
appeler une api sur un autre processus avec multi parameters

Publié : dim. 18/juin/2017 17:35
par celtic88
Salut les pures ;)

Le code utilise l'API "CreateRemoteThread" de Microsoft. Avec mon code, vous avez la possibilité d'appeler une "api" avec plusieurs paramètres, contrairement à "CreateRemoteThread", qui ne supporte qu'un seul paramètre :D .

C’est moi l'auteur du "shellcode" 8) , et il ne contient que des instructions :twisted:


;By Celtic88 @ 
;Seulement à des fins éducatives
;Original https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437(v=vs.85).aspx
;À propos : Créer un thread distant Avec plusieurs paramètres
;seulement 32bit

; Parameter block that the example copies into the target process and whose
; remote address is handed to the stub as the thread argument.
; The stub's disassembly reads the fields at fixed byte offsets (+0x0, +0x4,
; +0x5, +0x9, ...), i.e. a packed layout with 4-byte .i fields; this matches
; the author's "32-bit only" remark, since .i is pointer-sized.
Structure RemoteCallFunction
  FunctionAddress.i; address of the function to call (the stub reads it at offset 0x0)
  NumberPar.b; number of arguments to pass (the stub reads it as a signed byte at offset 0x4)
  ArrayPar.i[9]; argument values or pointers, first entry at offset 0x5; the array has room for 9 entries
  ; NOTE(review): the stub as listed compares NumberPar against 8 twice (at 0x206 and 0x26a)
  ; and never against 9, so a count of 9 falls through to the "return 0" path without calling anything.
EndStructure

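Procedure RemoteCallFuncWriteData(hProcess,*Data, DataSize); copy a local buffer into the target process
  ; Allocates DataSize bytes in the process behind hProcess, copies *Data into
  ; them and returns the remote address. Returns 0 when the arguments are
  ; unusable, the allocation fails or the copy fails.
  ;
  ; Every buffer (the stub, but also plain strings and the parameter block) is
  ; mapped PAGE_EXECUTE_READWRITE because they all go through this one helper.
  ; A cross-process RWX allocation followed by WriteProcessMemory is a sequence
  ; that endpoint monitoring commonly alerts on.
  Protected lpShellBuffer

  If hProcess = 0 Or *Data = 0 Or DataSize <= 0
    ProcedureReturn 0
  EndIf

  lpShellBuffer = VirtualAllocEx_(hProcess, 0, DataSize, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE)
  If lpShellBuffer = 0
    ProcedureReturn 0
  EndIf

  ; The original ignored the result of the copy and returned the address of a
  ; buffer that might never have been filled; release it and report failure instead.
  If WriteProcessMemory_(hProcess, lpShellBuffer, *Data, DataSize, 0) = 0
    VirtualFreeEx_(hProcess, lpShellBuffer, 0, #MEM_RELEASE)
    ProcedureReturn 0
  EndIf

  ProcedureReturn lpShellBuffer
EndProcedure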

Procedure RemoteCallFuncFreeData(hProcess,lpBuffer); release a buffer allocated in the target process
  ; Frees the whole remote region starting at lpBuffer (size 0 with
  ; #MEM_RELEASE) and passes the result of VirtualFreeEx back to the caller.
  Protected released = VirtualFreeEx_(hProcess, lpBuffer, 0, #MEM_RELEASE)
  ProcedureReturn released
EndProcedure

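Procedure RemoteCallFuncCall(hProcess,pCall,pCallpar,WAITReturn=1); start a thread in the target at pCall with pCallpar as its argument
  ; hProcess   : handle of the target process
  ; pCall      : remote address of the code the new thread starts at
  ; pCallpar   : single pointer-sized argument given to that thread
  ; WAITReturn : non-zero to block until the thread ends and return its exit code
  ;
  ; Returns the thread's exit code when WAITReturn is set and the code could be
  ; read; returns 0 otherwise (no wait requested, thread not created, or the
  ; exit code could not be obtained).
  Protected hRemoteThread
  Protected lpDWORD.l

  ; A null start address would only fault the new thread inside the target.
  If pCall = 0
    ProcedureReturn 0
  EndIf

  hRemoteThread = CreateRemoteThread_(hProcess, 0, 0, pCall, pCallpar, 0, 0)
  If hRemoteThread
    If WAITReturn
      WaitForSingleObject_(hRemoteThread, #INFINITE); block until the remote call has finished
      If GetExitCodeThread_(hRemoteThread, @lpDWORD) = 0
        lpDWORD = 0; exit code unavailable: report 0 rather than an undefined value
      EndIf
    EndIf
    ; The original never closed the thread handle, leaking one handle per call.
    ; Closing it does not stop the thread when WAITReturn is 0.
    CloseHandle_(hRemoteThread)
  EndIf

  ProcedureReturn lpDWORD
EndProcedure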

; Expands to a RemoteCallFuncWriteData call that copies the byte range between
; the labels ShellCodeRemoteCallFunc_BIN and EndShellCodeRemoteCallFunc_BIN
; into the target process; the expression evaluates to the remote address of
; that copy, or 0 if the allocation failed.
Macro RemoteCallFuncIni(hProcess); copy the machine-code stub into the target
  RemoteCallFuncWriteData(hProcess,?ShellCodeRemoteCallFunc_BIN, ?EndShellCodeRemoteCallFunc_BIN-?ShellCodeRemoteCallFunc_BIN)
EndMacro

; Expands to a RemoteCallFuncWriteData call that copies the string STR into the
; target process; the expression evaluates to the remote address of the copy.
; The "+2" adds two bytes after the string data, presumably the terminating
; null of a 2-byte-per-character string (the example passes the result to
; MessageBoxW) - assumes a Unicode build, TODO confirm.
Macro RemoteCallFuncWriteString(hProcess,STR); copy a text string into the target
  RemoteCallFuncWriteData(hProcess,@Str, StringByteLength(STR)+2)
EndMacro


;Exemple:

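; Demo: start notepad.exe, make it display a message box through the stub,
; then make it call ExitProcess. Each step runs only if the previous one
; succeeded, and the handles returned by CreateProcess are closed at the end.
Define sinfo.STARTUPINFO,pinfo.PROCESS_INFORMATION,hProcess
Define RemoteCallFunction.RemoteCallFunction
sinfo\cb=SizeOf(STARTUPINFO); CreateProcess expects cb to hold the size of the structure
cmd$="notepad.exe"; held in a variable because CreateProcessW may modify the command-line buffer

If CreateProcess_(0,cmd$,0,0,0,0,0,0,@sinfo,@pinfo); start a new process (the author notes that OpenProcess can be used instead for a program that is already running)
  hProcess=pinfo\hProcess

  pCall=RemoteCallFuncIni(hProcess); remote address of the stub
  If pCall

    If OpenLibrary(0,"user32.dll")
      ; The address is resolved in THIS process and used unchanged in the target:
      ; the author relies on user32.dll being mapped at the same address in both.
      RemoteCallFunction\FunctionAddress=GetFunction(0,"MessageBoxW")
      ;https://msdn.microsoft.com/en-us/library/windows/desktop/ms645505(v=vs.85).aspx
      If RemoteCallFunction\FunctionAddress
        RemoteCallFunction\NumberPar=4; this function takes 4 parameters
        ; INT WINAPI MessageBox(
        ;   _In_opt_ HWND    hWnd,      ======> 0 (integer)
        ;   _In_opt_ LPCTSTR lpText,    ======> pointer to the text
        ;   _In_opt_ LPCTSTR lpCaption, ======> "Demo"
        ;   _In_     UINT    uType      ======> 0 (integer)
        ; );
        RemoteCallFunction\ArrayPar[0]=0;_In_opt_ HWND    hWnd
        mrsg$="By Celtic88"+#CRLF$ +"MessageBox injected succefully ."+#CRLF$ +"Click ok to close 'notepad'"
        RemoteCallFunction\ArrayPar[1]=RemoteCallFuncWriteString(hProcess,mrsg$);_In_opt_ LPCTSTR lpText
        RemoteCallFunction\ArrayPar[2]=RemoteCallFuncWriteString(hProcess,"Demo");_In_opt_ LPCTSTR lpCaption
        RemoteCallFunction\ArrayPar[3]=0;_In_     UINT    uType

        pCallpar=RemoteCallFuncWriteData(hProcess,@RemoteCallFunction, SizeOf(RemoteCallFunction)); copy the parameter block into the target
        If pCallpar
          RemoteCallFuncCall(hProcess,pCall,pCallpar,1); run the call inside the target and wait for it
        EndIf

        RemoteCallFuncFreeData(hProcess,RemoteCallFunction\ArrayPar[1]); release the remote text
        RemoteCallFuncFreeData(hProcess,RemoteCallFunction\ArrayPar[2]); release the remote caption
        RemoteCallFuncFreeData(hProcess,pCallpar); release the remote parameter block
      EndIf
    EndIf

    If OpenLibrary(0,"kernel32.dll")
      RemoteCallFunction\FunctionAddress=GetFunction(0,"ExitProcess")
      ; VOID WINAPI ExitProcess(
      ;   _In_ UINT uExitCode
      ; );
      If RemoteCallFunction\FunctionAddress
        RemoteCallFunction\NumberPar=1
        RemoteCallFunction\ArrayPar[0]=1;_In_ UINT uExitCode

        pCallpar=RemoteCallFuncWriteData(hProcess,@RemoteCallFunction, SizeOf(RemoteCallFunction))
        If pCallpar
          ; The target ends here, so the stub and this parameter block are not freed explicitly.
          RemoteCallFuncCall(hProcess,pCall,pCallpar,1)
        EndIf
      EndIf
    EndIf

  EndIf

  ; The original left both handles returned by CreateProcess open.
  CloseHandle_(pinfo\hThread)
  CloseHandle_(pinfo\hProcess)
EndIf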


; Raw machine code of the stub, stored as 64-bit quads between the two labels
; that RemoteCallFuncIni uses to compute its address and length. The author's
; disassembly of these bytes is given in the comment block after this section.
; NOTE(review): an opaque byte blob cannot be audited by reading it; disassemble
; the bytes and compare them with the listing before running this code.
DataSection
  ShellCodeRemoteCallFunc_BIN:
  Data.q $86D8B5355E58955 ,$BE0F242C8B242C89 ,$2C8B1475DB21045D ,$244489580075FF24 ,$2A8E9042454FF04 ,$5DBE0F242C8B0000 ,$2C8B1C7501FB8304 ,$244489580075FF24 ,$75FF5D55242C8B08 ,$280E90C2454FF05 ,$5DBE0F242C8B0000 ,$2C8B257502FB8304 ,$244489580075FF24 ,$75FF5D55242C8B0C ,$FF5D5504246C8B09 ,$4FE9142454FF0575 ,$BE0F242C8B000002 ,$8B2E7503FB83045D ,$4489580075FF242C ,$FF5D55242C8B1024 ,$5D5504246C8B0D75 ,$5508246C8B0975FF ,$1C2454FF0575FF5D ,$242C8B00000215E9 ,$7504FB83045DBE0F ,$580075FF242C8B37 ,$55242C8B14244489 ,$4246C8B1175FF5D ,$246C8B0D75FF5D55 ,$6C8B0975FF5D5508 ,$FF0575FF5D550C24 ,$1D2E9242454 ,$83045DBE0F242C8B ,$FF242C8B407505FB ,$8B18244489580075 ,$8B1575FF5D55242C ,$1175FF5D5504246C ,$75FF5D5508246C8B ,$FF5D550C246C8B0D ,$5D5510246C8B0975 ,$E92C2454FF0575FF ,$F242C8B00000186 ,$497506FB83045DBE ,$89580075FF242C8B ,$5D55242C8B1C2444 ,$5504246C8B1975FF ,$8246C8B1575FF5D ,$246C8B1175FF5D55 ,$6C8B0D75FF5D550C ,$8B0975FF5D551024 ,$575FF5D5514246C ,$131E9342454FF ,$45DBE0F242C8B00 ,$242C8B527507FB83 ,$20244489580075FF ,$1D75FF5D55242C8B ,$75FF5D5504246C8B ,$FF5D5508246C8B19 ,$5D550C246C8B1575 ,$5510246C8B1175FF ,$14246C8B0D75FF5D ,$246C8B0975FF5D55 ,$54FF0575FF5D5518 ,$8B000000D3E93C24 ,$FB83045DBE0F242C ,$75FF242C8B587508 ,$2C8B242444895800 ,$6C8B2175FF5D5524 ,$8B1D75FF5D550424 ,$1975FF5D5508246C ,$75FF5D550C246C8B ,$FF5D5510246C8B15 ,$5D5514246C8B1175 ,$5518246C8B0D75FF ,$1C246C8B0975FF5D ,$2454FF0575FF5D55 ,$BE0F242C8B6FEB44 ,$8B617508FB83045D ,$4489580075FF242C ,$FF5D55242C8B2824 ,$5D5504246C8B2575 ,$5508246C8B2175FF ,$C246C8B1D75FF5D ,$246C8B1975FF5D55 ,$6C8B1575FF5D5510 ,$8B1175FF5D551424 ,$D75FF5D5518246C ,$75FF5D551C246C8B ,$FF5D5520246C8B09 ,$2EB4C2454FF0575 ,$C35D5B04C483C031 ,$0
  EndShellCodeRemoteCallFunc_BIN:
EndDataSection

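;Author's disassembly of the stub bytes in the DataSection above (32-bit x86).
;The stub takes the pointer to a RemoteCallFunction block as its single argument,
;reads NumberPar at [ebp+0x4], pushes that many ArrayPar entries last-to-first
;(offsets 0x5, 0x9, 0xd, ...) and calls the pointer stored at [ebp+0x0].
;NOTE(review): the test at 0x26a compares against 0x8 again, like the one at 0x206,
;so the nine-argument path at 0x26f is unreachable as listed and NumberPar=9
;ends at "XOR eax,eax" (0x2d0) without a call.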
; 0:  55                      PUSH   ebp
; 1:  89 e5                   MOV    ebp,esp
; 3:  55                      PUSH   ebp
; 4:  53                      PUSH   ebx
; 5:  8b 6d 08                MOV    ebp,DWORD PTR [ebp+0x8]
; 8:  89 2c 24                MOV    DWORD PTR [esp],ebp
; b:  8b 2c 24                MOV    ebp,DWORD PTR [esp]
; e:  0f be 5d 04             MOVSX  ebx,BYTE PTR [ebp+0x4]
; 12: 21 DB                   And    ebx,ebx
; 14: 75 14                   JNE    0x2a
; 16: 8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 19: ff 75 00                PUSH   DWORD PTR [ebp+0x0]
; 1c: 58                      POP    eax
; 1d: 89 44 24 04             MOV    DWORD PTR [esp+0x4],eax
; 21: ff 54 24 04             CALL   DWORD PTR [esp+0x4]
; 25: e9 a8 02 00 00          JMP    0x2d2
; 2a: 8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 2d: 0f be 5d 04             MOVSX  ebx,BYTE PTR [ebp+0x4]
; 31: 83 fb 01                CMP    ebx,0x1
; 34: 75 1c                   JNE    0x52
; 36: 8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 39: ff 75 00                PUSH   DWORD PTR [ebp+0x0]
; 3c: 58                      POP    eax
; 3d: 89 44 24 08             MOV    DWORD PTR [esp+0x8],eax
; 41: 8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 44: 55                      PUSH   ebp
; 45: 5d                      POP    ebp
; 46: ff 75 05                PUSH   DWORD PTR [ebp+0x5]
; 49: ff 54 24 0c             CALL   DWORD PTR [esp+0xc]
; 4d: e9 80 02 00 00          JMP    0x2d2
; 52: 8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 55: 0f be 5d 04             MOVSX  ebx,BYTE PTR [ebp+0x4]
; 59: 83 fb 02                CMP    ebx,0x2
; 5c: 75 25                   JNE    0x83
; 5e: 8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 61: ff 75 00                PUSH   DWORD PTR [ebp+0x0]
; 64: 58                      POP    eax
; 65: 89 44 24 0c             MOV    DWORD PTR [esp+0xc],eax
; 69: 8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 6c: 55                      PUSH   ebp
; 6d: 5d                      POP    ebp
; 6e: ff 75 09                PUSH   DWORD PTR [ebp+0x9]
; 71: 8b 6c 24 04             MOV    ebp,DWORD PTR [esp+0x4]
; 75: 55                      PUSH   ebp
; 76: 5d                      POP    ebp
; 77: ff 75 05                PUSH   DWORD PTR [ebp+0x5]
; 7a: ff 54 24 14             CALL   DWORD PTR [esp+0x14]
; 7e: e9 4f 02 00 00          JMP    0x2d2
; 83: 8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 86: 0f be 5d 04             MOVSX  ebx,BYTE PTR [ebp+0x4]
; 8a: 83 fb 03                CMP    ebx,0x3
; 8d: 75 2e                   JNE    0xbd
; 8f: 8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 92: ff 75 00                PUSH   DWORD PTR [ebp+0x0]
; 95: 58                      POP    eax
; 96: 89 44 24 10             MOV    DWORD PTR [esp+0x10],eax
; 9a: 8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 9d: 55                      PUSH   ebp
; 9e: 5d                      POP    ebp
; 9f: ff 75 0d                PUSH   DWORD PTR [ebp+0xd]
; a2: 8b 6c 24 04             MOV    ebp,DWORD PTR [esp+0x4]
; a6: 55                      PUSH   ebp
; a7: 5d                      POP    ebp
; a8: ff 75 09                PUSH   DWORD PTR [ebp+0x9]
; ab: 8b 6c 24 08             MOV    ebp,DWORD PTR [esp+0x8]
; af: 55                      PUSH   ebp
; b0: 5d                      POP    ebp
; b1: ff 75 05                PUSH   DWORD PTR [ebp+0x5]
; b4: ff 54 24 1c             CALL   DWORD PTR [esp+0x1c]
; b8: e9 15 02 00 00          JMP    0x2d2
; bd: 8b 2c 24                MOV    ebp,DWORD PTR [esp]
; c0: 0f be 5d 04             MOVSX  ebx,BYTE PTR [ebp+0x4]
; c4: 83 fb 04                CMP    ebx,0x4
; c7: 75 37                   JNE    0x100
; c9: 8b 2c 24                MOV    ebp,DWORD PTR [esp]
; cc: ff 75 00                PUSH   DWORD PTR [ebp+0x0]
; cf: 58                      POP    eax
; d0: 89 44 24 14             MOV    DWORD PTR [esp+0x14],eax
; d4: 8b 2c 24                MOV    ebp,DWORD PTR [esp]
; d7: 55                      PUSH   ebp
; d8: 5d                      POP    ebp
; d9: ff 75 11                PUSH   DWORD PTR [ebp+0x11]
; dc: 8b 6c 24 04             MOV    ebp,DWORD PTR [esp+0x4]
; e0: 55                      PUSH   ebp
; e1: 5d                      POP    ebp
; e2: ff 75 0d                PUSH   DWORD PTR [ebp+0xd]
; e5: 8b 6c 24 08             MOV    ebp,DWORD PTR [esp+0x8]
; e9: 55                      PUSH   ebp
; ea: 5d                      POP    ebp
; eb: ff 75 09                PUSH   DWORD PTR [ebp+0x9]
; ee: 8b 6c 24 0c             MOV    ebp,DWORD PTR [esp+0xc]
; f2: 55                      PUSH   ebp
; f3: 5d                      POP    ebp
; f4: ff 75 05                PUSH   DWORD PTR [ebp+0x5]
; f7: ff 54 24 24             CALL   DWORD PTR [esp+0x24]
; fb: e9 d2 01 00 00          JMP    0x2d2
; 100:    8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 103:    0f be 5d 04             MOVSX  ebx,BYTE PTR [ebp+0x4]
; 107:    83 fb 05                CMP    ebx,0x5
; 10a:    75 40                   JNE    0x14c
; 10c:    8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 10f:    ff 75 00                PUSH   DWORD PTR [ebp+0x0]
; 112:    58                      POP    eax
; 113:    89 44 24 18             MOV    DWORD PTR [esp+0x18],eax
; 117:    8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 11a:    55                      PUSH   ebp
; 11b:    5d                      POP    ebp
; 11c:    ff 75 15                PUSH   DWORD PTR [ebp+0x15]
; 11f:    8b 6c 24 04             MOV    ebp,DWORD PTR [esp+0x4]
; 123:    55                      PUSH   ebp
; 124:    5d                      POP    ebp
; 125:    ff 75 11                PUSH   DWORD PTR [ebp+0x11]
; 128:    8b 6c 24 08             MOV    ebp,DWORD PTR [esp+0x8]
; 12c:    55                      PUSH   ebp
; 12d:    5d                      POP    ebp
; 12e:    ff 75 0d                PUSH   DWORD PTR [ebp+0xd]
; 131:    8b 6c 24 0c             MOV    ebp,DWORD PTR [esp+0xc]
; 135:    55                      PUSH   ebp
; 136:    5d                      POP    ebp
; 137:    ff 75 09                PUSH   DWORD PTR [ebp+0x9]
; 13a:    8b 6c 24 10             MOV    ebp,DWORD PTR [esp+0x10]
; 13e:    55                      PUSH   ebp
; 13f:    5d                      POP    ebp
; 140:    ff 75 05                PUSH   DWORD PTR [ebp+0x5]
; 143:    ff 54 24 2c             CALL   DWORD PTR [esp+0x2c]
; 147:    e9 86 01 00 00          JMP    0x2d2
; 14c:    8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 14f:    0f be 5d 04             MOVSX  ebx,BYTE PTR [ebp+0x4]
; 153:    83 fb 06                CMP    ebx,0x6
; 156:    75 49                   JNE    0x1a1
; 158:    8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 15b:    ff 75 00                PUSH   DWORD PTR [ebp+0x0]
; 15e:    58                      POP    eax
; 15f:    89 44 24 1c             MOV    DWORD PTR [esp+0x1c],eax
; 163:    8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 166:    55                      PUSH   ebp
; 167:    5d                      POP    ebp
; 168:    ff 75 19                PUSH   DWORD PTR [ebp+0x19]
; 16b:    8b 6c 24 04             MOV    ebp,DWORD PTR [esp+0x4]
; 16f:    55                      PUSH   ebp
; 170:    5d                      POP    ebp
; 171:    ff 75 15                PUSH   DWORD PTR [ebp+0x15]
; 174:    8b 6c 24 08             MOV    ebp,DWORD PTR [esp+0x8]
; 178:    55                      PUSH   ebp
; 179:    5d                      POP    ebp
; 17a:    ff 75 11                PUSH   DWORD PTR [ebp+0x11]
; 17d:    8b 6c 24 0c             MOV    ebp,DWORD PTR [esp+0xc]
; 181:    55                      PUSH   ebp
; 182:    5d                      POP    ebp
; 183:    ff 75 0d                PUSH   DWORD PTR [ebp+0xd]
; 186:    8b 6c 24 10             MOV    ebp,DWORD PTR [esp+0x10]
; 18a:    55                      PUSH   ebp
; 18b:    5d                      POP    ebp
; 18c:    ff 75 09                PUSH   DWORD PTR [ebp+0x9]
; 18f:    8b 6c 24 14             MOV    ebp,DWORD PTR [esp+0x14]
; 193:    55                      PUSH   ebp
; 194:    5d                      POP    ebp
; 195:    ff 75 05                PUSH   DWORD PTR [ebp+0x5]
; 198:    ff 54 24 34             CALL   DWORD PTR [esp+0x34]
; 19c:    e9 31 01 00 00          JMP    0x2d2
; 1a1:    8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 1a4:    0f be 5d 04             MOVSX  ebx,BYTE PTR [ebp+0x4]
; 1a8:    83 fb 07                CMP    ebx,0x7
; 1ab:    75 52                   JNE    0x1ff
; 1ad:    8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 1b0:    ff 75 00                PUSH   DWORD PTR [ebp+0x0]
; 1b3:    58                      POP    eax
; 1b4:    89 44 24 20             MOV    DWORD PTR [esp+0x20],eax
; 1b8:    8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 1bb:    55                      PUSH   ebp
; 1bc:    5d                      POP    ebp
; 1bd:    ff 75 1d                PUSH   DWORD PTR [ebp+0x1d]
; 1c0:    8b 6c 24 04             MOV    ebp,DWORD PTR [esp+0x4]
; 1c4:    55                      PUSH   ebp
; 1c5:    5d                      POP    ebp
; 1c6:    ff 75 19                PUSH   DWORD PTR [ebp+0x19]
; 1c9:    8b 6c 24 08             MOV    ebp,DWORD PTR [esp+0x8]
; 1cd:    55                      PUSH   ebp
; 1ce:    5d                      POP    ebp
; 1cf:    ff 75 15                PUSH   DWORD PTR [ebp+0x15]
; 1d2:    8b 6c 24 0c             MOV    ebp,DWORD PTR [esp+0xc]
; 1d6:    55                      PUSH   ebp
; 1d7:    5d                      POP    ebp
; 1d8:    ff 75 11                PUSH   DWORD PTR [ebp+0x11]
; 1db:    8b 6c 24 10             MOV    ebp,DWORD PTR [esp+0x10]
; 1df:    55                      PUSH   ebp
; 1e0:    5d                      POP    ebp
; 1e1:    ff 75 0d                PUSH   DWORD PTR [ebp+0xd]
; 1e4:    8b 6c 24 14             MOV    ebp,DWORD PTR [esp+0x14]
; 1e8:    55                      PUSH   ebp
; 1e9:    5d                      POP    ebp
; 1ea:    ff 75 09                PUSH   DWORD PTR [ebp+0x9]
; 1ed:    8b 6c 24 18             MOV    ebp,DWORD PTR [esp+0x18]
; 1f1:    55                      PUSH   ebp
; 1f2:    5d                      POP    ebp
; 1f3:    ff 75 05                PUSH   DWORD PTR [ebp+0x5]
; 1f6:    ff 54 24 3c             CALL   DWORD PTR [esp+0x3c]
; 1fa:    e9 d3 00 00 00          JMP    0x2d2
; 1ff:    8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 202:    0f be 5d 04             MOVSX  ebx,BYTE PTR [ebp+0x4]
; 206:    83 fb 08                CMP    ebx,0x8
; 209:    75 58                   JNE    0x263
; 20b:    8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 20e:    ff 75 00                PUSH   DWORD PTR [ebp+0x0]
; 211:    58                      POP    eax
; 212:    89 44 24 24             MOV    DWORD PTR [esp+0x24],eax
; 216:    8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 219:    55                      PUSH   ebp
; 21a:    5d                      POP    ebp
; 21b:    ff 75 21                PUSH   DWORD PTR [ebp+0x21]
; 21e:    8b 6c 24 04             MOV    ebp,DWORD PTR [esp+0x4]
; 222:    55                      PUSH   ebp
; 223:    5d                      POP    ebp
; 224:    ff 75 1d                PUSH   DWORD PTR [ebp+0x1d]
; 227:    8b 6c 24 08             MOV    ebp,DWORD PTR [esp+0x8]
; 22b:    55                      PUSH   ebp
; 22c:    5d                      POP    ebp
; 22d:    ff 75 19                PUSH   DWORD PTR [ebp+0x19]
; 230:    8b 6c 24 0c             MOV    ebp,DWORD PTR [esp+0xc]
; 234:    55                      PUSH   ebp
; 235:    5d                      POP    ebp
; 236:    ff 75 15                PUSH   DWORD PTR [ebp+0x15]
; 239:    8b 6c 24 10             MOV    ebp,DWORD PTR [esp+0x10]
; 23d:    55                      PUSH   ebp
; 23e:    5d                      POP    ebp
; 23f:    ff 75 11                PUSH   DWORD PTR [ebp+0x11]
; 242:    8b 6c 24 14             MOV    ebp,DWORD PTR [esp+0x14]
; 246:    55                      PUSH   ebp
; 247:    5d                      POP    ebp
; 248:    ff 75 0d                PUSH   DWORD PTR [ebp+0xd]
; 24b:    8b 6c 24 18             MOV    ebp,DWORD PTR [esp+0x18]
; 24f:    55                      PUSH   ebp
; 250:    5d                      POP    ebp
; 251:    ff 75 09                PUSH   DWORD PTR [ebp+0x9]
; 254:    8b 6c 24 1c             MOV    ebp,DWORD PTR [esp+0x1c]
; 258:    55                      PUSH   ebp
; 259:    5d                      POP    ebp
; 25a:    ff 75 05                PUSH   DWORD PTR [ebp+0x5]
; 25d:    ff 54 24 44             CALL   DWORD PTR [esp+0x44]
; 261:    eb 6f                   JMP    0x2d2
; 263:    8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 266:    0f be 5d 04             MOVSX  ebx,BYTE PTR [ebp+0x4]
; 26a:    83 fb 08                CMP    ebx,0x8
; 26d:    75 61                   JNE    0x2d0
; 26f:    8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 272:    ff 75 00                PUSH   DWORD PTR [ebp+0x0]
; 275:    58                      POP    eax
; 276:    89 44 24 28             MOV    DWORD PTR [esp+0x28],eax
; 27a:    8b 2c 24                MOV    ebp,DWORD PTR [esp]
; 27d:    55                      PUSH   ebp
; 27e:    5d                      POP    ebp
; 27f:    ff 75 25                PUSH   DWORD PTR [ebp+0x25]
; 282:    8b 6c 24 04             MOV    ebp,DWORD PTR [esp+0x4]
; 286:    55                      PUSH   ebp
; 287:    5d                      POP    ebp
; 288:    ff 75 21                PUSH   DWORD PTR [ebp+0x21]
; 28b:    8b 6c 24 08             MOV    ebp,DWORD PTR [esp+0x8]
; 28f:    55                      PUSH   ebp
; 290:    5d                      POP    ebp
; 291:    ff 75 1d                PUSH   DWORD PTR [ebp+0x1d]
; 294:    8b 6c 24 0c             MOV    ebp,DWORD PTR [esp+0xc]
; 298:    55                      PUSH   ebp
; 299:    5d                      POP    ebp
; 29a:    ff 75 19                PUSH   DWORD PTR [ebp+0x19]
; 29d:    8b 6c 24 10             MOV    ebp,DWORD PTR [esp+0x10]
; 2a1:    55                      PUSH   ebp
; 2a2:    5d                      POP    ebp
; 2a3:    ff 75 15                PUSH   DWORD PTR [ebp+0x15]
; 2a6:    8b 6c 24 14             MOV    ebp,DWORD PTR [esp+0x14]
; 2aa:    55                      PUSH   ebp
; 2ab:    5d                      POP    ebp
; 2ac:    ff 75 11                PUSH   DWORD PTR [ebp+0x11]
; 2af:    8b 6c 24 18             MOV    ebp,DWORD PTR [esp+0x18]
; 2b3:    55                      PUSH   ebp
; 2b4:    5d                      POP    ebp
; 2b5:    ff 75 0d                PUSH   DWORD PTR [ebp+0xd]
; 2b8:    8b 6c 24 1c             MOV    ebp,DWORD PTR [esp+0x1c]
; 2bc:    55                      PUSH   ebp
; 2bd:    5d                      POP    ebp
; 2be:    ff 75 09                PUSH   DWORD PTR [ebp+0x9]
; 2c1:    8b 6c 24 20             MOV    ebp,DWORD PTR [esp+0x20]
; 2c5:    55                      PUSH   ebp
; 2c6:    5d                      POP    ebp
; 2c7:    ff 75 05                PUSH   DWORD PTR [ebp+0x5]
; 2ca:    ff 54 24 4c             CALL   DWORD PTR [esp+0x4c]
; 2ce:    eb 02                   JMP    0x2d2
; 2d0:    31 c0                   XOr    eax,eax
; 2d2:    83 c4 04                ADD    esp,0x4
; 2d5:    5b                      POP    ebx
; 2d6:    5d                      POP    ebp
; 2d7:    c3                      RET
; 2d8:    00 00                   ADD    BYTE PTR [eax],al




Re: appeler une api sur un autre processus avec multi parame

Publié : lun. 19/juin/2017 13:40
par Kwai chang caine
Sacré CELTIC, chacun de tes codes est un véritable feu d'artifice 8O
On se demande où tu vas chercher toutes ces merveilles.....tu sais où est la clef du coffre MICROSOFT :mrgreen:

Tes codes sont tellement puissants qu'évidemment je ne les comprends pas ; bien souvent, je comprends à peine à quoi ça sert :oops: :lol: :lol:

En tout cas encore merci du partage de cette merveille et de tes immenses connaissances des API
J'ai un beau message box avec notepad qui marche 8)