  ; OllyDbg listing (Intel syntax, 32-bit Windows; stdcall Win32 APIs, cdecl crtdll calls)
  ; of straight-line code in the module Olly names "sfbypass".  What it does, end to end:
  ;   1. make a fresh directory under %TEMP%: GetTempPathA -> GetTempFileNameA (unique=0,
  ;      so the file is created) -> DeleteFileA -> _mkdir on the same name
  ;   2. write two blobs carried in the image into it: "b2e" (0x7C2 bytes from 0040AE00)
  ;      and "b2e.dll" (0x7E00 bytes from 00403000), each via CreateFileA/WriteFile/CloseHandle
  ;   3. LoadLibraryA on the .dll path, GetProcAddress(hModule, "B2E"), call it with no args
  ;   4. FreeLibrary, DeleteFileA the .dll, _rmdir the directory, ExitProcess
  ; Layout facts from the addresses in the listing: 00403000 + 0x7E00 = 0040AE00 and
  ; 0040AE00 + 0x7C2 = 0040B5C2, i.e. DLL blob, second blob and the temp-path buffer are
  ; back to back; the two path buffers 0040B5C2 and 0040B6C1 are 0xFF bytes apart, exactly
  ; the BufSize passed to GetTempPathA (no slack before the next buffer).
  ; String arguments are passed with the CALL-over-inline-string trick: each short CALL
  ; pushes the address of the bytes right after it, which Olly then mis-decodes as
  ; instructions (BOUND / INS / INC EDX / XOR below).  Decoding those bytes as ASCII gives
  ; "b2e", ".dll" and "B2E".
  ; Reviewer summary: none of GetTempPathA, GetTempFileNameA, _mkdir, CreateFileA,
  ; WriteFile, LoadLibraryA or GetProcAddress has its result checked before it is used;
  ; the only defensive test is the INVALID_HANDLE_VALUE check before the second CloseHandle.
  ; For detection purposes the observable sequence is: new <tmp>\<name>.tmp\ directory,
  ; files "b2e" and "b2e.dll" written there, image load of that DLL from %TEMP%, export
  ; "B2E" invoked, then the DLL (but not "b2e") deleted.
  ;
  ; --- 1. temp directory -------------------------------------------------------------
  ; GetTempPathA(0xFF, buf@0040B5C2).  Return value (length / 0 on failure) is not checked.
  1. 00402000 > $ 68 C2B54000 PUSH sfbypass.0040B5C2 ; /Buffer = sfbypass.0040B5C2
  2. 00402005 . 68 FF000000 PUSH 0FF ; |BufSize = FF (255.)
  3. 0040200A . FF15 CEC04000 CALL DWORD PTR DS:[<&KERNEL32.GetTempPat>; \GetTempPathA
  ; GetTempFileNameA(path@0040B5C2, prefix="", unique=0, out@0040B6C1).  unique=0 makes the
  ; API create the file to reserve the name; the result (0 on failure) is not checked.
  4. 00402010 . 68 C1B64000 PUSH sfbypass.0040B6C1 ; /TempName = sfbypass.0040B6C1
  5. 00402015 . 6A 00 PUSH 0 ; |Unique = 0
  6. 00402017 . 68 24B84000 PUSH sfbypass.0040B824 ; |Prefix = ""
  7. 0040201C . 68 C2B54000 PUSH sfbypass.0040B5C2 ; |Path = ""
  8. 00402021 . FF15 CAC04000 CALL DWORD PTR DS:[<&KERNEL32.GetTempFil>; \GetTempFileNameA
  ; Delete the reserved file and re-create the same name as a directory.  Between these two
  ; calls the name is unowned (TOCTOU window); because _mkdir's return value is ignored, a
  ; directory that already exists under that name would be used silently.  In a default,
  ; per-user %TEMP% this needs a same-user attacker; NOTE(review): matters more if %TEMP%
  ; is shared.
  9. 00402027 . 68 C1B64000 PUSH sfbypass.0040B6C1 ; /FileName = ""
  10. 0040202C . FF15 AEC04000 CALL DWORD PTR DS:[<&KERNEL32.DeleteFile>; \DeleteFileA
  ; _mkdir takes a single argument; the extra PUSH 0 is an unused slot that ADD ESP,8
  ; cleans up together with the path (cdecl).
