[Help] Studying stack overflows in 0day安全: 软件漏洞分析 (0day Security: Software Vulnerability Analysis): the overflowed code keeps changing??
Posted: 2013-1-21 16:20
I am working through the stack overflow chapter of 0day安全: 软件漏洞分析 (0day Security: Software Vulnerability Analysis):
Chapter 4, compiled with VC6.0 as Win32, running on Win7 x64.
With the Debug build of the program I can overflow successfully and the MessageBox pops up.
But when I try to overflow the Release build, strcpy does copy the shellcode onto the stack, and EIP does jump to the shellcode, but when I execute the shellcode, the shellcode's bytes change..., as follows:
1. Just entered the shellcode:
debug011:0018FB08 ; ---------------------------------------------------------------------------
debug011:0018FB08 xor ebx, ebx
debug011:0018FB0A push ebx
debug011:0018FB0B push offset unk_74736577
debug011:0018FB10 push offset unk_6C696166
debug011:0018FB15 mov eax, esp //single-stepped to here
debug011:0018FB17 push ebx
debug011:0018FB18 push eax
debug011:0018FB19 push eax
debug011:0018FB1A push ebx
debug011:0018FB1B mov eax, offset user32_MessageBoxExA
debug011:0018FB20 call eax ; user32_MessageBoxExA
debug011:0018FB22 nop
debug011:0018FB23 nop
debug011:0018FB24 nop
debug011:0018FB25 nop
2. I keep single-stepping:
debug011:0018FB08 ; ---------------------------------------------------------------------------
debug011:0018FB08 xor ebx, ebx
debug011:0018FB0A push ebx
debug011:0018FB0B push offset unk_74736577
debug011:0018FB10 push offset unk_6C696166
debug011:0018FB15 mov eax, esp
debug011:0018FB17 push ebx
debug011:0018FB18 push eax
debug011:0018FB19 push eax //single-stepped to here
debug011:0018FB1A push ebx
debug011:0018FB1B mov eax, offset user32_MessageBoxExA
debug011:0018FB20 call eax ; user32_MessageBoxExA
debug011:0018FB22 nop
debug011:0018FB23 nop
debug011:0018FB24 sub al, 0FBh
debug011:0018FB25 sti
debug011:0018FB26 sbb [eax], al
debug011:0018FB26 ; ---------------------------------------------------------------------------
debug011:0018FB27 db 0
debug011:0018FB28 db 0
debug011:0018FB29 db 0
debug011:0018FB2A db 0
debug011:0018FB2B db 0
debug011:0018FB2C db 66h ; f
debug011:0018FB2D db 61h ; a
3. Continue single-stepping:
debug011:0018FB08 ; ---------------------------------------------------------------------------
debug011:0018FB08 xor ebx, ebx
debug011:0018FB0A push ebx
debug011:0018FB0B push offset unk_74736577
debug011:0018FB10 push offset unk_6C696166
debug011:0018FB15 mov eax, esp
debug011:0018FB17 push ebx
debug011:0018FB18 push eax
debug011:0018FB19 push eax
debug011:0018FB1A push ebx //single-stepped to here
debug011:0018FB1B mov eax, offset user32_MessageBoxExA
debug011:0018FB20 sub al, 0FBh //the "call eax ; user32_MessageBoxExA" is gone...
debug011:0018FB22 sbb [eax], al
debug011:0018FB23 add [ebx+edi*8], ch
debug011:0018FB24 sub al, 0FBh
debug011:0018FB25 sti
debug011:0018FB26 sbb [eax], al
debug011:0018FB26 ; ---------------------------------------------------------------------------
4. Continue single-stepping:
debug011:0018FB08 ; ---------------------------------------------------------------------------
debug011:0018FB08 xor ebx, ebx
debug011:0018FB0A push ebx
debug011:0018FB0B push offset unk_74736577
debug011:0018FB10 push offset unk_6C696166
debug011:0018FB15 mov eax, esp
debug011:0018FB17 push ebx
debug011:0018FB18 push eax
debug011:0018FB19 push eax
debug011:0018FB1A push ebx
debug011:0018FB1B mov eax, 0 //single-stepped to here; the "mov eax, offset user32_MessageBoxExA" is gone... why???
debug011:0018FB20 sub al, 0FBh
debug011:0018FB22 sbb [eax], al
debug011:0018FB23 add [ebx+edi*8], ch
debug011:0018FB24 sub al, 0FBh
debug011:0018FB25 sti
debug011:0018FB26 sbb [eax], al
debug011:0018FB26 ; ---------------------------------------------------------------------------
Could someone explain why the code changes dynamically?
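Added example (not part of the original post, nor code from the book): a small C model of the stack in which the shellcode from the trace above runs, to show what the trace is recording. Every `push` writes 4 bytes immediately below ESP, and here the shellcode itself lies on the stack just below ESP, so the shellcode's own pushes walk down into its instructions: the 6th push lands on `call eax` and the 7th zeroes the immediate of `mov eax, offset user32_MessageBoxExA`, which are the two changes seen in steps 3 and 4. Assumptions: the initial ESP of 0x0018FB38 is not given in the post and is inferred from which bytes change in the trace; 0x41414141 stands in for the real MessageBoxExA address; the emulator models only the handful of opcodes the shellcode uses and stops at `call eax`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated 32-bit stack: covers 0x0018FA00..0x0018FBFF, which contains the
 * shellcode address shown in the trace (0x0018FB08). */
#define MEM_BASE    0x0018FA00u
#define MEM_SIZE    0x200u
#define SC_ADDR     0x0018FB08u
/* ASSUMPTION: ESP immediately after the ret into the shellcode. The post does
 * not give it; 0x0018FB38 is inferred from which bytes change in the trace
 * (the 5th, 6th and 7th pushes land on 0x..24, 0x..20 and 0x..1C). */
#define ESP_INITIAL 0x0018FB38u
/* ASSUMPTION: placeholder for the real user32!MessageBoxExA address. */
#define MSGBOX_ADDR 0x41414141u

/* The shellcode as disassembled in the post, re-encoded as bytes. */
static const uint8_t shellcode[] = {
    0x33, 0xDB,                     /* xor  ebx, ebx            */
    0x53,                           /* push ebx                 */
    0x68, 'w', 'e', 's', 't',       /* push 74736577h ("west")  */
    0x68, 'f', 'a', 'i', 'l',       /* push 6C696166h ("fail")  */
    0x8B, 0xC4,                     /* mov  eax, esp            */
    0x53, 0x50, 0x50, 0x53,         /* push ebx/eax/eax/ebx     */
    0xB8, 0x41, 0x41, 0x41, 0x41,   /* mov  eax, MSGBOX_ADDR    */
    0xFF, 0xD0,                     /* call eax                 */
};
#define SC_LEN ((uint32_t)sizeof shellcode)

struct cpu { uint32_t eax, ebx, esp, eip; uint8_t mem[MEM_SIZE]; };

struct result {
    int clobbered;      /* shellcode bytes that no longer match the original */
    int reached_call;   /* 1 if execution arrived at an intact "call eax"    */
    uint32_t eax, eip;  /* register state when the emulator stopped          */
};

static uint8_t *at(struct cpu *c, uint32_t addr, uint32_t len) {
    if (addr < MEM_BASE || addr + len > MEM_BASE + MEM_SIZE) abort();
    return &c->mem[addr - MEM_BASE];
}
static uint32_t rd32(struct cpu *c, uint32_t a) {
    uint8_t *p = at(c, a, 4);   /* little-endian, as on x86 */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(struct cpu *c, uint32_t a, uint32_t v) {
    uint8_t *p = at(c, a, 4);
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* x86 push: decrement ESP, then store. The 4 bytes below ESP get written,
 * whatever happens to live there. */
static void push32(struct cpu *c, uint32_t v) { c->esp -= 4; wr32(c, c->esp, v); }

/* Executes one instruction fetched from simulated memory. Only the opcodes
 * the shellcode uses are modelled; returns 0 at "call eax" or on anything
 * else (which is what an overwritten instruction turns into). */
static int step(struct cpu *c) {
    uint8_t *p = at(c, c->eip, 2);
    switch (p[0]) {
    case 0x33: if (p[1] != 0xDB) return 0; c->ebx = 0; c->eip += 2; return 1;
    case 0x53: push32(c, c->ebx); c->eip += 1; return 1;
    case 0x50: push32(c, c->eax); c->eip += 1; return 1;
    case 0x68: push32(c, rd32(c, c->eip + 1)); c->eip += 5; return 1;
    case 0x8B: if (p[1] != 0xC4) return 0; c->eax = c->esp; c->eip += 2; return 1;
    case 0xB8: c->eax = rd32(c, c->eip + 1); c->eip += 5; return 1;
    case 0x90: c->eip += 1; return 1;
    default:   return 0;   /* FF D0 (call eax) or garbage: stop */
    }
}

/* Runs the shellcode with ESP lowered by sub_esp bytes first (models a
 * leading "sub esp, N") and reports how many of its bytes got clobbered. */
struct result run_shellcode(uint32_t sub_esp) {
    struct cpu c = {0};
    struct result r = {0};
    memcpy(at(&c, SC_ADDR, SC_LEN), shellcode, SC_LEN);
    c.esp = ESP_INITIAL - sub_esp;
    c.eip = SC_ADDR;
    while (step(&c)) ;
    for (uint32_t i = 0; i < SC_LEN; i++)
        if (c.mem[SC_ADDR - MEM_BASE + i] != shellcode[i]) r.clobbered++;
    uint8_t *p = at(&c, c.eip, 2);
    r.reached_call = (p[0] == 0xFF && p[1] == 0xD0);
    r.eax = c.eax; r.eip = c.eip;
    return r;
}

int main(void) {
    uint32_t adj[] = {0, 0x10, 0x30};
    for (int i = 0; i < 3; i++) {
        struct result r = run_shellcode(adj[i]);
        printf("sub esp,%#x: %d shellcode bytes clobbered, stopped at %#x, eax=%#x, reached call eax: %s\n",
               adj[i], r.clobbered, r.eip, r.eax, r.reached_call ? "yes" : "no");
    }
    return 0;
}
```

Compare the `sub esp,0` line with the trace: 6 bytes overwritten, execution stops at 0x0018FB20 with EAX = 0, just as in step 4. The check to make is whether the range of addresses the shellcode will write, [final ESP, initial ESP), overlaps the shellcode's own bytes. Lowering ESP a little (`sub esp, 0x10`) makes it worse, because the pushes start closer to the code; lowering it past the start of the shellcode (`sub esp, 0x30`, encoded 83 EC 30 with no null byte) moves every write below the code and the call is reached with EAX intact. The model covers only the shellcode's own pushes; the real `call` pushes a return address and MessageBoxExA builds its own frame, so in practice leave considerably more room than this minimum.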