当前位置:网站首页>Record the problem of removing the limit of the number of connections at one time
Record the problem of removing the limit of the number of connections at one time
2022-07-22 03:37:00 【friendan】
There's a piece of code , The number of connections exceeds 100 after , You can't connect again , Go straight back to 0
. edition 2
. Cycle head (150, i)
Connection handle = Module class .UConnect ( Client handle , “127.0.0.1”, 2020, To long integers (id), false , 1, “”)
Edit box 1. Add text ( To text (i) + “ ” + Take hexadecimal text ( Connection handle ) + # A newline )
. Cycle end ()
The key information :UConnect and 0
IDA Load object file , View string window , notice :
.data:10044074 00000011 C UConnect called\n
Double click the string to :
.data:10044074 aUconnectCalled db 'UConnect called',0Ah,0
Then right click Xrefs graph to
Found only functions FastUdxApi_6 It refers to the string UConnect called'
IDA Enter function FastUdxApi_6 then F5 The code is as follows :
int __stdcall FastUdxApi_6(int a1, int a2, int a3, int a4, int a5, int a6, __int16 a7, int a8)
{
void *v8; // eax
int v9; // eax
int v10; // esi
int v12; // [esp+8h] [ebp-Ch]
int v13; // [esp+Ch] [ebp-8h]
char v14; // [esp+10h] [ebp-4h]
v8 = sub_10002B30(); // call 1
(*(void (__thiscall **)(void *, char *))(*(_DWORD *)v8 + 12))(v8, aUconnectCalled);// call 2
v12 = 0;
v13 = 0;
v14 = 0;
LOWORD(v12) = a7;
v9 = (*(int (__stdcall **)(int, int, int, int, int, _DWORD, _DWORD, signed int, int, int *, _DWORD, signed int))(*(_DWORD *)a1 + 8))(
a2,
a3,
a6,
a4,
a5,
0,
0,
100,
a8,
&v12,
0,
1); // call 3 sub_10006740
v10 = v9;
if ( a6 && (*(int (__thiscall **)(int))(*(_DWORD *)v9 + 68))(v9) )// call 4
(*(void (__thiscall **)(int))(*(_DWORD *)v10 + 60))(v10);// call 5
return v10;
}It's found that there are 5 individual Call,Call1 Code for IDA You can see directly , go in Call1 Inside , No abnormality found
in addition 4 individual Call Your address cannot be in IDA Seen inside , What do I do ?
open x96dbg, At the address FastUdxApi_6 Break down , When it's off , Don't rush to look at assembly code
direct F8 Go all the way , have a look 5 individual Call Which one is it Call Returned connection handle ,Call The return value in EAX In the register , observe
F8 Single step discovery Call3 After execution ,EAX Returned connection handle , explain Call3 That's what we're looking for
100011A0 | 83EC 0C | sub esp,C | UConnect called
100011A3 | 56 | push esi |
100011A4 | 57 | push edi |
100011A5 | E8 86190000 | call tongxin.10002B30 | Call 1
100011AA | 8B10 | mov edx,dword ptr ds:[eax] |
100011AC | 68 74400410 | push tongxin.10044074 | 10044074:"UConnect called\n"
100011B1 | 8BC8 | mov ecx,eax |
100011B3 | FF52 0C | call dword ptr ds:[edx+C] | Call 2
100011B6 | 33C0 | xor eax,eax |
100011B8 | 6A 01 | push 1 |
100011BA | 894424 0C | mov dword ptr ss:[esp+C],eax |
100011BE | 66:8B4C24 34 | mov cx,word ptr ss:[esp+34] |
100011C3 | 894424 10 | mov dword ptr ss:[esp+10],eax |
100011C7 | 8B7C24 30 | mov edi,dword ptr ss:[esp+30] |
100011CB | 884424 14 | mov byte ptr ss:[esp+14],al |
100011CF | 50 | push eax |
100011D0 | 8D4424 10 | lea eax,dword ptr ss:[esp+10] |
100011D4 | 66:894C24 10 | mov word ptr ss:[esp+10],cx |
100011D9 | 50 | push eax |
100011DA | 8B4424 40 | mov eax,dword ptr ss:[esp+40] |
100011DE | 50 | push eax |
