shellcode怎么运行啊

hhxk123 · 发表于 2024-5-20 21:45

我有一道CTF的题，给了一段shellcode，运行之后这就能得到flag，但是怎么运行啊

lyl610abc · 发表于 2024-5-21 11:26

本帖最后由 lyl610abc 于 2024-5-21 11:31 编辑

只需要 3 步：
1.向 chatgpt 提问：c++ windows 申请可执行内存并执行一段 shellcode
chatgpt提问.png

2.将 chatgpt 返回代码里的 shellcode 替换为你文本里的代码

[C++] 纯文本查看 复制代码

#include <windows.h>
#include <iostream>

// 用于测试的shellcode，通常是一段机器码。这里只是一个示例。
// 实际的shellcode应该是二进制形式，且与你的目标平台架构相匹配。
const char shellcode[] = "\x90\x90\x90"; // NOP NOP NOP (无操作指令)

int main() {
    // shellcode的大小
    SIZE_T shellcodeSize = sizeof(shellcode);

    // 申请可执行内存
    LPVOID execMemory = VirtualAlloc(
        NULL,            // 系统决定分配的地址
        shellcodeSize,   // 要分配的内存大小
        MEM_COMMIT | MEM_RESERVE, // 分配的内存类型
        PAGE_EXECUTE_READWRITE    // 可执行、可读写的保护属性
    );

    if (execMemory == NULL) {
        std::cerr << "Memory allocation failed." << std::endl;
        return 1;
    }

    // 将shellcode复制到申请的内存中
    RtlMoveMemory(execMemory, shellcode, shellcodeSize);

    // 转换指针类型以执行shellcode
    void (*shellcodeFunc)() = (void (*)())execMemory;

    // 执行shellcode
    shellcodeFunc();

    // 释放内存
    VirtualFree(execMemory, 0, MEM_RELEASE);

    return 0;
}

3. 编译执行得到结果
执行结果.png

爱飞的猫 · 发表于 2024-5-21 01:51

随便找个 EXE （关掉可执行文件的 ASLR 避免干扰）把入口替换成这段 ShellCode 然后在调试器或静态分析工具观察吧。

lyl610abc · 发表于 2024-5-21 11:39

还有一种更简单的办法，直接将十六进制代码转换为汇编代码
使用在线网站：Online x86 / x64 Assembler and Disassembler
把十六进制代码粘贴进来一键转换：
在线转换1.png

