Reversing : The Hacker's Guide to Reverse Engineering

00402E9F MOV EAX,DWORD PTR SS:[EBP+8] ;
00402EA2 INC EAX ;
00402EA3 PUSH EAX ; s1
00402EA4 CALL <JMP.&CRTDLL.strstr> ; strstr
00402EA9 ADD ESP,8
00402EAC MOV EDX,EAX
00402EAE ADD EDX,2
00402EB1 MOV ESI,EDX
00402EB3 JNZ SHORT ZoneLock.00402EBC
00402EB5 XOR EAX,EAX
00402EB7 JMP ZoneLock.00403011
00402EBC MOVSX EAX,BYTE PTR DS:[ESI]
00402EBF MOVSX EDX,BYTE PTR DS:[4050C5]
00402EC6 CMP EAX,EDX
00402EC8 JE SHORT ZoneLock.00402ED1
00402ECA XOR EAX,EAX

After confirming that the command string is actually PRIVMSG, the program skips the colon character that denotes the beginning of the message (in the strstr call), and proceeds to compare the first character of the actual message with a character from 004050C5. When you look at that memory address in the debugger, you can see that it appears to contain a hard-coded exclamation mark (!) character. If the first character is not an exclamation mark, the program exits the function and goes back to wait for the next server transmission. So, it looks as if backdoor commands start with an exclamation mark. The next code sequence appears to perform another kind of check on your private messages. Let's take a look.

00402EED XOR EDI,EDI
00402EEF LEA EAX,DWORD PTR SS:[EBP-60]
00402EF2 PUSH EAX ; s2
00402EF3 IMUL EAX,EDI,50 ;
00402EF6 LEA EAX,DWORD PTR DS:[EAX+4051C5] ;
00402EFD PUSH EAX ; s1
00402EFE CALL <JMP.&CRTDLL.strcmp> ; strcmp
00402F03 ADD ESP,8
00402F06 OR EAX,EAX
00402F08 JNZ SHORT ZoneLock.00402F0D
00402F0A XOR EBX,EBX
00402F0C INC EBX
00402F0D INC EDI
00402F0E CMP EDI,3
00402F11 JLE SHORT ZoneLock.00402EEF

The preceding sequence is important: It compares a string from [EBP-60], which is the nickname of the user who's sending the current private message (essentially the attacker) with a string from a global variable. It also looks as if this is an array of strings, each element being up to 0x50 (80 in decimal)

300 Chapter 8
