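From the thread stack, the request to http://m.365ey.net:13064/AssistLog.svc is issued by the Record1 method. It is clearly a WCF method, and its parameter names and count match what Fiddler shows, as in the screenshot below:

[Screenshot]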
3. What are these parameters?

To recover the original parameter values, we need to find out who called the Record1 method. Use !U 067c835f to view the function's disassembly; simplified, it looks like this:

```
0:013> !U 067c835f
Normal JIT generated code
System.Base.ApplicationContext+<>c.<HashObjectMap>b__19_0()
Begin 067c7ed8, size 584
...
067c8333 8b3d74361904    mov     edi,dword ptr ds:[4193674h] (Object: System.Runtime.Remoting.Proxies.__TransparentProxy)
067c8339 ff75b0          push    dword ptr [ebp-50h]
067c833c ff75ac          push    dword ptr [ebp-54h]
067c833f ff75a8          push    dword ptr [ebp-58h]
067c8342 ff75a4          push    dword ptr [ebp-5Ch]
067c8345 ff75a0          push    dword ptr [ebp-60h]
067c8348 b94e080000      mov     ecx,84Eh
067c834d ff15b05d7a06    call    dword ptr ds:[67A5DB0h] (System.Base.ApplicationContext+<>c.zmMLEYhjSCTVEl2CxBD(Int32), mdToken: 0600009e)
067c8353 50              push    eax
067c8354 8b55b4          mov     edx,dword ptr [ebp-4Ch]
067c8357 8bcf            mov     ecx,edi
067c8359 ff15d8016d00    call    dword ptr ds:[6D01D8h]
...
```
So the call is made by the <HashObjectMap>b__19_0 method, specifically by call dword ptr ds:[6D01D8h]. If you are not convinced, see the source code in the screenshot:

[Screenshot]
A few things stand out in the obfuscated code:
- aa depends on n9UuXCvGC
- bb depends on gY03KpyvZ
- cc depends on GsvWjQg1p
- hh depends on text
Set a breakpoint on the call to the x4phG7d0qxdP1ZxlQa.pliOsRbOU method, that is, at 067c820b, to observe the method's arguments. With the breakpoint in place, let the program run backwards.

```
0:013> !U 067c8359
Normal JIT generated code
System.Base.ApplicationContext+<>c.<HashObjectMap>b__19_0()
...
067c8206 50              push    eax
067c8207 8bd3            mov     edx,ebx
067c8209 8bcf            mov     ecx,edi
067c820b ff15e8667a06    call    dword ptr ds:[67A66E8h] (System.Base.ApplicationContext+x4phG7d0qxdP1ZxlQa.pliOsRbOU(System.String, System.String, System.String), mdToken: 0600003e)
067c8211 8945b4          mov     dword ptr [ebp-4Ch],eax
...
0:013> bp 067c820b
0:013> g-
Breakpoint 1 hit
Time Travel Position: 117A27:A80
eax=032c0ca4 ebx=032bf94c ecx=0329e558 edx=032bf94c esi=032bea78 edi=0329e558
eip=067c820b esp=079bf640 ebp=079bf6a8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
067c820b ff15e8667a06    call    dword ptr ds:[67A66E8h] ds:002b:067a66e8=067cdf00
0:013> ub 067c820b
067c81ef 8945b8          mov     dword ptr [ebp-48h],eax
067c81f2 8b3d68361904    mov     edi,dword ptr ds:[4193668h]
067c81f8 8b5e08          mov     ebx,dword ptr [esi+8]
067c81fb b914040000      mov     ecx,414h
067c8200 ff15b0647a06    call    dword ptr ds:[67A64B0h]
067c8206 50              push    eax
067c8207 8bd3            mov     edx,ebx
067c8209 8bcf            mov     ecx,edi
```
The ecx, edx and eax values shown above are the three arguments of the pliOsRbOU() method, in that order: the first two are passed in ecx and edx, and the third is the eax value pushed at 067c8206.

```
0:013> !do ecx
Name:        System.String
MethodTable: 7ad924e4
EEClass:     7ae97690
Size:        40(0x28) bytes
File:        C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String:      192.168.0.106
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
7ad942a8  4000283        4         System.Int32  1 instance       13 m_stringLength
7ad92c9c  4000284        8          System.Char  1 instance       31 m_firstChar
7ad924e4  4000288       70        System.String  0   shared   static Empty
    >> Domain:Value  00b0bce8:NotInit  <<
0:013> !do edx
Name:        System.String
MethodTable: 7ad924e4
EEClass:     7ae97690
Size:        46(0x2e) bytes
File:        C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String:      N8CDEFGH+JKLM..P
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
7ad942a8  4000283        4         System.Int32  1 instance       16 m_stringLength
7ad92c9c  4000284        8          System.Char  1 instance       4e m_firstChar
7ad924e4  4000288       70        System.String  0   shared   static Empty
    >> Domain:Value  00b0bce8:NotInit  <<
0:013> !do eax
Name:        System.String
MethodTable: 7ad924e4
EEClass:     7ae97690
Size:        32(0x20) bytes
File:        C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String:      TripleDES
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
7ad942a8  4000283        4         System.Int32  1 instance        9 m_stringLength
7ad92c9c  4000284        8          System.Char  1 instance       54 m_firstChar
7ad924e4  4000288       70        System.String  0   shared   static Empty
    >> Domain:Value  00b0bce8:NotInit  <<
```
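As an added example (not part of the original article): a small Python parser for a saved log of !do output like the dumps above. It extracts each System.String argument and cross-checks it against the m_stringLength, m_firstChar and Size fields, which catches truncated or mis-copied dumps. The name parse_string_dumps and the 14 + 2 * length size rule are assumptions; the rule is inferred only from the three 32-bit dumps shown here.

```python
import re

# The three !do dumps above, re-typed with line breaks restored and trimmed
# to the lines this parser reads.
SAMPLE = """\
0:013> !do ecx
Size:        40(0x28) bytes
String:      192.168.0.106
7ad942a8  4000283        4         System.Int32  1 instance       13 m_stringLength
7ad92c9c  4000284        8          System.Char  1 instance       31 m_firstChar
0:013> !do edx
Size:        46(0x2e) bytes
String:      N8CDEFGH+JKLM..P
7ad942a8  4000283        4         System.Int32  1 instance       16 m_stringLength
7ad92c9c  4000284        8          System.Char  1 instance       4e m_firstChar
0:013> !do eax
Size:        32(0x20) bytes
String:      TripleDES
7ad942a8  4000283        4         System.Int32  1 instance        9 m_stringLength
7ad92c9c  4000284        8          System.Char  1 instance       54 m_firstChar
"""

PROMPT = re.compile(r"^\d+:\d+> !do (\w+)[ \t]*$", re.M)

def parse_string_dumps(log):
    """Map each register passed to !do to the System.String it pointed at."""
    parts = PROMPT.split(log)[1:]  # [reg, body, reg, body, ...]
    out = {}
    for reg, body in zip(parts[0::2], parts[1::2]):
        size = int(re.search(r"^Size:\s+(\d+)\(", body, re.M).group(1))
        text = re.search(r"^String:[ \t]*(.*)$", body, re.M).group(1)
        # In these dumps m_stringLength is decimal and m_firstChar is hex.
        length = int(re.search(r"(\d+) m_stringLength", body).group(1))
        first = int(re.search(r"([0-9a-f]+) m_firstChar", body).group(1), 16)
        consistent = (
            len(text) == length
            and (not text or ord(text[0]) == first)
            # Assumption: 32-bit layout, which fits all three sizes above.
            and size == 14 + 2 * length
        )
        out[reg] = {"value": text, "consistent": consistent}
    return out

if __name__ == "__main__":
    for reg, info in parse_string_dumps(SAMPLE).items():
        print(reg, repr(info["value"]), "ok" if info["consistent"] else "MISMATCH")
```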