100011DF | 8B4424 38 | mov eax,dword ptr ss:[esp+38] |
100011E3 | 8B4C24 28 | mov ecx,dword ptr ss:[esp+28] |
100011E7 | 6A 64 | push 64 |
100011E9 | 6A 00 | push 0 |
100011EB | 6A 00 | push 0 |
100011ED | 8B11 | mov edx,dword ptr ds:[ecx] |
100011EF | 50 | push eax |
100011F0 | 8B4424 44 | mov eax,dword ptr ss:[esp+44] |
100011F4 | 50 | push eax |
100011F5 | 8B4424 44 | mov eax,dword ptr ss:[esp+44] |
100011F9 | 57 | push edi |
100011FA | 50 | push eax |
100011FB | 8B4424 48 | mov eax,dword ptr ss:[esp+48] |
100011FF | 50 | push eax |
10001200 | FF52 08 | call dword ptr ds:[edx+8] | Call 3 Get connection handle
10001203 | 85FF | test edi,edi |
10001205 | 8BF0 | mov esi,eax |
10001207 | 74 12 | je tongxin.1000121B |
10001209 | 8B16 | mov edx,dword ptr ds:[esi] |
1000120B | 8BCE | mov ecx,esi |
1000120D | FF52 44 | call dword ptr ds:[edx+44] | Call 4
10001210 | 85C0 | test eax,eax |
10001212 | 74 07 | je tongxin.1000121B |
10001214 | 8B06 | mov eax,dword ptr ds:[esi] |
10001216 | 8BCE | mov ecx,esi |
10001218 | FF50 3C | call dword ptr ds:[eax+3C] | Call 5
1000121B | 8BC6 | mov eax,esi |
1000121D | 5F | pop edi |
1000121E | 5E | pop esi |
1000121F | 83C4 0C | add esp,C |
10001222 | C2 2000 | ret 20 |And then in Call3 Next breakpoint , Reload the program , stay Call3 When it's off ,F7 Follow in , obtain Call 3 The address for 10006740
Now back to IDA, open sub_10006740 then F5 The code is as follows :
_DWORD *__thiscall sub_10006740(void *this, int a2, int a3, int a4, int a5, int a6, int a7, int a8, int a9, int ArgList, int a11, int a12, int a13)
{
char *v13; // ebx
int *v14; // edi
_DWORD *v15; // ebp
const char *v16; // esi
unsigned int v17; // kr04_4
unsigned int v18; // kr08_4
_DWORD *result; // eax
int v20; // eax
unsigned __int8 v21; // cl
int (__thiscall ***v22)(_DWORD); // eax
int v23; // eax
int v24; // ecx
int v25; // eax
int v26; // esi
int *v27; // eax
int v28; // esi
int v29; // eax
int v30; // eax
bool v31; // zf
unsigned int v32; // kr14_4
unsigned int v33; // kr14_4
int v34; // esi
int v35; // ecx
int v36; // edx
int v37; // edi
int v38; // eax
int v39; // edx
int v40; // eax
char v41; // dl
int v42; // eax
int v43; // edx
int v44; // edx
char v45; // al
char v46; // [esp-10h] [ebp-64h]
int v47; // [esp-Ch] [ebp-60h]
int v48; // [esp-8h] [ebp-5Ch]
signed int v49; // [esp-4h] [ebp-58h]
int v50; // [esp+10h] [ebp-44h]
int v51; // [esp+14h] [ebp-40h]
int v52; // [esp+18h] [ebp-3Ch]
int v53; // [esp+1Ch] [ebp-38h]
char *v54; // [esp+20h] [ebp-34h]
unsigned int v55; // [esp+24h] [ebp-30h]
int v56; // [esp+28h] [ebp-2Ch]
char v57; // [esp+2Ch] [ebp-28h]
int v58; // [esp+48h] [ebp-Ch]
int v59; // [esp+50h] [ebp-4h]
int ArgLista; // [esp+78h] [ebp+24h]
v13 = (char *)this;
memset(&v57, 0, 0x1Cu);
v14 = &v58;
v15 = 0;
v50 = 0;
if ( a11 && *(_WORD *)a11 == -6 )
v50 = 1;
v16 = (const char *)ArgList;
v51 = 0;
if ( !ArgList || (v17 = strlen((const char *)ArgList) + 1, v14 = (int *)(ArgList + v17), v17 == 1) || v50 )
{
if ( a2 )
{
v49 = (unsigned __int16)a3;
v48 = a2;
sub_10002360((int)v13, 0, (int)v14, ArgList, aFastudxNewConn_0, a2, (unsigned __int16)a3);
}
else
{
v49 = (unsigned __int16)a3;
sub_10002360((int)v13, 0, (int)v14, ArgList, aFastudxNewConn_1, (unsigned __int16)a3);
}
}
else
{
v18 = strlen((const char *)ArgList) + 1;
v14 = (int *)(ArgList + v18);
