Reversing : The Hacker's Guide to Reverse Engineering

004034DD 12 DB 12
004034DE 49 DB 49
004034DF 32 DB 32
004034E0 F6 DB F6
004034E1 9E DB 9E
004034E2 7D DB 7D

However, you simply must tell Olly to reanalyze this memory to look for
anything meaningful. You do this by pressing Ctrl+A. It is immediately obvious
that something has changed. Instead of meaningless bytes you now have
assembly language code. Scrolling down a few pages reveals that this is quite
a bit of code—dozens of pages of code actually. This is really the body of the
function you're investigating: 4033D1. The code in Listing 11.7 was just the
decryption prologue. The full decrypted version of 4033D1 is quite long and
would fill many pages, so instead I'll just go over the general structure of the
function and what it does as a whole. I'll include key code sections that are
worth investigating. It would be a good idea to have OllyDbg open and to let
the function decrypt itself so that you can look at the code while reading this—
there is quite a bit of interesting code in this function. One important thing to
realize is that it wouldn't be practical or even useful to try to understand every
line in this huge function. Instead, you must try to recognize key areas in the
code and to understand their purpose.


Analyzing the Decrypted Code


The function starts out with some pointer manipulation on the NTDLL base
address you acquired earlier. The function digs through NTDLL’s PE header
until it gets to its export directory (OllyDbg tells you this because when the
function has the pointer to the export directory Olly will comment it as
ntdll.$$VProc_ImageExportDirectory). The function then goes
through each export and performs an interesting (and highly unusual) bit of
arithmetic on each function name string. Let’s look at the code that does this.


004035A4 MOV EAX,DWORD PTR [EBP-68]
004035A7 MOV ECX,DWORD PTR [EBP-68]
004035AA DEC ECX
004035AB MOV DWORD PTR [EBP-68],ECX
004035AE TEST EAX,EAX
004035B0 JE SHORT Defender.004035D0
004035B2 MOV EAX,DWORD PTR [EBP-64]
004035B5 ADD EAX,DWORD PTR [EBP-68]
004035B8 MOVSX ESI,BYTE PTR [EAX]
004035BB MOV EAX,DWORD PTR [EBP-68]
004035BE CDQ
004035BF PUSH 18
004035C1 POP ECX
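The walk the function performs through NTDLL's image (DOS header, NT headers, DataDirectory[0], then each entry of the export name table) as an added Python example that is not from the book or the Defender program. It builds a constructed, minimal PE32 image in memory where RVA equals offset, so no real ntdll.dll is needed; the per-name arithmetic that follows the walk is not reproduced.

```python
import struct

# Constructed, flat PE32 image (RVA == offset) and a walker that follows the
# same path as the Defender function: DOS header -> NT headers -> export
# DataDirectory -> export name table. Not ntdll.dll; offsets are from the PE spec.
def build_min_pe(names):
    """Build a flat PE32 image whose export directory names `names` (bytes)."""
    e_lfanew = 0x40
    opt = e_lfanew + 24                          # after "PE\0\0" + IMAGE_FILE_HEADER
    exp = opt + 224                              # sizeof(IMAGE_OPTIONAL_HEADER32)
    n = len(names)
    funcs, name_tbl, ords = exp + 40, exp + 40 + 4 * n, exp + 40 + 8 * n
    img = bytearray(ords + 2 * n + sum(len(s) + 1 for s in names))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, opt, 0x10B)      # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)    # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96, exp, 40)  # export DataDirectory entry
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, Ordinals
    struct.pack_into("<IIIII", img, exp + 20, n, n, funcs, name_tbl, ords)
    cur = ords + 2 * n
    for i, s in enumerate(names):
        struct.pack_into("<I", img, funcs + 4 * i, 0x10000 + i)  # dummy code RVAs
        struct.pack_into("<I", img, name_tbl + 4 * i, cur)
        struct.pack_into("<H", img, ords + 2 * i, i)
        img[cur:cur + len(s) + 1] = s + b"\0"
        cur += len(s) + 1
    return bytes(img)

def export_names(img):
    """Return the export name strings of a flat PE image (PE32 or PE32+)."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", img, opt)
    dd = opt + (96 if magic == 0x10B else 112)   # DataDirectory: PE32 vs PE32+
    exp_rva, exp_size = struct.unpack_from("<II", img, dd)
    if exp_rva == 0 or exp_size == 0:
        return []                                # module exports nothing
    n_names, = struct.unpack_from("<I", img, exp_rva + 24)   # NumberOfNames
    name_tbl, = struct.unpack_from("<I", img, exp_rva + 32)  # AddressOfNames
    names = []
    for i in range(n_names):
        rva, = struct.unpack_from("<I", img, name_tbl + 4 * i)
        names.append(img[rva:img.index(b"\0", rva)].decode("ascii"))
    return names
```

Running `export_names` over a real module image requires mapping each RVA through the section table first, which the flat constructed image sidesteps.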

Breaking Protections 387