Reversing : The Hacker's Guide to Reverse Engineering

this file the program might be exposing itself, but then again the typical vic- tims of these kinds of programs are usually nont ...

0040266A INC EAX 0040266B CMP BYTE PTR DS:[ECX+EAX],0 0040266F JNZ SHORT ZoneLock.0040266A 00402671 MOV EBX,EAX 00402673 PUSH EB ...

ZoneLockup.exe” 004026FF PUSH ZoneLock.0040553D ; format = “qwer%s” 00402704 LEA EAX,DWORD PTR SS:[EBP-29C] 0040270A PUSH EAX ; ...

When the program is first launched, it runs some checks to see whether it has already been installed, and if not it installs its ...

00402946 |JNZ SHORT ZoneLock.00402954 00402948 |PUSH 7530 ; Timeout = 30000. ms 0040294D |CALL <JMP.&KERNEL32.Sleep> 0 ...

It looks like the Trojan is looking to chat with someone. Care to guess with whom? Here’s a hint: he’s wearing a black hat. Well ...

0040151C JMP SHORT ZoneLock.00401535 0040151E CALL <JMP.&CRTDLL.rand> 00401523 MOV EDI,DWORD PTR SS:[EBP+8] 00401526 M ...

The next sequence takes the random string and produces a string that is later sent to the IRC server. Let’s take a look at that ...

00402D96 LEA EAX,DWORD PTR SS:[EBP-260] 00402D9C PUSH EAX ; s 00402D9D CALL <JMP.&CRTDLL.sprintf> 00402DA2 ADD ESP,14 ...

00402E9F MOV EAX,DWORD PTR SS:[EBP+8] ; 00402EA2 INC EAX ; 00402EA3 PUSH EAX ; s1 00402EA4 CALL <JMP.&CRTDLL.strstr> ; ...

characters long. While I was first stepping through this sequence, all of these four strings were empty. This made the code proc ...

Now that we have the password, you can type it into our IRC program and try to establish a real communications channel with the ...

You start out by joining the ##g##channel and saying the password. You then send the “!info” command, to which the program respo ...

deletes the executable. You can probably guess that this is not an entirely triv- ial task—an executable program file cannot be ...

Table 8.1 (continued) COMMAND DESCRIPTION ARGUMENTS !info Displays some generic information regarding the infected host, includi ...

Conclusion Malicious programs can be treacherous and complicated. They will do their best to be invisible and seem as innocent a ...

PART III Cracking 14_574817 pt03.qxd 3/16/05 8:45 PM Page 307 ...

14_574817 pt03.qxd 3/16/05 8:45 PM Page 308 ...

309 The magnitude of piracy committed on all kinds of digital content such as music, software, and movies has become monstrous. ...

and has put them in the same (highly uncomfortable) position that software vendors have been in for years: They have absolutely ...