/*
 * checkFun_401000 - Hex-Rays decompiler output; some names were recovered by
 * the poster, the vN names are decompiler placeholders.
 *
 * Creates a private heap, allocates a 0x200-byte block from it, opens
 * "exploit.dat" and, when the file is at most 0x200 bytes long, reads it
 * into a stack buffer and copies it into the heap block. It then resolves
 * MessageBoxW/MessageBoxA from user32.dll into pfunMsgW/pfunMsgA, copies
 * the data into two stack locals and makes two indirect calls through
 * v12 and v14.
 *
 * Returns 1 when the file was opened and its size was <= 0x200, else 0.
 *
 * Review notes (defects visible in this listing):
 *  - Both stack copies are guarded by dwFileLen <= 0x84, while the stack
 *    offsets leave only 0x80 bytes between v13 and v14, and between v15
 *    and Buffer, so the guard is 4 bytes too generous.
 *  - pszFileContent is written and read after HeapFree(), and is passed to
 *    HeapFree() a second time in the cleanup path.
 *  - The results of HeapCreate, HeapAlloc, ReadFile, LoadLibraryA and
 *    GetProcAddress are never checked.
 *  - Cleanup tests hFile against 0, but the failure value tested after
 *    CreateFileA is (HANDLE)-1, so a failed open still reaches CloseHandle.
 */
signed int __cdecl checkFun_401000()
{
HANDLE v0; // eax@1
void *pszFileContent; // ebp@1
void *v2; // edi@1
void *hFile; // esi@1
HANDLE v4; // eax@1
unsigned int dwFileLen; // ebx@2
HMODULE hUser32Dll; // esi@3
signed int iRetn; // [sp+10h] [bp-318h]@1
void *v9; // [sp+14h] [bp-314h]@1
HANDLE v10; // [sp+18h] [bp-310h]@1
DWORD NumberOfBytesRead; // [sp+1Ch] [bp-30Ch]@1
int (**v12)(); // [sp+20h] [bp-308h]@1
// v13, v15 and Buffer are typed as single chars by the decompiler but are
// used as buffers; their sizes below are inferred from the stack offsets.
char v13; // [sp+24h] [bp-304h]@4 ; 0x80 bytes up to v14
int v14; // [sp+A4h] [bp-284h]@1 ; directly after v13
char v15; // [sp+A8h] [bp-280h]@6 ; 0x80 bytes up to Buffer
char Buffer; // [sp+128h] [bp-200h]@3 ; 0x200 bytes to bp, presumably the whole read buffer
iRetn = 0;
// v12 and v14 are loaded from off_4050B4 / off_4050B0 and later used as
// indirect-call targets with their own address as the __thiscall argument.
// NOTE(review): looks like the vtable slots of two stack objects - confirm
// against the disassembly.
v12 = &off_4050B4;
v14 = (int)off_4050B0;
NumberOfBytesRead = 0;
// Private heap: initial size 0x1000, maximum size 0x10000. Result unchecked.
v4 = HeapCreate(0, 0x1000u, 0x10000u);
v2 = v4;
v9 = v4;
// 0x200-byte heap block for the file contents. Result unchecked.
pszFileContent = HeapAlloc(v4, 0, 0x200u);
// GENERIC_READ (0x80000000), FILE_SHARE_READ (1), OPEN_ALWAYS (4),
// FILE_ATTRIBUTE_NORMAL (0x80): the file is created when it does not exist.
v0 = CreateFileA("exploit.dat", 0x80000000u, 1u, 0, 4u, 0x80u, 0);
hFile = v0;
v10 = v0;
// (HANDLE)-1 is INVALID_HANDLE_VALUE.
if ( v0 != (HANDLE)-1 )
{
// High-order size DWORD is not requested; the file length is caller-controlled input.
dwFileLen = GetFileSize(v0, 0);
// 0x200 matches both the heap block size and the apparent size of Buffer.
if ( dwFileLen <= 0x200 )
{
// ReadFile's return value and NumberOfBytesRead are ignored; the copies
// below use dwFileLen regardless of how many bytes were actually read.
ReadFile(hFile, &Buffer, dwFileLen, &NumberOfBytesRead, 0);
memcpy(pszFileContent, &Buffer, dwFileLen);
memset(&Buffer, 0, 0x200u);
hUser32Dll = LoadLibraryA("user32.dll");
// pfunMsgW / pfunMsgA are not declared in this function (presumably
// globals); the resolved addresses are stored as int, unchecked.
pfunMsgW = (int)GetProcAddress(hUser32Dll, "MessageBoxW");
pfunMsgA = (int)GetProcAddress(hUser32Dll, "MessageBoxA");
// Guard allows 0x84 bytes but v13 has 0x80 bytes before v14, so the last
// 4 bytes of a 0x81..0x84-byte file land on v14.
if ( dwFileLen <= 0x84 )
memcpy(&v13, pszFileContent, dwFileLen);
// Flag 1 is HEAP_NO_SERIALIZE. pszFileContent dangles from here on.
HeapFree(v9, 1u, pszFileContent);
// Write to the block that was just freed (use after free).
memset(pszFileContent, 0, 0x80u);
// Reads from the freed block, with the same 0x84-vs-0x80 guard mismatch:
// the copy can run 4 bytes past v15 into Buffer.
if ( dwFileLen <= 0x84 )
memcpy(&v15, pszFileContent, dwFileLen); // overflow occurs here (original poster's note)
// Indirect calls through v12 and v14. The trailing annotations are the
// poster's identification of the targets. v14 is the value that the
// oversized copy into v13 above can reach, so this call target is not
// trustworthy once dwFileLen exceeds 0x80.
((void (__thiscall *)(int (***)()))*v12)(&v12); // Sleep (1000)
(*(void (__thiscall **)(int *))v14)(&v14); // MessageBox(Fail)
v2 = v9;
hFile = v10;
iRetn = 1;
}
}
// hFile is (HANDLE)-1, not 0, when CreateFileA failed, so this test does
// not filter the failure case.
if ( hFile )
CloseHandle(hFile);
// On the path that ran the inner block this is a second HeapFree of the
// same pointer (double free); pszFileContent is never reset after the first.
if ( pszFileContent )
HeapFree(v2, 1u, pszFileContent);
if ( v2 )
HeapDestroy(v2);
return iRetn;
}