Information Security Reverse Engineering and Disassembly Exercises

2015 Review: Test Yourself

I. True/False and Multiple Choice

1. Viewed at the level of the underlying code, casting a variable's pointer to another pointer type produces no actual instructions.
2. A subroutine's own local variables can be expressed in the form ebp+Y, where Y is a positive value.
3. When data is copied through a type cast, in which of the following cases does an out-of-bounds data access occur?
   A. Data at an int pointer copied to a char variable
   B. Data at a double pointer copied to an int variable
   C. Data at a char pointer copied to an int variable
   D. Data at a double pointer copied to a double variable

II. Fill in the Blanks

1. Taking memory alignment into account, calculate and state the actual number of memory units occupied by the following data structure, and mark in the figure how the data is actually stored.

struct AAA {
    short a;
    int b;
    int c;
} bbb;

bbb.a = 0x1111;
bbb.b = 0x22222222;
bbb.c = 0x33333333;

[Figure: memory cells to fill in, starting from the low address]

Answer: the actual amount of memory occupied by this structure is ____

2. An exe program is being reverse engineered, and disassembling it gives the information below. It is known that after the EXE is loaded, EIP contains 00411A20.

Question: for the moment execution reaches the position indicated by the arrow, fill in the actual contents of the stack. (14 points)

[Figure: stack diagram. Surviving labels, in extraction order: edi, esi, blank 14, CCCC…CCCC, 0CCH, blanks 12, 11, 10, 9, 8, 7, 6, blank 1 | blank 2, CCCC…CCCC, blanks 5, 4, 13, 3, CCCC, main function ebp, 0013FF68, ebp]

The stack contents are as shown; complete the 14 blanks. (Note: where an exact hexadecimal value can be given, the hexadecimal value must be written; where it cannot, the register holding the value at that moment may be written instead.)

1. ____
2. ____H
3. ____H
4. ____H
5. ____H
6. ____
7. ____
8. ____H
9. ____H
10. ____H
11. ____H
12. ____H
13. ____H
14. ____

Disassembly of the EXE being reversed (note again: after the EXE is loaded, EIP contains 00411A20):

004113A0 push ebp
004113A1 mov ebp,esp
004113A3 sub esp,0CCh
004113A9 push ebx
004113AA push esi
004113AB push edi
004113AC lea edi,[ebp+FFFFFF34h]
004113B2 mov ecx,33h
004113B7 mov eax,0CCCCCCCCh
004113BC rep stos dword ptr es:[edi]
004113BE mov eax,dword ptr [ebp+8]
004113C1 add eax,dword ptr [ebp+0Ch]
004113C4 add eax,dword ptr [ebp+10h]
004113C7 mov dword ptr [ebp-8],eax
004113CA mov eax,dword ptr [ebp-8]
004113CD pop edi
004113CE pop esi
004113CF pop ebx
004113D0 mov esp,ebp
004113D2 pop ebp
004113D3 ret

00411A20 push ebp
00411A21 mov ebp,esp
00411A23 sub esp,0F0h
00411A29 push ebx
00411A2A push esi
00411A2B push edi
00411A2C lea edi,[ebp+FFFFFF10h]
00411A32 mov ecx,3Ch
00411A37 mov eax,0CCCCCCCCh
00411A3C rep stos dword ptr es:[edi]
00411A3E mov dword ptr [ebp-8],21h
00411A45 mov dword ptr [ebp-14h],2Ch
00411A4C mov dword ptr [ebp-20h],37h
00411A53 mov eax,dword ptr [ebp-20h]
00411A56 push eax
00411A57 mov ecx,dword ptr [ebp-14h]
00411A5A push ecx
00411A5B mov edx,dword ptr [ebp-8]
00411A5E push edx
00411A5F call 004111D1
00411A64 add esp,0Ch
00411A67 mov dword ptr [ebp-2Ch],eax
00411A6A xor eax,eax
00411A6C pop edi
00411A6D pop esi
00411A6E pop ebx
00411A6F add esp,0F0h
00411A75 cmp ebp,esp
00411A77 call 00411145
00411A7C mov esp,ebp
00411A7E pop ebp
00411A7F ret

004111D1 jmp 004113A0

III. Reversing Exercise

An executable EXE program has been obtained, and disassembling it gives the information shown below. It is known that after the EXE is loaded, EIP contains 00411490.

Task: write the corresponding high-level language code.

Disassembly of the EXE being reversed (note again: after the EXE is loaded, EIP contains 00411490):

00411490 push ebp
00411491 mov ebp,esp                      // set up this function's own stack frame
00411493 sub esp,0D8h
00411499 push ebx
0041149A push esi                         // save registers
0041149B push edi
0041149C lea edi,[ebp+FFFFFF28h]
004114A2 mov ecx,36h
004114A7 mov eax,0CCCCCCCCh               // initialize the temporary variable area
004114AC rep stos dword ptr es:[edi]
004114AE mov esi,esp
004114B0 push 415AB0h
004114B5 call dword ptr ds:[004182BCh]    // printf function
004114BB add esp,4                        // rebalance the stack
004114BE cmp esi,esp
004114C0 call 00411145                    // security-check function; ignore when reversing
004114C5 mov esi,esp
004114C7 push 4157ACh
004114CC call dword ptr ds:[004182BCh]    // printf function
004114D2 add esp,4
004114D5 cmp esi,esp
004114D7 call 00411145                    // security-check function; ignore when reversing
004114DC mov dword ptr [ebp-8],39h
004114E3 mov dword ptr [ebp-14h],3Ch
004114EA mov eax,dword ptr [ebp-8]
004114ED cmp eax,dword ptr [ebp-14h]
004114F0 jle 0041150B
004114F2 mov esi,esp
004114F4 push 4162E4h
004114F9 call dword ptr ds:[004182BCh]    // printf function
004114FF add esp,4
00411502 cmp esi,esp
00411504 call 00411145                    // security-check function; ignore when reversing
00411509 jmp 0041151B
0041150B mov eax,dword ptr [ebp-14h]
0041150E push eax
0041150F mov ecx,dword ptr [ebp-8]
00411512 push ecx
00411513 call 00411168
00411518 add esp,8
0041151B mov dword ptr [ebp-14h],32h
00411522 mov eax,dword ptr [ebp-8]
00411525 cmp eax,dword ptr [ebp-14h]
00411528 jle 0041153A
0041152A mov eax,dword ptr [ebp-14h]
0041152D push eax
0041152E mov ecx,dword ptr [ebp-8]
00411531 push ecx
00411532 call 00411168
00411537 add esp,8
0041153A mov esi,esp
0041153C push 4162A0h
00411541 call dword ptr ds:[004182BCh]    // printf function
00411547 add esp,4
0041154A cmp esi,esp
0041154C call 00411145                    // security-check function; ignore when reversing
00411551 mov esi,esp
00411553 push 415BC8h
00411558 call dword ptr ds:[004182BCh]    // printf function
0041155E add esp,4
00411561 cmp esi,esp
00411563 call 00411145                    // security-check function; ignore when reversing
00411568 xor eax,eax                      // set the program's return status to 0; together with the code below this forms the high-level
0041156A pop edi                          // return 0
0041156B pop esi                          // epilogue and return
0041156C pop ebx
0041156D add esp,0D8h
00411573 cmp ebp,esp
00411575 call 00411145                    // security-check function; ignore when reversing
0041157A mov esp,ebp
0041157C pop ebp
0041157D ret

00411168 jmp 004113B0

004113B0 push ebp
004113B1 mov ebp,esp                      // set up this function's own stack frame
004113B3 sub esp,0CCh
004113B9 push ebx
004113BA push esi                         // save registers
004113BB push edi
004113BC lea edi,[ebp+FFFFFF34h]
004113C2 mov ecx,33h
004113C7 mov eax,0CCCCCCCCh               // initialize the temporary variable area
004113CC rep stos dword ptr es:[edi]
004113CE mov eax,dword ptr [ebp+8]
004113D1 cmp eax,dword ptr [ebp+0Ch]
004113D4 jl 004113E1
004113D6 mov eax,dword ptr [ebp+8]
004113D9 sub eax,dword ptr [ebp+0Ch]
004113DC mov dword ptr [ebp-8],eax
004113DF jmp 004113EA
004113E1 mov eax,dword ptr [ebp+0Ch]
004113E4 sub eax,dword ptr [ebp+8]
004113E7 mov dword ptr [ebp-8],eax
004113EA mov esi,esp
004113EC mov eax,dword ptr [ebp-8]
004113EF push eax
004113F0 push 41576Ch
004113F5 call dword ptr ds:[004182BCh]    // printf function
004113FB add esp,8
004113FE cmp esi,esp
00411400 call 00411145                    // security-check function; ignore when reversing
00411405 mov esi,esp
00411407 push 41575Ch
0041140C call dword ptr ds:[004182BCh]    // printf function
00411412 add esp,4
00411415 cmp esi,esp
00411417 call 00411145                    // security-check function; ignore when reversing
0041141C mov esi,esp
0041141E push 415748h
00411423 call dword ptr ds:[004182BCh]    // printf function
00411429 add esp,4
0041142C cmp esi,esp
0041142E call 00411145                    // security-check function; ignore when reversing
00411433 mov esi,esp
00411435 push 415858h
0041143A call dword ptr ds:[004182BCh]    // printf function
00411440 add esp,4
00411443 cmp esi,esp
00411445 call 00411145                    // security-check function; ignore when reversing
0041144A mov eax,dword ptr [ebp-8]        // load the return value to pass back
0041144D pop edi
0041144E pop esi
0041144F pop ebx                          // epilogue and return
00411450 add esp,0CCh
00411456 cmp ebp,esp
00411458 call 00411145                    // security-check function; ignore when reversing
0041145D mov esp,ebp
0041145F pop ebp
00411460 ret

Memory data area:

0x00415740  00 00 00 00 00 00 00 00 74 68 65 20 61 62 69 6c  ........the abil
0x00415750  69 74 79 20 6f 66 20 00 00 00 00 00 63 61 6e 20  ity of .....can 
0x00415760  79 6f 75 20 68 61 76 65 20 00 00 00 74 68 65 69  you have ...thei
0x00415770  72 20 73 75 6d 20 69 73 20 a3 ba 25 64 0a 00 00  r sum is ..%d...
0x00415780  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x00415790  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x004157A0  00 00 00 00 00 00 00 00 00 00 00 00 70 72 6f 67  ............prog
0x004157B0  72 61 6d 20 79 6f 75 20 61 72 65 20 61 6e 61 6c  ram you are anal
0x004157C0  79 7a 69 6e 67 20 6e 6f 77 21 00 00 00 00 00 00  yzing now!......
0x004157D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

0x00415840  72 00 63 00 5c 00 63 00 72 00 74 00 65 00 78 00  r.c.\.c.r.t.e.x.
0x00415850  65 00 2e 00 63 00 00 00 72 65 76 65 72 73 65 20  e...c...reverse 
0x00415860  61 6e 61 6c 79 73 69 73 00 00 00 00 00 00 00 00  analysis........
0x00415870  5f 00 5f 00 6e 00 61 00 74 00 69 00 76 00 65 00  _._.n.a.t.i.v.e.

0x00415B70  67 20 63 6f 6e 76 65 6e 74 69 6f 6e 20 77 69 74  g convention wit
0x00415B80  68 20 61 20 66 75 6e 63 74 69 6f 6e 20 70 6f 69  h a function poi
0x00415B90  6e 74 65 72 20 64 65 63 6c 61 72 65 64 20 77 69  nter declared wi
0x00415BA0  74 68 20 61 20 64 69 66 66 65 72 65 6e 74 20 63  th a different c
0x00415BB0  61 6c 6c 69 6e 67 20 63 6f 6e 76 65 6e 74 69 6f  alling conventio
0x00415BC0  6e 2e 0a 0d 00 00 00 00 74 72 61 70 a3 ac 63 6f  n.......trap..co
0x00415BD0  6e 67 72 61 74 75 6c 61 74 69 6f 6e 21 20 6e 6f  ngratulation! no
0x00415BE0  77 20 69 73 20 74 68 65 20 65 6e 64 0a 00 00 00  w is the end....
0x00415BF0  00 00 00 00 e8 5a 41 00 90 59 41 00 68 59 41 00  .....ZA..YA.hYA.
0x00415C00  28 59 41 00 f4 58 41 00 d0 58 41 00 01 00 00 00  (YA..XA..XA.....
0x00415C10  00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00  ................
0x00415C20  01 00 00 00 53 74 61 63 6b 20 61 72 6f 75 6e 64  ....Stack around
0x00415C30  20 74 68 65 20 76 61 72 69 61 62 6c 65 20 27 00   the variable '.

0x00416280  41 00 00 00 41 44 56 41 50 49 33 32 2e 44 4c 4c  A...ADVAPI32.DLL
0x00416290  00 00 00 00 98 71 41 00 f0 71 41 00 00 00 00 00  .....qA..qA.....
0x004162A0  74 68 69 73 20 69 73 20 74 72 75 65 20 65 6e 64  this is true end
0x004162B0  21 20 62 75 74 20 79 6f 75 20 73 68 6f 75 6c 64  ! but you should
0x004162C0  20 6e 6f 74 20 72 65 6c 61 78 20 79 6f 75 72 73   not relax yours
0x004162D0  65 6c 66 21 21 21 20 42 65 20 63 61 72 65 66 75  elf!!! Be carefu
0x004162E0  6c 20 00 00 68 65 6c 6c 6f a3 ac 64 6f 20 79 6f  l ..hello..do yo
0x004162F0  75 20 68 61 76 65 20 67 65 74 20 74 68 65 20 72  u have get the r
0x00416300  69 67 68 74 20 72 65 73 75 6c 74 3f 20 6e 6f 21  ight result? no!
0x00416310  20 69 74 27 73 20 6e 6f 74 20 6f 76 65 72 0a 00   it's not over..

0x00415A50  43 68 61 6e 67 69 6e 67 20 74 68 65 20 63 6f 64  Changing the cod
0x00415A60  65 20 69 6e 20 74 68 69 73 20 77 61 79 20 77 69  e in this way wi
0x00415A70  6c 6c 20 6e 6f 74 20 61 66 66 65 63 74 20 74 68  ll not affect th
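An added example, not part of the original exercise sheet, that checks the layout of struct AAA from the alignment question in section II by inspecting the object's bytes. It assumes a 2-byte short, a 4-byte int and little-endian natural alignment as on x86; AAA_packed, aaa_byte and aaa_is_padding are names introduced here, and the packed variant goes beyond the question to show the same fields without alignment padding.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct AAA { short a; int b; int c; };            /* as in the exercise */
#pragma pack(push, 1)
struct AAA_packed { short a; int b; int c; };     /* contrast: no padding */
#pragma pack(pop)

/* Byte i of bbb's in-memory image (low address first), or -1 if out of range. */
int aaa_byte(size_t i)
{
    struct AAA bbb;
    unsigned char img[sizeof bbb];
    memset(&bbb, 0xCC, sizeof bbb);   /* same fill value as the listings' prologues */
    bbb.a = 0x1111;
    bbb.b = 0x22222222;
    bbb.c = 0x33333333;
    memcpy(img, &bbb, sizeof bbb);
    return i < sizeof bbb ? img[i] : -1;
}

/* 1 if offset i lies in alignment padding rather than inside a member. */
int aaa_is_padding(size_t i)
{
    size_t a_end = offsetof(struct AAA, a) + sizeof(short);
    size_t b_end = offsetof(struct AAA, b) + sizeof(int);
    size_t c_end = offsetof(struct AAA, c) + sizeof(int);
    return (i >= a_end && i < offsetof(struct AAA, b)) ||
           (i >= b_end && i < offsetof(struct AAA, c)) ||
           (i >= c_end && i < sizeof(struct AAA));
}

int main(void)
{
    printf("sizeof(struct AAA)=%zu, packed=%zu\n",
           sizeof(struct AAA), sizeof(struct AAA_packed));
    printf("offsets: a=%zu b=%zu c=%zu\n", offsetof(struct AAA, a),
           offsetof(struct AAA, b), offsetof(struct AAA, c));
    for (size_t i = 0; i < sizeof(struct AAA); i++)
        printf("+%2zu  %02X%s\n", i, (unsigned)aaa_byte(i),
               aaa_is_padding(i) ? "  <- padding" : "");
    return 0;
}
```

Padding bytes formally hold unspecified values after a member store, so the CC shown in the padding rows is what compilers typically leave, not a guarantee.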
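One possible C reconstruction of the two routines in the section III listing, added here as an example and not part of the original exercise sheet. The function names sub_4113B0 and entry_411490 are made up; string contents are decoded from the hex bytes of the memory data area with the full-width GBK punctuation written as ASCII, and the string at 0x00415AB0, which the visible dump does not cover, is a placeholder.

```c
#include <stdio.h>
/* Strings decoded from the memory dump on this page. The GBK full-width
 * comma/colon (bytes a3 ac / a3 ba) are written as ASCII ',' and ':'. */
#define S_415748 "the ability of "
#define S_41575C "can you have "
#define S_41576C "their sum is :%d\n"
#define S_4157AC "program you are analyzing now!"
#define S_415858 "reverse analysis"
#define S_415BC8 "trap,congratulation! now is the end\n"
#define S_4162A0 "this is true end! but you should not relax yourself!!! Be careful "
#define S_4162E4 "hello,do you have get the right result? no! it's not over\n"
/* 0x00415AB0 is not in the visible dump: placeholder, not recovered data. */
#define S_415AB0 "<string at 0x00415AB0>\n"

/* 004113B0 (reached via the jmp thunk at 00411168); name is hypothetical. */
int sub_4113B0(int x, int y)          /* x = [ebp+8], y = [ebp+0Ch] */
{
    int r;                            /* [ebp-8] */
    if (x < y)                        /* cmp eax,[ebp+0Ch] / jl 004113E1 */
        r = y - x;                    /* 004113E1..004113E7 */
    else
        r = x - y;                    /* 004113D6..004113DC */
    printf(S_41576C, r);              /* two pushes, add esp,8 */
    printf(S_41575C);
    printf(S_415748);
    printf(S_415858);
    return r;                         /* mov eax,[ebp-8] */
}

/* 00411490, the entry point named by the exercise; name is hypothetical. */
int entry_411490(void)
{
    printf(S_415AB0);
    printf(S_4157AC);
    int a = 0x39;                     /* [ebp-8] */
    int b = 0x3C;                     /* [ebp-14h] */
    if (a > b)                        /* jle 0041150B skips this branch */
        printf(S_4162E4);
    else
        sub_4113B0(a, b);             /* b pushed first: cdecl, add esp,8 */
    b = 0x32;
    if (a > b)                        /* jle 0041153A skips the call */
        sub_4113B0(a, b);
    printf(S_4162A0);
    printf(S_415BC8);
    return 0;                         /* xor eax,eax */
}

int main(void) { return entry_411490(); }
```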
