Untitled

Posted by a guest, Nov 24th, 2013
##PROGEA MOVICON SCADA/HMI Software##
##TCPUploadServer - port:10651 ##

loop:

.text:10016D7C cmp     dword_10049548, 4 --------> dword_1... = 0
.text:10016D83 jnb     short loc_10016DBA

.text:10016D85 mov     ecx, dword_10049548
.text:10016D8B movsx   edx, byte_10048454[ecx]
.text:10016D92 mov     eax, [ebp+var_18]
.text:10016D95 mov     ecx, [eax+694h]
.text:10016D9B mov     eax, [ebp+var_14]
.text:10016D9E movzx   ecx, byte ptr [ecx+eax]
.text:10016DA2 cmp     edx, ecx                 ---->>>> compare bytes (1st to 4th): 4d, 6f, 76, 58
.text:10016DA4 jnz     short loc_10016DB5


.text:10016DA6 mov     edx, dword_10049548 ---->>> edx = 0
.text:10016DAC add     edx, 1           -----> inc edx
.text:10016DAF mov     dword_10049548, edx

.text:10016DB5 loc_10016DB5:
.text:10016DB5 jmp     loc_10016EC0

.text:10016EC0 loc_10016EC0:
.text:10016EC0 cmp     dword_10049548, 6
.text:10016EC7 jnz     loc_100171D6

.text:10016ECD cmp     dword_10049544, 0
.text:10016ED4 jnz     loc_100171D6

.text:100171D6 loc_100171D6:
.text:100171D6 jmp     loc_10016D67

.text:10016D67 loc_10016D67:
.text:10016D67 mov     edx, [ebp+var_14] ---->>> edx = dword_10049548 = 0
.text:10016D6A add     edx, 1 ----> increase edx
.text:10016D6D mov     [ebp+var_14
--loop--

## when dword_10049548 / edx becomes equal to 4,
this func will be called:

.text:10016DC3 mov     eax, [ebp+var_18]
.text:10016DC6 mov     ecx, [eax+694h]
.text:10016DCC mov     edx, [ebp+var_14]
.text:10016DCF mov     al, [ecx+edx]
.text:10016DD2 mov     byte_10049540, al
.text:10016DD7 movzx   ecx, byte_10049540
.text:10016DDE cmp     ecx, 31h          --->> ecx stores the 5th byte of our packet (should be 31h or higher)
.text:10016DE1 jge     short loc_10016E14


.text:10016E14 loc_10016E14:
.text:10016E14 mov     eax, dword_10049548 ; ---> 4
.text:10016E19 add     eax, 1           --> 5
.text:10016E1C mov     dword_10049548, eax
.text:10016E21 jmp     loc_10016EC0


.text:10016EC0 loc_10016EC0:
.text:10016EC0 cmp     dword_10049548, 6 ---> still not equal to 6; go through the last func in the loop again, which makes it equal to 6
.text:10016EC7 jnz     loc_100171D6


### when dword_10049548 becomes equal to 6, this sub function is called:

.text:10016ECD cmp     dword_10049544, 0  --> dword_10049544 stores the 6th byte of the packet, which must be ZERO to pass this cmp
.text:10016ED4 jnz     loc_100171D6

## and here is the func where we wanna go :)
.text:10016EDA movzx   edx, byte_10049540
.text:10016EE1 mov     [ebp+var_20], edx
.text:10016EE4 mov     eax, [ebp+var_20]
.text:10016EE7 sub     eax, 30h
.text:10016EEA mov     [ebp+var_20], eax
.text:10016EED cmp     [ebp+var_20], 44h ; switch 69 cases
.text:10016EF1 ja      loc_100171C2

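The header check walked through in the listing above, rewritten as a stand-alone decoder for captured traffic to port 10651 (an added example for monitoring use, not the paste author's or Progea's code). It assumes the counter-5 step reads the byte right after the opcode byte into dword_10049544, and since the page does not show what happens for a 5th byte below 31h, that case is only flagged.

```python
# Added example (not the paste author's or Progea's code): a decoder for the
# TCPUploadServer header check reconstructed from the listing above, meant for
# classifying captured traffic to port 10651 in a monitoring pipeline.
MAGIC = b"MovX"          # 4d 6f 76 58, compared one byte per loop iteration
MAX_OPCODE = 0x44        # cmp [ebp+var_20], 44h ; switch 69 cases


def decode_header(payload: bytes) -> dict:
    """Walk payload the way the reversed loop does and report the outcome.

    The loop advances the match counter (dword_10049548) only on a byte
    match and never resets it, so the magic is matched as an in-order
    subsequence rather than a contiguous prefix; this mirrors the listing.
    """
    matched = 0                                   # dword_10049548
    i = 0                                         # [ebp+var_14]
    while i < len(payload) and matched < 4:
        if payload[i] == MAGIC[matched]:          # cmp edx, ecx / jnz
            matched += 1
        i += 1                                    # add edx, 1 at loc_10016D67
    if matched < 4:
        return {"state": "no_magic"}
    if i >= len(payload):
        return {"state": "truncated_after_magic"}
    op_byte = payload[i]                          # byte_10049540, the 5th byte
    if op_byte < 0x31:                            # cmp ecx, 31h / jge
        # What the server does below 31h is not shown in the listing (assumption).
        return {"state": "opcode_byte_below_0x31", "op_byte": op_byte}
    if i + 1 >= len(payload):
        return {"state": "truncated_before_sixth_byte", "op_byte": op_byte}
    sixth = payload[i + 1]                        # dword_10049544 (assumed next byte)
    if sixth != 0:                                # cmp dword_10049544, 0 / jnz
        return {"state": "sixth_byte_nonzero", "op_byte": op_byte, "sixth": sixth}
    opcode = op_byte - 0x30                       # sub eax, 30h
    if opcode > MAX_OPCODE:                       # ja loc_100171C2: outside the table
        return {"state": "opcode_out_of_range", "opcode": opcode}
    return {"state": "dispatch", "opcode": opcode, "body_offset": i + 2}


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    for sample in (b"MovX1\x00payload", b"MovX\x75\x00", b"MovX1\x01", b"hello"):
        print(sample, "->", decode_header(sample))
```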
There are some issues in different opcodes.... This lesson is left to the reader.
Whichever organization writes the PoC code may put me and my fellow industry workers to the test ;)
- Celil UNUVER, SignalSEC Ltd.