--------------------------------------------------------------------------------
0040444D |. 898C24 240400>mov dword ptr [esp+424], ecx
00404454 |> 39AC24 280400>cmp dword ptr [esp+428], ebp
0040445B |. 0F84 C8000000 je 00404529 ; Key nj
00404461 |. 3BCD cmp ecx, ebp
00404463 |. 0F84 C0000000 je 00404529 ; Key nj
00404469 |. 39AC24 2C0400>cmp dword ptr [esp+42C], ebp
00404470 |. 75 21 jnz short 00404493 ; Key nj
00404472 |. 8B9424 200400>mov edx, dword ptr [esp+420]
00404479 |. 8D0C89 lea ecx, dword ptr [ecx+ecx*4]
0040447C |. 8D044A lea eax, dword ptr [edx+ecx*2]
0040447F |. 8B8C24 1C0400>mov ecx, dword ptr [esp+41C]
00404486 |. 3B0C85 4C1442>cmp ecx, dword ptr [eax*4+42144C]
0040448D |. 0F85 96000000 jnz 00404529 ; Key nj
00404493 |> 5F pop edi
------------------------------------------------------------------------------------------
修改后:
0040444D |. 898C24 240400>mov dword ptr [esp+424], ecx
00404454 |> 39AC24 280400>cmp dword ptr [esp+428], ebp
0040445B EB 15 jmp short 00404472 ; Key nj
0040445D 90 nop
0040445E 90 nop
0040445F 90 nop
00404460 90 nop
00404461 |. 3BCD cmp ecx, ebp
00404463 |. 0F84 C0000000 je 00404529 ; Key nj
00404469 |. 39AC24 2C0400>cmp dword ptr [esp+42C], ebp
00404470 |. 75 21 jnz short 00404493 ; Key nj
00404472 |. 8B9424 200400>mov edx, dword ptr [esp+420]
00404479 |. 8D0C89 lea ecx, dword ptr [ecx+ecx*4]
0040447C |. 8D044A lea eax, dword ptr [edx+ecx*2]
0040447F |. 8B8C24 1C0400>mov ecx, dword ptr [esp+41C]
00404486 |. 3B0C85 4C1442>cmp ecx, dword ptr [eax*4+42144C]
0040448D 90 nop ; Key nj
0040448E 90 nop
0040448F 90 nop
00404490 90 nop
00404491 90 nop
00404492 90 nop
00404493 |> 5F pop edi
上面程序在内存修改过后运行正常,但是用HEX编辑软件查找EXE文件内部时,
0040448D 处查到的内容竟然多一个00,实际上是“0F85 96000000 00”
所以我只填充6个NOP不够,程序运行内存错误,又加了一个NOP(一共7个)才正常。
我是新手,没遇到过这个现象。
[课程]Linux pwn 探索篇!
