
网上流传的两种 MD5_CTX 定义其实对应两套不同的 API, 单独看都没错, 混用才会出问题: 第一种是 advapi32.dll 里 MD5Init/MD5Update/MD5Final 使用的布局(共 104 字节, MD5Final 只接收一个 ctx 指针, 把结果写进偏移 88 处的 digest 字段); 第二种是 RFC 1321 参考实现的布局(88 字节, 没有 digest 字段, 它的 MD5Final 要另外传一个 16 字节的输出缓冲). 下面的汇编调用的是 advapi32, 所以结果必须按第一种布局、从偏移 88 读.
/* Data structure for MD5 (Message-Digest) computation.
 * This is the layout advapi32.dll's MD5Init/MD5Update/MD5Final operate on:
 * MD5Final takes only the context pointer and writes the result into
 * `digest`, which sits at byte offset 8 + 16 + 64 = 88 (104 bytes total
 * with 4-byte ULONGs). The MASM listing below reads the hash at exactly
 * that offset after calling MD5Final with just the context. */
typedef struct {
ULONG i[2]; /* number of _bits_ handled mod 2^64 */
ULONG buf[4]; /* scratch buffer */
unsigned char in[64]; /* input buffer */
unsigned char digest[16]; /* actual digest after MD5Final call */
} MD5_CTX;
有些又是:
/* The RFC 1321 reference-implementation layout (88 bytes): there is no
 * digest member, because that implementation's MD5Final takes a separate
 * 16-byte output buffer. It is not wrong in itself, but it does not match
 * advapi32's MD5Final, which writes the digest INTO the context at offset
 * 88 - with this struct that write lands past the end of the object. */
typedef struct {
UINT4 state[4]; /* A, B, C, D */
UINT4 count[2]; /* bit count, low word first */
unsigned char buffer[64]; /* pending input block */
} MD5_CTX;
;md5 hash calc
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\masm32.inc
include \masm32\include\gdi32.inc
include \masm32\include\shell32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\comdlg32.lib
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\gdi32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\advapi32.lib
WndProc proto :DWORD, :DWORD, :DWORD, :DWORD
.const
IDI_SM equ 1 ; icon resource id (LoadIcon in WM_INITDIALOG)
IDC_EDIT_TEXT equ 1001 ; input edit control: text to hash
IDC_EDIT_128 equ 1002 ; output: full 128-bit digest as 32 hex digits
IDC_EDIT_CHG equ 1003 ; output: "16-digit" form = hex digits 8..23 of the full digest
IDC_BUTTON_OK equ 1004 ; "generate" button
IDC_OUTTYPE equ 1005 ; output in upper-case hex (checked by default)
IDC_OUTTYPE2 equ 1006 ; output in lower-case hex
; RGB red, green, blue  ->  eax = COLORREF 0x00BBGGRR
; Builds the value one byte at a time: blue is loaded first and shifted
; up twice, green once, red stays in the low byte. Only eax is written
; (flags are clobbered). The arguments are anything MOV AL accepts; the
; listing passes immediates.
RGB MACRO red, green, blue
    xor     eax, eax            ; start from zero so the shifts move only our bytes
    mov     al, blue
    shl     eax, 8              ; eax = blue << 8
    mov     al, green
    shl     eax, 8              ; eax = blue << 16 | green << 8
    mov     al, red             ; eax = blue << 16 | green << 8 | red
ENDM
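;-----------------------------------------------------------------------
; MD5_CTX as laid out by advapi32.dll's MD5Init/MD5Update/MD5Final
; (104 bytes). Same layout as the first C definition quoted above:
;   ULONG i[2]; ULONG buf[4]; unsigned char in[64]; unsigned char digest[16];
; MD5Final takes only the context and stores the result in .digest, at
; byte offset 8 + 16 + 64 = 88 - which is where the code reads the hash.
; The original declaration had a different field order and used DW for
; the byte arrays, so its fields did not describe what advapi32 writes;
; it only worked because it was oversized (184 bytes) and the write
; happened to land inside it.
;-----------------------------------------------------------------------
MD5_CTX struct
    count   dd 2 dup (?)    ; C name "i": number of bits handled mod 2^64
    state   dd 4 dup (?)    ; C name "buf": scratch/working buffer
    inbuf   db 64 dup (?)   ; C name "in": pending input block ("in" is reserved in MASM)
    digest  db 16 dup (?)   ; result after MD5Final; offset 88
MD5_CTX ends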
.data
szDlgName db "md5hash_dialog", 0 ; dialog template resource name (DialogBoxParam in start)
hInstance dd ? ; module handle, set in start
advdll db "advapi32.dll",0 ; loaded by unqualified name at run time; acceptable only because advapi32 is a system (KnownDLL) module - an unqualified LoadLibrary of anything else is the classic search-order hijack
md5init db 'MD5Init',0 ; undocumented advapi32 exports, resolved with GetProcAddress
md5update db 'MD5Update',0
md5final db 'MD5Final',0
format db '%02X',0 ; wsprintf format: one digest byte as two upper-case hex digits
format2 db '%02x',0 ; same, lower case
outtype dd 1 ; 1 = upper-case output (IDC_OUTTYPE, default), 0 = lower-case (IDC_OUTTYPE2)
.data?
string db 256 dup(?) ; edit-control text; GetDlgItemText is always given a limit no larger than this buffer
contex MD5_CTX <> ; context handed to advapi32; the digest is read at byte offset 88 after MD5Final
buffer db 64 dup (?) ; scratch for one wsprintf'd byte ("XX" + NUL)
tempbuffer db 64 dup (?) ; 32 hex digits + NUL; uninitialised-data section is zero-filled by the loader, which the lstrcat accumulation relies on
.code
; Program entry: run the modal dialog and exit with its return value
; (EndDialog in WndProc's WM_CLOSE handler passes 0).
start:
invoke GetModuleHandle, NULL
mov hInstance, eax
invoke DialogBoxParam, hInstance, offset szDlgName, 0, WndProc, 0
invoke ExitProcess, eax
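;-----------------------------------------------------------------------
; Layout constants for advapi32's MD5_CTX: MD5Final writes the 16-byte
; result into the context itself at byte offset 8 + 16 + 64 = 88.
;-----------------------------------------------------------------------
MD5_DIGEST_OFFSET equ 88
MD5_DIGEST_LEN    equ 16

;-----------------------------------------------------------------------
; ComputeMd5Hex
;   MD5 of the NUL-terminated ANSI string at pszText, written to pszOut
;   as 32 hex digits plus NUL (pszOut must have room for >= 33 bytes).
; In:   pszText - input string, hashed as its raw ANSI bytes
;       pszOut  - output buffer
;       fUpper  - nonzero -> "%02X" (upper case), zero -> "%02x"
; Out:  eax = TRUE on success. FALSE if advapi32.dll or any of
;       MD5Init/MD5Update/MD5Final could not be resolved; pszOut is then
;       the empty string and the global contex is left untouched.
; Uses: contex, advdll, md5init, md5update, md5final, format, format2.
; Notes:
;   - MD5Init/MD5Update/MD5Final are undocumented stdcall exports of
;     advapi32 (callee cleans the stack, so no esp adjustment after the
;     indirect calls). Every pointer is checked before it is called; the
;     original called whatever GetProcAddress returned, NULL included.
;   - The module reference is released with FreeLibrary; the original
;     leaked one LoadLibrary reference per button press.
;   - MD5 is not collision-resistant: fine as a checksum, not as an
;     integrity guarantee against an adversary.
;-----------------------------------------------------------------------
ComputeMd5Hex proc uses ebx esi edi pszText:DWORD, pszOut:DWORD, fUpper:DWORD
    local hAdvapi    :dword
    local pMd5Init   :dword
    local pMd5Update :dword
    local pMd5Final  :dword
    local result     :dword

    mov result, FALSE
    mov edi, pszOut
    mov byte ptr [edi], 0               ; empty string unless we succeed

    ; Unqualified name: only acceptable because advapi32 is a system DLL.
    invoke LoadLibrary, offset advdll
    .if eax != NULL
        mov hAdvapi, eax
        invoke GetProcAddress, hAdvapi, offset md5init
        mov pMd5Init, eax
        invoke GetProcAddress, hAdvapi, offset md5update
        mov pMd5Update, eax
        invoke GetProcAddress, hAdvapi, offset md5final
        mov pMd5Final, eax

        .if pMd5Init != NULL && pMd5Update != NULL && pMd5Final != NULL
            ; MD5Init(&contex)
            push offset contex
            call dword ptr pMd5Init
            ; MD5Update(&contex, pszText, lstrlen(pszText))
            invoke lstrlen, pszText
            push eax
            push pszText
            push offset contex
            call dword ptr pMd5Update
            ; MD5Final(&contex) -> result stored in contex at MD5_DIGEST_OFFSET
            push offset contex
            call dword ptr pMd5Final

            ; Render the 16 digest bytes as hex straight into pszOut.
            ; wsprintf returns the number of characters written (2 per
            ; byte) and leaves a NUL after them, so the output stays
            ; terminated without a separate scratch buffer or lstrcat.
            mov esi, offset contex
            add esi, MD5_DIGEST_OFFSET      ; esi -> first digest byte
            mov edi, pszOut                 ; edi -> next output position
            xor ebx, ebx                    ; ebx = digest bytes done
            .while ebx < MD5_DIGEST_LEN
                movzx eax, byte ptr [esi]   ; full 32-bit zero-extend; pass eax, not ax
                .if fUpper != 0
                    invoke wsprintf, edi, offset format, eax
                .else
                    invoke wsprintf, edi, offset format2, eax
                .endif
                add edi, eax
                inc esi
                inc ebx
            .endw
            mov result, TRUE
        .endif
        invoke FreeLibrary, hAdvapi
    .endif

    mov eax, result
    ret
ComputeMd5Hex endp

;-----------------------------------------------------------------------
; WndProc - dialog procedure for the "md5hash_dialog" template.
; In:   hWnd, uMsg, wParam, lParam as for any DLGPROC (stdcall callback).
; Out:  eax = TRUE if the message was handled, FALSE otherwise.
;       WM_CTLCOLORSTATIC returns the brush handle directly, which a
;       DLGPROC may do for WM_CTLCOLOR* messages.
; ebx/esi/edi are callee-saved in the convention Windows uses for
; callbacks, so they are listed in USES; the original clobbered them.
; Globals: hInstance, string, tempbuffer, outtype (.data / .data?).
; Security notes:
;   - The input is hashed as the ANSI bytes GetDlgItemTextA returns, not
;     as UTF-16, so non-ASCII text hashes differently per code page.
;   - The hex output is wiped from tempbuffer after it is displayed, as
;     in the original; the MD5 context and the input text are not.
;-----------------------------------------------------------------------
WndProc proc uses ebx esi edi hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    local hBrush   :dword
    local rect     :RECT
    local LogBrush :LOGBRUSH

    .if uMsg == WM_CLOSE
        invoke EndDialog, hWnd, 0
    .elseif uMsg == WM_INITDIALOG
        invoke LoadIcon, hInstance, IDI_SM
        invoke SendMessage, hWnd, WM_SETICON, ICON_SMALL, eax
        invoke CheckDlgButton, hWnd, IDC_OUTTYPE, BST_CHECKED   ; default: upper-case hex
    .elseif uMsg == WM_CTLCOLORSTATIC
        RGB 180, 100, 100
        invoke SetBkColor, wParam, eax                          ; wParam = HDC of the static control
        invoke GetStockObject, HOLLOW_BRUSH                     ; stock object: must not be deleted
        ret
    .elseif uMsg == WM_ERASEBKGND
        mov LogBrush.lbStyle, BS_SOLID
        RGB 180, 100, 100
        mov LogBrush.lbColor, eax
        invoke CreateBrushIndirect, addr LogBrush
        mov hBrush, eax
        invoke GetClientRect, hWnd, addr rect
        invoke FillRect, wParam, addr rect, hBrush              ; wParam = HDC
        invoke DeleteObject, hBrush                             ; original leaked one GDI brush per erase
        mov eax, TRUE
        ret
    .elseif uMsg == WM_COMMAND
        mov eax, wParam
        mov edx, eax
        shr edx, 16                 ; edx = notification code (HIWORD)
        movzx eax, ax               ; eax = control id (LOWORD)
        .if edx == BN_CLICKED
            .if eax == IDC_BUTTON_OK
                ; The limit counts the terminator, so sizeof string (256)
                ; can never overrun the buffer.
                invoke GetDlgItemText, hWnd, IDC_EDIT_TEXT, offset string, sizeof string
                invoke ComputeMd5Hex, offset string, offset tempbuffer, outtype
                .if eax != FALSE
                    invoke SetDlgItemText, hWnd, IDC_EDIT_128, offset tempbuffer
                    ; "16-digit" form = hex digits 8..23 of the full digest:
                    ; terminate after digit 23 (one byte, not a dword as the
                    ; original wrote) and display from digit 8.
                    mov byte ptr tempbuffer[8 + 16], 0
                    invoke SetDlgItemText, hWnd, IDC_EDIT_CHG, addr tempbuffer[8]
                .else
                    ; advapi32 MD5 exports unavailable: tempbuffer is the
                    ; empty string, so this clears any stale output instead
                    ; of calling a NULL function pointer as the original did.
                    invoke SetDlgItemText, hWnd, IDC_EDIT_128, offset tempbuffer
                    invoke SetDlgItemText, hWnd, IDC_EDIT_CHG, offset tempbuffer
                .endif
                invoke RtlZeroMemory, offset tempbuffer, sizeof tempbuffer
            .elseif eax == IDC_OUTTYPE
                mov outtype, 1
            .elseif eax == IDC_OUTTYPE2
                mov outtype, 0
            .endif
        .endif
    .else
        mov eax, FALSE
        ret
    .endif
    mov eax, TRUE
    ret
WndProc endp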
end start

主要难度还是处理一些不常用的非客户区消息:)
不过真的要写完美我想应该要判断系统中窗口的风格,我这儿只是经典风格,如果是XP风格就难看咯.
TIP控件:
; Tooltip window for the custom title-bar button. The text is not stored in
; the tool; LPSTR_TEXTCALLBACK makes the control ask for it with
; TTN_GETDISPINFO (handled in the notification fragment below).
; NOTE(review): WS_EX_TOOLWINDOW and WS_EX_TOPMOST are extended-style bits,
; but they are OR'ed into the style argument while dwExStyle (the first
; argument) is NULL, so they are interpreted as WS_* bits there - confirm
; this is intended, or move them to the first argument.
invoke CreateWindowEx,NULL,offset ToolTipClass,NULL,WS_POPUP or TTS_NOPREFIX or TTS_ALWAYSTIP\
or WS_EX_TOOLWINDOW or WS_EX_TOPMOST,CW_USEDEFAULT, CW_USEDEFAULT,CW_USEDEFAULT, CW_USEDEFAULT,\
hWnd, NULL, hInstance,NULL
mov hToolTip,eax
mov ti.cbSize,sizeof TOOLINFO
mov ti.uFlags,TTF_IDISHWND ; uId is a window handle rather than a rectangle id
push hWinMain
pop ti.hWnd
push hWinMain
pop ti.uId ; the "tool" is the main window itself (hWinMain; presumably the same window as hWnd above)
mov ti.lpszText,LPSTR_TEXTCALLBACK ; text supplied on demand via TTN_GETDISPINFO
invoke SendMessage,hToolTip,TTM_ADDTOOL,0,addr ti
invoke SendMessage,hToolTip,TTM_ACTIVATE,1,0
;%
; Image list for the title-bar "minimize to tray" button: two 16x14 frames,
; index 0 = idle, index 1 = pressed (see the WM_NCPAINT / WM_NCLBUTTONDOWN handlers)
INVOKE ImageList_Create, 16, 14, ILC_COLOR32 , 2, 0
mov hImageListTitle, eax
INVOKE LoadBitmap, hInstance, IDB_TITLEBUTTONBMP
mov hBitmap, eax
INVOKE ImageList_Add, hImageListTitle, hBitmap, NULL
INVOKE DeleteObject, hBitmap ; the image list keeps its own copy; release ours
; Tray-icon right-click menu
invoke CreatePopupMenu
mov hTrayMenu,eax
invoke AppendMenu,hTrayMenu,MF_STRING,IDM_EXITSERVER,offset exitserver
invoke AppendMenu,hTrayMenu,MF_STRING,IDM_RESTOREWIN,offset restorewin
通知消息部分:
; WM_NOTIFY fragment: hand the tooltip its text when it asks for it.
mov edi,lParam ; lParam -> NMHDR
assume edi:ptr NMHDR
.if [edi].code == TTN_GETDISPINFO
mov eax,[edi].hwndFrom
.if eax == hToolTip ; only our tooltip; anything else falls to the else branch
mov edi,lParam
assume edi:ptr TOOLTIPTEXT ; TTN_GETDISPINFO's lParam is a TOOLTIPTEXT whose first member is the NMHDR
mov eax,offset sztraytip
mov [edi].lpszText,eax ; point at the static string; nothing is copied into szText
mov [edi].uFlags,TTF_IDISHWND
assume edi:nothing
.else
..........some other code...
.endif
.endif
WM消息部分:
.elseif uMsg==WM_SHELLNOTIFY ; tray-icon callback (uCallbackMessage, set in the WM_NCLBUTTONUP handler below); lParam = mouse message
.if lParam==WM_RBUTTONUP
invoke GetCursorPos,addr Pt
invoke SetForegroundWindow,hWnd ; make the (hidden) owner foreground so the popup can be dismissed
invoke TrackPopupMenu,hTrayMenu,TPM_RIGHTALIGN,Pt.x,Pt.y,NULL,hWnd,NULL
invoke PostMessage,hWnd, WM_USER, 0, 0 ; presumably the usual no-op post after TrackPopupMenu that lets the menu close on click-away - confirm
.elseif lParam==WM_LBUTTONDOWN
invoke ShowWindow,hWnd,SW_RESTORE ; restore from tray: show, drop the icon, refocus, repaint the frame
invoke Shell_NotifyIcon,NIM_DELETE,addr note
invoke SetForegroundWindow,hWnd
invoke SendMessage,hWnd,WM_NCPAINT,0,0 ; NOTE(review): WM_NCPAINT's wParam is an update-region handle (1 = whole frame); 0 is passed here - confirm it repaints as intended
.endif
.elseif uMsg==WM_ACTIVATE
invoke SendMessage,hWnd,WM_NCPAINT,0,0 ; caption colours change on activation; redraw our button over them
.elseif uMsg==WM_NCPAINT
invoke DefWindowProc,hWnd,uMsg,wParam,lParam ; let the system draw the frame first, then overlay the button
invoke GetWindowDC,hWnd
mov esi,eax ; esi = window DC, released below
invoke GetWindowRect,hWnd,addr rc
mov edx,rc.left
mov edi,rc.right
sub edi,edx ; edi = window width
sub edi,90 ; button x = width - 90, hard-coded for the classic theme (earlier value: 72)
invoke ImageList_GetIcon,hImageListTitle,0,ILD_NORMAL ; frame 0 = idle button
invoke DrawIconEx,esi,edi,6,eax,16,14,NULL,NULL,DI_IMAGE ; draw the 16x14 button at (x, 6); NOTE(review): ImageList_GetIcon returns a new HICON the caller should DestroyIcon - never done in this fragment
invoke ReleaseDC,hWnd,esi
.elseif uMsg==WM_NCLBUTTONDOWN
invoke GetCursorPos,addr Pt
invoke GetWindowRect,hWnd,addr rc
mov edx,rc.left
mov edi,rc.top
mov eax,Pt.x
sub eax,edx ; eax = cursor x relative to the window's left edge
mov ecx,Pt.y
sub ecx,edi ; ecx = cursor y relative to the window's top edge
mov esi,rc.right
sub esi,edx
sub esi,90 ; esi = button's left x (same hard-coded 90 as WM_NCPAINT)
mov edi,esi
add edi,16 ; edi = button's right x
.if eax >= esi && ecx >= 6 && eax <= edi && ecx <= 20 ; hit test: inside the 16x14 button at (x, 6)
invoke GetWindowDC,hWnd
mov edi,eax
invoke ImageList_GetIcon,hImageListTitle,1,ILD_NORMAL ; frame 1 = pressed button
invoke DrawIconEx,edi,esi,6,eax,16,14,NULL,NULL,DI_IMAGE ; draw the pressed icon
invoke ReleaseDC,hWnd,edi
mov clickmytitle,1 ; remember the press; WM_NCLBUTTONUP only acts if this is still set
.else
mov clickmytitle,0
invoke DefWindowProc,hWnd,uMsg,wParam,lParam ; not our button: default caption behaviour (drag, system menu, ...)
.endif
invoke SendMessage,hToolTip,TTM_POP,0,0 ; hide the tooltip on any caption click
.elseif uMsg==WM_NCMOUSEMOVE
invoke GetCursorPos,addr Pt
invoke GetWindowRect,hWnd,addr rc
mov edx,rc.left
mov edi,rc.top
mov eax,Pt.x
sub eax,edx ; eax = cursor x relative to the window
mov ecx,Pt.y
sub ecx,edi ; ecx = cursor y relative to the window
mov esi,rc.right
sub esi,edx
sub esi,90 ; esi = button's left x (hard-coded 90 again)
mov edi,esi
add edi,16 ; edi = button's right x
.if eax >= esi && ecx >= 6 && eax <= edi && ecx <= 20 ; hovering over the button
.if clickmytitle == 1
invoke GetWindowDC,hWnd
mov edi,eax
invoke ImageList_GetIcon,hImageListTitle,1,ILD_NORMAL ; keep showing the pressed frame while the button is held
invoke DrawIconEx,edi,esi,6,eax,16,14,NULL,NULL,DI_IMAGE ; draw the pressed icon
invoke ReleaseDC,hWnd,edi
.endif
;;--------
; Relay the move to the tooltip so it can show/hide itself. Only hwnd and
; message are filled in; msg.wParam/lParam keep whatever they held (the
; commented-out lines below were an attempt to supply the cursor position).
push hWnd
pop msg.hwnd
mov msg.message,WM_MOUSEMOVE; synthesised client-area move for TTM_RELAYEVENT
;mov msg.lParam,MAKELONG(Pt.x, Pt.y);
;lea eax,msg.lParam
;assume eax:ptr POINT
;mov ecx,Pt.x
;mov [eax].x,ecx
;mov ecx,Pt.y
;mov [eax].y,ecx
;assume eax:nothing
invoke SendMessage,hToolTip,TTM_RELAYEVENT,0,addr msg
;;--------
.else
invoke GetWindowDC,hWnd
mov edi,eax
invoke ImageList_GetIcon,hImageListTitle,0,ILD_NORMAL ; left the button: back to the idle frame
invoke DrawIconEx,edi,esi,6,eax,16,14,NULL,NULL,DI_IMAGE ; draw the idle icon
invoke ReleaseDC,hWnd,edi
invoke SendMessage,hToolTip,TTM_POP,0,0
invoke DefWindowProc,hWnd,uMsg,wParam,lParam
;mov clickmytitle,0
.endif
.elseif uMsg==WM_NCLBUTTONUP
invoke GetCursorPos,addr Pt
invoke GetWindowRect,hWnd,addr rc
mov edx,rc.left
mov edi,rc.top
mov eax,Pt.x
sub eax,edx ; eax = cursor x relative to the window
mov ecx,Pt.y
sub ecx,edi ; ecx = cursor y relative to the window
mov esi,rc.right
sub esi,edx
sub esi,90 ; esi = button's left x (hard-coded 90 again)
mov edi,esi
add edi,16 ; edi = button's right x
.if eax >= esi && ecx >= 6 && eax <= edi && ecx <= 20 ; released over the button
.if clickmytitle ==1 ; ... and the press started on it: minimise to the tray
;;--------
mov note.cbSize,sizeof NOTIFYICONDATA
push hWnd
pop note.hwnd
mov note.uID,0
mov note.uFlags,NIF_ICON+NIF_MESSAGE+NIF_TIP
mov note.uCallbackMessage,WM_SHELLNOTIFY ; tray mouse events arrive as WM_SHELLNOTIFY (handled above)
invoke LoadIcon,hInstance,IDI_LINKSERVER; tray icon resource (alternative was IDI_WINLOGO)
mov note.hIcon,eax
invoke lstrcpy,addr note.szTip,addr AppName ; NOTE(review): szTip is a fixed-size array (64 TCHARs in the classic struct) and lstrcpy does not bound the copy; if AppName can ever be that long this overflows note - prefer lstrcpyn with sizeof note.szTip
invoke Shell_NotifyIcon,NIM_ADD,addr note
invoke ShowWindow,hWnd,SW_HIDE
;;--------
mov clickmytitle,0
.endif
.else
invoke GetWindowDC,hWnd
mov edi,eax
invoke ImageList_GetIcon,hImageListTitle,0,ILD_NORMAL ; released elsewhere: restore the idle frame
invoke DrawIconEx,edi,esi,6,eax,16,14,NULL,NULL,DI_IMAGE ; draw the idle icon
invoke ReleaseDC,hWnd,edi
mov clickmytitle,0
invoke DefWindowProc,hWnd,uMsg,wParam,lParam
.endif
随WINZIP10安装的那个WZFILEVIEW.FileViewCtrl.61控件的漏洞其实非常简单
覆盖SEH链中的第二个就可以了.不过实际利用中遇到几个怪问题:
1. 一般的 EB 06 90 90 得改成 EB 0B. 原因是短跳转后面不知道从哪儿多出了四个 FF, 位移本应是 06+04=0A, 但 0A 是换行符(LF, 并不是回车), 放在网页代码里会被当成行尾截断或改写, 属于典型的坏字符, 所以只能写成 0B(或者改成 90 90 EB 08 :). 那四个 FF 的来源仍然没弄清楚.
2. 在简体中文系统下测试时, 我发现超长串会先经过 WideCharToMultiByte(Unicode 到 ANSI 代码页 936 的转换)再到达溢出点, 于是 EB 0B 90 90 和 7F FA 15 71 这些字节只要凑不成代码页里合法的字符就会被改写, 跳转和 SEH 地址就都变了.
想了半天也没想出绕过这次转换的办法. 不过在英文版 Windows 2000 SP4 下测试, 成功率倒还可以——大概是因为英文系统用的是单字节代码页, 这些字节大多能原样通过转换.