得到反汇编代码：

[Asm] 纯文本查看 复制代码

0:  55                      push   ebp
1:  8b ec                   mov    ebp,esp
3:  81 ec b0 00 00 00       sub    esp,0xb0
9:  c7 45 fc 00 00 00 00    mov    DWORD PTR [ebp-0x4],0x0
10: 50                      push   eax
11: 64 a1 30 00 00 00       mov    eax,fs:0x30
17: 8b 40 0c                mov    eax,DWORD PTR [eax+0xc]
1a: 8b 40 1c                mov    eax,DWORD PTR [eax+0x1c]
1d: 8b 00                   mov    eax,DWORD PTR [eax]
1f: 8b 40 08                mov    eax,DWORD PTR [eax+0x8]
22: 89 45 fc                mov    DWORD PTR [ebp-0x4],eax
25: 58                      pop    eax
26: 8b 45 fc                mov    eax,DWORD PTR [ebp-0x4]
29: 89 85 70 ff ff ff       mov    DWORD PTR [ebp-0x90],eax
2f: 8b 8d 70 ff ff ff       mov    ecx,DWORD PTR [ebp-0x90]
35: 8b 55 fc                mov    edx,DWORD PTR [ebp-0x4]
38: 03 51 3c                add    edx,DWORD PTR [ecx+0x3c]
3b: 89 95 6c ff ff ff       mov    DWORD PTR [ebp-0x94],edx
41: 8b 85 6c ff ff ff       mov    eax,DWORD PTR [ebp-0x94]
47: 83 c0 78                add    eax,0x78
4a: 89 85 68 ff ff ff       mov    DWORD PTR [ebp-0x98],eax
50: 8b 8d 68 ff ff ff       mov    ecx,DWORD PTR [ebp-0x98]
56: 8b 55 fc                mov    edx,DWORD PTR [ebp-0x4]
59: 03 11                   add    edx,DWORD PTR [ecx]
5b: 89 55 f0                mov    DWORD PTR [ebp-0x10],edx
5e: 8b 45 f0                mov    eax,DWORD PTR [ebp-0x10]
61: 8b 48 1c                mov    ecx,DWORD PTR [eax+0x1c]
64: 03 4d fc                add    ecx,DWORD PTR [ebp-0x4]
67: 89 8d 5c ff ff ff       mov    DWORD PTR [ebp-0xa4],ecx
6d: 8b 55 f0                mov    edx,DWORD PTR [ebp-0x10]
70: 8b 42 20                mov    eax,DWORD PTR [edx+0x20]
73: 03 45 fc                add    eax,DWORD PTR [ebp-0x4]
76: 89 85 64 ff ff ff       mov    DWORD PTR [ebp-0x9c],eax
7c: 8b 4d f0                mov    ecx,DWORD PTR [ebp-0x10]
7f: 8b 51 24                mov    edx,DWORD PTR [ecx+0x24]
82: 03 55 fc                add    edx,DWORD PTR [ebp-0x4]
85: 89 95 60 ff ff ff       mov    DWORD PTR [ebp-0xa0],edx
8b: c7 85 74 ff ff ff 00    mov    DWORD PTR [ebp-0x8c],0x0
92: 00 00 00
95: c7 45 f4 00 00 00 00    mov    DWORD PTR [ebp-0xc],0x0
9c: eb 09                   jmp    0xa7
9e: 8b 45 f4                mov    eax,DWORD PTR [ebp-0xc]
a1: 83 c0 01                add    eax,0x1
a4: 89 45 f4                mov    DWORD PTR [ebp-0xc],eax
a7: 8b 4d f0                mov    ecx,DWORD PTR [ebp-0x10]
aa: 8b 55 f4                mov    edx,DWORD PTR [ebp-0xc]
ad: 3b 51 18                cmp    edx,DWORD PTR [ecx+0x18]
b0: 73 7a                   jae    0x12c
b2: 8b 45 f4                mov    eax,DWORD PTR [ebp-0xc]
b5: 8b 8d 64 ff ff ff       mov    ecx,DWORD PTR [ebp-0x9c]
bb: 8b 14 81                mov    edx,DWORD PTR [ecx+eax*4]
be: 03 55 fc                add    edx,DWORD PTR [ebp-0x4]
c1: 89 55 ec                mov    DWORD PTR [ebp-0x14],edx
c4: c7 45 f8 00 00 00 00    mov    DWORD PTR [ebp-0x8],0x0
cb: 8b 45 ec                mov    eax,DWORD PTR [ebp-0x14]
ce: 0f be 08                movsx  ecx,BYTE PTR [eax]
d1: 85 c9                   test   ecx,ecx
d3: 74 28                   je     0xfd
d5: 8b 55 f8                mov    edx,DWORD PTR [ebp-0x8]
d8: c1 e2 19                shl    edx,0x19
