[原创]第一题分析
发表于: 2010-10-18 21:35 2679
; OllyDbg listing of the routine at 00401000 (x86-32; Win32 API imports called via the IAT, stdcall).
; Frame: "sub esp,318" then push ebx/ebp/esi/edi. Offsets below are given relative to F = esp after
; those four pushes; an [esp+N] operand is converted to F+(N - bytes currently pushed as call args).
;   F+10  return-value slot (zeroed at 00401017, set to 1 at 00401174, loaded at 004011A0)
;   F+14  heap handle        F+18  file handle        F+1C  ReadFile bytes-read out-param
;   F+20  pointer slot := 004050B4 (called through at 0040115A)   F+24  destination of the copy at 0040110F
;   F+A4  pointer slot := 004050B0 (called through at 0040116A)   F+A8  destination of the copy at 00401149
;   F+128 0x200-byte file buffer; F+328 is the return address, so a read of at most 0x200 bytes fits exactly.
; The copy at 0040110F writes ebx <= 0x84 bytes starting at F+24, i.e. up to F+A8, so the bound 0x84 lets
; file data reach the pointer slot at F+A4 before it is dereferenced at 0040116A (a bound of 0x80 would not).
; Register roles: ebx = file size; ebp = 0x200-byte heap block; esi = file handle, later user32 module
; handle, later copy source; edi = heap handle, later GetProcAddress, later copy destination.
00401000 /$ 81EC 18030000 sub esp, 318 ; reserve 0x318 bytes of locals
00401006 |. 53 push ebx ; save callee-saved registers
00401007 |. 55 push ebp
00401008 |. 56 push esi
00401009 |. 57 push edi
0040100A |. 33DB xor ebx, ebx ; ebx = 0, reused as the NULL/0 argument below
0040100C |. 68 00000100 push 10000 ; /MaximumSize = 10000 (65536.)
00401011 |. 68 00100000 push 1000 ; |InitialSize = 1000 (4096.)
00401016 |. 53 push ebx ; |Flags => 0
00401017 |. 895C24 1C mov dword ptr [esp+1C], ebx ; |F+10 = 0 (return-value slot; only 00401174 sets it to 1)
0040101B |. C74424 2C B45>mov dword ptr [esp+2C], 004050B4 ; |F+20 = 004050B4 (pointer slot dereferenced at 0040115A)
00401023 |. C78424 B00000>mov dword ptr [esp+B0], 004050B0 ; |F+A4 = 004050B0 (pointer slot dereferenced at 0040116A); author's note: "the trick is here" -- the copy at 0040110F can reach this slot
0040102E |. 895C24 28 mov dword ptr [esp+28], ebx ; |F+1C = 0 (bytes-read out-param for ReadFile)
00401032 |. FF15 24504000 call dword ptr [<&KERNEL32.HeapCreate>>; \HeapCreate(0, 0x1000, 0x10000)
00401038 |. 8BF8 mov edi, eax ; edi = heap handle
0040103A |. 68 00020000 push 200 ; /dwBytes = 200 (512.)
0040103F |. 53 push ebx ; |dwFlags => 0
00401040 |. 57 push edi ; |hHeap
00401041 |. 897C24 20 mov dword ptr [esp+20], edi ; |F+14 = heap handle (read back at 00401118 and 0040116C)
00401045 |. FF15 20504000 call dword ptr [<&KERNEL32.HeapAlloc>] ; \HeapAlloc(hHeap, 0, 0x200); result is not checked for NULL
0040104B |. 53 push ebx ; /hTemplateFile => NULL
0040104C |. 68 80000000 push 80 ; |Attributes = NORMAL
00401051 |. 6A 04 push 4 ; |Mode = OPEN_ALWAYS
00401053 |. 53 push ebx ; |pSecurity => NULL
00401054 |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00401056 |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
0040105B |. 68 30604000 push 00406030 ; |lpFileName = string at 00406030 (debugger shows it starting "exploit.dat")
00401060 |. 8BE8 mov ebp, eax ; |ebp = 0x200-byte heap block (eax is untouched since HeapAlloc returned)
00401062 |. FF15 1C504000 call dword ptr [<&KERNEL32.CreateFileA>; \CreateFileA -- opens exploit.dat for reading
00401068 |. 8BF0 mov esi, eax ; esi = file handle
0040106A |. 83FE FF cmp esi, -1 ; INVALID_HANDLE_VALUE?
