Reversing : The Hacker's Guide to Reverse Engineering

The next sequence takes the random string and produces a string that is
later sent to the IRC server. Let’s take a look at that code.

00402ABB PUSH EAX ; <%s>
00402ABC PUSH ZoneLock.0040519E ; <%s> = “USER”
00402AC1 LEA EAX,DWORD PTR SS:[EBP-204]
00402AC7 PUSH EAX ; <%s>
00402AC8 PUSH ZoneLock.00405199 ; <%s> = “NICK”
00402ACD PUSH ZoneLock.004054C5 ; format = “%s %s %s %s “x.com” “x” :x”
00402AD2 LEA EAX,DWORD PTR SS:[EBP-508]
00402AD8 PUSH EAX ; s
00402AD9 CALL <JMP.&CRTDLL.sprintf>

Considering that EAX contains the address of the randomly generated
string, you should now know exactly what that string is for: it is the user name
the backdoor will be using when connecting to the server. Notice that the same
name is used twice, once as the NICK parameter and once as the USER user name.
The preceding sequence produced the following message, and will always
produce the same message; the only difference is going to be the randomly
generated name string.

NICK vsorpy USER vsorpy “x.com” “x” :x

If you look at RFC 1459, the IRC protocol specification, you can see that this
string means that a new user called vsorpy is being registered with the server.
This user name is going to represent this particular system in the IRC chat. The
random-naming scheme was probably created in order to enable multiple
clients to connect to the same server without conflicts. The architecture actually
supports convenient communication with multiple infected systems at the
same time.

Joining the Channel


After connecting to the IRC server, the program and the IRC server enter into
a brief round of standard IRC protocol communications that is just typical pro-
tocol handshaking. The next important event takes place when the IRC server
notifies the client whether or not the server has a MOTD (Message of the Day)
set up. Based on this information, the program enters into the code sequence
that follows, which decides how to enter the communications channel
inside which the attacker will be communicating with the backdoor.

00402D80 JBE SHORT ZoneLock.00402DA7
00402D82 PUSH ZoneLock.004050B6 ; <%s> = “grandad”
00402D87 PUSH ZoneLock.004050B0 ; <%s> = “##g##”
00402D8C PUSH ZoneLock.004051A3 ; <%s> = “JOIN”
00402D91 PUSH ZoneLock.004054AC ; format = “%s %s %s”
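The two sprintf calls on this page build RFC 1459 messages, and the same message rules let a defender recognize them on the wire. The following Python is an added example, not code from the book or from ZoneLock itself: it mirrors the two format strings, parses RFC 1459 messages into prefix, command and parameters (including the ':'-led trailing parameter), and runs a small detector over a constructed client-to-server stream that flags a connection whose NICK equals its USER user name and whose USER command carries the fixed "x.com" "x" :x parameters, then records the JOIN that follows (per RFC 1459 the second JOIN parameter is the channel key). The sample stream, the client identifiers and the assumption that NICK and USER travel as separate CRLF-terminated messages (the page's format string shows them on one line) are all constructed for this example.

```python
"""Added example (not from the book or ZoneLock): rebuild and parse the IRC
messages produced by the two sprintf calls, and flag them in a traffic stream."""
from __future__ import annotations

# Hard-coded strings recovered from the listings on this page.
REGISTRATION_FMT = '%s %s %s %s "x.com" "x" :x'   # format string at 004054C5
JOIN_FMT = "%s %s %s"                             # format string at 004054AC
CHANNEL, CHANNEL_KEY = "##g##", "grandad"         # strings at 004050B0 / 004050B6

# Fixed USER parameters every client built from this code sends:
# <hostname> <servername> :<realname>, with the quote characters literally included.
ZONELOCK_USER_TAIL = ['"x.com"', '"x"', 'x']


def build_registration(nick: str) -> str:
    """Mirror the first sprintf: the same random string is pushed for the NICK
    parameter and for the USER <username> parameter."""
    return REGISTRATION_FMT % ("NICK", nick, "USER", nick)


def build_join(channel: str = CHANNEL, key: str = CHANNEL_KEY) -> str:
    """Mirror the JOIN sprintf; in RFC 1459 the second parameter is the channel key."""
    return JOIN_FMT % ("JOIN", channel, key)


def parse_irc_line(line: str) -> tuple[str | None, str, list[str]]:
    """Split one RFC 1459 message into (prefix, command, params).

    An optional ':'-led prefix comes first; a parameter introduced by ' :'
    is the trailing parameter and keeps any spaces that follow it.
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    middle, sep, trailing = line.partition(" :")
    words = middle.split()
    if not words:
        raise ValueError("empty IRC message")
    command, params = words[0].upper(), words[1:]
    if sep:
        params.append(trailing)
    return prefix, command, params


def find_zonelock_clients(lines) -> dict[str, dict]:
    """Return {client_id: details} for connections whose NICK/USER exchange
    matches the registration string on this page (nick == username and the
    fixed "x.com" "x" :x tail), plus any JOIN they issue afterwards.

    `lines` is an iterable of (client_id, raw_line) pairs, e.g. messages
    reassembled from client->server TCP streams (an assumed input format).
    """
    nicks: dict[str, str] = {}
    hits: dict[str, dict] = {}
    for client, raw in lines:
        try:
            _, cmd, params = parse_irc_line(raw)
        except ValueError:
            continue
        if cmd == "NICK" and params:
            nicks[client] = params[0]
        elif cmd == "USER" and len(params) == 4:
            username, tail = params[0], params[1:]
            if tail == ZONELOCK_USER_TAIL and nicks.get(client) == username:
                hits[client] = {"nick": username, "joins": []}
        elif cmd == "JOIN" and client in hits:
            channel = params[0] if params else None
            key = params[1] if len(params) > 1 else None
            hits[client]["joins"].append((channel, key))
    return hits


# Constructed sample stream (not a real capture): one ordinary IRC user and
# one ZoneLock-style client, each command as its own CRLF-terminated message.
SAMPLE_STREAM = [
    ("10.0.0.5:51000", "NICK alice\r\n"),
    ("10.0.0.5:51000", "USER alice 0 * :Alice Example\r\n"),
    ("10.0.0.9:52514", "NICK vsorpy\r\n"),
    ("10.0.0.9:52514", 'USER vsorpy "x.com" "x" :x\r\n'),
    ("10.0.0.9:52514", build_join() + "\r\n"),
    ("10.0.0.5:51000", "JOIN #general\r\n"),
]

if __name__ == "__main__":
    print(build_registration("vsorpy"))
    for client, info in find_zonelock_clients(SAMPLE_STREAM).items():
        print(client, info)
```

A nick that merely equals the USER user name is common in legitimate clients, so on its own it is a weak signal; the discriminating part of this signature is the fixed, quote-wrapped hostname and servername and the one-character real name that the format string hard-codes, which no ordinary client would send.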

298 Chapter 8
