When the ESP law cannot be used: the EBP method

Source: Internet
Author: User

1. Understand the EBP register

The CPU has many general-purpose registers, and in principle they are interchangeable, but long programming practice has given each a conventional role: EAX usually carries the return value, ECX is used as a counter, and so on. In the Win32 environment EBP holds the value ESP had on entry to a call, so that on exit ESP can be restored from it and the stack stays balanced.

As mentioned earlier in the application:

The OEP of the original program usually begins with push ebp / mov ebp, esp. Everyone knows what these two instructions mean: EBP takes over the ESP value and becomes the pointer into the stack frame.

Why does nearly every program start this way? Anyone who has written C knows that the program begins in a main function, and the most important thing during a function call is to keep the stack balanced. In the Win32 environment this is done as follows:

1. Save the ESP value in EBP (push ebp / mov ebp, esp);

2. At the end of the call, restore it:

Mov esp, ebp
Pop ebp

The two instructions together do one thing: put ESP back to the value saved in EBP right after the push ebp, then pop the caller's EBP.
The advantage is that you never need to count how many PUSHes and POPs happened in between, or work out what ESP should equal, because EBP holds the ESP value from the beginning.

2. The extended ESP law

When looking for the OEP, a hardware breakpoint on ESP-4 (HW ESP-4) often fails to break. Apart from the shell code deleting the hardware breakpoint, it is very likely that by the time the shell reaches the OEP its ESP is no longer the ESP value it had at the EP (12FFC4). In that case the breakpoint naturally never fires.

The key is how to find the stack value (ESP) at the moment the shell arrives at the OEP.

What we make use of here is

Push EBP
MOV Ebp, Esp ---- this is the key instruction

When the program reaches the OEP, push ebp subtracts 4 from ESP, and mov ebp, esp then copies that ESP-4 into EBP. Within this "top-level program" the EBP register, whose job is to hold that ESP value, never changes: it may change temporarily inside a sub-call (for that call's own stack balancing), but when the sub-call exits the original EBP is restored by the pop ebp in its epilogue.

Taking this instruction as the breakthrough: as long as we can break anywhere inside the "top-level program", we can read from EBP the ESP value the shell had between its final JMP and the OEP. ESP at the OEP is EBP + 4, and the value in EBP itself is the address of the dword that push ebp writes, which is where the hardware breakpoint goes.
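As an added example (not part of the original article), the following Python model reproduces the stack discipline described above: push/pop, the push ebp / mov ebp, esp prologue, the mov esp, ebp / pop ebp epilogue, and call/ret on a dictionary-backed stack. The addresses and the nesting of calls are constructed; what it shows is that EBP in the top-level frame survives any number of sub-calls (while EBP inside those calls is different), so ESP at the OEP can be recovered as EBP + 4, and EBP itself is the dword that push ebp wrote, i.e. the hardware-breakpoint address.

```python
# Added example, not from the original article: a minimal model of the
# Win32 stack discipline (push/pop, prologue, epilogue, call/ret).
# Addresses and the nesting of calls are constructed for illustration.

class StackMachine:
    """Four-byte stack slots in a dict; only what the ESP/EBP argument needs."""

    def __init__(self, esp):
        self.esp = esp
        self.ebp = 0x00000000       # whatever the loader left in EBP
        self.mem = {}               # stack address -> dword
        self.ebp_seen_in_callees = []

    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value

    def pop(self):
        value = self.mem[self.esp]
        self.esp += 4
        return value

    def prologue(self):
        """push ebp / mov ebp, esp"""
        self.push(self.ebp)
        self.ebp = self.esp

    def epilogue(self):
        """mov esp, ebp / pop ebp"""
        self.esp = self.ebp
        self.ebp = self.pop()

    def call(self, func):
        """call pushes the return address, ret pops it."""
        self.push(0x00401234)       # constructed return address
        func(self)
        self.pop()


def leaf(m):
    m.prologue()
    m.push(1)                        # saved register / local, never popped explicitly:
    m.push(2)                        # the epilogue's mov esp, ebp discards them
    m.ebp_seen_in_callees.append(m.ebp)
    m.epilogue()


def middle(m):
    m.prologue()
    m.esp -= 0x44                    # sub esp, 44h
    m.call(leaf)
    m.ebp_seen_in_callees.append(m.ebp)
    m.epilogue()


def top_level(esp_at_oep):
    """Run the 'top-level program' from its OEP and report what a debugger
    stopped anywhere inside it (after the prologue) would see in EBP."""
    m = StackMachine(esp_at_oep)
    m.prologue()                     # the OEP's push ebp / mov ebp, esp
    ebp_after_prologue = m.ebp
    m.esp -= 0x44
    m.call(middle)                   # EBP changes inside these calls...
    m.call(leaf)
    m.call(middle)
    return {
        "ebp_in_main": m.ebp,        # ...but every pop ebp restores it
        "ebp_stable": m.ebp == ebp_after_prologue,
        "ebp_differs_in_callees": all(e != m.ebp for e in m.ebp_seen_in_callees),
        "esp_at_oep": m.ebp + 4,     # undo the push ebp
        "hw_breakpoint": m.ebp,      # the dword that push ebp at the OEP writes
    }


if __name__ == "__main__":
    # EP value from the article (12FFC4) and the PESpin 1.1 case (12F9C4)
    for esp in (0x0012FFC4, 0x0012F9C4):
        r = top_level(esp)
        print(f"ESP at OEP {esp:08X}: EBP in main = {r['ebp_in_main']:08X}, "
              f"recovered ESP = {r['esp_at_oep']:08X}, HW bp at {r['hw_breakpoint']:08X}")
```

Run it and compare with the register dump later in the article: with ESP 0012F9C4 at the OEP, EBP in the main frame reads 0012F9C0, which is exactly the address the article places the hardware breakpoint on.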

3. Practice

Let's look at the PESpin 1.1 shell. With PESpin 1.0 we can easily find the stolen code with HW 12FFC0, but with PESpin 1.1 we cannot: HW 12FFC0 never breaks.

Now we use the extended ESP law. Load the program and run to the last exception:

0040ED85 2BDB sub ebx, ebx // stop here
0040ED87 64:8F03 pop dword ptr fs:[ebx]
0040ED8A 58 pop eax
0040ED8B 5D pop ebp
0040ED8C 2BFF sub edi, edi
0040ED8E EB 01 jmp short pespin1_.0040ED91
0040ED90 C466 81 les esp, fword ptr ds:[esi-7F]

I used the memory breakpoint method to reach the FOEP (the false OEP; the stolen bytes before it now read as zeros):

004010D3 0000 add byte ptr ds:[eax], al
004010D5 0000 add byte ptr ds:[eax], al
004010D7 0000 add byte ptr ds:[eax], al
004010D9 0000 add byte ptr ds:[eax], al
004010DB 0000 add byte ptr ds:[eax], al
004010DD 0000 add byte ptr ds:[eax], al
004010DF 75 1B jnz short pespin1_.004010FC // here is the FOEP
004010E1 56 push esi
004010E2 FF15 99F44000 call dword ptr ds:[40F499]
004010E8 8BF0 mov esi, eax
004010EA 8A00 mov al, byte ptr ds:[eax]

This is the "top-level program". Let's look at the registers:

EAX 00141E22
ECX 0040C708 pespin1_.0040C708
EDX 0040C708 pespin1_.0040C708
EBX 0040C708 pespin1_.0040C708
ESP 0012F978
EBP 0012F9C0 // note this
ESI 00141EE0
EDI 0040E5CD pespin1_.0040E5CD
EIP 004010DF pespin1_.004010DF

See, EBP = 0012F9C0. Think about how this value got there.

It must have come from mov ebp, esp, so ESP was 0012F9C0 at that moment. But there is a push ebp before that instruction, so ESP on arrival at the OEP must have been 0012F9C4. With that, the stolen code is quickly found.

Reload the program and again stop at the last exception:

0040ED85 2BDB sub ebx, ebx // stop here
0040ED87 64:8F03 pop dword ptr fs:[ebx]
0040ED8A 58 pop eax
0040ED8B 5D pop ebp
0040ED8C 2BFF sub edi, edi
0040ED8E EB 01 jmp short pespin1_.0040ED91
0040ED90 C466 81 les esp, fword ptr ds:[esi-7F]

Then set a hardware breakpoint on 0012F9C0 (HW 0012F9C0, the dword that the push ebp at the OEP writes), press F9 to run, and we land here:

0040D8FB 61 popad
0040D8FC 55 push ebp
0040D8FD EB 01 jmp short pespin1_.0040D900 // stop here
0040D8FF 318B ECEB01AC xor dword ptr ds:[ebx+AC01EBEC], ecx // the jmp lands on 8B EC = mov ebp, esp, hidden inside this bogus xor
0040D905 83EC 44 sub esp, 44
0040D908 EB 01 jmp short pespin1_.0040D90B
0040D90A 72 56 jb short pespin1_.0040D962 // 72 is a skipped junk byte; the jmp lands on 56 = push esi
0040D90C EB 01 jmp short pespin1_.0040D90F
0040D90E 95
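The listing above is a chain of jmp short instructions that each skip one junk byte, so OllyDbg's linear disassembly mis-decodes what actually executes: jmp short 0040D900 lands on the bytes 8B EC (mov ebp, esp) that Olly folded into the bogus xor, and the jb short at 0040D90A is really a junk 72 followed by 56 (push esi). As an added example (not from the original article), the Python below follows such chains and lists only the instructions actually executed. The bytes are transcribed from the listing as shown; the decoder is a minimal one that knows only the opcodes occurring there and raises on anything else, and it stops when the chain runs past the transcribed bytes (the listing ends at 0040D90E).

```python
# Added example, not from the original article: follow PESpin's
# "jmp short over one junk byte" chains to read the stolen prologue
# linearly.  Bytes transcribed from the listing at 0040D8FC..0040D90E.

STOLEN_BASE = 0x0040D8FC
STOLEN_BYTES = bytes.fromhex(
    "55"            # 0040D8FC push ebp
    "EB01" "31"     # 0040D8FD jmp short +1, junk 31
    "8BEC"          # 0040D900 mov ebp, esp (shown by Olly inside an xor)
    "EB01" "AC"     # 0040D902 jmp short +1, junk AC
    "83EC44"        # 0040D905 sub esp, 44h
    "EB01" "72"     # 0040D908 jmp short +1, junk 72
    "56"            # 0040D90B push esi
    "EB01" "95"     # 0040D90C jmp short +1, junk 95 (target is past the listing)
)

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]


def decode_one(buf, off):
    """Decode one instruction at buf[off:].
    Returns (length, text, jump_target_offset or None).
    Minimal by design: only the opcodes present in the listing are known."""
    op = buf[off]
    if 0x50 <= op <= 0x57:                       # push r32
        return 1, "push " + REGS[op - 0x50], None
    if 0x58 <= op <= 0x5F:                       # pop r32
        return 1, "pop " + REGS[op - 0x58], None
    if op == 0x8B and off + 1 < len(buf):        # mov r32, r/m32, register form only
        modrm = buf[off + 1]
        if modrm >> 6 == 3:
            return 2, f"mov {REGS[(modrm >> 3) & 7]}, {REGS[modrm & 7]}", None
    if op == 0x83 and off + 2 < len(buf):        # group 1 r/m32, imm8, register form only
        modrm = buf[off + 1]
        if modrm >> 6 == 3:
            mnem = GROUP1[(modrm >> 3) & 7]
            return 3, f"{mnem} {REGS[modrm & 7]}, {buf[off + 2]:X}h", None
    if op == 0xEB and off + 1 < len(buf):        # jmp short rel8 (signed)
        rel = buf[off + 1]
        rel = rel - 256 if rel >= 128 else rel
        return 2, f"jmp short {rel:+d}", off + 2 + rel
    raise ValueError(f"unsupported opcode {op:02X} at offset {off:#x}")


def walk_stolen_code(buf, base):
    """Return [(address, text)] for the instructions actually executed,
    following jmp short chains and dropping the junk bytes they skip.
    Stops when control leaves the buffer or would loop."""
    out, off, visited = [], 0, set()
    while 0 <= off < len(buf) and off not in visited:
        visited.add(off)
        length, text, target = decode_one(buf, off)
        if target is None:
            out.append((base + off, text))
            off += length
        else:
            off = target                         # follow the jmp, do not list it
    return out


if __name__ == "__main__":
    for addr, text in walk_stolen_code(STOLEN_BYTES, STOLEN_BASE):
        print(f"{addr:08X}  {text}")
```

The recovered stream, push ebp / mov ebp, esp / sub esp, 44h / push esi, is the prologue that is missing from the zeroed bytes before the FOEP; the hardware breakpoint fired on the very first instruction of it because that push ebp writes to 0012F9C0.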
