[spam][crazy] bomb malware
Karl
gmkarl at gmail.com
Tue Dec 14 04:42:23 PST 2021
The first thing I notice here is that the function takes a _lot_ of
parameters. This is more poignant because it makes the assembly
complex, but back in the entrypoint we saw what values were passed for
each one of these parameters.
**************************************************************
*                                                            *
*                          FUNCTION                          *
*                                                            *
**************************************************************
int __cdecl FUN_0804d23f(undefined * param_1, int param_
  int            EAX:4           <RETURN>
  undefined *    Stack[0x4]:4    param_1      XREF[1]:  0804d3e9(R)
  int            Stack[0x8]:4    param_2      XREF[2]:  0804d268(R), 0804d3e2(R)
  uint * *       Stack[0xc]:4    param_3      XREF[1]:  0804d250(R)
  undefined *    Stack[0x10]:4   param_4      XREF[1]:  0804d26f(R)
  undefined4     Stack[0x14]:4   param_5      XREF[1]:  0804d372(R)
  undefined4     Stack[0x18]:4   param_6      XREF[1]:  0804d25c(R)
  undefined4     Stack[0x1c]:4   param_7      XREF[1]:  0804d249(R)
  undefined4     Stack[-0x14]:4  local_14     XREF[1]:  0804d32a(R)
  undefined4     Stack[-0x1c]:4  local_1c     XREF[1]:  0804d323(R)
  undefined4     Stack[-0x24]:4  local_24     XREF[1]:  0804d31d(R)
  undefined4     Stack[-0x2c]:4  local_2c     XREF[2]:  0804d2ed(R), 0804d314(R)
  undefined4     Stack[-0x54]:4  local_54     XREF[1]:  0804d2dc(R)
  undefined1     Stack[-0x88]:1  local_88     XREF[2]:  0804d290(*), 0804d2ce(*)
  undefined4     Stack[-0xac]:4  local_ac     XREF[1]:  0804d3f0(*)
FUN_0804d23f                                  XREF[1]:  entry:08048180(c)
0804d23f 55                    PUSH  EBP
0804d240 57                    PUSH  EDI
0804d241 56                    PUSH  ESI
0804d242 53                    PUSH  EBX
0804d243 81 ec 8c 00 00 00     SUB   ESP,0x8c
0804d249 8b 84 24 b8 00 00 00  MOV   EAX,dword ptr [ESP + param_7]
0804d250 8b bc 24 a8 00 00 00  MOV   EDI,dword ptr [ESP + param_3]
0804d257 a3 b8 e0 04 08        MOV   [DAT_0804e0b8],EAX               = ??
0804d25c 8b 84 24 b4 00 00 00  MOV   EAX,dword ptr [ESP + param_6]
0804d263 a3 c8 e0 04 08        MOV   [DAT_0804e0c8],EAX               = ??
0804d268 8b 84 24 a4 00 00 00  MOV   EAX,dword ptr [ESP + param_2]
0804d26f 8b ac 24 ac 00 00 00  MOV   EBP,dword ptr [ESP + param_4]
0804d276 8d 14 87              LEA   EDX,[EDI + EAX*0x4]
0804d279 8d 42 04              LEA   EAX,[EDX + 0x4]
0804d27c a3 bc e0 04 08        MOV   [DAT_0804e0bc],EAX               = ??
0804d281 3b 07                 CMP   EAX,dword ptr [EDI]
0804d283 75 06                 JNZ   LAB_0804d28b
0804d285 89 15 bc e0 04 08     MOV   dword ptr [DAT_0804e0bc],EDX     = ??
LAB_0804d28b                                  XREF[1]:  0804d283(j)
0804d28b 51                    PUSH  ECX
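What the quoted stretch of FUN_0804d23f (0804d249 through 0804d285) does, rendered in C as an added illustration; this is not code from Karl's post or from the binary. The pointer types and the types of the three DAT_ globals are assumptions (Ghidra shows them as "??"); the rest follows the listing instruction by instruction, and main runs it on a constructed table to show both outcomes of the CMP/JNZ.

```c
#include <stdio.h>

/* Globals the prologue writes; the names are the Ghidra data labels from the
 * listing. Their types are an assumption (the listing shows them as "= ??"). */
static void *DAT_0804e0b8;
static void *DAT_0804e0c8;
static unsigned int **DAT_0804e0bc;

/* C rendering of instructions 0804d249..0804d285 only; the body after
 * LAB_0804d28b is not on the page. param_4 is loaded into EBP for later use,
 * and param_1/param_5 are not touched in this range. Returns the value the
 * fragment leaves in DAT_0804e0bc. */
unsigned int **fun_0804d23f_prologue(void *param_1, int param_2,
                                     unsigned int **param_3, void *param_4,
                                     void *param_5, void *param_6, void *param_7)
{
    (void)param_1; (void)param_4; (void)param_5;
    DAT_0804e0b8 = param_7;                 /* MOV EAX,[ESP+param_7]; MOV [DAT_0804e0b8],EAX */
    DAT_0804e0c8 = param_6;                 /* MOV EAX,[ESP+param_6]; MOV [DAT_0804e0c8],EAX */
    unsigned int **edx = &param_3[param_2]; /* LEA EDX,[EDI + EAX*0x4]  (EDI=param_3, EAX=param_2) */
    unsigned int **eax = edx + 1;           /* LEA EAX,[EDX + 0x4]      (one 4-byte slot further) */
    DAT_0804e0bc = eax;                     /* MOV [DAT_0804e0bc],EAX */
    if ((void *)eax == (void *)param_3[0])  /* CMP EAX,dword ptr [EDI]; JNZ LAB_0804d28b */
        DAT_0804e0bc = edx;                 /* MOV dword ptr [DAT_0804e0bc],EDX (equal case only) */
    return DAT_0804e0bc;
}

int main(void)
{
    /* Constructed 4-slot pointer table standing in for param_3. */
    unsigned int *table[4] = {0, 0, 0, 0};
    unsigned int **r;

    /* Case 1: slot 0 already holds &table[param_2 + 1], so the conditional
     * store fires and DAT_0804e0bc is moved back one slot. */
    table[0] = (unsigned int *)&table[3];
    r = fun_0804d23f_prologue(0, 2, table, 0, 0, 0, 0);
    printf("equal case:   %s\n", r == &table[2] ? "DAT_0804e0bc = &param_3[param_2]" : "?");

    /* Case 2: no match, DAT_0804e0bc keeps &param_3[param_2 + 1]. */
    table[0] = 0;
    r = fun_0804d23f_prologue(0, 2, table, 0, 0, 0, 0);
    printf("unequal case: %s\n", r == &table[3] ? "DAT_0804e0bc = &param_3[param_2 + 1]" : "?");
    return 0;
}
```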