db: 8b 45 f8                mov    eax,DWORD PTR [ebp-0x8]
de: c1 e8 07                shr    eax,0x7
e1: 0b d0                   or     edx,eax
e3: 89 55 f8                mov    DWORD PTR [ebp-0x8],edx
e6: 8b 4d ec                mov    ecx,DWORD PTR [ebp-0x14]
e9: 0f be 11                movsx  edx,BYTE PTR [ecx]
ec: 03 55 f8                add    edx,DWORD PTR [ebp-0x8]
ef: 89 55 f8                mov    DWORD PTR [ebp-0x8],edx
f2: 8b 45 ec                mov    eax,DWORD PTR [ebp-0x14]
f5: 83 c0 01                add    eax,0x1
f8: 89 45 ec                mov    DWORD PTR [ebp-0x14],eax
fb: eb ce                   jmp    0xcb
fd: 81 7d f8 85 df af bb    cmp    DWORD PTR [ebp-0x8],0xbbafdf85
104:    75 21                   jne    0x127
106:    8b 4d f4                mov    ecx,DWORD PTR [ebp-0xc]
109:    8b 95 60 ff ff ff       mov    edx,DWORD PTR [ebp-0xa0]
10f:    0f b7 04 4a             movzx  eax,WORD PTR [edx+ecx*2]
113:    8b 8d 5c ff ff ff       mov    ecx,DWORD PTR [ebp-0xa4]
119:    8b 14 81                mov    edx,DWORD PTR [ecx+eax*4]
11c:    03 55 fc                add    edx,DWORD PTR [ebp-0x4]
11f:    89 95 74 ff ff ff       mov    DWORD PTR [ebp-0x8c],edx
125:    eb 05                   jmp    0x12c
127:    e9 72 ff ff ff          jmp    0x9e
12c:    8b 85 74 ff ff ff       mov    eax,DWORD PTR [ebp-0x8c]
132:    89 85 78 ff ff ff       mov    DWORD PTR [ebp-0x88],eax
138:    c6 45 b0 4c             mov    BYTE PTR [ebp-0x50],0x4c
13c:    c6 45 b1 6f             mov    BYTE PTR [ebp-0x4f],0x6f
140:    c6 45 b2 61             mov    BYTE PTR [ebp-0x4e],0x61
144:    c6 45 b3 64             mov    BYTE PTR [ebp-0x4d],0x64
148:    c6 45 b4 4c             mov    BYTE PTR [ebp-0x4c],0x4c
14c:    c6 45 b5 69             mov    BYTE PTR [ebp-0x4b],0x69
150:    c6 45 b6 62             mov    BYTE PTR [ebp-0x4a],0x62
154:    c6 45 b7 72             mov    BYTE PTR [ebp-0x49],0x72
158:    c6 45 b8 61             mov    BYTE PTR [ebp-0x48],0x61
15c:    c6 45 b9 72             mov    BYTE PTR [ebp-0x47],0x72
160:    c6 45 ba 79             mov    BYTE PTR [ebp-0x46],0x79
164:    c6 45 bb 45             mov    BYTE PTR [ebp-0x45],0x45
168:    c6 45 bc 78             mov    BYTE PTR [ebp-0x44],0x78
16c:    c6 45 bd 41             mov    BYTE PTR [ebp-0x43],0x41
170:    c6 45 be 00             mov    BYTE PTR [ebp-0x42],0x0
174:    c6 45 d8 75             mov    BYTE PTR [ebp-0x28],0x75
178:    c6 45 d9 73             mov    BYTE PTR [ebp-0x27],0x73
17c:    c6 45 da 65             mov    BYTE PTR [ebp-0x26],0x65
180:    c6 45 db 72             mov    BYTE PTR [ebp-0x25],0x72
184:    c6 45 dc 33             mov    BYTE PTR [ebp-0x24],0x33
188:    c6 45 dd 32             mov    BYTE PTR [ebp-0x23],0x32
18c:    c6 45 de 2e             mov    BYTE PTR [ebp-0x22],0x2e
190:    c6 45 df 64             mov    BYTE PTR [ebp-0x21],0x64
194:    c6 45 e0 6c             mov    BYTE PTR [ebp-0x20],0x6c
198:    c6 45 e1 6c             mov    BYTE PTR [ebp-0x1f],0x6c
19c:    c6 45 e2 00             mov    BYTE PTR [ebp-0x1e],0x0
1a0:    c6 45 c0 4d             mov    BYTE PTR [ebp-0x40],0x4d
1a4:    c6 45 c1 65             mov    BYTE PTR [ebp-0x3f],0x65
1a8:    c6 45 c2 73             mov    BYTE PTR [ebp-0x3e],0x73
1ac:    c6 45 c3 73             mov    BYTE PTR [ebp-0x3d],0x73
