[spam][crazy] bomb malware

Karl gmkarl at gmail.com
Tue Dec 14 04:38:07 PST 2021


here it is after 'si'.

something to remember when doing this is that it is a very old
practice for binaries like this to detect whether or not they are
being run in a conventional debugger.  so this approach can only get
you so far (and is very risky).

┌─Register group: general────────────────────────────────────────────┐
│eax            0x0                 0                                │
│ecx            0xffffc944          -14012                           │
│edx            0x0                 0                                │
│ebx            0x0                 0                                │
│esp            0xffffc91c          0xffffc91c                       │
│ebp            0x0                 0x0                              │
│esi            0x1                 1                                │
│edi            0x0                 0                                │
│eip            0x804d23f           0x804d23f                        │
│eflags         0x282               [ SF IF ]                        │
│cs             0x23                35                               │
│ss             0x2b                43                               │
│ds             0x2b                43                               │
┌────────────────────────────────────────────────────────────────────┐
│  > 0x804d23f       push   %ebp                                     │
│    0x804d240       push   %edi                                     │
│    0x804d241       push   %esi                                     │
│    0x804d242       push   %ebx                                     │
│    0x804d243       sub    $0x8c,%esp                               │
│    0x804d249       mov    0xb8(%esp),%eax                          │
│    0x804d250       mov    0xa8(%esp),%edi                          │
│    0x804d257       mov    %eax,0x804e0b8                           │
│    0x804d25c       mov    0xb4(%esp),%eax                          │
│    0x804d263       mov    %eax,0x804e0c8                           │
│    0x804d268       mov    0xa4(%esp),%eax                          │
│    0x804d26f       mov    0xac(%esp),%ebp                          │
│    0x804d276       lea    (%edi,%eax,4),%edx                       │
└────────────────────────────────────────────────────────────────────┘
native process 28422 In:                          L??   PC: 0x804d23f
0x0804816d in ?? ()
(gdb) ni
0x0804816e in ?? ()
(gdb) ni
0x0804816f in ?? ()
(gdb) ni
0x08048174 in ?? ()
(gdb) ni
0x08048179 in ?? ()
(gdb) ni
0x0804817a in ?? ()
(gdb) ni
0x0804817b in ?? ()
(gdb) ni
0x08048180 in ?? ()
(gdb) si
0x0804d23f in ?? ()
(gdb)


More information about the cypherpunks mailing list