Reversing : The Hacker's Guide to Reverse Engineering

00402946 |JNZ SHORT ZoneLock.00402954
00402948 |PUSH 7530 ; Timeout = 30000. ms
0040294D |CALL <JMP.&KERNEL32.Sleep>
00402952 |JMP SHORT ZoneLock.0040299A
00402954 |CMP DWORD PTR DS:[EDI*4+405104],0
0040295C |JNZ SHORT ZoneLock.00402960
0040295E |XOR EDI,EDI
00402960 |PUSH DWORD PTR DS:[EDI*4+40510C]
00402967 |PUSH DWORD PTR DS:[EDI*4+405104]
0040296E |CALL ZoneLock.004029B1
00402973 |ADD ESP,8
00402976 |MOV ESI,EAX
00402978 |CMP ESI,1
0040297B |JNZ SHORT ZoneLock.0040298A
0040297D |PUSH DWORD PTR DS:[40464C] ; Timeout = 0. ms
00402983 |CALL <JMP.&KERNEL32.Sleep>
00402988 |JMP SHORT ZoneLock.00402990
0040298A |CMP ESI,3
0040298D |JE SHORT ZoneLock.0040299C
0040298F |INC EDI
00402990 |PUSH 1388 ; /Timeout = 5000. ms
00402995 |CALL <JMP.&KERNEL32.Sleep>
0040299A \JMP SHORT ZoneLock.00402939

Listing 8.4 (continued)


The first thing you'll notice about this code sequence is that it is a loop, probably coded as an infinite loop (such as a while(1) statement). In its first phase, the loop repeatedly calls the InternetGetConnectedState API and sleeps for 30 seconds (the PUSH 7530 at 00402948) if the API returns FALSE. As you've probably guessed, the InternetGetConnectedState API checks whether the computer is currently connected to the Internet. In reality, this API only checks whether the system has a valid IP address; it doesn't really verify that the machine can reach the Internet. It looks as if the program is checking for a network connection and simply waiting for the system to become connected if it isn't already. Once the connection check succeeds, the function calls another function, 004029B1, with the first parameter being a pointer to the hard-coded string g.hackarmy.tk and the second parameter being 0x1A0B (6667 in decimal). This function immediately calls into a function at 0040129C, which calls the gethostbyname WinSock2 function on that g.hackarmy.tk string and proceeds to call the connect function to connect to the resulting address. The port number is set to the value from the second parameter passed earlier.[1]



  1. In case you're not sure what this port number is used for, a quick trip to the IANA Web site (the Internet Assigned Numbers Authority) at http://www.iana.org shows that ports 6665 through 6669 are registered for IRCU, the Internet Relay Chat services.
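As an added example that is not code from the book or from the ZoneLock sample, the following C reconstructs the loop in Listing 8.4 the way you would write it up after reading the disassembly, with each statement keyed to the address it came from. The Win32 calls (InternetGetConnectedState, Sleep, and the connect routine at 004029B1) are replaced by callbacks so the model builds and runs on any platform and can be driven by a scripted session. The NULL-terminated host/port table, the treatment of return values other than 1 and 3 as "move on to the next server" (inferred from the INC EDI at 0040298F), the simulated driver, and all of its inputs are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constants read straight off the listing. */
#define ZL_SLEEP_NO_NET_MS   30000u  /* 00402948  PUSH 7530 */
#define ZL_SLEEP_RETRY_MS    5000u   /* 00402990  PUSH 1388 */
#define ZL_RESULT_RETRY_SAME 1       /* 00402978  CMP ESI,1 */
#define ZL_RESULT_EXIT       3       /* 0040298A  CMP ESI,3 */

/* Host/port tables that EDI indexes: [EDI*4+405104] is the host pointer,
   [EDI*4+40510C] the port. Only the first entry is known from the text; the
   NULL terminator is an assumption drawn from the CMP ...,0 / XOR EDI,EDI
   wrap-around at 00402954. The real table's size is unknown. */
static const char *const g_hosts[] = { "g.hackarmy.tk", NULL };
static const unsigned short g_ports[] = { 0x1A0B /* 6667 */, 0 };

/* The loop's environment: callbacks stand in for the Win32 calls. */
struct zl_env {
    int  (*is_connected)(void *ctx);                      /* InternetGetConnectedState */
    int  (*try_server)(void *ctx, const char *host,
                       unsigned short port);               /* sub_004029B1 */
    void (*sleep_ms)(void *ctx, unsigned ms);             /* Sleep */
    unsigned reconnect_delay_ms;                           /* DWORD at 0040464C */
    void *ctx;
};

/* Reconstruction of 00402939..0040299C. Returns the table index (EDI) that
   was active when the callee returned 3 and the loop exited. */
int zonelock_connect_loop(const struct zl_env *env)
{
    int edi = 0;
    for (;;) {                                             /* 00402939 loop head */
        if (!env->is_connected(env->ctx)) {                /* 00402946 JNZ not taken */
            env->sleep_ms(env->ctx, ZL_SLEEP_NO_NET_MS);   /* 0040294D Sleep(30000) */
            continue;                                      /* 00402952 JMP 0040299A */
        }
        if (g_hosts[edi] == NULL)                          /* 00402954 CMP [EDI*4+405104],0 */
            edi = 0;                                       /* 0040295E XOR EDI,EDI */
        int esi = env->try_server(env->ctx, g_hosts[edi], g_ports[edi]); /* 0040296E */
        if (esi == ZL_RESULT_RETRY_SAME) {                 /* 00402978 CMP ESI,1 */
            env->sleep_ms(env->ctx, env->reconnect_delay_ms); /* 0040297D Sleep([40464C]) */
        } else if (esi == ZL_RESULT_EXIT) {                /* 0040298A CMP ESI,3 */
            return edi;                                    /* 0040298D JE 0040299C */
        } else {
            edi++;                                         /* 0040298F INC EDI: next server */
        }
        env->sleep_ms(env->ctx, ZL_SLEEP_RETRY_MS);        /* 00402990 Sleep(5000) */
    }
}

/* --- Simulated environment (constructed for this example) ---------------- */
#define ZL_MAX_EVENTS 32
struct zl_sim {
    const int *online;  int online_n, online_i;    /* scripted InternetGetConnectedState */
    const int *results; int results_n, results_i;  /* scripted return values of 004029B1 */
    unsigned sleeps[ZL_MAX_EVENTS]; int sleep_n;   /* every Sleep() argument, in order */
    int attempts;                                  /* connection attempts made */
};

static int sim_online(void *c) {
    struct zl_sim *s = c;
    return s->online_i < s->online_n ? s->online[s->online_i++] : 1;
}
static int sim_try(void *c, const char *host, unsigned short port) {
    struct zl_sim *s = c;
    (void)host; (void)port;
    s->attempts++;
    return s->results_i < s->results_n ? s->results[s->results_i++] : ZL_RESULT_EXIT;
}
static void sim_sleep(void *c, unsigned ms) {
    struct zl_sim *s = c;
    if (s->sleep_n < ZL_MAX_EVENTS) s->sleeps[s->sleep_n++] = ms;
}

/* Drive the loop with scripted inputs; returns the exit index and leaves the
   recorded sleeps/attempts in *s. reconnect_delay_ms is 0, the value OllyDbg
   reported for [40464C] in the listing. */
int zl_simulate(const int *online, int online_n,
                const int *results, int results_n, struct zl_sim *s)
{
    *s = (struct zl_sim){ .online = online, .online_n = online_n,
                          .results = results, .results_n = results_n };
    struct zl_env env = { sim_online, sim_try, sim_sleep, 0u, s };
    return zonelock_connect_loop(&env);
}

int main(void)
{
    /* Offline once; then one server fails (2), the next try says retry (1),
       then the callee returns 3 and the loop exits. */
    const int online[]  = { 0, 1 };
    const int results[] = { 2, 1, 3 };
    struct zl_sim s;
    int idx = zl_simulate(online, 2, results, 3, &s);
    printf("exited at index %d after %d attempts; sleeps:", idx, s.attempts);
    for (int i = 0; i < s.sleep_n; i++) printf(" %u", s.sleeps[i]);
    printf(" ms\n");
    return 0;
}
```

The scripted session in main exercises every edge of the loop: the 30-second wait while the connectivity check fails, the 5-second retry after a failed attempt, the wrap-around to index 0 when the table runs out, the extra delay from [40464C] when the callee returns 1, and the exit when it returns 3.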


Reversing Malware 295