0040106D |. 897424 18 mov dword ptr [esp+18], esi ; F+18 = file handle (re-read at 00401170)
00401071 |. 0F84 05010000 je 0040117C ; open failed -> cleanup; note esi is -1 there, so 00401180 still calls CloseHandle on it
00401077 |. 53 push ebx ; /pFileSizeHigh => NULL
00401078 |. 56 push esi ; |hFile
00401079 |. FF15 18504000 call dword ptr [<&KERNEL32.GetFileSize>; \GetFileSize -- low dword of the file size in eax
0040107F |. 8BD8 mov ebx, eax ; ebx = file size (an error value of 0xFFFFFFFF also takes the jump below)
00401081 |. 81FB 00020000 cmp ebx, 200 ; size > 0x200 (512 bytes = heap block and stack buffer size)?
00401087 |. 0F87 EF000000 ja 0040117C ; unsigned compare: too large -> cleanup; 0x200 or less falls through
0040108D |. 8D4424 1C lea eax, dword ptr [esp+1C] ; eax = &F+1C (bytes-read out-param)
00401091 |. 6A 00 push 0 ; /pOverlapped = NULL
00401093 |. 50 push eax ; |pBytesRead
00401094 |. 8D8C24 300100>lea ecx, dword ptr [esp+130] ; |ecx = F+128, the 0x200-byte stack buffer
0040109B |. 53 push ebx ; |BytesToRead = file size
0040109C |. 51 push ecx ; |Buffer
0040109D |. 56 push esi ; |hFile
0040109E |. FF15 14504000 call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile(hFile, F+128, ebx, &F+1C, NULL); return value and bytes-read are never checked
004010A4 |. 8BCB mov ecx, ebx ; ecx = byte count for the copy
004010A6 |. 8DB424 280100>lea esi, dword ptr [esp+128] ; esi = F+128 (copy source: the bytes just read)
004010AD |. 8BD1 mov edx, ecx ; edx = byte count, kept for the tail copy
004010AF |. 8BFD mov edi, ebp ; edi = heap block (copy destination)
004010B1 |. C1E9 02 shr ecx, 2 ; dword count
004010B4 |. F3:A5 rep movs dword ptr es:[edi], dword pt>; copy ecx dwords F+128 -> heap block
004010B6 |. 8BCA mov ecx, edx ; byte count again
004010B8 |. 33C0 xor eax, eax ; eax = 0, fill pattern for the rep stos at 004010D0
004010BA |. 83E1 03 and ecx, 3 ; remaining 0..3 bytes
004010BD |. 68 54604000 push 00406054 ; /lpFileName = string at 00406054 ("user32.dll"), pushed early for the LoadLibraryA call at 004010D2
004010C2 |. F3:A4 rep movs byte ptr es:[edi], byte ptr >; |tail copy of the remaining bytes
004010C4 |. B9 80000000 mov ecx, 80 ; |0x80 dwords = 0x200 bytes
004010C9 |. 8DBC24 2C0100>lea edi, dword ptr [esp+12C] ; |edi = F+128 (esp+12C == F+128 because of the pending push)
004010D0 |. F3:AB rep stos dword ptr es:[edi] ; |zero the stack buffer now that its contents live in the heap block
004010D2 |. FF15 10504000 call dword ptr [<&KERNEL32.LoadLibrary>; \LoadLibraryA("user32.dll")
004010D8 |. 8B3D 0C504000 mov edi, dword ptr [<&KERNEL32.GetPro>; edi = &GetProcAddress
004010DE |. 8BF0 mov esi, eax ; esi = user32 module handle (not checked for NULL)
004010E0 |. 68 48604000 push 00406048 ; /lpProcName = string at 00406048 (debugger shows it starting "messageboxw")
004010E5 |. 56 push esi ; |hModule
004010E6 |. FFD7 call edi ; \GetProcAddress
004010E8 |. 68 3C604000 push 0040603C ; /lpProcName = string at 0040603C (debugger shows it starting "messageboxa")
004010ED |. 56 push esi ; |hModule
004010EE |. A3 10854000 mov dword ptr [408510], eax ; |[408510] = first resolved address (presumably MessageBoxW)
004010F3 |. FFD7 call edi ; \GetProcAddress
004010F5 |. 81FB 84000000 cmp ebx, 84 ; file size > 0x84 (132 bytes)?
004010FB |. A3 14854000 mov dword ptr [408514], eax ; [408514] = second resolved address (presumably MessageBoxA); mov leaves the flags intact
00401100 |. 77 16 ja short 00401118 ; larger than 0x84 -> skip the copy; 0x84 or less falls through
00401102 |. 8BCB mov ecx, ebx ; ecx = byte count
00401104 |. 8BF5 mov esi, ebp ; esi = heap block (copy source)
00401106 |. 8BC1 mov eax, ecx ; eax = byte count, kept for the tail copy
00401108 |. 8D7C24 24 lea edi, dword ptr [esp+24] ; edi = F+24 (copy destination, right after the pointer slot at F+20)
0040110C |. C1E9 02 shr ecx, 2 ; dword count (length / 4)
0040110F |. F3:A5 rep movs dword ptr es:[edi], dword pt>; copy file bytes onto the stack at F+24..F+24+ebx; with ebx = 0x84 the copy ends at F+A8 and overwrites the pointer slot at F+A4 used by 0040116A
00401111 |. 8BC8 mov ecx, eax ; byte count
00401113 |. 83E1 03 and ecx, 3 ; remaining 0..3 bytes
00401116 |. F3:A4 rep movs byte ptr es:[edi], byte ptr >; tail copy
00401118 |> 8B4C24 14 mov ecx, dword ptr [esp+14] ; ecx = heap handle (F+14)
0040111C |. 55 push ebp ; /pMemory
0040111D |. 6A 01 push 1 ; |Flags = HEAP_NO_SERIALIZE
0040111F |. 51 push ecx ; |hHeap
00401120 |. FF15 08504000 call dword ptr [<&KERNEL32.HeapFree>] ; \HeapFree -- ebp is released here but still used at 0040112D, 0040113B and 0040118B
00401126 |. B9 20000000 mov ecx, 20 ; 0x20 dwords = 0x80 bytes
0040112B |. 33C0 xor eax, eax ; eax = 0 (fill pattern)
0040112D |. 8BFD mov edi, ebp ; edi = the heap block freed just above
0040112F |. 81FB 84000000 cmp ebx, 84 ; file size > 0x84? (rep stos below does not change the flags)
00401135 |. F3:AB rep stos dword ptr es:[edi] ; zero 0x80 bytes of the freed block (write after free)
00401137 |. 77 19 ja short 00401152 ; larger than 0x84 -> skip the second copy
00401139 |. 8BCB mov ecx, ebx ; ecx = byte count
0040113B |. 8BF5 mov esi, ebp ; esi = the freed heap block (copy source, read after free)
0040113D |. 8BD1 mov edx, ecx ; edx = byte count, kept for the tail copy
0040113F |. 8DBC24 A80000>lea edi, dword ptr [esp+A8] ; edi = F+A8 (copy destination, right after the pointer slot at F+A4)
00401146 |. C1E9 02 shr ecx, 2 ; dword count
00401149 |. F3:A5 rep movs dword ptr es:[edi], dword pt>; copy from the freed block to F+A8..F+A8+ebx
0040114B |. 8BCA mov ecx, edx ; byte count
0040114D |. 83E1 03 and ecx, 3 ; remaining 0..3 bytes
00401150 |. F3:A4 rep movs byte ptr es:[edi], byte ptr >; tail copy
00401152 |> 8B4424 20 mov eax, dword ptr [esp+20] ; eax = contents of pointer slot F+20 (004050B4 as stored at 0040101B)
00401156 |. 8D4C24 20 lea ecx, dword ptr [esp+20] ; ecx = F+20 -- looks like a thiscall "this" whose first dword is the table pointer
0040115A |. FF10 call dword ptr [eax] ; call through the first dword of the table at 004050B4; the callee is not shown in this listing
0040115C |. 8B9424 A40000>mov edx, dword ptr [esp+A4] ; edx = contents of pointer slot F+A4 (004050B0 unless the copy at 0040110F overwrote it)
00401163 |. 8D8C24 A40000>lea ecx, dword ptr [esp+A4] ; ecx = F+A4 (presumably "this" for the second object)
0040116A |. FF12 call dword ptr [edx] ; indirect call through [edx]; if F+A4 holds file data the target is whatever that dword points at
0040116C |. 8B7C24 14 mov edi, dword ptr [esp+14] ; restore edi = heap handle for the cleanup path
00401170 |. 8B7424 18 mov esi, dword ptr [esp+18] ; restore esi = file handle
00401174 |. C74424 10 010>mov dword ptr [esp+10], 1 ; F+10 = 1 (return value: success)
0040117C |> 85F6 test esi, esi ; cleanup: file handle non-zero? (-1 from a failed open also passes)
0040117E |. 74 07 je short 00401187
00401180 |. 56 push esi ; /hObject
00401181 |. FF15 04504000 call dword ptr [<&KERNEL32.CloseHandle>; \CloseHandle
00401187 |> 85ED test ebp, ebp ; heap block non-NULL?
00401189 |. 74 0A je short 00401195
0040118B |. 55 push ebp ; /pMemory
0040118C |. 6A 01 push 1 ; |Flags = HEAP_NO_SERIALIZE
0040118E |. 57 push edi ; |hHeap
0040118F |. FF15 08504000 call dword ptr [<&KERNEL32.HeapFree>] ; \HeapFree -- on the success path ebp was already freed at 00401120 (double free)
00401195 |> 85FF test edi, edi ; heap handle non-NULL?
00401197 |. 74 07 je short 004011A0
00401199 |. 57 push edi ; /hHeap
0040119A |. FF15 00504000 call dword ptr [<&KERNEL32.HeapDestroy>; \HeapDestroy
004011A0 |> 8B4424 10 mov eax, dword ptr [esp+10] ; eax = return value from F+10 (0 or 1)
004011A4 |. 5F pop edi ; restore callee-saved registers
004011A5 |. 5E pop esi
004011A6 |. 5D pop ebp
004011A7 |. 5B pop ebx
004011A8 |. 81C4 18030000 add esp, 318 ; release locals
004011AE \. C3 retn
; Repeat of the same OllyDbg listing, starting at 00401006 (the "sub esp,318" at 00401000 is not repeated).
; Offsets are given relative to F = esp after the four register pushes; an [esp+N] operand is converted to
; F+(N - bytes currently pushed as call args).
;   F+10  return-value slot (zeroed at 00401017, set to 1 at 00401174, loaded at 004011A0)
;   F+14  heap handle        F+18  file handle        F+1C  ReadFile bytes-read out-param
;   F+20  pointer slot := 004050B4 (called through at 0040115A)   F+24  destination of the copy at 0040110F
;   F+A4  pointer slot := 004050B0 (called through at 0040116A)   F+A8  destination of the copy at 00401149
;   F+128 0x200-byte file buffer; F+328 is the return address, so a read of at most 0x200 bytes fits exactly.
; The copy at 0040110F writes ebx <= 0x84 bytes starting at F+24, i.e. up to F+A8, so the bound 0x84 lets
; file data reach the pointer slot at F+A4 before it is dereferenced at 0040116A (a bound of 0x80 would not).
; Register roles: ebx = file size; ebp = 0x200-byte heap block; esi = file handle, later user32 module
; handle, later copy source; edi = heap handle, later GetProcAddress, later copy destination.
00401006 |. 53 push ebx ; save callee-saved registers
00401007 |. 55 push ebp
00401008 |. 56 push esi
00401009 |. 57 push edi
0040100A |. 33DB xor ebx, ebx ; ebx = 0, reused as the NULL/0 argument below
0040100C |. 68 00000100 push 10000 ; /MaximumSize = 10000 (65536.)
00401011 |. 68 00100000 push 1000 ; |InitialSize = 1000 (4096.)
