; Disassembler dump of a 64-byte, position-independent patch stub (005E168E..005E16CD).
; The stub resolves its own address, makes a code page writable with VirtualProtect,
; and copies a short payload appended after the RETN over the target address.
; Reviewer notes are appended as `;` comments; the dumped instruction text is unchanged.
; From a defender's view, the observable pattern is VirtualProtect(PAGE_EXECUTE_READWRITE)
; on an in-image code address immediately followed by a write to that address.
005E168E 60 PUSHAD ; save all general registers; restored by POPAD before RETN
005E168F E8 0C000000 CALL Gunz_-_U.005E16A0 ; CALL over the 12-byte table: pushes 005E1694, the table's own address
005E1694 00006B00 DD Gunz_-_U.006B0000 ; table[0]: scratch dword, written at 005E16B0 BEFORE VirtualProtect runs, so it must already be writable
005E1698 99834400 DD Gunz_-_U.00448399 ; table[1]: patch target address (the dword the Usage text says to replace)
005E169C 00006C00 DD Gunz_-_U.006C0000 ; table[2]: address where VirtualProtect stores the old protection
005E16A0 /. 5D POP EBP ; EBP = 005E1694 = address of the table (the pushed return address)
005E16A1 |. 8D45 00 LEA EAX,DWORD PTR SS:[EBP] ; EAX = &table[0]
005E16A4 |. 8D5D 04 LEA EBX,DWORD PTR SS:[EBP+4] ; EBX = &table[1]
005E16A7 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8] ; ECX = &table[2]
005E16AA |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; EAX = 006B0000 (scratch)
005E16AC |. 8B1B MOV EBX,DWORD PTR DS:[EBX] ; EBX = 00448399 (target)
005E16AE |. 8B09 MOV ECX,DWORD PTR DS:[ECX] ; ECX = 006C0000 (old-protect slot)
005E16B0 |. 8918 MOV DWORD PTR DS:[EAX],EBX ; [scratch] = target; done before the protection change, see note on table[0]
005E16B2 |. 50 PUSH EAX ; keep the scratch address across the call (EAX is clobbered by the return value)
005E16B3 |. 51 PUSH ECX ; /pOldProtect ; lpflOldProtect = 006C0000
005E16B4 |. 6A 40 PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
005E16B6 |. 6A 30 PUSH 30 ; |Size = 30 (48.) ; 0x30 bytes, larger than the 5 bytes copied below
005E16B8 |. 53 PUSH EBX ; |Address ; lpAddress = target
005E16B9 |. FF15 F4625E00 CALL DWORD PTR DS:[<&KERNEL32.VirtualPro>; \VirtualProtect ; return value (EAX) is never tested; a failed call goes unnoticed
005E16BF |. 58 POP EAX ; EAX = scratch address again; VirtualProtect's result is discarded here
005E16C0 |. 8B38 MOV EDI,DWORD PTR DS:[EAX] ; EDI = [scratch] = target (the value stored at 005E16B0)
005E16C2 |. 8D75 3A LEA ESI,DWORD PTR SS:[EBP+3A] ; ESI = 005E16CE = first byte after RETN, i.e. the appended payload
005E16C5 |. B9 05000000 MOV ECX,5 ; byte count for the copy: 5 here, though the Usage text refers to `mov ecx,22` - inconsistent
005E16CA |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[EDI] ; F3 A4 = REP MOVSB, which reads DS:[ESI] and writes ES:[EDI]; the second `[EDI]` is presumably a transcription slip for `[ESI]`
005E16CC |. 61 POPAD ; restore registers
005E16CD \. C3 RETN ; return to caller; the payload bytes start at the next address
Binary:
60 E8 0C 00 00 00 00 00 6B 00 99 83 44 00 00 00 6C 00 5D 8D 45 00 8D 5D 04 8D 4D 08 8B 00 8B 1B
8B 09 89 18 50 51 6A 40 6A 30 53 FF 15 F4 62 5E 00 58 8B 38 8D 75 3A B9 05 00 00 00 F3 A4 61 C3
Usage:
Replace the second dword in the table; in this example it is 00448399. Then change the size passed to VirtualProtect, and after the VirtualProtect call change `mov ecx,22` to the size of your code. Now add your code after the `retn` (don't skip any lines).
Example:
/* ShellCode_t is a FUNCTION type (returns void *, unspecified parameters), not a pointer type. */
typedef void *(__cdecl ShellCode_t) ();
/* NOTE(review): because ShellCode_t is a function type, this line declares a function named
 * ShellCode with no body rather than a pointer variable; the assignment inside Execute() is
 * therefore not valid C as written. */
ShellCode_t ShellCode;
/*
 * Execute: changes the protection of the byte string below to PAGE_EXECUTE and calls into it.
 *
 * NOTE(review): the literal holds 64 bytes (matching the 64-byte dump above) plus a
 * terminating NUL, yet 66 is passed as the VirtualProtect size, so the requested range
 * runs past the end of the object.  The return value of VirtualProtect is not checked,
 * so a refused protection change is not detected before the call.  Whether the literal
 * lands in writable or read-only image memory depends on the toolchain - unverified here.
 */
void Execute ()
{
/* 64 bytes of the stub from the dump above, with embedded 0x00 bytes; strlen() would be wrong, hence the explicit size below. */
char *shellCode = "\x60\xE8\x0C\x00\x00\x00\x00\x00\x6B\x00\x99\x83\x44\x00\x00\x00\x6C\x00\x5D\x8D\x45\x00\x8D\x5D\x04\x8D\x4D\x08\x8B\x00\x8B\x1B\x8B\x09\x89\x18\x50\x51\x6A\x40\x6A\x30\x53\xFF\x15\xF4\x62\x5E\x00\x58\x8B\x38\x8D\x75\x3A\xB9\x05\x00\x00\x00\xF3\xA4\x61\xC3";
DWORD dwProtect; /* receives the previous protection; never read afterwards */
VirtualProtect (shellCode, 66, PAGE_EXECUTE, &dwProtect); /* NOTE(review): size exceeds the 65-byte object; result ignored */
ShellCode = (ShellCode_t)shellCode; /* NOTE(review): casting to a function type (not a pointer to one) is not valid C */
ShellCode ();
}