If you look closely at the address that the JMP at 004041F4 is going to, you'll
notice that it's very far from where you are at the moment—right at the
beginning of this function actually. To refresh your memory, here's the code at
that location:
00403401 CMP DWORD PTR SS:[EBP-8],0
00403405 JE SHORT Defender.0040346D
You may or may not remember this, but the line immediately preceding
00403401 was setting [EBP-8] to 1, which seemed a bit funny considering it
was immediately checked. Well, here's the answer—there is encrypted code at
the end of the function that sets this variable to zero and jumps back to that
same position. Since the conditional jump is taken this time, you land at
40346D, which is a sequence that appears to be very similar to the decryption
sequence you studied in the beginning. Still, it is somewhat different, and
observing its effect in the debugger reveals the obvious: it is reencrypting the
code in this function.
There's no reason to get into the details of this logic, but there are several
details that are worth mentioning. After the encryption sequence ends, the
following code is executed:
004034D0 MOV DWORD PTR DS:[406008],EAX
004034D5 PUSH Defender.004041FD
004034DA POP EBX
004034DB JMP EBX
The first line saves the value in EAX into a global variable. EAX seems to
contain some kind of a checksum of the encrypted code. Also, the PUSH, POP, JMP
sequence is the exact same code that originally jumped into the decrypted
code, only it has been modified to jump to the end of the function.
Back at the Entry Point
After the huge function you've just dissected returns, the entry point routine
makes the traditional call into NtDelayExecution and calls into another
internal function, at 404202. The following is a full listing for this function:
00404202 MOV EAX,DWORD PTR DS:[406004]
00404207 MOV ECX,EAX
00404209 MOV EAX,DWORD PTR DS:[EAX]
0040420B JMP SHORT Defender.00404219
0040420D CMP EAX,66B8EBBB
00404212 JE SHORT Defender.00404227
00404214 ADD ECX,8
00404217 MOV EAX,DWORD PTR DS:[ECX]
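As an added illustration (not code from the book or from Defender itself), here is how an analyst might model the loop that this listing starts to show in C: a pointer loaded from the global at 406004 walks a table in 8-byte steps (ADD ECX,8), comparing the first dword of each entry against the immediate 66B8EBBB. The entry layout, the zero-tag sentinel and the second dword being a value are assumptions, since the listing is cut off before the loop's exit test at 00404219.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical layout of one 8-byte entry in the table that the
 * global at 406004 is assumed to point to (constructed model). */
typedef struct {
    uint32_t tag;   /* the dword compared against 66B8EBBB */
    uint32_t value; /* assumed: payload fetched once the tag matches */
} table_entry;

/* The immediate from CMP EAX,66B8EBBB in the listing. */
#define TARGET_TAG 0x66B8EBBBu

/* Walk the table one 8-byte entry at a time (ADD ECX,8 ; MOV EAX,[ECX])
 * until the tag matches (JE 00404227). A zero tag is assumed here as the
 * end-of-table sentinel; the real exit test at 00404219 is not shown. */
const table_entry *find_entry(const table_entry *table, uint32_t tag) {
    for (const table_entry *e = table; e->tag != 0; e++) {
        if (e->tag == tag)
            return e;
    }
    return NULL;
}

/* Constructed sample table standing in for the data at 406004. */
static const table_entry sample_table[] = {
    {0x11111111u, 0x1000u},
    {TARGET_TAG,  0x2000u},
    {0x22222222u, 0x3000u},
    {0, 0},                 /* assumed sentinel */
};

/* Look a tag up in the sample table; 0 means "not found". */
uint32_t lookup_sample(uint32_t tag) {
    const table_entry *e = find_entry(sample_table, tag);
    return e ? e->value : 0;
}
```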
402 Chapter 11