Reversing : The Hacker's Guide to Reverse Engineering

0040151C JMP SHORT ZoneLock.00401535
0040151E CALL <JMP.&CRTDLL.rand>
00401523 MOV EDI,DWORD PTR SS:[EBP+8]
00401526 MOV ECX,1A
0040152B CDQ
0040152C IDIV ECX
0040152E ADD EDX,61
00401531 MOV BYTE PTR DS:[EDI+ESI],DL
00401534 INC ESI
00401535 CMP ESI,EBX
00401537 JLE SHORT ZoneLock.0040151E
00401539 MOV EAX,DWORD PTR SS:[EBP+8]
0040153C MOV BYTE PTR DS:[EAX+ESI],0
00401540 POP EDI
00401541 POP ESI
00401542 POP EBX
00401543 POP EBP
00401544 RETN

Listing 8.5 A random string-generation function.


This generates some kind of random data (with the random seed taken from the current tick counter). The buffer length is somewhat random; the default length is 5 bytes, but it can be anywhere from 2 to 8 bytes, depending on whether rand produces a negative or positive integer. Once the primary loop is entered, the function computes a random number for each byte, calculates a modulo 0x1A (26 in decimal) for each random number, adds 0x61 (97 in decimal), and stores the result in the current byte of the buffer. Observing the resulting buffer in OllyDbg exposes that the program is essentially producing a short random string made up of lowercase letters, and that the string is placed inside the caller-supplied buffer.


Notice how the modulo in Listing 8.5 is computed using the highly inefficient IDIV instruction. This indicates that the Trojan was compiled with some kind of Minimize Size compiler option (assuming that it was written in a high-level language). If the compiler had been aiming at generating high-performance code, it would have used reciprocal multiplication to compute the modulo, which would have produced far longer, yet faster, code. This is not surprising considering that the program originally came packed with UPX—the author of this program was clearly aiming at making the executable as tiny as possible. For more information on how to identify optimized division sequences and other common arithmetic operations, refer to Appendix B.
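The following C reconstruction of the loop in Listing 8.5 and of its CDQ/IDIV modulo is an added illustration, not code from the book or from the Trojan's source. It assumes ESI starts at 0 (not visible in the listing) and substitutes a constructed LCG for CRTDLL's rand so the output is reproducible.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Emulation of the CDQ / IDIV ECX pair: EDX:EAX holds the sign-extended
 * dividend, the quotient lands in EAX and the remainder in EDX. C's signed
 * '%' truncates toward zero exactly as IDIV does, so the remainder is
 * negative whenever the dividend is negative (hence the text's remark about
 * the sign of rand's result mattering). */
static int32_t idiv_remainder(int32_t eax, int32_t ecx)
{
    int64_t edx_eax = (int64_t)eax;      /* CDQ: sign-extend EAX into EDX */
    return (int32_t)(edx_eax % ecx);     /* IDIV ECX: remainder -> EDX */
}

/* Constructed stand-in for CRTDLL.rand (a plain LCG, assumption). The real
 * rand() returns 0..0x7FFF, so the dividend is never negative; the stub
 * keeps that range. */
static uint32_t g_state = 1;
static int32_t fake_rand(void)
{
    g_state = g_state * 1103515245u + 12345u;
    return (int32_t)((g_state >> 16) & 0x7FFF);
}

/* Reconstruction of 0040151E-00401540. 'last' plays the role of EBX: the
 * loop runs while ESI <= EBX, so last+1 characters are written, followed by
 * a NUL at buf[last+1]. Returns the number of characters written. */
static size_t random_lowercase(char *buf, int32_t last, int32_t (*rnd)(void))
{
    int32_t esi = 0;                                 /* assumed initial ESI */
    for (; esi <= last; esi++) {
        int32_t edx = idiv_remainder(rnd(), 0x1A);   /* MOV ECX,1A; CDQ; IDIV ECX */
        buf[esi] = (char)(edx + 0x61);               /* ADD EDX,61; MOV [EDI+ESI],DL */
    }
    buf[esi] = 0;                                    /* MOV BYTE PTR [EAX+ESI],0 */
    return (size_t)esi;
}

int main(void)
{
    char name[16];
    size_t n = random_lowercase(name, 4, fake_rand); /* EBX = 4 -> 5 letters */
    printf("%s (%zu chars)\n", name, n);
    return 0;
}
```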

Reversing Malware 297