
且行且记录

点滴记录,行得更远!


本想调试下9x共享密码漏洞,无果  

2013-06-13 10:39:17|  分类: 调试记录 |  标签: |举报 |字号 订阅


以前用过某个工具,现在想调试一下,无奈现在没有环境。只有一台虚拟机里有9x的,而自己的机器又太老了运行不了多个虚拟机。

又由于用惯了OD,windbg,现在再用trw2000感觉非常不好用,这个调试器以及9x虚拟机是04年刚学破解时装的。

好像没怎么用过,之后就用OD了。

验证最好有两台9x,而现在只有9x和xp,想改一下客户端发密码长度的地方不知在哪。

只是按文章找到了相关代码(那个文章里的代码好乱),截了2张图。

本想调试时改ecx的值为1的,但是好像不起作用,可能要改数据包里的长度吧!

之后在虚拟机9x里装了个iris嗅了一下访问共享的过程,保存这些数据包用于分析。

估计也可以按照发包来实现的!

服务端的相关代码:

本想调试下9x共享密码漏洞,无果 - appall - 且行且记录
@@//VSERVER.VXD
LCOD:C000361F ; Share-level password check (VSERVER.VXD).  Register interface as far
LCOD:C000361F ; as this listing shows it -- confirm against the caller sub_C00033F4:
LCOD:C000361F ;   ebx   = share record: stored password string at ebx+1Eh,
LCOD:C000361F ;           linked records at [ebx] / [ebx+4], some field at ebx+34h
LCOD:C000361F ;   edx   = client-supplied password bytes
LCOD:C000361F ;   ecx   = client-declared password length (18h selects the
LCOD:C000361F ;           24-byte path at loc_C0003683)
LCOD:C000361F ;   arg_0 = context block; only [arg_0+24h] is read here
LCOD:C000361F ; The result is carried in the flags, not in eax:
LCOD:C000361F ;   CF=1 (stc), eax=8460002h   -> error exit at C000364D
LCOD:C000361F ;   CF=0 (clc at loc_C0003680) -> ZF of the last cmp/test is the
LCOD:C000361F ;        verdict, ZF=1 match / ZF=0 mismatch; pop, popa, clc, leave
LCOD:C000361F ;        and retn do not touch ZF, so it survives to the caller.
LCOD:C000361F ; Clobbers eax, esi, edi; ebx and the loop count are pushed/popped
LCOD:C000361F ; around the compare loop; the 0E4h stack buffer is released by leave.
LCOD:C000361F ; NOTE(review): the plaintext path compares only min(ecx, 8) bytes,
LCOD:C000361F ; a count chosen by the client, and never checks that the declared
LCOD:C000361F ; length equals the stored password's length.  That is the share-
LCOD:C000361F ; level password weakness the article refers to; the correct check
LCOD:C000361F ; rejects a declared length that differs from the stored length (or
LCOD:C000361F ; always compares the full stored string).
LCOD:C000361F sub_C000361F    proc near               ; CODE XREF: sub_C00033F4:loc_C0003498p
LCOD:C000361F
LCOD:C000361F arg_0           = dword ptr  8
LCOD:C000361F
LCOD:C000361F                 push    ebp
LCOD:C0003620                 mov     ebp, esp
LCOD:C0003622                 lea     edi, [ebx+1Eh]    ; edi -> stored password (NUL-tested at loc_C0003655)
LCOD:C0003625                 mov     eax, [ebx+34h]    ; eax = this record's +34h field
LCOD:C0003628                 mov     esi, [ebx]        ; first linked record
LCOD:C000362A                 cmp     esi, offset dword_C0011CA4 ; list end / sentinel (inferred)
LCOD:C0003630                 jz      short loc_C0003637 ; none -> try the other link
LCOD:C0003632                 cmp     eax, [esi+34h]    ; same +34h field as ours?
LCOD:C0003635                 jz      short loc_C0003647 ; yes -> special path
LCOD:C0003637
LCOD:C0003637 loc_C0003637:                           ; CODE XREF: sub_C000361F+11j
LCOD:C0003637                 mov     esi, [ebx+4]      ; second linked record
LCOD:C000363A                 cmp     esi, offset dword_C0011CA4 ; list end / sentinel (inferred)