00401016 |. 53 push ebx ; |Flags => 0
00401017 |. 895C24 1C mov dword ptr [esp+1C], ebx ; |F+10 = 0 (return-value slot; only 00401174 sets it to 1)
0040101B |. C74424 2C B45>mov dword ptr [esp+2C], 004050B4 ; |F+20 = 004050B4 (pointer slot dereferenced at 0040115A)
00401023 |. C78424 B00000>mov dword ptr [esp+B0], 004050B0 ; |F+A4 = 004050B0 (pointer slot dereferenced at 0040116A); author's note: "the trick is here" -- the copy at 0040110F can reach this slot
0040102E |. 895C24 28 mov dword ptr [esp+28], ebx ; |F+1C = 0 (bytes-read out-param for ReadFile)
00401032 |. FF15 24504000 call dword ptr [<&KERNEL32.HeapCreate>>; \HeapCreate(0, 0x1000, 0x10000)
00401038 |. 8BF8 mov edi, eax ; edi = heap handle
0040103A |. 68 00020000 push 200 ; /dwBytes = 200 (512.)
0040103F |. 53 push ebx ; |dwFlags => 0
00401040 |. 57 push edi ; |hHeap
00401041 |. 897C24 20 mov dword ptr [esp+20], edi ; |F+14 = heap handle (read back at 00401118 and 0040116C)
00401045 |. FF15 20504000 call dword ptr [<&KERNEL32.HeapAlloc>] ; \HeapAlloc(hHeap, 0, 0x200); result is not checked for NULL
0040104B |. 53 push ebx ; /hTemplateFile => NULL
0040104C |. 68 80000000 push 80 ; |Attributes = NORMAL
00401051 |. 6A 04 push 4 ; |Mode = OPEN_ALWAYS
00401053 |. 53 push ebx ; |pSecurity => NULL
00401054 |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00401056 |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
0040105B |. 68 30604000 push 00406030 ; |lpFileName = string at 00406030 (debugger shows it starting "exploit.dat")
00401060 |. 8BE8 mov ebp, eax ; |ebp = 0x200-byte heap block (eax is untouched since HeapAlloc returned)
00401062 |. FF15 1C504000 call dword ptr [<&KERNEL32.CreateFileA>; \CreateFileA -- opens exploit.dat for reading
00401068 |. 8BF0 mov esi, eax ; esi = file handle
0040106A |. 83FE FF cmp esi, -1 ; INVALID_HANDLE_VALUE?
0040106D |. 897424 18 mov dword ptr [esp+18], esi ; F+18 = file handle (re-read at 00401170)
00401071 |. 0F84 05010000 je 0040117C ; open failed -> cleanup; note esi is -1 there, so 00401180 still calls CloseHandle on it
00401077 |. 53 push ebx ; /pFileSizeHigh => NULL
00401078 |. 56 push esi ; |hFile
00401079 |. FF15 18504000 call dword ptr [<&KERNEL32.GetFileSize>; \GetFileSize -- low dword of the file size in eax
0040107F |. 8BD8 mov ebx, eax ; ebx = file size (an error value of 0xFFFFFFFF also takes the jump below)
00401081 |. 81FB 00020000 cmp ebx, 200 ; size > 0x200 (512 bytes = heap block and stack buffer size)?
