主要有2处错误,都是把从文件中直接读出的长度字段未经校验就拿来用(分别作为 malloc 和 alloca 的大小)。
第一处在 bass_wv.dll 中:
seg002:10005C2D ; —————————————————————————
seg002:10005C2D ; Basic block of seem_important (the function entry lies outside this listing).
seg002:10005C2D ; Bug: the allocation size in esi comes straight from the input file and is
seg002:10005C2D ; never bounded, and malloc's return value is never tested before it is handed
seg002:10005C2D ; to base.dll as the destination buffer. A hostile size makes malloc fail and the
seg002:10005C2D ; reader then writes through a NULL pointer (crash / DoS).
seg002:10005C2D ; Fix: cap esi against the remaining file length (and a sane maximum) before the
seg002:10005C2D ; call, and add `test eax, eax` / `jz <error path>` right after `call malloc`.
seg002:10005C2D ; 148: clean_junk_part:
seg002:10005C2D ; 149: v17 = malloc(site_malloc_may_error);
seg002:10005C2D
seg002:10005C2D clean_junk_part: ; CODE XREF: seem_important+1BDj
seg002:10005C2D ; seem_important+245j
seg002:10005C2D push esi ; Size: attacker-controlled, read from the file without validation
seg002:10005C2E call malloc ; size was 0xF2471B06 (-230221050 as signed) in the observed crash -> malloc fails
seg002:10005C34 ; 150: (**(memory1 + 112))(*(memory1 + 116), v17, site_malloc_may_error);// basedll(+116)
seg002:10005C34 mov ecx, [ebp+74h] ; ecx = *(memory1+116), first argument of the base.dll callback
seg002:10005C37 add esp, 4 ; cdecl cleanup of the malloc argument
seg002:10005C3A mov edi, eax ; edi = v17; on allocation failure eax == 0, so edi is NULL (taint source, never checked)
seg002:10005C3C mov eax, [ebp+70h] ; eax = *(memory1+112): function pointer into base.dll
seg002:10005C3F push esi ; third argument: the same unbounded length
seg002:10005C40 mov edx, edi ; edx = destination buffer (NULL on the failure path)
seg002:10005C42 call dword ptr [eax] ; indirect call into base.dll (ecx/edx register args + one callee-cleaned stack arg: looks like __fastcall -- confirm)
seg002:10005C42 ; reads file data into the buffer just allocated; with edi == NULL the data lands at address 0 (+ whatever offset the reader advances)
seg002:10005C42 ; NOTE(review): the original note says "ecx bytes"; per the pseudo-C above ecx is the handle and the length is the pushed esi -- verify which register carries the count
seg002:10005C44 ; 151: free(v17);
seg002:10005C44 push edi ; Memory: free(NULL) is a harmless no-op, so this does not mask the bug
seg002:10005C45 call free
seg002:10005C4B ; 152: strncpy_ = strncmp;
seg002:10005C4B mov edi, strncmp
seg002:10005C51 add esp, 4 ; cdecl cleanup of the free argument
seg002:10005C54 jmp loc_10005AF7 ; continue at loc_10005AF7 (outside this listing)
另一处来自 base.dll:
seg000:1001083D pop eax ; eax = 0x12, the floor applied to the length below (per the pseudo-C on the next line)
seg000:1001083E ; 100: if ( v66 > 0x12 ) -- v66 is attacker-controlled (read from the file without validation, taint source)
seg000:1001083E ; Bug: this compare only enforces a MINIMUM of 0x12; there is no upper bound, so
seg000:1001083E ; v66 flows unbounded into the alloca size and into the copy that follows.
seg000:1001083E ; Fix: reject v66 above a fixed maximum (and above the remaining input length)
seg000:1001083E ; before this point, e.g. `cmp [ebp+var_10], MAX_LEN` / `ja <error path>`.
seg000:1001083E cmp [ebp+var_10], eax
seg000:10010841 jbe short crash_inside ; v66 <= 0x12 (unsigned): keep eax = 0x12
seg000:10010843 ; 101: v14 = v66;
seg000:10010843 mov eax, [ebp+var_10] ; v66 > 0x12: eax = v66, unchecked
seg000:10010846 ; 102: v15 = v14 + 3;
seg000:10010846
seg000:10010846 crash_inside: ; CODE XREF: crash_here__+242j
seg000:10010846 add eax, 3 ; round up to a multiple of 4 (together with the mask below)
seg000:10010849 ; 103: LOBYTE(v15) = v15 & 0xFC;
seg000:10010849 and al, 0FCh ; masking only al is sufficient for 4-byte rounding
seg000:10010849 ; NOTE(review): v66 >= 0xFFFFFFFD wraps eax to 0 here while v66 itself stays huge
seg000:1001084B ; 104: v16 = alloca(v15);
seg000:1001084B call __alloca_probe ; MSVC CRT helper: reserves eax bytes of stack, probing each page; an attacker-chosen eax beyond the stack reserve hits the guard page -> stack-overflow exception (the observed crash)
seg000:10010850 ; 105: v4 = &v39;
seg000:10010850 mov ebx, esp ; ebx = &v39, base of the freshly reserved stack buffer
seg000:10010852 ; 106: sub_10001974(v5, &v39, v66);
seg000:10010852 ; the call's instructions lie outside this listing. If sub_10001974 copies v66 bytes into &v39
seg000:10010852 ; (not shown here), the wrap-to-zero case above becomes an unbounded stack write rather than
seg000:10010852 ; a mere crash -- confirm before classifying severity.
在 bass_wv.dll 里面看了半天,想找个 use-after-free、double free 之类的,可惜没找到,小遗憾。