LCOD:C0003640                 jz      short loc_C0003655 ; none -> normal password check
LCOD:C0003642                 cmp     eax, [esi+34h]
LCOD:C0003645                 jnz     short loc_C0003655 ; no match either way -> normal check
LCOD:C0003647
LCOD:C0003647 loc_C0003647:                           ; CODE XREF: sub_C000361F+16j
LCOD:C0003647 ; Reached only when a linked record shares the +34h field.  The first
LCOD:C0003647 ; client word must be 0020h, otherwise the request is rejected with
LCOD:C0003647 ; CF=1; the meaning of that word is not recoverable from this listing.
LCOD:C0003647                 cmp     word ptr [edx], 20h ; client bytes start with 0020h?
LCOD:C000364B                 jnz     short loc_C000365A ; 9X BUG IS HERE! (taken -> plaintext compare below)
LCOD:C000364D                 mov     eax, 8460002h     ; error code
LCOD:C0003652                 stc                       ; CF=1: error
LCOD:C0003653                 leave
LCOD:C0003654                 retn
LCOD:C0003655 ; ---------------------------------------------------------------------------
LCOD:C0003655
LCOD:C0003655 loc_C0003655:                           ; CODE XREF: sub_C000361F+21j
LCOD:C0003655                                         ; sub_C000361F+26j
LCOD:C0003655                 cmp     byte ptr [edi], 0 ; stored password empty?
LCOD:C0003658                 jz      short loc_C0003680 ; yes -> exit with ZF=1 (accepted)
LCOD:C000365A
LCOD:C000365A loc_C000365A:                           ; CODE XREF: sub_C000361F+2Cj
LCOD:C000365A ; ecx == 18h: 24-byte response, handed to sub_C0006D3C below.
LCOD:C000365A ; Otherwise plaintext: ecx is presumably chars + NUL, capped at 9.
@@LCOD:C000365A                 cmp     ecx, 18h        ; 9X BUG IS HERE! @@VSERVER(01)+365A
LCOD:C000365D                 jz      short loc_C0003683
LCOD:C000365F                 cmp     ecx, 9            ; plaintext: at most 8 chars + NUL
LCOD:C0003662                 ja      short loc_C0003680 ; longer -> ja taken means ZF=0: mismatch
LCOD:C0003664                 cmc                       ; CF was 1 iff ecx < 9; now CF=1 iff ecx == 9
LCOD:C0003665                 sbb     ecx, 0            ; ecx = min(ecx, 8): 9 -> 8, else unchanged
LCOD:C0003668                 push    ecx               ; loope counts ecx down; restored after
LCOD:C0003669                 push    ebx
LCOD:C000366A                 mov     ebx, ds:off_C00137F4 ; byte translation table (case folding? confirm)
LCOD:C0003670                 mov     esi, edx          ; esi = client bytes
LCOD:C0003672                 sub     eax, eax          ; keep eax zero-extended as table index
LCOD:C0003674                 dec     edi               ; loop pre-increments edi
LCOD:C0003675
LCOD:C0003675 loc_C0003675:                           ; CODE XREF: sub_C000361F+5Dj
LCOD:C0003675 ; Compare loop: runs ecx times or until the first mismatch.  It never
LCOD:C0003675 ; looks at the stored string's terminator, so a short declared length
LCOD:C0003675 ; checks only that many stored bytes -- see the function comment.
LCOD:C0003675                 inc     edi
LCOD:C0003676                 lodsb                     ; al = *esi++ (upper eax bytes stay 0)
