Breakpoint 1 hit
eax=00000001 ebx=00000000 ecx=00a21080 edx=00000000 esi=00a1e420 edi=0012d1dc
eip=00b63b44 esp=0012d1c4 ebp=00000000 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
php_tidy!get_module+0x12b44:
00b63b44 8a4701 mov al,byte ptr [edi+1] ds:0023:0012d1dd=6f
0:000> dc edi
0012d1dc 666e6f43 203a6769 0012d200 0012d26c Config:
The first string is "Config"; immediately after this, execution reaches another loop.
0:000> p
eax=00000043 ebx=00000000 ecx=00a1e958 edx=00000043 esi=00a1e420 edi=0012d21c
eip=00b63b64 esp=0012d1cc ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
php_tidy!get_module+0x12b64:
00b63b64 51 push ecx
0:000> p
eax=00000043 ebx=00000000 ecx=00a1e958 edx=00000043 esi=00a1e420 edi=0012d21c
eip=00b63b65 esp=0012d1c8 ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
php_tidy!get_module+0x12b65:
00b63b65 52 push edx
0:000> p
eax=00000043 ebx=00000000 ecx=00a1e958 edx=00000043 esi=00a1e420 edi=0012d21c
eip=00b63b66 esp=0012d1c4 ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
php_tidy!get_module+0x12b66:
00b63b66 e86534ffff call php_tidy!get_module+0x5fd0 (00b56fd0)
0:000> p
eax=00000009 ebx=00000000 ecx=00a21080 edx=00000008 esi=00a1e420 edi=0012d21c
eip=00b63b6b esp=0012d1c4 ebp=00000000 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
php_tidy!get_module+0x12b6b:
00b63b6b 8a4701 mov al,byte ptr [edi+1] ds:0023:0012d21d=61
0:000> dc edi
0012d21c 276e6143 706f2074 22206e65 41414141 Can't open "AAAA
0012d22c 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
0012d23c 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
0012d24c 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
0012d25c 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
0012d26c 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
Here the string "Can't open " + the malformed string is copied. The copy routine does not apply any length control to the string being copied, so once the copy finishes it has overflowed the destination buffer.
After the copy finishes, we can look directly at the contents of the destination buffer.
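The unchecked copy described above, as an added C illustration (not the tidy or PHP source, whose buffer size and copy routine are not shown on this page): the unbounded concatenation of the "Can't open" prefix with a caller-controlled filename, beside a bounded snprintf form that reports when the message would not fit. ERRMSG_SIZE and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed buffer size, for illustration only; the size used by
 * the real tidy code is not given on this page. */
#define ERRMSG_SIZE 64

/* Vulnerable pattern as described on the page: prefix and filename are
 * concatenated into a fixed-size buffer with no length check, so a long
 * filename writes past the end of dst. */
void build_open_error_unbounded(char *dst, const char *filename)
{
    strcpy(dst, "Can't open \"");   /* no bound */
    strcat(dst, filename);          /* no bound: overflows dst when filename is long */
    strcat(dst, "\"");
}

/* Hardened form: snprintf writes at most dst_size bytes and always
 * NUL-terminates. Returns the length the full message needed, so the
 * caller can detect truncation (needed >= dst_size). */
size_t build_open_error_bounded(char *dst, size_t dst_size, const char *filename)
{
    int needed = snprintf(dst, dst_size, "Can't open \"%s\"", filename);
    return needed < 0 ? 0 : (size_t)needed;
}

/* Returns 1 if the message for filename fits in dst_size bytes including
 * the terminating NUL, 0 if it would be truncated (or overflow in the
 * unbounded version). */
int open_error_fits(const char *filename, size_t dst_size)
{
    size_t needed = strlen("Can't open \"") + strlen(filename) + strlen("\"") + 1;
    return needed <= dst_size;
}

int main(void)
{
    char buf[ERRMSG_SIZE];
    char long_name[200];                       /* constructed input: 199 x 'A' */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    size_t needed = build_open_error_bounded(buf, sizeof buf, long_name);
    printf("message needed %zu bytes, buffer holds %zu, truncated=%d\n",
           needed, sizeof buf, needed >= sizeof buf);
    /* build_open_error_unbounded(buf, long_name) would overflow buf here. */
    return 0;
}
```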