sub_10002360((int)v13, 0, ArgList + v18, ArgList, aFastudxNewConn, ArgList, v18 - 1);
v51 = 1;
result = (_DWORD *)sub_1001F580(&v57, ArgList);
if ( !result )
return result;
}
if ( sub_10009E30((int)v13, (int)v13, 0, (int)v14, 1) )// Notice this function , If the return value is true, Then return to 0
return 0;
v20 = sub_10018AB0(v13 + 3852);
v21 = v13[4980];
v52 = v20;
v22 = (int (__thiscall ***)(_DWORD))(*(_DWORD *)(*((_DWORD *)v13 + 1243)
+ 4 * ((signed int)v21 % *((_DWORD *)v13 + 1244)))
+ 36);
v13[4980] = v21 + 1;
v23 = (**v22)(v22);
if ( v23 )
v15 = (_DWORD *)(v23 - 8);
v15[7] = v13;
if ( a11 )
{
v24 = (int)(v15 + 593);
v15[593] = *(_DWORD *)a11;
*(_DWORD *)(v24 + 4) = *(_DWORD *)(a11 + 4);
*(_BYTE *)(v24 + 8) = *(_BYTE *)(a11 + 8);
}
if ( a12 )
{
v25 = (*(int (__thiscall **)(int))(*(_DWORD *)a12 + 8))(a12);
v26 = v25;
if ( v25 )
{
if ( v25 == 1 )
{
if ( !(byte_10049228 & 1) )
{
byte_10049228 |= 1u;
sub_10002500(&dword_10049240);
atexit(unknown_libname_1);
}
v27 = (int *)(*(int (__thiscall **)(int *, signed int))dword_10049240)(&dword_10049240, 10240);
goto LABEL_31;
}
if ( !(byte_10049228 & 1) )
{
byte_10049228 |= 1u;
sub_10002500(&dword_10049240);
atexit(unknown_libname_1);
}
v49 = v26;
}
else
{
if ( !(byte_10049228 & 1) )
{
byte_10049228 |= 1u;
sub_10002500(&dword_10049240);
atexit(unknown_libname_1);
}
v49 = 1024;
}
v27 = (int *)(*(int (__thiscall **)(int *, signed int))dword_10049240)(&dword_10049240, v49);
LABEL_31:
v15[596] = v27;
v28 = *v27;
v29 = (*(int (__thiscall **)(int))(*(_DWORD *)a12 + 8))(a12);
v30 = (*(int (__thiscall **)(int, int))(*(_DWORD *)a12 + 4))(a12, v29);
(*(void (__thiscall **)(_DWORD, int))(v28 + 28))(v15[596], v30);
v16 = (const char *)ArgList;
}
sub_10012130(v15);
sub_10012120(v52);
v31 = v50 == 0;
v15[497] = 1000 * *((_DWORD *)v13 + 1248);
if ( v31 && v51 )
{
qmemcpy((void *)v15[474], &v57, 0x1Cu);
v16 = (const char *)ArgList;
v15[489] = sub_1001F290(ArgList);
}
v54 = 0;
LOBYTE(v53) = ArgList;
v55 = 0;
v56 = 0;
std::basic_string<char,std::char_traits<char>,std::allocator<char>>::assign(
&v53,
aMasterUdxSocke,
strlen(aMasterUdxSocke));
v59 = 0;
if ( v50 )
{
if ( v16 )
{
if ( strlen(v16) != 0 )
{
v32 = strlen(v16) + 1;
if ( (unsigned __int8)std::basic_string<char,std::char_traits<char>,std::allocator<char>>::_Grow(
&v53,
v32 - 1,
1) )
{
v33 = v32 - 1;
qmemcpy(v54, v16, v33);
v55 = v33;
v54[v33] = 0;
}
}
}
}
ArgLista = 0;
if ( *((_DWORD *)v13 + 1098) > 0 )
{
v34 = 0;
do
{
v35 = *((_DWORD *)v13 + 1097);
v36 = *v15;
v49 = (signed int)v15;
v37 = v35 + v34;
v38 = (*(int (__thiscall **)(_DWORD *))(v36 + 100))(v15) & 7;
if ( v38 < 0 )
v38 = (((_BYTE)v38 - 1) | 0xFFFFFFF8) + 1;
if ( !sub_10003530((char **)(v37 + 60 * v38), v49) )
break;
v34 += 480;
++ArgLista;
}
while ( ArgLista < *((_DWORD *)v13 + 1098) );
}
v39 = *v15;
v49 = (signed int)v15;
v40 = (*(int (__thiscall **)(_DWORD *))(v39 + 100))(v15) & 7;
if ( v40 < 0 )
v40 = (((_BYTE)v40 - 1) | 0xFFFFFFF8) + 1;
sub_10003530((char **)&v13[60 * v40 + 3908], v49);
v15[488] = *((_DWORD *)v13 + 1246);
v41 = v53;
++*((_DWORD *)v13 + 1246);
v46 = v41;
v47 = 0;
v48 = 0;
v49 = 0;
std::basic_string<char,std::char_traits<char>,std::allocator<char>>::assign(
&v46,
&v53,
0,
std::basic_string<char,std::char_traits<char>,std::allocator<char>>::npos);
v42 = sub_1001B200(v13 + 516, v46, v47, v48, v49);
v49 = a3;
v48 = a2;
v15[21] = v42;
sub_100219C0(v48, v49);
