adobe flash player升级coredump分析
来源:互联网 发布:淘宝土家酱香饼纸袋 编辑:程序博客网 时间:2024/05/17 17:38
flash player版本:14.0.0.125
产品名称:Adobe® Flash® Player Installer/Uninstaller
系统:windows xp sp3
调试器:windbg
反汇编器:IDA
应用程序:FlashUtil32_14_0_0_125_Plugin.exe
coredump信息:
eax=00000000 ebx=01ed75f0 ecx=00000000 edx=00000000 esi=01ed75f0 edi=00000000eip=00409db5 esp=0012fc1c ebp=0012fc30 iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246FlashUtil32_14_0_0_125_Plugin+0x9db5:00409db5 f7f1 div eax,ecx
堆栈:
0:000> kbChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong.0012fc30 0040c1e6 00000001 00000064 00000000 FlashUtil32_14_0_0_125_Plugin+0x9db50012fcd0 77d18734 00010652 00000464 00000001 FlashUtil32_14_0_0_125_Plugin+0xc1e60012fcfc 77d18816 0040c190 00010652 00000464 USER32!GetDC+0x6d0012fd64 77d189cd 00000000 0040c190 00010652 USER32!GetDC+0x14f0012fdc4 77d18a10 0012fdec 00000000 0012fe0c USER32!GetWindowLongW+0x1270012fdd4 0040c5c9 0012fdec 0042c0b8 01be42b8 USER32!DispatchMessageW+0xf0012fe0c 00406975 01be2ad8 01be42b8 01be2d80 FlashUtil32_14_0_0_125_Plugin+0xc5c90012fe80 00404b5b 0040150e 01be2a08 00404ba7 FlashUtil32_14_0_0_125_Plugin+0x69750012fe84 0040150e 01be2a08 00404ba7 01be2ad8 FlashUtil32_14_0_0_125_Plugin+0x4b5b0012fe8c 00404ba7 01be2ad8 01be42b8 01be2d80 FlashUtil32_14_0_0_125_Plugin+0x150e0012feb8 0040120a 01ed7298 01eeefc8 00000000 FlashUtil32_14_0_0_125_Plugin+0x4ba700000000 00000000 00000000 00000000 00000000 FlashUtil32_14_0_0_125_Plugin+0x120a
从“coredump信息”里可以, 由于ecx=00000000所以导致div eax,ecx出现除0异常。
那么,ecx的值是从哪里来呢?
用IDA打开FlashUtil32_14_0_0_125_Plugin.exe,跳转到地址00409db5,可以看到:
.text:00409DA4 loc_409DA4: ; CODE XREF: sub_4099CA+2BEj.text:00409DA4 mov edi, [ebp+arg_8].text:00409DA7 movzx ecx, word ptr [ebp+arg_8].text:00409DAB shr edi, 10h.text:00409DAE mov eax, edi.text:00409DB0 imul eax, 64h.text:00409DB3 xor edx, edx.text:00409DB5 div ecx
由上面代码片段,可以看出,ecx的值是由00409db5所在函数的第三个参数赋值的。看一下第三个参数是多少?
0:000> dd ebp L 80012fc30 0012fcd0 0040c1e6 00000001 000000640012fc40 00000000 0012fd38 0040c190 00000000从这里看到,第三个参数也是0(地址0012fc40的值)。那么,第三个参数的值又是从哪里来的?
