DLL download address:
Load it into OD:
00B60957 >/$ 55 PUSH EBP
00B60958 |. 8BEC MOV EBP,ESP
00B6095A |. 53 PUSH EBX
00B6095B |. 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
00B6095E |. 56 PUSH ESI
00B6095F |. 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]
00B60962 |. 57 PUSH EDI
00B60963 |. 8B7D 10 MOV EDI,DWORD PTR SS:[EBP+10]
00B60966 |. 85F6 TEST ESI,ESI
00B60968 |. 75 09 JNZ SHORT For3G.00B60973
00B6096A |. 833D 7CC6B700>CMP DWORD PTR DS:[B7C67C],0
00B60971 |. EB 26 JMP SHORT For3G.00B60999
00B60973 |> 83FE 01 CMP ESI,1
00B60976 |. 74 05 JE SHORT For3G.00B6097D
……
……
====================================================
Set a breakpoint with BP GetModuleHandleA+5, then SHIFT+F9
Lands here:
7C826409 837D 08 00 CMP DWORD PTR SS:[EBP+8],0
7C82640D ^ 0F84 3FC7FFFF JE kernel32.7C822B52
7C826413 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C826416 E8 495C0000 CALL kernel32.7C82C064
7C82641B 85C0 TEST EAX,EAX
7C82641D 74 08 JE SHORT kernel32.7C826427
7C82641F FF70 04 PUSH DWORD PTR DS:[EAX+4]
7C826422 E8 AEFFFFFF CALL kernel32.GetModuleHandleW
7C826427 5D POP EBP
7C826428 C2 0400 RETN 4
7C82642B 90 NOP
……
……
===============================================
Keep pressing SHIFT+F9 and watch the stack for the right moment to return:
0006954C /000697EC
00069550 |00D852CA 返回到 00D852CA 来自 kernel32.GetModuleHandleA
00069554 |000696A0 ASCII "kernel32.dll"
00069558 |0006E9BC
0006955C |8666D38C
==============================================
Now remove the breakpoint and press ALT+F9 to return:
00D852CA 8B0D 3C1EDB00 MOV ECX,DWORD PTR DS:[DB1E3C]
00D852D0 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
00D852D3 A1 3C1EDB00 MOV EAX,DWORD PTR DS:[DB1E3C]
00D852D8 391C06 CMP DWORD PTR DS:[ESI+EAX],EBX
00D852DB 75 16 JNZ SHORT 00D852F3
00D852DD 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
00D852E3 50 PUSH EAX
00D852E4 FF15 B842DA00 CALL DWORD PTR DS:[DA42B8] ; kernel32.LoadLibraryA
00D852EA 8B0D 3C1EDB00 MOV ECX,DWORD PTR DS:[DB1E3C]
00D852F0 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
00D852F3 A1 3C1EDB00 MOV EAX,DWORD PTR DS:[DB1E3C]
00D852F8 391C06 CMP DWORD PTR DS:[ESI+EAX],EBX
00D852FB 0F84 2F010000 JE 00D85430 ================> the magic jump is here
00D85301 33C9 XOR ECX,ECX
00D85303 8B07 MOV EAX,DWORD PTR DS:[EDI]
00D85305 3918 CMP DWORD PTR DS:[EAX],EBX
……
……
=====================================================
After patching the magic jump to JMP 00D85430, set bp GetTickCount and run with Shift+F9 twice
Lands here:
7C82BB9D >^\EB C6 JMP SHORT kernel32.7C82BB65
7C82BB9F 90 NOP
7C82BBA0 90 NOP
7C82BBA1 90 NOP
7C82BBA2 90 NOP
7C82BBA3 90 NOP
7C82BBA4 3B0D 48D1887C CMP ECX,DWORD PTR DS:[7C88D148]
7C82BBAA 0F85 C2D30300 JNZ kernel32.7C868F72
7C82BBB0 F7C1 0000FFFF TEST ECX,FFFF0000
7C82BBB6 0F85 B6D30300 JNZ kernel32.7C868F72
7C82BBBC C3 RETN
7C82BBBD 90 NOP
……
……
=================================================
Remove the breakpoint; ALT+F9 returns here:
00D9AD75 2B85 A0D4FFFF SUB EAX,DWORD PTR SS:[EBP-2B60] ; Formi.009D233B
00D9AD7B 8B8D A4D4FFFF MOV ECX,DWORD PTR SS:[EBP-2B5C]
00D9AD81 6BC9 32 IMUL ECX,ECX,32
00D9AD84 81C1 D0070000 ADD ECX,7D0
00D9AD8A 3BC1 CMP EAX,ECX
00D9AD8C 76 07 JBE SHORT 00D9AD95
00D9AD8E C685 34D9FFFF 0>MOV BYTE PTR SS:[EBP-26CC],1
00D9AD95 83BD E4D7FFFF 0>CMP DWORD PTR SS:[EBP-281C],0
00D9AD9C 0F85 8A000000 JNZ 00D9AE2C
00D9ADA2 0FB685 90D4FFFF MOVZX EAX,BYTE PTR SS:[EBP-2B70]
00D9ADA9 85C0 TEST EAX,EAX
00D9ADAB 74 7F JE SHORT 00D9AE2C
00D9ADAD 6A 00 PUSH 0
00D9ADAF 8B85 94D4FFFF MOV EAX,DWORD PTR SS:[EBP-2B6C]
00D9ADB5 C1E0 02 SHL EAX,2
00D9ADB8 50 PUSH EAX
00D9ADB9 8B85 0CD8FFFF MOV EAX,DWORD PTR SS:[EBP-27F4]
00D9ADBF 0385 8CD4FFFF ADD EAX,DWORD PTR SS:[EBP-2B74]
00D9ADC5 50 PUSH EAX
00D9ADC6 E8 B51C0000 CALL 00D9CA80
00D9ADCB 83C4 0C ADD ESP,0C
00D9ADCE 8B85 94D4FFFF MOV EAX,DWORD PTR SS:[EBP-2B6C]
00D9ADD4 C1E0 02 SHL EAX,2
00D9ADD7 50 PUSH EAX
=================================
According to the 黑鹰三人行 tutorial on unpacking 2.51-3.XX DLLs, at this point it should be possible to search for the following command sequence, but in this DLL it cannot be found:
PUSH EAX
XCHG CX,CX
POP EAX
STC
So the relocation table cannot be located either. The method from that 零位论坛 post does not work either: after patching the magic jump, setting a breakpoint on the reloc section in memory (F2) and running (F9), the program just runs off.
This Armadillo 2.51 - 3.xx DLL Stub -> Silicon Realms Toolworks may be protected very deeply and cannot be unpacked the usual way. Could anyone who is interested give some guidance?
QQ 1172031
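An added example, not part of the original post: an offline check of a dumped code region for the four-instruction sequence named above, with a variant that tolerates NOP padding between the instructions (junk that hides the sequence from an exact search). The image base and the sample bytes are constructed for illustration.

```python
import re

# x86-32 encodings of the four instructions named in the post
# (assumption: this is the byte sequence an exact debugger search looks for).
SEQUENCE = [
    ("PUSH EAX",   b"\x50"),
    ("XCHG CX,CX", b"\x66\x87\xc9"),
    ("POP EAX",    b"\x58"),
    ("STC",        b"\xf9"),
]


def exact_pattern() -> bytes:
    """Concatenate the instruction encodings into one contiguous signature."""
    return b"".join(enc for _, enc in SEQUENCE)


def find_sequence(buf: bytes, max_nops: int = 0, base: int = 0) -> list:
    """Return addresses (base + offset) where the sequence occurs in buf.

    With max_nops > 0, up to that many NOP (0x90) bytes may sit between
    consecutive instructions, so a padded copy is still reported."""
    gap = b"(?:\x90){0,%d}" % max_nops
    pattern = gap.join(re.escape(enc) for _, enc in SEQUENCE)
    return [base + m.start() for m in re.finditer(pattern, buf)]


# Constructed sample dump: junk, the exact sequence, more junk,
# then a copy with NOPs inserted between the instructions.
SAMPLE = (
    b"\x8b\xec\x90\x90"
    + exact_pattern()                        # offset 4
    + b"\xc3\x00\x00"
    + b"\x50\x90\x90\x66\x87\xc9\x58\x90\xf9"  # offset 13, padded
    + b"\xcc"
)
IMAGE_BASE = 0x00D80000  # constructed value, not the DLL's real base

if __name__ == "__main__":
    for nops in (0, 2):
        hits = find_sequence(SAMPLE, max_nops=nops, base=IMAGE_BASE)
        print(f"max_nops={nops}: {[hex(h) for h in hits]}")
```

The exact search reports only the first copy; allowing two NOPs between instructions also reports the padded copy.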