sunsvc_http默认监听端口号:80
启动后界面显示:
[I2020-06-18 13:45:13.339 8784] [runstate.cpp:196] 服务启动完成, Port: 80, CPU Cores: 8
使用 x96dbg(x64dbg)分析后,发现这个默认端口号硬编码在 3 个地方,需要一起修改:2 处是真正用于监听的端口,1 处只是界面/日志里显示的端口。
分析思路:
socket 服务器必须监听端口,而在监听之前需要把端口号转成网络字节序,通常会调用:
u_short htons( u_short hostshort );
所以在 htons 下断点(bp htons),断下后通过堆栈回溯找到调用方,就可以定位到要修改的 2 处端口号立即数 0x50(即十进制的 80)。
第3个端口号是界面显示的80端口号,这个找起来有点麻烦,看看界面显示:
服务启动完成, Port: 80, CPU Cores: 8
由于端口号和 CPU 核数是在同一条日志里一起输出的,可以反过来通过 CPU 核数定位:查了下获取 CPU 核数的方法,
在 GetSystemInfo 下断点(bp GetSystemInfo),断下后跟踪核数被引用的地方,附近就能找到第 3 处要修改的 0x50。
------------------------------------------------------------------------
后面发现更简单的方法:
在模块 sunsvc_http.exe 中查找字符串,找到 StandaloneHTTPServer-Main-,
跳转到引用这个字符串的代码附近,
就可以看到 2 个十六进制的 50(下面列表里的 mov edx,50 和 mov r8d,50 两处),修改即可。注意列表里还有一条 mov dword ptr ds:[rsi],50 也把 0x50 写进了结构体字段,改端口时需要确认它是否同一个端口值,否则可能漏改;另外传给监听函数的地址字符串是 "0.0.0.0"(监听所有网卡),只改端口并不会缩小服务的暴露面。
00007FF6EDFDF605 | FF50 08 | call qword ptr ds:[rax+8] |
00007FF6EDFDF608 | BA 50000000 | mov edx,50 | 50:'P' 程序监听HTTP端口号
00007FF6EDFDF60D | 48:8D4D E8 | lea rcx,qword ptr ss:[rbp-18] |
00007FF6EDFDF611 | E8 EAF9FFFF | call sunsvc_http.7FF6EDFDF000 |
00007FF6EDFDF616 | 48:8BD8 | mov rbx,rax |
00007FF6EDFDF619 | 48:C745 98 0F000000 | mov qword ptr ss:[rbp-68],F |
00007FF6EDFDF621 | 4C:8965 90 | mov qword ptr ss:[rbp-70],r12 |
00007FF6EDFDF625 | C645 80 00 | mov byte ptr ss:[rbp-80],0 |
00007FF6EDFDF629 | 41:B8 1A000000 | mov r8d,1A |
00007FF6EDFDF62F | 48:8D15 AA840800 | lea rdx,qword ptr ds:[7FF6EE067AE0] | 00007FF6EE067AE0:"StandaloneHTTPServer-Main-"
00007FF6EDFDF636 | 48:8D4D 80 | lea rcx,qword ptr ss:[rbp-80] |
00007FF6EDFDF63A | E8 1158FDFF | call sunsvc_http.7FF6EDFB4E50 |
00007FF6EDFDF63F | 90 | nop |
00007FF6EDFDF640 | 4C:8BC3 | mov r8,rbx |
00007FF6EDFDF643 | 48:8D55 80 | lea rdx,qword ptr ss:[rbp-80] |
00007FF6EDFDF647 | 48:8D4D A0 | lea rcx,qword ptr ss:[rbp-60] |
00007FF6EDFDF64B | E8 000AFEFF | call sunsvc_http.7FF6EDFC0050 |
00007FF6EDFDF650 | 90 | nop |
00007FF6EDFDF651 | 48:8B4C24 40 | mov rcx,qword ptr ss:[rsp+40] |
00007FF6EDFDF656 | 48:83C1 30 | add rcx,30 |
00007FF6EDFDF65A | 48:3BC8 | cmp rcx,rax |
00007FF6EDFDF65D | 74 0F | je sunsvc_http.7FF6EDFDF66E |
00007FF6EDFDF65F | 4D:8BCE | mov r9,r14 |
00007FF6EDFDF662 | 45:33C0 | xor r8d,r8d |
00007FF6EDFDF665 | 48:8BD0 | mov rdx,rax |
00007FF6EDFDF668 | E8 B356FDFF | call sunsvc_http.7FF6EDFB4D20 |
00007FF6EDFDF66D | 90 | nop |
00007FF6EDFDF66E | 48:837D B8 10 | cmp qword ptr ss:[rbp-48],10 |
00007FF6EDFDF673 | 72 09 | jb sunsvc_http.7FF6EDFDF67E |
00007FF6EDFDF675 | 48:8B4D A0 | mov rcx,qword ptr ss:[rbp-60] |
00007FF6EDFDF679 | E8 326E0100 | call sunsvc_http.7FF6EDFF64B0 |
00007FF6EDFDF67E | 48:C745 B8 0F000000 | mov qword ptr ss:[rbp-48],F |
00007FF6EDFDF686 | 4C:8965 B0 | mov qword ptr ss:[rbp-50],r12 |
00007FF6EDFDF68A | C645 A0 00 | mov byte ptr ss:[rbp-60],0 |
00007FF6EDFDF68E | 48:837D 98 10 | cmp qword ptr ss:[rbp-68],10 |
00007FF6EDFDF693 | 72 09 | jb sunsvc_http.7FF6EDFDF69E |
00007FF6EDFDF695 | 48:8B4D 80 | mov rcx,qword ptr ss:[rbp-80] |
00007FF6EDFDF699 | E8 126E0100 | call sunsvc_http.7FF6EDFF64B0 |
00007FF6EDFDF69E | 48:C745 98 0F000000 | mov qword ptr ss:[rbp-68],F |
00007FF6EDFDF6A6 | 4C:8965 90 | mov qword ptr ss:[rbp-70],r12 |
00007FF6EDFDF6AA | C645 80 00 | mov byte ptr ss:[rbp-80],0 |
00007FF6EDFDF6AE | 48:837D 00 10 | cmp qword ptr ss:[rbp],10 |
00007FF6EDFDF6B3 | 72 09 | jb sunsvc_http.7FF6EDFDF6BE |
00007FF6EDFDF6B5 | 48:8B4D E8 | mov rcx,qword ptr ss:[rbp-18] |
00007FF6EDFDF6B9 | E8 F26D0100 | call sunsvc_http.7FF6EDFF64B0 |
00007FF6EDFDF6BE | 48:8B4424 40 | mov rax,qword ptr ss:[rsp+40] |
00007FF6EDFDF6C3 | 48:8B48 08 | mov rcx,qword ptr ds:[rax+8] |
00007FF6EDFDF6C7 | 48:894D 60 | mov qword ptr ss:[rbp+60],rcx |
00007FF6EDFDF6CB | 48:8D55 60 | lea rdx,qword ptr ss:[rbp+60] |
00007FF6EDFDF6CF | 48:8D4D C0 | lea rcx,qword ptr ss:[rbp-40] |
00007FF6EDFDF6D3 | E8 281E0000 | call sunsvc_http.7FF6EDFE1500 |
00007FF6EDFDF6D8 | 0F57C0 | xorps xmm0,xmm0 |
00007FF6EDFDF6DB | F3:0F7F4424 30 | movdqu xmmword ptr ss:[rsp+30],xmm0 |
00007FF6EDFDF6E1 | 48:8D4C24 30 | lea rcx,qword ptr ss:[rsp+30] |
00007FF6EDFDF6E6 | 48:3BC8 | cmp rcx,rax |
00007FF6EDFDF6E9 | 74 1A | je sunsvc_http.7FF6EDFDF705 |
00007FF6EDFDF6EB | 48:8B48 08 | mov rcx,qword ptr ds:[rax+8] |
00007FF6EDFDF6EF | 48:894C24 38 | mov qword ptr ss:[rsp+38],rcx |
00007FF6EDFDF6F4 | 4C:8960 08 | mov qword ptr ds:[rax+8],r12 |
00007FF6EDFDF6F8 | 48:8B30 | mov rsi,qword ptr ds:[rax] |
00007FF6EDFDF6FB | 48:897424 30 | mov qword ptr ss:[rsp+30],rsi |
00007FF6EDFDF700 | 4C:8920 | mov qword ptr ds:[rax],r12 |
00007FF6EDFDF703 | EB 05 | jmp sunsvc_http.7FF6EDFDF70A |
00007FF6EDFDF705 | 48:8B7424 30 | mov rsi,qword ptr ss:[rsp+30] |
00007FF6EDFDF70A | 48:8B4424 38 | mov rax,qword ptr ss:[rsp+38] |
00007FF6EDFDF70F | 48:894424 68 | mov qword ptr ss:[rsp+68],rax |
00007FF6EDFDF714 | 48:897424 60 | mov qword ptr ss:[rsp+60],rsi |
00007FF6EDFDF719 | 48:8B5D C8 | mov rbx,qword ptr ss:[rbp-38] |
