you have assembly: sub_13144FF6 proc near NumberOfBytesWritten= dword ptr -4 push ebp mov ebp, esp push ecx pu
Posted: Fri Jun 10, 2022 11:55 am
You are given the following assembly:
; ---------------------------------------------------------------------------
; sub_13144FF6 -- writes a buffer to "<Windows directory>\pwsbandook2.exe".
; 32-bit x86, IDA listing (Intel operand order). Takes no stack arguments and
; always returns 0 in eax.
;
; Call sequence visible in this listing:
;   1. memset(byte_1314CA1C, 0, 100h)
;   2. GetWindowsDirectoryA(Data, 100h)         ; Data = Windows directory
;   3. sprintf(byte_1314CA1C, aS_1, aPwsbandook2_ex)
;   4. strcat(Data, byte_1314CA1C)              ; Data = full path, returned in eax
;   5. CreateFileA(eax, 40000000h, 0, 0, 2, 80h, 0) -> dword_1314E32C
;   6. WriteFile(dword_1314E32C, lpBuffer, GetFileSize(hFile, 0),
;                &NumberOfBytesWritten, 0)
;   7. CloseHandle(dword_1314E32C)
;
; The path argument (lpFileName) of CreateFileA is the LAST value pushed before
; the call: the pointer strcat returns in eax, i.e. the Data buffer after the
; file name has been appended to the Windows directory.
;
; NOTE(review): hFile and lpBuffer are globals assigned outside this listing;
; presumably a source file handle and its contents -- confirm at their writers.
; NOTE(review): no API return value is checked here; CreateFileA's result is
; used by WriteFile and CloseHandle without an INVALID_HANDLE_VALUE test.
; Host indicator on this page: a file named pwsbandook2.exe created directly
; in the Windows directory.
; ---------------------------------------------------------------------------
sub_13144FF6    proc near

NumberOfBytesWritten= dword ptr -4              ; local at [ebp-4], receives WriteFile's byte count

                push    ebp
                mov     ebp, esp
                push    ecx                     ; makes room for the 4-byte local at [ebp-4]; the value pushed is not used

                ; --- clear the 100h-byte scratch buffer ---
                push    100h                    ; size_t: 256 bytes
                push    0                       ; int: fill value
                push    offset byte_1314CA1C    ; void *: scratch buffer for the file-name part
                call    memset
                add     esp, 0Ch                ; caller removes memset's 3 arguments

                ; --- Data = Windows directory ---
                push    100h                    ; uSize: capacity passed for Data
                push    offset Data             ; lpBuffer: receives the directory path
                call    GetWindowsDirectoryA    ; no stack fix-up follows, the API pops its own arguments

                ; --- byte_1314CA1C = backslash + file name ---
                push    offset aPwsbandook2_ex  ; "pwsbandook2.exe"
                push    offset aS_1             ; "\\%s" as IDA prints it (C-escaped): one backslash, then %s
                push    offset byte_1314CA1C    ; char *: output buffer
                call    sprintf
                add     esp, 0Ch                ; caller removes sprintf's 3 arguments

                ; --- CreateFileA arguments 7..2, pushed before the path is finished ---
                push    0                       ; hTemplateFile
                push    80h                     ; dwFlagsAndAttributes: FILE_ATTRIBUTE_NORMAL
                push    2                       ; dwCreationDisposition: CREATE_ALWAYS (replaces an existing file)
                push    0                       ; lpSecurityAttributes
                push    0                       ; dwShareMode: no sharing
                push    40000000h               ; dwDesiredAccess: GENERIC_WRITE

                ; --- finish the path: Data = Data + byte_1314CA1C ---
                push    offset byte_1314CA1C    ; char *: source, "\pwsbandook2.exe"
                push    offset Data             ; char *: destination, the Windows directory
                call    strcat                  ; eax = destination pointer (Data)
                pop     ecx                     ; drop strcat's two arguments
                pop     ecx
                push    eax                     ; lpFileName: full path built in Data
                call    CreateFileA
                mov     dword_1314E32C, eax     ; keep the output file handle in a global

                ; --- WriteFile arguments, with the length taken from GetFileSize ---
                push    0                       ; lpOverlapped
                lea     eax, [ebp+NumberOfBytesWritten]
                push    eax                     ; lpNumberOfBytesWritten: address of the local
                push    0                       ; lpFileSizeHigh: high dword not requested
                push    hFile                   ; hFile: a different handle from dword_1314E32C
                call    GetFileSize
                push    eax                     ; nNumberOfBytesToWrite: size reported for hFile
                push    lpBuffer                ; lpBuffer: data to write
                push    dword_1314E32C          ; hFile: the handle returned by CreateFileA
                call    WriteFile
                push    dword_1314E32C          ; hObject
                call    CloseHandle
                xor     eax, eax                ; return 0 regardless of what the calls returned
                leave
                retn
sub_13144FF6    endp
1) Identify which input argument to CreateFile contains the path and the filename.
2) Explain how to find the path and the file name.
; ---------------------------------------------------------------------------
; sub_13144FF6 -- writes a buffer to "<Windows directory>\pwsbandook2.exe".
; 32-bit x86, IDA listing (Intel operand order). Takes no stack arguments and
; always returns 0 in eax.
;
; Call sequence visible in this listing:
;   1. memset(byte_1314CA1C, 0, 100h)
;   2. GetWindowsDirectoryA(Data, 100h)         ; Data = Windows directory
;   3. sprintf(byte_1314CA1C, aS_1, aPwsbandook2_ex)
;   4. strcat(Data, byte_1314CA1C)              ; Data = full path, returned in eax
;   5. CreateFileA(eax, 40000000h, 0, 0, 2, 80h, 0) -> dword_1314E32C
;   6. WriteFile(dword_1314E32C, lpBuffer, GetFileSize(hFile, 0),
;                &NumberOfBytesWritten, 0)
;   7. CloseHandle(dword_1314E32C)
;
; The path argument (lpFileName) of CreateFileA is the LAST value pushed before
; the call: the pointer strcat returns in eax, i.e. the Data buffer after the
; file name has been appended to the Windows directory.
;
; NOTE(review): hFile and lpBuffer are globals assigned outside this listing;
; presumably a source file handle and its contents -- confirm at their writers.
; NOTE(review): no API return value is checked here; CreateFileA's result is
; used by WriteFile and CloseHandle without an INVALID_HANDLE_VALUE test.
; Host indicator on this page: a file named pwsbandook2.exe created directly
; in the Windows directory.
; ---------------------------------------------------------------------------
sub_13144FF6    proc near

NumberOfBytesWritten= dword ptr -4              ; local at [ebp-4], receives WriteFile's byte count

                push    ebp
                mov     ebp, esp
                push    ecx                     ; makes room for the 4-byte local at [ebp-4]; the value pushed is not used

                ; --- clear the 100h-byte scratch buffer ---
                push    100h                    ; size_t: 256 bytes
                push    0                       ; int: fill value
                push    offset byte_1314CA1C    ; void *: scratch buffer for the file-name part
                call    memset
                add     esp, 0Ch                ; caller removes memset's 3 arguments

                ; --- Data = Windows directory ---
                push    100h                    ; uSize: capacity passed for Data
                push    offset Data             ; lpBuffer: receives the directory path
                call    GetWindowsDirectoryA    ; no stack fix-up follows, the API pops its own arguments

                ; --- byte_1314CA1C = backslash + file name ---
                push    offset aPwsbandook2_ex  ; "pwsbandook2.exe"
                push    offset aS_1             ; "\\%s" as IDA prints it (C-escaped): one backslash, then %s
                push    offset byte_1314CA1C    ; char *: output buffer
                call    sprintf
                add     esp, 0Ch                ; caller removes sprintf's 3 arguments

                ; --- CreateFileA arguments 7..2, pushed before the path is finished ---
                push    0                       ; hTemplateFile
                push    80h                     ; dwFlagsAndAttributes: FILE_ATTRIBUTE_NORMAL
                push    2                       ; dwCreationDisposition: CREATE_ALWAYS (replaces an existing file)
                push    0                       ; lpSecurityAttributes
                push    0                       ; dwShareMode: no sharing
                push    40000000h               ; dwDesiredAccess: GENERIC_WRITE

                ; --- finish the path: Data = Data + byte_1314CA1C ---
                push    offset byte_1314CA1C    ; char *: source, "\pwsbandook2.exe"
                push    offset Data             ; char *: destination, the Windows directory
                call    strcat                  ; eax = destination pointer (Data)
                pop     ecx                     ; drop strcat's two arguments
                pop     ecx
                push    eax                     ; lpFileName: full path built in Data
                call    CreateFileA
                mov     dword_1314E32C, eax     ; keep the output file handle in a global

                ; --- WriteFile arguments, with the length taken from GetFileSize ---
                push    0                       ; lpOverlapped
                lea     eax, [ebp+NumberOfBytesWritten]
                push    eax                     ; lpNumberOfBytesWritten: address of the local
                push    0                       ; lpFileSizeHigh: high dword not requested
                push    hFile                   ; hFile: a different handle from dword_1314E32C
                call    GetFileSize
                push    eax                     ; nNumberOfBytesToWrite: size reported for hFile
                push    lpBuffer                ; lpBuffer: data to write
                push    dword_1314E32C          ; hFile: the handle returned by CreateFileA
                call    WriteFile
                push    dword_1314E32C          ; hObject
                call    CloseHandle
                xor     eax, eax                ; return 0 regardless of what the calls returned
                leave
                retn
sub_13144FF6    endp
1) Identify which input argument to CreateFile contains the path and the filename.
2) Explain how to find the path and the file name.