; ---[ MSGTEST.ASM ]--------------------[ http://www.harmonysecurity.com ]---
;
; Example Win32 shellcode for eggtest. Will simply display a messagebox
; and exit. Uses LoadLibraryA and GetProcAddress to obtain address of
; function MessageBoxA. For a detailed description see the comments. My
; coding is arseways and my use of registers irrational [should be saving
; values onto the stack, doing something about all those nulls] but it's only
; an example for eggtest, bite me :)
;
; There are three hardcoded addresses in this [all from kernel32.dll], you
; will need to change them to go with your dll version. Use my getaddr app
; to find them. Other than those all addressing is relative/dynamic.
;
; To compile use NASM:
; >nasmw -s -fbin -o msgtest.s msgtest.asm
;
; And to test use my eggtest application (get it at my site):
; >eggtest msgtest.s kernel32.dll
;
; ---[ Author: Steve Fewer ]-----------------[ info@harmonysecurity.com ]---

BITS 32
ORG 0x0

begin:
    jmp short data              ; jump down to data

start:
    pop esi                     ; save the data address (return address pushed by "call start")

loadlib:
    push esi                    ; push string pointer of lib to load ("USER32.DLL")
    mov ecx, dword 0xBFF776D4   ; ecx = address of LoadLibraryA (hardcoded, kernel32.dll)
    call ecx                    ; call LoadLibraryA
    test eax, eax               ; test for fail
    jz exit                     ; exit if returned zero
    mov ecx, eax                ; store returned handle in ecx

procaddr:
    lea eax, [esi+0x0B]         ; eax = pointer to string ("MessageBoxA", 11 bytes past esi)
    push eax                    ; push address onto stack
    push ecx                    ; push lib handle
    mov eax, dword 0xBFF76DAC   ; eax = address of GetProcAddress (hardcoded, kernel32.dll)
    call eax                    ; call GetProcAddress
    test eax, eax               ; test for fail
    jz exit                     ; exit if returned zero
    mov ecx, eax                ; store returned address in ecx

msg:
    xor eax, eax                ; clear eax
    inc eax                     ; increase eax, eax = 1
    push eax                    ; push MB_OKCANCEL (uType)
    lea edx, [esi+0x17]         ; edx = pointer to string (message text, 23 bytes past esi)
    push edx                    ; push pointer to string (lpCaption)
    push edx                    ; push pointer to string (lpText)
    dec eax                     ; decrease eax, eax = 0
    push eax                    ; push NULL onto stack (hWnd)
    call ecx                    ; call MessageBoxA

exit:
    xor eax, eax                ; clear eax
    push eax                    ; push it onto stack (uExitCode = 0)
    mov eax, dword 0xBFF8D4CA   ; eax = address of ExitProcess (hardcoded, kernel32.dll)
    call eax                    ; call ExitProcess

data:
    call start                  ; call start, eip is pushed onto stack
    db "USER32.DLL",0           ; 11 bytes
    db "MessageBoxA",0          ; 12 bytes
    db "PHEAR THE SCREAMING INTERRUPT!!!",0 ; 33 bytes