1b0:    c6 45 c4 61             mov    BYTE PTR [ebp-0x3c],0x61
1b4:    c6 45 c5 67             mov    BYTE PTR [ebp-0x3b],0x67
1b8:    c6 45 c6 65             mov    BYTE PTR [ebp-0x3a],0x65
1bc:    c6 45 c7 42             mov    BYTE PTR [ebp-0x39],0x42
1c0:    c6 45 c8 6f             mov    BYTE PTR [ebp-0x38],0x6f
1c4:    c6 45 c9 78             mov    BYTE PTR [ebp-0x37],0x78
1c8:    c6 45 ca 41             mov    BYTE PTR [ebp-0x36],0x41
1cc:    c6 45 cb 00             mov    BYTE PTR [ebp-0x35],0x0
1d0:    c6 45 cc 45             mov    BYTE PTR [ebp-0x34],0x45
1d4:    c6 45 cd 78             mov    BYTE PTR [ebp-0x33],0x78
1d8:    c6 45 ce 69             mov    BYTE PTR [ebp-0x32],0x69
1dc:    c6 45 cf 74             mov    BYTE PTR [ebp-0x31],0x74
1e0:    c6 45 d0 50             mov    BYTE PTR [ebp-0x30],0x50
1e4:    c6 45 d1 72             mov    BYTE PTR [ebp-0x2f],0x72
1e8:    c6 45 d2 6f             mov    BYTE PTR [ebp-0x2e],0x6f
1ec:    c6 45 d3 63             mov    BYTE PTR [ebp-0x2d],0x63
1f0:    c6 45 d4 65             mov    BYTE PTR [ebp-0x2c],0x65
1f4:    c6 45 d5 73             mov    BYTE PTR [ebp-0x2b],0x73
1f8:    c6 45 d6 73             mov    BYTE PTR [ebp-0x2a],0x73
1fc:    c6 45 d7 00             mov    BYTE PTR [ebp-0x29],0x0
200:    8d 4d b0                lea    ecx,[ebp-0x50]
203:    51                      push   ecx
204:    8b 55 fc                mov    edx,DWORD PTR [ebp-0x4]
207:    52                      push   edx
208:    ff 95 78 ff ff ff       call   DWORD PTR [ebp-0x88]
20e:    89 85 58 ff ff ff       mov    DWORD PTR [ebp-0xa8],eax
214:    8d 45 cc                lea    eax,[ebp-0x34]
217:    50                      push   eax
218:    8b 4d fc                mov    ecx,DWORD PTR [ebp-0x4]
21b:    51                      push   ecx
21c:    ff 95 78 ff ff ff       call   DWORD PTR [ebp-0x88]
222:    89 85 50 ff ff ff       mov    DWORD PTR [ebp-0xb0],eax
228:    8d 55 c0                lea    edx,[ebp-0x40]
22b:    52                      push   edx
22c:    6a 00                   push   0x0
22e:    6a 00                   push   0x0
230:    8d 45 d8                lea    eax,[ebp-0x28]
233:    50                      push   eax
234:    ff 95 58 ff ff ff       call   DWORD PTR [ebp-0xa8]
23a:    50                      push   eax
23b:    ff 95 78 ff ff ff       call   DWORD PTR [ebp-0x88]
241:    89 85 54 ff ff ff       mov    DWORD PTR [ebp-0xac],eax
247:    c6 85 7c ff ff ff 66    mov    BYTE PTR [ebp-0x84],0x66
24e:    c6 85 7d ff ff ff 6c    mov    BYTE PTR [ebp-0x83],0x6c
255:    c6 85 7e ff ff ff 61    mov    BYTE PTR [ebp-0x82],0x61
25c:    c6 85 7f ff ff ff 67    mov    BYTE PTR [ebp-0x81],0x67
263:    c6 45 80 7b             mov    BYTE PTR [ebp-0x80],0x7b
267:    c6 45 81 68             mov    BYTE PTR [ebp-0x7f],0x68
26b:    c6 45 82 61             mov    BYTE PTR [ebp-0x7e],0x61
26f:    c6 45 83 69             mov    BYTE PTR [ebp-0x7d],0x69
273:    c6 45 84 2d             mov    BYTE PTR [ebp-0x7c],0x2d
277:    c6 45 85 73             mov    BYTE PTR [ebp-0x7b],0x73
27b:    c6 45 86 68             mov    BYTE PTR [ebp-0x7a],0x68
27f:    c6 45 87 61             mov    BYTE PTR [ebp-0x79],0x61
283:    c6 45 88 6e             mov    BYTE PTR [ebp-0x78],0x6e
287:    c6 45 89 67             mov    BYTE PTR [ebp-0x77],0x67
