File download:
http://pan.baidu.com/s/1jG3RaGA
Just double-click to open it.
On startup:
The crash is caused by:
So edi is the culprit. edi is written by
008f6520 8b7c2440 mov edi,dword ptr [esp+40h]
so what ends up in [esp+40h] needs checking, but the code leading up to this point does not make that obvious, so it is better to trace it dynamically. Note that the crashing instruction sits at 008f6520, which is not inside the 013d0000-036ee000 range the module occupies on the restart, so the module was at a different base that time and every address has to be reworked relative to the module base. Restart:
Executable search path is:
ModLoad: 013d0000 036ee000 MazamaReader.exe
Base 0x013d0000. From MazamaReader!std::_Init_locks::operator=+0x137353 (01a2383f), the real address of MazamaReader!std::_Init_locks::operator= is 0x01a2383f - 0x137353 = 0x018EC4EC, i.e. offset 0x51C4EC from the base. (WinDbg has no symbols for this binary, so it names every address relative to the nearest export; the "+0x..." offsets are only useful as a way back to absolute addresses.)
Run it again:
Executable search path is:
ModLoad: 013d0000 036ee000 MazamaReader.exe
Still the same number (the program does have ASLR enabled, but Windows typically picks an image's randomized base once per boot and reuses it for later loads, so the base only moves after a reboot). The return address one frame up is then:
MazamaReader!std::_Init_locks::operator=+0x13a04d
0x018EC4EC + 0x13a04d = 0x01A26539
That address is 0x1c9 past the start of its function, so the function begins at 0x01A26539 - 0x1c9 = 0x1A26370; put a breakpoint there.
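The address bookkeeping above, as an added example (my helper, not code from the original post): it parses the ModLoad line and the export+offset strings WinDbg printed, recovers the absolute address of the nearest export, turns the function start into a module-relative offset, and emits a `bp MazamaReader+0x...` expression that stays valid if the module lands at another base. The 0x00f40000 passed to `rebase` is a made-up alternative base used only to show the arithmetic.

```python
import re

# Lines copied from the WinDbg session on this page; nothing else is needed.
MODLOAD_LINE = "ModLoad: 013d0000 036ee000 MazamaReader.exe"
CALLEE_SYMBOL = "MazamaReader!std::_Init_locks::operator=+0x137353(01a2383f)"
RETURN_SYMBOL = "MazamaReader!std::_Init_locks::operator=+0x13a04d"
RETURN_OFFSET_IN_FUNC = 0x1c9  # distance of the return address from its function start (from the page)

MODLOAD_RE = re.compile(r"ModLoad:\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S+)")
SYMBOL_RE = re.compile(
    r"(?P<module>[^!\s]+)!(?P<name>.+?)\+0x(?P<off>[0-9a-fA-F]+)"
    r"(?:\s*\((?P<addr>[0-9a-fA-F]+)\))?\s*$"
)


def parse_modload(line):
    """Return (base, end, module) from a WinDbg ModLoad line."""
    m = MODLOAD_RE.search(line)
    if not m:
        raise ValueError("not a ModLoad line: %r" % line)
    return int(m.group(1), 16), int(m.group(2), 16), m.group(3)


def parse_symbol(text):
    """Split 'module!name+0xoff (addr)' into its parts; addr is None when absent."""
    m = SYMBOL_RE.match(text)
    if not m:
        raise ValueError("not a symbol+offset expression: %r" % text)
    addr = int(m.group("addr"), 16) if m.group("addr") else None
    return m.group("module"), m.group("name"), int(m.group("off"), 16), addr


def rebase(addr, old_base, new_base):
    """Move an absolute address from one module base to another."""
    return addr - old_base + new_base


def windbg_bp(module, rva):
    """A breakpoint expression that holds whatever base the module is loaded at."""
    return "bp %s+0x%x" % (module, rva)


def worked_example():
    base, _end, module = parse_modload(MODLOAD_LINE)
    _, _, off, addr = parse_symbol(CALLEE_SYMBOL)
    sym_addr = addr - off                          # where the nearest export really is
    _, _, ret_off, _ = parse_symbol(RETURN_SYMBOL)
    ret_addr = sym_addr + ret_off                  # the return address one frame up
    func_start = ret_addr - RETURN_OFFSET_IN_FUNC  # start of the function to break on
    return {
        "symbol_addr": sym_addr,
        "symbol_rva": sym_addr - base,
        "return_addr": ret_addr,
        "func_start": func_start,
        "func_rva": func_start - base,
        "bp": windbg_bp(module.split(".")[0], func_start - base),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(key, hex(value) if isinstance(value, int) else value)
```

Using the module-relative form (`bp MazamaReader+0x656370`) instead of the hard-coded 0x1A26370 means the breakpoint does not have to be recomputed after a reboot moves the image.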
0:000> bp 0x1A26370
*** ERROR: Symbol file could not be found. Defaulted to export symbols for MazamaReader.exe -
0:000> g
Breakpoint 0 hit
eax=002ce9a4 ebx=00000000 ecx=050d1b38 edx=002cea58 esi=ffffffff edi=05145968
eip=01a26370 esp=002ce8a0 ebp=002cecfc iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200286
MazamaReader!std::_Init_locks::operator=+0x139e84:
01a26370 6aff push 0FFFFFFFFh
The stack trace is of almost no use here; without symbols or unwind information the frames cannot be trusted:
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
002cecfc 01a616b2 MazamaReader!std::_Init_locks::operator=+0x139ea1
002ced30 01a62692 MazamaReader!std::_Init_locks::operator=+0x1751c6
002ced80 016dea4e MazamaReader!std::_Init_locks::operator=+0x1761a6
00000000 00000000 MazamaReader!xmlXIncludeProcessNode+0xacb8e
Single-stepping shows:
0:000>
eax=0035e600 ebx=000004e4 ecx=010d0440 edx=0035e5f4 esi=0035e618 edi=010d0440
eip=01a26534 esp=0035e5cc ebp=010d0448 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
MazamaReader!std::_Init_locks::operator=+0x13a048:
01a26534 e8f7d2ffff call MazamaReader!std::_Init_locks::operator=+0x137344 (01a23830)
0:000>
eax=00000000 ebx=000004e4 ecx=010d046b edx=0035e5f4 esi=0035e618 edi=010d0440
eip=01a26539 esp=0035e5cc ebp=010d0448 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
MazamaReader!std::_Init_locks::operator=+0x13a04d:
01a26539 83c408 add esp,8
0:000>
eax=00000000 ebx=000004e4 ecx=010d046b edx=0035e5f4 esi=0035e618 edi=010d0440
eip=01a2653c esp=0035e5d4 ebp=010d0448 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200216
MazamaReader!std::_Init_locks::operator=+0x13a050:
01a2653c 89442440 mov dword ptr [esp+40h],eax ss:002b:0035e614=40040d01
0:000>
This stores 0 into [esp+40h] (overwriting 40040d01), the slot that the crashing mov edi,dword ptr [esp+40h] later reads.
The actual cause is here:
While parsing the data, a subtract-with-borrow that subtracts CF left eax = 0xffffffff (the sbb eax,eax idiom: eax - eax - CF is -1 whenever CF is set); eax is then inverted with NOT and ANDed with ecx (a logical AND)... and the routine returns a null pointer. This sbb/not/and sequence is the compiler's branchless form of "CF ? NULL : ecx", so whatever comparison set CF decided the pointer was unusable, and the caller stores the result and uses it without ever checking for zero.
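The sbb/not/and sequence as an added example (my emulation, not code from MazamaReader): Python that models CF and the three instructions, shows the intermediate eax values for both CF states using the ecx value 0x010d046b from the trace above, and contrasts a caller that dereferences the slot blindly with one that checks for NULL. The cmp that produces CF is an assumption; the page only shows what happens once CF is set.

```python
MASK32 = 0xFFFFFFFF


def x86_cmp(a, b):
    """32-bit CMP: return CF, which is 1 on an unsigned borrow (a < b unsigned)."""
    return int((a & MASK32) < (b & MASK32))


def x86_sbb(a, b, cf):
    """32-bit SBB: a - b - CF, returning (result, new CF)."""
    raw = (a & MASK32) - (b & MASK32) - cf
    return raw & MASK32, int(raw < 0)


def sbb_not_and_trace(cf, ecx, eax=0x12345678):
    """Emulate  sbb eax,eax ; not eax ; and eax,ecx  and return every intermediate eax.

    The starting eax does not matter: eax - eax - CF is always -CF."""
    eax, _ = x86_sbb(eax, eax, cf)   # 0xffffffff when CF is set, 0 otherwise
    after_sbb = eax
    eax = (~eax) & MASK32            # not eax: 0 when CF was set, 0xffffffff otherwise
    after_not = eax
    eax &= ecx & MASK32              # and eax,ecx: NULL when CF was set, ecx otherwise
    return [after_sbb, after_not, eax]


def select_or_null(lhs, rhs, ecx):
    """cmp lhs,rhs ; sbb eax,eax ; not eax ; and eax,ecx

    Returns ecx when lhs >= rhs (unsigned) and 0 otherwise. The comparison feeding
    CF is assumed; MazamaReader's real operands are not shown on the page."""
    cf = x86_cmp(lhs, rhs)
    return sbb_not_and_trace(cf, ecx)[-1]


def caller_outcome(lhs, rhs, ecx, check_null):
    """Model of the caller: the result lands in [esp+40h], is loaded into edi and dereferenced.

    Returns ("ok", ptr) when the pointer is usable, ("bail", 0) when a NULL check
    catches it, and ("crash", 0) for the unchecked dereference MazamaReader performs."""
    slot = select_or_null(lhs, rhs, ecx)   # mov dword ptr [esp+40h],eax
    edi = slot                             # mov edi,dword ptr [esp+40h]
    if edi == 0:
        if check_null:
            return ("bail", 0)             # the check the original code is missing
        return ("crash", 0)                # access violation reading through edi == 0
    return ("ok", edi)


if __name__ == "__main__":
    ecx = 0x010d046b  # value of ecx right after the call in the trace above
    for cf in (1, 0):
        print("CF=%d:" % cf, [hex(v) for v in sbb_not_and_trace(cf, ecx)])
    print(caller_outcome(5, 10, ecx, check_null=False))
    print(caller_outcome(5, 10, ecx, check_null=True))
```

With CF set the trace reads 0xffffffff, 0x0, 0x0, exactly the progression described above; with CF clear it reads 0x0, 0xffffffff, 0x010d046b and the pointer survives.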
This is the normal path: