  1. ## PROGEA MOVICON SCADA/HMI Software ##
  2. ## TCPUploadServer - listens on TCP port 10651 - IDA disassembly (32-bit x86, Intel syntax) of the inbound packet parsing loop; text after "---->" is the analyst's annotation ##
  3.  
  4. loop (one iteration per packet byte; [ebp+var_14] is the byte index into the packet, dword_10049548 is the match-state counter):
  5.  
  6. .text:10016D7C cmp dword_10049548, 4 --------> dword_10049548 is the match-state counter, 0 at the start of a packet
  7. .text:10016D83 jnb short loc_10016DBA --------> unsigned compare: once the counter is >= 4 the signature compare below is skipped
  8.  
  9. .text:10016D85 mov ecx, dword_10049548
  10. .text:10016D8B movsx edx, byte_10048454[ecx] ---->>> edx = expected signature byte [counter], sign-extended
  11. .text:10016D92 mov eax, [ebp+var_18]
  12. .text:10016D95 mov ecx, [eax+694h] ---->>> ecx = packet buffer (pointer kept at offset 694h of the structure var_18 points to)
  13. .text:10016D9B mov eax, [ebp+var_14]
  14. .text:10016D9E movzx ecx, byte ptr [ecx+eax]
  15. .text:10016DA2 cmp edx, ecx ---->>>> compare packet byte [var_14] with signature byte [counter]; the expected 4-byte signature is 4Dh 6Fh 76h 58h (ASCII "MovX"). The movsx/movzx asymmetry is harmless here since all four signature bytes are below 80h.
  16. .text:10016DA4 jnz short loc_10016DB5 ---->>> mismatch: counter is not advanced
  17.  
  18.  
  19. .text:10016DA6 mov edx, dword_10049548 ---->>> match: edx = counter (0 on the first matching byte)
  20. .text:10016DAC add edx, 1 -----> inc edx
  21. .text:10016DAF mov dword_10049548, edx
  22.  
  23. .text:10016DB5 loc_10016DB5:
  24. .text:10016DB5 jmp loc_10016EC0
  25.  
  26. .text:10016EC0 loc_10016EC0:
  27. .text:10016EC0 cmp dword_10049548, 6
  28. .text:10016EC7 jnz loc_100171D6
  29.  
  30. .text:10016ECD cmp dword_10049544, 0
  31. .text:10016ED4 jnz loc_100171D6
  32.  
  33. .text:100171D6 loc_100171D6:
  34. .text:100171D6 jmp loc_10016D67 ---->>> back to the loop top: advance to the next packet byte
  35.  
  36. .text:10016D67 loc_10016D67:
  37. .text:10016D67 mov edx, [ebp+var_14] ---->>> edx = var_14, the packet byte index (NOT the state counter dword_10049548)
  38. .text:10016D6A add edx, 1 ----> increase edx
  39. .text:10016D6D mov [ebp+var_14], edx ---->>> (line truncated in the paste; the stored source is presumed to be edx from the add above) save the incremented byte index
  40. -- back to the loop top with the next packet byte --
  41.  
  42. ## once dword_10049548 reaches 4 (all four signature bytes matched), the jnb at 10016D83 (to loc_10016DBA, not shown) leads to this block
  43. instead of the signature compare:
  44.  
  45. .text:10016DC3 mov eax, [ebp+var_18]
  46. .text:10016DC6 mov ecx, [eax+694h]
  47. .text:10016DCC mov edx, [ebp+var_14]
  48. .text:10016DCF mov al, [ecx+edx]
  49. .text:10016DD2 mov byte_10049540, al
  50. .text:10016DD7 movzx ecx, byte_10049540
  51. .text:10016DDE cmp ecx, 31h --->> ecx = 5th packet byte (also saved in byte_10049540); it must be >= 31h ('1') to take the jge
  52. .text:10016DE1 jge short loc_10016E14 --->> signed compare, harmless since movzx yields 0..255; the fall-through path for bytes below 31h is not in this excerpt
  53.  
  54.  
  55. .text:10016E14 loc_10016E14:
  56. .text:10016E14 mov eax, dword_10049548 ; ---> 4
  57. .text:10016E19 add eax, 1 --> 5
  58. .text:10016E1C mov dword_10049548, eax
  59. .text:10016E21 jmp loc_10016EC0
  60.  
  61.  
  62. .text:10016EC0 loc_10016EC0:
  63. .text:10016EC0 cmp dword_10049548, 6 --->counter is now 5, not 6, so control goes back to the loop top; per the author the next (6th) byte takes the counter to 6 (that path is not in the excerpt)
  64. .text:10016EC7 jnz loc_100171D6
  65.  
  66.  
  67. ### once dword_10049548 == 6, the second header check below runs:
  68.  
  69. .text:10016ECD cmp dword_10049544, 0 --> author's note: dword_10049544 holds the 6th packet byte and must be 0 to pass this check (the code that fills dword_10049544 is not in the excerpt)
  70. .text:10016ED4 jnz loc_100171D6
  71.  
  72. ## and this is the dispatch we want to reach: the 5th packet byte selects the command handler. In this excerpt nothing beyond the 4-byte "MovX" signature and the two byte checks above gates the dispatch.
  73. .text:10016EDA movzx edx, byte_10049540
  74. .text:10016EE1 mov [ebp+var_20], edx
  75. .text:10016EE4 mov eax, [ebp+var_20]
  76. .text:10016EE7 sub eax, 30h
  77. .text:10016EEA mov [ebp+var_20], eax
  78. .text:10016EED cmp [ebp+var_20], 44h ; switch on (5th byte - 30h): 69 cases, 0..44h, i.e. bytes '0'..'t'
  79. .text:10016EF1 ja loc_100171C2 ---->>> unsigned: any value above 44h (including bytes below 30h, which wrap after the sub) goes to the default case at loc_100171C2
  80.  
  81. Several of the 69 opcode handlers have issues (not detailed here); working them out is left to the reader.
  82. (translated from Turkish) The organisation that writes the PoC code is welcome to put me and the rest of the industry's practitioners to the test ;)
  83. - Celil UNUVER , SignalSEC Ltd.