看完题目要求,因为是修改弹出窗口显示内容,所以用ollydbg加载exlpoitme.exe,下MessageBoxA断点。
点击按钮后断下来以后返回程序代码,得到如下程序段:
004002F6 /$ 55 PUSH EBP
004002F7 |. 8BEC MOV EBP,ESP
004002F9 |. 83EC 10 SUB ESP,10
004002FC |. 56 PUSH ESI
004002FD |. 57 PUSH EDI
004002FE |. 33FF XOR EDI,EDI
00400300 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00400303 |. 33F6 XOR ESI,ESI
00400305 |. 897D FC MOV DWORD PTR SS:[EBP-4],EDI
00400308 |. 897D F8 MOV DWORD PTR SS:[EBP-8],EDI
0040030B |. E8 60010000 CALL ExploitM.00400470
00400310 |. 68 6C024000 PUSH ExploitM.0040026C ; ASCII "test.txt"
00400315 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00400318 |. E8 63010000 CALL ExploitM.00400480
0040031D |. 85C0 TEST EAX,EAX
0040031F |. 74 64 JE SHORT ExploitM.00400385
00400321 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00400324 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00400327 |. 50 PUSH EAX
00400328 |. E8 D3010000 CALL ExploitM.00400500
0040032D |. 85C0 TEST EAX,EAX
0040032F |. 74 54 JE SHORT ExploitM.00400385 ; 判断文件是否打开
00400331 |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
00400334 |. 83F9 08 CMP ECX,8
00400337 |. 7E 4C JLE SHORT ExploitM.00400385 ; 判断文件大小是否>0
00400339 |. B8 00100000 MOV EAX,1000
0040033E |. 3BC8 CMP ECX,EAX
00400340 |. 7F 43 JG SHORT ExploitM.00400385 ; 判断文件大小是否<1000H
00400342 |. 6A 40 PUSH 40 ; /Protect = PAGE_EXECUTE_READWRITE
00400344 |. 41 INC ECX ; |
00400345 |. 50 PUSH EAX ; |AllocationType => MEM_COMMIT
00400346 |. 51 PUSH ECX ; |Size
00400347 |. 57 PUSH EDI ; |Address
00400348 |. FF15 24024000 CALL DWORD PTR DS:[<&KERNEL32.VirtualAlloc>] ; \VirtualAlloc
0040034E |. 8BF0 MOV ESI,EAX
00400350 |. 3BF7 CMP ESI,EDI
00400352 |. 74 31 JE SHORT ExploitM.00400385
00400354 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00400357 |. 53 PUSH EBX
00400358 |. 50 PUSH EAX
00400359 |. 56 PUSH ESI
0040035A |. FF75 FC PUSH DWORD PTR SS:[EBP-4]
0040035D |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00400360 |. E8 AB010000 CALL ExploitM.00400510
00400365 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00400368 |. 8BD8 MOV EBX,EAX
0040036A |. E8 61010000 CALL ExploitM.004004D0
0040036F |. 3BDF CMP EBX,EDI
00400371 |. 5B POP EBX
00400372 |. 74 11 JE SHORT ExploitM.00400385
00400374 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00400377 |. 3945 F8 CMP DWORD PTR SS:[EBP-8],EAX
0040037A |. 75 09 JNZ SHORT ExploitM.00400385
0040037C |. 50 PUSH EAX
0040037D |. 56 PUSH ESI
0040037E |. E8 FDFEFFFF CALL ExploitM.00400280
00400383 |. 59 POP ECX
00400384 |. 59 POP ECX
00400385 |> 57 PUSH EDI ; /Style
00400386 |. 68 68024000 PUSH ExploitM.00400268 ; |Title = "Try"
0040038B |. 68 60024000 PUSH ExploitM.00400260 ; |Text = "Failed!"
00400390 |. 57 PUSH EDI ; |hOwner
00400391 |. FF15 4C024000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
00400397 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0040039A |. E8 31010000 CALL ExploitM.004004D0
0040039F |. 3BF7 CMP ESI,EDI
004003A1 |. 74 0D JE SHORT ExploitM.004003B0
004003A3 |. 68 00800000 PUSH 8000 ; /FreeType = MEM_RELEASE
004003A8 |. 57 PUSH EDI ; |Size
004003A9 |. 56 PUSH ESI ; |Address
004003AA |. FF15 20024000 CALL DWORD PTR DS:[<&KERNEL32.VirtualFree>] ; \VirtualFree
004003B0 |> 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
004003B3 |. E8 38010000 CALL ExploitM.004004F0
004003B8 |. 6A 01 PUSH 1
004003BA |. 58 POP EAX
004003BB |. 5F POP EDI
004003BC |. 5E POP ESI
004003BD |. C9 LEAVE
004003BE \. C3 RETN
0040037C |. 50 PUSH EAX
0040037D |. 56 PUSH ESI
0040037E |. E8 FDFEFFFF CALL ExploitM.00400280
00400280 /$ 55 PUSH EBP
00400281 |. 8BEC MOV EBP,ESP
00400283 |. 83EC 2C SUB ESP,2C
00400286 |. 8065 D4 00 AND BYTE PTR SS:[EBP-2C],0
0040028A |. 56 PUSH ESI
0040028B |. 57 PUSH EDI
0040028C |. 6A 0A PUSH 0A
0040028E |. 59 POP ECX
0040028F |. 33C0 XOR EAX,EAX
00400291 |. 8D7D D5 LEA EDI,DWORD PTR SS:[EBP-2B]
00400294 |. 837D 0C 00 CMP DWORD PTR SS:[EBP+C],0
00400298 |. F3:AB REP STOS DWORD PTR ES:[EDI]
