; KolibriOS "mtldr" boot-loader installer for Windows (32-bit PE, GUI subsystem).
; Assembler: flat assembler (FASM) - `format PE`, `rb`, `du`, `data import`,
; `@@`/`@f`/`@b` and `push esi edi` are FASM syntax; the page's "NASM" label is wrong.
; Conventions used throughout:
;   - ebx is zeroed once in `start` and pushed wherever a NULL / FALSE / 0 argument is needed;
;   - Win32 calls are stdcall: arguments are pushed right-to-left, the callee pops them;
;   - `inc eax / jnz` after CreateFileA / GetFileAttributesA tests for the -1 error value.
; What the program does (see start, install_9x, install_9x_2, install_vista):
;   1. asks for the KolibriOS image file and a menu title (GetOpenFileNameA + ofn_hook),
;   2. queries the BIOS drive number and partition start sector of the image's partition,
;   3. patches them into the loader image (mtldr_code) and writes it to a free
;      mtldr[0-9A-Z] file (in the image's directory, or C:\ on NT when the image is not on C:),
;   4. registers that file in the boot configuration: boot.ini (NT/2000/XP),
;      config.sys (Windows 9x) or the BCD store through WMI (Vista and later).
; All of this needs administrator rights; failures end in a MessageBoxA followed by
; ExitProcess (label mbx), and the NT/Vista paths remove the written loader file
; again (delete_mtldr) on most failures.
format PE GUI 4.0
section '.text' code readable executable
entry start                             ; process entry point (label start: below)
;-----------------------------------------------------------------------
; start - program entry.
; Flow: file dialog -> OS detection -> (NT) query the device number and
; partition start of the image's volume via DeviceIoControl ->
; install_cmn: build the loader file name and find a free one ->
; write the loader (write_mtldr1) -> register it in boot.ini,
; or branch to install_9x / install_9x_2 (Win9x) / install_vista (BCD).
; Shared exits: norights, mbx (MessageBoxA + ExitProcess), suci (success).
; Registers: ebx = 0 for the whole program; esi = current file handle;
; edi = scratch string pointer. Nothing here returns.
;-----------------------------------------------------------------------
start:
xor ebx, ebx                            ; ebx = 0: pushed as NULL / FALSE / 0 everywhere below
push ofn                                ; &OPENFILENAME (see .data); fills img_name, ofn_hook fills ostitle
call [GetOpenFileNameA]
test eax, eax
jnz @f                                  ; a file was selected
push ebx
call [ExitProcess]                      ; dialog cancelled: ExitProcess(0)
@@:
call [GetVersion]
test eax, eax
sets [b9x]                              ; b9x = 1 when the high bit is set (non-NT, i.e. Win9x)
js install_9x                           ; Win9x: query the drive through vwin32 instead of IOCTLs
mov [img_name+2], bl                    ; NT: truncate "X:\..." to "X:" so that dn+img_name reads "\\.\X:"
push ebx                                ; hTemplateFile = NULL
push ebx                                ; dwFlagsAndAttributes = 0
push 3                                  ; OPEN_EXISTING
push ebx                                ; lpSecurityAttributes = NULL
push 3                                  ; FILE_SHARE_READ | FILE_SHARE_WRITE
push 80000000h                          ; GENERIC_READ
push dn                                 ; "\\.\X:" - the volume device (needs admin rights)
call [CreateFileA]
inc eax                                 ; INVALID_HANDLE_VALUE (-1) -> 0
jnz @f
norights:                               ; shared error exit: "Cannot query drive info ... not administrator"
push 10h                                ; uType = MB_ICONHAND
push ebx                                ; lpCaption = NULL
push norightsmsg                        ; lpText
mbx:                                    ; shared exit: MessageBoxA(NULL, text, caption, type); ExitProcess(0)
push ebx                                ; hWnd = NULL
call [MessageBoxA]
push ebx
call [ExitProcess]
@@:
lea esi, [eax-1]                        ; esi = volume handle (undo the inc)
push ebx                                ; lpOverlapped = NULL
push tmp                                ; lpBytesReturned
push 12                                 ; sizeof(STORAGE_DEVICE_NUMBER)
push sdn                                ; out: {DeviceType, DeviceNumber, PartitionNumber}
push ebx                                ; lpInBuffer = NULL
push ebx                                ; nInBufferSize = 0
push 0x2D1080                           ; IOCTL_STORAGE_GET_DEVICE_NUMBER
push esi
call [DeviceIoControl]
test eax, eax
jnz @f
cnr:                                    ; close the volume handle, then report "cannot query"
push esi
call [CloseHandle]
jmp norights
@@:
push ebx
push tmp
push 20h                                ; sizeof(PARTITION_INFORMATION)
push pi                                 ; out: StartingOffset (64-bit) is at +0
push ebx
push ebx
push 0x74004                            ; IOCTL_DISK_GET_PARTITION_INFO
push esi
call [DeviceIoControl]
test eax, eax
jz cnr
push esi
call [CloseHandle]
cmp [sdn], 7                            ; DeviceType == FILE_DEVICE_DISK ?
jz @f
push 10h
push 0
push nohd                               ; "Image must be on hard disk!"
jmp mbx
@@:
mov al, byte [sdn+4]                    ; DeviceNumber (physical disk index, low byte)
or al, 80h                              ; -> BIOS drive number (80h = first hard disk)
mov [mtldr_code+7], al                  ; patch the drive number into the loader image
mov eax, [pi]
mov edx, [pi+4]                         ; edx:eax = StartingOffset in bytes
shrd eax, edx, 9
shr edx, 9                              ; edx:eax >>= 9 -> start sector (512-byte LBA)
jz @f                                   ; the high half must be zero (LBA must fit in 32 bits)
m1e: push 10h
push ebx
push m1                                 ; unsupported: partition starts beyond 2^32 sectors
jmp mbx
@@:
install_cmn:                            ; common entry (also from install_9x): eax = start LBA, mtldr_code+7 patched
mov [mtldr_code+8], eax                 ; patch the partition start LBA into the loader image
mov esi, img_name
mov edi, img_real_name
mov byte [esi+2], '\'                   ; restore the "X:\" truncated above (already '\' on the 9x path)
push 256                                ; cchBuffer
push edi                                ; lpszShortPath = img_real_name
push esi                                ; lpszLongPath  = img_name
call [GetShortPathNameA]                ; 8.3 form of the image path
cmp eax, 256
jb @f
push 10h
push ebx
push ptl                                ; >= 256 means the buffer is too small: "Path is too long"
jmp mbx
@@:
test eax, eax
jnz @f
push esi edi                            ; GetShortPathNameA failed: fall back to the long name
mov ecx, 256/4
rep movsd                               ; img_real_name = img_name (256 bytes)
pop edi esi
@@:
cmp byte [edi], 0                       ; lower-case img_real_name in place ('A'..'Z' -> 'a'..'z')
jz lcd
cmp byte [edi], 'A'
jb lcc
cmp byte [edi], 'Z'
ja lcc
add byte [edi], 20h
lcc:
inc edi
jmp @b
lcd:
mov esi, img_real_name
cmp [b9x], 0
jnz @f                                  ; Win9x: the loader goes next to the image
cmp byte [esi], 'c'
jnz notc                                ; NT and image not on C: -> use C:\mtldr
@@:
push 256/4
pop ecx                                 ; ecx = 64 dwords
lea edi, [esi+ecx*4]                    ; edi = img_real_name+256 = mtldr_name (the buffers are adjacent)
rep movsd                               ; mtldr_name = img_real_name
mov edi, esi                            ; esi ran past img_real_name, i.e. esi = mtldr_name
xor eax, eax
or ecx, -1
repnz scasb                             ; find the terminating NUL
dec edi                                 ; edi -> NUL
std
mov al, '\'
repnz scasb                             ; scan backwards for the last '\' (a path without '\' is not handled)
cld
inc edi
inc edi                                 ; edi -> first character of the file name
mov eax, 'mtld'
stosd
mov al, 'r'
stosb                                   ; replace the file name with "mtldr"
jmp cmn
notc:
mov dword [mtldr_name], 'C:\m'
mov dword [mtldr_name+4], 'tldr'        ; mtldr_name = "C:\mtldr"
mov edi, mtldr_name+8
cmn:
and word [edi], 0                       ; NUL-terminate; [edi] is where an optional suffix goes
mf:                                     ; find a free name: mtldr, mtldr0..9, mtldrA..Z
push mtldr_name
call [GetFileAttributesA]
inc eax                                 ; INVALID_FILE_ATTRIBUTES (-1) -> 0
jnz @f
call [GetLastError]
cmp eax, 2                              ; ERROR_FILE_NOT_FOUND -> the name is free
jz fo
@@:                                     ; file exists (or any other error): try the next suffix
cmp byte [edi], 0
jnz @f
mov byte [edi], '0'
jmp mf
@@:
cmp byte [edi], '9'
jae @f
mfi:
inc byte [edi]
jmp mf
@@:
ja @f                                   ; flags still from the cmp above: > '9' means a letter
mov byte [edi], 'A'                     ; '9' -> 'A'
jmp mf
@@:
cmp byte [edi], 'Z'
jb mfi
nomx: push 10h
push ebx
push nom                                ; "Too many mtldr's found!"
