Reversing : The Hacker's Guide to Reverse Engineering


Figure 11.14 Running PEiD on Defender.EXE reports “Nothing found.”


Reversing Defender’s Initialization Routine


Because the program doesn’t appear to directly call any APIs, there doesn’t
seem to be a specific API on which you could place a breakpoint to catch the
place in the code where the program is printing this message. Thus you don’t
really have a choice but to try your luck by examining the program’s entry
point and trying to find some interesting code that might shed some light on
this program. Let’s load the program in IDA and run a full analysis on it. You
can now take a quick look at the program’s entry point.


.h3mf85n:00404232 start proc near
.h3mf85n:00404232
.h3mf85n:00404232 var_8 = dword ptr -8
.h3mf85n:00404232 var_4 = dword ptr -4
.h3mf85n:00404232
.h3mf85n:00404232 push ebp
.h3mf85n:00404233 mov ebp, esp
.h3mf85n:00404235 push ecx
.h3mf85n:00404236 push ecx
.h3mf85n:00404237 push esi
.h3mf85n:00404238 push edi
.h3mf85n:00404239 call sub_402EA8
.h3mf85n:0040423E push eax
.h3mf85n:0040423F call loc_4033D1
.h3mf85n:00404244 mov eax, dword_406000
.h3mf85n:00404249 pop ecx
.h3mf85n:0040424A mov ecx, eax
.h3mf85n:0040424C mov eax, [eax]
.h3mf85n:0040424E mov edi, 6DEF20h
.h3mf85n:00404253 xor esi, esi
.h3mf85n:00404255 jmp short loc_404260
.h3mf85n:00404257 ; ----------------------------------------------------

Listing 11.6 A disassembly of Defender’s entry point function, generated by IDA.
(continued)
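The listing shows where the entry point lands (0x404232, inside the oddly named .h3mf85n section) but not how a tool such as IDA finds it. As an added example, not code from the book or from Defender.EXE, the following Python walks a PE32 header and reports the entry point VA, whether an import directory exists (an empty one is why there is no API to break on), and which section contains the entry; the header it parses is constructed inline to mimic the values seen on this page.

```python
import struct


def build_sample_pe() -> bytes:
    """Constructed PE32 header only (no code bytes): one section named
    .h3mf85n, entry at RVA 0x4232 with ImageBase 0x400000, no imports."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                     # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                     # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x4232)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    # data directory 1 (import table) is left zero: no imports to hook
    sect = struct.pack("<8sIIIIIIHHI", b".h3mf85n", 0x5000, 0x1000,
                       0x5000, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + sect


def parse_pe_entry(data: bytes) -> dict:
    """Locate the entry point and import directory by walking the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                           # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    import_rva = import_size = 0
    if ndirs > 1:                                             # directory 1 = imports
        import_rva, import_size = struct.unpack_from("<II", data, opt + 96 + 8)
    sections = []
    for i in range(nsections):                                # 40-byte section headers
        name, vsize, vaddr = struct.unpack_from("<8sII", data, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize))
    entry_section = next((n for n, va, vs in sections if va <= entry_rva < va + vs), None)
    return {"entry_va": image_base + entry_rva,
            "has_imports": import_rva != 0 and import_size != 0,
            "entry_section": entry_section,
            "sections": [n for n, _, _ in sections]}


if __name__ == "__main__":
    print(parse_pe_entry(build_sample_pe()))
```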


Breaking Protections 377