  11. 00402032 . 6A 00 PUSH 0
  12. 00402034 . 68 C1B64000 PUSH sfbypass.0040B6C1 ; /path = ""
  13. 00402039 . FF15 CCC14000 CALL DWORD PTR DS:[<&crtdll._mkdir>] ; \_mkdir
  14. 0040203F . 83C4 08 ADD ESP,8
  ; Append a trailing backslash so the file names below can be concatenated onto it.
  15. 00402042 . 68 C1B64000 PUSH sfbypass.0040B6C1 ; /Path = ""
  16. 00402047 . FF15 8AC14000 CALL DWORD PTR DS:[<&shlwapi.PathAddBack>; \PathAddBackslashA
  ;
  ; --- 2a. first blob: "<dir>\b2e", 0x7C2 bytes from 0040AE00 ---------------------------
  ; CALL 00402056 is 5 bytes, so the pushed "return address" 00402052 points at the bytes
  ; 62 32 65 00 = "b2e".  That pointer is lstrcatA's lpString2; the next PUSH is lpString1.
  17. 0040204D . E8 04000000 CALL sfbypass.00402056
  18. 00402052 . 6232 BOUND ESI,QWORD PTR DS:[EDX]
  19. 00402054 65 DB 65 ; CHAR 'e'
  20. 00402055 00 DB 00
  ; lstrcatA(path@0040B6C1, "b2e") -> "<dir>\b2e".  ESI keeps the returned pointer, which
  ; is never read again in this listing.
  21. 00402056 . 68 C1B64000 PUSH sfbypass.0040B6C1 ; |ConcatString = ""
  22. 0040205B . FF15 C6C04000 CALL DWORD PTR DS:[<&KERNEL32.lstrcatA>] ; \lstrcatA
  23. 00402061 . 89C6 MOV ESI,EAX
  ; CreateFileA(path, GENERIC_WRITE, share=0, no SECURITY_ATTRIBUTES (inherits the
  ; directory's default DACL), CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL).
  24. 00402063 . 6A 00 PUSH 0 ; /hTemplateFile = NULL
  25. 00402065 . 68 80000000 PUSH 80 ; |Attributes = NORMAL
  26. 0040206A . 6A 02 PUSH 2 ; |Mode = CREATE_ALWAYS
  27. 0040206C . 6A 00 PUSH 0 ; |pSecurity = NULL
  28. 0040206E . 6A 00 PUSH 0 ; |ShareMode = 0
  29. 00402070 . 68 00000040 PUSH 40000000 ; |Access = GENERIC_WRITE
  30. 00402075 . 68 C1B64000 PUSH sfbypass.0040B6C1 ; |FileName = ""
  31. 0040207A . FF15 AAC04000 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
  ; The CMP sets flags that no conditional branch consumes; the handle is stored at
  ; 0040B990 and handed to WriteFile without an INVALID_HANDLE_VALUE test.
  32. 00402080 . 3B05 90B94000 CMP EAX,DWORD PTR DS:[40B990]
  33. 00402086 . A3 90B94000 MOV DWORD PTR DS:[40B990],EAX
  ; WriteFile(h, 0040AE00, 0x7C2, &bytesWritten@0040B994, NULL).  Olly's "hFile = FFFFFFFF"
  ; is just the memory contents at dump time, not a computed value.
  34. 0040208B . 6A 00 PUSH 0 ; /pOverlapped = NULL
  35. 0040208D . 68 94B94000 PUSH sfbypass.0040B994 ; |pBytesWritten = sfbypass.0040B994
  36. 00402092 . 68 C2070000 PUSH 7C2 ; |nBytesToWrite = 7C2 (1986.)
