; s2 ; ; ; s1 ; strcmp in .NET

Generator qr bidimensional barcode in .NET ; s2 ; ; ; s1 ; strcmp
; s2 ; ; ; s1 ; strcmp
Visual Studio .NET qr code iso/iec18004 readerin .net
Using Barcode Control SDK for Visual Studio .NET Control to generate, create, read, scan barcode image in Visual Studio .NET applications.
The preceding sequence is important: It compares a string from [EBP-60], which is the nickname of the user who s sending the current private message (essentially the attacker) with a string from a global variable. It also looks as if this is an array of strings, each element being up to 0x50 (80 in decimal)
QR printing with .net
use visual studio .net qr code 2d barcode creator toencode qr bidimensional barcode on .net
Reversing Malware
recognizing qr code on .net
Using Barcode recognizer for .NET Control to read, scan read, scan image in .NET applications.
characters long. While I was first stepping through this sequence, all of these four strings were empty. This made the code proceed to the code sequence that follows instead of calling into a longish function at 00403016 that would have been called if there was a match on one of the usernames. Let s look at what the function does next (when the usernames don t match).
Bar Code barcode library for .net
Using Barcode recognizer for visual .net Control to read, scan read, scan image in visual .net applications.
00402F29 00402F2E 00402F33 00402F38 00402F3E 00402F3F 00402F44 00402F4A 00402F4B 00402F4C PUSH ZoneLock.004050BE ; PUSH ZoneLock.00405110 ; PUSH ZoneLock.004054A1 ; LEA EAX,DWORD PTR SS:[EBP-260] PUSH EAX ; CALL <JMP.&CRTDLL.sprintf> LEA EAX,DWORD PTR SS:[EBP-260] PUSH EAX ; PUSH ESI ; CALL <JMP.&CRTDLL.strcmp> <%s> = tounge <%s> = morris format = %s %s s
Barcode barcode library in .net
generate, create bar code none on .net projects
s2 s1
QR Code barcode library on .net c#
use .net qr codes implementation todevelop quick response code with c#
This is an interesting sequence. The first part uses sprintf to produce the string morris tounge, which is then checked against the current message being processed. If there is a mismatch, the function performs one more check on the current command string (even though it s been confirmed to be PRIVMSG), and returns. If the current command is !morris tounge , the program stores the originating username in the currently available slot on that string array from 004051C5. That is, upon receiving this Morris message, the program is storing the name of the user it s currently talking to in an array. This is the array that starts at 004051C5; the same array that was scanned for the attacker s name earlier. What does this tell you It looks like the string !morris tounge is the secret password for the Backdoor program. It will only start processing commands from a user that has transmitted this particular message! One unusual thing about the preceding code snippet that generates and checks whether this is the correct password is that the sprintf call seems to be redundant. Why not just call strcmp with a pointer to the full morris tounge string Why construct it in runtime if it s a predefined, hard-coded string A quick search for other references to this address shows that it is static; there doesn t seem to be any other place in the code that modifies this sequence in any way. Therefore, the only reason I can think of is that the author of this program didn t want the string morris tounge to actually appear in the program in one piece. If you look at the code snippet, you ll see that each of the words come from a different area in the program s data section. This is essentially a primitive antireversing scheme that s supposed to make it a bit more difficult to find the password string when searching through the program binary.
Generate qr code iso/iec18004 on .net
use aspx qr barcode generator todevelop qr-codes on .net
Control qr code size in vb
to display qr codes and quick response code data, size, image with visual basic barcode sdk
Now that we have the password, you can type it into our IRC program and try to establish a real communications channel with the backdoor. Obtaining a basic list of supported commands is going to be quite easy. I ve already mentioned a routine at 00403016 that appears to process the supported commands. Disassembling this function to figure out the supported commands is an almost trivial task; one merely has to look for calls to string-comparison functions and examine the strings being compared. The function that does this is far too long to be included here, but let s take a look at a typical sequence that checks the incoming message.
PDF417 barcode library for .net
using .net framework crystal tomake pdf-417 2d barcode on asp.net web,windows application
0040308B 00403090 00403096 00403097 0040309C 0040309F 004030A1 004030A3 004030A8 004030AD 004030B2 004030B7 004030BD 004030BE 004030C3 004030C6 004030C8 004030CA 004030CF 004030D4 004030D9 004030DF 004030E0 PUSH ZoneLock.0040511B ; LEA EAX,DWORD PTR SS:[EBP-200] PUSH EAX ; CALL <JMP.&CRTDLL.strcmp> ADD ESP,8 OR EAX,EAX JNZ SHORT ZoneLock.004030B2 CALL ZoneLock.00401AA0 MOV EAX,3 JMP ZoneLock.00403640 PUSH ZoneLock.00405126 ; LEA EAX,DWORD PTR SS:[EBP-200] PUSH EAX ; CALL <JMP.&CRTDLL.strcmp> ADD ESP,8 OR EAX,EAX JNZ SHORT ZoneLock.004030D4 MOV EAX,3 JMP ZoneLock.00403640 PUSH ZoneLock.00405138 ; LEA EAX,DWORD PTR SS:[EBP-200] PUSH EAX ; CALL <JMP.&CRTDLL.strcmp> s2 = dontuseme s1
.NET 3 of 9 drawerin .net
use .net framework code 3 of 9 generation touse barcode code39 on .net
.net Vs 2010 Crystal code 128 implementationwith .net
using .net crystal toencode code 128b with asp.net web,windows application
GS1 128 barcode library with c#
using .net winforms crystal toassign ean 128 with asp.net web,windows application
Control barcode 39 size on word documents
barcode 39 size in word documents
2D Barcode implement in .net
use sql server 2005 reporting services matrix barcode creation todraw 2d barcode for .net
Qr-codes barcode library with .net
using sql server 2005 reporting services toconnect qr code on asp.net web,windows application