00403C1D . E8 42320000 CALL <JMP.&ADVAPI32.LsaLookupNames>
00403C22 . E8 CF2F0000 CALL <JMP.&LZ32.LZStart>
00403C27 . 68 74064300 PUSH 5d8645f7.00430674 ; /Password = "sslrfkjkdfai"
00403C2C . 68 60064300 PUSH 5d8645f7.00430660 ; |ServiceStartName = "z47sHc498Kw8I7Hk9Rk"
00403C31 . 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10] ; |
00403C34 . 68 84064300 PUSH 5d8645f7.00430684 ; |pDependencies = 5d8645f7.00430684
00403C39 . 52 PUSH EDX ; |pTagId
00403C3A . 68 94064300 PUSH 5d8645f7.00430694 ; |LoadOrderGroup = "kupgnvhjat"
00403C3F . 68 4C064300 PUSH 5d8645f7.0043064C ; |BinaryPathName = "v451917V88JH88126q7"
00403C44 . 6A 2F PUSH 2F ; |ErrorControl = 2F
00403A95 . 68 C0144000 PUSH 5d8645f7.004014C0 ; SE handler installation
00403A9A . 64:FF35 000000>PUSH DWORD PTR FS:[0]
00403AA1 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00403AA8 . 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4]
00403AAB . 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00403AAE . 51 PUSH ECX
00403AAF . 33FF XOR EDI,EDI
00403AB1 . 52 PUSH EDX
00403AB2 . BE 40000000 MOV ESI,40
00403AB7 . 57 PUSH EDI
00406BC0 /$ A1 DC054300 MOV EAX,DWORD PTR DS:[4305DC] ; EAX immediately overwritten, result of GMH unused.
00406BC5 |. 8B0D 08064300 MOV ECX,DWORD PTR DS:[430608]
00406BCB |. 0C 6C OR AL,6C
00406BCD |. A3 DC054300 MOV DWORD PTR DS:[4305DC],EAX
00406BD2 |. A1 D0054300 MOV EAX,DWORD PTR DS:[4305D0]
00406BD7 |. 0C 20 OR AL,20
00406BD9 |. 0BC8 OR ECX,EAX
00406BDB |. 890D 08064300 MOV DWORD PTR DS:[430608],ECX
00406BE1 |. E8 3ACEFFFF CALL 5d8645f7.00403A20 ; Function call that matters
00406BE6 |. E8 C5FAFFFF CALL 5d8645f7.004066B0
00406D63 . 58 POP EAX
00406D64 > 50 PUSH EAX
00406D65 . 56 PUSH ESI
00406D66 . 53 PUSH EBX
00406D67 . 53 PUSH EBX
00406D68 . FFD7 CALL EDI ; GetModuleHandleA
00406D6A . 50 PUSH EAX
00406D6B . E8 50FEFFFF CALL 00406BC0
junk code emu — minimal junk-code example: every ALU operation on eax is dead work, because the value pushed first is popped back into eax before `ret`
; Junk-code demo: a run of throw-away ALU work on eax/ecx/ebx whose only
; surviving value in eax is the immediate pushed on the first line.
; Net effect on return: eax = the pushed immediate, ecx = 10, ebx = 20,
; flags clobbered (xor/add); stack balanced (one push, one pop).
; Anti-analysis value: a naive reader/disassembler sees arithmetic on eax,
; but an emulator or taint tracker shows none of it reaches the pop.
; NOTE(review): immediates mix bare "20"/"10" with "0x..." literals; whether
; the bare numbers are decimal or hex depends on the assembler's radix --
; confirm before relying on the exact returned value.
push 20 ;the only eax-relevant value that survives: popped back into eax below
mov eax, 0x11111111 ;junk: overwritten by the pop before anything reads eax
mov ecx, 10 ;junk for eax, but a real side effect: ecx = 10 on return
mov ebx, 0x33333333 ;junk: overwritten two lines down
xor eax, ebx ;junk: result never read (sets flags)
mov ebx, 20 ;side effect: ebx = 20 on return
add eax, ecx ;junk: result never read (sets flags)
pop eax ;discard all the eax work above; eax = pushed immediate
ret
#! /usr/bin/env python
import redis
import random
import pylibmc
import sys
# Client handles for a local Redis (port 6389) and memcached (port 11222),
# both on non-default ports. No credentials are passed in either call;
# presumably the services are bound to the loopback interface only -- confirm,
# since nothing here restricts who else can reach them.
# NOTE(review): whether a socket is opened at construction or on first command
# depends on the client library -- verify if connection failures matter here.
r = redis.Redis(host = 'localhost', port = 6389)
mc = pylibmc.Client(['localhost:11222'])
import string
import random
import os
def gen_domain(seed):
multiplier = int(0x41C64E6D)
#seed = 1600000
domain = ""
ebx = seed
dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0 245272
32:f9:38:a2:39:d0:c5:f5:ba:bd:b7:75:2b:00:f6:ab 197846
d0:db:8a:cb:74:c8:37:e4:9e:71:fc:7a:eb:d6:40:81 152046
34:47:0f:e9:1a:c2:eb:56:eb:cc:58:59:3a:02:80:b6 140777
df:17:d6:57:7a:37:00:7a:87:5e:4e:ed:2f:a3:d5:dd 91904
81:96:a6:8c:3a:75:f3:be:84:5e:cc:99:a7:ab:3e:d9 80499
7c:a8:25:21:13:a2:eb:00:a6:c1:76:ca:6b:48:6e:bf 78172
1c:1e:29:43:d2:0c:c1:75:40:05:30:03:d4:02:d7:9b 71851
8b:75:88:08:41:78:11:5b:49:68:11:42:64:12:6d:49 70786
c2:77:c8:c5:72:17:e2:5b:4f:a2:4e:e3:04:0c:35:c9 68654
crackme1
#include <Windows.h>
#include <strsafe.h>
#include <Shlobj.h>
#include <string.h>
//the exported function: function-pointer type for the symbol resolved from the
//DLL named below -- __cdecl, no arguments, no return value. Assumes the DLL
//exports exactly this signature; confirm against display.dll.
typedef void(__cdecl* display_message)(void);
//this can change: leaf name of the library to load. The leading backslash
//suggests it is appended to a directory path (Shlobj.h is included, so
//presumably one obtained via a shell-folder API -- confirm in the loading code).
//NOTE(review): if that directory is user-writable, or the name is ever passed to
//LoadLibrary without a full path, the load is exposed to DLL search-order
//hijacking; check the caller.
#define DLL_NAME L"\\display.dll"
.text:00401CC1 push 24h
.text:00401CC3 call sub_401980
.text:00401CC8 mov eax, dword_413D1C
.text:00401CCD mov ecx, [eax+90h]
.text:00401CD3 push ecx
.text:00401CD4 push esi
.text:00401CD5 call get_embedded_exe
.text:00401CDA add esp, 0Ch
.text:00401CDD test eax, eax
.text:00401CDF jz short loc_401CF6