28b:    c6 45 8a 2d             mov    BYTE PTR [ebp-0x76],0x2d
28f:    c6 45 8b 73             mov    BYTE PTR [ebp-0x75],0x73
293:    c6 45 8c 68             mov    BYTE PTR [ebp-0x74],0x68
297:    c6 45 8d 65             mov    BYTE PTR [ebp-0x73],0x65
29b:    c6 45 8e 6e             mov    BYTE PTR [ebp-0x72],0x6e
29f:    c6 45 8f 67             mov    BYTE PTR [ebp-0x71],0x67
2a3:    c6 45 90 2d             mov    BYTE PTR [ebp-0x70],0x2d
2a7:    c6 45 91 6d             mov    BYTE PTR [ebp-0x6f],0x6d
2ab:    c6 45 92 69             mov    BYTE PTR [ebp-0x6e],0x69
2af:    c6 45 93 6e             mov    BYTE PTR [ebp-0x6d],0x6e
2b3:    c6 45 94 67             mov    BYTE PTR [ebp-0x6c],0x67
2b7:    c6 45 95 2d             mov    BYTE PTR [ebp-0x6b],0x2d
2bb:    c6 45 96 79             mov    BYTE PTR [ebp-0x6a],0x79
2bf:    c6 45 97 75             mov    BYTE PTR [ebp-0x69],0x75
2c3:    c6 45 98 65             mov    BYTE PTR [ebp-0x68],0x65
2c7:    c6 45 99 2d             mov    BYTE PTR [ebp-0x67],0x2d
2cb:    c6 45 9a 2d             mov    BYTE PTR [ebp-0x66],0x2d
2cf:    c6 45 9b 74             mov    BYTE PTR [ebp-0x65],0x74
2d3:    c6 45 9c 69             mov    BYTE PTR [ebp-0x64],0x69
2d7:    c6 45 9d 61             mov    BYTE PTR [ebp-0x63],0x61
2db:    c6 45 9e 6e             mov    BYTE PTR [ebp-0x62],0x6e
2df:    c6 45 9f 2d             mov    BYTE PTR [ebp-0x61],0x2d
2e3:    c6 45 a0 79             mov    BYTE PTR [ebp-0x60],0x79
2e7:    c6 45 a1 61             mov    BYTE PTR [ebp-0x5f],0x61
2eb:    c6 45 a2 2d             mov    BYTE PTR [ebp-0x5e],0x2d
2ef:    c6 45 a3 67             mov    BYTE PTR [ebp-0x5d],0x67
2f3:    c6 45 a4 6f             mov    BYTE PTR [ebp-0x5c],0x6f
2f7:    c6 45 a5 6e             mov    BYTE PTR [ebp-0x5b],0x6e
2fb:    c6 45 a6 67             mov    BYTE PTR [ebp-0x5a],0x67
2ff:    c6 45 a7 2d             mov    BYTE PTR [ebp-0x59],0x2d
303:    c6 45 a8 63             mov    BYTE PTR [ebp-0x58],0x63
307:    c6 45 a9 69             mov    BYTE PTR [ebp-0x57],0x69
30b:    c6 45 aa 2d             mov    BYTE PTR [ebp-0x56],0x2d
30f:    c6 45 ab 73             mov    BYTE PTR [ebp-0x55],0x73
313:    c6 45 ac 68             mov    BYTE PTR [ebp-0x54],0x68
317:    c6 45 ad 69             mov    BYTE PTR [ebp-0x53],0x69
31b:    c6 45 ae 7d             mov    BYTE PTR [ebp-0x52],0x7d
31f:    c6 45 af 00             mov    BYTE PTR [ebp-0x51],0x0
323:    c6 45 e4 66             mov    BYTE PTR [ebp-0x1c],0x66
327:    c6 45 e5 6c             mov    BYTE PTR [ebp-0x1b],0x6c
32b:    c6 45 e6 61             mov    BYTE PTR [ebp-0x1a],0x61
32f:    c6 45 e7 67             mov    BYTE PTR [ebp-0x19],0x67
333:    c6 45 e8 00             mov    BYTE PTR [ebp-0x18],0x0
337:    6a 00                   push   0x0
339:    8d 4d e4                lea    ecx,[ebp-0x1c]
33c:    51                      push   ecx
33d:    8d 95 7c ff ff ff       lea    edx,[ebp-0x84]
343:    52                      push   edx
344:    6a 00                   push   0x0
346:    ff 95 54 ff ff ff       call   DWORD PTR [ebp-0xac]
34c:    6a 00                   push   0x0
34e:    ff 95 50 ff ff ff       call   DWORD PTR [ebp-0xb0]
354:    8b e5                   mov    esp,ebp
356:    5d                      pop    ebp
357:    c3                      ret

