Recently, because of a "small problem", I have been tracing and debugging at the kernel level of both the Linux kernel and FreeBSD, and came across a very interesting issue. I feel that the differences between shellcode under Linux and shellcode under FreeBSD are also somewhat related to the system architecture. The following is a compilation of syscall code. In Linux, an application invokes a syscall with code like this: 420d4330 55 push EBP | 420d4331
(Processing here feels somewhat complex: it involves several loops, and, as others later reminded me, linked-list operations as well.)
First, the assignments: the value at %ebp+8 (that is, the start address of the input string, which was passed in as the parameter to phase_6) is stored in %edx, and %eax = %ebp-24; then %eax and %edx are pushed on the stack and the read_six_numbers function is called (its purpose was described earlier). The numbers that were read out are then processed accordingly, followed by a la
to load the program. There will be many loops in the packer's shell code. When dealing with loops, only let the program run forward and basically never let it jump back; you need to think your way out of the loop. Do not use PEiD to look up the entry point: single-stepping to the entry point yourself improves your ability to find it manually. Load the program with OD. Confirm the entry point warning; OD prompts that the program is packed. Choose not to continue the analysis. Stop here: 0040D001 60 pushad. First remember
ancestor classes have no handler corresponding to this message number, call DefaultHandler
end;
procedure GetDynaMethod;
{ function GetDynaMethod(vmt: TClass; selector: Smallint): Pointer; }
asm
  { -> EAX  VMT of class }
  {    SI   dynamic method index }
  {    ZF = 0 if found }
  { trashes: EAX, ECX }
  PUSH  EDI
  XCHG  EAX,ESI   // exchange EAX and ESI; afterwards ESI holds the VMT entry address and EAX the message number, i.e. the index of the corresponding dynamic method
  JMP   @@haveVMT
@@outerLoop:
  MOV   ESI,[ESI]
@@h
769 items in swapper_pg_dir. The first two items are the linear address mapping for user space, and the last two are the linear address mapping for the kernel. The reason two items in the global page directory can map 8 MB is that 2 × 1024 (1024 items per page table) × 4 KB (the size of one page) = 8 MB. In fact, initializing the kernel page tables is not hard-wired to map the first 8 MB of RAM; this depends on the configuration of your kernel (I think it is an 8 MB mapping in most cases). In startup_32
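The arithmetic above becomes concrete when the two-level i386 page walk is written out. The following is an added C example, not code from the original article or the kernel: it models swapper_pg_dir with two page tables (here called pg0 and pg1, after the kernel's names, but the tables are constructed in an ordinary array), installs them at entries 0/1 and 768/769, and translates linear addresses the way the MMU would. The PDE/PTE bit layout and the 768 = 0xC0000000 >> 22 index are the real i386 values; the "physical memory" is just offsets into an array so the program runs anywhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT    12
#define PAGE_SIZE     (1u << PAGE_SHIFT)        /* 4 KB */
#define PTRS_PER_PGD  1024
#define PTRS_PER_PTE  1024
#define PAGE_OFFSET   0xC0000000u               /* kernel linear base on i386 */
#define PG_PRESENT    0x001u

/* Linear address split: bits 31..22 index the page directory,
 * bits 21..12 the page table, bits 11..0 the byte within the page. */
static unsigned pgd_index(uint32_t vaddr) { return vaddr >> 22; }
static unsigned pte_index(uint32_t vaddr) { return (vaddr >> PAGE_SHIFT) & (PTRS_PER_PTE - 1); }

/* One directory entry points at one page table of 1024 4 KB pages: 4 MB. */
static uint32_t bytes_per_pgd_entry(void) { return PTRS_PER_PTE * PAGE_SIZE; }

/* Simulated physical memory for three page-sized tables (constructed for the
 * example). "Physical addresses" stored in entries are byte offsets into it. */
static uint32_t phys[3 * PTRS_PER_PTE];
#define SWAPPER_PG_DIR 0x0000u                  /* page directory */
#define PG0            0x1000u                  /* first page table  (maps phys 0..4 MB) */
#define PG1            0x2000u                  /* second page table (maps phys 4..8 MB) */
static uint32_t *table_at(uint32_t paddr) { return &phys[paddr / sizeof(uint32_t)]; }

/* What startup_32 sets up: pg0/pg1 identity-map the first 8 MB of RAM, and
 * swapper_pg_dir installs them twice, at entries 0/1 (linear == physical)
 * and at entries 768/769 (linear PAGE_OFFSET + physical). */
static void setup_swapper_pg_dir(void)
{
    const uint32_t pt[2] = { PG0, PG1 };
    memset(phys, 0, sizeof phys);
    for (unsigned t = 0; t < 2; t++) {
        uint32_t *pte = table_at(pt[t]);
        for (unsigned i = 0; i < PTRS_PER_PTE; i++)
            pte[i] = ((t * PTRS_PER_PTE + i) << PAGE_SHIFT) | PG_PRESENT;   /* frame = 4 MB*t + 4 KB*i */
        table_at(SWAPPER_PG_DIR)[t] = pt[t] | PG_PRESENT;                          /* entries 0, 1     */
        table_at(SWAPPER_PG_DIR)[pgd_index(PAGE_OFFSET) + t] = pt[t] | PG_PRESENT;  /* entries 768, 769 */
    }
}

#define NOT_MAPPED 0xFFFFFFFFu

/* Hardware-style two-level walk. Returns the physical address, or NOT_MAPPED
 * where the MMU would raise a page fault (PDE or PTE not present). */
static uint32_t translate(uint32_t vaddr)
{
    static int built = 0;
    if (!built) { setup_swapper_pg_dir(); built = 1; }
    uint32_t pde = table_at(SWAPPER_PG_DIR)[pgd_index(vaddr)];
    if (!(pde & PG_PRESENT)) return NOT_MAPPED;
    uint32_t pte = table_at(pde & ~0xFFFu)[pte_index(vaddr)];
    if (!(pte & PG_PRESENT)) return NOT_MAPPED;
    return (pte & ~0xFFFu) | (vaddr & (PAGE_SIZE - 1));
}

int main(void)
{
    const uint32_t probes[] = { 0x00001234u, 0x00401000u, PAGE_OFFSET + 0x1234u, PAGE_OFFSET + 0x800000u };
    printf("two PGD entries map %u MB\n", (2 * bytes_per_pgd_entry()) >> 20);
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t pa = translate(probes[i]);
        if (pa == NOT_MAPPED)
            printf("0x%08x -> page fault (PGD entry %u not present)\n", probes[i], pgd_index(probes[i]));
        else
            printf("0x%08x -> phys 0x%08x (PGD entry %u, PTE %u)\n", probes[i], pa, pgd_index(probes[i]), pte_index(probes[i]));
    }
    return 0;
}
```

The first address past 8 MB in either mapping (linear 0x00800000 or 0xC0800000) lands on PGD entry 2 or 770, which is not present, so the walk faults; that is exactly the limit the 2 × 1024 × 4 KB product describes.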
Game: Tianlong Babu, version: 0.16.0108,
System: Windows XP,
Tools: CE 5.2 + OD 1.10 + C# 2005
Objective: find the array format and location of the monster data in memory
First, a correction to the method for finding the character base address given in Note 1. The specific search method is as follows: 1. In CE, find a unique address based on the character's experience or HP (in practice I use experience). 2. In OD, set a memory-write breakpoint on the experience address: 0044bc28 8b46 0C mov eax, dword
*): disassemble the code section of A.obj. Open the URSoft W32Dasm tool (I use version 8.93). Select "all files" when opening the file, because the software mainly targets file formats such as PE, LE and NE, so the offset must be specified to disassemble the OBJ file. Pay attention here! (Note: another way to obtain this information is dumpbin /section:.text.) That is, the file offset of the code section. Therefore, in the prompt dialog box that appears when opening the OBJ file, enter 00000355. Start disassembly f
#include <windows.h>
#include <stdio.h>
int main()
{
    __asm {
        CLD                         // clear the direction flag DF
        push 0x1E380A6A             // push the hash of MessageBoxA  --> user32.dll
        push 0x4FD18963             // push the hash of ExitProcess  --> kernel32.dll
        push 0x0C917432             // push the hash of LoadLibraryA --> kernel32.dll
        mov  esi, esp               // esi = esp, pointing at the stack slot holding the LoadLibraryA hash
        lea  edi, [esi-0xc]         // edi = top of stack - 0xc, e.g. 0x0012ff28-0xc == 0x0012ff1c ====== open up some stack spa
     esi, dword ptr [esi+78h]   ; offset of the export data directory entry
add  esi, ebx
mov  edi, dword ptr [esi+20h]   ; AddressOfNames: offset of the function-name array
add  edi, ebx
mov  ecx, dword ptr [esi+14h]   ; NumberOfFunctions: number of elements in the function address array
push esi
xor  eax, eax
mov  edx, dword ptr [esi+24h]   ; AddressOfNameOrdinals: offset of the name-ordinal table
add  edx, ebx
shl  eax, 1                     ; count * 2
add  eax, edx                   ; count + function name sequenc
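The export-table walk in the two snippets above (the hashed API names pushed by the shellcode, and the asm that reads AddressOfNames and AddressOfNameOrdinals), as an added C example that is not code from either original article. It operates on a constructed in-memory PE image in which RVA equals buffer offset, so it runs offline; the header offsets (e_lfanew at 0x3C, DataDirectory[0] at NT headers + 0x78, the export directory fields at +0x14/+0x18/+0x1C/+0x20/+0x24) are the real PE layout, while the exported names and RVAs are made up. A shellcode performs the same walk but hashes each exported name and compares against its pushed constants instead of calling strcmp. One caveat the asm glosses over: the name and name-ordinal arrays have NumberOfNames (+0x18) entries, which can be fewer than NumberOfFunctions (+0x14); bounding the name loop by NumberOfFunctions can run off the end of the arrays.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 0x400
static uint8_t img[IMG_SIZE];                    /* constructed flat PE image */

static uint32_t rd32(uint32_t off) { uint32_t v; memcpy(&v, img + off, 4); return v; }
static uint16_t rd16(uint32_t off) { uint16_t v; memcpy(&v, img + off, 2); return v; }
static void     wr32(uint32_t off, uint32_t v) { memcpy(img + off, &v, 4); }
static void     wr16(uint32_t off, uint16_t v) { memcpy(img + off, &v, 2); }

/* Real PE offsets: the ones the asm above dereferences. */
enum { E_LFANEW = 0x3C, EXPORT_DIR_ENTRY = 0x78,          /* NT headers + 0x78 = DataDirectory[0] */
       NUM_FUNCS = 0x14, NUM_NAMES = 0x18,
       ADDR_FUNCS = 0x1C, ADDR_NAMES = 0x20, ADDR_ORDS = 0x24 };

/* Constructed layout of the sample image (arbitrary, RVA == offset). */
#define NT_HDR  0x80
#define EXP_DIR 0x200
#define FUNCS   0x240
#define NAMES   0x260
#define ORDS    0x280
#define STRS    0x2A0

/* Names must be sorted, as the Windows loader requires for its binary search.
 * Four functions are exported, three of them by name. */
static const char    *names[]    = { "ExitProcess", "GetProcAddress", "LoadLibraryA" };
static const uint16_t ords[]     = { 0, 3, 2 };            /* name i -> index into AddressOfFunctions */
static const uint32_t func_rva[] = { 0x1100, 0x1200, 0x1300, 0x1400 };

static void build_image(void)
{
    memset(img, 0, sizeof img);
    img[0] = 'M'; img[1] = 'Z';
    wr32(E_LFANEW, NT_HDR);
    memcpy(img + NT_HDR, "PE\0\0", 4);
    wr32(NT_HDR + EXPORT_DIR_ENTRY, EXP_DIR);               /* IMAGE_DIRECTORY_ENTRY_EXPORT.VirtualAddress */
    wr32(NT_HDR + EXPORT_DIR_ENTRY + 4, 0x100);             /* .Size */
    wr32(EXP_DIR + NUM_FUNCS, 4);
    wr32(EXP_DIR + NUM_NAMES, 3);
    wr32(EXP_DIR + ADDR_FUNCS, FUNCS);
    wr32(EXP_DIR + ADDR_NAMES, NAMES);
    wr32(EXP_DIR + ADDR_ORDS, ORDS);
    for (int i = 0; i < 4; i++) wr32(FUNCS + 4 * i, func_rva[i]);
    uint32_t s = STRS;
    for (int i = 0; i < 3; i++) {
        wr32(NAMES + 4 * i, s);                             /* RVA of the name string */
        wr16(ORDS + 2 * i, ords[i]);                        /* 16-bit, hence "shl eax,1" in the asm */
        strcpy((char *)img + s, names[i]);
        s += (uint32_t)strlen(names[i]) + 1;
    }
}

/* Resolve an export by name. Returns its RVA, or 0 if absent or malformed. */
static uint32_t export_rva(const char *want)
{
    if (img[0] != 'M') build_image();
    uint32_t nt  = rd32(E_LFANEW);
    uint32_t exp = rd32(nt + EXPORT_DIR_ENTRY);
    if (exp == 0 || exp + 0x28 > IMG_SIZE) return 0;        /* no export directory */
    uint32_t nnames = rd32(exp + NUM_NAMES), nfuncs = rd32(exp + NUM_FUNCS);
    uint32_t anames = rd32(exp + ADDR_NAMES), aords = rd32(exp + ADDR_ORDS), afuncs = rd32(exp + ADDR_FUNCS);
    for (uint32_t i = 0; i < nnames; i++) {                 /* bounded by NumberOfNames, not NumberOfFunctions */
        uint32_t name_rva = rd32(anames + 4 * i);
        if (name_rva >= IMG_SIZE) return 0;
        if (strcmp((const char *)img + name_rva, want) == 0) {
            uint16_t ord = rd16(aords + 2 * i);
            if (ord >= nfuncs) return 0;                    /* corrupt ordinal */
            return rd32(afuncs + 4 * ord);
        }
    }
    return 0;
}

int main(void)
{
    const char *probe[] = { "LoadLibraryA", "GetProcAddress", "ExitProcess", "MessageBoxA" };
    for (int i = 0; i < 4; i++) printf("%-16s -> RVA 0x%04x\n", probe[i], export_rva(probe[i]));
    return 0;
}
```

In a real module the RVAs must be added to the load base (the ebx register in the asm) before use, and a name-hash lookup replaces the strcmp with a hash of each string at img + name_rva.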
sufficiently consistent with the real attack characteristics? Through vulnerability analysis we will naturally reach a conclusion. Czy82 published a detailed analysis of this vulnerability on the NSFOCUS technology forum; see the original article: http://bbs.nsfocus.net/index.php? Act = se F = 3 t = 159298 P = 299648
The code-analysis snippets of the server's command and parameter processing in that analysis are as follows:
======================================================================
determines whether the return is near or far (of course, the pseudo-instruction is not visible in the executable file). Under Win7 + VS2008 + Release, the situation is much more complicated.
--- D:\coding\helloworld\testc\main.c ---
int main()
{
00331370  push ebp
00331371  mov  ebp, esp
00331373  sub  esp, 0C0h
00331379  push ebx
0033137A  push esi
0033137B  push edi
0033137C  lea  edi, [ebp-0C
Reading Tips:
The "Delphi Image Processing" series focuses on efficiency. The general code is Pascal, and the core code is BASM.
The "C++ Image Processing" series focuses on code clarity and readability, and uses C++ code throughout.
The two series are kept consistent so that they can be compared with each other.
The code in this article requires the ImageData.pas unit from "Delphi Image Processing: Data Types and Public Procedures".
The minimum-value processing of an image is centered on the current pixel
the address of the API function we want to intercept, and modify it.
invoke GetModuleHandle, addr DllName   ; get the module handle of the DLL that contains the API to be intercepted
invoke GetProcAddress, eax, addr ApiName
mov    ProcAddr, eax                   ; get the address of the API we want to intercept and store it in ProcAddr
.while !([esi].OriginalFirstThunk == 0 && [esi].TimeDateStamp == 0 && [esi].ForwarderChain == 0 && [esi].Name1 == 0 && [esi].FirstThunk == 0)   ; the import table is terminated by an IMAGE_IMPORT_DESCRIPTOR whose fields are all 0
mov
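The descriptor walk from the MASM fragment above, as an added C example (not the article's code). It builds a constructed import directory in a flat buffer where RVA equals buffer offset: two IMAGE_IMPORT_DESCRIPTORs followed by the all-zero terminator that the .while condition tests for, each with an OriginalFirstThunk name table and a FirstThunk address table. The DLL names, API names and the addresses held in the IAT are invented; the layout (20-byte descriptors, a WORD hint before each import name, the IMAGE_ORDINAL_FLAG32 high bit for by-ordinal imports) is the real one. The image base is the buffer, so no relocation of RVAs is needed here.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 0x300
static uint8_t img[IMG_SIZE];                       /* constructed flat image, RVA == offset */
static int built = 0;

static uint32_t rd32(uint32_t off) { uint32_t v; memcpy(&v, img + off, 4); return v; }
static void     wr32(uint32_t off, uint32_t v) { memcpy(img + off, &v, 4); }

/* IMAGE_IMPORT_DESCRIPTOR field offsets (real layout, 20 bytes). */
enum { OFT = 0, TDS = 4, FWD = 8, NAME = 12, FT = 16, DESC_SIZE = 20 };
#define IMAGE_ORDINAL_FLAG32 0x80000000u

/* Constructed placement of the tables inside the image. */
#define IMPORT_DIR 0x100     /* descriptor array: 2 descriptors + terminator */
#define INT0 0x140           /* kernel32 import name table  (OriginalFirstThunk) */
#define IAT0 0x160           /* kernel32 import address table (FirstThunk) */
#define INT1 0x180
#define IAT1 0x1A0
#define STRS 0x200

static uint32_t cstr(uint32_t *cur, const char *s)      /* plain C string, returns its RVA */
{ uint32_t at = *cur; strcpy((char *)img + at, s); *cur = at + (uint32_t)strlen(s) + 1; return at; }

static uint32_t ibn(uint32_t *cur, const char *name)    /* IMAGE_IMPORT_BY_NAME: WORD Hint (0), then name */
{ uint32_t at = *cur; strcpy((char *)img + at + 2, name); *cur = at + 2 + (uint32_t)strlen(name) + 1; return at; }

static void build_image(void)
{
    memset(img, 0, sizeof img);
    uint32_t s = STRS;
    /* descriptor 0: KERNEL32.dll imports CreateFileA and ReadFile (addresses are made up) */
    wr32(IMPORT_DIR + OFT, INT0); wr32(IMPORT_DIR + NAME, cstr(&s, "KERNEL32.dll")); wr32(IMPORT_DIR + FT, IAT0);
    wr32(INT0 + 0, ibn(&s, "CreateFileA")); wr32(IAT0 + 0, 0x7C801A28u);
    wr32(INT0 + 4, ibn(&s, "ReadFile"));    wr32(IAT0 + 4, 0x7C80AABBu);
    /* descriptor 1: USER32.dll imports MessageBoxA */
    uint32_t d1 = IMPORT_DIR + DESC_SIZE;
    wr32(d1 + OFT, INT1); wr32(d1 + NAME, cstr(&s, "USER32.dll")); wr32(d1 + FT, IAT1);
    wr32(INT1 + 0, ibn(&s, "MessageBoxA")); wr32(IAT1 + 0, 0x7E4507EAu);
    /* descriptor 2 is left all zero: the terminator; thunk lists end with a 0 entry likewise */
    built = 1;
}

static int name_eq_ci(const char *a, const char *b)     /* DLL names are matched case-insensitively */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* RVA of the IAT slot holding dll!api, or 0 if the pair is not imported. */
static uint32_t find_iat_slot(const char *dll, const char *api)
{
    if (!built) build_image();
    for (uint32_t d = IMPORT_DIR; d + DESC_SIZE <= IMG_SIZE; d += DESC_SIZE) {
        uint32_t oft = rd32(d + OFT), ft = rd32(d + FT), name = rd32(d + NAME);
        if (oft == 0 && rd32(d + TDS) == 0 && rd32(d + FWD) == 0 && name == 0 && ft == 0)
            return 0;                                   /* all-zero descriptor: end of import table */
        if (name >= IMG_SIZE || !name_eq_ci((const char *)img + name, dll)) continue;
        uint32_t names = oft ? oft : ft;                /* no INT: names live only in the not-yet-bound IAT */
        for (uint32_t i = 0; names + 4 * i + 4 <= IMG_SIZE; i++) {
            uint32_t thunk = rd32(names + 4 * i);
            if (thunk == 0) break;                      /* end of this DLL's thunk list */
            if (thunk & IMAGE_ORDINAL_FLAG32) continue; /* imported by ordinal, no name to compare */
            if (thunk + 2 >= IMG_SIZE) break;
            if (strcmp((const char *)img + thunk + 2, api) == 0)   /* skip the WORD Hint */
                return ft + 4 * i;                      /* i-th IAT slot pairs with i-th INT entry */
        }
    }
    return 0;
}

static uint32_t iat_value(const char *dll, const char *api)
{ uint32_t slot = find_iat_slot(dll, api); return slot ? rd32(slot) : 0; }

/* Redirect dll!api to new_addr. Returns the original address, or 0 if not imported. */
static uint32_t hook_import(const char *dll, const char *api, uint32_t new_addr)
{
    uint32_t slot = find_iat_slot(dll, api);
    if (!slot) return 0;
    uint32_t old = rd32(slot);
    wr32(slot, new_addr);       /* in a live process: VirtualProtect the page writable first */
    return old;
}

int main(void)
{
    printf("ReadFile IAT slot: RVA 0x%x, value 0x%08x\n", find_iat_slot("kernel32.dll", "ReadFile"), iat_value("kernel32.dll", "ReadFile"));
    printf("hooked, old = 0x%08x, new = 0x%08x\n", hook_import("kernel32.dll", "ReadFile", 0x00401000u), iat_value("kernel32.dll", "ReadFile"));
    return 0;
}
```

Two details matter when this runs against a real process rather than a buffer: the IAT usually sits in a read-only page, so the slot has to be made writable with VirtualProtect and the protection restored afterwards, and the hook function must preserve the calling convention and argument count of the API it replaces.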
The case that strcpy didn't take into account
Original post address: Http://eparg.spaces.live.com/blog/cns!59BFC22C0E7E1A76!1498.entry Original post time: 2006-08-16 Original post author: Eparg. The discussions that year were at:
Http://eparg.spaces.live.com/blog/cns!59BFC22C0E7E1A76!533.entry
When Http://eparg.spaces.live.com/blog/cns!59BFC22C0E7E1A76!875.entry first considered the performance of strcpy, only 4-byte copies were considered, but it ignored a key question: how to judge the end of
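The missing piece the post refers to, as an added example that is not Eparg's code: a word-at-a-time strcpy that detects the terminating NUL inside each 4-byte word with the `(w - 0x01010101) & ~w & 0x80808080` test, checked against a byte-wise reference over all combinations of representative byte values. The byte-by-byte alignment prologue keeps every 4-byte load inside one aligned word, so the load that contains the terminator never crosses a page boundary. The sample strings and buffers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Nonzero iff some byte of w is 0x00. Subtracting 1 from every byte borrows
 * into bit 7 exactly for the zero bytes; & ~w rejects bytes that were 0x80. */
static int word_has_zero(uint32_t w)
{
    return ((w - 0x01010101u) & ~w & 0x80808080u) != 0;
}

/* Byte-wise reference for the bit trick. */
static int word_has_zero_slow(uint32_t w)
{
    for (int i = 0; i < 4; i++)
        if (((w >> (8 * i)) & 0xFFu) == 0) return 1;
    return 0;
}

/* Compare trick and reference on every word built from these byte values
 * (the edge cases around the borrow: 0x00, 0x01, 0x7F, 0x80, 0xFF). */
static int trick_matches_reference(void)
{
    static const uint8_t v[] = { 0x00, 0x01, 0x7F, 0x80, 0xFF, 0x41 };
    const int n = (int)(sizeof v / sizeof v[0]);
    for (int a = 0; a < n; a++) for (int b = 0; b < n; b++)
        for (int c = 0; c < n; c++) for (int d = 0; d < n; d++) {
            uint32_t w = (uint32_t)v[a] | (uint32_t)v[b] << 8 | (uint32_t)v[c] << 16 | (uint32_t)v[d] << 24;
            if (word_has_zero(w) != word_has_zero_slow(w)) return 0;
        }
    return 1;
}

/* strcpy that copies 4 bytes at a time once src is aligned. */
char *word_strcpy(char *dst, const char *src)
{
    char *d = dst;
    while (((uintptr_t)src & 3) != 0) {              /* byte copy until src is 4-byte aligned */
        if ((*d++ = *src++) == '\0') return dst;
    }
    for (;;) {
        uint32_t w;
        memcpy(&w, src, 4);                           /* aligned load: stays within one word, one page */
        if (word_has_zero(w)) break;                  /* the terminator is somewhere in this word */
        memcpy(d, &w, 4);
        d += 4; src += 4;
    }
    while ((*d++ = *src++) != '\0') ;                /* finish the last word byte by byte, NUL included */
    return dst;
}

/* Place s at byte offset off (0..3) of a zeroed, 4-byte-aligned buffer
 * (constructed input; the zero padding is where the final aligned load ends),
 * copy it, and return 1 if the copy equals s. */
static int copy_roundtrip(const char *s, unsigned off)
{
    union { uint32_t w[16]; char c[64]; } src, dst;
    if (off > 3 || strlen(s) + off + 4 > sizeof src.c) return 0;
    memset(&src, 0, sizeof src);
    memset(&dst, 0xAA, sizeof dst);                   /* poison so a missing NUL would show */
    memcpy(src.c + off, s, strlen(s) + 1);
    word_strcpy(dst.c, src.c + off);
    return strcmp(dst.c, s) == 0;
}

int main(void)
{
    printf("trick matches reference: %d\n", trick_matches_reference());
    printf("aligned copy ok: %d, unaligned copy ok: %d\n",
           copy_roundtrip("the quick brown fox", 0), copy_roundtrip("the quick brown fox", 3));
    return 0;
}
```

A version that only checks `w == 0` would run past the terminator whenever the NUL shares a word with non-zero bytes, which is precisely the case a 4-byte copy has to handle.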
Then use SoftICE to set a breakpoint on that address; SoftICE should break immediately,
and you'll see mov DWORD PTR ds:[eax+ecx*8+eb4], edi.
In the client this is located at 0x4b2c74.
You can change the course of the game:
change the 7-byte mov DWORD PTR ds:[eax+ecx*8+eb4], edi
into E9 xx xx xx xx 90 90 (a 5-byte JMP followed by two NOPs),
a JMP to a free address between .rsrc and .data in the process.
The code at (xx xx xx xx) + 0x4b2c74 + 5 is modi