Shulou(Shulou.com)06/01 Report--

Topic: see attachment

This is the last question, which is doubly difficult.

Look at the meaning of the title, should be to simulate a downloader, download a shellcode from the Internet and then execute. Ask to fix the shellcode and then get the key.

The program interface appears when OD loads MFC_ASM.exe,F9.

Because I usually use socket to write C program to access the network, I found that I didn't find the socket call. I looked at the import table and found that I used the http package provided by wininet.dll.

(I don't know if there is a better way for OD to trace the user code call to the button button. Please do not hesitate to give me your advice.)

Press button directly and an error occurs:

The stack situation at this time:

The BBBBBBBB and DDDDDDD data are consistent with the beginning of the Exploit.html file, which shows that the program has downloaded and copied the Exploit.html to the stack address 0012DF30.

In order to track down the handler of the button button, start with the string and randomly flip through it and find:

There is a reference to the http protocol here. Press button to stop after the breakpoint. All the way F8 can be followed to 00401519, where the retn instruction returns to the wrong address in shellcode.

It is important to note that the starting address of shellcode is 0012DF30, but the leave instruction at 00401518 points esp to 0012E130. The value in this address is the value that appeared in the previous error dialog box.

This is pointed out because the current esp points inside the shellcode, and if the shellcode code is executed, some areas of the shellcode will be covered, resulting in an error. This is the first problem that needs to be corrected.

The following is to analyze the Exploit.html file, load IDA, and do static analysis. Since I am not very familiar with shellcode under windows, I spent a lot of time here. The key point is that, as Daniel hints, you need to analyze a function and look for bytes in a shellcode. Because of the complexity of this shellcode, fixing is actually about finding a suitable entry point, pointing the EIP to it in OD, and directly executing it to pop up the key.

Functions are relatively easy to find, usually starting with push ebp, followed by sub esp (or add esp). IDA can analyze some functions, many of which have to be found on their own.

The Xrefs function of IDA (shortcut key X) is so useful here.

The final list of functions analyzed:

I have commented on several key functions here, and there is a lot of code worth learning, such as fs: [eax] this method of obtaining the kernel32 base address, and the establishment of the shellcode import function table, the runtime dynamically obtains the current instruction address, so that addressing in shellcode has nothing to do with the shellcode load address.

Almost all the functions in shellcode are found here, and through Xrefs analysis, there are still no key functions such as FindFunctions called, that is, the entry is not found. You can only look at it bit by bit under the text view of IDA code, and finally find an undefined byte of data in 00000CDD. Press C and define it as code:

Great! The entry point should be right here. Because there are string tables and 00 bytes elsewhere, there is no extra suspected undefined code.

OD load, breakpoint at 00401518, change EBP to 0012DF30. F8 to 00401519, change the value at 0012DF34 on the current stack to 0012DF30+CDD. Then F9, directly pop up the dialog box, key is here!

Attachment: http://down.51cto.com/data/2365159

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.