jmp mbx
fo:                                     ; mtldr_name is free
cmp [b9x], 0
jnz install_9x_2
call write_mtldr1                       ; NT: create the loader file; esi = handle, ecx = strlen(image path)+1
push ecx
call [GetVersion]
pop ecx
cmp al, 6                               ; major version >= 6 -> Vista or later: BCD via WMI
jae install_vista
mov al, 2                               ; fill byte for the padding
mov edi, tmp_data
neg ecx
add ecx, 2000h - mtldr_code_size        ; ecx = 2000h - code size - (path len+1): pad the file to 2000h bytes
push ebx
push tmp
push ecx
push edi
push esi
rep stosb                               ; tmp_data[0..ecx) = 2
call [WriteFile]                        ; result not checked
push esi
call [CloseHandle]
push bootini                            ; NOTE(review): this push is never consumed (the call below pushes its own); harmless because every path ends in ExitProcess
mov edi, systitle+1
mov esi, ostitle
mov byte [edi-1], '"'                   ; systitle = '"' + ostitle + '"'
@@:
lodsb
test al, al
jz @f
stosb
jmp @b
@@:
mov word [edi], '"'                     ; closing quote followed by NUL
push bootini
call [GetFileAttributesA]
push eax                                ; keep the original attributes
and al, not 1                           ; clear FILE_ATTRIBUTE_READONLY
push eax
push bootini
call [SetFileAttributesA]               ; make boot.ini writable (result not checked)
push bootini                            ; lpFileName
push systitle                           ; lpString  = "<title>"
push mtldr_name                         ; lpKeyName = loader path
push mtldr_name
push mtldr_name
call [CharToOemA]                       ; convert the key to the OEM code page in place
push osstr                              ; lpAppName = "operating systems"
call [WritePrivateProfileStringA]       ; boot.ini: [operating systems] <mtldr_name>="<title>"
xchg eax, [esp]                         ; eax = original attributes, [esp] = write result
push eax
push bootini
call [SetFileAttributesA]               ; restore the original attributes
pop eax
test eax, eax
jnz suci
; failed, delete written mtldr
call delete_mtldr
push 10h
push ebx
push insterr                            ; "Cannot write to boot.ini. Probably you are not administrator."
jmp mbx
suci:                                   ; shared success exit
push 40h                                ; MB_ICONINFORMATION
push suct                               ; caption "Success"
push succ                               ; "Installation successful!"
jmp mbx
;-----------------------------------------------------------------------
; install_9x - Windows 9x variant of the drive query.
; Opens the VWIN32 VxD (\\.\vwin32) and issues a DOS IOCTL (int 21h, AX=440Dh)
; through DeviceIoControl code 1 with the register block `regs`; the result
; is placed in diskinfobuf, whose layout is used as: byte +3 = INT 13h unit,
; dword +8 / +12 = partition start sector (low / high) - assumed DRIVEMAPINFO,
; confirm against the 9x DDK. Joins install_cmn with eax = start sector.
;-----------------------------------------------------------------------
install_9x:
mov al, [img_name]
or al, 20h                              ; lower-case the drive letter
sub al, 'a'-1                           ; 'a' -> 1: 1-based DOS drive number
mov byte [regs], al                     ; regs.EBX = drive number
push ebx
push ebx
push 3                                  ; OPEN_EXISTING
push ebx
push 3                                  ; FILE_SHARE_READ | FILE_SHARE_WRITE
push 80000000h                          ; GENERIC_READ
push vwin32                             ; "\\.\vwin32"
call [CreateFileA]
inc eax
jz norights                             ; INVALID_HANDLE_VALUE
dec eax
xchg eax, esi                           ; esi = VxD handle
push ebx
push tmp
push 28                                 ; sizeof(DIOC_REGISTERS) (out)
push regs
push 28                                 ; sizeof(DIOC_REGISTERS) (in)
push regs
push 1                                  ; VWIN32_DIOC_DOS_IOCTL
push esi
call [DeviceIoControl]
push eax                                ; keep the result across CloseHandle
push esi
call [CloseHandle]
pop eax
test eax, eax
@@: jz norights                         ; also reached through `jz @b` below when the unit is 0FFh
mov al, [diskinfobuf+3]                 ; INT 13h unit number
cmp al, 0xFF
jz @b                                   ; 0FFh = no BIOS unit -> norights (ZF is set)
cmp al, 80h
jb norights                             ; < 80h is a floppy: not a hard disk
mov [mtldr_code+7], al                  ; patch the BIOS drive number into the loader image
cmp dword [diskinfobuf+12], 0
jnz m1e                                 ; start sector does not fit in 32 bits
mov eax, [diskinfobuf+8]                ; eax = partition start sector
jmp install_cmn
;-----------------------------------------------------------------------
; install_9x_2 - Windows 9x: register the loader in C:\config.sys.
; Reads the whole file into a VirtualAlloc'd buffer (edi = buffer,
; ebp = size), reopens it with CREATE_ALWAYS and writes it back with either
;   install=<mtldr_name>\r\n                       prepended (no [menu] section), or
;   menuitem=kolibri<n>,Load <title>\r\n\r\n       appended to the [menu] section and
;   [kolibri<n>]\r\ninstall=<mtldr_name>\r\n       inserted before the next section,
; then writes the loader file itself (write_mtldr1) and, for long titles,
; appends the "Load <title>? [y/n]: " prompt to it.
; Registers: esi = config.sys handle, edi = file buffer, ebp = bytes
; remaining, ecx = menu item name length (7 or 8), ebx = 0.
; Error exit ie2 reports "Cannot open config.sys"; nothing needs rolling
; back there because the loader file has not been written yet.
;-----------------------------------------------------------------------
install_9x_2:
push ebx
push ebx
push 3                                  ; OPEN_EXISTING
push ebx
push 1                                  ; FILE_SHARE_READ
push 80000000h                          ; GENERIC_READ
push config                             ; "C:\config.sys"
call [CreateFileA]
inc eax
jnz @f
ie2:                                    ; any failure while reading / rewriting config.sys
push 10h
push ebx
push insterr2
jmp mbx
@@:
dec eax
xchg eax, esi                           ; esi = read handle
push ebx                                ; lpFileSizeHigh = NULL
push esi
call [GetFileSize]
inc eax
jz ie2                                  ; INVALID_FILE_SIZE
dec eax
xchg eax, ebp                           ; ebp = file size
push 4                                  ; PAGE_READWRITE
push 1000h                              ; MEM_COMMIT
push ebp                                ; dwSize
push ebx                                ; lpAddress = NULL
call [VirtualAlloc]
xchg eax, edi                           ; edi = buffer
test edi, edi
jz ie2
push ebx
push tmp
push ebp
push edi
push esi
call [ReadFile]                         ; read the whole file (result not checked)
push esi
call [CloseHandle]
push ebx
push 80h                                ; FILE_ATTRIBUTE_NORMAL
push 2                                  ; CREATE_ALWAYS: truncate and rewrite
push ebx
push ebx
push 40000000h                          ; GENERIC_WRITE
push config
call [CreateFileA]                      ; reopen config.sys for writing
inc eax
jz ie2
dec eax
xchg eax, esi                           ; esi = write handle
mov eax, dword [edi]
or eax, 0x20202000                      ; lower-case bytes 1..3
cmp eax, '[men'                         ; file starts with a [menu] section?
