/*##################################################
------------------------------------------------
Calling MessageBoxA The Hard Way by Ayrbyte
------------------------------------------------
?? %% %% $$$$$ >> > :: ;;;;;;;;
?? ? %% %% $$ $$ || >> > :: ;; ;;
????? %%%% $$$$$ ||___ >>> ::::: ;;;;;;;
?? ?? %% $$$$ || || > :: ;;
%%%%%%%% $$ $$ ||__|| >>>>> ::::: ;;;;;;;;
______________>>Ayrbyte<<_______________
Gamerz From b-compi | Pasukan Berkompi
compiler : WxDevc++
tested on : Windows 7 Ultimate
##################################################*/
using namespace std;
// Position-independent 32-bit x86 routine, written as inline assembly, that
// reaches LoadLibraryA, MessageBoxA and ExitProcess without an import table:
// each call walks PEB->Ldr->InInitializationOrderModuleList to a fixed list
// position, takes that entry's DllBase and adds a hard-coded RVA. Every
// immediate is produced as (0x111111xx - 0x11111111) so that no 0x00 byte
// appears in the encoding; the author notes below that this is what lets the
// bytes be reused as a raw blob.
//
// NOTE(review): the list positions (3, 8, 2) and the RVAs (0x52864, 0x5EA71,
// 0x31526) are whatever the author's machine had (header: Windows 7 Ultimate).
// Nothing here checks the module name (EDI is loaded but never compared) or
// the export, so on another build the `call ebp` sites land on arbitrary
// code. From a defender's view, the FS:[0x30] PEB read, the Ldr-list walk and
// the absence of any import are the recognisable traits of this construction.
int main(){
// Switch the assembler to Intel syntax for the block below.
__asm__(".intel_syntax noprefix\n");
__asm__(
// ---> Locate LoadLibraryA <---
"XOR ESI,ESI\n"
"XOR ECX,ECX\n" // ECX = 0; used as the base register so FS:[0x30] needs no zero-padded displacement
"MOV ESI,FS:[ECX + 0x30]\n" // ESI = &(PEB) ([FS:0x30])
"MOV ESI,[ESI + 0x0C]\n" // ESI = PEB->Ldr
"MOV ESI,[ESI + 0x1C]\n" // ESI = PEB->Ldr.InInitOrder (list head)
"xor ebx,ebx\n" // EBX = entry counter
"next_module1:\n"
"inc ebx\n"
"MOV EBP,[ESI + 0x08]\n" // EBP = InInitOrder[X].base_address
"MOV EDI,[ESI + 0x20]\n" // EDI = InInitOrder[X].module_name (unicode) -- loaded but never used
"MOV ESI,[ESI]\n" // ESI = InInitOrder[X].flink (next module)
"mov eax,0x11111111\n"
"mov ecx,0x11111114\n"
"sub ecx,eax\n" // ECX = 3
"mov edx,ecx\n" // EDX = 3: stop at the 3rd list entry, which the author says is kernel32
"CMP ebx,edx\n"
"JNE next_module1\n" // not there yet: try the next module
// EBP = base of the 3rd entry (kernel32 on the author's machine; the name is not verified)
"mov eax,0x11111111\n"
"mov ecx,0x11112111\n"
"sub ecx,eax\n" // ECX = 0x1000
"add ebp,ecx\n" // EBP = base + 0x1000
"mov eax,0x11111111\n"
"mov ecx,0x11162975\n"
"sub ecx,eax\n" // ECX = 0x51864
"mov eax,ecx\n"
"add ebp,eax\n" // EBP += 0x51864 -> base + 0x52864, the hard-coded RVA of LoadLibraryA (build-specific)
// ---> Load user32 <---
// Build the string 'user32' on the stack.
"mov edx,esp\n"
"add edx,32\n" // NOTE(review): ESP+32 is not reserved space; this overwrites whatever the frame holds there
"mov ecx,0x72657375\n" // 0x72657375 = 'user' in little-endian order
"mov ds:[edx],ecx\n" // write 'user'
"mov eax,0x11111111\n"
"mov ecx,0x11114344\n"
"sub ecx,eax\n" // ECX = 0x3233 = '32' little-endian; the zero upper bytes also NUL-terminate the string
"mov ds:[edx+4],ecx\n" // write '32\0\0'
// EDX now points at the NUL-terminated string 'user32' (LoadLibraryA appends ".dll" itself).
"push edx\n" // argument: lpLibFileName
"call ebp\n" // kernel32!LoadLibraryA (if the RVA is right); its return value in EAX is ignored
"add esp,4\n" // NOTE(review): LoadLibraryA is stdcall and already popped its argument; this leaves ESP 4 bytes high. Harmless only because the routine never returns.
// ---> Locate MessageBoxA <---
"XOR ESI,ESI\n"
"XOR ECX,ECX\n" // ECX = 0
"MOV ESI,FS:[ECX + 0x30]\n" // ESI = &(PEB) ([FS:0x30])
"MOV ESI,[ESI + 0x0C]\n" // ESI = PEB->Ldr
"MOV ESI,[ESI + 0x1C]\n" // ESI = PEB->Ldr.InInitOrder
"xor ebx,ebx\n"
"next_module2:\n"
"inc ebx\n"
"MOV EBP,[ESI + 0x08]\n" // EBP = InInitOrder[X].base_address
"MOV EDI,[ESI + 0x20]\n" // EDI = InInitOrder[X].module_name (unicode) -- unused
"MOV ESI,[ESI]\n" // ESI = InInitOrder[X].flink (next module)
"mov eax,0x11111111\n"
"mov ecx,0x11111119\n"
"sub ecx,eax\n" // ECX = 8 (the original comment said 9; 0x19 - 0x11 = 8)
"mov edx,ecx\n" // EDX = 8: stop at the 8th entry, where the author expects the just-loaded user32
"CMP ebx,edx\n"
"JNE next_module2\n" // not there yet: try the next module
// EBP = base of the 8th entry (user32 on the author's machine; position depends on what else is loaded)
"mov eax,0x11111111\n"
"mov ecx,0x11112111\n"
"sub ecx,eax\n" // ECX = 0x1000
"add ebp,ecx\n" // EBP = base + 0x1000
"mov eax,0x11111111\n"
"mov ecx,0x1116EB82\n"
"sub ecx,eax\n" // ECX = 0x5DA71
"mov eax,ecx\n"
"add ebp,eax\n" // EBP += 0x5DA71 -> base + 0x5EA71, the hard-coded RVA of MessageBoxA (build-specific)
// ---> Build the caption and text strings for the message box <---
"mov eax,0x11111111\n"
"mov ecx,0x11111295\n"
"sub ecx,eax\n" // ECX = 0x184 = 388
"sub esp,ecx\n" // reserve 388 bytes of stack for both strings
// EDX = ESP: caption 'MessageBoxA By Ayrbyte' (22 chars + NUL, padded to 24 bytes)
"mov edx,esp\n"
"mov ecx,0x7373654D\n" // 'Mess'
"mov ds:[edx],ecx\n"
"mov ecx,0x42656761\n" // 'ageB'
"mov ds:[edx+4],ecx\n"
"mov ecx,0x2041786F\n" // 'oxA '
"mov ds:[edx+8],ecx\n"
"mov ecx,0x41207942\n" // 'By A'
"mov ds:[edx+12],ecx\n"
"mov ecx,0x79627279\n" // 'yrby'
"mov ds:[edx+16],ecx\n"
"mov eax,0x11111111\n"
"mov ecx,0x11117685\n"
"sub ecx,eax\n" // ECX = 0x6574 = 'te' followed by two NULs
"mov ds:[edx+20],ecx\n"
// Text "MessageBoxA 'the hard way' By Ayrbyte" starts at EDX+24 (written as EBX+4 with EBX = EDX+20;
// EBX is moved onto the string by the `add ebx,4` below).
"mov ebx,edx\n"
"add ebx,20\n"
"mov ecx,0x7373654d\n" // 'Mess'
"mov ds:[ebx+4],ecx\n"
"mov ecx,0x42656761\n" // 'ageB'
"mov ds:[ebx+8],ecx\n"
"mov ecx,0x2041786F\n" // 'oxA '
"mov ds:[ebx+12],ecx\n"
"mov ecx,0x65687427\n" // "'the"
"mov ds:[ebx+16],ecx\n"
"mov ecx,0x72616820\n" // ' har'
"mov ds:[ebx+20],ecx\n"
"mov ecx,0x61772064\n" // 'd wa'
"mov ds:[ebx+24],ecx\n"
"mov ecx,0x42202779\n" // "y' B"
"mov ds:[ebx+28],ecx\n"
"mov ecx,0x79412079\n" // 'y Ay'
"mov ds:[ebx+32],ecx\n"
"mov ecx,0x74796272\n" // 'rbyt'
"mov ds:[ebx+36],ecx\n"
"mov eax,0x11111111\n"
"mov ecx,0x11111176\n"
"sub ecx,eax\n" // ECX = 0x65 = 'e' followed by three NULs
"mov ds:[ebx+40],ecx\n"
"add ebx,4\n" // EBX = EDX+24 = start of the text string
// ---> Call MessageBoxA(hWnd, lpText, lpCaption, uType) -- stdcall, last argument pushed first <---
"xor eax,eax\n" // EAX = 0
"push eax\n" // uType = 0 (MB_OK)
"push edx\n" // lpCaption
"push ebx\n" // lpText
"push eax\n" // hWnd = NULL
"call ebp\n" // user32!MessageBoxA (if the RVA is right)
// ---> Call ExitProcess <---
"XOR ESI,ESI\n"
"XOR ECX,ECX\n" // ECX = 0
"MOV ESI,FS:[ECX + 0x30]\n" // ESI = &(PEB) ([FS:0x30])
"MOV ESI,[ESI + 0x0C]\n" // ESI = PEB->Ldr
"MOV ESI,[ESI + 0x1C]\n" // ESI = PEB->Ldr.InInitOrder
"xor ebx,ebx\n"
"next_module3:\n"
"inc ebx\n"
"MOV EBP,[ESI + 0x08]\n" // EBP = InInitOrder[X].base_address
"MOV EDI,[ESI + 0x20]\n" // EDI = InInitOrder[X].module_name (unicode) -- unused
"MOV ESI,[ESI]\n" // ESI = InInitOrder[X].flink (next module)
"mov eax,0x11111111\n"
"mov ecx,0x11111113\n"
"sub ecx,eax\n" // ECX = 2 (the original comment said 3; 0x13 - 0x11 = 2)
"mov edx,ecx\n" // EDX = 2: stop at the 2nd entry, which the author labels KERNELBASE (the 3rd entry was used as kernel32 above)
"CMP ebx,edx\n"
"JNE next_module3\n" // not there yet: try the next module
// EBP = base of the 2nd entry (the original comment said user32, which is wrong; the name is not verified here either)
"mov eax,0x11111111\n"
"mov ecx,0x11142637\n"
"sub ecx,eax\n" // ECX = 0x31526
"add ebp,ecx\n" // EBP = base + 0x31526, the hard-coded RVA of ExitProcess (no +0x1000 step this time)
"call ebp\n" // ExitProcess(uExitCode): NOTE(review): no argument is pushed, so the dword at [ESP] -- the start of the caption buffer -- is consumed as the exit code
// Back to AT&T syntax for the code the compiler emits after this statement.
".att_syntax noprefix\n"
"ret\n" // not reached when ExitProcess succeeds; ESP was never restored, so this could not return cleanly anyway
);}
Code di atas tidak menggunakan byte 0x00, karena itu bisa dibuat dalam bentuk shellcode juga ^_^
berikut bentuk Shellcodenya :
#include <iostream>
using namespace std;
// The routine above as raw x86-32 bytes, as the author states (spot check:
// 33 F6 = xor esi,esi; 33 C9 = xor ecx,ecx; 64 8B 71 30 = mov esi,fs:[ecx+0x30];
// the blob ends in FF D5 = call ebp). It carries the same fixed list positions
// (3, 8, 2), the same hard-coded RVAs and no 0x00 byte; the NUL that the
// string-literal initializer appends is not part of the routine.
// NOTE(review): the positions and RVAs are tied to the build the author tested
// (header: Windows 7 Ultimate). `code` is a mutable global, so it sits in a
// writable data section; whether that section is also executable depends on
// the toolchain and on DEP/NX policy -- confirm before assuming main() can run it.
char code[] =
"\x33\xF6\x33\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x33\xDB\x43\x8B\x6E"
"\x08\x8B\x7E\x20\x8B\x36\xB8\x11\x11\x11\x11\xB9\x14\x11\x11\x11\x2B\xC8\x8B"
"\xD1\x3B\xDA\x75\xE5\xB8\x11\x11\x11\x11\xB9\x11\x21\x11\x11\x2B\xC8\x03\xE9"
"\xB8\x11\x11\x11\x11\xB9\x75\x29\x16\x11\x2B\xC8\x8B\xC1\x03\xE8\x8B\xD4\x83"
"\xC2\x20\xB9\x75\x73\x65\x72\x89\x0A\xB8\x11\x11\x11\x11\xB9\x44\x43\x11\x11"
"\x2B\xC8\x89\x4A\x04\x52\xFF\xD5\x83\xC4\x04\x33\xF6\x33\xC9\x64\x8B\x71\x30"
"\x8B\x76\x0C\x8B\x76\x1C\x33\xDB\x43\x8B\x6E\x08\x8B\x7E\x20\x8B\x36\xB8\x11"
"\x11\x11\x11\xB9\x19\x11\x11\x11\x2B\xC8\x8B\xD1\x3B\xDA\x75\xE5\xB8\x11\x11"
"\x11\x11\xB9\x11\x21\x11\x11\x2B\xC8\x03\xE9\xB8\x11\x11\x11\x11\xB9\x82\xEB"
"\x16\x11\x2B\xC8\x8B\xC1\x03\xE8\xB8\x11\x11\x11\x11\xB9\x95\x12\x11\x11\x2B"
"\xC8\x2B\xE1\x8B\xD4\xB9\x4D\x65\x73\x73\x89\x0A\xB9\x61\x67\x65\x42\x89\x4A"
"\x04\xB9\x6F\x78\x41\x20\x89\x4A\x08\xB9\x42\x79\x20\x41\x89\x4A\x0C\xB9\x79"
"\x72\x62\x79\x89\x4A\x10\xB8\x11\x11\x11\x11\xB9\x85\x76\x11\x11\x2B\xC8\x89"
"\x4A\x14\x8B\xDA\x83\xC3\x14\xB9\x4D\x65\x73\x73\x89\x4B\x04\xB9\x61\x67\x65"
"\x42\x89\x4B\x08\xB9\x6F\x78\x41\x20\x89\x4B\x0C\xB9\x27\x74\x68\x65\x89\x4B"
"\x10\xB9\x20\x68\x61\x72\x89\x4B\x14\xB9\x64\x20\x77\x61\x89\x4B\x18\xB9\x79"
"\x27\x20\x42\x89\x4B\x1C\xB9\x79\x20\x41\x79\x89\x4B\x20\xB9\x72\x62\x79\x74"
"\x89\x4B\x24\xB8\x11\x11\x11\x11\xB9\x76\x11\x11\x11\x2B\xC8\x89\x4B\x28\x83"
"\xC3\x04\x33\xC0\x50\x52\x53\x50\xFF\xD5\x33\xF6\x33\xC9\x64\x8B\x71\x30\x8B"
"\x76\x0C\x8B\x76\x1C\x33\xDB\x43\x8B\x6E\x08\x8B\x7E\x20\x8B\x36\xB8\x11\x11"
"\x11\x11\xB9\x13\x11\x11\x11\x2B\xC8\x8B\xD1\x3B\xDA\x75\xE5\xB8\x11\x11\x11"
"\x11\xB9\x37\x26\x14\x11\x2B\xC8\x03\xE9\xFF\xD5";
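/// Entry point of the second listing: treats the global `code` byte array as a
/// function and transfers control to it. The routine is intended to end in
/// ExitProcess, so nothing after the call is expected to run.
///
/// NOTE(review): `code` lives in a writable data section. On a DEP/NX-enforcing
/// process this call faults instead of running -- executing from data is
/// exactly what that control exists to stop -- so the behaviour seen depends on
/// how the binary was built and on the host's policy.
int main() {
    // Named cast instead of the C-style cast: the object-pointer -> function-pointer
    // conversion is only conditionally supported, so keep it explicit and greppable.
    const auto entry = reinterpret_cast<void (*)()>(code);
    entry();
}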