很容易就找到赋值的反汇编代码：

[Asm] 纯文本查看 复制代码

247:    c6 85 7c ff ff ff 66    mov    BYTE PTR [ebp-0x84],0x66
24e:    c6 85 7d ff ff ff 6c    mov    BYTE PTR [ebp-0x83],0x6c
255:    c6 85 7e ff ff ff 61    mov    BYTE PTR [ebp-0x82],0x61
25c:    c6 85 7f ff ff ff 67    mov    BYTE PTR [ebp-0x81],0x67
263:    c6 45 80 7b             mov    BYTE PTR [ebp-0x80],0x7b
267:    c6 45 81 68             mov    BYTE PTR [ebp-0x7f],0x68
26b:    c6 45 82 61             mov    BYTE PTR [ebp-0x7e],0x61
26f:    c6 45 83 69             mov    BYTE PTR [ebp-0x7d],0x69
273:    c6 45 84 2d             mov    BYTE PTR [ebp-0x7c],0x2d
277:    c6 45 85 73             mov    BYTE PTR [ebp-0x7b],0x73
27b:    c6 45 86 68             mov    BYTE PTR [ebp-0x7a],0x68
27f:    c6 45 87 61             mov    BYTE PTR [ebp-0x79],0x61
283:    c6 45 88 6e             mov    BYTE PTR [ebp-0x78],0x6e
287:    c6 45 89 67             mov    BYTE PTR [ebp-0x77],0x67
28b:    c6 45 8a 2d             mov    BYTE PTR [ebp-0x76],0x2d
28f:    c6 45 8b 73             mov    BYTE PTR [ebp-0x75],0x73
293:    c6 45 8c 68             mov    BYTE PTR [ebp-0x74],0x68
297:    c6 45 8d 65             mov    BYTE PTR [ebp-0x73],0x65
29b:    c6 45 8e 6e             mov    BYTE PTR [ebp-0x72],0x6e
29f:    c6 45 8f 67             mov    BYTE PTR [ebp-0x71],0x67
2a3:    c6 45 90 2d             mov    BYTE PTR [ebp-0x70],0x2d
2a7:    c6 45 91 6d             mov    BYTE PTR [ebp-0x6f],0x6d
2ab:    c6 45 92 69             mov    BYTE PTR [ebp-0x6e],0x69
2af:    c6 45 93 6e             mov    BYTE PTR [ebp-0x6d],0x6e
2b3:    c6 45 94 67             mov    BYTE PTR [ebp-0x6c],0x67
2b7:    c6 45 95 2d             mov    BYTE PTR [ebp-0x6b],0x2d
2bb:    c6 45 96 79             mov    BYTE PTR [ebp-0x6a],0x79
2bf:    c6 45 97 75             mov    BYTE PTR [ebp-0x69],0x75
2c3:    c6 45 98 65             mov    BYTE PTR [ebp-0x68],0x65
2c7:    c6 45 99 2d             mov    BYTE PTR [ebp-0x67],0x2d
2cb:    c6 45 9a 2d             mov    BYTE PTR [ebp-0x66],0x2d
2cf:    c6 45 9b 74             mov    BYTE PTR [ebp-0x65],0x74
2d3:    c6 45 9c 69             mov    BYTE PTR [ebp-0x64],0x69
2d7:    c6 45 9d 61             mov    BYTE PTR [ebp-0x63],0x61
2db:    c6 45 9e 6e             mov    BYTE PTR [ebp-0x62],0x6e
2df:    c6 45 9f 2d             mov    BYTE PTR [ebp-0x61],0x2d
2e3:    c6 45 a0 79             mov    BYTE PTR [ebp-0x60],0x79
2e7:    c6 45 a1 61             mov    BYTE PTR [ebp-0x5f],0x61
2eb:    c6 45 a2 2d             mov    BYTE PTR [ebp-0x5e],0x2d
2ef:    c6 45 a3 67             mov    BYTE PTR [ebp-0x5d],0x67
2f3:    c6 45 a4 6f             mov    BYTE PTR [ebp-0x5c],0x6f
2f7:    c6 45 a5 6e             mov    BYTE PTR [ebp-0x5b],0x6e
2fb:    c6 45 a6 67             mov    BYTE PTR [ebp-0x5a],0x67
2ff:    c6 45 a7 2d             mov    BYTE PTR [ebp-0x59],0x2d
303:    c6 45 a8 63             mov    BYTE PTR [ebp-0x58],0x63
307:    c6 45 a9 69             mov    BYTE PTR [ebp-0x57],0x69
30b:    c6 45 aa 2d             mov    BYTE PTR [ebp-0x56],0x2d
30f:    c6 45 ab 73             mov    BYTE PTR [ebp-0x55],0x73
313:    c6 45 ac 68             mov    BYTE PTR [ebp-0x54],0x68
317:    c6 45 ad 69             mov    BYTE PTR [ebp-0x53],0x69
31b:    c6 45 ae 7d             mov    BYTE PTR [ebp-0x52],0x7d
31f:    c6 45 af 00             mov    BYTE PTR [ebp-0x51],0x0
323:    c6 45 e4 66             mov    BYTE PTR [ebp-0x1c],0x66
327:    c6 45 e5 6c             mov    BYTE PTR [ebp-0x1b],0x6c
32b:    c6 45 e6 61             mov    BYTE PTR [ebp-0x1a],0x61
32f:    c6 45 e7 67             mov    BYTE PTR [ebp-0x19],0x67
333:    c6 45 e8 00             mov    BYTE PTR [ebp-0x18],0x0

