Reversing : The Hacker's Guide to Reverse Engineering

from the address at ESI to the address at EDI until ECX is zero. For each
DWORD that is copied, ECX is decremented once, and ESI and EDI are both
incremented by four (the sequence is copying 32 bits at a time). The second
REP MOVS performs a byte-by-byte copy of the last 3 bytes if needed. This
is needed only for blocks whose size isn’t 32-bit-aligned.
Let’s see what is being copied in this sequence. ESI is loaded with [EBP+8],
which is NTDLL’s base address, and is incremented by the value at
[EAX+2C]. Going back a bit you can see that EAX contains that same PE
header address you were looking at earlier. If you go back to the PE headers
you dumped earlier from WinDbg, you can see that offset +2c is BaseOfCode.
EDI is loaded with an address within your newly allocated memory
block, at the point right after the table you’ve just filled. Essentially, this
sequence is copying all the code in NTDLL into this memory buffer.
So here’s what you have so far. You have a memory block that is allocated at
runtime, with a specific effort being made to put it at a random address. This
code contains a table of checksums of the names of all exported functions from
NTDLL alongside their RVAs. Right after this table (in the same block) you
have a copy of the entire NTDLL code section. Figure 11.15 provides a graphic
visualization of this interesting and highly unusual data structure.
Now, if I saw this kind of code in an average application I would probably
think that I was witnessing the work of a mad scientist. In a serious copy
protection this makes a lot of sense. This is a mechanism that allocates a memory
block at a random virtual address and creates what is essentially an obfuscated
interface into the operating system module. You’ll soon see just how effective
this interface is at interfering with reversing efforts (which one can only
assume is the only reason for its existence).
The huge function proceeds into calling another function, at 4030E5. This
function starts out with two interesting loops, one of which is:

00403108 CMP ESI,190BC2
0040310E JE SHORT Defender.0040311E
00403110 ADD ECX,8
00403113 MOV ESI,DWORD PTR [ECX]
00403115 CMP ESI,EBX
00403117 JNZ SHORT Defender.00403108

This loop goes through the export table and compares each string checksum
with 190BC2. It is fairly easy to see what is happening here. The code is
looking for a specific API in NTDLL. Because it’s not searching by strings but by
this checksum you have no idea which API the code is looking for—the API’s
name is just not available. Here’s what happens when the entry is found:

0040311E MOV ECX,DWORD PTR [ECX+4]
00403121 ADD ECX,EDI
00403123 MOV DWORD PTR [EBP-C],ECX
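
The (checksum, RVA) table and the lookup loop at 00403108, rendered in C as an added example (not the book's code and not Defender's), together with the analyst's counter-step of hashing known export names to work out which API a bare checksum such as 190BC2 stands for. The checksum algorithm, the terminator value held in EBX, the code-section address and the sample names and RVAs are all assumptions, since the page gives none of them.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One 8-byte table entry as laid out in the block: name checksum, then RVA. */
typedef struct { uint32_t checksum; uint32_t rva; } export_entry;

#define END_MARK    0xFFFFFFFFu /* assumed terminator kept in EBX; not stated on the page */
#define SAMPLE_BASE 0x7C900000u /* constructed stand-in for the copied code section's address */

/* Placeholder name checksum (assumption: Defender's real algorithm is not on this page).
   Masked to 24 bits so END_MARK can never collide with a genuine checksum. */
uint32_t name_checksum(const char *name) {
    uint32_t h = 5381;
    for (; *name; name++) h = h * 33u + (uint8_t)*name;
    return h & 0xFFFFFFu;
}

/* Fills `table` (n + 1 entries) from export names and RVAs, then writes the terminator. */
void build_table(export_entry *table, const char *const *names, const uint32_t *rvas, size_t n) {
    for (size_t i = 0; i < n; i++) { table[i].checksum = name_checksum(names[i]); table[i].rva = rvas[i]; }
    table[n].checksum = END_MARK; table[n].rva = 0;
}

/* C rendering of the loop at 00403108: ECX walks 8-byte entries, ESI holds the current
   checksum, EBX the terminator; on a hit the RVA at [ECX+4] is added to EDI (code_base). */
uintptr_t lookup_by_checksum(const export_entry *table, uint32_t wanted, uintptr_t code_base) {
    for (const export_entry *e = table; e->checksum != END_MARK; e++) {   /* ADD ECX,8 */
        if (e->checksum == wanted) return code_base + e->rva;              /* 0040311E..00403121 */
    }
    return 0;                                                  /* terminator reached, no match */
}

/* Analyst's recovery step: the name is gone from the binary, but hashing every known export
   name with the same algorithm maps the checksum back. Returns NULL when nothing matches. */
const char *recover_name(uint32_t checksum, const char *const *names, size_t n) {
    for (size_t i = 0; i < n; i++) if (name_checksum(names[i]) == checksum) return names[i];
    return NULL;
}

/* Constructed sample export list: real NTDLL names, made-up RVAs. */
static const char *const kNames[] = { "NtCreateFile", "NtOpenFile", "NtClose" };
static const uint32_t kRvas[] = { 0x1000, 0x2000, 0x3000 };
#define kCount (sizeof kRvas / sizeof kRvas[0])

uintptr_t resolve_sample(uint32_t wanted) {
    export_entry table[kCount + 1];
    build_table(table, kNames, kRvas, kCount);
    return lookup_by_checksum(table, wanted, SAMPLE_BASE);
}

const char *recover_sample(uint32_t checksum) { return recover_name(checksum, kNames, kCount); }
```

Against a real export table the same brute-force over every exported name is how you turn the constant at 00403108 back into an API name.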

392 Chapter 11
