Free Advertising Forums | Free Advertising Board | Post Free Ads Forum | Free Advertising Forums Directory | Best Free Advertising Methods | Advertising Forums - View Single Post

**3xkfen5o3k5u** · 10-07-2011, 05:48 PM

| Back to logs list

35442 2006 年 06 月 19 日 01:03 Reading (loading. ..) Comments (1) Category: Personal Diary
Information Source: Evil Octal Security Team (www.eviloctal.com)
of the article: Hunshimowang
The article has been sent to \
and \
yesterday on the \Looking to find the goal of holding the suspect file. Analysis a bit, first declare that I am food. Badly written, do not scold me. The paper is wrong, please also advise. Is insufficient, hope to add. Thank you.
first check shell
ASPack 2.12 -> Alexey Solodovnikov
0041E001> 60 PUSHAD / / entry code
0041E002 E8 03000000 CALL randll32.0041E00A / / F8 to run this HR ESP F9
0041E007 - E9 EB045D45 JMP 459EE4F7
0041E00C 55 PUSH EBP
0041E00D C3 RETN
0041E3B0 / 75 08 JNZ SHORT randll32.0041E3BA / / F9 to run here
0041E3B2 | B8 01000000 MOV EAX,red wing boots, 1
0041E3B7 | C2 0C00 RETN 0C
0041E3BA \ 68 BC494100 PUSH randll32.004149BC / / F8 down to here
0041E3BF C3 RETN
004149BC 55 PUSH EBP / / OEP
004149BD 8BEC MOV EBP, ESP
004149BF B9 04000000 MOV ECX,red wing heritage, 4
004149C4 6A 00 PUSH 0
004149C6 6A 00 PUSH 0
004149C8 49 DEC ECX
out to the OEP = 149BC DOWN, Import fix it. Written in Delphi.
OD after re-loading
shelling process. File was more than 140 K, very small, with the help of a simple analysis of the character a bit.
00413F37. 55 PUSH EBP
00413F38. 68 6B414100 PUSH randll_.0041416B
00413F3D. 64: FF30 PUSH DWORD PTR FS: [EAX]
00413F40. 64:8920 MOV DWORD PTR FS: [EAX],red wing store, ESP
00413F43. 8D45 FC LEA EAX,red wing sale, DWORD PTR SS: [EBP-4]
00413F46. BA B4414100 MOV EDX, randll_.004141B4;
run will visit the URL, read the information.
00413F4B. E8 ECFDFEFF CALL randll_.00403D3C
00413F50. 8D45 DC LEA EAX, DWORD PTR SS: [EBP-24]
00413F53. E8 84070000 CALL randll_.004146DC
00413F58. 8B55 DC MOV EDX, DWORD PTR SS: [EBP-24]
00413F5B. 8D45 F8 LEA EAX, DWORD PTR SS: [EBP-8]
00413F5E. B9 EC414100 MOV ECX, randll_.004141EC;
update.ini read finished, save the file will generate a update.ini Read the information
00413F63. E8 2400FFFF CALL randll_.00403F8C
00413F68. 8B45 F8 MOV EAX, DWORD PTR SS: [EBP-8]
00413F6B. E8 A032FFFF CALL randll_.00407210
00413F70. 84C0 TEST AL, AL
00413F72. 74 08 JE SHORT randll_.00413F7C
00413F74. 8B45 F8 MOV EAX, DWORD PTR SS: [EBP-8]
00413F77. E8 A432FFFF CALL randll_.00407220
00413F7C> 8B55 F8 MOV EDX, DWORD PTR SS: [EBP-8]
00413F7F. 8B45 FC MOV EAX,red wing motorcycle boots, DWORD PTR SS: [EBP-4]
00413F82. E8 85070000 CALL randll_.0041470C
00413F87. 84C0 TEST AL, AL
00413F89. 75 0D JNZ SHORT randll_.00413F98
00413F8B. 33C0 XOR EAX, EAX
00413F8D. 5A POP EDX
00413F8E. 59 POP ECX
00413F8F. 59 POP ECX
00413F90. 64:8910 MOV DWORD PTR FS: [EAX], EDX
00413F93. E9 DD010000 JMP randll_.00414175
00413F98> 8B4D F8 MOV ECX, DWORD PTR SS: [EBP-8]
00413F9B. B2 01 MOV DL, 1
00413F9D. A1 B82B4100 MOV EAX,red wing shoe store, DWORD PTR DS: [412BB8]
00413FA2. E8 C1ECFFFF CALL randll_.00412C68
00413FA7. 8945 F4 MOV DWORD PTR SS: [EBP-C], EAX
00413FAA. 6A 00 PUSH 0
00413FAC. 8D45 D8 LEA EAX, DWORD PTR SS: [EBP-28]
00413FAF. 50 PUSH EAX
00413FB0. B9 00424100 MOV ECX, randll_.00414200; filelist
00413FB5. BA 14424100 MOV EDX, randll_. 00414214; settings
00413FBA. 8B45 F4 MOV EAX, DWORD PTR SS: [EBP-C]
00413FBD. 8B18 MOV EBX, DWORD PTR DS: [EAX]
00413FBF. FF13 CALL DWORD PTR DS: [EBX]
00413FC1. 8B45 D8 MOV EAX, DWORD PTR SS: [EBP-28]
filelist and settings have a look inside the content updatetl.txt very clear.