00401087 |. 0F87 EF000000 ja 0040117C ; unsigned compare: too large -> cleanup; 0x200 or less falls through
0040108D |. 8D4424 1C lea eax, dword ptr [esp+1C] ; eax = &F+1C (bytes-read out-param)
00401091 |. 6A 00 push 0 ; /pOverlapped = NULL
00401093 |. 50 push eax ; |pBytesRead
00401094 |. 8D8C24 300100>lea ecx, dword ptr [esp+130] ; |ecx = F+128, the 0x200-byte stack buffer
0040109B |. 53 push ebx ; |BytesToRead = file size
0040109C |. 51 push ecx ; |Buffer
0040109D |. 56 push esi ; |hFile
0040109E |. FF15 14504000 call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile(hFile, F+128, ebx, &F+1C, NULL); return value and bytes-read are never checked
004010A4 |. 8BCB mov ecx, ebx ; ecx = byte count for the copy
004010A6 |. 8DB424 280100>lea esi, dword ptr [esp+128] ; esi = F+128 (copy source: the bytes just read)
004010AD |. 8BD1 mov edx, ecx ; edx = byte count, kept for the tail copy
004010AF |. 8BFD mov edi, ebp ; edi = heap block (copy destination)
004010B1 |. C1E9 02 shr ecx, 2 ; dword count
004010B4 |. F3:A5 rep movs dword ptr es:[edi], dword pt>; copy ecx dwords F+128 -> heap block
004010B6 |. 8BCA mov ecx, edx ; byte count again
004010B8 |. 33C0 xor eax, eax ; eax = 0, fill pattern for the rep stos at 004010D0
004010BA |. 83E1 03 and ecx, 3 ; remaining 0..3 bytes
004010BD |. 68 54604000 push 00406054 ; /lpFileName = string at 00406054 ("user32.dll"), pushed early for the LoadLibraryA call at 004010D2
004010C2 |. F3:A4 rep movs byte ptr es:[edi], byte ptr >; |tail copy of the remaining bytes
004010C4 |. B9 80000000 mov ecx, 80 ; |0x80 dwords = 0x200 bytes
004010C9 |. 8DBC24 2C0100>lea edi, dword ptr [esp+12C] ; |edi = F+128 (esp+12C == F+128 because of the pending push)
004010D0 |. F3:AB rep stos dword ptr es:[edi] ; |zero the stack buffer now that its contents live in the heap block
004010D2 |. FF15 10504000 call dword ptr [<&KERNEL32.LoadLibrary>; \LoadLibraryA("user32.dll")
004010D8 |. 8B3D 0C504000 mov edi, dword ptr [<&KERNEL32.GetPro>; edi = &GetProcAddress
004010DE |. 8BF0 mov esi, eax ; esi = user32 module handle (not checked for NULL)
004010E0 |. 68 48604000 push 00406048 ; /lpProcName = string at 00406048 (debugger shows it starting "messageboxw")
004010E5 |. 56 push esi ; |hModule
004010E6 |. FFD7 call edi ; \GetProcAddress
004010E8 |. 68 3C604000 push 0040603C ; /lpProcName = string at 0040603C (debugger shows it starting "messageboxa")
004010ED |. 56 push esi ; |hModule
004010EE |. A3 10854000 mov dword ptr [408510], eax ; |[408510] = first resolved address (presumably MessageBoxW)
004010F3 |. FFD7 call edi ; \GetProcAddress
004010F5 |. 81FB 84000000 cmp ebx, 84 ; file size > 0x84 (132 bytes)?
004010FB |. A3 14854000 mov dword ptr [408514], eax ; [408514] = second resolved address (presumably MessageBoxA); mov leaves the flags intact
00401100 |. 77 16 ja short 00401118 ; larger than 0x84 -> skip the copy; 0x84 or less falls through
00401102 |. 8BCB mov ecx, ebx ; ecx = byte count
00401104 |. 8BF5 mov esi, ebp ; esi = heap block (copy source)
00401106 |. 8BC1 mov eax, ecx ; eax = byte count, kept for the tail copy
00401108 |. 8D7C24 24 lea edi, dword ptr [esp+24] ; edi = F+24 (copy destination, right after the pointer slot at F+20)
0040110C |. C1E9 02 shr ecx, 2 ; dword count (length / 4)
0040110F |. F3:A5 rep movs dword ptr es:[edi], dword pt>; copy file bytes onto the stack at F+24..F+24+ebx; with ebx = 0x84 the copy ends at F+A8 and overwrites the pointer slot at F+A4 used by 0040116A
00401111 |. 8BC8 mov ecx, eax ; byte count
00401113 |. 83E1 03 and ecx, 3 ; remaining 0..3 bytes
00401116 |. F3:A4 rep movs byte ptr es:[edi], byte ptr >; tail copy
