[spam][crazy] bomb malware
Karl
gmkarl at gmail.com
Tue Dec 14 03:31:38 PST 2021
I'm looking at this autogenerated Ghidra decompilation. I labeled the
flag as a bool. PTR_DAT_0804e024 contains the address of DAT_0804e00c
which contains void at start.
The logic here is a little confusing. I'm trying to put comments inline below.
void FUN_080480c0(void)
{
    code *pcVar1;
    // code runs only once, sets a flag
    if (BOOL_0804e080 == false) {
        // loop dereferences the ptr, and continues only if it is nonzero
        while (pcVar1 = *(code **)PTR_DAT_0804e024, pcVar1 != (code *)0x0) {
            // ptr is incremented to _next_ value (since this is 32 bit code)
            PTR_DAT_0804e024 = PTR_DAT_0804e024 + 4;
            // _old_ value is dereferenced and called?
            (*pcVar1)();
        }
        BOOL_0804e080 = true;
    }
    return;
}
It looks like it needs to be called at the right time, and calls a
hidden function when that is done? And may also increment a pointer?
I'd like to review it again.
Here's the disassembly:
**************************************************************
*                          FUNCTION                          *
**************************************************************
undefined __cdecl FUN_080480c0(void)
    undefined    AL:1    <RETURN>
FUN_080480c0                          XREF[1]: FUN_0804dbd6:0804dbe5(c)
080480c0 55                      PUSH   EBP
080480c1 89 e5                   MOV    EBP,ESP
080480c3 83 ec 08                SUB    ESP,0x8
080480c6 80 3d 80 e0 04 08 00    CMP    byte ptr [BOOL_0804e080],0x0    = ??
080480cd 74 0c                   JZ     LAB_080480db
080480cf eb 35                   JMP    LAB_08048106
LAB_080480d1                          XREF[1]: 080480e4(j)
080480d1 83 c0 04                ADD    EAX,0x4
080480d4 a3 24 e0 04 08          MOV    [PTR_DAT_0804e024],EAX          = 0804e00c
080480d9 ff d2                   CALL   EDX
LAB_080480db                          XREF[1]: 080480cd(j)
080480db a1 24 e0 04 08          MOV    EAX,[PTR_DAT_0804e024]          = 0804e00c
080480e0 8b 10                   MOV    EDX,dword ptr [EAX]=>DAT_0804e00c
080480e2 85 d2                   TEST   EDX,EDX
080480e4 75 eb                   JNZ    LAB_080480d1
080480e6 b8 00 00 00 00          MOV    EAX,0x0
080480eb 85 c0                   TEST   EAX,EAX
080480ed 74 10                   JZ     LAB_080480ff
080480ef 83 ec 0c                SUB    ESP,0xc
080480f2 68 08 df 04 08          PUSH   0x804df08
080480f7 e8 04 7f fb f7          CALL   SUB_00000000
080480fc 83 c4 10                ADD    ESP,0x10
LAB_080480ff                          XREF[1]: 080480ed(j)
080480ff c6 05 80 e0 04 08 01    MOV    byte ptr [BOOL_0804e080],0x1    = ??
LAB_08048106                          XREF[1]: 080480cf(j)
08048106 c9                      LEAVE
08048107 c3                      RET
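Added example, my own C rather than code from the post or the binary: the decompiled loop restated so it compiles, with the three globals given constructed contents so the pointer walk actually runs and the once-flag makes a second call a no-op. It assumes the listing is the NULL-terminated function-pointer walk GCC's crtstuff uses for __do_global_dtors_aux (my reading, not stated in the post), and the listing's MOV EAX,0x0 / TEST EAX,EAX / JZ makes the guarded CALL SUB_00000000 unreachable, which is why the decompiler omitted it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Ghidra's "code" is a function body; we need a pointer to one. */
typedef void (*code)(void);

/* Constructed bookkeeping so the call order can be checked. */
static int calls[4];
static int ncalls = 0;
static void dtor_a(void) { calls[ncalls++] = 1; }
static void dtor_b(void) { calls[ncalls++] = 2; }

/* DAT_0804e00c: NULL-terminated table of function pointers. In the real
 * binary the post says the first entry is 0, so the walk exits at once;
 * here it is filled (constructed) so the loop body is exercised. */
static code DAT_0804e00c[] = { dtor_a, dtor_b, NULL };

/* PTR_DAT_0804e024: a mutable cursor into that table (the listing stores
 * EAX+4 back into it, so the global itself advances). */
static code *PTR_DAT_0804e024 = DAT_0804e00c;

/* BOOL_0804e080: the "already ran" flag. */
static bool BOOL_0804e080 = false;

void FUN_080480c0(void)
{
    code pcVar1;
    if (BOOL_0804e080 == false) {
        /* read entry at cursor; a NULL entry terminates the walk */
        while ((pcVar1 = *PTR_DAT_0804e024) != NULL) {
            PTR_DAT_0804e024 = PTR_DAT_0804e024 + 1; /* "+4" in 32-bit bytes */
            (*pcVar1)();                             /* call the entry just read */
        }
        /* CALL SUB_00000000 sits behind an always-false EAX test: never reached */
        BOOL_0804e080 = true;
    }
}

/* Runs the walker twice; returns how many entries the first call invoked,
 * or -1 if the second call (flag already set) invoked anything. */
int run_once_demo(void)
{
    FUN_080480c0();
    int first = ncalls;
    FUN_080480c0();
    return (ncalls == first) ? first : -1;
}

int main(void)
{
    int n = run_once_demo();
    printf("first call ran %d entries; second call ran none\n", n);
    return n == 2 ? 0 : 1;
}
```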