LCOD:C0003677                 mov     al, [eax+ebx]     ; al = table[al]
LCOD:C000367A                 cmp     al, [edi]         ; against the stored byte
LCOD:C000367C                 loope   loc_C0003675  ;9x bug is here: exits only on ecx==0 or mismatch
LCOD:C000367E                 pop     ebx
LCOD:C000367F                 pop     ecx               ; pops leave ZF untouched
LCOD:C0003680
LCOD:C0003680 loc_C0003680:                           ; CODE XREF: sub_C000361F+39j
LCOD:C0003680                                         ; sub_C000361F+43j ...
LCOD:C0003680                 clc                       ; CF=0: no error; ZF still holds the verdict
LCOD:C0003681                 leave
LCOD:C0003682                 retn
LCOD:C0003683 ; ---------------------------------------------------------------------------
LCOD:C0003683
LCOD:C0003683 loc_C0003683:                           ; CODE XREF: sub_C000361F+3Ej
LCOD:C0003683                 sub     esp, 0E4h         ; 0E4h-byte scratch buffer for the callee
LCOD:C0003689                 mov     eax, esp          ; eax -> buffer
LCOD:C000368B                 pusha                     ; preserve all regs across the call
LCOD:C000368C                 push    edx               ; client data
LCOD:C000368D                 push    eax               ; buffer
LCOD:C000368E                 mov     eax, [ebp+arg_0]
LCOD:C0003691                 mov     eax, [eax+24h]    ; [arg_0+24h]
LCOD:C0003694                 push    eax
LCOD:C0003695                 push    edi               ; stored password
LCOD:C0003696                 call    sub_C0006D3C      ; 4 args, caller cleans up
LCOD:C000369B                 add     esp, 10h
LCOD:C000369E                 test    eax, eax          ; ZF=1 iff it returned 0 (success sense not visible here)
LCOD:C00036A0                 popa                      ; does not alter flags
LCOD:C00036A1                 jmp     short loc_C0003680 ; -> clc, return
LCOD:C00036A1 sub_C000361F    endp
LCOD:C00036A1
LCOD:C00036A3 ; ---------------------------------------------------------------------------
LCOD:C00036A3 ; START OF FUNCTION CHUNK FOR sub_C00036B8
LCOD:C00036A3
LCOD:C00036A3 ; Tail of sub_C00036B8 (its head is outside this listing): calls
LCOD:C00036A3 ; sub_C0008778 with eax -> byte_C00121FB until bit 0 of dword_C00121FF
LCOD:C00036A3 ; reads clear, then returns.  Presumably the callee clears that bit;
LCOD:C00036A3 ; otherwise this loop would spin -- confirm in sub_C0008778.
LCOD:C00036A3 loc_C00036A3:                           ; CODE XREF: sub_C00036B8-4j
LCOD:C00036A3                                         ; sub_C00036B8+8j
LCOD:C00036A3                 mov     eax, offset byte_C00121FB ; register arg (inferred)
LCOD:C00036A8                 call    sub_C0008778
LCOD:C00036AD                 test    byte ptr ds:dword_C00121FF, 1 ; still pending?
LCOD:C00036B4                 jnz     short loc_C00036A3 ; yes -> call again
LCOD:C00036B6                 retn
LCOD:C00036B6 ; END OF FUNCTION CHUNK FOR sub_C00036B8
LCOD:C00036B6 ; ---------------------------------------------------------------------------
LCOD:C00036B7                 align 4
 