00007FF6EDFDF71D | 48:85DB | test rbx,rbx |
00007FF6EDFDF720 | 74 22 | je sunsvc_http.7FF6EDFDF744 |
00007FF6EDFDF722 | F0:FF4B 08 | lock dec dword ptr ds:[rbx+8] |
00007FF6EDFDF726 | 75 17 | jne sunsvc_http.7FF6EDFDF73F |
00007FF6EDFDF728 | 48:8B03 | mov rax,qword ptr ds:[rbx] |
00007FF6EDFDF72B | 48:8BCB | mov rcx,rbx |
00007FF6EDFDF72E | FF10 | call qword ptr ds:[rax] |
00007FF6EDFDF730 | F0:FF4B 0C | lock dec dword ptr ds:[rbx+C] |
00007FF6EDFDF734 | 75 09 | jne sunsvc_http.7FF6EDFDF73F |
00007FF6EDFDF736 | 48:8B03 | mov rax,qword ptr ds:[rbx] |
00007FF6EDFDF739 | 48:8BCB | mov rcx,rbx |
00007FF6EDFDF73C | FF50 08 | call qword ptr ds:[rax+8] |
00007FF6EDFDF73F | 48:8B7424 30 | mov rsi,qword ptr ss:[rsp+30] |
00007FF6EDFDF744 | C706 50000000 | mov dword ptr ds:[rsi],50 | 50:'P'
00007FF6EDFDF74A | 41:B8 50000000 | mov r8d,50 | 50:'P' 程序监听HTTP端口号
00007FF6EDFDF750 | 48:8D15 19970800 | lea rdx,qword ptr ds:[7FF6EE068E70] | 00007FF6EE068E70:"0.0.0.0"
00007FF6EDFDF757 | 48:8B4E 08 | mov rcx,qword ptr ds:[rsi+8] |
00007FF6EDFDF75B | E8 B0710500 | call sunsvc_http.7FF6EE036910 |
界面显示的端口号找起来更简单:直接在模块 sunsvc_http.exe 中搜索指令:
mov qword ptr ss:[rbp],FFFFFFFFFFFFFFFE
在本模块中只命中 2 条(这条指令一般是 MSVC 为带异常处理的函数生成的栈帧初始化写法,在别的程序里未必这么少,不宜当作通用特征),进入第一条就能看到:
mov dword ptr ss:[rbp+A0],50 // 界面显示的监听端口号
然后修改即可。修改后需要通过 x64dbg 的补丁功能把改动写回文件(调试器里看到的是进程虚拟地址,写回时要换算成文件偏移);文件被改动后原有的哈希/数字签名会失效,部署前请确认不会影响完整性校验。改完重新启动,核对日志中的 Port 与实际监听端口(例如用 netstat 查看)是否一致,避免出现日志显示一个端口、实际监听另一个端口的情况。
00007FF6EDFCE4D0 | 40:55 | push rbp |
00007FF6EDFCE4D2 | 53 | push rbx |
00007FF6EDFCE4D3 | 56 | push rsi |
00007FF6EDFCE4D4 | 57 | push rdi |
00007FF6EDFCE4D5 | 41:54 | push r12 |
00007FF6EDFCE4D7 | 41:55 | push r13 |
00007FF6EDFCE4D9 | 41:56 | push r14 |
00007FF6EDFCE4DB | 41:57 | push r15 |
00007FF6EDFCE4DD | 48:8D6C24 A8 | lea rbp,qword ptr ss:[rsp-58] |
00007FF6EDFCE4E2 | 48:81EC 58010000 | sub rsp,158 |
00007FF6EDFCE4E9 | 48:C745 00 FEFFFFFF | mov qword ptr ss:[rbp],FFFFFFFFFFFFFFFE | 这条汇编好特别 是不是可以拿来做特征 下次直接搜这条汇编代码
00007FF6EDFCE4F1 | 4C:8BF1 | mov r14,rcx |
00007FF6EDFCE4F4 | C785 A0000000 50000000 | mov dword ptr ss:[rbp+A0],50 | 50:'P' 界面显示的端口号
00007FF6EDFCE4FE | 48:8B49 28 | mov rcx,qword ptr ds:[rcx+28] |
00007FF6EDFCE502 | E8 49100100 | call sunsvc_http.7FF6EDFDF550 |
00007FF6EDFCE507 | 84C0 | test al,al |
00007FF6EDFCE509 | 0F84 98030000 | je sunsvc_http.7FF6EDFCE8A7 |
00007FF6EDFCE50F | 49:8B4E 28 | mov rcx,qword ptr ds:[r14+28] |
00007FF6EDFCE513 | E8 48150100 | call sunsvc_http.7FF6EDFDFA60 |