[Dshield] Worm Disassembly

Tom Liston tliston at premmag.com
Wed Aug 13 20:00:04 GMT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You probably should have un-UPXed the code before disassembling it.

- -TL

On 13 Aug 2003 at 13:22, Chris Ream wrote:

> Ok, I've been getting slammed with requests so here is the disassembly
> of one of the worms. I'll post the other one shortly and send my
> comments privately to those interested in discussing it.
> 
> For those examining it, don't forget that Windows programs written in C
> don't actually start executing code at void main(); they do several
> things like loading environment variables and argc's before they jump to
> the actual code.
> 
> -Chris.
> chrisr at stopthemcold.com
- ---- >8 ---- Snip! 

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0 -- QDPGP 2.70 
Comment: Public key - http://www.hackbusters.net/pgp.txt

iQA/AwUBPzqYxKOq/X4cwCZKEQI43QCgvW0uN5AqOkEKT3mSOH4Risfo6ZsAnjS7
IVBCgM8OxXMG8zPzclO1Jn3U
=T3+j
-----END PGP SIGNATURE-----