  37. 00402097 . 68 00AE4000 PUSH sfbypass.0040AE00 ; |Buffer = sfbypass.0040AE00
  38. 0040209C . FF35 90B94000 PUSH DWORD PTR DS:[40B990] ; |hFile = FFFFFFFF
  39. 004020A2 . FF15 BEC04000 CALL DWORD PTR DS:[<&KERNEL32.WriteFile>>; \WriteFile
  ; Short-write check whose flags are never used: neither the BOOL in EAX nor this CMP
  ; influences control flow.
  40. 004020A8 . 813D 94B94000 >CMP DWORD PTR DS:[40B994],7C2
  41. 004020B2 . FF35 90B94000 PUSH DWORD PTR DS:[40B990] ; /hObject = FFFFFFFF
  42. 004020B8 . FF15 A6C04000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
  ;
  ; --- 2b. second blob: "<dir>\b2e.dll", 0x7E00 bytes from 00403000 ---------------------
  ; Same trick: the pushed address 004020C3 points at 2E 64 6C 6C 00 = ".dll".
  43. 004020BE . E8 05000000 CALL sfbypass.004020C8
  44. 004020C3 . 2E: PREFIX CS: ; Superfluous prefix
  45. 004020C4 . 64:6C INS BYTE PTR ES:[EDI],DX ; I/O command
  46. 004020C6 . 6C INS BYTE PTR ES:[EDI],DX ; I/O command
  47. 004020C7 00 DB 00
  ; lstrcatA(path, ".dll") -> "<dir>\b2e.dll"; the path buffer now names the DLL.
  48. 004020C8 . 68 C1B64000 PUSH sfbypass.0040B6C1 ; |ConcatString = ""
  49. 004020CD . FF15 C6C04000 CALL DWORD PTR DS:[<&KERNEL32.lstrcatA>] ; \lstrcatA
  ; CreateFileA with the same flags as above; the handle overwrites the slot at 0040B990.
  50. 004020D3 . 6A 00 PUSH 0 ; /hTemplateFile = NULL
  51. 004020D5 . 68 80000000 PUSH 80 ; |Attributes = NORMAL
  52. 004020DA . 6A 02 PUSH 2 ; |Mode = CREATE_ALWAYS
  53. 004020DC . 6A 00 PUSH 0 ; |pSecurity = NULL
  54. 004020DE . 6A 00 PUSH 0 ; |ShareMode = 0
  55. 004020E0 . 68 00000040 PUSH 40000000 ; |Access = GENERIC_WRITE
  56. 004020E5 . 68 C1B64000 PUSH sfbypass.0040B6C1 ; |FileName = ""
  57. 004020EA . FF15 AAC04000 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
  58. 004020F0 . 3B05 90B94000 CMP EAX,DWORD PTR DS:[40B990]
  59. 004020F6 . A3 90B94000 MOV DWORD PTR DS:[40B990],EAX
  ; WriteFile(h, 00403000, 0x7E00, &bytesWritten, NULL) -- again before any handle check.
  60. 004020FB . 6A 00 PUSH 0 ; /pOverlapped = NULL
  61. 004020FD . 68 94B94000 PUSH sfbypass.0040B994 ; |pBytesWritten = sfbypass.0040B994
  62. 00402102 . 68 007E0000 PUSH 7E00 ; |nBytesToWrite = 7E00 (32256.)
  63. 00402107 . 68 00304000 PUSH sfbypass.00403000 ; |Buffer = sfbypass.00403000
  64. 0040210C . FF35 90B94000 PUSH DWORD PTR DS:[40B990] ; |hFile = FFFFFFFF
  65. 00402112 . FF15 BEC04000 CALL DWORD PTR DS:[<&KERNEL32.WriteFile>>; \WriteFile
  ; JE SHORT with rel8 = 0 (bytes 74 00) targets the very next instruction, so the
  ; short-write test is a no-op on both outcomes.
  66. 00402118 . 813D 94B94000 >CMP DWORD PTR DS:[40B994],7E00
  67. 00402122 . 74 00 JE SHORT sfbypass.00402124
  ; The only handle check in the listing -- and it guards CloseHandle, after WriteFile
  ; has already used the handle.