jz menu
push ostitle
call [lstrlenA]
cmp eax, 17
ja bt1                                  ; long title: the prompt is appended to the loader file instead
push esi edi
mov esi, ostitle
mov edi, mtldr_code+23Ah                ; prompt text area inside the loader image (assumed layout of mtldr)
mov ecx, eax
rep movsb                               ; copy the title ...
mov dword [edi], '? [y'
mov dword [edi+4], '/n]:'               ; ... then "? [y/n]:"
mov word [edi+8], ' '                   ; ' ' followed by NUL
pop edi esi
jmp ct1
bt1:
push img_real_name+3
call [lstrlenA]
add eax, mtldr_code_size+1+100h         ; offset of the appended prompt: after the code and the NUL-terminated path (assumed loader convention)
mov word [mtldr_code+0x19], ax          ; patch that offset into the loader image
ct1:
push ebx
push tmp
push 8
push install                            ; "install="
push esi
call [WriteFile]
cfgd:                                   ; write "<mtldr_name>\r\n" + the remaining original bytes, then the loader file
mov eax, mtldr_name
push eax
push eax
push eax
call [CharToOemA]                       ; OEM code page for config.sys, in place (pops two of the three pushes)
call [lstrlenA]                         ; eax = strlen(mtldr_name) (uses the third push)
push ebx
push tmp
push eax
push mtldr_name
push esi
call [WriteFile]
push ebx
push tmp
push 2
push newline                            ; CR LF
push esi
call [WriteFile]
push ebx
push tmp
push ebp                                ; remaining original bytes
push edi
push esi
call [WriteFile]
push esi
call [CloseHandle]
call write_mtldr1                       ; esi = loader file handle
push ostitle
call [lstrlenA]
cmp eax, 11
jbe @f                                  ; NOTE(review): thresholds differ (17 above, 11 here): titles of 12..17 chars get both the in-image and the appended prompt - confirm this is intended
push ebx                                ; frame for the 3rd WriteFile: "? [y/n]: " + NUL
push tmp
push ld2sz
push ld2
push esi
push ebx                                ; frame for the 2nd WriteFile: the title
push tmp
push eax
push ostitle
push esi
push ebx                                ; frame for the 1st WriteFile: "Load "
push tmp
push ld1sz
push ld1
push esi
call [WriteFile]
call [WriteFile]
call [WriteFile]                        ; each stdcall pops its own 5-argument frame
@@:
push esi
call [CloseHandle]
jmp suci
menu:                                   ; config.sys has a [menu] section: add a menuitem to it
push edi                                ; [esp] = start of the not-yet-written part of the buffer
or ecx, -1
mes:                                    ; per line: advance edi past the next LF and inspect the line
mov al, 0xA
repnz scasb                             ; NOTE(review): not bounded by ebp - a [menu] section with no following '[' section reads beyond the buffer
cmp byte [edi], '['
jz med                                  ; next section header: end of [menu]
cmp dword [edi], 'menu'
jnz mes
cmp dword [edi+4], 'item'
jnz mes
cmp byte [edi+8], '='
jnz mes
mov eax, [edi+9]
or eax, ' '                             ; case-fold before comparing with "koli" (NOTE(review): the page shows ' '; a 4-space literal 20202020h would fold all four bytes - confirm against the real source)
cmp eax, 'koli'
jnz mes
mov eax, [edi+13]
and eax, 0xFFFFFF
or eax, ' '                             ; same for "bri" (3 bytes)
cmp eax, 'bri'
jnz mes
movzx eax, byte [edi+16]                ; the byte right after "kolibri": NUL/CR, ',', a digit or a letter
or al, 0x20
mov [menuitems+eax], 1                  ; mark that suffix as taken
jmp mes
med:                                    ; edi -> next section header; back up over trailing blank CRLF lines
cmp word [edi-4], 0x0A0D
jnz @f
dec edi
dec edi
jmp med
@@:
sub edi, [esp]                          ; edi = length of the [menu] part (up to the next section)
push ebx
push tmp
push edi
push dword [esp+12]                     ; the buffer start saved at `menu`
push esi
call [WriteFile]                        ; copy the [menu] section unchanged
add [esp], edi                          ; advance the buffer pointer ...
sub ebp, edi                            ; ... and shrink the remaining length
mov ecx, 7                              ; menu item name "kolibri" (7 chars) ...
cmp [menuitems+0x20], 0
jnz @f
cmp [menuitems+','], 0
jz mef                                  ; ... is free if neither "kolibri" (end of line) nor "kolibri," was seen
@@:
mov eax, '0'                            ; otherwise try kolibri0..9, then kolibria..z
mel1:
cmp [menuitems+eax], 0
jz med1
inc eax
cmp al, '9'+1
jb mel1
jnz @f
mov al, 'a'                             ; '9' exhausted: continue with letters
jmp mel1
@@:
cmp al, 'z'
jbe mel1
push ebx                                ; all suffixes taken: flush the rest of the file unchanged ...
push tmp
push ebp
push dword [esp+12]
push esi
call [WriteFile]
push esi
call [CloseHandle]
jmp nomx                                ; ... and report "Too many mtldr's found!"
med1:
mov [menuitem+7], al                    ; "kolibri" + suffix
mov ecx, 8
mef:                                    ; emit: menuitem=<name>,Load <title>\r\n\r\n[<name>]\r\ninstall=
push ebx                                ; 3rd pending WriteFile frame: <name> (for the section header)
push tmp
push ecx
push menuitem
push esi
push ebx                                ; 2nd pending frame: <name>
push tmp
push ecx
push menuitem
push esi
push ebx                                ; 1st frame: "menuitem="
push tmp
push 9
push mis
push esi
call [WriteFile]
call [WriteFile]
push ebx
push tmp
push title9xsz
push title9x                            ; ",Load "
push esi
call [WriteFile]
push ebx
push tmp
push ostitle
call [lstrlenA]
push eax
push ostitle
push esi
call [WriteFile]                        ; the title
push ebx
push tmp
push title9x2sz
push title9x2                           ; "\r\n\r\n["
push esi
call [WriteFile]
call [WriteFile]                        ; the 3rd pending frame: <name>
push ebx
push tmp
push 11
push sec9x2                             ; "]\r\n" + the adjacent "install=" (11 bytes in one write)
push esi
call [WriteFile]
mov byte [mtldr_code+1], 37h            ; loader image byte 1 patched for the menu variant (meaning depends on mtldr)
pop edi                                 ; edi = rest of the original file
jmp cfgd
;-----------------------------------------------------------------------
; install_vista - Vista and later: add a BCD boot entry through the WMI
; BCD provider (namespace root\wmi, classes BcdStore / BcdObject). Steps:
;   CoInitializeEx / CoInitializeSecurity -> IWbemLocator::ConnectServer
;   -> CoSetProxyBlanket -> BcdStore.OpenStore("") -> CreateObject(<new GUID>, Type)
;   -> SetStringElement(description = title) -> SetStringElement(path = "\mtldrX")
;   -> SetPartitionDeviceElement(\??\X:) -> OpenObject({bootmgr})
;   -> GetElement(display order) -> append the new GUID to its SAFEARRAY
;   -> SetObjectListElement.
; Methods are invoked via call_method (edi = IWbemServices*, esi = target
; object or 0 for a class-level call; stack: parameter list, method, class).
; After CreateObject every failure removes the entry again (DeleteObject at
; wece3), releases the COM objects, deletes the loader file (delete_mtldr)
; and reports the message in ebp. SeBackupPrivilege / SeRestorePrivilege are
; enabled first (adjust_privilege).
; Registers: esi = loader file handle on entry, then the current WMI object;
; edi = IWbemServices*; ebp = scratch, later the error message pointer.
