[spam][crazy] bomb malware

Karl gmkarl at gmail.com
Wed Dec 15 06:38:28 PST 2021


making sure I share these relations

On Tue, Dec 14, 2021, 7:59 AM wrote:

> Hi K,
>
> do I understand it correctly that you are trying to reverse engineer
> some malware? Did you have experience with it before starting to work on
> this particular malware?
> I find the topic quite interesting...
>
> Best regards,
>


>
> On 12/14/2021 1:42 PM, Karl wrote:
> > The first thing I notice here is that the function takes a _lot_ of
> > parameters.  This is more poignant because it makes the assembly
> > complex, but back in the entrypoint we saw what values were passed for
> > each one of these parameters.
> >
> >
> > **************************************************************
> > *                          FUNCTION                          *
> > **************************************************************
> > int __cdecl FUN_0804d23f(undefined * param_1, int param_
> >     int               EAX:4          <RETURN>
> >     undefined *       Stack[0x4]:4   param_1        XREF[1]:  0804d3e9(R)
> >     int               Stack[0x8]:4   param_2        XREF[2]:  0804d268(R), 0804d3e2(R)
> >     uint * *          Stack[0xc]:4   param_3        XREF[1]:  0804d250(R)
> >     undefined *       Stack[0x10]:4  param_4        XREF[1]:  0804d26f(R)
> >     undefined4        Stack[0x14]:4  param_5        XREF[1]:  0804d372(R)
> >     undefined4        Stack[0x18]:4  param_6        XREF[1]:  0804d25c(R)
> >     undefined4        Stack[0x1c]:4  param_7        XREF[1]:  0804d249(R)
> >     undefined4        Stack[-0x14]:4 local_14       XREF[1]:  0804d32a(R)
> >     undefined4        Stack[-0x1c]:4 local_1c       XREF[1]:  0804d323(R)
> >     undefined4        Stack[-0x24]:4 local_24       XREF[1]:  0804d31d(R)
> >     undefined4        Stack[-0x2c]:4 local_2c       XREF[2]:  0804d2ed(R), 0804d314(R)
> >     undefined4        Stack[-0x54]:4 local_54       XREF[1]:  0804d2dc(R)
> >     undefined1        Stack[-0x88]:1 local_88       XREF[2]:  0804d290(*), 0804d2ce(*)
> >     undefined4        Stack[-0xac]:4 local_ac       XREF[1]:  0804d3f0(*)
> > FUN_0804d23f                                        XREF[1]:  entry:08048180(c)
> > 0804d23f 55                    PUSH       EBP
> > 0804d240 57                    PUSH       EDI
> > 0804d241 56                    PUSH       ESI
> > 0804d242 53                    PUSH       EBX
> > 0804d243 81 ec 8c 00 00 00     SUB        ESP,0x8c
> > 0804d249 8b 84 24 b8 00 00 00  MOV        EAX,dword ptr [ESP + param_7]
> > 0804d250 8b bc 24 a8 00 00 00  MOV        EDI,dword ptr [ESP + param_3]
> > 0804d257 a3 b8 e0 04 08        MOV        [DAT_0804e0b8],EAX                  = ??
> > 0804d25c 8b 84 24 b4 00 00 00  MOV        EAX,dword ptr [ESP + param_6]
> > 0804d263 a3 c8 e0 04 08        MOV        [DAT_0804e0c8],EAX                  = ??
> > 0804d268 8b 84 24 a4 00 00 00  MOV        EAX,dword ptr [ESP + param_2]
> > 0804d26f 8b ac 24 ac 00 00 00  MOV        EBP,dword ptr [ESP + param_4]
> > 0804d276 8d 14 87              LEA        EDX,[EDI + EAX*0x4]
> > 0804d279 8d 42 04              LEA        EAX,[EDX + 0x4]
> > 0804d27c a3 bc e0 04 08        MOV        [DAT_0804e0bc],EAX                  = ??
> > 0804d281 3b 07                 CMP        EAX,dword ptr [EDI]
> > 0804d283 75 06                 JNZ        LAB_0804d28b
> > 0804d285 89 15 bc e0 04 08     MOV        dword ptr [DAT_0804e0bc],EDX        = ??
> > LAB_0804d28b                                        XREF[1]:  0804d283(j)
> > 0804d28b 51                    PUSH       ECX
>
>
>
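As an added check that is not part of the thread: a small Python script that decodes the five ESP-relative argument loads from the bytes quoted in the listing and recomputes Ghidra's Stack[...] offsets and param_N names from the prologue (four pushes plus SUB ESP,0x8c). The byte strings are the listing's own; the function and constant names are my own.

```python
PUSHED_REGS = 4      # PUSH EBP / EDI / ESI / EBX in the prologue
LOCAL_BYTES = 0x8c   # SUB ESP,0x8c
FRAME = PUSHED_REGS * 4 + LOCAL_BYTES   # bytes below the return address at each load
REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

def decode_mov_r32_esp_disp32(raw_hex):
    """Decode 'MOV r32, dword ptr [ESP + disp32]' (opcode 8b, ModRM mod=10 rm=100,
    SIB 24 = base ESP with no index). Returns (register, disp32) or None for other forms."""
    b = bytes.fromhex(raw_hex)
    if len(b) != 7 or b[0] != 0x8B or b[2] != 0x24:
        return None
    modrm = b[1]
    if modrm >> 6 != 0b10 or modrm & 7 != 0b100:
        return None
    disp = int.from_bytes(b[3:7], "little", signed=True)
    return REGS32[(modrm >> 3) & 7], disp

def stack_label(disp):
    """Ghidra's Stack[...] offset is relative to the return-address slot, so subtract
    what the prologue pushed and reserved. Positive = caller-pushed argument, negative = local."""
    off = disp - FRAME
    return "Stack[%s0x%x]" % ("-" if off < 0 else "", abs(off))

def param_number(disp):
    """cdecl arguments sit at Stack[0x4], Stack[0x8], ...; Ghidra names them param_1, param_2, ..."""
    off = disp - FRAME
    if off < 4 or off % 4:
        return None
    return "param_%d" % (off // 4)

# Encodings copied from the five argument loads in the listing above.
LISTING = [
    ("0804d249", "8b8424b8000000"),
    ("0804d250", "8bbc24a8000000"),
    ("0804d25c", "8b8424b4000000"),
    ("0804d268", "8b8424a4000000"),
    ("0804d26f", "8bac24ac000000"),
]

def annotate(listing=LISTING):
    """Return (address, register, disp32, Stack label, param name) for each decodable load."""
    rows = []
    for addr, raw in listing:
        decoded = decode_mov_r32_esp_disp32(raw)
        if decoded is None:
            continue
        reg, disp = decoded
        rows.append((addr, reg, disp, stack_label(disp), param_number(disp)))
    return rows
```

Each row should reproduce the label Ghidra printed next to the instruction (0xb8 - 0x9c = 0x1c = param_7, and so on); a mismatch would mean the frame size or the calling convention assumed by the tool is wrong.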