By ph4nt0m. Wednesday, 28. March 2007, 15:27:59

by axis
2007-03-28
Recently, while writing an exploit, I needed call ebx jump addresses for some other-language editions of Windows, but the Metasploit opcode DB does not cover Traditional Chinese, Japanese or Korean machines, so I spent a bit of time collecting them myself. Thanks to 傲少 for providing the machines I used to find the addresses. Posting them here for everyone's convenience.

Universal jump addresses for Simplified Chinese Windows (2k/XP/2k3):
0x7ffa45f3               jmp ecx          \xff\xe1
0x7ffa4967               jmp ebp          \xff\xe5
0x7ffa4a1b               jmp ebx          \xff\xe3
0x7ffa6773               push ebx,retn    \x53\xc3    (0x7ffa6772 is pop edx)
0x7ffd1769 - 0x7ffd1779  jmp eax          \xff\xe0
0x7ffc01b0               pop esi,retn     \x5e\xc3
0x7ffa54cf, 0x7ffaf780   jmp edx          \xff\xe2
0x7ffa1577               pop eax,retn     \x58\xc3    (debugger listing below)
7FFA1571    58              POP EAX
7FFA1572    BF 58C058C2     MOV EDI,C258C058
7FFA1577    58              POP EAX
7FFA1578    C3              RETN
Korean Windows 2003 SP1 (KR 2k3 SP1):
71ab1346      call eax     ws2_32.dll
71ab4340      jmp eax      ws2_32.dll
71ac273f      call ecx     ws2_32.dll
71ab6e3b      jmp ecx      ws2_32.dll
71ab5fb0      call ebx     ws2_32.dll
71ab596b      call esi     ws2_32.dll
71ab5503      call edi     ws2_32.dll
71ab5f62      pop edi, pop esi retn    ws2_32.dll
Possibly universal addresses for Korean Windows (KR, needs confirmation):
7ffa6d56     call eax  
7ffa78aa     call edx
7ffa7306     call ecx
7ffa901a     call ebx
7ffa4a1b     jmp ebx
7ffa82a4     call esp
7ffa8b3c     call esi
7ffa49d7     jmp esi
Japanese Windows 2003 R2 SP1 (JP 2k3 SP1 R2):
7c999c86    call ebx     ntdll.dll
7c9a96aa    call ebx     ntdll.dll
7c9b2c62     call ebx     ntdll.dll
7c9834a3    jmp ebx      ntdll.dll
7c9d1d1e    jmp  esp    ntdll.dll
7c9585fb    call eax     ntdll.dll
7c99c6cb    jmp eax      ntdll.dll
7c95139e   pop esi,pop ebp,retn    ntdll.dll
7c951bc2    call ecx      ntdll.dll
7c9c27bb    call edx       ntdll.dll
7c9523d7    call edi       ntdll.dll
7c96a3c3    call esi       ntdll.dll
71aa5503    call edi    ws2_32.dll
71aa5fb0    call ebx    ws2_32.dll
71aa1346   call eax     ws2_32.dll
71aa4340   jmp eax      ws2_32.dll
71aa596b    call esi    ws2_32.dll
71aa5f62   pop edi,pop esi,retn    ws2_32.dll
Traditional Chinese Windows (TW) universal addresses (at least 2k3 SP1):
7ffa2186     jmp ebx
7ffd1987     call eax  (2k3  tw)
7ffaf9a8     jmp eax
7ffa46ad     jmp ecx
7ffafffa     jmp edx
7ffa24ce     jmp esp
7ffa2b64     jmp esi
7ffa2eac     jmp edi
71b75fb0     call ebx   ws2_32.dll
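The ws2_32.dll entries above are tied to one build of that DLL loaded at its preferred base: the KR, JP and TW lists show the same offsets (call ebx at ...5fb0, call eax at ...1346, pop edi,pop esi,retn at ...5f62) under different bases (0x71ab0000, 0x71aa0000, 0x71b70000), so an address from one list is only reusable elsewhere after checking that the same bytes sit at the same offset. The same check applies to the 0x7ffaxxxx entries: verify the bytes in a debugger, as the 7FFA1571 listing above does. As an added example that is not part of the original post, the following Python scanner finds exactly these patterns (jmp reg, call reg, push reg/retn, pop reg[,pop reg]/retn) in a dump of a module or memory region and rejects addresses that contain bad characters. The input is a constructed byte string built around the 7FFA1571 listing; the placement of the other hand-placed patterns is an assumption for the demonstration only.

```python
# Added example (not from the original post): scan a byte buffer for the
# register-jump trampolines listed above and filter out addresses that
# contain bad characters. The sample input is constructed, not a real dump.

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_trampolines(buf, base):
    """Return (address, mnemonic, raw bytes) for every trampoline in buf.

    Patterns recognised (32-bit x86):
      FF D0..D7            call reg
      FF E0..E7            jmp reg
      50..57 C3            push reg,retn
      58..5F [58..5F] C3   pop reg[,pop reg],retn
    The scan is byte-by-byte, so a match inside a longer instruction (like
    the 0x58 bytes inside MOV EDI,C258C058 above) is reported too; that is
    intended, since the CPU executes from whatever address is jumped to.
    """
    hits = []
    n = len(buf)
    for i in range(n):
        b = buf[i]
        if b == 0xFF and i + 1 < n:
            modrm = buf[i + 1]
            if 0xD0 <= modrm <= 0xD7:
                hits.append((base + i, "call " + REGS[modrm - 0xD0], buf[i:i + 2]))
            elif 0xE0 <= modrm <= 0xE7:
                hits.append((base + i, "jmp " + REGS[modrm - 0xE0], buf[i:i + 2]))
        elif 0x50 <= b <= 0x57 and i + 1 < n and buf[i + 1] == 0xC3:
            hits.append((base + i, "push %s,retn" % REGS[b - 0x50], buf[i:i + 2]))
        elif 0x58 <= b <= 0x5F:
            # up to two consecutive pops followed by retn
            j, regs = i, []
            while j < n and 0x58 <= buf[j] <= 0x5F and len(regs) < 2:
                regs.append("pop " + REGS[buf[j] - 0x58])
                j += 1
            if j < n and buf[j] == 0xC3:
                hits.append((base + i, ",".join(regs) + ",retn", buf[i:j + 1]))
    return hits


def has_bad_chars(addr, bad=b"\x00\x0a\x0d"):
    """True if the little-endian encoding of addr contains a byte that would
    terminate or mangle the payload (NUL, LF, CR by default)."""
    return any(x in bad for x in addr.to_bytes(4, "little"))


def usable(hits, wanted, bad=b"\x00\x0a\x0d"):
    """Keep only hits for one mnemonic (e.g. 'jmp ebx') with clean addresses."""
    return [h for h in hits if h[1] == wanted and not has_bad_chars(h[0], bad)]


# Constructed sample: the 7FFA1571 listing from the post (58 BF 58 C0 58 C2 58 C3)
# followed by a few hand-placed patterns; their positions are assumptions.
SAMPLE_BASE = 0x7FFA1571
SAMPLE = (bytes.fromhex("58BF58C058C258C3")   # pop eax / mov edi,C258C058 / pop eax / retn
          + b"\x90\x90"
          + b"\xff\xe3"                       # jmp ebx
          + b"\x90"
          + b"\x5a\x53\xc3"                   # pop edx / push ebx / retn
          + b"\x5f\x5e\xc3")                  # pop edi / pop esi / retn

if __name__ == "__main__":
    for addr, mnem, raw in find_trampolines(SAMPLE, SAMPLE_BASE):
        print("0x%08x  %-22s %s" % (addr, mnem, "".join(r"\x%02x" % x for x in raw)))
    print("clean jmp ebx:", ["0x%08x" % a for a, _, _ in usable(find_trampolines(SAMPLE, SAMPLE_BASE), "jmp ebx")])
```

To use it on a real target, feed find_trampolines the bytes of the module (or of the shared region around 0x7ffa0000) together with the address they were read from, then narrow the result with usable() for the register your exploit controls at the time of the crash; the scanner reports overlapping gadgets (both pop edi,pop esi,retn and the pop esi,retn one byte later), which mirrors the way the post lists 0x7ffa6772 (pop edx) next to 0x7ffa6773 (push ebx,retn).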