v43 = a6 | a5;
if ( __PAIR__(a6, a5) )
{
v44 = *v15;
v49 = a6;
v48 = a5;
(*(void (__thiscall **)(_DWORD *, int, int))(v44 + 112))(v15, a5, a6);
}
if ( __PAIR__(a8, a7) )
*(_DWORD *)((*(int (__thiscall **)(_DWORD *))(*v15 + 96))(v15) + 20) = a7;
*(_DWORD *)((*(int (__fastcall **)(_DWORD *, int))(*v15 + 96))(v15, v43) + 16) = a9;
sub_1000DDF0(v15 + 14);
sub_10024040(v15 + 18);
if ( a4 && !*((_DWORD *)v13 + 97) )
sub_1000DE00(v15[497]);
if ( !a13 )
(*(void (__thiscall **)(_DWORD *))(*v15 + 60))(v15);
(*(void (__thiscall **)(_DWORD *))(v15[2] + 4))(v15 + 2);
if ( v54 )
{
v45 = *(v54 - 1);
if ( v45 && v45 != -1 )
*(v54 - 1) = v45 - 1;
else
sub_100385C0(v54 - 1);
}
return v15;
}Yes 200 Many lines of code , Don't look carefully , I browsed it carelessly , stay 85 OK, I saw something suspicious :
if ( sub_10009E30((int)v13, (int)v13, 0, (int)v14, 1) )// Notice this function , If the return value is true, Then return to 0
return 0;
Subfunctions sub_10009E30 Very suspicious , Double click directly to see :
int __userpurge [email protected]<eax>(int [email protected]<ecx>, int [email protected]<ebx>, int [email protected]<ebp>, int [email protected]<edi>, int ArgList)
{
void *v5; // esi
int v6; // eax
v5 = (void *)(a1 + 3852);
if ( sub_10018A20((void *)(a1 + 3852)) < 100 )// Finally I saw the familiar numbers 100
return 0;
v6 = sub_10018A20(v5);
sub_10002360(a2, a3, a4, (int)v5, aServerOverflow, ArgList, v6);
return 1;
}That's it , Not much code , sub_10018A20 Function should be the function to get the current number of connections
That's the end of the analysis , Don't say how to revise ...
边栏推荐
- Techempower web框架性能测试第21轮结果发布--asp.net core继续前进
- Jenkins installs and configures the accelerator
- 为什么用了大牌工具后报表开发依然头痛
- 斯坦福CV课程学习笔记(一)
- 一次血的教训 记npm package-lock.json导致的腥风血雨
- How to make the demand unable to go online smoothly as scheduled (III) development stage
- npm 与 yarn 发展史
- 第108篇 Compound 简单部署
- Series operation of deque container (detailed explanation)
- UVM register model: reg adapter implementation and integration
猜你喜欢
Information entropy_ Joint entropy_ Conditional entropy_ information gain
随机森林思想
SAP ABAP 解析 excel 文件的函数 TEXT_CONVERT_XLS_TO_SAP 单步执行分析
Techempower web框架性能测试第21轮结果发布--asp.net core继续前进
Run busybox, buildroot, loognix, qt5.12 system for Godson development board process
迅为龙芯开发板流程运行busybox,buildroot,loognix,QT5.12系统
怎样让全彩LED显示屏变的节能环保?
Alibaba cloud technology expert Yang Zeqiang: building observable capabilities on elastic computing cloud
数据库索引:索引并不是万能药
隐马尔科夫模型 HMM
随机推荐
怎样才能让需求无法如期顺利上线(一)整体策略
Part 100 library contract compatible with Eth and erc20
高度关注!2022 开放原子开源峰会最新议程一览
Comptroller in compound, part 105
第105篇 Compound 中的 Comptroller
CLion配置WSL工具链
ASP.NET GridView动态显示隐藏列,并保存客户的配置(用户控件Cookie版)
推荐系统常见术语
Chapter 97 notes - abstraction in solidity
怎样让全彩LED显示屏变的节能环保?
Custom annotation verification parameters
Try to divide to find the divisor
阿里云技术专家杨泽强:弹性计算云上可观测能力构建
訓練精度媲美 AlphaFold2、速度翻倍,飛槳螺旋槳HelixFold訓練和推理代碼全面開源...
Part 93 inter contract transfer (II)
第107篇 Compound 中的 InterestRateModel
一次血的教训 记npm package-lock.json导致的腥风血雨
yii2 JsBlock::begin 无效问题
ASP. Net GridView dynamically displays hidden columns and saves the customer's configuration (user control cookie version)
[first launch in the whole network] redis series 4: sentinel (sentinel mode) with high availability