;===================================================================================
; code by laomms 2007.4.25
;===================================================================================
.386
.model flat, stdcall
option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include w2k\ntstatus.inc
include w2k\ntddk.inc
include w2k\ntoskrnl.inc
includelib d:\masm32\lib\w2k\ntoskrnl.lib
include Strings.mac
include rockey.Inc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.DATA
; Globals used by DispatchControl. Buffer1 and Buffer2 are read back there;
; Buffer3..Buffer10 are only written (snapshots taken in its pusha/popa block)
; and nothing on this page reads them. No synchronization is visible for any
; of them, so concurrent requests share them as-is.
IDstring db 'jhksoft 200010182003218<',0   ; ID string seeded into Buffer1 by the selector-5 path (@@32)
Buffer1 db 72 dup(0)                       ; emulated dongle memory: first 64 bytes zeroed, then IDstring copied in, on every selector-5 request
Buffer2 dw 0                               ; command selector decoded from the request; drives the jump chain after @@23
Buffer3 db 0                               ; word snapshot of *(WORD*)var_2C (the two bytes are declared separately)
db 0
Buffer4 db 4 dup(0)                        ; dword snapshot of *(DWORD*)(decoded dword 0, var_30)
Buffer5 db 4 dup(0)                        ; dword snapshot of *(DWORD*)(decoded dword 1, var_20)
Buffer6 db 0                               ; word snapshot of *(WORD*)(decoded dword 2, var_10)
db 0
Buffer7 db 0                               ; word snapshot of *(WORD*)(decoded dword 3, var_C)
db 0
Buffer8 db 0                               ; word snapshot of *(WORD*)(decoded dword 4, var_14)
db 0
Buffer9 db 0                               ; word snapshot of *(WORD*)(decoded dword 5, var_18)
db 0
Buffer10 db 256 dup(0)                     ; 78h-byte copy of *(decoded dword 6, var_28) when that pointer is non-NULL
.const
; NOTE(review): both macro invocations below are truncated in this listing -
; their string arguments are missing. DriverEntry/DriverUnload reference
; DONGLE_DEVICE_NAME and SymbolicLinkName, which these lines presumably define;
; restore them from the original source before assembling.
CCOUNTED_UNICODE_STRING " ; device name
CCOUNTED_UNICODE_STRING " ; symbolic link
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
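;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING RegistryPath)
; Driver entry point (stdcall). Creates the dongle device object and its
; symbolic link, then installs the IRP dispatch and unload routines.
; Returns STATUS_SUCCESS, or the NTSTATUS returned by the Io* call that
; failed (the original returned a generic STATUS_DEVICE_CONFIGURATION_ERROR
; and discarded the real code). If the symbolic link cannot be created the
; device object is deleted again so nothing is left behind.
; RegistryPath is unused.
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, RegistryPath:PUNICODE_STRING
    LOCAL status:NTSTATUS
    LOCAL pDeviceObject:PVOID

    ; create the virtual device
    invoke IoCreateDevice, pDriverObject, 0, addr DONGLE_DEVICE_NAME, FILE_DEVICE_UNKNOWN, \
                           0, FALSE, addr pDeviceObject
    mov status, eax                             ; keep the real result for the caller
    .if eax == STATUS_SUCCESS
        ; create the user-visible symbolic link to the device
        invoke IoCreateSymbolicLink, addr SymbolicLinkName, addr DONGLE_DEVICE_NAME
        mov status, eax
        .if eax == STATUS_SUCCESS
            mov eax, pDriverObject
            assume eax:PTR DRIVER_OBJECT
            ; IRP dispatch table: open/cleanup/close share one handler, IOCTLs get DispatchControl
            mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose
            mov [eax].MajorFunction[IRP_MJ_CLEANUP*(sizeof PVOID)], offset DispatchCreateClose
            mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
            mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl
            mov [eax].DriverUnload, offset DriverUnload
            assume eax:nothing
        .else
            invoke IoDeleteDevice, pDeviceObject    ; undo the device creation; status already holds the link error
        .endif
    .endif
    mov eax, status
    ret
DriverEntry endp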
;-----------------------------------------------------------------------
; NTSTATUS DispatchCreateClose(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
; Handler for IRP_MJ_CREATE / IRP_MJ_CLEANUP / IRP_MJ_CLOSE: every request is
; accepted unconditionally. Completes the IRP with STATUS_SUCCESS and zero
; bytes transferred, and returns STATUS_SUCCESS. pDeviceObject is unused.
;-----------------------------------------------------------------------
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
    mov edx, pIrp
    mov (_IRP PTR [edx]).IoStatus.Status, STATUS_SUCCESS
    and (_IRP PTR [edx]).IoStatus.Information, 0      ; nothing transferred
    fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT
    mov eax, STATUS_SUCCESS
    ret
DispatchCreateClose endp
;-----------------------------------------------------------------------
; VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
; Undoes DriverEntry: removes the symbolic link, then deletes the device
; object hanging off the driver object.
;-----------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
    invoke IoDeleteSymbolicLink, addr SymbolicLinkName
    mov ecx, pDriverObject
    mov ecx, (DRIVER_OBJECT PTR [ecx]).DeviceObject   ; the single device created in DriverEntry
    invoke IoDeleteDevice, ecx
    ret
DriverUnload endp
;-----------------------------------------------------------------------
; NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
; IRP_MJ_DEVICE_CONTROL handler written with a raw frame (stdcall: `retn 8`;
; pDeviceObject at [ebp+8] is never read). Only control code 0A410E400h is
; handled; every other code is completed untouched at @@35.
;
; Flow for the handled code:
;   1. copy 40 bytes from Irp->AssociatedIrp.SystemBuffer into var_74 and
;      XOR-unchain them in place (@@1);
;   2. parse a header into the selector Buffer2 and a first value var_8
;      (@@2..@@8), then seven delta-coded dwords into var_4C..var_4C+18h
;      (@@10..@@21);
;   3. treat those dwords as pointers: snapshot what they point to into
;      Buffer3..Buffer10 and keep the pointers in var_30/var_20/var_10/
;      var_C/var_14/var_18/var_28, plus var_8 as var_2C (pusha..popa block);
;   4. dispatch on Buffer2 (1, 3, 5, 8, 0Ch, 0Eh) and write result words
;      through those pointers (@@24..@@34);
;   5. complete the IRP with Status 0 and Information 2 after clearing the
;      first word of SystemBuffer (@@35).
;
; Register roles: esi = read index into the decoded buffer (relative to
; var_74); ebx = element index 0..6 inside the @@10 loop (parked in var_1C
; while ebx is reused as scratch); var_1 = "half a byte already consumed"
; flag; var_24 = inner loop counter; eax/ecx/edx/edi scratch.
;
; Security (review): the request comes from whatever can open the device's
; symbolic link, but neither InputBufferLength ([ecx+8]) nor
; OutputBufferLength ([ecx+4]) of the IO_STACK_LOCATION is compared against
; the 40-byte copy, esi is never bounded to those 40 bytes, and the pointers
; decoded out of the request are dereferenced in kernel mode without
; ProbeForRead/ProbeForWrite, NULL checks (except var_2C/var_28 at @@22/@@23)
; or a __try block. The selector-5 path also copies a caller-supplied byte
; count from a caller-supplied offset into the 72-byte Buffer1. Hardening
; would validate both lengths, probe every caller-provided address inside
; exception handling, bound the Buffer1 slice, and restrict who may open the
; device. SystemBuffer is assumed non-NULL even for foreign control codes at
; @@35; that only holds for transfer methods that populate it - confirm.
;-----------------------------------------------------------------------
DispatchControl proc near
var_76 = byte ptr -76h                  ; declared but never referenced (would lie outside the 74h frame)
var_74 = dword ptr -74h                 ; 40-byte decoded request, var_74 .. var_4C-1
var_50 = dword ptr -50h                 ; = element ebx-1 when addressed as [ebx*4+var_50]
var_4C = dword ptr -4Ch                 ; seven decoded dwords ("elements"), indexed by ebx*4
var_30 = dword ptr -30h                 ; pointer copy of element 0   (-> Buffer4)
var_2C = dword ptr -2Ch                 ; pointer copy of var_8       (-> Buffer3)
var_28 = dword ptr -28h                 ; pointer copy of element 6   (-> Buffer10)
var_24 = dword ptr -24h                 ; inner byte-accumulation loop counter
var_20 = dword ptr -20h                 ; pointer copy of element 1   (-> Buffer5)
var_1C = dword ptr -1Ch                 ; saved element index (ebx)
var_18 = dword ptr -18h                 ; pointer copy of element 5   (-> Buffer9)
var_14 = dword ptr -14h                 ; pointer copy of element 4   (-> Buffer8)
var_10 = dword ptr -10h                 ; pointer copy of element 2   (-> Buffer6)
var_C = dword ptr -0Ch                  ; pointer copy of element 3   (-> Buffer7)
var_8 = dword ptr -8                    ; first decoded value
var_1 = byte ptr -1                     ; nibble-alignment flag: 1 = a half byte is pending
pIrp = dword ptr 0Ch
        push ebp
        mov ebp, esp
        sub esp, 74h
        mov eax, [ebp+pIrp]
        push ebx
        push esi
        push edi
        mov ecx, [eax+60h]              ; ecx = Irp->Tail.Overlay.CurrentStackLocation (x86 offsets)
        cmp dword ptr [ecx+0Ch], 0A410E400h ; Parameters.DeviceIoControl.IoControlCode
        jnz @@35                        ; foreign code: complete as-is
        mov esi, [eax+0Ch]              ; esi = Irp->AssociatedIrp.SystemBuffer
        push 0Ah
        pop ecx                         ; 10 dwords
        lea edi, [ebp+var_74]
        push 27h                        ; parked loop count for @@1
        rep movsd                       ; copy 40 request bytes; InputBufferLength is not checked
        pop eax                         ; eax = 27h
@@1:                                    ; unchain in place: byte[i] ^= byte[i-1], i = 27h down to 1
        mov cl, [ebp+eax-75h]
        xor byte ptr [ebp+eax+var_74], cl
        dec eax
        jnz @@1
        mov al, byte ptr [ebp+var_74+1]
        mov cl, byte ptr [ebp+var_74]
        sub ecx, eax
        and ecx, 0FFh                   ; start index = (byte0 - byte1) & 0FFh, unbounded
        mov esi, ecx
        mov al, byte ptr [ebp+esi+var_74]
        mov cl, al
        movzx eax, al
        and cl, 0Fh                     ; cl = low nibble of the header byte
        inc esi
        shr eax, 4                      ; eax = high nibble of the header byte
        test al, 0FEh
        jnz @@5                         ; high nibble >= 2: wide-selector header form
        movzx ax, cl
        mov Buffer2, ax                 ; selector = low nibble
        movzx eax, byte ptr [ebp+esi+var_74]
        mov ecx, eax
        shr eax, 4
        shl eax, 1
        shr eax, 2                      ; eax = (high nibble) >> 1 : length field for var_8
        mov edx, eax
        and ecx, 0Fh                    ; ecx = low nibble: leading part of the value
        shr edx, 1                      ; edx = whole bytes to accumulate
        mov [ebp+var_8], ecx
        jz @@3
@@2:                                    ; var_8 = (var_8 << 8) | next byte, edx times
        movzx edi, byte ptr [ebp+esi+var_74+1]
        inc esi
        shl ecx, 8
        add ecx, edi
        dec edx
        jnz @@2
        mov [ebp+var_8], ecx
@@3:
        and eax, 1
        cmp al, 1
        jnz @@8                         ; even length: byte aligned, clear var_1
        movzx eax, byte ptr [ebp+esi+var_74+1]
        inc esi
        shr eax, 4                      ; odd length: one more high nibble
@@4:                                    ; shared tail: var_8 = (ecx << 4) | nibble, remember the half byte
        shl ecx, 4
        add eax, ecx
        mov [ebp+var_1], 1
        mov [ebp+var_8], eax
        jmp @@9
@@5:                                    ; wide form: selector = (low nibble << 4) | high nibble of the next byte
        mov al, byte ptr [ebp+esi+var_74]
        and [ebp+var_8], 0
        mov dl, al
        and eax, 0Fh
        shr dl, 4
        movzx cx, cl
        movzx dx, dl
        shl eax, 1
        shl ecx, 4
        shr eax, 2                      ; eax = (low nibble) >> 1 : length field for var_8
        add edx, ecx
        inc eax
        mov ecx, eax
        mov Buffer2, dx
        shr ecx, 1                      ; ecx = whole bytes to accumulate
        jz @@7
@@6:                                    ; var_8 = (var_8 << 8) | next byte, ecx times
        movzx edx, byte ptr [ebp+esi+var_74+1]
        mov edi, [ebp+var_8]
        inc esi
        shl edi, 8
        add edx, edi
        dec ecx
        mov [ebp+var_8], edx
        jnz @@6
@@7:
        and eax, 1
        cmp al, 1
        jnz @@8
        movzx eax, byte ptr [ebp+esi+var_74+1]
        mov ecx, [ebp+var_8]
        inc esi
        shr eax, 4
        jmp @@4                         ; trailing nibble, same tail as the narrow form
@@8:
        and [ebp+var_1], 0
@@9:
        xor ebx, ebx                    ; element index
        mov [ebp+var_1C], ebx
@@10:                                   ; per element: length nibble, whole bytes, optional trailing nibble, delta step
        and [ebp+ebx*4+var_4C], 0
        cmp [ebp+var_1], 0
        lea edx, [ebp+ebx*4+var_4C]     ; edx = &element[ebx]; lea keeps the flags for jz
        jz @@12
        mov al, byte ptr [ebp+esi+var_74] ; half byte pending: length = low nibble of the current byte
        and eax, 0Fh
        mov ecx, eax
        shr ecx, 1
        inc ecx
        mov edi, ecx
        shr edi, 1                      ; edi = whole bytes to accumulate
        jz @@15
        mov [ebp+var_24], edi
@@11:
        movzx edi, byte ptr [ebp+esi+var_74+1]
        mov ebx, [edx]
        inc esi
        shl ebx, 8
        add edi, ebx
        dec [ebp+var_24]
        mov [edx], edi                  ; element = (element << 8) | byte
        jnz @@11
        jmp @@14
@@12:                                   ; byte aligned: length = high nibble, value starts with the low nibble
        movzx ecx, byte ptr [ebp+esi+var_74+1]
        inc esi
        mov eax, ecx
        and ecx, 0Fh
        shr eax, 4
        mov [edx], ecx
        mov ecx, eax
        shr ecx, 1
        mov edi, ecx
        shr edi, 1                      ; edi = whole bytes to accumulate
        jz @@15
        mov [ebp+var_24], edi
@@13:
        movzx edi, byte ptr [ebp+esi+var_74+1]
        mov ebx, [edx]
        inc esi
        shl ebx, 8
        add edi, ebx
        dec [ebp+var_24]
        mov [edx], edi                  ; element = (element << 8) | byte
        jnz @@13
@@14:
        mov ebx, [ebp+var_1C]           ; restore the element index (ebx was scratch in the loops above)
@@15:
        and ecx, 1
        cmp cl, 1
        jnz @@16
        movzx edx, byte ptr [ebp+esi+var_74+1]
        mov edi, [ebp+ebx*4+var_4C]
        inc esi
        lea ecx, [ebp+ebx*4+var_4C]
        mov [ebp+var_1], 1
        shr edx, 4
        shl edi, 4
        add edx, edi
        mov [ecx], edx                  ; element = (element << 4) | trailing high nibble
        jmp @@17
@@16:
        and [ebp+var_1], 0
@@17:                                   ; al still holds the length nibble; its low bit picks the delta rule
        test al, 1
        jnz @@19
        test ebx, ebx
        jnz @@18
        mov eax, [ebp+var_8]
        add [ebp+var_4C], eax           ; element[0] += var_8
        jmp @@21
@@18:
        mov eax, [ebp+ebx*4+var_50]
        add [ebp+ebx*4+var_4C], eax     ; element[ebx] += element[ebx-1]
        jmp @@21
@@19:                                   ; element += predecessor - func(10h, (len+1)/2)
        test ebx, ebx
        jnz @@20
        inc eax
        shr eax, 1
        push eax
        push 10h
        call func                       ; arguments are never popped; reclaimed by `leave`
        mov ecx, [ebp+var_8]
        sub ecx, eax
        add [ebp+var_4C], ecx
        jmp @@21
@@20:
        inc eax
        lea edi, [ebp+ebx*4+var_4C]
        shr eax, 1
        push eax
        push 10h
        call func                       ; arguments are never popped; reclaimed by `leave`
        mov ecx, [edi-4]
        sub ecx, eax
        add [edi], ecx
@@21:
        inc ebx
        cmp ebx, 7
        mov [ebp+var_1C], ebx
        jb @@10
        pusha                           ; snapshot block: locals are updated, registers restored by popa
        lea edx, [ebp+var_2C]
        lea eax, Buffer3
        lea ecx, [ebp+var_8]
        mov ecx, [ecx]
        mov [edx], ecx                  ; var_2C = var_8, used as a pointer from here on
        cmp ecx, 0
        jz @@22                         ; NULL-checked (the only deref of var_2C that is)
        mov cx, [ecx]
        mov [eax], cx                   ; Buffer3 = *(WORD*)var_2C
@@22:
        lea edx, [ebp+var_30]
        lea eax, Buffer4
        lea ecx, [ebp+var_4C]
        mov ecx, [ecx]
        mov [edx], ecx                  ; var_30 = element[0]
        mov ecx, [ecx]                  ; dereferenced without NULL check or probing
        mov [eax], ecx                  ; Buffer4 = *(DWORD*)var_30
        lea edx, [ebp+var_20]
        lea eax, Buffer5
        lea ecx, [ebp+var_4C]
        add ecx, 4
        mov ecx, [ecx]
        mov [edx], ecx                  ; var_20 = element[1]
        mov ecx, [ecx]
        mov [eax], ecx                  ; Buffer5 = *(DWORD*)var_20
        lea edx, [ebp+var_10]
        lea eax, Buffer6
        lea ecx, [ebp+var_4C]
        add ecx, 8
        mov ecx, [ecx]
        mov [edx], ecx                  ; var_10 = element[2]
        mov cx, [ecx]
        mov [eax], cx                   ; Buffer6 = *(WORD*)var_10
        lea edx, [ebp+var_C]
        lea eax, Buffer7
        lea ecx, [ebp+var_4C]
        add ecx, 0Ch
        mov ecx, [ecx]
        mov [edx], ecx                  ; var_C = element[3]
        mov cx, [ecx]
        mov [eax], cx                   ; Buffer7 = *(WORD*)var_C
        lea edx, [ebp+var_14]
        lea eax, Buffer8
        lea ecx, [ebp+var_4C]
        add ecx, 10h
        mov ecx, [ecx]
        mov [edx], ecx                  ; var_14 = element[4]
        mov cx, [ecx]
        mov [eax], cx                   ; Buffer8 = *(WORD*)var_14
        lea edx, [ebp+var_18]
        lea eax, Buffer9
        lea ecx, [ebp+var_4C]
        add ecx, 14h
        mov ecx, [ecx]
        mov [edx], ecx                  ; var_18 = element[5]
        mov cx, [ecx]
        mov [eax], cx                   ; Buffer9 = *(WORD*)var_18
        lea edx, [ebp+var_28]
        lea edi, Buffer10
        lea esi, [ebp+var_4C]
        add esi, 18h
        mov esi, [esi]
        mov [edx], esi                  ; var_28 = element[6]
        cmp esi, 0
        jz @@23                         ; NULL-checked
        mov ecx, 78h
        rep movsb                       ; Buffer10[0..77h] = *var_28
@@23:
        popa
        movzx eax, Buffer2              ; dispatch on the selector: 1 / 3 / 5 / 8 / 0Ch / 0Eh
        nop
        dec eax
        jz @@34                         ; 1
        dec eax
        dec eax
        jz @@33                         ; 3
        dec eax
        dec eax
        jz @@32                         ; 5
        sub eax, 3
        jz @@29                         ; 8
        sub eax, 4
        jz @@26                         ; 0Ch
        dec eax
        dec eax
        jnz @@35                        ; anything but 0Eh: nothing to do
        mov eax, [ebp+var_10]           ; selector 0Eh: four-word reply chosen by *(WORD*)var_10
        mov cx, [eax]
        cmp cx, 62h
        jnz @@25
        mov word ptr [eax], 0FFE2h
        mov eax, [ebp+var_C]
        mov word ptr [eax], 248h
@@24:                                   ; common tail for both 0Eh variants
        mov eax, [ebp+var_14]
        mov word ptr [eax], 8
        mov eax, [ebp+var_18]
        mov word ptr [eax], 9961h
        jmp @@35
@@25:
        cmp cx, 21h
        jnz @@35                        ; unknown value: reply left untouched
        mov word ptr [eax], 0FFF5h
        mov eax, [ebp+var_C]
        mov word ptr [eax], 310h
        jmp @@24
@@26:                                   ; selector 0Ch
        mov eax, [ebp+var_10]
        mov ax, [eax]
        cmp ax, 8
        jz @@27
        cmp ax, 9
        jz @@27
        cmp ax, 0Ah
        jz @@27
        mov eax, [ebp+var_C]
        and word ptr [eax], 0           ; overwritten unconditionally at @@28, so the 8/9/0Ah test has no lasting effect
        jmp @@28
@@27:
        mov eax, [ebp+var_C]
        mov word ptr [eax], 1
@@28:
        mov eax, [ebp+var_10]
        mov word ptr [eax], 6
        mov eax, [ebp+var_C]
        mov word ptr [eax], 1
        mov eax, [ebp+var_14]
        and word ptr [eax], 0
        jmp @@35
@@29:                                   ; selector 8: four-word reply keyed by *(DWORD*)var_20
        mov eax, [ebp+var_20]
        mov eax, [eax]
        cmp eax, 1000h
        jnz @@30
        mov eax, [ebp+var_10]
        mov word ptr [eax], 3EDEh
        mov eax, [ebp+var_C]
        mov word ptr [eax], 3D9h
        mov eax, [ebp+var_14]
        mov word ptr [eax], 0E4FEh
        mov eax, [ebp+var_18]
        mov word ptr [eax], 0F406h
        jmp @@35
@@30:
        cmp eax, 112000h
        mov eax, [ebp+var_10]           ; mov preserves the flags for the jnz below
        jnz @@31
        mov word ptr [eax], 0CD34h
        mov eax, [ebp+var_C]
        mov word ptr [eax], 0C955h
        mov eax, [ebp+var_14]
        mov word ptr [eax], 21A5h
        mov eax, [ebp+var_18]
        mov word ptr [eax], 0A2EFh
        jmp @@35
@@31:                                   ; default reply for any other key
        mov word ptr [eax], 39E3h
        mov eax, [ebp+var_C]
        mov word ptr [eax], 58DEh
        mov eax, [ebp+var_14]
        mov word ptr [eax], 0DE5Ch
        mov eax, [ebp+var_18]
        mov word ptr [eax], 10A4h
        jmp @@35
@@32:                                   ; selector 5: rebuild Buffer1 and copy a slice of it to *var_28
        push 10h
        mov edx, offset Buffer1
        pop ecx                         ; 16 dwords
        xor eax, eax
        mov edi, edx
        mov esi, offset IDstring ; "jhksoft 200010182003218<"
        rep stosd                       ; zero the first 64 bytes of Buffer1
        mov edi, esi
        or ecx, 0FFFFFFFFh
        repne scasb                     ; strlen(IDstring)
        not ecx
        dec ecx
        mov edi, edx
        mov eax, ecx
        shr ecx, 2
        rep movsd
        mov ecx, eax
        mov eax, [ebp+var_C]
        and ecx, 3
        rep movsb                       ; Buffer1 = IDstring (dwords, then the byte tail)
        movzx ecx, word ptr [eax]       ; ecx = *(WORD*)var_C : caller-supplied byte count
        mov eax, [ebp+var_10]
        mov edi, [ebp+var_28]           ; edi = caller-supplied destination; not NULL-checked here
        movzx esi, word ptr [eax]       ; *(WORD*)var_10 : caller-supplied offset into Buffer1
        mov eax, ecx
        add esi, edx
        shr ecx, 2
        rep movsd
        mov ecx, eax
        and ecx, 3
        rep movsb                       ; copy; offset + count is not bounded to Buffer1's 72 bytes
        jmp @@35
@@33:                                   ; selector 3
        mov eax, [ebp+var_2C]           ; may be NULL: only the @@22 snapshot checks it
        and word ptr [eax], 0
        mov eax, [ebp+var_20]
        mov dword ptr [eax], 1
        jmp @@35
@@34:                                   ; selector 1
        mov eax, [ebp+var_30]
        mov dword ptr [eax], 2BE534C1h
@@35:                                   ; complete the IRP, handled or not
        mov ecx, [ebp+pIrp] ; Irp
        xor dl, dl ; PriorityBoost
        mov eax, [ecx+0Ch]              ; SystemBuffer, assumed non-NULL
        and word ptr [eax], 0           ; first result word = 0
        and dword ptr [ecx+18h], 0      ; IoStatus.Status = STATUS_SUCCESS
        mov dword ptr [ecx+1Ch], 2      ; IoStatus.Information = 2, regardless of OutputBufferLength
        call ds:IofCompleteRequest      ; fastcall: ecx = Irp, dl = PriorityBoost
        pop edi
        pop esi
        xor eax, eax                    ; return STATUS_SUCCESS
        pop ebx
        leave                           ; also discards the argument pairs left behind by `call func`
        retn 8
DispatchControl endp
;-----------------------------------------------------------------------
; func - repeated-multiply helper with a raw frame (no prologue, arguments
; read straight from the stack):
;   ecx = [esp+4]  (pushed last by the caller)
;   eax = [esp+8]  (pushed first)
;   returns eax = [esp+8] * [esp+4]^([esp+4]-1); eax is returned unchanged
;   when [esp+4] <= 1.
; Clobbers ecx and flags. The callee does not pop its arguments and the call
; sites in DispatchControl do not clean them up either; that frame's `leave`
; discards them.
; NOTE(review): DispatchControl calls this as `push eax / push 10h / call func`,
; so ecx = 10h is the loop count and base while eax is the pushed value; the
; result is value * 16^15, which is 0 in 32-bit arithmetic for every value.
; If 16^value was intended (the surrounding decoder works in nibbles) the
; operand roles look swapped - confirm against the intended protocol before
; changing anything.
;-----------------------------------------------------------------------
func proc near
        mov ecx, [esp+4]                ; loop count (and multiplier, see note)
        mov eax, [esp+8]                ; accumulator start value
        cmp ecx, 1
        jbe @exit                       ; count 0 or 1: return eax as-is
        dec ecx
@@:
        imul eax, [esp+4]               ; eax *= [esp+4], (count - 1) times
        dec ecx
        jnz @b
@exit:
        ret
func endp
end DriverEntry