[spam][crazy] bomb malware
Karl
gmkarl at gmail.com
Wed Dec 15 06:38:28 PST 2021
making sure I share these relations
On Tue, Dec 14, 2021, 7:59 AM wrote:
> Hi K,
>
> do I understand it correctly that you are trying to reverse engineer
> some malware? Did you have experience with it before starting to work on
> this particular malware?
> I find the topic quite interesting...
>
> Best regards,
>
>
> On 12/14/2021 1:42 PM, Karl wrote:
> > The first thing I notice here is that the function takes a _lot_ of
> > parameters. This is more poignant because it makes the assembly
> > complex, but back in the entrypoint we saw what values were passed for
> > each one of these parameters.
> >
> >
> > **************************************************************
> > *                                                            *
> > *                          FUNCTION                          *
> > *                                                            *
> > **************************************************************
> > int __cdecl FUN_0804d23f(undefined * param_1, int param_
> >   int           EAX:4           <RETURN>
> >   undefined *   Stack[0x4]:4    param_1     XREF[1]: 0804d3e9(R)
> >   int           Stack[0x8]:4    param_2     XREF[2]: 0804d268(R), 0804d3e2(R)
> >   uint * *      Stack[0xc]:4    param_3     XREF[1]: 0804d250(R)
> >   undefined *   Stack[0x10]:4   param_4     XREF[1]: 0804d26f(R)
> >   undefined4    Stack[0x14]:4   param_5     XREF[1]: 0804d372(R)
> >   undefined4    Stack[0x18]:4   param_6     XREF[1]: 0804d25c(R)
> >   undefined4    Stack[0x1c]:4   param_7     XREF[1]: 0804d249(R)
> >   undefined4    Stack[-0x14]:4  local_14    XREF[1]: 0804d32a(R)
> >   undefined4    Stack[-0x1c]:4  local_1c    XREF[1]: 0804d323(R)
> >   undefined4    Stack[-0x24]:4  local_24    XREF[1]: 0804d31d(R)
> >   undefined4    Stack[-0x2c]:4  local_2c    XREF[2]: 0804d2ed(R), 0804d314(R)
> >   undefined4    Stack[-0x54]:4  local_54    XREF[1]: 0804d2dc(R)
> >   undefined1    Stack[-0x88]:1  local_88    XREF[2]: 0804d290(*), 0804d2ce(*)
> >   undefined4    Stack[-0xac]:4  local_ac    XREF[1]: 0804d3f0(*)
> > FUN_0804d23f                                XREF[1]: entry:08048180(c)
> > 0804d23f 55                     PUSH  EBP
> > 0804d240 57                     PUSH  EDI
> > 0804d241 56                     PUSH  ESI
> > 0804d242 53                     PUSH  EBX
> > 0804d243 81 ec 8c 00 00 00      SUB   ESP,0x8c
> > 0804d249 8b 84 24 b8 00 00 00   MOV   EAX,dword ptr [ESP + param_7]
> > 0804d250 8b bc 24 a8 00 00 00   MOV   EDI,dword ptr [ESP + param_3]
> > 0804d257 a3 b8 e0 04 08         MOV   [DAT_0804e0b8],EAX             = ??
> > 0804d25c 8b 84 24 b4 00 00 00   MOV   EAX,dword ptr [ESP + param_6]
> > 0804d263 a3 c8 e0 04 08         MOV   [DAT_0804e0c8],EAX             = ??
> > 0804d268 8b 84 24 a4 00 00 00   MOV   EAX,dword ptr [ESP + param_2]
> > 0804d26f 8b ac 24 ac 00 00 00   MOV   EBP,dword ptr [ESP + param_4]
> > 0804d276 8d 14 87               LEA   EDX,[EDI + EAX*0x4]
> > 0804d279 8d 42 04               LEA   EAX,[EDX + 0x4]
> > 0804d27c a3 bc e0 04 08         MOV   [DAT_0804e0bc],EAX             = ??
> > 0804d281 3b 07                  CMP   EAX,dword ptr [EDI]
> > 0804d283 75 06                  JNZ   LAB_0804d28b
> > 0804d285 89 15 bc e0 04 08      MOV   dword ptr [DAT_0804e0bc],EDX   = ??
> > LAB_0804d28b                                XREF[1]: 0804d283(j)
> > 0804d28b 51                     PUSH  ECX
>
>
>
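The listing above shows Ghidra labelling raw displacements such as `b8 00 00 00` as `[ESP + param_7]`. As an added example (mine, not code from Karl's post or the thread), the script below recomputes those cdecl argument displacements from the prologue quoted in the listing (four PUSHes, then `SUB ESP,0x8c`) and decodes the three `MOV r32,[ESP+disp32]` parameter loads byte by byte, so the mapping can be checked rather than trusted; the constants and sample bytes are taken from the listing.

```python
import struct

# 32-bit register names indexed by the 3-bit "reg" field of a ModRM byte.
REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

# Prologue from the listing: PUSH EBP/EDI/ESI/EBX (4 pushes), then SUB ESP,0x8c.
PUSHED_REGS = 4
FRAME_BYTES = 0x8C

def param_offset_from_esp(n, pushed_regs=PUSHED_REGS, frame_bytes=FRAME_BYTES):
    """ESP-relative displacement of cdecl param_n once the prologue has run.
    At entry param_n lives at [ESP + 4*n] (Ghidra's Stack[0x4*n]); each PUSH
    lowers ESP by 4 and SUB ESP,imm by imm more, so the slot ends up that
    much further from the new ESP."""
    return 4 * n + 4 * pushed_regs + frame_bytes

def decode_mov_r32_esp_disp32(code):
    """Decode the 7-byte form 8B /r with ModRM mod=10 rm=100 and SIB base=ESP.
    Returns (destination register, displacement); raises ValueError for any
    other instruction so a caller never silently mislabels bytes."""
    if len(code) != 7 or code[0] != 0x8B:
        raise ValueError("not a 7-byte MOV r32, r/m32")
    modrm, sib = code[1], code[2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0b10 or rm != 0b100:
        raise ValueError("ModRM is not [SIB + disp32]")
    index, base = (sib >> 3) & 7, sib & 7
    if index != 0b100 or base != 0b100:
        raise ValueError("SIB is not [ESP] without an index register")
    (disp,) = struct.unpack("<i", code[3:7])
    return REGS32[reg], disp

def name_stack_param(disp, pushed_regs=PUSHED_REGS, frame_bytes=FRAME_BYTES):
    """Map [ESP + disp] back to Ghidra's param_<n>, or None when the
    displacement is not a 4-byte-aligned incoming-argument slot."""
    rel = disp - 4 * pushed_regs - frame_bytes
    return "param_%d" % (rel // 4) if rel > 0 and rel % 4 == 0 else None

def annotate(hexbytes):
    """'8b 84 24 b8 00 00 00' -> 'MOV EAX,dword ptr [ESP + param_7]'."""
    reg, disp = decode_mov_r32_esp_disp32(bytes.fromhex(hexbytes))
    name = name_stack_param(disp)
    return "MOV %s,dword ptr [ESP + %s]" % (reg, name or "0x%x" % disp)

if __name__ == "__main__":
    # Byte sequences copied from the three parameter loads in the listing.
    for hx in ("8b 84 24 b8 00 00 00", "8b bc 24 a8 00 00 00", "8b ac 24 ac 00 00 00"):
        print(hx, "->", annotate(hx))
```

A displacement below the argument area (for example `0x20`) comes back as `None`, which is how locals such as `local_88` are distinguished from incoming parameters.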