https://www.uiluo.com/生命要继续https://www.uiluo.com/?id=5<p>在&nbsp;script.pck中的&nbsp;&nbsp;script\config\miscconfig.lua&nbsp;</p><p><br/></p><p>在这个lua脚本中新增 EL中的“时装套装”中的对应ID即可</p><p><br/></p><p><img class="ue-image" src="https://www.uiluo.com/zb_users/upload/2026/01/202601241769252416174342.png" title="18.png" alt="18.png"/></p>Sat, 24 Jan 2026 18:57:47 +0800https://www.uiluo.com/?id=4<p><span style="font-family:宋体">在</span>Glink<span style="font-family:宋体">中有一可获得远程</span>shell<span style="font-family:宋体">的方法</span></p><p><span style="font-family:宋体">原理是通过</span>domainlogin<span style="font-family:宋体">登录后，发送</span>domaincmd<span style="font-family:宋体">协议来执行</span>shell<span style="font-family:宋体">指令</span></p><p><span style="font-family:宋体">某些</span>gde<span style="font-family:宋体">被修改了其登录验证逻辑，绕过了验证流程，从而可以直接执行</span>shell<span style="font-family:宋体">指令。</span></p><p><span style="font-family:宋体">其源码中验证函数看起来是使用了证书验证，不过这些都是硬编码在程序中，明白人或许可以通过其源代码来获得远程</span>shell<span style="font-family:宋体">权限。</span></p><p><span style="font-family:宋体">下面介绍如何通过</span>IDA<span style="font-family:宋体">更改</span>glinkd<span style="font-family:宋体">来屏蔽</span><a name="OLE_LINK2">domainlogin</a><span style="font-family:宋体">协议。</span>Domaincmd<span style="font-family:宋体">修改原理一样，自行摸索</span></p><p><span style="font-family:宋体">首先查看这两个协议中源码的处理函数</span></p><p><a name="OLE_LINK1">DomainLogin::Process</a></p><p>&nbsp;</p><p>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <img width="553px" height="327px" src="https://www.uiluo.com/zb_users/plugin/UEditor/themes/default/images/spacer.gif" word_img="file:///C:/Users/Administrator/AppData/Local/Temp/msohtmlclip1/01/clip_image001.png" style="background:url(https://www.uiluo.com/zb_users/plugin/UEditor/lang/zh-cn/images/localimage.png) no-repeat center center;border:1px solid #ddd"/></p><p>&nbsp;</p><p><span style="font-family:宋体">这里有一个判断，</span>if(data!=nonce) <span style="font-family:宋体">，如果不相等，则会进入代码块关闭当前链接，我们可以利用这点，修改</span>glinkd<span style="font-family:宋体">，让该函数从开头跳转到此代码块，关闭对方的连接。</span></p><p><span style="font-family:宋体">利用</span>IDA<span style="font-family:宋体">来打开</span>glinkd,<span style="font-family:宋体">由于符号被移除，无法通过函数名来查找到对应函数，但是可以在其中找到</span>DomainLogin<span style="font-family:宋体">的虚表，通过其虚表地址中记录的函数与原代码对比，找到这个</span>Process<span style="font-family:宋体">函数。</span></p><p><span style="font-family:宋体">先通过搜索找到其</span>vtable<span style="font-family:宋体">定义处，里面是所有虚函数地址</span></p><p><img width="553px" height="161px" src="https://www.uiluo.com/zb_users/plugin/UEditor/themes/default/images/spacer.gif" word_img="file:///C:/Users/Administrator/AppData/Local/Temp/msohtmlclip1/01/clip_image002.png" style="background:url(https://www.uiluo.com/zb_users/plugin/UEditor/lang/zh-cn/images/localimage.png) no-repeat center center;border:1px solid #ddd"/></p><p>&nbsp;</p><p>vtable:</p><p><img width="554px" height="183px" src="https://www.uiluo.com/zb_users/plugin/UEditor/themes/default/images/spacer.gif" word_img="file:///C:/Users/Administrator/AppData/Local/Temp/msohtmlclip1/01/clip_image003.png" style="background:url(https://www.uiluo.com/zb_users/plugin/UEditor/lang/zh-cn/images/localimage.png) no-repeat center