0040029A |. 66:AB STOS WORD PTR ES:[EDI]
0040029C |. AA STOS BYTE PTR ES:[EDI]
0040029D |. 7C 51 JL SHORT ExploitM.004002F0
0040029F |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
004002A2 |. 68 A802CC78 PUSH 78CC02A8
004002A7 |. 68 1B8F9469 PUSH 69948F1B
004002AC |. FF76 04 PUSH DWORD PTR DS:[ESI+4]
004002AF |. FF36 PUSH DWORD PTR DS:[ESI]
004002B1 |. E8 0A030000 CALL ExploitM.004005C0
004002B6 |. 68 82FFE65B PUSH 5BE6FF82
004002BB |. 68 854716A5 PUSH A5164785
004002C0 |. 52 PUSH EDX
004002C1 |. 50 PUSH EAX
004002C2 |. E8 79020000 CALL ExploitM.00400540
004002C7 |. 6A 04 PUSH 4
004002C9 |. 8BCE MOV ECX,ESI
004002CB |. 5F POP EDI
004002CC |> 8031 1C /XOR BYTE PTR DS:[ECX],1C
004002CF |. 8A11 |MOV DL,BYTE PTR DS:[ECX]
004002D1 |. 3051 01 |XOR BYTE PTR DS:[ECX+1],DL
004002D4 |. 41 |INC ECX
004002D5 |. 41 |INC ECX
004002D6 |. 4F |DEC EDI
004002D7 |.^ 75 F3 \JNZ SHORT ExploitM.004002CC
004002D9 |. 6A 1A PUSH 1A
004002DB |. 59 POP ECX
004002DC |. 2BC8 SUB ECX,EAX
004002DE |. 0FAFC8 IMUL ECX,EAX
004002E1 |. 81E9 9C000000 SUB ECX,9C
004002E7 |. 85C9 TEST ECX,ECX
004002E9 |. 7E 05 JLE SHORT ExploitM.004002F0
004002EB |. 8D7D D4 LEA EDI,DWORD PTR SS:[EBP-2C]
004002EE |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
004002F0 |> 5F POP EDI
004002F1 |. 33C0 XOR EAX,EAX
004002F3 |. 5E POP ESI
004002F4 |. C9 LEAVE
004002F5 \. C3 RETN
004005C0 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
004005C4 |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
004005C8 |. 0BC8 OR ECX,EAX
004005CA |. 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
004005CE |. 75 09 JNZ SHORT ExploitM.004005D9
004005D0 |. 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
004005D4 |. F7E1 MUL ECX
004005D6 |. C2 1000 RETN 10
004005D9 |> 53 PUSH EBX
004005DA |. F7E1 MUL ECX
004005DC |. 8BD8 MOV EBX,EAX
004005DE |. 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
004005E2 |. F76424 14 MUL DWORD PTR SS:[ESP+14]
004005E6 |. 03D8 ADD EBX,EAX
004005E8 |. 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
004005EC |. F7E1 MUL ECX
004005EE |. 03D3 ADD EDX,EBX
004005F0 |. 5B POP EBX
004005F1 \. C2 1000 RETN 10
00400540 /$ 53 PUSH EBX
00400541 |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
00400545 |. 0BC0 OR EAX,EAX
00400547 |. 75 18 JNZ SHORT ExploitM.00400561
00400549 |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
0040054D |. 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
00400551 |. 33D2 XOR EDX,EDX
00400553 |. F7F1 DIV ECX
00400555 |. 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
00400559 |. F7F1 DIV ECX
0040055B |. 8BC2 MOV EAX,EDX
0040055D |. 33D2 XOR EDX,EDX
0040055F |. EB 50 JMP SHORT ExploitM.004005B1
00400561 |> 8BC8 MOV ECX,EAX
00400563 |. 8B5C24 10 MOV EBX,DWORD PTR SS:[ESP+10]
00400567 |. 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
0040056B |. 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
0040056F |> D1E9 /SHR ECX,1
00400571 |. D1DB |RCR EBX,1
00400573 |. D1EA |SHR EDX,1
00400575 |. D1D8 |RCR EAX,1
00400577 |. 0BC9 |OR ECX,ECX
00400579 |.^ 75 F4 \JNZ SHORT ExploitM.0040056F
0040057B |. F7F3 DIV EBX
0040057D |. 8BC8 MOV ECX,EAX
0040057F |. F76424 14 MUL DWORD PTR SS:[ESP+14]
00400583 |. 91 XCHG EAX,ECX
00400584 |. F76424 10 MUL DWORD PTR SS:[ESP+10]
00400588 |. 03D1 ADD EDX,ECX
0040058A |. 72 0E JB SHORT ExploitM.0040059A
0040058C |. 3B5424 0C CMP EDX,DWORD PTR SS:[ESP+C]
00400590 |. 77 08 JA SHORT ExploitM.0040059A
00400592 |. 72 0E JB SHORT ExploitM.004005A2
00400594 |. 3B4424 08 CMP EAX,DWORD PTR SS:[ESP+8]
00400598 |. 76 08 JBE SHORT ExploitM.004005A2
0040059A |> 2B4424 10 SUB EAX,DWORD PTR SS:[ESP+10]
0040059E |. 1B5424 14 SBB EDX,DWORD PTR SS:[ESP+14]
004005A2 |> 2B4424 08 SUB EAX,DWORD PTR SS:[ESP+8]
004005A6 |. 1B5424 0C SBB EDX,DWORD PTR SS:[ESP+C]
004005AA |. F7DA NEG EDX
004005AC |. F7D8 NEG EAX
004005AE |. 83DA 00 SBB EDX,0
004005B1 |> 5B POP EBX
004005B2 \. C2 1000 RETN 10
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课