注册第一天,终于找到一个板块可以发个贴。现将前辈combojiang的代码改写一下。再用OD抓shellcode很是方便。
program Project1;

procedure ShellcodeFunc();
{ 32-bit Windows demonstration of resolving Win32 APIs without an import
  table, written as inline asm inside a Delphi procedure.
  Flow: @Start finds the kernel32 image base by scanning backwards for an
  'MZ' header from a stack-derived address; @GetFunc resolves LoadLibraryA
  and GetProcAddress by walking the kernel32 export table with a byte
  compare; then user32!MessageBoxA and kernel32!ExitProcess are called.
  The procedure never returns (ExitProcess).
  Assumptions behind the fixed offsets: a 32-bit process (fs-based TEB,
  PE32 headers) and that the dword at TEB.StackBase-1Ch points into
  kernel32 -- presumably true only for the OS versions the author tested.
  The asm reads its Delphi locals ebp-relative, so it is tied to this
  procedure's stack frame.
  Register discipline: @GetFunc clobbers ebx, esi and edi, which are
  callee-saved under the Delphi register convention, and never restores
  them; this goes unnoticed only because the procedure ends in ExitProcess. }
var
  uLoadLibrary,uGetProcAddress,uKernelBase,flen:LongWord;   // resolved entry points, kernel32 base, byte count for the name compare
  FuncName :pchar;                                          // export name to look up (only flen bytes are compared, NUL excluded)

begin
       asm
             jmp @Start
          // ----------------------------------------------------------------
          // @GetFunc: resolve a kernel32 export by name.
          // In:  uKernelBase = image base, FuncName = name, flen = bytes to compare
          // Out: eax = virtual address of the export
          // Clobbers: ebx, ecx, edx, esi, edi, flags
          // The name index in edx is used directly as the index into
          // AddressOfFunctions; AddressOfNameOrdinals (offset 24h) is never
          // consulted, so this is only correct when ordinal[i] == i.
          // ----------------------------------------------------------------
          @GetFunc:
              mov eax,uKernelBase
              mov eax,[eax+3ch]               // IMAGE_DOS_HEADER.e_lfanew
              add eax,uKernelBase             // eax = IMAGE_NT_HEADERS
              mov eax,[eax+78h]               // DataDirectory[0].VirtualAddress (export table, PE32 layout)
              add eax,uKernelBase             // eax = IMAGE_EXPORT_DIRECTORY
              mov esi,eax                     // esi keeps the export directory for @Found
              mov ecx,[eax+18h]               // ecx = NumberOfNames (loop counter)
              mov eax,[eax+20h]               // AddressOfNames RVA
              add eax,uKernelBase             // eax = ebx = &AddressOfNames[0]
              mov ebx,eax
              xor edx,edx                     // edx = index of the name currently examined
          @FindLoop:
              push ecx                        // rep cmpsb overwrites ecx and esi; save both
              push esi
              mov eax,[eax]                   // RVA of the current name string
              add eax,uKernelBase
              mov esi,FuncName
              mov edi,eax
              mov ecx,flen
              cld
              rep cmpsb                       // compare flen bytes; ZF reflects the last byte compared
              pop esi
              je  @Found                      // prefix match only (NUL not compared); saved ecx is still on the stack
              inc edx  
              add ebx,4                       // advance to the next name pointer
              mov eax,ebx
              pop ecx
              loop @FindLoop
              // If all NumberOfNames entries miss, execution falls through
              // here with ecx already popped: the add esp,4 below then
              // discards the return address and ret uses whatever lies
              // beneath it. There is no not-found path.
          @Found:
              add esp,4                       // drop the ecx saved in @FindLoop
              mov eax,esi                     // export directory
              mov eax,[eax+1ch]               // AddressOfFunctions RVA
              add eax,uKernelBase
              shl edx,2                       // edx = index * sizeof(DWORD)
              add eax,edx
              mov eax,[eax]                   // function RVA
              add eax,uKernelBase             // eax = function VA
              jmp @Founded
              xor eax,eax                     // unreachable: nothing jumps here
          @Founded:
              ret

