【发布时间】:2014-11-08 00:30:34
【问题描述】:
向大家问好。
过去两天我一直在努力寻找这个 C 程序代码的入口和返回点。基本上我正在尝试使用 C 中的 strcpy 函数来理解缓冲区溢出。如果有人可以在这里帮助我,我将不胜感激。 C程序:
#include<stdio.h>
#include<string.h>
#include<stdlib.h>
int main(int argc, char *argv[]) // PROGRAM START
{ char buf[64]; // Define buf var.
// if(argc>1) // Avoided it to make assembly code short
strcpy(buf,argv[1]); // Copy the argument to buf var
printf("%s",buf);
return(0); // EXIT RETURN
// system("PAUSE"); // PAUSE THE PROGRAM, Again commented it
}
现在,当我在 Immunity 调试器中打开它时,它是一堆代码。我在下面发布代码(让程序加载在内存中,字符串加载在内存中,可能我留下了正确的部分。)
00401226 . C70424 0100000>MOV DWORD PTR SS:[ESP],1
0040122D . FF15 D0504000 CALL DWORD PTR DS:[<&msvcrt.__set_app_ty>; msvcrt.__set_app_type
00401233 . E8 C8FEFFFF CALL buff1.00401100
00401238 . 90 NOP
00401239 . 8DB426 0000000>LEA ESI,DWORD PTR DS:[ESI]
00401240 . 55 PUSH EBP
00401241 . 89E5 MOV EBP,ESP
00401243 . 83EC 08 SUB ESP,8
00401246 . C70424 0200000>MOV DWORD PTR SS:[ESP],2
0040124D . FF15 D0504000 CALL DWORD PTR DS:[<&msvcrt.__set_app_ty>; msvcrt.__set_app_type
00401253 . E8 A8FEFFFF CALL buff1.00401100
00401258 . 90 NOP
00401259 . 8DB426 0000000>LEA ESI,DWORD PTR DS:[ESI]
00401260 $ 55 PUSH EBP
00401261 . 8B0D E8504000 MOV ECX,DWORD PTR DS:[<&msvcrt.atexit>] ; msvcrt.atexit
00401267 . 89E5 MOV EBP,ESP
00401269 . 5D POP EBP
0040126A . FFE1 JMP ECX
0040126C 8D7426 00 LEA ESI,DWORD PTR DS:[ESI]
00401270 . 55 PUSH EBP
00401271 . 8B0D DC504000 MOV ECX,DWORD PTR DS:[<&msvcrt._onexit>] ; msvcrt._onexit
00401277 . 89E5 MOV EBP,ESP
00401279 . 5D POP EBP
0040127A . FFE1 JMP ECX
0040127C 90 NOP
0040127D 90 NOP
0040127E 90 NOP
0040127F 90 NOP
00401280 > 55 PUSH EBP
00401281 . 89E5 MOV EBP,ESP
00401283 . 5D POP EBP
00401284 . E9 67020000 JMP buff1.004014F0
00401289 90 NOP
0040128A 90 NOP
0040128B 90 NOP
0040128C 90 NOP
0040128D 90 NOP
0040128E 90 NOP
0040128F 90 NOP
00401290 /$ 55 PUSH EBP
00401291 |. 89E5 MOV EBP,ESP
00401293 |. 83EC 68 SUB ESP,68
00401296 |. 83E4 F0 AND ESP,FFFFFFF0
00401299 |. B8 00000000 MOV EAX,0
0040129E |. 83C0 0F ADD EAX,0F
004012A1 |. 83C0 0F ADD EAX,0F
004012A4 |. C1E8 04 SHR EAX,4
004012A7 |. C1E0 04 SHL EAX,4
004012AA |. 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
004012AD |. 8B45 B4 MOV EAX,DWORD PTR SS:[EBP-4C]
004012B0 |. E8 7B040000 CALL buff1.00401730
004012B5 |. E8 16010000 CALL buff1.004013D0
004012BA |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; ||
004012BD |. 83C0 04 ADD EAX,4 ; ||
004012C0 |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; ||
004012C2 |. 894424 04 MOV DWORD PTR SS:[ESP+4],EAX ; ||
004012C6 |. 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48] ; ||
004012C9 |. 890424 MOV DWORD PTR SS:[ESP],EAX ; ||
004012CC |. E8 5F050000 CALL <JMP.&msvcrt.strcpy> ; |\strcpy
004012D1 |. 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48] ; |
004012D4 |. 894424 04 MOV DWORD PTR SS:[ESP+4],EAX ; |
004012D8 |. C70424 0030400>MOV DWORD PTR SS:[ESP],buff1.00403000 ; |ASCII "%s"
004012DF |. E8 3C050000 CALL <JMP.&msvcrt.printf> ; \printf
004012E4 |. B8 00000000 MOV EAX,0
004012E9 |. C9 LEAVE
004012EA \. C3 RETN
004012EB 90 NOP
004012EC 90 NOP
004012ED 90 NOP
004012EE 90 NOP
004012EF 90 NOP
004012F0 /$ 55 PUSH EBP
004012F1 |. B9 F0304000 MOV ECX,buff1.004030F0
004012F6 |. 89E5 MOV EBP,ESP
004012F8 |. EB 14 JMP SHORT buff1.0040130E
004012FA | 8DB6 00000000 LEA ESI,DWORD PTR DS:[ESI]
00401300 |> 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4]
00401303 |. 8B01 MOV EAX,DWORD PTR DS:[ECX]
00401305 |. 83C1 08 ADD ECX,8
00401308 |. 0182 00004000 ADD DWORD PTR DS:[EDX+400000],EAX
0040130E |> 81F9 F0304000 CMP ECX,buff1.004030F0
00401314 |.^72 EA JB SHORT buff1.00401300
00401316 |. 5D POP EBP
00401317 \. C3 RETN
00401318 90 NOP
00401319 90 NOP
0040131A 90 NOP
0040131B 90 NOP
0040131C 90 NOP
0040131D 90 NOP
0040131E 90 NOP
0040131F 90 NOP
00401320 /$ 55 PUSH EBP
00401321 |. 89E5 MOV EBP,ESP
00401323 |. DBE3 FINIT
00401325 |. 5D POP EBP
00401326 \. C3 RETN
00401327 90 NOP
00401328 90 NOP
00401329 90 NOP
0040132A 90 NOP
0040132B 90 NOP
0040132C 90 NOP
0040132D 90 NOP
0040132E 90 NOP
0040132F 90 NOP
00401330 /. 55 PUSH EBP
00401331 |. 89E5 MOV EBP,ESP
00401333 |. 83EC 08 SUB ESP,8
00401336 |. A1 20204000 MOV EAX,DWORD PTR DS:[402020]
0040133B |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0040133D |. 85C9 TEST ECX,ECX
在调用strcpy函数之前,这里有6个调用函数(程序名:buff1)。我无法理解哪个是 MAIN 函数的入口点。以及从哪一点开始返回。
感谢大家抽出宝贵的时间...
马克
【问题讨论】:
标签: c reverse-engineering buffer-overflow