Windows
安装 CFF Explorer,勾选属性 File is a DLL,保存文件后缀名为 dll
外部调用程序如下,其中 0x11A0 为函数的偏移地址
#include <cstdio>
#include <windows.h>
typedef int (*func1)(__int64, const char*, __int64, __int64, __int64);
int main() {
HMODULE hdll = LoadLibraryA("./babyRe.dll");
func1 myfunc = func1((unsigned char*)hdll + 0x11A0);
for (int i = 0; i < 16; i++)
printf("%02x", *((unsigned char*)myfunc + i));
printf("
");
myfunc(0, "key3:44c16d", 0, 0, 0);
FreeLibrary(hdll);
return 0;
}
Linux
安装 LIEF,使用下面的脚本去除 PIE 标志
import lief
import sys
path = "babyRe"
bin_ = lief.parse(path)
bin_[lief.ELF.DYNAMIC_TAGS.FLAGS_1].remove(lief.ELF.DYNAMIC_FLAGS_1.PIE)
bin_.write(path + ".so")
外部调用程序如下,其中 0x120A 为函数的偏移地址
#include <cstdio>
#include <dlfcn.h>
typedef char * (*func1)(const char *);
int main() {
void *hdll = dlopen("./babyRe.so", RTLD_LAZY);
func1 myfunc = func1(*(unsigned char**)hdll + 0x120A);
for (int i = 0; i < 16; i++)
printf("%02x", *((unsigned char*)myfunc + i));
printf("
");
char *buf = myfunc("this is a message to encode");
printf("%s", buf);
dlclose(hdll);
return 0;
}