Reversing : The Hacker's Guide to Reverse Engineering

004035C2 IDIV ECX
004035C4 MOV ECX,EDX
004035C6 SHL ESI,CL
004035C8 ADD ESI,DWORD PTR [EBP-6C]
004035CB MOV DWORD PTR [EBP-6C],ESI
004035CE JMP SHORT Defender.004035A4

It is easy to see in the debugger that [EBP-68] contains the current string’s length (calculated earlier) and that [EBP-64] contains the address to the current string. It then enters a loop that takes each character in the string and shifts it left by the current index [EBP-68] modulo 24, and then adds the result into an accumulator at [EBP-6C]. This produces a 32-bit number that is like a checksum of the string. It is not clear at this point why this checksum is required. After all the characters are processed, the following code is executed:

004035D0 CMP DWORD PTR [EBP-6C],39DBA17A
004035D7 JNZ SHORT Defender.004035F1

If [EBP-6C] doesn’t equal 39DBA17A the function proceeds to compute the same checksum on the next NTDLL export entry. If it is 39DBA17A the loop stops. This means that one of the entries is going to produce a checksum of 39DBA17A. You can put a breakpoint on the line that follows the JNZ in the code (at address 004035D9) and let the program run. This will show you which function the program is looking for. When you do that Olly breaks, and you can now go to [EBP-64] to see which name is currently loaded. It is NtAllocateVirtualMemory. So, it seems that the function is somehow interested in NtAllocateVirtualMemory, the Native API equivalent of VirtualAlloc, the documented Win32 API for allocating memory pages.
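The checksum loop and the comparison against 39DBA17A, reimplemented in C as an added example (not code from the book or from Defender): defender_name_hash hashes a name exactly as the text describes, and resolve_hash walks a constructed list of NTDLL export names to recover which one produces the constant, which is how an analyst can resolve such a constant to an API name without single-stepping the loop. The function names and the sample export list are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The name-hashing loop at 004035A4-004035CE, as the text describes it:
 * each character is shifted left by (its index mod 24) and added into a
 * 32-bit accumulator. uint32_t arithmetic wraps like the original ADD. */
uint32_t defender_name_hash(const char *name)
{
    uint32_t acc = 0;
    size_t len = strlen(name);
    for (size_t i = 0; i < len; i++)
        acc += (uint32_t)(unsigned char)name[i] << (unsigned)(i % 24);
    return acc;
}

/* Constant compared against the accumulator at 004035D0. */
#define DEFENDER_TARGET 0x39DBA17Au

/* Constructed stand-in for the NTDLL export directory the function walks:
 * a few real export names, deliberately not in the order NTDLL uses. */
static const char *const sample_exports[] = {
    "NtClose", "NtCreateFile", "NtAllocateVirtualMemory",
    "NtFreeVirtualMemory", "NtProtectVirtualMemory",
};
#define SAMPLE_EXPORT_COUNT (sizeof sample_exports / sizeof *sample_exports)

/* The same walk the loop performs: index of the first name whose hash
 * equals target, or -1 when no entry matches. */
int resolve_hash(uint32_t target, const char *const *names, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (defender_name_hash(names[i]) == target)
            return (int)i;
    return -1;
}

int main(void)
{
    int idx = resolve_hash(DEFENDER_TARGET, sample_exports, SAMPLE_EXPORT_COUNT);
    if (idx < 0)
        printf("no export hashes to %08X\n", DEFENDER_TARGET);
    else
        printf("%08X -> %s\n", DEFENDER_TARGET, sample_exports[idx]);
    return 0;
}
```

Run against the full NTDLL export list, the same lookup resolves every constant of this kind that the binary compares against.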
After computing the exact address of NtAllocateVirtualMemory (which is stored at [EBP-10]) the function proceeds to call the API. The following is the call sequence:

0040365F RDTSC
00403661 AND EAX,7FFF0000
00403666 MOV DWORD PTR [EBP-C],EAX
00403669 PUSH 4
0040366B PUSH 3000
00403670 LEA EAX,DWORD PTR [EBP-4]
00403673 PUSH EAX
00403674 PUSH 0
00403676 LEA EAX,DWORD PTR [EBP-C]
00403679 PUSH EAX
0040367A PUSH -1
0040367C CALL DWORD PTR [EBP-10]

Notice the RDTSC instruction at the beginning. This is an unusual instruction that you haven’t encountered before. Referring to the Intel Instruction Set

388 Chapter 11