 客户端的相关代码:

本想调试下9x共享密码漏洞,无果 - appall - 且行且记录

 @@//VREDIR.VXD
PCOD:C0015F6C loc_C0015F6C:                           ; CODE XREF: sub_C0015CC0+290j
PCOD:C0015F6C                 test    cl, 2
PCOD:C0015F6F                 jz      short loc_C0015FA8
PCOD:C0015F71                 mov     ecx, [ebp+var_C]
PCOD:C0015F74                 test    byte ptr [ecx+1Ch], 20h
PCOD:C0015F78                 jz      short loc_C0015FA8
PCOD:C0015F7A                 mov     ecx, [ebp+var_14]
PCOD:C0015F7D                 mov     edx, [ebp+var_C]
@@PCOD:C0015F80                 mov     word ptr [ecx+7], 18h ; password length @@VREDIR(06)+2F80
PCOD:C0015F86                 add     ecx, 7
PCOD:C0015F89                 add     edx, 35h
PCOD:C0015F8C                 mov     eax, [ebp+var_8]
PCOD:C0015F8F                 add     eax, 6Ch
PCOD:C0015F92                 mov     [ebp+var_10], ecx
PCOD:C0015F95                 mov     ecx, [ebp+var_14]
PCOD:C0015F98                 add     ecx, 0Bh
PCOD:C0015F9B                 push    ecx
PCOD:C0015F9C                 push    edx
PCOD:C0015F9D                 push    eax
PCOD:C0015F9E                 call    sub_C0006F2A
PCOD:C0015FA3                 add     esp, 0Ch
PCOD:C0015FA6                 jmp     short loc_C0016019
PCOD:C0015FA8 ; ---------------------------------------------------------------------------
PCOD:C0015FA8
PCOD:C0015FA8 loc_C0015FA8:                           ; CODE XREF: sub_C0015CC0+2AFj
PCOD:C0015FA8                                         ; sub_C0015CC0+2B8j
PCOD:C0015FA8                 cmp     ds:byte_C00001E0, 0
PCOD:C0015FAF                 jnz     short loc_C0015FD2
PCOD:C0015FB1                 mov     ecx, [ebp+var_C]
PCOD:C0015FB4                 test    byte ptr [ecx+1Ch], 20h
PCOD:C0015FB8                 jz      short loc_C0015FD2
PCOD:C0015FBA                 mov     ecx, [ebp+var_14]
PCOD:C0015FBD                 mov     eax, [ebp+var_14]
PCOD:C0015FC0                 mov     word ptr [ecx+7], 1
PCOD:C0015FC6                 add     ecx, 7
PCOD:C0015FC9                 mov     byte ptr [eax+0Bh], 0
PCOD:C0015FCD                 mov     [ebp+var_10], ecx
PCOD:C0015FD0                 jmp     short loc_C0016019
PCOD:C0015FD2 ; ---------------------------------------------------------------------------
PCOD:C0015FD2
PCOD:C0015FD2 loc_C0015FD2:                           ; CODE XREF: sub_C0015CC0+2EFj
PCOD:C0015FD2                                         ; sub_C0015CC0+2F8j
PCOD:C0015FD2                 mov     ecx, [ebp+var_14]
PCOD:C0015FD5                 mov     edx, [ebp+var_C]
PCOD:C0015FD8                 add     ecx, 7
PCOD:C0015FDB                 add     edx, 35h
PCOD:C0015FDE                 mov     edi, edx
PCOD:C0015FE0                 sub     eax, eax
PCOD:C0015FE2                 mov     [ebp+var_10], ecx
PCOD:C0015FE5                 mov     ecx, 0FFFFFFFFh
PCOD:C0015FEA                 repne scasb
PCOD:C0015FEC                 mov     esi, [ebp+var_10]
PCOD:C0015FEF                 mov     edi, edx
PCOD:C0015FF1                 not     ecx
PCOD:C0015FF3                 mov     [esi], cx
PCOD:C0015FF6                 sub     eax, eax
PCOD:C0015FF8                 mov     ecx, 0FFFFFFFFh
PCOD:C0015FFD                 repne scasb
PCOD:C0015FFF                 not     ecx
PCOD:C0016001                 sub     edi, ecx
PCOD:C0016003                 mov     eax, ecx
PCOD:C0016005                 shr     ecx, 2
PCOD:C0016008                 mov     esi, edi