center;border:1px solid #ddd"/></p><p><span style="font-family:宋体">随后点击每个函数查看代码，通过对比发现</span> 0811F8DC <span style="font-family:宋体">这个地址就是</span>Process<span style="font-family:宋体">函数</span></p><p>&nbsp;</p><p><span style="font-family:宋体">此外源代码中，还有一点可以利用的地方就是记录了日志，其中使用了字符串“</span>DomainLogin failed<span style="font-family:宋体">”，这个可以帮助我们快速定位到关闭连接的代码块，通过搜索发现以下信息</span></p><p><img width="553px" height="109px" src="https://www.uiluo.com/zb_users/plugin/UEditor/themes/default/images/spacer.gif" word_img="file:///C:/Users/Administrator/AppData/Local/Temp/msohtmlclip1/01/clip_image004.png" style="background:url(https://www.uiluo.com/zb_users/plugin/UEditor/lang/zh-cn/images/localimage.png) no-repeat center center;border:1px solid #ddd"/></p><p>&nbsp;</p><p><span style="font-family:宋体">发现其代码块为</span>loc_811FF00<span style="font-family:宋体">。现在我们回到函数开始处修改</span></p><p><img width="553px" height="117px" src="https://www.uiluo.com/zb_users/plugin/UEditor/themes/default/images/spacer.gif" word_img="file:///C:/Users/Administrator/AppData/Local/Temp/msohtmlclip1/01/clip_image005.png" style="background:url(https://www.uiluo.com/zb_users/plugin/UEditor/lang/zh-cn/images/localimage.png) no-repeat center center;border:1px solid #ddd"/></p><p><span style="font-family:宋体">这里修改跳转不能破坏栈帧平衡，需要在合适的位置跳转，否则引发段错误，程序会被终止！</span></p><p><span style="font-family:宋体">选图中所示</span>mov edx,[ebp+arg_0] <span style="font-family:宋体">这行，再点击菜单栏中</span>edit -&gt;patch program-&gt;assemble...</p><p><span style="font-family:宋体">在弹出的框中填入</span> jmp loc_811FF00 <span style="font-family:宋体">后点击</span>OK</p><p><img width="352px" height="128px" src="https://www.uiluo.com/zb_users/plugin/UEditor/themes/default/images/spacer.gif" word_img="file:///C:/Users/Administrator/AppData/Local/Temp/msohtmlclip1/01/clip_image006.png" style="background:url(https://www.uiluo.com/zb_users/plugin/UEditor/lang/zh-cn/images/localimage.png) no-repeat center center;border:1px solid #ddd"/></p><p>&nbsp;</p><p><span style="font-family:宋体">修改后如下图所示：</span></p><p><img width="554px" height="128px" src="https://www.uiluo.com/zb_users/plugin/UEditor/themes/default/images/spacer.gif" word_img="file:///C:/Users/Administrator/AppData/Local/Temp/msohtmlclip1/01/clip_image007.png" style="background:url(https://www.uiluo.com/zb_users/plugin/UEditor/lang/zh-cn/images/localimage.png) no-repeat center center;border:1px solid #ddd"/></p><p>&nbsp;</p><p><span style="font-family:宋体">后面的代码无需管了，因为跳转的代码块中</span>ret<span style="font-family:宋体">了，永远不会被执行。</span></p><p><span style="font-family:宋体">现在修改完后选择</span>edit-&gt;patch program -&gt; apply patchs to input file <span style="font-family:宋体">将修改后的内容同步到原文件。恭喜，你已经成功屏蔽了</span>domainlogin<span style="font-family:宋体">协议！</span></p><p>&nbsp;</p><p><span style="font-family:宋体">上面示例的版本为</span>155<span style="font-family:宋体">，通过</span>010Editor<span style="font-family:宋体">快速修改，其文件偏移量为</span>0xD78E8,<span style="font-family:宋体">将该位置对应的</span>5<span style="font-family:宋体">个字节修改为</span> E9 13 06 00 00 <span style="font-family:宋体">即可！</span></p><p><br/></p>Sun, 18 Jan 2026 12:10:43 +0800https://www.uiluo.com/?id=3<p>之前的数据崩了，现在重新弄</p>Sun, 18 Jan 2026 11:52:18 +0800