这里赋值的是字符串对应的 ASCII 码，将 ASCII 码转换回字符串
网上随便搜了个在线网站: code-convert-ascii
把对应的 ASCII 码丢进来解析即可得到 flag
在线转换3.png

lyl610abc · 发表于 2024-5-21 11:52

爱飞的猫发表于 2024-5-21 01:51
随便找个 EXE （关掉可执行文件的 ASLR 避免干扰）把入口替换成这段 ShellCode 然后在调试器或静态分析工具 ...

这个思路有点太侵入式了，shellcode 本质只是一段可执行的代码，而不是非要侵入才能执行
对于 flag 题中的一段 shellcode ，需要的无非是：
shellcode 执行的结果
shellcode 执行过程中的隐藏信息(需要分析执行过程对应的汇编代码)

对于 shellcode ，随便写一个 demo，分配一段可执行的内存区域执行这段 shellcode 即可
或者是直接将 shellcode 转换为汇编代码进行分析

hhxk123 · 发表于 2024-5-21 15:32

lyl610abc 发表于 2024-5-21 11:26
只需要 3 步：
1.向 chatgpt 提问：c++ windows 申请可执行内存并执行一段 shellcode

厉害了，谢谢大佬

爱飞的猫 · 发表于 2024-5-23 01:49

lyl610abc 发表于 2024-5-21 11:52
这个思路有点太侵入式了，shellcode 本质只是一段可执行的代码，而不是非要侵入才能执行
对于 flag 题中 ...

植入到可执行文件主要还是为了更方便看 IDA 的伪码，如果给的 ShellCode 本身比较简单，那确实没啥必要。

帐号		自动登录	找回密码
密码			注册[Register]

[已解决] shellcode怎么运行啊

免费评分

点评

免费评分