Reversing : The Hacker's Guide to Reverse Engineering

It looks like the Trojan is looking to chat with someone. Care to guess with
whom? Here’s a hint: he’s wearing a black hat. Well, at least in security book
illustrations he does, it’s actually more likely that he’s just a bored teenager
wearing a baseball cap. Regardless, the program is clearly trying to connect to
an IRC server in order to communicate with an attacker who is most likely its
original author. The specific address being referenced is g.hackarmy.tk,
which was invalid at the time of writing (and is most likely going to remain
invalid). This address was probably unregistered very early on, as soon as the
antivirus companies discovered that it was being used for backdoor access to
infected machines. You can safely assume that this address originally pointed
to some IRC server, either one set up specifically for this purpose or one of the
many legitimate public servers.

Connecting to the Server


To really test the Trojan's backdoor capabilities, I set up an IRC server on a
separate virtual machine and named it g.hackarmy.tk, so that the Trojan
connects to it when it is launched. You're welcome to try this out if you want, but
you're probably going to learn plenty by just reading through my accounts of
this experience. To make this reversing session truly effective, I combined
a conventional reversing session with some live chats with the backdoor
through IRC.
Stepping through the code that follows the connection of the socket, you
can see a function that seems somewhat interesting and unusual, shown in
Listing 8.5.

004014EC PUSH EBP
004014ED MOV EBP,ESP
004014EF PUSH EBX
004014F0 PUSH ESI
004014F1 PUSH EDI
004014F2 CALL <JMP.&KERNEL32.GetTickCount>
004014F7 PUSH EAX ; seed
004014F8 CALL <JMP.&CRTDLL.srand> ; srand(GetTickCount())
004014FD POP ECX ; discard the pushed argument
004014FE CALL <JMP.&CRTDLL.rand>
00401503 MOV EDX,EAX
00401505 AND EDX,80000003 ; keep the sign bit and the low two bits
0040150B JGE SHORT ZoneLock.00401512 ; non-negative: no fix-up needed
0040150D DEC EDX ; negative: sign-extend the remainder back to -3..0
0040150E OR EDX,FFFFFFFC
00401511 INC EDX
00401512 MOV EBX,EDX ; EBX = rand() % 4
00401514 ADD EBX,4 ; EBX = (rand() % 4) + 4, a value from 4 to 7
00401517 MOV ESI,0

Listing 8.5 A random string-generation function.
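The AND 80000003 / JGE / DEC / OR FFFFFFFC / INC sequence in Listing 8.5 is the compiler's idiom for a signed remainder by four, so EBX ends up holding (rand() % 4) + 4, a value from 4 to 7. The following C, added here and not taken from the book or from the Trojan, models that sequence bit for bit and checks it against C's % operator over negative inputs as well; the function names are my own, and the sample inputs are constructed stand-ins for rand() results.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit-for-bit model of 00401505..00401511: AND EDX,80000003 keeps the
 * sign bit and the low two bits; if the result is negative the DEC /
 * OR FFFFFFFC / INC sequence sign-extends it back to a value in -3..0. */
int32_t signed_mod4_idiom(int32_t rand_value)
{
    uint32_t edx = (uint32_t)rand_value & 0x80000003u; /* AND EDX,80000003 */
    if ((int32_t)edx >= 0)                             /* JGE: skip fix-up */
        return (int32_t)edx;
    edx -= 1;                                          /* DEC EDX */
    edx |= 0xFFFFFFFCu;                                /* OR EDX,FFFFFFFC */
    edx += 1;                                          /* INC EDX */
    return (int32_t)edx;
}

/* What the original source most likely said: C's remainder, truncated toward zero. */
int32_t signed_mod4_c(int32_t rand_value) { return rand_value % 4; }

/* EBX after 00401514: (rand() % 4) + 4, i.e. a value in 4..7. */
int32_t ebx_after_listing(int32_t rand_value)
{
    return signed_mod4_idiom(rand_value) + 4;
}

/* Confirm the idiom equals % over a range that includes negatives, which
 * rand() never returns (0..RAND_MAX) but the compiler still had to handle. */
int idiom_matches_c_remainder(void)
{
    for (int32_t x = -4096; x <= 4096; x++)
        if (signed_mod4_idiom(x) != signed_mod4_c(x))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs standing in for rand() results. */
    const int32_t samples[] = { 0, 7, 32767, -1, -5, -8 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("rand()=%6d  idiom=%2d  C%%=%2d  EBX=%d\n", samples[i],
               signed_mod4_idiom(samples[i]), signed_mod4_c(samples[i]),
               ebx_after_listing(samples[i]));
    printf("idiom matches C remainder: %s\n",
           idiom_matches_c_remainder() ? "yes" : "no");
    return 0;
}
```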

296 Chapter 8
