"memcpy" below). */
    char v24; // [sp-10h] [bp-60h]@28
    int v25; // [sp-Ch] [bp-5Ch]@28
    int v26; // [sp-8h] [bp-58h]@28
    int v27; // [sp-4h] [bp-54h]@28
    int v28; // [sp+0h] [bp-50h]@28
    int v29; // [sp+4h] [bp-4Ch]@28
    int v30; // [sp+8h] [bp-48h]@28
    int v31; // [sp+Ch] [bp-44h]@28
    int v32; // [sp+10h] [bp-40h]@28
    int v33; // [sp+14h] [bp-3Ch]@28
    int v34; // [sp+18h] [bp-38h]@28
    int v35; // [sp+1Ch] [bp-34h]@28
    int v36; // [sp+20h] [bp-30h]@28
    int v37; // [sp+24h] [bp-2Ch]@28
    int v38; // [sp+28h] [bp-28h]@28
    HGLOBAL v39; // [sp+2Ch] [bp-24h]@30 -- copy of hMem handed to GlobalFree
    DWORD v40; // [sp+40h] [bp-10h]@1 -- always 0; fallback for v16
    int v41; // [sp+44h] [bp-Ch]@1 -- always 0; fallback for v5
    int ProviderDllPathLen; // [sp+48h] [bp-8h]@16 -- in/out length for WSCGetProviderPath (characters)
    int Errno; // [sp+4Ch] [bp-4h]@23 -- WSCGetProviderPath error out-param; later reused for result
    OutputDebugStringW(L"IPFilter WSPStartup ...");
    v6 = 0;
    v5 = 0;
    /* Decompiler rendering of a signed compare: (SF^OF)|ZF  <=>  ChainLen <= 1. */
    v9 = __SETO__(lpProtocolInfo->ProtocolChain.ChainLen, 1);
    v7 = lpProtocolInfo->ProtocolChain.ChainLen == 1;
    v8 = lpProtocolInfo->ProtocolChain.ChainLen - 1 < 0;
    v41 = 0;
    v40 = 0;
    if ( (unsigned __int8)(v8 ^ v9) | v7 )
        goto LABEL_31; /* base entry / no chain: nothing to layer over, return 0 */
    sub_100011A0(); /* presumably populates hMem / dword_1000BB98 -- confirm */
    if ( dword_1000BB98 > 0 )
    {
        /* v10 + (address of GUID byte k) == hMem + 628*v6 + 20 + k, i.e. the
           ProviderId field of record v6; the odd form is pointer-difference
           folding by the decompiler. */
        v10 = hMem - &unk_1000AC50 + 20;
        while ( 2 )
        {
            v12 = 16;
            for ( i = &unk_1000AC50; ; i = (char *)i + 4 )
            {
                if ( (unsigned int)v12 < 4 )
                {
                    /* All 16 GUID bytes matched: 157*4 == 628, 9*4 == 36,
                       so this reads dwCatalogEntryId of record v6. */
                    v5 = *((_DWORD *)hMem + 157 * v6 + 9);
                    goto LABEL_11;
                }
                if ( *(_DWORD *)((char *)i + v10) != *(_DWORD *)i )
                    break;
                v12 -= 4;
            }
            ++v6;
            v10 += 628;
            if ( v6 < dword_1000BB98 )
                continue;
            break;
        }
        v5 = v41; /* own GUID not found in the table: catalog id 0 */
    }
LABEL_11:
    /* Find our catalog id in the chain and take the entry after it. */
    v14 = lpProtocolInfo->ProtocolChain.ChainLen;
    v13 = 0;
    if ( v14 <= 0 )
    {
LABEL_15:
        v16 = v40; /* not found in chain: next-provider id 0 */
    }
    else
    {
        v15 = (char *)lpProtocolInfo->ProtocolChain.ChainEntries;
        while ( *(_DWORD *)v15 != v5 )
        {
            ++v13;
            v15 += 4;
            if ( v13 >= v14 )
                goto LABEL_15;
        }
        /* NOTE(review): no check that v13 + 1 < ChainLen; when our id is the
           last entry this reads one past the used part of ChainEntries. */
        v16 = lpProtocolInfo->ProtocolChain.ChainEntries[v13 + 1];
    }
    /* NOTE(review): WSCGetProviderPath's length is in WCHARs, but the block
       below is 0x104 == 260 *bytes* (0x40 == GPTR, zero-initialised), i.e.