;-----------------------------------------------------------------------
install_vista:
push esi
call [CloseHandle]                      ; the loader file is complete (written by write_mtldr1)
mov edi, sbn                            ; "SeBackupPrivilege"
call adjust_privilege
mov edi, srn                            ; "SeRestorePrivilege"
call adjust_privilege                   ; NOTE(review): adjust_privilege exits via mbx on failure without delete_mtldr, so the loader file is left behind on that path
push ebx                                ; dwCoInit = COINIT_MULTITHREADED (0)
push ebx                                ; pvReserved = NULL
call [CoInitializeEx]
test eax, eax
js we                                   ; FAILED(hr): nothing to uninitialize
push ebx                                ; pReserved3
push ebx                                ; dwCapabilities = EOAC_NONE
push ebx                                ; pAuthList
push 3                                  ; dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE
push ebx                                ; dwAuthnLevel = RPC_C_AUTHN_LEVEL_DEFAULT
push ebx                                ; pReserved1
push ebx                                ; asAuthSvc
push -1                                 ; cAuthSvc = -1 (let COM choose)
push ebx                                ; pSecDesc = NULL
call [CoInitializeSecurity]
test eax, eax
jns @f
we2:                                    ; error after CoInitializeEx succeeded
call [CoUninitialize]
we:                                     ; error: remove the loader file, report, exit
call delete_mtldr
push 10h
push ebx
push wmierr                             ; "BCD WMI API: initialization error"
jmp mbx
@@:
push ebx                                ; stack slot for the created interface pointer
push esp                                ; ppv
push IID_IWbemLocator
push 1                                  ; CLSCTX_INPROC_SERVER
push ebx                                ; pUnkOuter
push CLSID_WbemLocator
call [CoCreateInstance]
pop edi                                 ; edi = IWbemLocator*
test eax, eax
js we2
push ebx                                ; stack slot for IWbemServices* (ppNamespace)
push esp
push ebx                                ; pCtx
push ebx                                ; strAuthority
push ebx                                ; lSecurityFlags
push ebx                                ; strLocale
push ebx                                ; strPassword
push ebx                                ; strUser
push ns                                 ; strNetworkResource = L"root\wmi"
push edi
mov esi, [edi]                          ; esi = IWbemLocator vtable
call dword [esi+12]                     ; IWbemLocator::ConnectServer
push eax                                ; keep hr
push edi
call dword [esi+8]                      ; IWbemLocator::Release
pop eax
pop edi                                 ; edi = IWbemServices*
test eax, eax
js we2
push ebx                                ; dwCapabilities = EOAC_NONE
push ebx                                ; pAuthInfo
push 3                                  ; dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE
push 3                                  ; dwAuthnLevel = RPC_C_AUTHN_LEVEL_CALL
push ebx                                ; pServerPrincName
push ebx                                ; dwAuthzSvc = RPC_C_AUTHZ_NONE
push 10                                 ; dwAuthnSvc = RPC_C_AUTHN_WINNT
push edi
call [CoSetProxyBlanket]
test eax, eax
jns @f
we3:                                    ; error while holding the services proxy
mov eax, [edi]
push edi
call dword [eax+8]                      ; IWbemServices::Release
jmp we2
@@:
xor esi, esi                            ; no target object: class-level call
push osp                                ; parameter list (see .data); each call_method advances it in place
push osn                                ; L"OpenStore"
push bs                                 ; L"BcdStore"
call call_method                        ; BcdStore.OpenStore(File = "") -> varout = Store object
test eax, eax
js we3
mov esi, guid
mov ebp, menuitems                      ; menuitems serves as the GUID string buffer on this path
push esi
call [CoCreateGuid]                     ; fresh object id for the new boot entry
push 2000h/2                            ; cchMax (NOTE(review): larger than the 100h-byte buffer; a GUID string is 39 wide chars, so it still fits)
push ebp
push esi
call [StringFromGUID2]                  ; menuitems = L"{...}"; vartmpstr already points there
mov esi, [varout+8]                     ; esi = Store object
push con                                ; L"CreateObject"
push bs
call call_method                        ; Store.CreateObject(Id = menuitems, Type = vari32) -> varout = the new BcdObject
jns @f
wecei:
mov ebp, coerr                          ; "Cannot create BCD object for KolibriOS loader"
wece:                                   ; final error exit: release esi and edi, uninit COM, remove loader, report ebp
mov eax, [esi]
push esi
call dword [eax+8]                      ; Release
mov eax, [edi]
push edi
call dword [eax+8]                      ; Release
call [CoUninitialize]
call delete_mtldr
push 10h
push ebx
push ebp
jmp mbx
@@:
pop eax                                 ; eax = parameter-list pointer (left on the stack by call_method)
push esi                                ; save the Store object
push eax                                ; [esp] = parameter-list pointer, [esp+4] = Store
mov ebp, tmp_data
mov dword [vartmpstr+8], ebp            ; the String argument now comes from tmp_data
mov dword [vari32+8], 0x12000004        ; element type: BcdLibraryString_Description
push 2000h/2                            ; cchWideChar
push ebp                                ; lpWideCharStr = tmp_data
push -1                                 ; cbMultiByte = -1 (NUL-terminated)
push ostitle
push ebx                                ; dwFlags
push ebx                                ; CodePage = CP_ACP
call [MultiByteToWideChar]              ; tmp_data = wide(title)
mov esi, [varout+8]                     ; esi = the new BcdObject
push ssen                               ; L"SetStringElement"
push bo                                 ; L"BcdObject"
call call_method                        ; object.SetStringElement(Type, String = title)
mov ebp, setproperr
js wece2
sub dword [esp], 24                     ; rewind the parameter list by 3 pairs to reuse the SetStringElement entries
mov byte [vari32+8], 2                  ; element type 0x12000002: BcdLibraryString_ApplicationPath
push 2000h/2
push tmp_data
push -1
push mtldr_name+2                       ; "\mtldrX": drive letter and ':' stripped
push ebx
push ebx
call [MultiByteToWideChar]
push ssen
push bo
call call_method                        ; object.SetStringElement(Type, String = path)
js wece2
mov dword [vari32+8], 0x11000001        ; element type: BcdLibraryDevice_ApplicationDevice
mov ecx, tmp_data
mov dword [ecx], '\' + ('?' shl 16)     ; tmp_data = L"\?" ...
mov dword [ecx+4], '?' + ('\' shl 16)   ; ... L"?\"  -> L"\??\"
xor eax, eax
mov dword [ecx+12], eax                 ; terminator
mov al, [mtldr_name+1]                  ; ':'
shl eax, 16
mov al, [mtldr_name]                    ; drive letter
mov dword [ecx+8], eax                  ; -> L"\??\X:" (NT object path of the partition)
push spden                              ; L"SetPartitionDeviceElement"
push bo
call call_method                        ; object.SetPartitionDeviceElement(Type, DeviceType = 2, AdditionalOptions = "", Path = L"\??\X:")
js wece2
mov eax, [esi]
push esi
call dword [eax+8]                      ; Release the new object
pop eax                                 ; parameter-list pointer
pop esi                                 ; esi = Store
push eax
push oon                                ; L"OpenObject"
push bs
call call_method                        ; Store.OpenObject(Id = {9dea862c-...}, the {bootmgr} object) -> varout
mov ebp, orerr
js wece3
pop eax
push esi                                ; save the Store
push eax
mov esi, [varout+8]                     ; esi = bootmgr object
mov dword [vari32+8], 0x24000001        ; element type: BcdBootMgrObjectList_DisplayOrder
push gen                                ; L"GetElement"
push bo
call call_method                        ; bootmgr.GetElement(Type) -> varout = Element object
js wece2
push esi                                ; save bootmgr
mov esi, [varout+8]                     ; esi = Element object
push ebx                                ; plFlavor
push ebx                                ; pType
push varout                             ; pVal
push ebx                                ; lFlags
push idsn                               ; L"Ids"
mov eax, [esi]
push esi
call dword [eax+16]                     ; IWbemClassObject::Get("Ids") -> varout = SAFEARRAY of BSTR
push eax
mov eax, [esi]
push esi
call dword [eax+8]                      ; Release the Element object
pop eax
pop esi                                 ; esi = bootmgr
test eax, eax
js wece2
push esi
cmp word [varout], 2008h                ; VT_ARRAY | VT_BSTR ?
jnz wece4
mov esi, [varout+8]                     ; esi = SAFEARRAY*
cmp word [esi], 1                       ; cDims == 1 ?
