[Original] CVE-2017-14627: debugging and analysis of the stack overflow vulnerability and its exploit

Posted: 2022-11-28 20:13
"What you learn from paper is always shallow; to truly understand a thing you must do it yourself." -- Lu You

I have nearly finished 《漏洞战争》 (Vulnerability Wars) and followed the book through each of its vulnerability analyses. Although I did some thinking of my own along the way, the great majority of it was replicating the steps in the book. With my limited knowledge I sometimes could not even understand a given step and could only follow along, and only near the end of an analysis did it suddenly make sense. Whenever I started the next vulnerability in the book I had no idea where to begin. So I wanted to analyze a vulnerability on my own and, along the way, consolidate what I have learned.

CyberLink LabelPrint is a quick and easy disc label creation tool that supports the latest LightScribe disc cover burning technology. A stack-based buffer overflow in CyberLink LabelPrint 2.5 allows remote attackers to execute arbitrary code via the (1) author (inside the INFORMATION tag), (2) name (inside the INFORMATION tag), (3) artist (inside the TRACK tag) or (4) default (inside the TEXT tag) parameter of an lpp project file.

Exploit code for this vulnerability is integrated in Metasploit; we generate an exploit that pops the calculator:

Opening the generated exploit and going by the vulnerability description, we can tell that the stack overflow is caused by the name attribute:

Opening the exploit, calc pops up successfully; the next step is to analyze the cause of the vulnerability.

First run LabelPrint, then open windbg, attach it to the running LabelPrint.exe, and open msf.lpp. Opening the file triggers the exception:

This happens during the call to MSVCR71!wcscpy: while copying memory to the stack in a loop, the size of the data being copied is never checked, so the copy runs into the read-only memory region at 00130000 and finally raises the exception. Let us also look at what has happened to the stack:

The stack has been destroyed. Disassembling MSVCR71!wcscpy:

wcscpy has no stack frame of its own and performs no operation that changes the stack, so the top of the stack must hold the return address.

The function calls wcscpy at address 004657c2 to do the copy; we will tentatively call this function vulfunc. Opening it in IDA:

Now that the vulnerable function is identified, re-attach and set a breakpoint at the entry of vulfunc:

After it breaks, continuing makes it break again; only when we continue after the 5th break is the exception triggered.

Reload, and at the 5th break inspect esp to determine the call chain:

The function at address 00410c21 calls vulfunc. Looking at that function in IDA:

Now we know why vulfunc is called 5 times, and these attributes correspond one-to-one with those in the exploit. But vulfunc still passes two if checks before finally executing wcscpy, so to pin down the execution path we have to analyze vulfunc. Reload, break at the entry of vulfunc again, and at the 5th break single-step to trace the execution path:

The corresponding C code is as follows:

First VariantInit initializes pvarg. pvarg is of the Variant type. Variant is a special data type that can hold any kind of data except fixed-length String data and user-defined types; Variant can also hold the special values Empty, Error, Nothing and Null. The VARIANT structure contains two fields (ignoring the reserved ones): the vt field describes the data type of the second field.

Then the DOMNamedNodeMapList object and its vtable pointer are fetched.

Continuing:

The corresponding C code is as follows:

Above, DOMNamedNodeMapList::getNamedItem is called and the DOMNode object is passed to v10. Continuing to trace:

The corresponding C code is as follows:

VarType is as follows:

From the above, the call to DOMNode::get_nodeValue sets pvarg.vt to 8 and places the value of the name attribute in pvarg.bstrVal.

Next come a few value transfers:

Finally the copy function is called; before that we need to determine the copy's destination address:

The destination address of the copy is 0012e8a8.

Because the program never computes the space the attribute value needs when it calls vulfunc to read it, the copy ends up overflowing.
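As an added illustration (not LabelPrint's code), here is the copy pattern vulfunc uses, side by side with a bounds-checked replacement that rejects an attribute value that would not fit; ATTR_BUF_WCHARS and the function names are assumptions made for the demo:

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

#define ATTR_BUF_WCHARS 256   /* assumed capacity of the fixed-size stack buffer */

/* The pattern found in vulfunc: the VT_BSTR value is copied with wcscpy,
 * which stops only at the terminating NUL, so a long attribute overruns the
 * destination and everything above it on the stack (the SEH record included). */
void unsafe_copy_attr(wchar_t *dst, const wchar_t *src)
{
    wcscpy(dst, src ? src : L"");
}

/* Bounded length: counts at most 'limit' characters and never reads past them. */
static size_t bounded_wlen(const wchar_t *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != L'\0')
        n++;
    return n;
}

/* Returns 1 if 'src' plus its terminator fits in dst_wchars characters. */
int attr_fits(const wchar_t *src, size_t dst_wchars)
{
    if (dst_wchars == 0)
        return 0;
    if (src == NULL)
        return 1;
    return bounded_wlen(src, dst_wchars) < dst_wchars;
}

/* Hardened copy: reject values that do not fit instead of truncating silently,
 * so a malformed project file fails to load rather than corrupting the stack.
 * Returns 0 on success, -1 when rejected; dst is always NUL-terminated. */
int safe_copy_attr(wchar_t *dst, size_t dst_wchars, const wchar_t *src)
{
    if (dst == NULL || dst_wchars == 0)
        return -1;
    dst[0] = L'\0';
    if (src == NULL)
        return 0;                         /* absent attribute -> empty string */
    if (!attr_fits(src, dst_wchars))
        return -1;
    size_t n = bounded_wlen(src, dst_wchars);
    memcpy(dst, src, (n + 1) * sizeof(wchar_t));
    return 0;
}

/* Self-check on constructed inputs (nothing here comes from a real .lpp file):
 * a normal title copies, an oversized 0x42-filled value is refused. */
int demo(void)
{
    wchar_t buf[ATTR_BUF_WCHARS];
    wchar_t big[ATTR_BUF_WCHARS * 4];
    size_t i;
    for (i = 0; i < ATTR_BUF_WCHARS * 4 - 1; i++)
        big[i] = L'B';                    /* same 0x42 filler the exploit uses as junk */
    big[i] = L'\0';

    if (safe_copy_attr(buf, ATTR_BUF_WCHARS, L"My Disc") != 0) return 0;
    if (wcscmp(buf, L"My Disc") != 0) return 0;
    if (safe_copy_attr(buf, ATTR_BUF_WCHARS, big) != -1) return 0;
    if (buf[0] != L'\0') return 0;        /* rejected copy leaves a clean buffer */
    unsafe_copy_attr(buf, L"My Disc");    /* only safe because this input is short */
    return wcscmp(buf, L"My Disc") == 0;
}
```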
The source is as follows:

The exploit uses 0x42 as a nop and one random character from ABC as filler. The code above, tidied up, looks like this:

Next we single-step to determine what each block does.

First 790 bytes of junk are used as filler, then 0x61,0x42 overwrites the SEH pointer, which can be seen at address 0x12EED4, and target['Ret'] overwrites the SEH handler:

When the overwrite reaches address 0x00130000 the exception is raised and execution enters 0044002c:

The stack at this point is as follows; after two pops, ret returns to 0x12EED4:

That lands exactly on the SEH structure we overwrote. 0x61 is popad; executing it raises our esp. Note that edi is 0012EED4 at this point.

The register state after this block finishes:

This block simply raises esp to 0x0012f655. What is the point of raising it, and why this address? The msf comment on this block says we need to encode the RET address because RET (\xc3) is a bad character. For now we can only note this address and keep analyzing.

The stack at this point is as follows:

0012EED4 is written to address 0012F651; msf explains this as stack alignment. Setting that aside, C300C300 is then written to address 0012F64D. It seems all of the esp manipulation above exists just so that C300C300 can be written to address 0012F64D. As explained above, 0xc3 is the ret instruction. Looking at address 0012F64D+1 in the disassembly window, the instruction there has become ret. Why not write a c3 instruction directly instead of going to all this trouble to produce 0xC3? Changing any byte in msf.lpp to 0xC3 and opening the file in the program shows the error "An error occurred while loading the project settings. Please make sure the project type you selected is correct."

This block takes the 0012EED4 stored at address 0012F651 into eax, raises eax to 0012F6D4 and pushes it onto the stack:

Why this is done needs further analysis.

pop esp: so the previous block was there to move eax into esp; esp is now 0012F6D4, and the stack looks like this:

The following pop eax takes the 0x0032007B at 0012F6D4 into eax. Does 0x0032007B look familiar? Look at the end of the fifth block:

0x0032007B was placed there in advance. A sequence of operations then turns eax into 7C32537B and pushes it:

Execution then proceeds until the ret instruction at address 0012F64E. Following the ret into 7C32537B, we find a call esp, and esp at that moment is 0012F6D8.

Now we understand that placing 0x0032007B at address 0012F6D4 in advance was no arbitrary choice. We both obtained 0x0032007B and raised the stack to 0012F6D4; the subsequent operations only make small adjustments to the stack. Finally the call esp at 7C32537B makes the program jump to 0012F6D8, from where execution slides along into the sixth block.

The first two instructions here can be read as assigning edi to eax. Where does edi's value come from? Remember the popad at the very beginning, which set edi to 0012EED4. Continuing, eax is manipulated a little and, after a nop, we finally reach our payload; eax and eip both point at it. The payload turns out to be encoded, so nothing in it is readable. Tracing into it, the head of the payload contains a decoder routine, which I will not go into here. Finally the calculator pops up.

I could not find anyone else online who has analyzed this vulnerability, so some parts of the analysis may be wrong; corrections from the experts are welcome. I wanted to share my research while learning; my writing may be a bit rough, so please bear with me.
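For triage on the defensive side, here is an added example (mine, not from the page or from LabelPrint) that scans the text of an .lpp project for the four attributes named in the vulnerability description and flags any value too long to be a legitimate label field; it assumes attributes are written as space-separated name="value" pairs, and MAX_ATTR_CHARS is an assumed threshold:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed threshold: values longer than this are far beyond any real label
 * text and are flagged. LabelPrint copies them into fixed-size stack buffers. */
#define MAX_ATTR_CHARS 512

/* The four attributes listed for CVE-2017-14627 (INFORMATION/TRACK/TEXT tags). */
static const char *const WATCHED[] = { "author", "name", "artist", "default" };

/* Scans an .lpp (XML text) buffer and returns the number of watched attribute
 * values whose length exceeds MAX_ATTR_CHARS. Plain substring matching on the
 * pattern ' attr="' is used; this is a triage aid, not an XML parser. */
int count_oversized_attrs(const char *xml)
{
    int hits = 0;
    for (size_t a = 0; a < sizeof WATCHED / sizeof WATCHED[0]; a++) {
        char key[32];
        snprintf(key, sizeof key, " %s=\"", WATCHED[a]);   /* e.g. ' name="' */
        const char *p = xml;
        while ((p = strstr(p, key)) != NULL) {
            p += strlen(key);
            const char *end = strchr(p, '"');              /* closing quote */
            if (end == NULL)
                break;                                     /* unterminated value */
            if ((size_t)(end - p) > MAX_ATTR_CHARS)
                hits++;
            p = end + 1;
        }
    }
    return hits;
}

/* Builds a constructed .lpp-like fragment (not a real project file) with a
 * normal author, a 1000 x 'B' name value and a normal artist, then scans it.
 * Expected: exactly one oversized attribute. */
int demo_scan(void)
{
    static char xml[2048];
    size_t n = 0;
    n += (size_t)snprintf(xml + n, sizeof xml - n,
                          "<INFORMATION author=\"Alice\" name=\"");
    memset(xml + n, 'B', 1000);                            /* 0x42 filler */
    n += 1000;
    n += (size_t)snprintf(xml + n, sizeof xml - n,
                          "\"><TRACK artist=\"Bob\"/></INFORMATION>");
    return count_oversized_attrs(xml);
}
```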
https://www.exploit-db.com/exploits/45985
https://baike.baidu.com/item/Variant/4668832?fr=aladdin
| Environment used | | Notes |
|---|---|---|
| Operating system | Windows 7 x32 SP1 | Simplified Chinese edition |
| Vulnerable software | CyberLink LabelPrint | Version 2.5.0.12508 |
windbg output when the exception fires, followed by `!address` on the faulting page:

```
(f44.968): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07220042 ebx=01571fb0 ecx=00130000 edx=0722807c esi=01571ae8 edi=00000000
eip=7c37042b esp=0012e16c ebp=0012eee4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\CyberLink\LabelPrint\MSVCR71.dll -
MSVCR71!wcscpy+0xb:
7c37042b 668901          mov     word ptr [ecx],ax        ds:0023:00130000=6341
0:000> !address 00130000
Failed to map Heaps (error 80004005)
Usage:                  MemoryMappedFile
Allocation Base:        00130000
Base Address:           00130000
End Address:            00134000
Region Size:            00004000
Type:                   00040000   MEM_MAPPED
State:                  00001000   MEM_COMMIT
Protect:                00000002   PAGE_READONLY
Mapped file name:       PageFile
```
Stack backtrace (`kb`) at the exception; the frames are filled with the 0x42 bytes copied from the file:

```
0:000> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012eee4 0001001b 002d0042 00010001 00500042 MSVCR71!wcscpy+0xb
0012eee8 002d0042 00010001 00500042 005c0042 0x1001b
0012eeec 00010001 00500042 005c0042 00250042 0x2d0042
0012eef0 00500042 005c0042 00250042 007e007e 0x10001
0012eef4 005c0042 00250042 007e007e 00250042 0x500042
0012eef8 00250042 007e007e 00250042 00010001 0x5c0042
0012eefc 007e007e 00250042 00010001 00350042 0x250042
0012ef00 00250042 00010001 00350042 007f007f 0x7e007e
0012ef04 00010001 00350042 007f007f 00050042 0x250042
0012ef08 00350042 007f007f 00050042 00440044 0x10001
0012ef0c 007f007f 00050042 00440044 00570042 0x350042
0012ef10 00050042 00440044 00570042 00500042 0x7f007f
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\CyberLink\LabelPrint\LabelPrint.exe
0012ef14 00440044 00570042 00500042 00420042 0x50042
0012ef18 00570042 00500042 00420042 00420042 LabelPrint+0x40044
0012ef1c 00500042 00420042 00420042 00420042 0x570042
0012ef20 00420042 00420042 00420042 00420042 0x500042
0012ef24 00420042 00420042 00420042 00420042 LabelPrint+0x20042
0012ef28 00420042 00420042 00420042 00420042 LabelPrint+0x20042
0012ef2c 00420042 00420042 00420042 00420042 LabelPrint+0x20042
0012ef30 00420042 00420042 00420042 00420042 LabelPrint+0x20042
0012ef34 00420042 00420042 00420042 00420042 LabelPrint+0x20042
0012ef38 00420042 00420042 00420042 00420042 LabelPrint+0x20042
0012ef3c 00420042 00420042 00420042 00420042 LabelPrint+0x20042
0012ef40 00420042 00420042 00420042 00420042 LabelPrint+0x20042
0012ef44 00420042 00420042 00420042 00420042 LabelPrint+0x20042
0012ef48 00420042 00420042 00420042 00420042 LabelPrint+0x20042
0012ef4c 00420042 00420042 00420042 00420042 LabelPrint+0x20042
0012ef50 00420042 00420042 00420042 00420042 LabelPrint+0x20042
0012ef54 00420042 00420042 00420042 00420042 LabelPrint+0x20042
0012ef58 00420042 00420042 00420042 00420042 LabelPrint+0x20042
........
```
Disassembly of MSVCR71!wcscpy:

```
0:000> u MSVCR71!wcscpy
MSVCR71!wcscpy:
7c370420 8b4c2404        mov     ecx,dword ptr [esp+4]
7c370424 8b542408        mov     edx,dword ptr [esp+8]
7c370428 668b02          mov     ax,word ptr [edx]
7c37042b 668901          mov     word ptr [ecx],ax
7c37042e 41              inc     ecx
7c37042f 41              inc     ecx
7c370430 42              inc     edx
7c370431 42              inc     edx
0:000> u
MSVCR71!wcscpy+0x12:
7c370432 6685c0          test    ax,ax
7c370435 75f1            jne     MSVCR71!wcscpy+0x8 (7c370428)
7c370437 8b442404        mov     eax,dword ptr [esp+4]
7c37043b c3              ret
```
Return address on top of the stack, the call site at 004657c2, and the import slot it calls through:

```
0:000> dd esp
0012e16c  004657c8 0012e8a8 07226924 75c13e59
0012e17c  01cba6c0 00120008 75c14677 0721f3dc
0012e18c  002962e0 0012eed4 0048b218 00000000
0012e19c  00410c26 01571ae8 0012e8a8 0012f360
0012e1ac  01571fb0 00000000 00369008 01cba490
0012e1bc  01cba4ac 01cbabd0 0726eda0 0012e234
0012e1cc  01cba458 00000000 00000000 01cba3c8
0012e1dc  05c755dc 760dc744 0012e204 75db3a0c
0:000> ub 004657c8
LabelPrint+0x657b4:
004657b4 7404            je      LabelPrint+0x657ba (004657ba)
004657b6 8b06            mov     eax,dword ptr [esi]
004657b8 eb02            jmp     LabelPrint+0x657bc (004657bc)
004657ba 33c0            xor     eax,eax
004657bc 8b4c242c        mov     ecx,dword ptr [esp+2Ch]
004657c0 50              push    eax
004657c1 51              push    ecx
004657c2 ff150cf14800    call    dword ptr [LabelPrint+0x8f10c (0048f10c)]
0:000> dd 0048f10c
0048f10c  7c370420 7c378a5d 7c379aca 7c3639fc
0048f11c  7c372806 7c38ab8d 7c38b668 7c3901c4
0048f12c  7c370223 7c36240d 7c37043c 7c3745a0
0048f13c  7c391173 7c3902cd 7c375867 7c391a3e
0048f14c  7c390c31 7c39108f 7c37056a 7c386655
0048f15c  7c3704ff 7c378ad2 7c378b03 7c378aeb
0048f16c  7c3703f6 00000000 75c14642 75c13e59
0048f17c  75c13eae 75c36ba7 75c145d2 75c13ed5
0:000> u 7c370420
MSVCR71!wcscpy:
7c370420 8b4c2404        mov     ecx,dword ptr [esp+4]
7c370424 8b542408        mov     edx,dword ptr [esp+8]
7c370428 668b02          mov     ax,word ptr [edx]
7c37042b 668901          mov     word ptr [ecx],ax
7c37042e 41              inc     ecx
7c37042f 41              inc     ecx
7c370430 42              inc     edx
7c370431 42              inc     edx
```
IDA pseudocode of vulfunc:

```c
int __thiscall vulfunc(_DWORD **this, _DWORD *a2, wchar_t *Destination)
{
  .....
  v10 = 0;
  VariantInit(&pvarg);
  v4 = *this[2];
  v9 = this[2];
  v12 = 0;
  if ( (*(int (__stdcall **)(_DWORD *, _DWORD *, int *))(v4 + 28))(v9, a2, &v10) >= 0 && v10 )
  {
    (*(void (__stdcall **)(int, VARIANTARG *))(*(_DWORD *)v10 + 32))(v10, &pvarg);
    if ( pvarg.vt == 8 )
    {
      sub_4652C0(&pvarg);
      v5 = a2 ? (const wchar_t *)*a2 : 0;
      wcscpy(Destination, v5);              // this copy causes the exception
      if ( a2 )
        sub_40D110(a2);
    }
    VariantClear(&pvarg);
    (*(void (__stdcall **)(int))(*(_DWORD *)v10 + 8))(v10);
  }
  v12 = -1;
  v6 = VariantClear(&pvarg);
  if ( v6 < 0 )
    sub_483340(v6);
  return 0;
}
.....
```
Attaching, setting the breakpoint at the entry of vulfunc (00465730) and continuing until the first hit:

```
(a34.5ac): Break instruction exception - code 80000003 (first chance)
eax=7ff9b000 ebx=00000000 ecx=00000000 edx=76faec83 esi=00000000 edi=00000000
eip=76f43c48 esp=0736ff5c ebp=0736ff88 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
76f43c48 cc              int     3
0:016> bp 00465730
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\CyberLink\LabelPrint\LabelPrint.exe
0:016> g
ModLoad: 6da60000 6dab8000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 6e710000 6e741000   C:\Windows\system32\EhStorShell.dll
ModLoad: 6e6a0000 6e70a000   C:\Windows\System32\cscui.dll
ModLoad: 6e7e0000 6e7e9000   C:\Windows\System32\CSCDLL.dll
ModLoad: 6fa00000 6fa0b000   C:\Windows\system32\CSCAPI.dll
ModLoad: 6e630000 6e6a0000   C:\Windows\system32\ntshrui.dll
ModLoad: 74cb0000 74cc9000   C:\Windows\system32\srvcli.dll
ModLoad: 73620000 7362a000   C:\Windows\system32\slc.dll
ModLoad: 6e620000 6e626000   C:\Windows\system32\IconCodecService.dll
ModLoad: 71590000 715ec000   C:\Windows\System32\StructuredQuery.dll
ModLoad: 6e300000 6e34e000   C:\Windows\system32\actxprxy.dll
ModLoad: 6acf0000 6ad1b000   C:\Program Files\Internet Explorer\ieproxy.dll
ModLoad: 72430000 72446000   C:\Windows\system32\thumbcache.dll
ModLoad: 6dfc0000 6dfee000   C:\Windows\system32\SHDOCVW.dll
ModLoad: 697f0000 69890000   C:\Windows\system32\SearchFolder.dll
ModLoad: 6ca60000 6cbf8000   C:\Windows\system32\NetworkExplorer.dll
ModLoad: 6f4d0000 6f4d9000   C:\Windows\system32\LINKINFO.dll
ModLoad: 73120000 7312f000   C:\Windows\system32\samcli.dll
ModLoad: 73f80000 73f92000   C:\Windows\system32\SAMLIB.dll
ModLoad: 732c0000 732c9000   C:\Windows\system32\netutils.dll
Breakpoint 0 hit
eax=0710591c ebx=01651fb0 ecx=0012e1b8 edx=00000002 esi=75c13e59 edi=00000000
eip=00465730 esp=0012e19c ebp=0012eee4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
LabelPrint+0x65730:
00465730 6aff            push    0FFFFFFFFh
```
Five hits of the vulfunc breakpoint; continuing after the fifth one triggers the access violation:

```
Breakpoint 0 hit
eax=0710591c ebx=01651fb0 ecx=0012e1b8 edx=00000002 esi=75c13e59 edi=00000000
eip=00465730 esp=0012e19c ebp=0012eee4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
LabelPrint+0x65730:
00465730 6aff            push    0FFFFFFFFh
0:000> g
Breakpoint 0 hit
eax=0710578c ebx=01651fb0 ecx=0012e1b8 edx=00000000 esi=75c13e59 edi=00000000
eip=00465730 esp=0012e19c ebp=0012eee4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
LabelPrint+0x65730:
00465730 6aff            push    0FFFFFFFFh
0:000> g
Breakpoint 0 hit
eax=0710591c ebx=01651fb0 ecx=0012e1b8 edx=00000000 esi=75c13e59 edi=00000000
eip=00465730 esp=0012e19c ebp=0012eee4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
LabelPrint+0x65730:
00465730 6aff            push    0FFFFFFFFh
0:000> g
Breakpoint 0 hit
eax=0710578c ebx=01651fb0 ecx=0012e1b8 edx=00000000 esi=75c13e59 edi=0012e6a0
eip=00465730 esp=0012e19c ebp=0012eee4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
LabelPrint+0x65730:
00465730 6aff            push    0FFFFFFFFh
0:000> g
Breakpoint 0 hit
eax=0710591c ebx=01651fb0 ecx=0012e1b8 edx=0012e8a8 esi=75c13e59 edi=00000000
eip=00465730 esp=0012e19c ebp=0012eee4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
LabelPrint+0x65730:
00465730 6aff            push    0FFFFFFFFh
0:000> g
(a34.238): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07190042 ebx=01651fb0 ecx=00130000 edx=07193bec esi=01651ae8 edi=00000000
eip=7c37042b esp=0012e16c ebp=0012eee4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\CyberLink\LabelPrint\MSVCR71.dll -
MSVCR71!wcscpy+0xb:
7c37042b 668901          mov     word ptr [ecx],ax        ds:0023:00130000=6341
```
At the fifth hit: the return address 00410c26 on top of the stack and the caller's code leading up to the call of vulfunc:

```
Breakpoint 0 hit
eax=06eafea4 ebx=01581fb0 ecx=0012e1b8 edx=0012e8a8 esi=75c13e59 edi=00000000
eip=00465730 esp=0012e19c ebp=0012eee4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
LabelPrint+0x65730:
00465730 6aff            push    0FFFFFFFFh
0:000> dd esp
0012e19c  00410c26 06eafea4 0012e8a8 0012f360
0012e1ac  01581fb0 00000000 06dcd8c0 01afa490
0012e1bc  01afa4ac 01afabd0 06e26658 0012e234
0012e1cc  01afa458 00000000 00000000 01afa3c8
0012e1dc  06e0d464 760dc744 0012e204 75db3a0c
0012e1ec  06e389fe 00000000 0012e234 00000000
0012e1fc  00000000 06eafea4 0012e220 06eafef4
0012e20c  06e389fe 06eafea4 0012e234 06eafef4
0:000> ub 00410c26
LabelPrint+0x10c05:
00410c05 e836b6ffff      call    LabelPrint+0xc240 (0040c240)
00410c0a 8b00            mov     eax,dword ptr [eax]
00410c0c 8d942400070000  lea     edx,[esp+700h]
00410c13 52              push    edx
00410c14 50              push    eax
00410c15 8d4c2418        lea     ecx,[esp+18h]
00410c19 c684243c0d000024 mov     byte ptr [esp+0D3Ch],24h
00410c21 e80a4b0500      call    LabelPrint+0x65730 (00465730)   ; calls vulfunc
```
IDA pseudocode of the caller; vulfunc is invoked five times, once per attribute, with the fifth call reading name:

```c
....
v123 = *(_DWORD **)sub_40C240((OLECHAR *)L"title");
LOBYTE(STACK[0xD30]) = 32;
vulfunc(&p_bstrString, v123, (wchar_t *)(a1 + 5876));   // 1
v151 = a18;
LOBYTE(STACK[0xD30]) = 0;
a2(v151);
v124 = *(_DWORD **)sub_40C240((OLECHAR *)L"author");
LOBYTE(STACK[0xD30]) = 33;
vulfunc(&p_bstrString, v124, (wchar_t *)(a1 + 6396));   // 2
v152 = a20;
LOBYTE(STACK[0xD30]) = 0;
a2(v152);
v125 = *(_DWORD **)sub_40C240((OLECHAR *)L"date");
LOBYTE(STACK[0xD30]) = 34;
vulfunc(&p_bstrString, v125, (wchar_t *)(a1 + 6916));   // 3
v153 = a22;
LOBYTE(STACK[0xD30]) = 0;
a2(v153);
LOWORD(STACK[0x2EC]) = 0;
memset(&STACK[0x2EE], 0, 0x204u);
LOWORD(STACK[0x4F2]) = 0;
v126 = *(_DWORD **)sub_40C240((OLECHAR *)L"SystemTime");
LOBYTE(STACK[0xD30]) = 35;
vulfunc(&p_bstrString, v126, (wchar_t *)&STACK[0x2EC]); // 4
......
v106 = *(_DWORD **)sub_40C240((OLECHAR *)L"name");
LOBYTE(STACK[0xD28]) = 36;
vulfunc(&v156, v106, (wchar_t *)&STACK[0x6F4]);         // 5
```
Register state at the fifth hit and the memory eax points to (the attribute name being looked up):

```
eax=06eafea4 ebx=01581fb0 ecx=0012e1b8 edx=0012e8a8 esi=75c13e59 edi=00000000
eip=00465730 esp=0012e19c ebp=0012eee4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
LabelPrint+0x65730:
00465730 6aff            push    0FFFFFFFFh
0:000> dc eax
06eafea4  0061006e 0065006d 00320000 00310030  n.a.m.e...2.0.1.
06eafeb4  00000035 0000004e 00000000 72b6d559  5...N.......Y..r
06eafec4  80000000 0061006b 00650062 0050006c  ....k.a.b.e.l.P.
06eafed4  00690072 0074006e 00460020 006c0069  r.i.n.t. .F.i.l.
06eafee4  00000065 72b6d55c 88000000 00000014  e...\..r........
06eafef4  00790053 00740073 006d0065 00690054  S.y.s.t.e.m.T.i.
06eaff04  0065006d 00000000 00000000 72b6d563  m.e.........c..r
06eaff14  80000000 0061007a 00650062 0050006c  ....z.a.b.e.l.P.
.......
```
Single-stepping inside vulfunc: the call to VariantInit, then fetching the DOMNamedNodeMapList object and its vtable:

```
eax=0012e180 ebx=01581fb0 ecx=0012e1b8 edx=0012e8a8 esi=0012e1b8 edi=00000000
eip=00465758 esp=0012e174 ebp=0012eee4 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
LabelPrint+0x65758:
00465758 ff1588f14800    call    dword ptr [LabelPrint+0x8f188 (0048f188)] ds:0023:0048f188={OLEAUT32!VariantInit (75c13ed5)}
0:000> p
eax=00000000 ebx=01581fb0 ecx=0012e180 edx=0012e8a8 esi=0012e1b8 edi=00000000
eip=0046575e esp=0012e178 ebp=0012eee4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LabelPrint+0x6575e:
0046575e 8b4608          mov     eax,dword ptr [esi+8] ds:0023:0012e1c0=01afabd0
0:000> p
eax=01afabd0 ebx=01581fb0 ecx=0012e180 edx=0012e8a8 esi=0012e1b8 edi=00000000
eip=00465761 esp=0012e178 ebp=0012eee4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LabelPrint+0x65761:
00465761 8b08            mov     ecx,dword ptr [eax]  ds:0023:01afabd0={msxml3!DOMNamedNodeMapList::`vftable' (6927cc90)}
```