       only 130 WCHARs. The allocation result is not NULL-checked. */
    ProviderDllPathLen = 260;
    v18 = (WCHAR *)GlobalAlloc(0x40u, 0x104u);
    v17 = 0;
    if ( dword_1000BB98 > 0 )
    {
        v19 = (char *)hMem + 36; /* dwCatalogEntryId of record 0 */
        while ( v16 != *(_DWORD *)v19 )
        {
            ++v17;
            v19 += 628;
            if ( v17 >= dword_1000BB98 )
                goto LABEL_20; /* not found: v18 stays an empty string */
        }
        /* hMem + 628*v17 + 20 is the ProviderId GUID of the matched record. */
        if ( WSCGetProviderPath((LPGUID)(hMem + 628 * v17 + 20), v18, &ProviderDllPathLen, &Errno) == -1 )
        {
            OutputDebugStringW(L"WSCGetProviderPath Error!");
            return 10106; /* WSAEPROVIDERFAILEDINIT; v18 leaks here */
        }
    }
LABEL_20:
    /* In-place expansion, size again given in WCHARs (0x104) against a
       260-byte buffer. NOTE(review): the documented contract for
       ExpandEnvironmentStringsW with src == dst should be checked as well. */
    if ( !ExpandEnvironmentStringsW(v18, v18, 0x104u) )
    {
        OutputDebugStringW(L"ExpandEnvironmentStrings Error!");
        return 10106; /* WSAEPROVIDERFAILEDINIT */
    }
    v21 = LoadLibraryW(v18);
    if ( !v21 || (v22 = GetProcAddress(v21, "WSPStartup"), !v22) )
        return 10106; /* WSAEPROVIDERFAILEDINIT */
    v23 = lpProcTable;
    /* Pass UpcallTable (0x3C bytes, 15 pointers) by value to the lower provider. */
    memcpy(&v24, &UpcallTable, 0x3Cu);
    result = ((int (__stdcall *)(int, LPWSPDATA, LPWSAPROTOCOL_INFOW, _DWORD, int, int, int, int, int, int, int, int, int, int, int, int, int, int, LPWSPPROC_TABLE))v22)(
        wVersionRequested,
        lpWSPData,
        lpProtocolInfo,
        *(_DWORD *)&v24,
        v25,
        v26,
        v27,
        v28,
        v29,
        v30,
        v31,
        v32,
        v33,
        v34,
        v35,
        v36,
        v37,
        v38,
        lpProcTable);
    Errno = result;
    if ( !result )
    {
        if ( dword_1000BB9C ) /* global flag; meaning not visible here */
        {
            /* Keep the lower provider's full WSPPROC_TABLE (0x78 bytes, 30
               pointers) so the hooks can chain to the originals, then replace
               the send/recv entries the caller will use. */
            memcpy(&unk_1000BB18, v23, 0x78u);
            v39 = hMem;
            v23->lpWSPSend = (LPWSPSEND)sub_10001290;
            v23->lpWSPRecv = (LPWSPRECV)sub_10001410;
            /* NOTE(review): frees the protocol table but hMem is not cleared;
               a second pass through the lookups above would use freed memory. */
            GlobalFree(v39);
        }
LABEL_31:
        result = 0;
    }
    return result;
}
希望大家帮我看下怎么调用这个函数。。
调用很多次都不成功
另外奉上dll文件
大家先杀毒然后ida之。
参数虽然只有几个，但真不知道该怎么填。。。