[Original] A reverse-engineering beginner analyzes a function made up of hardcoded bytes
Posted: 2015-4-15 22:39 4867

unsigned char dis[2359] =
{
        0xE9, 0x0A, 0x08, 0x00, 0x00, 0xE8, 0x19, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00,     0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x10, 0x00, .........}

typedef void (__stdcall *GETCODELENGTH)(PVOID code,ULONG_PTR *len);
// The byte array itself is the function body; it is called through this pointer
GETCODELENGTH GetCodeLength = (GETCODELENGTH)dis;

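This is probably code written by some expert; as a beginner I can only analyze it superficially.
Judging by the name, it should be a function that gets the length of code. I debugged it directly in WinDbg, disassembled some of its code, and wrote a rough outline in pseudocode. Essentially, it takes the address passed in, reads the code byte at that address as an index, finds the value in the array at (dis+10)+index*4, and then tests individual bits of that value. The pseudocode is below; I have hardly written any code before, so please bear with it.....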

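PVOID FunctionAddr;
BYTE AssemCode;
void (__stdcall *GETCODELENGTH)(PVOID FunctionAddr,ULONG_PTR *len)
{
	goto jmp80f;		// dis+0: E9 0A 08 00 00, jmp to offset 0x80f
jmp5:				// dis+5: E8 19 08 00 00, call to offset 0x823
	call823(len);

jmp80f:
	AssemCode = *(BYTE*)FunctionAddr;	// first code byte at the target address, used as the table index
	goto jmp5;
	
}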
void call823(ULONG_PTR *lenth)
{
	BYTE* FuncRtnAddr = NULL;
	BYTE* ChangeAddr = NULL;
	BYTE b_Temp;
	__asm pop FuncRtnAddr			// return address pushed by the call at dis+5, i.e. dis+10, the start of the table
	ULONG ReferNumber = *(ULONG*)(FuncRtnAddr+AssemCode*4);	// 4-byte table entry for this code byte
	ChangeAddr = FunctionAddr;
	ChangeAddr = ChangeAddr+1;
	if(!((ReferNumber&0xFF00)>>8&0x20))
	{
		b_Temp = *(BYTE*)ChangeAddr;
		b_Temp = b_Temp&0x38;
		b_Temp = ~b_Temp;
		ReferNumber = ReferNumber&0xFFFFFF00;
		ReferNumber = ReferNumber|b_Temp;
		if(ReferNumber)
		{
			ReferNumber = -1;
		}else{
				ReferNumber = 0;
			}
		ReferNumber = ReferNumber&0xFFFFF000;
		ReferNumber += 0x1800;
		if(!((ReferNumber&0xFF00)>>8&0x40))
		{
			if(!((ReferNumber&0xFF)&1))
			{
				ReferNumber = ReferNumber&0xFFFFFFFE;
				goto jmp80f;
				if(!((ReferNumber&0xFF00)>>8&0x10))
				{
					if(!(b_Temp&0x1))
					{
						ReferNumber = ReferNumber|0x10;
					}else{
							ReferNumber = ReferNumber|0x8;
						}
					if(!((ReferNumber&0xFF00)>>8&0x8))
					
					{
						if(!((ReferNumber&0xFF)&(ReferNumber&0xFF)))
						{
							if(!((ReferNumber&0xFF)&0x8))
							{
								if(!(ReferNumber&0x100))
								{
									if(!(ReferNumber&0x200))
									{
										if(!(ReferNumber&0x400))
										{
											if(!((ReferNumber&0xFF)&0x10))
											{
												if(!((ReferNumber&0xFF)&0x20))
												{
													if(!((ReferNumber&0xFF)&0x40))
													{
														*lenth = ChangeAddr - FuncRtnAddr;
														return;
													}
												}												
											}
										}
									}
								}
							}
						}
					}
				}
			}
		}
	}
	
}
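
The label names jmp5, jmp80f and call823 and the table base dis+10 all follow from the first ten bytes of the blob. The added example below (not part of the original post; the helper names are hypothetical) decodes those two rel32 branches and performs the base+opcode*4 lookup on the 26 bytes that the post lists in full, so only table entries 0 to 3 are available.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The first 26 bytes of dis[] exactly as listed in the post. */
static const uint8_t head[] = {
    0xE9, 0x0A, 0x08, 0x00, 0x00,                    /* +0: jmp rel32  */
    0xE8, 0x19, 0x08, 0x00, 0x00,                    /* +5: call rel32 */
    0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00,  /* table entries 0, 1 */
    0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00,  /* table entries 2, 3 */
};

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Destination offset of an E8/E9 rel32 branch at `off`, or -1 if none there. */
static long branch_target(const uint8_t *buf, size_t len, size_t off) {
    if (off + 5 > len || (buf[off] != 0xE8 && buf[off] != 0xE9)) return -1;
    return (long)(off + 5) + (int32_t)le32(buf + off + 1);
}

/* Offset a CALL at `off` pushes as its return address (what `pop` yields). */
static long call_return_offset(const uint8_t *buf, size_t len, size_t off) {
    if (off + 5 > len || buf[off] != 0xE8) return -1;
    return (long)(off + 5);
}

/* The post's lookup, base + opcode*4, bounds-checked; returns 0 on success. */
static int table_entry(const uint8_t *buf, size_t len, size_t base, uint8_t opcode, uint32_t *out) {
    size_t pos = base + (size_t)opcode * 4;
    if (pos + 4 > len) return -1;   /* entry lies outside the listed bytes */
    *out = le32(buf + pos);
    return 0;
}

int main(void) {
    long base = call_return_offset(head, sizeof head, 5);
    printf("jmp -> 0x%lX, call -> 0x%lX, table base = dis+%ld\n",
           branch_target(head, sizeof head, 0), branch_target(head, sizeof head, 5), base);
    for (unsigned op = 0; op < 5; op++) {
        uint32_t e;
        if (table_entry(head, sizeof head, (size_t)base, (uint8_t)op, &e) == 0)
            printf("opcode %02X -> 0x%08X\n", op, (unsigned)e);
        else
            printf("opcode %02X -> not in the listed bytes\n", op);
    }
    return 0;
}
```

The call at offset 5 is never meant to return: its only purpose is to leave the address of the table on the stack, which is why the pseudocode starts call823 with a pop.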