  68. 00402124 > 833D 90B94000 >CMP DWORD PTR DS:[40B990],-1
  69. 0040212B . 74 0C JE SHORT sfbypass.00402139
  70. 0040212D . FF35 90B94000 PUSH DWORD PTR DS:[40B990] ; /hObject = FFFFFFFF
  71. 00402133 . FF15 A6C04000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
  ;
  ; --- 3. load the dropped DLL and call its export ----------------------------------
  ; LoadLibraryA("<dir>\b2e.dll"); hModule stored at 0040B987 without a NULL check.
  ; Loading a freshly written module from %TEMP% by absolute path is the behaviour a
  ; detection rule for this sample would key on.
  72. 00402139 > 68 C1B64000 PUSH sfbypass.0040B6C1 ; /FileName = ""
  73. 0040213E . FF15 BAC04000 CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>; \LoadLibraryA
  74. 00402144 . A3 87B94000 MOV DWORD PTR DS:[40B987],EAX
  ; Pushed address 0040214E -> bytes 42 32 45 00 = "B2E" (lpProcName); the next PUSH is
  ; hModule.  Olly draws the rest as a subroutine (/$ ... \.) only because of this CALL;
  ; it is still straight-line code that ends in ExitProcess and never returns.
  75. 00402149 . E8 04000000 CALL sfbypass.00402152
  76. 0040214E . 42 INC EDX
  77. 0040214F . 3245 00 XOR AL,BYTE PTR SS:[EBP]
  78. 00402152 /$ FF35 87B94000 PUSH DWORD PTR DS:[40B987] ; |hModule = NULL
  79. 00402158 |. FF15 C2C04000 CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>; \GetProcAddress
  80. 0040215E |. A3 8BB94000 MOV DWORD PTR DS:[40B98B],EAX
  ; Indirect call of the export with EAX = 0 and nothing pushed (no arguments).  If
  ; GetProcAddress returned NULL this calls address 0 -- no check is made.
  81. 00402163 |. 31C0 XOR EAX,EAX
  82. 00402165 |. FF15 8BB94000 CALL DWORD PTR DS:[40B98B]
  ;
  ; --- 4. cleanup --------------------------------------------------------------------
  83. 0040216B |. FF35 87B94000 PUSH DWORD PTR DS:[40B987] ; /hLibModule = NULL
  84. 00402171 |. FF15 B6C04000 CALL DWORD PTR DS:[<&KERNEL32.FreeLibrar>; \FreeLibrary
  ; Deletes "<dir>\b2e.dll" only.  The first file, "<dir>\b2e", is never deleted here;
  ; unless the B2E export removed it, the directory is non-empty and _rmdir below fails
  ; (its return value is not checked), leaving the artefacts on disk.
  85. 00402177 |. 68 C1B64000 PUSH sfbypass.0040B6C1 ; /FileName = ""
  86. 0040217C |. FF15 AEC04000 CALL DWORD PTR DS:[<&KERNEL32.DeleteFile>; \DeleteFileA
  ; PathRemoveFileSpecA strips "\b2e.dll", turning the buffer back into the directory path.
  87. 00402182 |. 68 C1B64000 PUSH sfbypass.0040B6C1 ; /Path = ""
  88. 00402187 |. FF15 86C14000 CALL DWORD PTR DS:[<&shlwapi.PathRemoveF>; \PathRemoveFileSpecA
  ; Same unused extra PUSH 0 as with _mkdir; ADD ESP,8 cleans both slots.
  89. 0040218D |. 6A 00 PUSH 0
  90. 0040218F |. 68 C1B64000 PUSH sfbypass.0040B6C1 ; /path = ""
  91. 00402194 |. FF15 C8C14000 CALL DWORD PTR DS:[<&crtdll._rmdir>] ; \_rmdir
  92. 0040219A |. 83C4 08 ADD ESP,8
  ; Exit code is whatever the last WriteFile left in the bytes-written slot at 0040B994
  ; (0x7E00 after a full write), not a success/failure status.  Olly's "ExitCode = 0" is
  ; the value in memory at dump time.
  93. 0040219D |. FF35 94B94000 PUSH DWORD PTR DS:[40B994] ; /ExitCode = 0
  94. 004021A3 \. FF15 B2C04000 CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess