Untitled
Posted by a guest, Nov 24th, 2013
##PROGEA MOVICON SCADA/HMI Software##
##TCPUploadServer - port:10651 ##

loop:

.text:10016D7C cmp     dword_10049548, 4 --------> dword_1... = 0
.text:10016D83 jnb     short loc_10016DBA

.text:10016D85 mov     ecx, dword_10049548
.text:10016D8B movsx   edx, byte_10048454[ecx]
.text:10016D92 mov     eax, [ebp+var_18]
.text:10016D95 mov     ecx, [eax+694h]
.text:10016D9B mov     eax, [ebp+var_14]
.text:10016D9E movzx   ecx, byte ptr [ecx+eax]
.text:10016DA2 cmp     edx, ecx                 ---->>>> compare bytes (1st to 4th): 4d, 6f, 76, 58
.text:10016DA4 jnz     short loc_10016DB5


.text:10016DA6 mov     edx, dword_10049548 ---->>> edx = 0
.text:10016DAC add     edx, 1           -----> inc edx
.text:10016DAF mov     dword_10049548, edx

.text:10016DB5 loc_10016DB5:
.text:10016DB5 jmp     loc_10016EC0

.text:10016EC0 loc_10016EC0:
.text:10016EC0 cmp     dword_10049548, 6
.text:10016EC7 jnz     loc_100171D6

.text:10016ECD cmp     dword_10049544, 0
.text:10016ED4 jnz     loc_100171D6

.text:100171D6 loc_100171D6:
.text:100171D6 jmp     loc_10016D67

.text:10016D67 loc_10016D67:
.text:10016D67 mov     edx, [ebp+var_14] ---->>> edx = dword_10049548 = 0
.text:10016D6A add     edx, 1 ----> increase edx
.text:10016D6D mov     [ebp+var_14
--loop--

## when dword_10049548 / edx becomes equal to 4,
this block is executed:

.text:10016DC3 mov     eax, [ebp+var_18]
.text:10016DC6 mov     ecx, [eax+694h]
.text:10016DCC mov     edx, [ebp+var_14]
.text:10016DCF mov     al, [ecx+edx]
.text:10016DD2 mov     byte_10049540, al
.text:10016DD7 movzx   ecx, byte_10049540
.text:10016DDE cmp     ecx, 31h          --->> ecx holds the 5th byte of our packet (must be 0x31 or higher)
.text:10016DE1 jge     short loc_10016E14


.text:10016E14 loc_10016E14:
.text:10016E14 mov     eax, dword_10049548 ; ---> 4
.text:10016E19 add     eax, 1           --> 5
.text:10016E1C mov     dword_10049548, eax
.text:10016E21 jmp     loc_10016EC0


.text:10016EC0 loc_10016EC0:
.text:10016EC0 cmp     dword_10049548, 6 ---> still not equal to 6; go through the last block of the loop once more and it becomes 6
.text:10016EC7 jnz     loc_100171D6


### when dword_10049548 becomes equal to 6, this subroutine is reached:

.text:10016ECD cmp     dword_10049544, 0  --> dword_10049544 stores the 6th byte of the packet, and it must be ZERO to pass this cmp
.text:10016ED4 jnz     loc_100171D6

## and here is the function we want to reach :)
.text:10016EDA movzx   edx, byte_10049540
.text:10016EE1 mov     [ebp+var_20], edx
.text:10016EE4 mov     eax, [ebp+var_20]
.text:10016EE7 sub     eax, 30h
.text:10016EEA mov     [ebp+var_20], eax
.text:10016EED cmp     [ebp+var_20], 44h ; switch 69 cases
.text:10016EF1 ja      loc_100171C2

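The disassembly above describes a small header state machine: a counter (dword_10049548) that advances over the four magic bytes 4d 6f 76 58, a fifth byte that is stored and must be at least 0x31, a sixth byte that must be zero, and finally a dispatch on (fifth byte - 0x30) with 0x44 as the highest case the jump table covers. The following Python replays that logic the way a protocol decoder in a network sensor or IDS would, so that a defender can log which opcode a TCPUploadServer packet requests and whether it lands inside the switch. This is an added example written for this page; it is neither the paste author's code nor Progea's. It relies on the constant values quoted in the paste; the handling of the sixth byte and of opcodes below 0x31 is not shown in the listing and is an assumption, marked as such in the code.

```python
from typing import Optional

# Taken from the paste's comment on the first loop: the four bytes compared
# are 4d 6f 76 58, i.e. "MovX".
MAGIC = b"MovX"

# From "cmp [ebp+var_20], 44h ; switch 69 cases": after "sub eax, 30h" the
# opcode index must be <= 0x44, otherwise "ja loc_100171C2" leaves the switch.
MAX_CASE = 0x44


def parse_upload_header(packet: bytes) -> Optional[dict]:
    """Replay the header checks from the disassembly.

    `state` mirrors dword_10049548 (number of header bytes accepted so far).
    Returns None when the server-side checks shown in the paste would reject
    the header, otherwise the decoded opcode and its switch case.
    """
    state = 0          # dword_10049548
    opcode = None      # byte_10049540, the 5th byte
    sixth = None       # dword_10049544, the 6th byte

    for b in packet:   # [ebp+var_14] walks the buffer one byte at a time
        if state < 4:
            # "cmp edx, ecx / jnz loc_10016DB5": in the shown code a mismatch
            # does not reset the counter, it just advances to the next byte.
            if b == MAGIC[state]:
                state += 1
        elif state == 4:
            # 5th byte goes to byte_10049540 and is compared against 0x31.
            # The path for smaller values is not in the paste; treated here
            # as a reject (assumption).
            if b < 0x31:
                return None
            opcode = b
            state = 5
        elif state == 5:
            # Assumed from the comment that dword_10049544 holds the 6th
            # byte; the store itself is not in the listing.
            sixth = b
            state = 6
            break

    # "cmp dword_10049548, 6" followed by "cmp dword_10049544, 0"
    if state != 6 or sixth != 0:
        return None

    case = opcode - 0x30   # "sub eax, 30h"
    return {"opcode": opcode, "case": case, "in_switch": case <= MAX_CASE}


def describe(packet: bytes) -> str:
    """One log line per packet, as a sensor's protocol decoder would emit it."""
    hdr = parse_upload_header(packet)
    if hdr is None:
        return "rejected: header checks not satisfied"
    verdict = "dispatched" if hdr["in_switch"] else "outside jump table (ja loc_100171C2)"
    return f"opcode=0x{hdr['opcode']:02x} case={hdr['case']} {verdict}"


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    for sample in (b"MovX\x31\x00", b"MovX\x41\x00", b"MovX\x75\x00",
                   b"MovX\x31\x01", b"MovX\x30\x00", b"Mov"):
        print(sample, "->", describe(sample))
```

Logging the decoded case number per connection is what makes the author's closing remark actionable for a defender: a monitoring rule can alert on opcodes that are rarely or never used by the legitimate Movicon client without needing to know which of the 69 handlers is faulty.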
There are some issues in different opcodes.... This lesson is left up to the reader.
The institution that wrote the PoC code may put me and the people working in this sector to the test ;)
- Celil UNUVER, SignalSEC Ltd.