jnz wece4
push dword [esi+20]                     ; rgsabound[0].lLbound
mov eax, [esi+16]                       ; rgsabound[0].cElements
inc eax
push eax                                ; SAFEARRAYBOUND {cElements + 1, lLbound} on the stack
push esp
push esi
call [SafeArrayRedim]                   ; grow the display-order list by one entry
pop ecx
pop ecx
test eax, eax
js wece4
push menuitems                          ; the new entry's GUID string
call [SysAllocString]
test eax, eax
jz wece4
push eax                                ; keep the BSTR
mov ecx, [esi+16]
add ecx, [esi+20]
dec ecx                                 ; index of the last element = lLbound + cElements - 1
push ecx
mov ecx, esp
push eax                                ; pv = BSTR (copied by SafeArrayPutElement)
push ecx                                ; rgIndices
push esi
call [SafeArrayPutElement]              ; display order: ..., {new GUID}
pop ecx
call [SysFreeString]                    ; frees the BSTR pushed above
pop esi                                 ; esi = bootmgr
push solen                              ; L"SetObjectListElement"
push bo
call call_method                        ; bootmgr.SetObjectListElement(Type, Ids = varout)
js wece2
push varout
call [VariantClear]
mov eax, [esi]
push esi
call dword [eax+8]                      ; Release bootmgr
pop eax
pop esi                                 ; esi = Store
mov eax, [esi]
push esi
call dword [eax+8]                      ; Release Store
mov eax, [edi]
push edi
call dword [eax+8]                      ; Release IWbemServices
call [CoUninitialize]
jmp suci
wece4:                                  ; error with bootmgr still pushed
pop esi
wece2:                                  ; error with esi = current object; stack: [param ptr][Store]
mov eax, [esi]
push esi
call dword [eax+8]                      ; Release the current object
pop eax
pop esi                                 ; esi = Store
push eax
wece3:                                  ; roll back: delete the created BCD object (esi = Store)
mov dword [vartmpstr+8], menuitems      ; Id = the new GUID string again
pop eax
push dop                                ; parameter list for DeleteObject
push don                                ; L"DeleteObject"
push bs
call call_method                        ; Store.DeleteObject(Id)
pop eax                                 ; drop the advanced list pointer
jmp wece
;-----------------------------------------------------------------------
; write_mtldr1 - create the loader file and write the patched loader image
; followed by the image's path (OEM code page, without the "X:\" prefix,
; NUL included).
; In:   mtldr_name, mtldr_code (already patched), img_real_name, ebx = 0
; Out:  esi = open file handle (the caller closes it),
;       ecx = strlen(path)+1 (bytes written after the image),
;       eax = result of the last WriteFile (not checked anywhere)
; Clobbers: eax, ecx, edx, esi, edi, flags.
; Side effect: img_real_name is converted to OEM in place.
; On CreateFile failure it does not return: it jumps to mbx ("Cannot create
; mtldr file!") and the process exits, leaving the return address on the stack.
;-----------------------------------------------------------------------
write_mtldr1:
push ebx                                ; hTemplateFile
push 80h                                ; FILE_ATTRIBUTE_NORMAL
push 2                                  ; CREATE_ALWAYS
push ebx                                ; lpSecurityAttributes
push ebx                                ; dwShareMode = 0
push 40000000h                          ; GENERIC_WRITE
push mtldr_name
call [CreateFileA]
inc eax
jnz @f
push 10h
push ebx
push noc
jmp mbx
@@:
dec eax
xchg eax, esi                           ; esi = file handle
push ebx
push tmp
push mtldr_code_size
push mtldr_code
push esi
call [WriteFile]                        ; the loader image
push img_real_name
push img_real_name
call [CharToOemA]                       ; in place
mov edi, img_real_name+3                ; skip "X:\"
push edi
call [lstrlenA]
inc eax                                 ; include the NUL
push eax                                ; returned to the caller in ecx
push ebx
push tmp
push eax
push edi
push esi
call [WriteFile]                        ; the NUL-terminated path
pop ecx
ret
;-----------------------------------------------------------------------
; delete_mtldr - roll back: remove the loader file named by mtldr_name.
; The boot.ini / config.sys paths convert mtldr_name to the OEM code page
; in place (CharToOemA) before this can run, so the name is mapped back
; with OemToCharA first. NOTE(review): install_vista never OEM-converts
; mtldr_name, so on that path OemToCharA may alter non-ASCII characters;
; harmless for plain ASCII names such as C:\mtldr.
; In:   mtldr_name.  Out: eax = DeleteFileA result (callers ignore it).
; Clobbers: eax, ecx, edx, flags (stdcall callees). ebx/esi/edi preserved.
;-----------------------------------------------------------------------
delete_mtldr:
        mov     eax, mtldr_name
        push    eax                     ; DeleteFileA(lpFileName)
        push    eax                     ; OemToCharA(..., lpszDst)  (in place)
        push    eax                     ; OemToCharA(lpszSrc, ...)
        call    [OemToCharA]            ; pops its two arguments
        call    [DeleteFileA]           ; pops the remaining one
        ret
;-----------------------------------------------------------------------
; adjust_privilege - enable one privilege (name in edi) in the current
; process token. advapi32.dll is loaded lazily (LoadLibraryA +
; GetProcAddress) and the three function pointers are cached in
; OpenProcessToken / LookupPrivilegeValueA / AdjustTokenPrivileges.
; In:   edi = privilege name (ANSI), ebx = 0
; Out:  nothing. On any failure it does not return: it jumps to mbx with
;       apf ("Cannot adjust backup and restore privileges") and exits.
; Clobbers: eax, ecx, edx, esi, flags. 16 bytes of stack hold the token
; handle and a TOKEN_PRIVILEGES {1, LUID, SE_PRIVILEGE_ENABLED} block.
; NOTE(review): AdjustTokenPrivileges returns nonzero even when the
; privilege could not be enabled (GetLastError = ERROR_NOT_ALL_ASSIGNED),
; so a caller lacking the privilege passes this check - confirm that is
; acceptable for the BCD update that follows.
;-----------------------------------------------------------------------
adjust_privilege:
cmp [advapi32], 0
jnz @f                                  ; already resolved
push advapi32_name
call [LoadLibraryA]
mov [advapi32], eax
mov esi, eax
test esi, esi
jz ape
push opts                               ; "OpenProcessToken"
push esi
call [GetProcAddress]
mov [OpenProcessToken], eax
test eax, eax
jz ape
push lpvs                               ; "LookupPrivilegeValueA"
push esi
call [GetProcAddress]
mov [LookupPrivilegeValueA], eax
test eax, eax
jz ape
push atps                               ; "AdjustTokenPrivileges"
push esi
call [GetProcAddress]
mov [AdjustTokenPrivileges], eax
test eax, eax
jz ape
@@:
push ebx                                ; stack slot for the token handle
push esp                                ; TokenHandle (out)
push 28h                                ; DesiredAccess = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
call [GetCurrentProcess]
push eax                                ; ProcessHandle
call [OpenProcessToken]
test eax, eax
pop esi                                 ; esi = token handle (pop does not touch flags)
jz ape
push 2                                  ; Privileges[0].Attributes = SE_PRIVILEGE_ENABLED
push ebx                                ; Privileges[0].Luid.HighPart
push ebx                                ; Privileges[0].Luid.LowPart
mov eax, esp                            ; eax = &Luid
push 1                                  ; PrivilegeCount = 1 -> esp = &TOKEN_PRIVILEGES
push eax                                ; lpLuid
push edi                                ; lpName
push ebx                                ; lpSystemName = NULL (local system)
call [LookupPrivilegeValueA]
test eax, eax
jz ape2
mov eax, esp                            ; eax = &TOKEN_PRIVILEGES
push ebx                                ; ReturnLength
push ebx                                ; PreviousState
push ebx                                ; BufferLength
push eax                                ; NewState
push ebx                                ; DisableAllPrivileges = FALSE
push esi                                ; TokenHandle
call [AdjustTokenPrivileges]
test eax, eax
jz ape2
add esp, 10h                            ; drop the TOKEN_PRIVILEGES block
push esi
call [CloseHandle]
ret
ape2:                                   ; failure after the token was opened
add esp, 10h
push esi
call [CloseHandle]
ape:                                    ; failure: report and exit (never returns)
push 10h
push ebx
push apf
jmp mbx
;-----------------------------------------------------------------------
; call_method - invoke a WMI method through IWbemServices::ExecMethod.
; Stack arguments (stdcall, `ret 8`): [esp+4] = class name (wide string,
; e.g. bs / bo), [esp+8] = method name, [esp+12] = pointer to the parameter
; list. Only the first two are popped; the list pointer stays on the stack
; and is advanced in place past the entries consumed, so consecutive calls
; walk one list (osp in .data).
; Parameter list: pairs (dd name, dd VARIANT*) applied with
; IWbemClassObject::Put to the in-parameters instance, terminated by a pair
; whose name is 0; its second dword is 0 or the name of the out-parameter
; to fetch into varout.
