Manually repairing the CC method in the Armadillo packer
Time: 2006-3-21 0:32:44   Source: 看雪论坛   Author: unknown   Editor: mervin

 


 


Restore the modified code, return to the original EIP, and check that every register value is the same as it was before.

4. Modify the handler code to complete the CC repair

To repair the CCs using the handler code, several conditions must be met:
   1.> The CC address, which we obtained with the method above.
   2.> The jump length; analysis shows that the handler code provides this for us, and it will be used directly below.
   3.> The jump type. This is the key point and also the hard part: we will use the packer's code that emulates the EFLAGS register value to determine the flag bits of the flags register.

Let us modify the handler code one piece at a time:
  First, supply the CC address we obtained to the handler code, using this code--

Modify this code to:

00805E51    8B15 00808200   MOV     EDX, DWORD PTR DS:[828000]                ; ezcddax.00439891
00805E57    8915 008F8200   MOV     DWORD PTR DS:[828F00], EDX                ; pass the parameter
00805E5D    C705 108F8200 0>MOV     DWORD PTR DS:[828F10], ezcddax.00828000   
00805E67    90              NOP
00805E68    90              NOP
00805E69    90              NOP
00805E6A    90              NOP
00805E6B    90              NOP
00805E6C    90              NOP
00805E6D    90              NOP
00805E6E    90              NOP
00805E6F    90              NOP
00805E70    90              NOP
00805E71    90              NOP
00805E72    90              NOP
00805E73    90              NOP
00805E74    90              NOP
00805E75    90              NOP
00805E76    90              NOP
00805E77    90              NOP
00805E78    90              NOP
00805E79    90              NOP
00805E7A    90              NOP
00805E7B    90              NOP
00805E7C    EB 03           JMP     SHORT ezcddax.00805E81


Look at the original address fetch:

00805EC3    8B95 34ECFFFF   MOV     EDX, DWORD PTR SS:[EBP-13CC]  // fetch the Context field
00805EC9    52              PUSH    EDX


The method is to write the first address of the CC address table, 00439891, at address 00828F00, and then, via the modification above, hand that address to the handler code.


The following code determines whether the CC address is in the table:

00805ECA    8B85 48EEFFFF   MOV     EAX, DWORD PTR SS:[EBP-11B8]
00805ED0    FF1485 98CD8300 CALL    DWORD PTR DS:[EAX*4+83CD98]
00805ED7    83C4 04         ADD     ESP, 4
00805EDA    8985 78EBFFFF   MOV     DWORD PTR SS:[EBP-1488], EAX
00805EE0    C785 74EBFFFF 0>MOV     DWORD PTR SS:[EBP-148C], 0
00805EEA    8B8D 48EEFFFF   MOV     ECX, DWORD PTR SS:[EBP-11B8]
00805EF0    8B148D 00F38300 MOV     EDX, DWORD PTR DS:[ECX*4+83F300]
00805EF7    8995 54EEFFFF   MOV     DWORD PTR SS:[EBP-11AC], EDX
00805EFD    8B85 74EBFFFF   MOV     EAX, DWORD PTR SS:[EBP-148C]
00805F03    3B85 54EEFFFF   CMP     EAX, DWORD PTR SS:[EBP-11AC]
00805F09    7D 5C           JGE     SHORT ezcddax.00805F67
00805F0B    8B85 54EEFFFF   MOV     EAX, DWORD PTR SS:[EBP-11AC]
00805F11    2B85 74EBFFFF   SUB     EAX, DWORD PTR SS:[EBP-148C]
00805F17    99              CDQ
00805F18    2BC2            SUB     EAX, EDX
00805F1A    D1F8            SAR     EAX, 1
00805F1C    8B8D 74EBFFFF   MOV     ECX, DWORD PTR SS:[EBP-148C]
00805F22    03C8            ADD     ECX, EAX
00805F24    898D 70EBFFFF   MOV     DWORD PTR SS:[EBP-1490], ECX
00805F2A    8B95 48EEFFFF   MOV     EDX, DWORD PTR SS:[EBP-11B8]
00805F30    8B0495 7CF28300 MOV     EAX, DWORD PTR DS:[EDX*4+83F27C]
00805F37    8B8D 70EBFFFF   MOV     ECX, DWORD PTR SS:[EBP-1490]
00805F3D    8B95 78EBFFFF   MOV     EDX, DWORD PTR SS:[EBP-1488]
00805F43    3B1488          CMP     EDX, DWORD PTR DS:[EAX+ECX*4]
00805F46    76 11           JBE     SHORT ezcddax.00805F59
00805F48    8B85 70EBFFFF   MOV     EAX, DWORD PTR SS:[EBP-1490]
00805F4E    83C0 01         ADD     EAX, 1
00805F51    8985 74EBFFFF   MOV     DWORD PTR SS:[EBP-148C], EAX
00805F57    EB 0C           JMP     SHORT ezcddax.00805F65
00805F59    8B8D 70EBFFFF   MOV     ECX, DWORD PTR SS:[EBP-1490]
00805F5F    898D 54EEFFFF   MOV     DWORD PTR SS:[EBP-11AC], ECX
00805F65  ^ EB 96           JMP     SHORT ezcddax.00805EFD
00805F67    60              PUSHAD
00805F68    33C0            XOR     EAX, EAX
00805F6A    75 02           JNZ     SHORT ezcddax.00805F6E
00805F6C    EB 15           JMP     SHORT ezcddax.00805F83
00805F6E    EB 33           JMP     SHORT ezcddax.00805FA3
00805F70    C075 18 7A      SAL     BYTE PTR SS:[EBP+18], 7A
00805F74    0C 70           OR      AL, 70
00805F76    0E              PUSH    CS
00805F77    EB 0D           JMP     SHORT ezcddax.00805F86
00805F79    E8 720E79F1     CALL    F1F96DF0
00805F7E    FF15 00790974   CALL    DWORD PTR DS:[74097900]
00805F84    F0:EB 87        LOCK JMP SHORT ezcddax.00805F0E               ; LOCK prefix not allowed
00805F87    DB7A F0         FSTP    TBYTE PTR DS:[EDX-10]
00805F8A    A0 33618B95     MOV     AL, BYTE PTR DS:[958B6133]
00805F8F    48              DEC     EAX
00805F90    EE              OUT     DX, AL
00805F91    FFFF            ???                                            ; unknown command
00805F93    8B0495 7CF28300 MOV     EAX, DWORD PTR DS:[EDX*4+83F27C]
00805F9A    8B8D 74EBFFFF   MOV     ECX, DWORD PTR SS:[EBP-148C]
00805FA0    8B1488          MOV     EDX, DWORD PTR DS:[EAX+ECX*4]
00805FA3    3B95 78EBFFFF   CMP     EDX, DWORD PTR SS:[EBP-1488]       // compare the table entry with the value computed from the CC address; tests whether the CC address is valid
00805FA9    0F85 90020000   JNZ     ezcddax.0080623F
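As an added illustration (not code from the original article), the same lookup in C: the loop at 00805EFD to 00805F65 is a binary search over the sorted CC address table, and 00805F93 to 00805FA9 then requires the entry found to equal the computed address. The table values are constructed for the example, and the bounds check on `lo` is added here; the listing shows no explicit one.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample of a sorted CC address table (ascending, like the
   packer's table); these values are made up for the example. */
static const uint32_t kCcTable[] = {
    0x00401010, 0x00401037, 0x00401052, 0x0040108C,
    0x004010A1, 0x004010F0, 0x00401123, 0x00401160,
};
#define CC_TABLE_LEN (sizeof kCcTable / sizeof kCcTable[0])

/* Binary search mirroring 00805EFD..00805F65:
   lo = [EBP-148C] (starts at 0), hi = [EBP-11AC] (starts at entry count),
   mid = [EBP-1490], key = [EBP-1488] (the value the CALL at 00805ED0
   derived from the CC address). Returns the index of key, or -1. */
int cc_table_index(const uint32_t *table, uint32_t count, uint32_t key)
{
    int32_t lo = 0, hi = (int32_t)count;
    while (lo < hi) {                     /* CMP EAX,[EBP-11AC] / JGE (signed) */
        int32_t mid = lo + (hi - lo) / 2; /* CDQ; SUB EAX,EDX; SAR EAX,1 */
        if (key > table[mid])             /* CMP EDX,[EAX+ECX*4] / JBE (unsigned) */
            lo = mid + 1;                 /* 00805F48..00805F57 */
        else
            hi = mid;                     /* 00805F59..00805F5F */
    }
    /* 00805F93..00805FA9: the entry at lo must equal the key, otherwise the
       JNZ to 0080623F rejects the CC. The lo < count guard is added here;
       the listing shows no explicit bounds check. */
    if (lo < (int32_t)count && table[lo] == key)
        return lo;
    return -1;
}

int main(void)
{
    uint32_t probes[] = { 0x0040108C, 0x00401000, 0x00401200 };
    for (size_t i = 0; i < 3; i++)
        printf("%08X -> index %d\n", probes[i],
               cc_table_index(kCcTable, (uint32_t)CC_TABLE_LEN, probes[i]));
    return 0;
}
```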


Next we reach the entry of the packer's function that emulates the EFLAGS register value to determine the flag bits of the flags register; this entry is a variable tied to the CC address.

00806006    8B85 48EEFFFF   MOV     EAX, DWORD PTR SS:[EBP-11B8]
0080600C    8B0C85 64F38300 MOV     ECX, DWORD PTR DS:[EAX*4+83F364]
00806013    8B95 74EBFFFF   MOV     EDX, DWORD PTR SS:[EBP-148C]
00806019    8B0491          MOV     EAX, DWORD PTR DS:[ECX+EDX*4]
0080601C    8985 5CEBFFFF   MOV     DWORD PTR SS:[EBP-14A4], EAX
00806022    8B8D 3CECFFFF   MOV     ECX, DWORD PTR SS:[EBP-13C4]
00806028    81E1 D70F0000   AND     ECX, 0FD7
0080602E    898D 6CEBFFFF   MOV     DWORD PTR SS:[EBP-1494], ECX
00806034    8B95 5CEBFFFF   MOV     EDX, DWORD PTR SS:[EBP-14A4]
0080603A    81E2 000000FF   AND     EDX, FF000000
00806040    C1EA 18         SHR     EDX, 18
00806043    8995 60EBFFFF   MOV     DWORD PTR SS:[EBP-14A0], EDX
00806049    8B85 5CEBFFFF   MOV     EAX, DWORD PTR SS:[EBP-14A4]
0080604F    25 FFFFFF00     AND     EAX, 0FFFFFF
00806054    8985 64EBFFFF   MOV     DWORD PTR SS:[EBP-149C], EAX
0080605A    8B8D 28ECFFFF   MOV     ECX, DWORD PTR SS:[EBP-13D8]
00806060    51              PUSH    ECX
00806061    8B95 6CEBFFFF   MOV     EDX, DWORD PTR SS:[EBP-1494]
00806067    52              PUSH    EDX
00806068    8B85 64EBFFFF   MOV     EAX, DWORD PTR SS:[EBP-149C]