PCOD:C001600A                 mov     edi, [ebp+var_14]
PCOD:C001600D                 add     edi, 0Bh
PCOD:C0016010                 rep movsd
PCOD:C0016012                 mov     ecx, eax
PCOD:C0016014                 and     ecx, 3
PCOD:C0016017                 rep movsb
PCOD:C0016019
PCOD:C0016019 loc_C0016019:                           ; CODE XREF: sub_C0015CC0+2A7j
PCOD:C0016019                                         ; sub_C0015CC0+2E6j ...
PCOD:C0016019                 xor     eax, eax
PCOD:C001601B                 mov     esi, [ebp+var_10]
PCOD:C001601E                 mov     ax, [esi]
PCOD:C0016021                 mov     ecx, [ebp+var_14]
PCOD:C0016024                 mov     esi, [ebp+var_8]
PCOD:C0016027                 lea     edx, [eax+ecx+0Bh]
PCOD:C001602B                 mov     ax, [esi+1Ah]
PCOD:C001602F                 mov     [ebp+var_10], edx
PCOD:C0016032                 test    ah, 2
PCOD:C0016035                 jz      loc_C00160DE
PCOD:C001603B                 test    al, 80h
PCOD:C001603D                 jz      loc_C00160DE
PCOD:C0016043                 cmp     ds:dword_C000190C, 0
PCOD:C001604A                 jz      loc_C00160DE
PCOD:C0016050                 add     [ebp+var_10], 2
PCOD:C0016054                 mov     word ptr [edx], 5Ch
PCOD:C0016059                 lea     ecx, [esi+3Ch]
PCOD:C001605C                 push    ecx
PCOD:C001605D                 mov     [ebp+var_1C], ecx
PCOD:C0016060                 call    sub_C00111A0
PCOD:C0016065                 add     esp, 4
PCOD:C0016068                 add     eax, eax
PCOD:C001606A                 mov     edi, [ebp+var_10]
PCOD:C001606D                 mov     esi, [ebp+var_1C]
PCOD:C0016070                 mov     ecx, eax
PCOD:C0016072                 shr     ecx, 2
PCOD:C0016075                 rep movsd
PCOD:C0016077                 mov     ecx, eax
PCOD:C0016079                 and     ecx, 3
PCOD:C001607C                 rep movsb
PCOD:C001607E                 mov     ecx, [ebp+var_1C]
PCOD:C0016081                 push    ecx
PCOD:C0016082                 call    sub_C00111A0
PCOD:C0016087                 add     esp, 4
PCOD:C001608A                 mov     edx, [ebp+var_10]
PCOD:C001608D                 mov     esi, [ebp+var_C]
PCOD:C0016090                 lea     ecx, [edx+eax*2]
PCOD:C0016093                 mov     word ptr [ecx], 5Ch
PCOD:C0016098                 add     esi, 7Bh
PCOD:C001609B                 push    esi
PCOD:C001609C                 mov     [ebp+var_10], ecx
PCOD:C001609F                 add     [ebp+var_10], 2
PCOD:C00160A3                 call    sub_C00111A0
PCOD:C00160A8                 add     esp, 4
PCOD:C00160AB                 lea     eax, ds:2[eax*2]
PCOD:C00160B2                 mov     edi, [ebp+var_10]
PCOD:C00160B5                 mov     ecx, eax
PCOD:C00160B7                 shr     ecx, 2
PCOD:C00160BA                 rep movsd
PCOD:C00160BC                 mov     ecx, eax
PCOD:C00160BE                 and     ecx, 3
PCOD:C00160C1                 rep movsb
PCOD:C00160C3                 mov     edx, [ebp+var_10]
PCOD:C00160C6                 push    edx
PCOD:C00160C7                 call    sub_C00111A0
PCOD:C00160CC                 add     esp, 4
PCOD:C00160CF                 mov     edx, [ebp+var_10]
PCOD:C00160D2                 lea     ecx, [edx+eax*2+2]
PCOD:C00160D6                 mov     [ebp+var_10], ecx
PCOD:C00160D9                 jmp     loc_C0016164
PCOD:C00160DE ; -----------------------------------------------