; In:   edi = IWbemServices*, esi = target object (its __Relpath becomes the
;       object path) or 0 to call on the class itself, ebx = 0
; Out:  eax = status (>= 0 success, negative failure; 80000000h when the
;       method's ReturnValue is not VT_BOOL TRUE or the requested
;       out-parameter is not VT_UNKNOWN); flags set by `test eax, eax`.
;       On success varout holds the out-parameter (VT_UNKNOWN at varout+8).
; Clobbers: eax, ecx, edx, flags; edi and esi are preserved.
; vtable slots used: IWbemServices::GetObject (+24), ExecMethod (+96);
; IWbemClassObject::Get (+16), Put (+20), SpawnInstance (+60), GetMethod (+76);
; IUnknown::Release (+8).
;-----------------------------------------------------------------------
call_method:
push ebx                                ; slot: class definition object
mov eax, esp
push ebx                                ; ppCallResult
push eax                                ; ppObject
push ebx                                ; pCtx
push ebx                                ; lFlags
push dword [eax+8]                      ; strObjectPath = class name ([eax] = slot, [eax+4] = return address)
mov eax, [edi]
push edi
call dword [eax+24]                     ; IWbemServices::GetObject(class)
xchg edi, [esp]                         ; edi = class object; [esp] = saved IWbemServices*
test eax, eax
js r
push ebx                                ; slot: in-parameters class
mov eax, esp
push ebx                                ; ppOutSignature
push eax                                ; ppInSignature
push ebx                                ; lFlags
push dword [eax+16]                     ; wszName = method name ([eax+8] = ret, [eax+12] = class, [eax+16] = method)
mov eax, [edi]
push edi
call dword [eax+76]                     ; IWbemClassObject::GetMethod
push eax
mov eax, [edi]
push edi
call dword [eax+8]                      ; Release the class object
pop eax
pop edi                                 ; edi = in-parameters class
test eax, eax
js r
push ebx                                ; slot: in-parameters instance
push esp
push ebx                                ; lFlags
mov eax, [edi]
push edi
call dword [eax+60]                     ; IWbemClassObject::SpawnInstance
push eax
mov eax, [edi]
push edi
call dword [eax+8]                      ; Release the in-parameters class
pop eax
pop edi                                 ; edi = in-parameters instance
test eax, eax
js r
cml1:                                   ; for each (name, VARIANT*) pair: instance.Put(name, 0, variant, 0)
mov eax, [esp+16]                       ; parameter-list pointer (the caller's stack slot)
add dword [esp+16], 8                   ; advance it in place
cmp dword [eax], 0
jz cme1                                 ; terminator pair
push ebx                                ; Type = 0
push dword [eax+4]                      ; pVal
push ebx                                ; lFlags
push dword [eax]                        ; wszName
mov eax, [edi]
push edi
call dword [eax+20]                     ; IWbemClassObject::Put
test eax, eax
js r2
jmp cml1
cme1:
and dword [varout], 0                   ; varout.vt = VT_EMPTY
mov ecx, [esp+8]                        ; object path defaults to the class name
test esi, esi
jz cms                                  ; no target object: class-level call
push ebx
push ebx
push varout
push ebx
push rpn                                ; L"__Relpath"
mov eax, [esi]
push esi
call dword [eax+16]                     ; target.Get("__Relpath") -> varout
test eax, eax
js r2
cmp word [varout], 8                    ; must be VT_BSTR
jnz r2
mov ecx, [varout+8]                     ; ecx = object path
cms:
pop edx                                 ; edx = saved IWbemServices* ...
push edx                                ; ... kept on the stack as well
push ebx                                ; slot: out-parameters object
mov eax, esp
push ebx                                ; ppCallResult
push eax                                ; ppOutParams
push edi                                ; pInParams
push ebx                                ; pCtx
push ebx                                ; lFlags
push dword [eax+16]                     ; strMethodName ([eax+4] = services, [eax+8] = ret, [eax+12] = class, [eax+16] = method)
push ecx                                ; strObjectPath
mov eax, [edx]
push edx
call dword [eax+96]                     ; IWbemServices::ExecMethod
push eax
mov eax, [edi]
push edi
call dword [eax+8]                      ; Release the in-parameters instance
push varout
call [VariantClear]                     ; drop the __Relpath string
pop eax
pop edi                                 ; edi = out-parameters object
test eax, eax
js r
push ebx
push ebx
push varout
push ebx
push retvaln                            ; L"ReturnValue"
mov eax, [edi]
push edi
call dword [eax+16]                     ; out.Get("ReturnValue") -> varout
test eax, eax
js r2
mov eax, 80000000h                      ; default: failure
cmp word [varout], 11                   ; VT_BOOL ?
jnz r2
cmp word [varout+8], 0                  ; VARIANT_FALSE -> failure
jz r2
mov eax, [esp+16]                       ; parameter-list pointer, now just past the terminator pair
mov eax, [eax-4]                        ; second dword of the terminator: out-parameter name or 0
test eax, eax
jz r2                                   ; 0: nothing to fetch, and eax = 0 is the success status
push ebx
push ebx
push varout
push ebx
push eax
mov eax, [edi]
push edi
call dword [eax+16]                     ; out.Get(<out-parameter>) -> varout
test eax, eax
js r2
cmp word [varout], 13                   ; VT_UNKNOWN expected
setnz al
shl eax, 31                             ; eax = 0 when it matches, 80000000h otherwise
r2:                                     ; release the object in edi, preserving eax
push eax
mov eax, [edi]
push edi
call dword [eax+8]
pop eax
r:                                      ; restore edi (IWbemServices*), set flags from eax, pop class + method
pop edi
test eax, eax
ret 8
;-----------------------------------------------------------------------
; ofn_hook - hook procedure of the GetOpenFileNameA dialog (ofn.lpfnHook).
; UINT_PTR CALLBACK ofn_hook(HWND hdlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
; On WM_DESTROY (uMsg == 2) it copies the text of the "Title" edit control
; (dialog item 23, see ofn_title_template) into ostitle, at most 260 bytes.
; Returns 0 for every message so the common dialog keeps its default
; handling. stdcall: pops its four arguments (ret 10h).
; Clobbers: eax (plus ecx/edx inside GetDlgItemTextA).
;-----------------------------------------------------------------------
ofn_hook:
        mov     eax, [esp+8]            ; eax = uMsg
        cmp     eax, 2                  ; WM_DESTROY ?
        jne     .done
        push    260                     ; cchMax = sizeof ostitle
        push    ostitle                 ; lpString
        push    23                      ; nIDDlgItem: the title edit control
        push    dword [esp+16]          ; hDlg: first argument, above the three pushes and the return address
        call    [GetDlgItemTextA]
.done:
        xor     eax, eax                ; return 0 -> default processing
        ret     10h
; Everything below (tables, strings, the import directory, the loader image
; and the run-time buffers) lives in one writable .data section.
section '.data' data readable writable
; Resource directory, contents taken from the pre-built rsrc.res (not on this page).
data resource from 'rsrc.res'
end data
align 4
; OPENFILENAMEA for GetOpenFileNameA (76 bytes: the NT4/9x-compatible size).
ofn:
dd 76                                   ; lStructSize
dd 0                                    ; hwndOwner
dd ofn_title_template                   ; hInstance: in-memory dialog template (OFN_ENABLETEMPLATEHANDLE)
dd filter                               ; lpstrFilter
dd 0                                    ; lpstrCustomFilter
dd 0                                    ; nMaxCustFilter
dd 0                                    ; nFilterIndex
dd img_name                             ; lpstrFile: receives the selected path
dd 100h                                 ; nMaxFile = 256 = sizeof img_name
dd 0                                    ; lpstrFileTitle
dd 0                                    ; nMaxFileTitle
dd 0                                    ; lpstrInitialDir
dd ofn_title                            ; lpstrTitle
dd 818A4h                               ; Flags = OFN_EXPLORER | OFN_FILEMUSTEXIST | OFN_PATHMUSTEXIST | OFN_ENABLETEMPLATEHANDLE | OFN_ENABLEHOOK | OFN_HIDEREADONLY
dd 0                                    ; nFileOffset, nFileExtension
dd aImg                                 ; lpstrDefExt = "img"
dd 0                                    ; lCustData
dd ofn_hook                             ; lpfnHook (see ofn_hook)
dd 0                                    ; lpTemplateName
; DLGTEMPLATEEX for the extra pane of the file dialog: a "Title:" label and
; an edit control (id 23, default text "KolibriOS") whose text ofn_hook
; stores in ostitle on WM_DESTROY.
