0:008> .loadby sos mscorwks
0:008> !help
-------------------------------------------------------------------------------
SOS is a debugger extension DLL designed to aid in the debugging of managed
programs. Functions are listed by category, then roughly in order of
importance. Shortcut names for popular functions are listed in parenthesis.
Type "!help <functionname>" for detailed info on that function.

Object Inspection
-----------------------------
DumpObj (do)
DumpArray (da)
DumpStackObjects (dso)
DumpHeap
DumpVC
GCRoot
ObjSize
FinalizeQueue
PrintException (pe)
TraverseHeap

Examining code and stacks
-----------------------------
Threads
CLRStack
IP2MD
U
DumpStack
EEStack
GCInfo
EHInfo
COMState
BPMD

Examining CLR data structures
-----------------------------
DumpDomain
EEHeap
Name2EE
SyncBlk
DumpMT
DumpClass
DumpMD
Token2EE
EEVersion
DumpModule
ThreadPool
DumpAssembly
DumpMethodSig
DumpRuntimeTypes
DumpSig
RCWCleanupList
DumpIL

Diagnostic Utilities
-----------------------------
VerifyHeap
DumpLog
FindAppDomain
SaveModule
GCHandles
GCHandleLeaks
VMMap
VMStat
ProcInfo
StopOnException (soe)
MinidumpMode

Other
-----------------------------
FAQ
0:008> !DumpStack
OS Thread Id: 0xdb4 (8)
Current frame: KERNELBASE!RaiseException+0x58
ChildEBP RetAddr Caller,Callee
055fee58 758ad3cf KERNELBASE!RaiseException+0x58, calling ntdll!RtlRaiseException
055fee6c 62c3f404 mscorwks!Binder::RawGetClass+0x20, calling mscorwks!Module::LookupTypeDef
055fee7c 62c3f877 mscorwks!Binder::IsClass+0x23, calling mscorwks!Binder::RawGetClass
055fee88 62cd7b6f mscorwks!Binder::IsException+0x14, calling mscorwks!Binder::IsClass
055fee98 62cd7b96 mscorwks!IsExceptionOfType+0x23, calling mscorwks!Binder::IsException
055feea0 62cd7d1c mscorwks!RaiseTheExceptionInternalOnly+0x2a8, calling KERNEL32!RaiseExceptionStub
055fef00 62cd1950 mscorwks!JIT_Throw+0xfc, calling mscorwks!RaiseTheExceptionInternalOnly
055fef74 62cd18a5 mscorwks!JIT_Throw+0x1e, calling mscorwks!LazyMachStateCaptureState
055fef80 62c40074 mscorwks!PreStubWorker+0x141, calling mscorwks!_EH_epilog3
055fef84 0063087e 0063087e, calling mscorwks!PreStubWorker
055fefc4 004a9a75 (MethodDesc 0x337ef0 +0x155 d.a()), calling mscorwks!JIT_Throw
055ff070 004a862e (MethodDesc 0x336350 +0x66 z.i()), calling (MethodDesc 0x337ef0 +0 d.a())
055ff088 004a856f (MethodDesc 0x336500 +0x1f z.a()), calling 0033c640
055ff0a8 62346e76 (MethodDesc 0x62204020 +0x66 System.Threading.ThreadHelper.ThreadStart_Context(System.Object))
055ff0b4 623502ff (MethodDesc 0x62172794 +0x6f System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object))
055ff0c8 62346df4 (MethodDesc 0x6216be0c +0x44 System.Threading.ThreadHelper.ThreadStart()), calling (MethodDesc 0x62172794 +0 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object))
055ff0e0 62c31b4c mscorwks!CallDescrWorker+0x33
055ff0e8 77736824 ntdll!RtlDebugFreeHeap+0x25f, calling ntdll!_SEH_epilog4
055ff0f0 62c48dde mscorwks!CallDescrWorkerWithHandler+0xa3, calling mscorwks!CallDescrWorker
055ff170 62c56a2c mscorwks!MethodDesc::CallDescr+0x19c, calling mscorwks!CallDescrWorkerWithHandler
055ff18c 62c3ea77 mscorwks!SigParser::SkipExactlyOne+0x20, calling mscorwks!CorSigEatCustomModifiersAndUncompressElementType
055ff19c 62c56ddb mscorwks!MetaSig::MetaSig+0x3a, calling MSVCR80!memcpy
055ff1ac 62c56969 mscorwks!MethodDesc::CallDescr+0xaf, calling mscorwks!ClrSafeInt<unsigned long>::addition
055ff1b8 62c56979 mscorwks!MethodDesc::CallDescr+0xbb, calling mscorwks!_alloca_probe_16
055ff218 62c348ba mscorwks!EEHeapFree+0xba, calling mscorwks!_EH_epilog3
055ff22c 776c5ae0 ntdll!RtlAllocateHeap+0x23a, calling ntdll!RtlpAllocateHeap
055ff240 62c348ba mscorwks!EEHeapFree+0xba, calling mscorwks!_EH_epilog3
055ff244 62c348d9 mscorwks!EEHeapFreeInProcessHeap+0x22, calling mscorwks!EEHeapFree
055ff258 62c34862 mscorwks!operator delete[]+0x2a, calling mscorwks!EEHeapFreeInProcessHeap
055ff294 62c3f37c mscorwks!Module::LookupTypeDef+0x36, calling mscorwks!LookupMap<MethodTable *>::GetElement
055ff2a8 62c56a5f mscorwks!MethodDesc::CallTargetWorker+0x1f, calling mscorwks!MethodDesc::CallDescr
055ff2c4 62c56a7d mscorwks!MethodDescCallSite::CallWithValueTypes_RetArgSlot+0x1a, calling mscorwks!MethodDesc::CallTargetWorker
055ff2dc 62cd3191 mscorwks!ThreadNative::KickOffThread_Worker+0x192, calling mscorwks!MethodDescCallSite::Call
055ff348 776c5dd3 ntdll!RtlpAllocateHeap+0xe73, calling ntdll!_SEH_epilog4
055ff35c 777360fe ntdll!RtlDebugAllocateHeap+0x308, calling ntdll!_SEH_epilog4
055ff360 776fa376 ntdll!RtlpAllocateHeap+0xc4, calling ntdll!RtlDebugAllocateHeap
055ff36c 776c5dd3 ntdll!RtlpAllocateHeap+0xe73, calling ntdll!_SEH_epilog4
055ff38c 776c5dd3 ntdll!RtlpAllocateHeap+0xe73, calling ntdll!_SEH_epilog4
055ff390 776c5ae0 ntdll!RtlAllocateHeap+0x23a, calling ntdll!RtlpAllocateHeap
055ff3a0 776b6054 ntdll!NtQueryInformationProcess+0xc
055ff3a4 758a94fb KERNELBASE!GetProcessVersion+0x59, calling ntdll!NtQueryInformationProcess
055ff3f0 776c5dd3 ntdll!RtlpAllocateHeap+0xe73, calling ntdll!_SEH_epilog4
055ff3f4 776c5ae0 ntdll!RtlAllocateHeap+0x23a, calling ntdll!RtlpAllocateHeap
055ff45c 62c348ba mscorwks!EEHeapFree+0xba, calling mscorwks!_EH_epilog3
055ff470 776c5ae0 ntdll!RtlAllocateHeap+0x23a, calling ntdll!RtlpAllocateHeap
055ff484 62c348ba mscorwks!EEHeapFree+0xba, calling mscorwks!_EH_epilog3
055ff488 62c348d9 mscorwks!EEHeapFreeInProcessHeap+0x22, calling mscorwks!EEHeapFree
055ff49c 62c34862 mscorwks!operator delete[]+0x2a, calling mscorwks!EEHeapFreeInProcessHeap
055ff4c4 62c8192f mscorwks!Thread::DoADCallBack+0x32a
055ff4d8 62c818cb mscorwks!Thread::ShouldChangeAbortToUnload+0xe3, calling mscorwks!Thread::DoADCallBack+0x2db
055ff500 62c34383 mscorwks!ClrFlsSetValue+0x57, calling mscorwks!_EH_epilog3
055ff504 62c34396 mscorwks!DecCantStopCount+0x10, calling mscorwks!ClrFlsSetValue
055ff51c 62cf3ec2 mscorwks!ThreadStore::TransferStartedThread+0xaa, calling mscorwks!ThreadStore::UnlockThreadStore
055ff56c 62c817f1 mscorwks!Thread::ShouldChangeAbortToUnload+0x30a, calling mscorwks!Thread::ShouldChangeAbortToUnload+0x32
055ff5a8 62c8197d mscorwks!Thread::ShouldChangeAbortToUnload+0x33e, calling mscorwks!Thread::ShouldChangeAbortToUnload+0x29d
055ff5d0 62cd2f62 mscorwks!ManagedThreadBase::KickOff+0x13, calling mscorwks!Thread::ShouldChangeAbortToUnload+0x319
055ff5e8 62cd303c mscorwks!ThreadNative::KickOffThread+0x26b, calling mscorwks!ManagedThreadBase::KickOff
055ff610 62c348ba mscorwks!EEHeapFree+0xba, calling mscorwks!_EH_epilog3
055ff684 62d9805a mscorwks!Thread::intermediateThreadProc+0x49
055ff790 62d98048 mscorwks!Thread::intermediateThreadProc+0x37, calling mscorwks!_alloca_probe_16
055ff7a4 7747ed6c KERNEL32!BaseThreadInitThunk+0xe
055ff7b0 776d37f5 ntdll!__RtlUserThreadStart+0x70
055ff7f0 776d37c8 ntdll!_RtlUserThreadStart+0x1b, calling ntdll!__RtlUserThreadStart
The frames above that have no corresponding symbol are JIT-compiled managed code being invoked; right after them RaiseTheExceptionInternalOnly is called to throw an exception, which means the problem lies in the JIT-compiled code. We can take a look at the execution flow at that moment.
0:008> !clrstack
OS Thread Id: 0xdb4 (8)
ESP EIP
055fef28 758ad3cf [HelperMethodFrame: 055fef28]
055fefcc 004a9a75 d.a()
055ff078 004a862e z.i()
055ff090 004a856f z.a()
055ff0b0 62346e76 System.Threading.ThreadHelper.ThreadStart_Context(System.Object)
055ff0bc 623502ff System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
055ff0d4 62346df4 System.Threading.ThreadHelper.ThreadStart()
055ff2fc 62c31b4c [GCFrame: 055ff2fc]
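As an added example (not part of the original post), a small Python parser for the !DumpStack output above: it separates the JIT-compiled managed frames (the ones SOS prints as MethodDesc entries, which are exactly what !clrstack lists) from the native runtime frames, and picks out the managed frame whose callee is JIT_Throw, i.e. the throw site. The embedded input is an excerpt of the dump above.

```python
import re

# One !DumpStack frame: "ChildEBP RetAddr caller[, calling callee]".
FRAME_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(.*)$")
# SOS prints a JIT-compiled caller as "(MethodDesc <md> +<offset> <method>)".
MD_RE = re.compile(r"^\(MethodDesc (0x[0-9a-f]+) \+(0x[0-9a-f]+|\d+) (.*)\)$")

# Excerpt of the !DumpStack listing on this page, embedded here as test input.
DUMPSTACK = """\
OS Thread Id: 0xdb4 (8)
ChildEBP RetAddr Caller,Callee
055fee58 758ad3cf KERNELBASE!RaiseException+0x58, calling ntdll!RtlRaiseException
055fef00 62cd1950 mscorwks!JIT_Throw+0xfc, calling mscorwks!RaiseTheExceptionInternalOnly
055fefc4 004a9a75 (MethodDesc 0x337ef0 +0x155 d.a()), calling mscorwks!JIT_Throw
055ff070 004a862e (MethodDesc 0x336350 +0x66 z.i()), calling (MethodDesc 0x337ef0 +0 d.a())
055ff088 004a856f (MethodDesc 0x336500 +0x1f z.a()), calling 0033c640
055ff0a8 62346e76 (MethodDesc 0x62204020 +0x66 System.Threading.ThreadHelper.ThreadStart_Context(System.Object))
055ff0e0 62c31b4c mscorwks!CallDescrWorker+0x33
"""

def parse_dumpstack(text):
    """Return (ebp, ret, caller, callee, managed) per frame, innermost first.
    managed is (method_desc, native_offset, method) for JIT-compiled frames."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # "OS Thread Id", column header, symbol warnings
        caller, _, callee = m.group(3).partition(", calling ")
        md = MD_RE.match(caller)
        managed = (md.group(1), int(md.group(2), 0), md.group(3)) if md else None
        frames.append((m.group(1), m.group(2), caller, callee or None, managed))
    return frames

def managed_methods(text):
    """Only the managed frames: this is what !clrstack shows for the same thread."""
    return [f[4][2] for f in parse_dumpstack(text) if f[4]]

def throw_site(text):
    """The managed frame whose callee is JIT_Throw is where the exception was
    raised; its native offset is the spot to inspect with !u (d.a() +0x155 here)."""
    for _, _, _, callee, managed in parse_dumpstack(text):
        if managed and callee == "mscorwks!JIT_Throw":
            return managed[2], managed[1]
    return None

if __name__ == "__main__":
    print("managed frames:", managed_methods(DUMPSTACK))
    print("throw site:", throw_site(DUMPSTACK))
```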
At this point we only know that the problem occurs in this code, but we still do not know why it crashes, so the only option is to read the disassembly to understand what actually happened during this process.
0:008> !u 004a9a75
Normal JIT generated code
d.a()
Begin 004a9920, size 160
004a9920 55 push ebp
004a9921 8bec mov ebp,esp
004a9923 57 push edi
004a9924 56 push esi
004a9925 53 push ebx
004a9926 83ec20 sub esp,20h
004a9929 8d7dd4 lea edi,[ebp-2Ch]
004a992c b907000000 mov ecx,7
004a9931 33c0 xor eax,eax
004a9933 f3ab rep stos dword ptr es:[edi]
004a9935 33c0 xor eax,eax
004a9937 8945e8 mov dword ptr [ebp-18h],eax
004a993a 33ff xor edi,edi
004a993c c745dc10000000 mov dword ptr [ebp-24h],10h
004a9943 eb0c jmp 004a9951
004a9945 83f806 cmp eax,6
004a9948 7307 jae 004a9951
004a994a ff2485809a4a00 jmp dword ptr [eax*4+4A9A80h]
004a9951 33d2 xor edx,edx
004a9953 8955d8 mov dword ptr [ebp-28h],edx
004a9956 8b1d341f8f02 mov ebx,dword ptr ds:[28F1F34h] ("https://dynamic.12306.cn/otsweb/passCodeAction.do?rand=sjrand")
004a995c b9488e3300 mov ecx,338E48h (MT: v)
004a9961 e8b686d0ff call 001b201c (JitHelp: CORINFO_HELP_NEWSFAST)
004a9966 8bf0 mov esi,eax
004a9968 8b0de0718f02 mov ecx,dword ptr ds:[28F71E0h] ("堞搠眢")
004a996e ba10000000 mov edx,10h
004a9973 e878d7ffff call 004a70f0 (<Module>.b(System.String, Int32), mdToken: 06000001)
004a9978 50 push eax
004a9979 8bd3 mov edx,ebx
004a997b 8bce mov ecx,esi
004a997d ff15bc8c3300 call dword ptr ds:[338CBCh] (az..ctor(System.String, System.String), mdToken: 060000ba)
004a9983 8b0de4718f02 mov ecx,dword ptr ds:[28F71E4h] ("瘞䰠䈢䈤䈦ب嬪䌬䠮ᴰጲ尴娶堸尺堼\?\?㕂\?汆ㅈ\?\?捎煐㩒㡔㙖㹘㹚牜畞婠ቢ塤坦䝨卪䅬佮孰屲彴䱶\?䙺䵼兾뒀")
004a9989 ba10000000 mov edx,10h
004a998e e85dd7ffff call 004a70f0 (<Module>.b(System.String, Int32), mdToken: 06000001)
004a9993 8d5628 lea edx,[esi+28h]
004a9996 e8e5957862 call mscorwks!JIT_WriteBarrierEAX (62c32f80)
004a999b 8bce mov ecx,esi
004a999d ff15808d3300 call dword ptr ds:[338D80h] (az.ad(), mdToken: 060000cb)
004a99a3 8bd8 mov ebx,eax
004a99a5 b803000000 mov eax,3
004a99aa eb99 jmp 004a9945
004a99ac 3903 cmp dword ptr [ebx],eax
004a99ae 837b0400 cmp dword ptr [ebx+4],0
004a99b2 7417 je 004a99cb
004a99b4 8b4b04 mov ecx,dword ptr [ebx+4]
004a99b7 3909 cmp dword ptr [ecx],ecx
*** WARNING: Unable to verify checksum for C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll
004a99b9 e816ed5d61 call System_ni+0xf86d4 (61a886d4) (System.Net.HttpWebResponse.get_StatusCode(), mdToken: 0600202f)
004a99be 3dc8000000 cmp eax,0C8h
004a99c3 0f94c0 sete al
004a99c6 0fb6c0 movzx eax,al
004a99c9 eb02 jmp 004a99cd
004a99cb 33c0 xor eax,eax
004a99cd 85c0 test eax,eax
004a99cf 744d je 004a9a1e
004a99d1 b802000000 mov eax,2
004a99d6 e96affffff jmp 004a9945
*** WARNING: Unable to verify checksum for C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll
004a99db b9f8c9da64 mov ecx,offset System_Drawing_ni+0x5c9f8 (64dac9f8) (MT: System.Drawing.Bitmap)
004a99e0 e891fe7962 call mscorwks!JIT_NewCrossContext (62c49876)
004a99e5 8bf0 mov esi,eax
004a99e7 8bd7 mov edx,edi
004a99e9 8bce mov ecx,esi
004a99eb e81c308e64 call System_Drawing_ni+0x3ca0c (64d8ca0c) (System.Drawing.Bitmap..ctor(System.IO.Stream), mdToken: 06000181)
004a99f0 8975d8 mov dword ptr [ebp-28h],esi
004a99f3 b805000000 mov eax,5
004a99f8 e948ffffff jmp 004a9945
004a99fd 8b4b04 mov ecx,dword ptr [ebx+4]
004a9a00 8b01 mov eax,dword ptr [ecx]
004a9a02 ff5074 call dword ptr [eax+74h]
004a9a05 8bf8 mov edi,eax
004a9a07 33c0 xor eax,eax
004a9a09 e937ffffff jmp 004a9945
004a9a0e 85ff test edi,edi
004a9a10 740c je 004a9a1e
004a9a12 b801000000 mov eax,1
004a9a17 e929ffffff jmp 004a9945