[spam][crazy] bomb malware

Karl gmkarl at gmail.com
Tue Dec 14 04:42:23 PST 2021


The first thing I notice here is that the function takes a _lot_ of
parameters.  This is more poignant because it makes the assembly
complex, but back in the entrypoint we saw what values were passed for
each one of these parameters.


                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             int __cdecl FUN_0804d23f(undefined * param_1, int param_
             int               EAX:4          <RETURN>
             undefined *       Stack[0x4]:4   param_1                                 XREF[1]:     0804d3e9(R)
             int               Stack[0x8]:4   param_2                                 XREF[2]:     0804d268(R),
                                                                                                   0804d3e2(R)
             uint * *          Stack[0xc]:4   param_3                                 XREF[1]:     0804d250(R)
             undefined *       Stack[0x10]:4  param_4                                 XREF[1]:     0804d26f(R)
             undefined4        Stack[0x14]:4  param_5                                 XREF[1]:     0804d372(R)
             undefined4        Stack[0x18]:4  param_6                                 XREF[1]:     0804d25c(R)
             undefined4        Stack[0x1c]:4  param_7                                 XREF[1]:     0804d249(R)
             undefined4        Stack[-0x14]:4 local_14                                XREF[1]:     0804d32a(R)
             undefined4        Stack[-0x1c]:4 local_1c                                XREF[1]:     0804d323(R)
             undefined4        Stack[-0x24]:4 local_24                                XREF[1]:     0804d31d(R)
             undefined4        Stack[-0x2c]:4 local_2c                                XREF[2]:     0804d2ed(R),
                                                                                                   0804d314(R)
             undefined4        Stack[-0x54]:4 local_54                                XREF[1]:     0804d2dc(R)
             undefined1        Stack[-0x88]:1 local_88                                XREF[2]:     0804d290(*),
                                                                                                   0804d2ce(*)
             undefined4        Stack[-0xac]:4 local_ac                                XREF[1]:     0804d3f0(*)
                             FUN_0804d23f                                    XREF[1]:     entry:08048180(c)
        0804d23f 55              PUSH       EBP
        0804d240 57              PUSH       EDI
        0804d241 56              PUSH       ESI
        0804d242 53              PUSH       EBX
        0804d243 81 ec 8c        SUB        ESP,0x8c
                 00 00 00
        0804d249 8b 84 24        MOV        EAX,dword ptr [ESP + param_7]
                 b8 00 00 00
        0804d250 8b bc 24        MOV        EDI,dword ptr [ESP + param_3]
                 a8 00 00 00
        0804d257 a3 b8 e0        MOV        [DAT_0804e0b8],EAX                       = ??
                 04 08
        0804d25c 8b 84 24        MOV        EAX,dword ptr [ESP + param_6]
                 b4 00 00 00
        0804d263 a3 c8 e0        MOV        [DAT_0804e0c8],EAX                       = ??
                 04 08
        0804d268 8b 84 24        MOV        EAX,dword ptr [ESP + param_2]
                 a4 00 00 00
        0804d26f 8b ac 24        MOV        EBP,dword ptr [ESP + param_4]
                 ac 00 00 00
        0804d276 8d 14 87        LEA        EDX,[EDI + EAX*0x4]
        0804d279 8d 42 04        LEA        EAX,[EDX + 0x4]
        0804d27c a3 bc e0        MOV        [DAT_0804e0bc],EAX                       = ??
                 04 08
        0804d281 3b 07           CMP        EAX,dword ptr [EDI]
        0804d283 75 06           JNZ        LAB_0804d28b
        0804d285 89 15 bc        MOV        dword ptr [DAT_0804e0bc],EDX             = ??
                 e0 04 08
                             LAB_0804d28b                                    XREF[1]:     0804d283(j)
        0804d28b 51              PUSH       ECX
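As an added illustration of what the instructions from 0804d249 to 0804d28b compute, here is my own C rendering of that stretch; it is not code from the original post or from the binary being analysed. The struct and its field names are constructed stand-ins for the three DAT_ globals (whose contents Ghidra shows as "??"), and the parameter types follow the listing's parameter table.

```c
#include <stdint.h>

/* Constructed stand-ins for the three globals the listing writes; Ghidra
 * shows their contents as "= ??", so nothing is assumed about them. */
struct dat_globals {
    uint32_t  dat_0804e0b8;
    uint32_t *dat_0804e0bc;
    uint32_t  dat_0804e0c8;
};

/* Models 0804d249..0804d28b only (after the register pushes and SUB ESP,
 * before the PUSH ECX). param_2 is the int and param_3 the uint ** from the
 * parameter table; param_6/param_7 are the undefined4 values stored away. */
struct dat_globals model_fun_0804d23f_head(int param_2, uint32_t **param_3,
                                           uint32_t param_6, uint32_t param_7)
{
    struct dat_globals g = {0};

    g.dat_0804e0b8 = param_7;                 /* 0804d249, 0804d257 */
    g.dat_0804e0c8 = param_6;                 /* 0804d25c, 0804d263 */

    /* LEA EDX,[EDI + EAX*0x4] with EDI = param_3 and EAX = param_2: on the
     * 32-bit target *4 is one pointer slot, so EDX = &param_3[param_2]. */
    uint32_t **edx = param_3 + param_2;       /* 0804d276 */
    uint32_t **eax = edx + 1;                 /* 0804d279: [EDX + 0x4] */

    g.dat_0804e0bc = (uint32_t *)eax;         /* 0804d27c */

    /* CMP EAX,dword ptr [EDI] / JNZ LAB_0804d28b: only when the slot after
     * param_3[param_2] equals the pointer held in param_3[0] is the store
     * redone with the un-incremented EDX. */
    if ((uint32_t *)eax == param_3[0])        /* 0804d281, 0804d283 */
        g.dat_0804e0bc = (uint32_t *)edx;     /* 0804d285 */

    return g;
}
```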


More information about the cypherpunks mailing list