ofn_title_template:
dw 1,-1                                 ; dlgVer = 1, signature = 0FFFFh (extended template)
dd 0                                    ; helpID
dd 0                                    ; exStyle
dd 56000444h                            ; style = WS_CHILD | WS_VISIBLE | WS_CLIPSIBLINGS | WS_CLIPCHILDREN | DS_CONTROL | DS_SETFONT | DS_3DLOOK
dw 2                                    ; cDlgItems
dw 0,0,275,28                           ; x, y, cx, cy (dialog units)
dw 0,0,0                                ; menu, windowClass, title: none
dw 8                                    ; pointsize
dd 0                                    ; weight, italic, charset
du 'MS Sans Serif',0                    ; typeface
align 4
dd 0                                    ; item 1: helpID
dd 0                                    ; exStyle
dd 50010000h                            ; style = WS_CHILD | WS_VISIBLE | WS_TABSTOP
dw 5,12,45,9                            ; x, y, cx, cy
dw -1                                   ; id (low word) ...
dw 0                                    ; ... and high word: id = 0FFFFh
dw -1,82h                               ; windowClass: ordinal 0082h = Static
du 'Title:',0                           ; title
dw 0                                    ; extraCount
align 4
dd 0                                    ; item 2: helpID
dd 204h                                 ; exStyle = WS_EX_CLIENTEDGE | WS_EX_NOPARENTNOTIFY
dd 50010080h                            ; style = WS_CHILD | WS_VISIBLE | WS_TABSTOP | ES_AUTOHSCROLL
dw 54,10,218,12                         ; x, y, cx, cy
dw 23                                   ; id = 23 (read by ofn_hook) ...
dw 0                                    ; ... high word
dw -1,81h                               ; windowClass: ordinal 0081h = Edit
du 'KolibriOS',0                        ; initial text = default menu title
dw 0                                    ; extraCount
; ANSI strings: dialog texts, messages and file names.
filter db 'Image files (*.img)',0,'*.img',0,'All files',0,'*.*',0,0  ; OPENFILENAME filter pairs, double-NUL terminated
ofn_title db 'Select KolibriOS image file',0
aImg db 'img',0                         ; default extension
norightsmsg db 'Cannot query drive info.',10
db 'Probably it is invalid drive or you are not administrator',0  ; continuation of norightsmsg
nohd db 'Image must be on hard disk!',0
m1 db 'Please mail to diamondz@land.ru',0  ; shown when the partition start does not fit in a 32-bit LBA
nom db "Too many mtldr's found!",0
noc db 'Cannot create mtldr file!',0
osstr db 'operating systems',0          ; boot.ini section name
bootini db 'c:\boot.ini',0              ; NOTE(review): hard-coded; assumes the system partition is C:
insterr db 'Cannot write to boot.ini. Probably you are not administrator.',0
insterr2 db 'Cannot open config.sys',0
ptl db 'Path is too long',0
succ db 'Installation successful!',0
suct db 'Success',0
vwin32 db '\\.\vwin32',0                ; Win9x VxD device used by install_9x
config db 'C:\config.sys',0             ; hard-coded C: as well
sec9x2 db ']',13,10                     ; written together with the following "install=" as one 11-byte chunk
install db 'install='
newline db 13,10
menuitem db 'kolibri',0                 ; byte 7 receives the suffix chosen in install_9x_2
mis db 'menuitem='
title9x db ',Load '
title9xsz = $ - title9x
title9x2 db 13,10,13,10,'['
title9x2sz = $ - title9x2
ld1 db 'Load '
ld1sz = $ - ld1
ld2 db '? [y/n]: ',0
ld2sz = $ - ld2                         ; includes the NUL
apf db 'Cannot adjust backup and restore privileges',0
opts db 'OpenProcessToken',0            ; GetProcAddress names for advapi32 (adjust_privilege)
lpvs db 'LookupPrivilegeValueA',0
atps db 'AdjustTokenPrivileges',0
sbn db 'SeBackupPrivilege',0
srn db 'SeRestorePrivilege',0
wmierr db 'BCD WMI API: initialization error',0
coerr db 'Cannot create BCD object for KolibriOS loader',0
setproperr db 'Cannot create BCD element in object for KolibriOS loader',0
orerr db 'Cannot add KolibriOS loader in BCD display list',0
; Wide strings for the WMI calls (install_vista / call_method). They are
; plain NUL-terminated UTF-16 strings, not SysAllocString BSTRs.
ns du 'root\wmi',0                      ; namespace of the BCD provider
retvaln du 'ReturnValue'                ; no terminator of its own: the `du 0` of emptystr below terminates it
emptystr du 0
rpn du '__Relpath',0                    ; system property: object path
bs du 'BcdStore',0                      ; class names
bo du 'BcdObject',0
osn du 'OpenStore',0                    ; method names
con du 'CreateObject',0
don du 'DeleteObject',0
oon du 'OpenObject',0
ssen du 'SetStringElement',0
spden du 'SetPartitionDeviceElement',0
gen du 'GetElement',0
solen du 'SetObjectListElement',0
fn du 'File',0                          ; parameter names (see osp / dop)
storen du 'Store',0
idn du 'Id',0
idsn du 'Ids',0
tn du 'Type',0
obn du 'Object',0
sn du 'String',0
dtn du 'DeviceType',0
aon du 'AdditionalOptions',0
pn du 'Path',0
en du 'Element',0
bg du '{9dea862c-5cdd-4e70-acc1-f32b344d4795}',0  ; the well-known {bootmgr} object id
align 4
advapi32 dd 0                           ; HMODULE cache for adjust_privilege (0 = not loaded yet)

; DIOC_REGISTERS for the vwin32 DOS IOCTL issued by install_9x:
; EBX, EDX, ECX, EAX, EDI, ESI, Flags.
regs:
dd 0                                    ; reg_EBX: drive number, filled in by install_9x
dd diskinfobuf                          ; reg_EDX: output buffer
dd 86Fh                                 ; reg_ECX: CH = 08h (block device), CL = 6Fh - assumed "get drive map info"; confirm
dd 440Dh                                ; reg_EAX: int 21h function 440Dh (generic block-device IOCTL)
dd 0                                    ; reg_EDI
dd 0                                    ; reg_ESI
dd 1                                    ; reg_Flags (preset to 1; not examined by the code)

; Output of the IOCTL above (used as a DRIVEMAPINFO-like block by install_9x).
diskinfobuf:
db 10h,0,0,0FFh                         ; +0 allocation length 10h; +3 INT 13h unit, preset to 0FFh = "none"
times 0Ch db 0                          ; +4 associated drive; +8 / +12 partition start sector low / high

; COM identifiers.
IID_IWbemLocator:                       ; {DC12A687-737F-11CF-884D-00AA004B2E24}
dd 0DC12A687h
dw 737Fh
dw 11CFh
db 88h, 4Dh, 00h, 0AAh, 00h, 4Bh, 2Eh, 24h
CLSID_WbemLocator:                      ; {4590F811-1D3A-11D0-891F-00AA004B2E24}
dd 4590F811h
dw 1D3Ah
dw 11D0h
db 89h, 1Fh, 00h, 0AAh, 00h, 4Bh, 2Eh, 24h
IID_IWbemClassObject:                   ; {DC12A681-737F-11CF-884D-00AA004B2E24} (not referenced on this page)
dd 0DC12A681h
dw 737Fh
dw 11CFh
db 88h, 4Dh, 00h, 0AAh, 00h, 4Bh, 2Eh, 24h
; VARIANTs {vt, reserved, value, pad}: vt 8 = VT_BSTR, 3 = VT_I4.