          @Start:
              push esi
              push ecx
              xor eax, eax                    // redundant: eax is overwritten two instructions later
              xor esi, esi
              mov esi, fs:[esi + 18h]         // fs:[18h] = TEB self pointer
              mov eax, [esi+4]                // TEB.NtTib.StackBase
              mov eax, [eax -1ch]             // dword near the top of the initial stack; presumably a
                                              // return address inside kernel32 (OS-version dependent)
          @find_kernel32_base:
              dec eax
              xor ax, ax                      // round down to the next lower 64 KiB boundary (16-bit partial write)
              cmp word ptr [eax], 5a4dh       // 'MZ' DOS signature at this boundary?
              jne @find_kernel32_base         // no lower bound: an unmapped page on the way down faults
              pop ecx
              pop esi
              mov uKernelBase,eax
              mov flen,0ch                    // 12 = Length('LoadLibraryA'), NUL excluded
              call @LL1                       // call pushes the address of the string below as the return address
              DB  'L','o','a','d','L','i','b','r','a','r','y','A',0
          @LL1:
              pop eax                         // eax = @'LoadLibraryA'
              mov FuncName,eax
              call @GetFunc
              mov uLoadLibrary,eax
              mov flen,0Eh                    // 14 = Length('GetProcAddress'), NUL excluded
              call @LL2
              db  'G','e','t','P','r','o','c','A','d','d','r','e','s','s',0
          @LL2:
              pop eax                         // eax = @'GetProcAddress'
              mov FuncName,eax
              call @GetFunc
              mov uGetProcAddress,eax
              call  @l1                       // pushes @'user32.dll' (lpLibFileName)
              db 'u','s','e','r','3','2','.','d','l','l',0
          @l1:
              call uLoadLibrary               // eax = LoadLibraryA('user32.dll')
              call @l2                        // pushes @'MessageBoxA' (lpProcName)
              db  'M','e','s','s','a','g','e','B','o','x','A',0
          @l2:
              push eax                        // hModule = user32 handle
              call uGetProcAddress            // eax = MessageBoxA
              push 0                          // uType
              call @l3                        // pushes lpCaption: four raw bytes + NUL, presumably two
              db $cc,$ec,$d2,$d7,0            //   DBCS (GBK) characters -- the source does not say which
          @l3:
              call @l4                        // pushes lpText = 'Love'
              db 'L','o','v','e',0
          @l4:
              push 0                          // hWnd = 0
              call eax                        // MessageBoxA(0, 'Love', caption, 0)
           {   MOV EAX,DWORD PTR FS:[0]    peaceclub's exit routine (disabled)
          @L001:
              CMP DWORD PTR DS:[EAX],-1
              JE @L006
              MOV EAX,DWORD PTR DS:[EAX]
              MOV DWORD PTR FS:[0],EAX
              JMP @L001
          @L006:
              MOV EAX,DWORD PTR DS:[EAX+8]
              MOV EAX,DWORD PTR DS:[EAX+8]
              ADD EAX,13
              JMP EAX }
           call @l5                        // pushes @'ExitProcess' (lpProcName)
              db  'E','x','i','t','P','r','o','c','e','s','s',0
          @l5:
              push uKernelBase //the article "shellcode之小小琢磨" has a logic error here: ExitProcess is not
              call uGetProcAddress     //looked up in user32.dll but in kernel32, so uKernelBase is the hModule
              push 0                          // uExitCode
              call eax                        // ExitProcess(0): never returns, so the clobbered ebx/esi/edi are never restored
      end;
end;

begin
  // Program entry: run the demo. ShellcodeFunc ends in ExitProcess and
  // does not return, so nothing after this call would ever execute.
  ShellcodeFunc();
end.

//此外去掉了几个变量,因为没有必要
我看到有人讨论delphi写shellcode,我觉得没多大意义。