10-07-2011, 05:48 PM	#16
3xkfen5o3k5u Commander In Chief Join Date: Oct 2010 Posts: 1,125	\| Back to logs list 35442 2006 年 06 月 19 日 01:03 Reading (loading. ..) Comments (1) Category: Personal Diary Information Source: Evil Octal Security Team (www.eviloctal.com) of the article: Hunshimowang The article has been sent to \ and \ yesterday on the \Looking to find the goal of holding the suspect file. Analysis a bit, first declare that I am food. Badly written, do not scold me. The paper is wrong, please also advise. Is insufficient, hope to add. Thank you. first check shell ASPack 2.12 -> Alexey Solodovnikov 0041E001> 60 PUSHAD / / entry code 0041E002 E8 03000000 CALL randll32.0041E00A / / F8 to run this HR ESP F9 0041E007 - E9 EB045D45 JMP 459EE4F7 0041E00C 55 PUSH EBP 0041E00D C3 RETN 0041E3B0 / 75 08 JNZ SHORT randll32.0041E3BA / / F9 to run here 0041E3B2 \| B8 01000000 MOV EAX,red wing boots, 1 0041E3B7 \| C2 0C00 RETN 0C 0041E3BA \ 68 BC494100 PUSH randll32.004149BC / / F8 down to here 0041E3BF C3 RETN 004149BC 55 PUSH EBP / / OEP 004149BD 8BEC MOV EBP, ESP 004149BF B9 04000000 MOV ECX,red wing heritage, 4 004149C4 6A 00 PUSH 0 004149C6 6A 00 PUSH 0 004149C8 49 DEC ECX out to the OEP = 149BC DOWN, Import fix it. Written in Delphi. OD after re-loading shelling process. File was more than 140 K, very small, with the help of a simple analysis of the character a bit. 00413F37. 55 PUSH EBP 00413F38. 68 6B414100 PUSH randll_.0041416B 00413F3D. 64: FF30 PUSH DWORD PTR FS: [EAX] 00413F40. 64:8920 MOV DWORD PTR FS: [EAX],red wing store, ESP 00413F43. 8D45 FC LEA EAX,red wing sale, DWORD PTR SS: [EBP-4] 00413F46. BA B4414100 MOV EDX, randll_.004141B4; run will visit the URL, read the information. 00413F4B. E8 ECFDFEFF CALL randll_.00403D3C 00413F50. 8D45 DC LEA EAX, DWORD PTR SS: [EBP-24] 00413F53. E8 84070000 CALL randll_.004146DC 00413F58. 8B55 DC MOV EDX, DWORD PTR SS: [EBP-24] 00413F5B. 8D45 F8 LEA EAX, DWORD PTR SS: [EBP-8] 00413F5E. B9 EC414100 MOV ECX, randll_.004141EC; update.ini read finished, save the file will generate a update.ini Read the information 00413F63. E8 2400FFFF CALL randll_.00403F8C 00413F68. 8B45 F8 MOV EAX, DWORD PTR SS: [EBP-8] 00413F6B. E8 A032FFFF CALL randll_.00407210 00413F70. 84C0 TEST AL, AL 00413F72. 74 08 JE SHORT randll_.00413F7C 00413F74. 8B45 F8 MOV EAX, DWORD PTR SS: [EBP-8] 00413F77. E8 A432FFFF CALL randll_.00407220 00413F7C> 8B55 F8 MOV EDX, DWORD PTR SS: [EBP-8] 00413F7F. 8B45 FC MOV EAX,red wing motorcycle boots, DWORD PTR SS: [EBP-4] 00413F82. E8 85070000 CALL randll_.0041470C 00413F87. 84C0 TEST AL, AL 00413F89. 75 0D JNZ SHORT randll_.00413F98 00413F8B. 33C0 XOR EAX, EAX 00413F8D. 5A POP EDX 00413F8E. 59 POP ECX 00413F8F. 59 POP ECX 00413F90. 64:8910 MOV DWORD PTR FS: [EAX], EDX 00413F93. E9 DD010000 JMP randll_.00414175 00413F98> 8B4D F8 MOV ECX, DWORD PTR SS: [EBP-8] 00413F9B. B2 01 MOV DL, 1 00413F9D. A1 B82B4100 MOV EAX,red wing shoe store, DWORD PTR DS: [412BB8] 00413FA2. E8 C1ECFFFF CALL randll_.00412C68 00413FA7. 8945 F4 MOV DWORD PTR SS: [EBP-C], EAX 00413FAA. 6A 00 PUSH 0 00413FAC. 8D45 D8 LEA EAX, DWORD PTR SS: [EBP-28] 00413FAF. 50 PUSH EAX 00413FB0. B9 00424100 MOV ECX, randll_.00414200; filelist 00413FB5. BA 14424100 MOV EDX, randll_. 00414214; settings 00413FBA. 8B45 F4 MOV EAX, DWORD PTR SS: [EBP-C] 00413FBD. 8B18 MOV EBX, DWORD PTR DS: [EAX] 00413FBF. FF13 CALL DWORD PTR DS: [EBX] 00413FC1. 8B45 D8 MOV EAX, DWORD PTR SS: [EBP-28] filelist and settings have a look inside the content updatetl.txt very clear.

Sponsored Links