; NOTE(review): the VT_BSTR values point at plain wide strings without the
; BSTR length prefix - confirm the provider never calls SysStringLen on them.
varemptystr:
dd 8, 0, emptystr, 0                    ; L""
vartmpstr:
dd 8, 0, menuitems, 0                   ; string argument; the pointer is rewritten at run time (menuitems / tmp_data)
varbootmgr:
dd 8, 0, bg, 0                          ; the {bootmgr} object id
vari32:
dd 3, 0, 10400008h, 0                   ; Type argument: object type 10400008h (real-mode boot-sector application) for CreateObject, later the element types
vari32_pd:
dd 3, 0, 2, 0                           ; DeviceType = 2 (partition device - confirm)
; Parameter list walked by the successive call_method calls in install_vista:
; pairs (name, VARIANT*), each method terminated by (0, out-parameter name or 0).
osp:
dd fn, varemptystr                      ; OpenStore(File = "")
dd 0, storen                            ;   -> out Store
dd idn, vartmpstr                       ; CreateObject(Id = new GUID string,
dd tn, vari32                           ;              Type)
dd 0, obn                               ;   -> out Object
dd tn, vari32                           ; SetStringElement(Type,
dd sn, vartmpstr                        ;                  String)   - used twice; install_vista rewinds by 24 bytes
dd 0, 0
dd tn, vari32                           ; SetPartitionDeviceElement(Type,
dd dtn, vari32_pd                       ;                           DeviceType,
dd aon, varemptystr                     ;                           AdditionalOptions = "",
dd pn, vartmpstr                        ;                           Path)
dd 0, 0
dd idn, varbootmgr                      ; OpenObject(Id = {bootmgr})
dd 0, obn                               ;   -> out Object
dd tn, vari32                           ; GetElement(Type)
dd 0, en                                ;   -> out Element
dd tn, vari32                           ; SetObjectListElement(Type,
dd idsn, varout                         ;                      Ids = the grown SAFEARRAY)
dd 0, 0

; Parameter list for the roll-back DeleteObject (wece3).
dop:
dd idn, vartmpstr                       ; DeleteObject(Id)
dd 0, 0
; Import directory. Each DLL gets an IMAGE_IMPORT_DESCRIPTOR and a thunk table
; (the IAT): `Name dd rva Name_thunk` is patched by the loader with the function
; address, and code calls through it as `call [Name]`.
data import
; thunk NAME: emits the hint/name entry "dw 0, db 'NAME',0" referenced by the IAT.
macro thunk a
{a#_thunk:dw 0
db `a,0}
; IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
dd 0,0,0, rva kernel32_name, rva kernel32_thunks
dd 0,0,0, rva user32_name, rva user32_thunks
dd 0,0,0, rva comdlg32_name, rva comdlg32_thunks
dd 0,0,0, rva ole32_name, rva ole32_thunks
dd 0,0,0, rva oleaut32_name, rva oleaut32_thunks
dd 0,0,0,0,0                            ; terminator
kernel32_name db 'kernel32.dll',0
user32_name db 'user32.dll',0
advapi32_name db 'advapi32.dll',0       ; not imported: loaded at run time by adjust_privilege
comdlg32_name db 'comdlg32.dll',0
ole32_name db 'ole32.dll',0
oleaut32_name db 'oleaut32.dll',0

kernel32_thunks:
GetVersion dd rva GetVersion_thunk
CreateFileA dd rva CreateFileA_thunk
DeviceIoControl dd rva DeviceIoControl_thunk
CloseHandle dd rva CloseHandle_thunk
GetFileAttributesA dd rva GetFileAttributesA_thunk
SetFileAttributesA dd rva SetFileAttributesA_thunk
GetLastError dd rva GetLastError_thunk
ReadFile dd rva ReadFile_thunk
WriteFile dd rva WriteFile_thunk
ExitProcess dd rva ExitProcess_thunk
WritePrivateProfileStringA dd rva WritePrivateProfileStringA_thunk
GetShortPathNameA dd rva GetShortPathNameA_thunk
lstrlenA dd rva lstrlenA_thunk
VirtualAlloc dd rva VirtualAlloc_thunk
GetFileSize dd rva GetFileSize_thunk
DeleteFileA dd rva DeleteFileA_thunk
MultiByteToWideChar dd rva MultiByteToWideChar_thunk
GetCurrentProcess dd rva GetCurrentProcess_thunk
LoadLibraryA dd rva LoadLibraryA_thunk
GetProcAddress dd rva GetProcAddress_thunk
dw 0                                    ; together with the first thunk entry's `dw 0` hint this forms the 4-byte IAT terminator
thunk GetVersion
thunk CreateFileA
thunk DeviceIoControl
thunk CloseHandle
thunk GetFileAttributesA
thunk SetFileAttributesA
thunk GetLastError
thunk ReadFile
thunk WriteFile
thunk ExitProcess
thunk WritePrivateProfileStringA
thunk GetShortPathNameA
thunk lstrlenA
thunk VirtualAlloc
thunk GetFileSize
thunk DeleteFileA
thunk MultiByteToWideChar
thunk GetCurrentProcess
thunk LoadLibraryA
thunk GetProcAddress

user32_thunks:
MessageBoxA dd rva MessageBoxA_thunk
CharToOemA dd rva CharToOemA_thunk
OemToCharA dd rva OemToCharA_thunk
GetDlgItemTextA dd rva GetDlgItemTextA_thunk
dw 0                                    ; IAT terminator (same trick as above)
thunk MessageBoxA
thunk CharToOemA
thunk OemToCharA
thunk GetDlgItemTextA

comdlg32_thunks:
GetOpenFileNameA dd rva GetOpenFileNameA_thunk
dw 0
thunk GetOpenFileNameA

ole32_thunks:
CoInitializeEx dd rva CoInitializeEx_thunk
CoUninitialize dd rva CoUninitialize_thunk
CoInitializeSecurity dd rva CoInitializeSecurity_thunk
CoCreateInstance dd rva CoCreateInstance_thunk
CoSetProxyBlanket dd rva CoSetProxyBlanket_thunk
CoCreateGuid dd rva CoCreateGuid_thunk
StringFromGUID2 dd rva StringFromGUID2_thunk
dw 0
thunk CoInitializeEx
thunk CoUninitialize
thunk CoInitializeSecurity
thunk CoCreateInstance
thunk CoSetProxyBlanket
thunk CoCreateGuid
thunk StringFromGUID2

oleaut32_thunks:
VariantClear dd rva VariantClear_thunk
SafeArrayRedim dd rva SafeArrayRedim_thunk
SafeArrayPutElement dd rva SafeArrayPutElement_thunk
SysAllocString dd rva SysAllocString_thunk
SysFreeString dd rva SysFreeString_thunk
dw 0
thunk VariantClear
thunk SafeArrayRedim
thunk SafeArrayPutElement
thunk SysAllocString
thunk SysFreeString
end data
; The loader image (binary built elsewhere, opaque here). The installer
; patches it in place before writing it out: +1 (menu variant on 9x),
; +7 = BIOS drive number, +8 = partition start LBA, +19h = prompt offset,
; +23Ah = prompt text; write_mtldr1 appends the image path after it.
mtldr_code:
file 'mtldr_for_installer'
mtldr_code_size = $ - mtldr_code

; Run-time buffers. Layout matters: dn is immediately followed by img_name
; (so dn+img_name reads "\\.\X:" once img_name is truncated), and img_name,
; img_real_name, mtldr_name are adjacent 256-byte buffers (install_cmn
; relies on img_real_name+256 == mtldr_name).
dn db '\\.\'                            ; device prefix for CreateFileA on the volume
img_name rb 256                         ; path chosen in the file dialog (ofn.lpstrFile)
img_real_name rb 256                    ; 8.3 / lower-cased copy, OEM-converted by write_mtldr1
mtldr_name rb 256                       ; path of the loader file being installed
tmp_data rb 2000h                       ; padding bytes (NT) / wide-string scratch (Vista)
ostitle rb 260                          ; menu title from the dialog (ofn_hook)
systitle rb 262                         ; '"' + ostitle + '"' + NUL for boot.ini

align 4
OpenProcessToken dd ?                   ; resolved at run time by adjust_privilege
LookupPrivilegeValueA dd ?
AdjustTokenPrivileges dd ?
tmp dd ?                                ; bytes-written / bytes-returned sink
sdn rd 3                                ; STORAGE_DEVICE_NUMBER
pi rd 8                                 ; PARTITION_INFORMATION
varout rd 4                             ; VARIANT: WMI results (call_method)
guid rd 4                               ; GUID of the new BCD object
b9x db ?                                ; 1 = Windows 9x (GetVersion high bit), 0 = NT
menuitems rb 100h                       ; 9x: "kolibri<c>" suffixes seen, indexed by byte; Vista: GUID string buffer