pop ebp
retn
slgcs endp
(it is just a call to sltrgatime64() and division of its result by 10 (3.9 on page 497)).
And the win32 version:
_slgcs proc near ; CODE XREF: _dbgefgHtElResetCount+15
; _dbgerRunActions+1528
db 66h
nop
push ebp
mov ebp, esp
mov eax, [ebp+8]
mov dword ptr [eax], 0
call ds:__imp__GetTickCount@0 ; GetTickCount()
mov edx, eax
mov eax, 0CCCCCCCDh
mul edx
shr edx, 3
mov eax, edx
mov esp, ebp
pop ebp
retn
_slgcs endp
It is just the result of GetTickCount()^43 divided by 10 (3.9 on page 497).
Voilà! That's why the win32 version and the Linux x86 version show different results: they are
generated by different OS functions.
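As an added example (not code from the book or from Oracle), here is the arithmetic of the win32 slgcs listing re-created in C, with a check that the multiply by 0CCCCCCCDh followed by taking EDX and shifting right by 3 really is an unsigned division by 10, as the text states:

```c
#include <stdint.h>
#include <stdio.h>

/* The 32-bit constant loaded into EAX in the listing above. */
#define MAGIC_DIV10 0xCCCCCCCDu

/* Mirrors the instruction sequence after the GetTickCount() call:
 *   mul edx      -> EDX:EAX = EAX * EDX (full 64-bit product)
 *   shr edx, 3   -> keep only the high half, shift it right by 3
 * Keeping EDX is a right shift by 32, so in total the product is
 * shifted right by 35. */
uint32_t slgcs_win32(uint32_t tick_count)
{
    uint64_t product = (uint64_t)tick_count * MAGIC_DIV10;
    uint32_t edx = (uint32_t)(product >> 32);   /* high 32 bits */
    return edx >> 3;                            /* shr edx, 3 */
}

/* Why the constant works: 0CCCCCCCDh is ceil(2^35 / 10). The rounding
 * error this introduces is below 0.1 for every 32-bit input, so
 * (x * 0CCCCCCCDh) >> 35 equals floor(x / 10) exactly. */
uint32_t magic_constant_for_div10(void)
{
    uint64_t two_pow_35 = (uint64_t)1 << 35;
    return (uint32_t)((two_pow_35 + 10 - 1) / 10);   /* ceil division */
}

/* Compares the multiply-and-shift against plain division for every input
 * in [lo, hi] (inclusive, hi may be 0xFFFFFFFF). Returns 1 if all agree,
 * 0 at the first mismatch. */
int check_range(uint32_t lo, uint32_t hi)
{
    uint32_t x = lo;
    for (;;) {
        if (slgcs_win32(x) != x / 10)
            return 0;
        if (x == hi)
            return 1;
        x++;
    }
}

int main(void)
{
    /* constructed sample tick count, not a real GetTickCount() value */
    uint32_t ticks = 123456789u;
    printf("magic = 0x%08X\n", magic_constant_for_div10());
    printf("%u / 10 = %u\n", ticks, slgcs_win32(ticks));
    printf("range check: %d\n", check_range(0xFFFF0000u, 0xFFFFFFFFu));
    return 0;
}
```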
Drain apparently implies connecting a specific table column to a specific function.
We will add support for the table kqfd_tab_registry_0 to oracle tables^44; now we can see how the table
column's variables are connected to specific functions:
[X$KSUTM] [kqfd_OPN_ksutm_c] [kqfd_tabl_fetch] [NULL] [NULL] [kqfd_DRN_ksutm_c]
[X$KSUSGIF] [kqfd_OPN_ksusg_c] [kqfd_tabl_fetch] [NULL] [NULL] [kqfd_DRN_ksusg_c]
OPN apparently stands for open, and DRN, apparently, for drain.
8.12 Handwritten assembly code
8.12.1 EICAR test file
This .COM file is intended for testing antivirus software; it can be run in MS-DOS and it prints this
string: "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"^45.
Its important property is that it consists entirely of printable ASCII symbols, which, in turn, makes it
possible to create it in any text editor:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Let's decompile it:
; initial conditions: SP=0FFFEh, SS:[SP]=0
0100 58 pop ax
; AX=0, SP=0
0101 35 4F 21 xor ax, 214Fh
; AX = 214Fh and SP = 0
0104 50 push ax
(^43) MSDN
(^44) yurichev.com
(^45) wikipedia