00401118 |> 8B4C24 14 mov ecx, dword ptr [esp+14] ; ecx = heap handle (F+14)
0040111C |. 55 push ebp ; /pMemory
0040111D |. 6A 01 push 1 ; |Flags = HEAP_NO_SERIALIZE
0040111F |. 51 push ecx ; |hHeap
00401120 |. FF15 08504000 call dword ptr [<&KERNEL32.HeapFree>] ; \HeapFree -- ebp is released here but still used at 0040112D, 0040113B and 0040118B
00401126 |. B9 20000000 mov ecx, 20 ; 0x20 dwords = 0x80 bytes
0040112B |. 33C0 xor eax, eax ; eax = 0 (fill pattern)
0040112D |. 8BFD mov edi, ebp ; edi = the heap block freed just above
0040112F |. 81FB 84000000 cmp ebx, 84 ; file size > 0x84? (rep stos below does not change the flags)
00401135 |. F3:AB rep stos dword ptr es:[edi] ; zero 0x80 bytes of the freed block (write after free)
00401137 |. 77 19 ja short 00401152 ; larger than 0x84 -> skip the second copy
00401139 |. 8BCB mov ecx, ebx ; ecx = byte count
0040113B |. 8BF5 mov esi, ebp ; esi = the freed heap block (copy source, read after free)
0040113D |. 8BD1 mov edx, ecx ; edx = byte count, kept for the tail copy
0040113F |. 8DBC24 A80000>lea edi, dword ptr [esp+A8] ; edi = F+A8 (copy destination, right after the pointer slot at F+A4)
00401146 |. C1E9 02 shr ecx, 2 ; dword count
00401149 |. F3:A5 rep movs dword ptr es:[edi], dword pt>; copy from the freed block to F+A8..F+A8+ebx
0040114B |. 8BCA mov ecx, edx ; byte count
0040114D |. 83E1 03 and ecx, 3 ; remaining 0..3 bytes
00401150 |. F3:A4 rep movs byte ptr es:[edi], byte ptr >; tail copy
00401152 |> 8B4424 20 mov eax, dword ptr [esp+20] ; eax = contents of pointer slot F+20 (004050B4 as stored at 0040101B)
00401156 |. 8D4C24 20 lea ecx, dword ptr [esp+20] ; ecx = F+20 -- looks like a thiscall "this" whose first dword is the table pointer
0040115A |. FF10 call dword ptr [eax] ; call through the first dword of the table at 004050B4; the callee is not shown in this listing
0040115C |. 8B9424 A40000>mov edx, dword ptr [esp+A4] ; edx = contents of pointer slot F+A4 (004050B0 unless the copy at 0040110F overwrote it)
00401163 |. 8D8C24 A40000>lea ecx, dword ptr [esp+A4] ; ecx = F+A4 (presumably "this" for the second object)
0040116A |. FF12 call dword ptr [edx] ; indirect call through [edx]; if F+A4 holds file data the target is whatever that dword points at
0040116C |. 8B7C24 14 mov edi, dword ptr [esp+14] ; restore edi = heap handle for the cleanup path
00401170 |. 8B7424 18 mov esi, dword ptr [esp+18] ; restore esi = file handle
00401174 |. C74424 10 010>mov dword ptr [esp+10], 1 ; F+10 = 1 (return value: success)
0040117C |> 85F6 test esi, esi ; cleanup: file handle non-zero? (-1 from a failed open also passes)
0040117E |. 74 07 je short 00401187
00401180 |. 56 push esi ; /hObject
00401181 |. FF15 04504000 call dword ptr [<&KERNEL32.CloseHandle>; \CloseHandle
00401187 |> 85ED test ebp, ebp ; heap block non-NULL?
00401189 |. 74 0A je short 00401195
0040118B |. 55 push ebp ; /pMemory
0040118C |. 6A 01 push 1 ; |Flags = HEAP_NO_SERIALIZE
0040118E |. 57 push edi ; |hHeap
0040118F |. FF15 08504000 call dword ptr [<&KERNEL32.HeapFree>] ; \HeapFree -- on the success path ebp was already freed at 00401120 (double free)
00401195 |> 85FF test edi, edi ; heap handle non-NULL?
00401197 |. 74 07 je short 004011A0
00401199 |. 57 push edi ; /hHeap
0040119A |. FF15 00504000 call dword ptr [<&KERNEL32.HeapDestroy>; \HeapDestroy
004011A0 |> 8B4424 10 mov eax, dword ptr [esp+10] ; eax = return value from F+10 (0 or 1)
004011A4 |. 5F pop edi ; restore callee-saved registers
004011A5 |. 5E pop esi
004011A6 |. 5D pop ebp
004011A7 |. 5B pop ebx
004011A8 |. 81C4 18030000 add esp, 318 ; release locals
004011AE \. C3 retn