// Original 32-bit function body that the script below replays (disassembly at Tutorial-i386.exe+29480).
// Note the push/pop pair around the body: ebx is callee-saved on x86 and is reused as the object pointer.
Tutorial-i386.exe+29480 – 53 – push ebx                           // save callee-saved ebx before clobbering it
Tutorial-i386.exe+29481 – 89 C3 – mov ebx,eax                     // ebx = incoming eax (object pointer; dereferenced at +4F8 below)
Tutorial-i386.exe+29483 – B8 05000000 – mov eax,00000005
Tutorial-i386.exe+29488 – E8 A359FEFF – call Tutorial-i386.exe+EE30
Tutorial-i386.exe+2948D – 8D 50 02 – lea edx,[eax+02]             // edx = eax after the call (its result) + 2; lea leaves flags untouched
Tutorial-i386.exe+29490 – 8B 83 F8040000 – mov eax,[ebx+000004F8]  // eax = field at +0x4F8 of the saved object
Tutorial-i386.exe+29496 – E8 A5F6FFFF – call Tutorial-i386.exe+28B40
Tutorial-i386.exe+2949B – 5B – pop ebx                            // restore ebx (pairs with the push at +29480)
可用（32 位版本，自己写的线程入口，重放上面 +29480 的调用序列）：
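alloc(newmem,2048)
newmem:
// 32-bit thread entry that replays the call sequence of Tutorial-i386.exe+29480.
// The two callees appear to use a register convention (eax = object, edx = argument),
// mirrored from the original listing — confirm before changing operand registers.
// ebx is callee-saved on x86, so it is saved/restored exactly like the original
// function does; push and pop must stay paired or ret will use a wrong return address.
push ebx
mov ebx,019F3608                // object pointer captured from this run: a heap address,
                                // it changes between runs/restarts — re-capture before use
mov eax,00000005
call Tutorial-i386.exe+EE30
lea edx,[eax+02]                // edx = result of the call + 2 (lea leaves flags untouched)
mov eax,[ebx+000004F8]          // eax = object field at +0x4F8
call Tutorial-i386.exe+28B40
pop ebx                         // restore ebx (pairs with the push above)
ret
createthread(newmem)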
原来 ret 之前的 pop ebx 可以去掉，是因为脚本里没有与之配对的 push ebx：push 了多少次就必须 pop 多少次，否则 ret 取到的返回地址是错的。但要注意 ebx 在 x86 调用约定里属于被调用者保存（callee-saved）寄存器，原函数正是因此才 push/pop 它；更稳妥的写法是保留成对的 `push ebx … pop ebx`，而不是只删掉 pop。
下面这段 64 位脚本用 createthread 运行时有问题，应如何修改？（提示：线程入口收到的 rcx 是线程参数，不是原函数收到的对象指针，所以 `mov rbx,rcx` 之后 `mov rcx,[rbx+00000888]` 读到的不是对象字段。）
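alloc(newmem,2048)
newmem:
// 64-bit thread entry that replays the call sequence of Tutorial-x86_64.exe+2F930.
// Win x64: when this runs via createthread, rcx holds the thread parameter, NOT the
// object pointer the original function received in rcx, so the object pointer is
// loaded explicitly. The value is a heap address captured from one run and changes
// between runs — re-capture it before use.
push rbx                        // rbx is callee-saved on Win x64; the push also brings rsp from 8 to 0 mod 16
sub rsp,20                      // 0x20 shadow space the callees expect; rsp stays 16-byte aligned at both calls
mov rbx,00000000015BE0B0        // object pointer for this run (TODO: confirm it is still valid)
mov ecx,00000005                // first argument
call Tutorial-x86_64.exe+FC10
lea edx,[rax+02]                // second argument = result of the call + 2 (lea leaves flags untouched)
mov rcx,[rbx+00000888]          // first argument = object field at +0x888
call Tutorial-x86_64.exe+2EEB0
add rsp,20                      // release shadow space (pairs with the sub above)
pop rbx                         // restore rbx (pairs with the push above)
ret
createthread(newmem)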
正确的反汇编视图（从 +2F930，即函数第一条指令开始查看）：
// Original 64-bit function body that the scripts below replay (disassembly at Tutorial-x86_64.exe+2F930).
// Win x64 convention: first argument in rcx, result in rax; rbx is callee-saved.
Tutorial-x86_64.exe+2F930 – 53 – push rbx                          // save callee-saved rbx
Tutorial-x86_64.exe+2F931 – 48 8D 64 24 E0 – lea rsp,[rsp-20]      // reserve 0x20 shadow space (lea: no flag change)
Tutorial-x86_64.exe+2F936 – 48 89 CB – mov rbx,rcx                 // rbx = first argument (object pointer, dereferenced at +888 below)
Tutorial-x86_64.exe+2F939 – B9 05000000 – mov ecx,00000005         // first argument of the next call
Tutorial-x86_64.exe+2F93E – E8 CD02FEFF – call Tutorial-x86_64.exe+FC10
Tutorial-x86_64.exe+2F943 – 67 8D 50 02 – lea edx,[rax+02]         // edx = result of the call + 2
Tutorial-x86_64.exe+2F947 – 48 8B 8B 88080000 – mov rcx,[rbx+00000888] // rcx = object field at +0x888
Tutorial-x86_64.exe+2F94E – E8 5DF5FFFF – call Tutorial-x86_64.exe+2EEB0
Tutorial-x86_64.exe+2F953 – 90 – nop
Tutorial-x86_64.exe+2F954 – 48 8D 64 24 20 – lea rsp,[rsp+20]      // release shadow space
Tutorial-x86_64.exe+2F959 – 5B – pop rbx                           // restore rbx (pairs with the push at +2F930)
Tutorial-x86_64.exe+2F95A – C3 – ret
错误的反汇编视图（内存中的字节与上面完全相同，只是反汇编从 +2F92B 开始查看，起始地址落在指令边界之外，前几行被错误解码；从 +2F936 起重新对齐）：
// Same bytes as the listing above, but the disassembler was started at +2F92B, inside the
// zero padding that precedes the function, so the first instructions are decoded out of phase.
Tutorial-x86_64.exe+2F92B – 00 00 – add [rax],al                   // padding bytes decoded as instructions
Tutorial-x86_64.exe+2F92D – 00 00 – add [rax],al
Tutorial-x86_64.exe+2F92F – 00 53 48 – add [rbx+48],dl             // last pad byte 00 fused with 53 (push rbx) and 48 (REX.W prefix) of +2F930
Tutorial-x86_64.exe+2F932 – 8D 64 24 E0 – lea esp,[rsp-20]         // the lea of +2F931 shown without its REX.W prefix (hence esp, not rsp)
Tutorial-x86_64.exe+2F936 – 48 89 CB – mov rbx,rcx                 // decoder back in sync with the correct listing from here on
Tutorial-x86_64.exe+2F939 – B9 05000000 – mov ecx,00000005
Tutorial-x86_64.exe+2F93E – E8 CD02FEFF – call Tutorial-x86_64.exe+FC10
Tutorial-x86_64.exe+2F943 – 67 8D 50 02 – lea edx,[rax+02]
Tutorial-x86_64.exe+2F947 – 48 8B 8B 88080000 – mov rcx,[rbx+00000888]
Tutorial-x86_64.exe+2F94E – E8 5DF5FFFF – call Tutorial-x86_64.exe+2EEB0
Tutorial-x86_64.exe+2F953 – 90 – nop
Tutorial-x86_64.exe+2F954 – 48 8D 64 24 20 – lea rsp,[rsp+20]
Tutorial-x86_64.exe+2F959 – 5B – pop rbx
Tutorial-x86_64.exe+2F95A – C3 – ret
可用（64 位版本：不再依赖线程入口的 rcx，而是显式加载对象指针）：
alloc(newmem,2048)
newmem:
// Win x64 thread entry replaying the call sequence of Tutorial-x86_64.exe+2F930.
// Every callee-saved GPR the template saves is preserved, then 0x20 bytes of
// shadow space are reserved for the callees. Seven pushes plus 0x20 keep rsp
// 16-byte aligned at both call sites (rsp is 8 mod 16 on entry).
push rbx
push rsi
push rdi
push r12
push r13
push r14
push r15
sub rsp,20
mov rbx,00000000015BE0B0        // object pointer captured from this run — a heap address, re-capture when it changes
mov ecx,00000005                // first argument
call Tutorial-x86_64.exe+FC10   // result returned in rax
lea edx,[rax+02]                // second argument = rax + 2 (lea leaves flags untouched)
mov rcx,[rbx+00000888]          // first argument = object field at +0x888
call Tutorial-x86_64.exe+2EEB0
add rsp,20                      // release shadow space
pop r15                         // restore in reverse push order
pop r14
pop r13
pop r12
pop rdi
pop rsi
pop rbx
ret
createthread(newmem)
模板（Win x64 线程入口：先保存被调用者保存的通用寄存器，再预留 0x20 字节影子空间；7 次 push 加 0x20 可使 rsp 在 call 处保持 16 字节对齐，自己的代码写在 sub 与 add 之间）：
alloc(newmem,2048)
newmem:
// Win x64 thread-entry template: save the callee-saved GPRs (rbx, rsi, rdi, r12-r15),
// reserve 0x20 bytes of shadow space for any call made in between, then undo both
// in reverse order. rsp is 8 mod 16 on entry; seven pushes (56 bytes) plus sub 0x20
// leave it 16-byte aligned at every call made between the sub and the add.
// If you add another push, add 8 more bytes to the sub/add to keep that alignment.
// rbp and xmm6-xmm15 are also callee-saved on Win x64 — save them too if your code touches them.
push rbx
push rsi
push rdi
push r12
push r13
push r14
push r15
sub rsp,20
// your code goes here (calls are allowed: shadow space and alignment are set up)
add rsp,20
pop r15
pop r14
pop r13
pop r12
pop rdi
pop rsi
pop rbx
ret
createthread(newmem)
