Environment: Windows XP SP3 in VirtualBox
Remote WinDbg
kd> r gdtr
gdtr=8003f000
kd> db 8003f000
8003f000 00 00 00 00 00 00 00 00-ff ff 00 00 00 9a cf 00 ................
8003f010 ff ff 00 00 00 93 cf 00-ff ff 00 00 00 fa cf 00 ................
8003f020 ff ff 00 00 00 f3 cf 00-ab 20 00 20 04 8b 00 80 ......... . ....
8003f030 01 00 00 f0 df 93 c0 ff-ff 0f 00 00 00 f3 40 00 ..............@.
8003f040 ff ff 00 04 00 f2 00 00-00 00 00 00 00 00 00 00 ................
8003f050 68 00 00 22 55 89 00 80-68 00 68 22 55 89 00 80 h.."U...h.h"U...
8003f060 ff ff 40 2f 02 93 00 00-ff 3f 00 80 0b 92 00 00 ..@/.....?......
8003f070 ff 03 00 70 ff 92 00 ff-ff ff 00 00 40 9a 00 80 ...p........@...
Locally, open a Notepad instance and look at it:
CS = 0x1B 00011011 3
DS = 0x23 00100011 4
ES = 0x23 00100011 4
FS = 0x38 00111000 7
GS = 0x00 00000000 0
SS = 0x23 00100011 4
0:001> dg 1b
P Si Gr Pr Lo
Sel Base Limit Type l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
001B 00000000 ffffffff Code RE 3 Bg Pg P Nl 00000cfa
0:001> dg 23
P Si Gr Pr Lo
Sel Base Limit Type l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0023 00000000 ffffffff Data RW Ac 3 Bg Pg P Nl 00000cf3
0:001> dg 38
P Si Gr Pr Lo
Sel Base Limit Type l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0038 7ffde000 00000fff Data RW Ac 3 Bg By P Nl 000004f3
0:001> ~
0 Id: 6a8.644 Suspend: 1 Teb: 7ffdf000 Unfrozen
. 1 Id: 6a8.6d4 Suspend: 1 Teb: 7ffde000 Unfrozen
How is the Base shown by dg 38 computed?
dg 1b
dg 23 are both fine,
I just don't understand how the base for dg 38 is worked out.
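As an added example (not part of the original post), a Python decoder for the 8-byte descriptors in the `db 8003f000` dump above; it reproduces the Base, Limit and Flags columns that `dg` prints for 1b, 23 and 38, and `with_base` shows how a 32-bit base is spread over descriptor bytes 2, 3, 4 and 7. The dump bytes and the 7ffde000 value are taken from the post; nothing else is assumed.

```python
# GDT bytes from the post's kernel-mode `db 8003f000` dump (8 lines x 16 bytes = 16 descriptors).
KD_DUMP = """\
8003f000 00 00 00 00 00 00 00 00-ff ff 00 00 00 9a cf 00
8003f010 ff ff 00 00 00 93 cf 00-ff ff 00 00 00 fa cf 00
8003f020 ff ff 00 00 00 f3 cf 00-ab 20 00 20 04 8b 00 80
8003f030 01 00 00 f0 df 93 c0 ff-ff 0f 00 00 00 f3 40 00
8003f040 ff ff 00 04 00 f2 00 00-00 00 00 00 00 00 00 00
8003f050 68 00 00 22 55 89 00 80-68 00 68 22 55 89 00 80
8003f060 ff ff 40 2f 02 93 00 00-ff 3f 00 80 0b 92 00 00
8003f070 ff 03 00 70 ff 92 00 ff-ff ff 00 00 40 9a 00 80
"""

def parse_db(dump: str) -> bytes:
    """Turn WinDbg `db` output into raw bytes: drop the address column, tolerate the '-' gap."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.replace("-", " ").split()
        out += bytes(int(h, 16) for h in fields[1:17])
    return bytes(out)

def decode_descriptor(gdt: bytes, selector: int) -> dict:
    """Decode the 8-byte descriptor that `selector` indexes (selector bits 15..3 = index, 2..0 = TI/RPL)."""
    d = gdt[(selector >> 3) * 8:][:8]
    base = d[2] | d[3] << 8 | d[4] << 16 | d[7] << 24   # base is split over bytes 2, 3, 4 and 7
    limit = d[0] | d[1] << 8 | (d[6] & 0x0F) << 16      # 20-bit limit: bytes 0, 1 and low nibble of 6
    if d[6] & 0x80:                                     # G bit set: limit counts 4 KiB pages
        limit = (limit << 12) | 0xFFF
    acc = d[5]                                          # access byte: P, DPL, S, type, accessed
    if not acc & 0x10:
        kind = "System"                                 # S=0: TSS/LDT/gate, type bits differ
    else:
        kind = ("Code " + ("RE" if acc & 0x02 else "EO") if acc & 0x08
                else "Data " + ("RW" if acc & 0x02 else "RO")) + (" Ac" if acc & 0x01 else "")
    return {"base": base, "limit": limit, "type": kind, "dpl": (acc >> 5) & 3,
            "present": bool(acc & 0x80), "flags": (d[6] >> 4) << 8 | acc}  # flags == dg's Flags column

def with_base(descriptor: bytes, new_base: int) -> bytes:
    """Return a copy of the descriptor with only its base field replaced; limit and flags are untouched."""
    d = bytearray(descriptor)
    d[2], d[3], d[4], d[7] = [(new_base >> s) & 0xFF for s in (0, 8, 16, 24)]
    return bytes(d)

if __name__ == "__main__":
    gdt = parse_db(KD_DUMP)
    for sel in (0x1B, 0x23, 0x38):
        e = decode_descriptor(gdt, sel)
        print(f"{sel:04X} base={e['base']:08x} limit={e['limit']:08x} {e['type']} DPL{e['dpl']} flags={e['flags']:08x}")
    # Thread 1's Teb from the post's `~` output, written into the 0x38 descriptor's base field.
    print("0038 after rewrite: base=%08x" % decode_descriptor(with_base(gdt[0x38:0x40], 0x7FFDE000), 0)["base"])
```

In the kernel dump the 0x38 descriptor has base 0: on 32-bit Windows the kernel rewrites that entry's base field to the current thread's TEB on every context switch, and user-mode `dg` reports the descriptor as seen by the current thread (thread 1, Teb 7ffde000 in the `~` listing above).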