看一下上一层函数(地址0040c1e6所在的函数):
.text:0040C190 ; LRESULT __stdcall PrevWndFunc(HWND, UINT, WPARAM, LPARAM).text:0040C190 PrevWndFunc proc near ; DATA XREF: sub_40C605+4Ao.text:0040C190 ; sub_40C796+30o.text:0040C190.text:0040C190 x = dword ptr -80h.text:0040C190 y = dword ptr -7Ch.text:0040C190 var_78 = dword ptr -78h.text:0040C190 var_74 = dword ptr -74h.text:0040C190 var_70 = dword ptr -70h.text:0040C190 var_6C = dword ptr -6Ch.text:0040C190 var_68 = dword ptr -68h.text:0040C190 ho = dword ptr -64h.text:0040C190 rc = RECT ptr -60h.text:0040C190 var_50 = dword ptr -50h.text:0040C190 var_4C = dword ptr -4Ch.text:0040C190 var_46 = byte ptr -46h.text:0040C190 var_45 = byte ptr -45h.text:0040C190 Paint = tagPAINTSTRUCT ptr -44h.text:0040C190 var_4 = dword ptr -4.text:0040C190 hWnd = dword ptr 8.text:0040C190 Msg = dword ptr 0Ch.text:0040C190 wParam = dword ptr 10h.text:0040C190 lParam = dword ptr 14h.text:0040C190.text:0040C190 push ebp.text:0040C191 mov ebp, esp.text:0040C193 sub esp, 80h.text:0040C199 mov eax, dword_431EAC.text:0040C19E xor eax, ebp.text:0040C1A0 mov [ebp+var_4], eax.text:0040C1A3 mov eax, [ebp+hWnd].text:0040C1A6 push ebx.text:0040C1A7 push esi.text:0040C1A8 mov esi, [ebp+lParam].text:0040C1AB push edi.text:0040C1AC push 0FFFFFFEBh ; nIndex.text:0040C1AE push eax ; hWnd.text:0040C1AF mov [ebp+var_4C], eax.text:0040C1B2 call ds:GetWindowLongW.text:0040C1B8 mov edi, [ebp+Msg].text:0040C1BB mov ebx, eax.text:0040C1BD mov [ebp+var_46], 0.text:0040C1C1 cmp edi, 0C000h.text:0040C1C7 jnb short loc_40C1E6.text:0040C1C9 cmp edi, 400h.text:0040C1CF jb short loc_40C205.text:0040C1D1 test ebx, ebx.text:0040C1D3 jz short loc_40C1E6.text:0040C1D5 mov eax, [ebx].text:0040C1D7 push esi.text:0040C1D8 lea ecx, [edi-400h].text:0040C1DE push ecx.text:0040C1DF push [ebp+wParam].text:0040C1E2 mov ecx, ebx.text:0040C1E4 call dword ptr [eax].text:0040C1E6.text:0040C1E6 loc_40C1E6: ; CODE XREF: PrevWndFunc+37j.text:0040C1E6 ; PrevWndFunc+43j ....text:0040C1E6 push esi ; lParam
由
.text:0040C1D7 push esi.text:0040C1D8 lea ecx, [edi-400h].text:0040C1DE push ecx.text:0040C1DF push [ebp+wParam].text:0040C1E2 mov ecx, ebx.text:0040C1E4 call dword ptr [eax]
和
.text:0040C1A7 push esi.text:0040C1A8 mov esi, [ebp+lParam]
可知,00409db5所在函数的第三个参数是由PrevWndFunc的第四个参数提供。查看一下第四个参数
0:000> dd 0012fcd0 L 80012fcd0 0012fcfc 77d18734 00010652 000004640012fce0 00000001 00000000 0040c190 dcbaabcd
而PrevWndFunc是由User32来调用,第四个参数0值的传入是无法避免,也就是说,00409db5所在的函数,要对第三个参数0值判断。
0 0
- adobe flash player升级coredump分析
- 业界资讯:adobe flash player 升级至10.2
- Adobe Flash Player 10.0
- Adobe Flash Player
- Ubuntu Adobe Flash Player
- Adobe Flash Player 下载
- 安装Adobe Flash Player:
- Adobe Flash Player / 功能
- Adobe Flash Player CVE-2012-0779漏洞技术分析
- Adobe flash player白利用远控分析
- Adobe Flash Player Version Penetration
- fedora14 安装adobe flash player
- ubuntu安装adobe flash player
- Adobe Flash Player常用链接
- centos 安装 Adobe Flash Player
- ubutu 安装 adobe flash player
- centos install Adobe flash player
- ubuntu install Adobe Flash Player
- Spring MVC 学习笔记8 —— 实现简单的用户管理(4)
- Android 基于google Zxing实现二维码、条形码扫描,仿微信二维码扫描效果
- ExpandableListActivity 的使用
- 小白学c++之多线程互斥锁
- maven assembly打出的独立可执行jar包找不到xml schema解决,使用shade插件
- adobe flash player升级coredump分析
- 判斷選擇的日期區間必須在某個範圍內,比如選擇的日期區間在必須三個月內
- Android 开源框架ActionBarSherlock 和 ViewPager 仿网易新闻客户端
- 正则表达式初步
- js 动态合并表格单元格
- 产品经理们都是怎样养成的?
- back for creepcrack.inp
- 背包问题-暴力求解
- 怎么修改myeclipse 中用的jdk版本