Around noon today a colleague mentioned a ticket-grabbing program that supposedly has a very high success rate (and is a paid product), so I searched for it on Baidu and wanted to give it a try. To my surprise, as soon as I had downloaded and launched it, it crashed within moments. Hence this article.
A quick look showed that the program is written in .NET, and crashes in programs like this differ somewhat from the crashes we usually see in programs written in C/C++. Everything such a .NET program executes is managed code; if you are not sure what managed code is, see the Baidu Baike entry here: http://baike.baidu.com/link?url=0IoxrMN_R9HqpbmahzNFFizDOj-XOZL7cUQY4r2v-17zGAc6trGR5PK0eXDpsxu- . Since my debugger is registered as the JIT (postmortem) debugger, it catches the exception the moment a crash happens. Below is what it captured at the time of the crash; you can see that the modules loaded by this program include many of the libraries that managed code requires.
For debugging managed code like this, WinDbg already integrates a set of commands. Let's analyze the crash. Because this is managed code, before we can analyze anything we have to load the SOS extension that matches the runtime version:
0:008> .loadby sos mscorwks
0:008> !help
-------------------------------------------------------------------------------
SOS is a debugger extension DLL designed to aid in the debugging of managed
programs. Functions are listed by category, then roughly in order of
importance. Shortcut names for popular functions are listed in parenthesis.
Type "!help " for detailed info on that function.
Object Inspection                  Examining code and stacks
-----------------------------      -----------------------------
DumpObj (do)                       Threads
DumpArray (da)                     CLRStack
DumpStackObjects (dso)             IP2MD
DumpHeap                           U
DumpVC                             DumpStack
GCRoot                             EEStack
ObjSize                            GCInfo
FinalizeQueue                      EHInfo
PrintException (pe)                COMState
TraverseHeap                       BPMD

Examining CLR data structures      Diagnostic Utilities
-----------------------------      -----------------------------
DumpDomain                         VerifyHeap
EEHeap                             DumpLog
Name2EE                            FindAppDomain
SyncBlk                            SaveModule
DumpMT                             GCHandles
DumpClass                          GCHandleLeaks
DumpMD                             VMMap
Token2EE                           VMStat
EEVersion                          ProcInfo
DumpModule                         StopOnException (soe)
ThreadPool                         MinidumpMode
DumpAssembly
DumpMethodSig                      Other
DumpRuntimeTypes                   -----------------------------
DumpSig                            FAQ
RCWCleanupList
DumpIL
After running the command above we have many commands available to help with the analysis. First, let's look at the whole stack at the time of the crash:
0:008> !DumpStack
OS Thread Id: 0xdb4 (8)
Current frame: KERNELBASE!RaiseException+0x58
ChildEBP RetAddr Caller,Callee
055fee58 758ad3cf KERNELBASE!RaiseException+0x58, calling ntdll!RtlRaiseException
055fee6c 62c3f404 mscorwks!Binder::RawGetClass+0x20, calling mscorwks!Module::LookupTypeDef
055fee7c 62c3f877 mscorwks!Binder::IsClass+0x23, calling mscorwks!Binder::RawGetClass
055fee88 62cd7b6f mscorwks!Binder::IsException+0x14, calling mscorwks!Binder::IsClass
055fee98 62cd7b96 mscorwks!IsExceptionOfType+0x23, calling mscorwks!Binder::IsException
055feea0 62cd7d1c mscorwks!RaiseTheExceptionInternalOnly+0x2a8, calling KERNEL32!RaiseExceptionStub
055fef00 62cd1950 mscorwks!JIT_Throw+0xfc, calling mscorwks!RaiseTheExceptionInternalOnly
055fef74 62cd18a5 mscorwks!JIT_Throw+0x1e, calling mscorwks!LazyMachStateCaptureState
055fef80 62c40074 mscorwks!PreStubWorker+0x141, calling mscorwks!_EH_epilog3
055fef84 0063087e 0063087e, calling mscorwks!PreStubWorker
055fefc4 004a9a75 (MethodDesc 0x337ef0 +0x155 d.a()), calling mscorwks!JIT_Throw
055ff070 004a862e (MethodDesc 0x336350 +0x66 z.i()), calling (MethodDesc 0x337ef0 +0 d.a())
055ff088 004a856f (MethodDesc 0x336500 +0x1f z.a()), calling 0033c640
055ff0a8 62346e76 (MethodDesc 0x62204020 +0x66 System.Threading.ThreadHelper.ThreadStart_Context(System.Object))
055ff0b4 623502ff (MethodDesc 0x62172794 +0x6f System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object))
055ff0c8 62346df4 (MethodDesc 0x6216be0c +0x44 System.Threading.ThreadHelper.ThreadStart()), calling (MethodDesc 0x62172794 +0 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object))
055ff0e0 62c31b4c mscorwks!CallDescrWorker+0x33
055ff0e8 77736824 ntdll!RtlDebugFreeHeap+0x25f, calling ntdll!_SEH_epilog4
055ff0f0 62c48dde mscorwks!CallDescrWorkerWithHandler+0xa3, calling mscorwks!CallDescrWorker
055ff170 62c56a2c mscorwks!MethodDesc::CallDescr+0x19c, calling mscorwks!CallDescrWorkerWithHandler
055ff18c 62c3ea77 mscorwks!SigParser::SkipExactlyOne+0x20, calling mscorwks!CorSigEatCustomModifiersAndUncompressElementType
055ff19c 62c56ddb mscorwks!MetaSig::MetaSig+0x3a, calling MSVCR80!memcpy
055ff1ac 62c56969 mscorwks!MethodDesc::CallDescr+0xaf, calling mscorwks!ClrSafeInt::addition
055ff1b8 62c56979 mscorwks!MethodDesc::CallDescr+0xbb, calling mscorwks!_alloca_probe_16
055ff218 62c348ba mscorwks!EEHeapFree+0xba, calling mscorwks!_EH_epilog3
055ff22c 776c5ae0 ntdll!RtlAllocateHeap+0x23a, calling ntdll!RtlpAllocateHeap
055ff240 62c348ba mscorwks!EEHeapFree+0xba, calling mscorwks!_EH_epilog3
055ff244 62c348d9 mscorwks!EEHeapFreeInProcessHeap+0x22, calling mscorwks!EEHeapFree
055ff258 62c34862 mscorwks!operator delete[]+0x2a, calling mscorwks!EEHeapFreeInProcessHeap
055ff294 62c3f37c mscorwks!Module::LookupTypeDef+0x36, calling mscorwks!LookupMap::GetElement
055ff2a8 62c56a5f mscorwks!MethodDesc::CallTargetWorker+0x1f, calling mscorwks!MethodDesc::CallDescr
055ff2c4 62c56a7d mscorwks!MethodDescCallSite::CallWithValueTypes_RetArgSlot+0x1a, calling mscorwks!MethodDesc::CallTargetWorker
055ff2dc 62cd3191 mscorwks!ThreadNative::KickOffThread_Worker+0x192, calling mscorwks!MethodDescCallSite::Call
055ff348 776c5dd3 ntdll!RtlpAllocateHeap+0xe73, calling ntdll!_SEH_epilog4
055ff35c 777360fe ntdll!RtlDebugAllocateHeap+0x308, calling ntdll!_SEH_epilog4
055ff360 776fa376 ntdll!RtlpAllocateHeap+0xc4, calling ntdll!RtlDebugAllocateHeap
055ff36c 776c5dd3 ntdll!RtlpAllocateHeap+0xe73, calling ntdll!_SEH_epilog4
055ff38c 776c5dd3 ntdll!RtlpAllocateHeap+0xe73, calling ntdll!_SEH_epilog4
055ff390 776c5ae0 ntdll!RtlAllocateHeap+0x23a, calling ntdll!RtlpAllocateHeap
055ff3a0 776b6054 ntdll!NtQueryInformationProcess+0xc
055ff3a4 758a94fb KERNELBASE!GetProcessVersion+0x59, calling ntdll!NtQueryInformationProcess
055ff3f0 776c5dd3 ntdll!RtlpAllocateHeap+0xe73, calling ntdll!_SEH_epilog4
055ff3f4 776c5ae0 ntdll!RtlAllocateHeap+0x23a, calling ntdll!RtlpAllocateHeap
055ff45c 62c348ba mscorwks!EEHeapFree+0xba, calling mscorwks!_EH_epilog3
055ff470 776c5ae0 ntdll!RtlAllocateHeap+0x23a, calling ntdll!RtlpAllocateHeap
055ff484 62c348ba mscorwks!EEHeapFree+0xba, calling mscorwks!_EH_epilog3
055ff488 62c348d9 mscorwks!EEHeapFreeInProcessHeap+0x22, calling mscorwks!EEHeapFree
055ff49c 62c34862 mscorwks!operator delete[]+0x2a, calling mscorwks!EEHeapFreeInProcessHeap
055ff4c4 62c8192f mscorwks!Thread::DoADCallBack+0x32a
055ff4d8 62c818cb mscorwks!Thread::ShouldChangeAbortToUnload+0xe3, calling mscorwks!Thread::DoADCallBack+0x2db
055ff500 62c34383 mscorwks!ClrFlsSetValue+0x57, calling mscorwks!_EH_epilog3
055ff504 62c34396 mscorwks!DecCantStopCount+0x10, calling mscorwks!ClrFlsSetValue
055ff51c 62cf3ec2 mscorwks!ThreadStore::TransferStartedThread+0xaa, calling mscorwks!ThreadStore::UnlockThreadStore
055ff56c 62c817f1 mscorwks!Thread::ShouldChangeAbortToUnload+0x30a, calling mscorwks!Thread::ShouldChangeAbortToUnload+0x32
055ff5a8 62c8197d mscorwks!Thread::ShouldChangeAbortToUnload+0x33e, calling mscorwks!Thread::ShouldChangeAbortToUnload+0x29d
055ff5d0 62cd2f62 mscorwks!ManagedThreadBase::KickOff+0x13, calling mscorwks!Thread::ShouldChangeAbortToUnload+0x319
055ff5e8 62cd303c mscorwks!ThreadNative::KickOffThread+0x26b, calling mscorwks!ManagedThreadBase::KickOff
055ff610 62c348ba mscorwks!EEHeapFree+0xba, calling mscorwks!_EH_epilog3
055ff684 62d9805a mscorwks!Thread::intermediateThreadProc+0x49
055ff790 62d98048 mscorwks!Thread::intermediateThreadProc+0x37, calling mscorwks!_alloca_probe_16
055ff7a4 7747ed6c KERNEL32!BaseThreadInitThunk+0xe
055ff7b0 776d37f5 ntdll!__RtlUserThreadStart+0x70
055ff7f0 776d37c8 ntdll!_RtlUserThreadStart+0x1b, calling ntdll!__RtlUserThreadStart
The frames above that have no symbols are JIT-compiled managed code being called; after them, RaiseTheExceptionInternalOnly is called to throw an exception, which means the JIT-compiled code itself has a problem. Let's look at the managed call stack at that moment:
0:008> !clrstack
OS Thread Id: 0xdb4 (8)
ESP EIP
055fef28 758ad3cf [HelperMethodFrame: 055fef28]
055fefcc 004a9a75 d.a()
055ff078 004a862e z.i()
055ff090 004a856f z.a()
055ff0b0 62346e76 System.Threading.ThreadHelper.ThreadStart_Context(System.Object)
055ff0bc 623502ff System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
055ff0d4 62346df4 System.Threading.ThreadHelper.ThreadStart()
055ff2fc 62c31b4c [GCFrame: 055ff2fc]
At this point we only know that the problem lies in this code, but we still don't know why it crashed; the only way to find out what actually happened is to read the disassembly:
0:008> !u 004a9a75
Normal JIT generated code
d.a()
Begin 004a9920, size 160
004a9920 55 push ebp
004a9921 8bec mov ebp,esp
004a9923 57 push edi
004a9924 56 push esi
004a9925 53 push ebx
004a9926 83ec20 sub esp,20h
004a9929 8d7dd4 lea edi,[ebp-2Ch]
004a992c b907000000 mov ecx,7
004a9931 33c0 xor eax,eax
004a9933 f3ab rep stos dword ptr es:[edi]
004a9935 33c0 xor eax,eax
004a9937 8945e8 mov dword ptr [ebp-18h],eax
004a993a 33ff xor edi,edi
004a993c c745dc10000000 mov dword ptr [ebp-24h],10h
004a9943 eb0c jmp 004a9951
004a9945 83f806 cmp eax,6
004a9948 7307 jae 004a9951
004a994a ff2485809a4a00 jmp dword ptr [eax*4+4A9A80h]
004a9951 33d2 xor edx,edx
004a9953 8955d8 mov dword ptr [ebp-28h],edx
004a9956 8b1d341f8f02 mov ebx,dword ptr ds:[28F1F34h] ("https://dynamic.12306.cn/otsweb/passCodeAction.do?rand=sjrand")
004a995c b9488e3300 mov ecx,338E48h (MT: v)
004a9961 e8b686d0ff call 001b201c (JitHelp: CORINFO_HELP_NEWSFAST)
004a9966 8bf0 mov esi,eax
004a9968 8b0de0718f02 mov ecx,dword ptr ds:[28F71E0h] ("堞搠眢")
004a996e ba10000000 mov edx,10h
004a9973 e878d7ffff call 004a70f0 (.b(System.String, Int32), mdToken: 06000001)
004a9978 50 push eax
004a9979 8bd3 mov edx,ebx
004a997b 8bce mov ecx,esi
004a997d ff15bc8c3300 call dword ptr ds:[338CBCh] (az..ctor(System.String, System.String), mdToken: 060000ba)
004a9983 8b0de4718f02 mov ecx,dword ptr ds:[28F71E4h] ("瘞䰠䈢䈤䈦ب嬪䌬䠮ᴰጲ尴娶堸尺堼\?\?㕂\?汆ㅈ\?\?捎煐㩒㡔㙖㹘㹚牜畞婠ቢ塤坦䝨卪䅬佮孰屲彴䱶\?䙺䵼兾뒀")
004a9989 ba10000000 mov edx,10h
004a998e e85dd7ffff call 004a70f0 (.b(System.String, Int32), mdToken: 06000001)
004a9993 8d5628 lea edx,[esi+28h]
004a9996 e8e5957862 call mscorwks!JIT_WriteBarrierEAX (62c32f80)
004a999b 8bce mov ecx,esi
004a999d ff15808d3300 call dword ptr ds:[338D80h] (az.ad(), mdToken: 060000cb)
004a99a3 8bd8 mov ebx,eax
004a99a5 b803000000 mov eax,3
004a99aa eb99 jmp 004a9945
004a99ac 3903 cmp dword ptr [ebx],eax
004a99ae 837b0400 cmp dword ptr [ebx+4],0
004a99b2 7417 je 004a99cb
004a99b4 8b4b04 mov ecx,dword ptr [ebx+4]
004a99b7 3909 cmp dword ptr [ecx],ecx
*** WARNING: Unable to verify checksum for C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll
004a99b9 e816ed5d61 call System_ni+0xf86d4 (61a886d4) (System.Net.HttpWebResponse.get_StatusCode(), mdToken: 0600202f)
004a99be 3dc8000000 cmp eax,0C8h
004a99c3 0f94c0 sete al
004a99c6 0fb6c0 movzx eax,al
004a99c9 eb02 jmp 004a99cd
004a99cb 33c0 xor eax,eax
004a99cd 85c0 test eax,eax
004a99cf 744d je 004a9a1e
004a99d1 b802000000 mov eax,2
004a99d6 e96affffff jmp 004a9945
*** WARNING: Unable to verify checksum for C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll
004a99db b9f8c9da64 mov ecx,offset System_Drawing_ni+0x5c9f8 (64dac9f8) (MT: System.Drawing.Bitmap)
004a99e0 e891fe7962 call mscorwks!JIT_NewCrossContext (62c49876)
004a99e5 8bf0 mov esi,eax
004a99e7 8bd7 mov edx,edi
004a99e9 8bce mov ecx,esi
004a99eb e81c308e64 call System_Drawing_ni+0x3ca0c (64d8ca0c) (System.Drawing.Bitmap..ctor(System.IO.Stream), mdToken: 06000181)
004a99f0 8975d8 mov dword ptr [ebp-28h],esi
004a99f3 b805000000 mov eax,5
004a99f8 e948ffffff jmp 004a9945
004a99fd 8b4b04 mov ecx,dword ptr [ebx+4]
004a9a00 8b01 mov eax,dword ptr [ecx]
004a9a02 ff5074 call dword ptr [eax+74h]
004a9a05 8bf8 mov edi,eax
004a9a07 33c0 xor eax,eax
004a9a09 e937ffffff jmp 004a9945
004a9a0e 85ff test edi,edi
004a9a10 740c je 004a9a1e
004a9a12 b801000000 mov eax,1
004a9a17 e929ffffff jmp 004a9945
004a9a1c ebbd jmp 004a99db
004a9a1e 8bcb mov ecx,ebx
004a9a20 3909 cmp dword ptr [ecx],ecx
004a9a22 ff15488f3300 call dword ptr ds:[338F48h] (as.r(), mdToken: 060002ba)
004a9a28 8b45d8 mov eax,dword ptr [ebp-28h]
004a9a2b 8945d4 mov dword ptr [ebp-2Ch],eax
004a9a2e b804000000 mov eax,4
004a9a33 e90dffffff jmp 004a9945
004a9a38 8bf8 mov edi,eax
004a9a3a b9b8903300 mov ecx,3390B8h (MT: av)
004a9a3f e8d885d0ff call 001b201c (JitHelp: CORINFO_HELP_NEWSFAST)
004a9a44 8bf0 mov esi,eax
004a9a46 ba5c2c3300 mov edx,332C5Ch
004a9a4b b917030270 mov ecx,70020317h
004a9a50 e8fd7c8262 call mscorwks!JIT_StrCns (62cd1752)
004a9a55 8bc8 mov ecx,eax
004a9a57 8b55dc mov edx,dword ptr [ebp-24h]
004a9a5a e891d6ffff call 004a70f0 (.b(System.String, Int32), mdToken: 06000001)
004a9a5f 50 push eax
004a9a60 57 push edi
004a9a61 8bce mov ecx,esi
004a9a63 ba66000000 mov edx,66h
004a9a68 ff15a8903300 call dword ptr ds:[3390A8h] (av..ctor(Int32, System.String, System.Exception), mdToken: 0600005e)
004a9a6e 8bce mov ecx,esi
004a9a70 e8127e8262 call mscorwks!JIT_Throw (62cd1887)
>>> 004a9a75 8b45d4 mov eax,dword ptr [ebp-2Ch]
004a9a78 8d65f4 lea esp,[ebp-0Ch]
004a9a7b 5b pop ebx
004a9a7c 5e pop esi
004a9a7d 5f pop edi
004a9a7e 5d pop ebp
004a9a7f c3 ret
From the disassembly above we can see that the program is trying to access https://dynamic.12306.cn/otsweb/passCodeAction.do?rand=sjrand, and that the source of the crash is the return value of the function called at 004a99e0. Let's look at what that function does:
0:008> !u 62c49876
Unmanaged code
62c49876 51 push ecx
62c49877 51 push ecx
62c49878 e8a9ffffff call mscorwks!CRemotingServices::RequiresManagedActivation(62c49826)
62c4987d 85c0 test eax,eax
62c4987f 0f85185a1e00 jne mscorwks!JIT_NewCrossContext+0x24 (62e2f29d)
62c49885 8b0c24 mov ecx,dword ptr [esp]
62c49888 e8e1ffffff call mscorwks!MethodTable::CannotUseSuperFastHelper (62c4986e)
62c4988d 85c0 test eax,eax
62c4988f 0f8507ffffff jne mscorwks!JIT_NewCrossContext+0x1e (62c4979c)
62c49895 59 pop ecx
62c49896 ff25dcd21863 jmp dword ptr [mscorwks!hlpDynamicFuncTable+0xc (6318d2dc)]
62c4989c 393d5cd21863 cmp dword ptr [mscorwks!g_IBCLogger (6318d25c)],edi
62c498a2 0f85ab422c00 jne mscorwks!CRemotingServices::RequiresManagedActivation+0x45 (62f0db53)
62c498a8 ff1584d41863 call dword ptr [mscorwks!GetAppDomain (6318d484)]
62c498ae 66f780900300000001 test word ptr [eax+390h],100h
62c498b7 0f85a1422c00 jne mscorwks!CRemotingServices::RequiresManagedActivation+0x5c (62f0db5e)
62c498bd f70600000040 test dword ptr [esi],40000000h
62c498c3 0f859d422c00 jne mscorwks!CRemotingServices::RequiresManagedActivation+0x69 (62f0db66)
62c498c9 8bce mov ecx,esi
62c498cb e8e3f1ffff call mscorwks!MethodTable::GetWriteableDataForWrite(62c48ab3)
62c498d0 33d2 xor edx,edx
62c498d2 42 inc edx
62c498d3 8bc8 mov ecx,eax
62c498d5 ff1570d21863 call dword ptr [mscorwks!FastInterlockOr (6318d270)]
62c498db eb89 jmp mscorwks!CRemotingServices::RequiresManagedActivation+0x80 (62c49866)
62c498dd 90 nop
62c498de 90 nop
62c498df 90 nop
This function looks like it is requesting a remote address (in fact the 12306 URL above), but because that URL had already stopped working by the time I wrote this article, the status it returns is not the normal one. The software's author evidently did not handle this case, and the program then threw an exception. But why does it access this URL at all? Let's trace further up the call chain:
0:008> !u 004a862e
Normal JIT generated code
z.i()
Begin 004a85c8, size 102
004a85c8 55 push ebp
004a85c9 8bec mov ebp,esp
004a85cb 57 push edi
004a85cc 56 push esi
004a85cd 53 push ebx
004a85ce 50 push eax
004a85cf 33c0 xor eax,eax
004a85d1 8945f0 mov dword ptr [ebp-10h],eax
004a85d4 8bd9 mov ebx,ecx
004a85d6 eb0c jmp 004a85e4
004a85d8 83f809 cmp eax,9
004a85db 7307 jae 004a85e4
004a85dd ff2485d0864a00 jmp dword ptr [eax*4+4A86D0h]
004a85e4 33ff xor edi,edi
004a85e6 b99c893300 mov ecx,33899Ch (MT: z+j)
004a85eb e82c9ad0ff call 001b201c (JitHelp: CORINFO_HELP_NEWSFAST)
004a85f0 8bf0 mov esi,eax
004a85f2 8d5604 lea edx,[esi+4]
004a85f5 e8aea97862 call mscorwks!JIT_WriteBarrierEBX (62c32fa8)
004a85fa c6460800 mov byte ptr [esi+8],0
004a85fe 8d4706 lea eax,[edi+6]
004a8601 ebd5 jmp 004a85d8
004a8603 8b8b60010000 mov ecx,dword ptr [ebx+160h]
004a8609 8b01 mov eax,dword ptr [ecx]
004a860b ff9028010000 call dword ptr [eax+128h]
004a8611 85c0 test eax,eax
004a8613 7404 je 004a8619
004a8615 33c0 xor eax,eax
004a8617 ebbf jmp 004a85d8
004a8619 8b8b60010000 mov ecx,dword ptr [ebx+160h]
004a861f 33d2 xor edx,edx
004a8621 3909 cmp dword ptr [ecx],ecx
004a8623 e80029a860 call System_Windows_Forms_ni+0x17af28 (60f2af28) (System.Windows.Forms.PictureBox.set_Image(System.Drawing.Image), mdToken: 06004b82)
004a8628 ff15f87e3300 call dword ptr ds:[337EF8h] (d.a(), mdToken: 060001fb)
>>> 004a862e 8945f0 mov dword ptr [ebp-10h],eax
004a8631 b801000000 mov eax,1
004a8636 eba0 jmp 004a85d8
004a8638 837df000 cmp dword ptr [ebp-10h],0
004a863c 0f847e000000 je 004a86c0
004a8642 b807000000 mov eax,7
004a8647 eb8f jmp 004a85d8
004a8649 8b8b60010000 mov ecx,dword ptr [ebx+160h]
004a864f 8bd7 mov edx,edi
004a8651 3909 cmp dword ptr [ecx],ecx
004a8653 e8bc08a960 call System_Windows_Forms_ni+0x188f14 (60f38f14) (System.Windows.Forms.Control.Invoke(System.Delegate), mdToken: 06001510)
004a8658 b808000000 mov eax,8
004a865d e976ffffff jmp 004a85d8
004a8662 b804000000 mov eax,4
004a8667 e96cffffff jmp 004a85d8
004a866c 85ff test edi,edi
004a866e 75d9 jne 004a8649
004a8670 b802000000 mov eax,2
004a8675 e95effffff jmp 004a85d8
004a867a 8b8b60010000 mov ecx,dword ptr [ebx+160h]
004a8680 8b55f0 mov edx,dword ptr [ebp-10h]
004a8683 3909 cmp dword ptr [ecx],ecx
004a8685 e89e28a860 call System_Windows_Forms_ni+0x17af28 (60f2af28) (System.Windows.Forms.PictureBox.set_Image(System.Drawing.Image), mdToken: 06004b82)
004a868a c6460801 mov byte ptr [esi+8],1
004a868e b803000000 mov eax,3
004a8693 e940ffffff jmp 004a85d8
004a8698 b9448a3300 mov ecx,338A44h (MT: z+c)
004a869d e82a9ad0ff call 001b20cc (JitHelp: CORINFO_HELP_NEWSFAST_CHKRESTORE)
004a86a2 8bc8 mov ecx,eax
004a86a4 8d5104 lea edx,[ecx+4]
004a86a7 e84ca97862 call mscorwks!JIT_WriteBarrierESI (62c32ff8)
004a86ac b880c63300 mov eax,33C680h
004a86b1 89410c mov dword ptr [ecx+0Ch],eax
004a86b4 8bf9 mov edi,ecx
004a86b6 b805000000 mov eax,5
004a86bb e918ffffff jmp 004a85d8
004a86c0 0fb64608 movzx eax,byte ptr [esi+8]
004a86c4 59 pop ecx
004a86c5 5b pop ebx
004a86c6 5e pop esi
004a86c7 5f pop edi
004a86c8 5d pop ebp
004a86c9 c3 ret
From the disassembly, this function tries to set an image to be displayed in the program's UI; the image should be the 12306 picture CAPTCHA. And the function one level above it:
0:008> !u 004a856f
Normal JIT generated code
z.a()
Begin 004a8550, size 67
004a8550 55 push ebp
004a8551 8bec mov ebp,esp
004a8553 57 push edi
004a8554 56 push esi
004a8555 83ec10 sub esp,10h
004a8558 33c0 xor eax,eax
004a855a 8945e8 mov dword ptr [ebp-18h],eax
004a855d 8945ec mov dword ptr [ebp-14h],eax
004a8560 8945f0 mov dword ptr [ebp-10h],eax
004a8563 8945f4 mov dword ptr [ebp-0Ch],eax
004a8566 8bf9 mov edi,ecx
004a8568 8bcf mov ecx,edi
004a856a e8d140e9ff call 0033c640 (z.i(), mdToken: 060000f1)
>>> 004a856f 85c0 test eax,eax
004a8571 753d jne 004a85b0
004a8573 8b0d80718f02 mov ecx,dword ptr ds:[28F7180h] ("\?첓겙쭏摨瑿꾸\?\?")
004a8579 ba08000000 mov edx,8
004a857e e86debffff call 004a70f0 (.b(System.String, Int32), mdToken: 06000001)
004a8583 8bf0 mov esi,eax
004a8585 8d4de8 lea ecx,[ebp-18h]
004a8588 e883358f64 call System_Drawing_ni+0x4bb10 (64d9bb10) (System.Drawing.Color.get_Black(), mdToken: 0600025f)
004a858d 8d45e8 lea eax,[ebp-18h]
004a8590 ff700c push dword ptr [eax+0Ch]
004a8593 ff7008 push dword ptr [eax+8]
004a8596 ff7004 push dword ptr [eax+4]
004a8599 ff30 push dword ptr [eax]
004a859b 8bd6 mov edx,esi
004a859d 8bcf mov ecx,edi
004a859f e8ac40e9ff call 0033c650 (z.a(System.String, System.Drawing.Color), mdToken: 060000fa)
004a85a4 b9e8030000 mov ecx,3E8h
004a85a9 e82d848a62 call mscorwks!ThreadNative::Sleep (62d509db)
004a85ae ebb8 jmp 004a8568
004a85b0 8d65f8 lea esp,[ebp-8]
004a85b3 5e pop esi
004a85b4 5f pop edi
004a85b5 5d pop ebp
004a85b6 c3 ret
0:008> ? 3e8
Evaluate expression: 1000 = 000003e8
This function runs in its own thread and calls the two functions above once every second; when the function called at 004a856a returns non-zero it leaves the loop, otherwise it keeps calling those two functions.
Putting the information above together, here is the rough sequence of the crash. As soon as the ticket-grabbing program starts, it creates a thread that, once every second, keeps trying to access https://dynamic.12306.cn/otsweb/passCodeAction.do?rand=sjrand to obtain the picture CAPTCHA and display it in the program's UI. Unfortunately that address is no longer valid, and since the author did not handle that case, the program itself threw an exception and crashed.
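To make that failure path concrete, here is an added C# example constructed for this article (not the program's own code, whose classes d, z, av and their methods are obfuscated): the shape of d.a()/z.a() that the disassembly shows, beside a hardened version that keeps a dead URL from taking down the process. The method names, the ApplicationException standing in for the obfuscated av exception, and the .NET 4+ CopyTo call are assumptions.

```csharp
using System;
using System.Drawing;
using System.IO;
using System.Net;
using System.Threading;
// Constructed reconstruction of the d.a() / z.i() / z.a() path seen in the
// disassembly above; not the program's (obfuscated) source.
class CaptchaPoller
{
    // URL quoted in the d.a() disassembly; it no longer serves anything.
    const string CaptchaUrl = "https://dynamic.12306.cn/otsweb/passCodeAction.do?rand=sjrand";
    // Shape of d.a(): status is compared with 200 (cmp eax,0C8h); anything else becomes an
    // exception (av..ctor(0x66, ...)) that no caller catches, so the worker thread dies and
    // an uncaught exception on a bare worker thread terminates the whole process.
    public static Bitmap FetchCaptchaUnsafe()
    {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(CaptchaUrl);
        HttpWebResponse resp = (HttpWebResponse)req.GetResponse(); // WebException on DNS/4xx/5xx
        if (resp.StatusCode != HttpStatusCode.OK)
            throw new ApplicationException("captcha fetch failed: " + (int)resp.StatusCode);
        return new Bitmap(resp.GetResponseStream()); // ArgumentException if body is not an image
    }
    // Hardened shape: every failure mode is caught inside the worker and reported to the caller.
    public static Bitmap TryFetchCaptcha(out string error)
    {
        error = null;
        try
        {
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(CaptchaUrl);
            req.Timeout = 10000; // the original sets no timeout; a hung socket stalls the loop
            using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
            {
                if (resp.StatusCode != HttpStatusCode.OK) { error = "unexpected HTTP status " + (int)resp.StatusCode; return null; }
                // Bitmap keeps its stream open for its lifetime, so copy into a MemoryStream that is not disposed here.
                MemoryStream body = new MemoryStream();
                resp.GetResponseStream().CopyTo(body);
                body.Position = 0;
                return new Bitmap(body);
            }
        }
        catch (WebException ex) { error = "network error: " + ex.Status; }
        catch (ArgumentException) { error = "response body is not an image"; }
        return null;
    }
    // Worker loop equivalent to z.a(): back off instead of a fixed 1 s sleep (mov ecx,3E8h),
    // and stop after maxAttempts instead of looping forever.
    public static bool PollLoop(Action<Bitmap> showImage, int maxAttempts)
    {
        for (int attempt = 1; attempt <= maxAttempts; attempt++)
        {
            Bitmap captcha = TryFetchCaptcha(out string error);
            if (captcha != null) { showImage(captcha); return true; } // showImage must marshal to the UI thread
            Console.Error.WriteLine("attempt {0}: {1}", attempt, error);
            Thread.Sleep(1000 * Math.Min(attempt, 30));
        }
        return false;
    }
}
```

With the original's fixed one-second retry and no handler, a single failed fetch ends the process; with TryFetchCaptcha the error is logged and the program stays up, which is also where a crash-dump or log-based detection would now see the repeated failures instead of a dead process.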
Source: http://www.12558.net