Function Analysis
Author: JasonGeffner
Created: Friday, January 12 2007 21:44.00 CST. Modified: Friday, January 12 2007 21:44.00 CST.

While analyzing a malware sample today, I came across an interesting function. It uses red-herring local variables and red-herring global variables, and even once you get rid of that code, it's still unclear what the function does.

Since you don't have access to the callers of this function, I'll tell you this:

  • The first argument is a null-terminated ASCII string.
  • The second argument is a null-terminated ASCII string.
  • The third argument is an integer.

Your challenge? Tell me what the function does. Your prize? You get to choose the name of the next malware family that I name. Stipulations:

  • Cannot refer to the name of a person, place, or time.
  • Cannot refer to anything obscene or offensive.
  • Cannot be found in a dictionary or web-search.
  • Cannot use camel-casing for compounding words -- must begin with one uppercase letter and end with all lowercase letters.
  • Must be a "generic" name (for example, shouldn't contain the word "bot" or "worm", since I have no idea what class of malware I'll end up naming next).
  • Must be humanly pronounceable.
  • Must be between four and eight letters in length.
  • I have final discretion over the name in case you think of something "bad" that isn't covered by one of the rules above.

The winner is the first person to post a comment that correctly and fully describes in high-level English (not in code) what the function does.

And in case you think I'm "hiring cheap labor" to analyze this for me, I'll pull a Raymond Chen and say that the MD5 of my analysis is F2F3648B9BE371B4682B728A7A3D920F. Once the correct answer is posted, I'll post my analysis, which hashes to that MD5.

Here's the function:

 sub_0           proc near

 var_10          = dword ptr -10h
 var_C           = dword ptr -0Ch
 var_8           = dword ptr -8
 var_4           = dword ptr -4
 arg_0           = dword ptr  8
 arg_4           = dword ptr  0Ch
 arg_8           = dword ptr  10h

                 push    ebp
                 mov     ebp, esp
                 sub     esp, 10h
                 push    ebx
                 push    esi
                 push    edi
                 mov     esi, [ebp+arg_4]
                 mov     [ebp+var_8], 697A259Dh
                 xor     [ebp+var_8], 182Ch
                 inc     dword ptr ds:42C094h
                 and     [ebp+var_C], 0
                 and     [ebp+var_4], 0
                 jmp     short loc_94
 ; ---------------------------------------------------------------------------

 loc_2A:                                 ; CODE XREF: sub_0+A6j
                 xor     ebx, ebx
                 add     [ebp+var_8], 3AA5h
                 inc     dword ptr ds:42C094h
                 xor     edi, edi
                 jmp     short loc_81
 ; ---------------------------------------------------------------------------

 loc_3D:                                 ; CODE XREF: sub_0+8Fj
                 mov     eax, [ebp+var_4]
                 add     eax, edi
                 mov     edx, [ebp+arg_0]
                 movsx   eax, byte ptr [edx+eax]
                 movsx   edx, byte ptr [esi+edi]
                 cmp     eax, edx
                 jnz     short loc_52
                 inc     ebx

 loc_52:                                 ; CODE XREF: sub_0+4Fj
                 mov     ecx, esi
                 or      eax, 0FFFFFFFFh

 loc_57:                                 ; CODE XREF: sub_0+5Cj
                 inc     eax
                 cmp     byte ptr [ecx+eax], 0
                 jnz     short loc_57
                 cmp     ebx, eax
                 jnz     short loc_72
                 inc     [ebp+var_C]
                 mov     eax, [ebp+arg_8]
                 cmp     [ebp+var_C], eax
                 jnz     short loc_72
                 mov     eax, [ebp+var_4]
                 jmp     short loc_C0
 ; ---------------------------------------------------------------------------

 loc_72:                                 ; CODE XREF: sub_0+60j
                                         ; sub_0+6Bj
                 mov     eax, 43C9h
                 mul     [ebp+var_8]
                 mov     [ebp+var_10], eax
                 mov     [ebp+var_8], eax
                 inc     edi

 loc_81:                                 ; CODE XREF: sub_0+3Bj
                 mov     ecx, esi
                 or      eax, 0FFFFFFFFh

 loc_86:                                 ; CODE XREF: sub_0+8Bj
                 inc     eax
                 cmp     byte ptr [ecx+eax], 0
                 jnz     short loc_86
                 cmp     edi, eax
                 jb      short loc_3D
                 inc     [ebp+var_4]

 loc_94:                                 ; CODE XREF: sub_0+28j
                 mov     eax, [ebp+arg_0]
                 mov     ecx, eax
                 or      eax, 0FFFFFFFFh

 loc_9C:                                 ; CODE XREF: sub_0+A1j
                 inc     eax
                 cmp     byte ptr [ecx+eax], 0
                 jnz     short loc_9C
                 cmp     [ebp+var_4], eax
                 jb      short loc_2A
                 mov     eax, 0FFFFh
                 jmp     short loc_C0
 ; ---------------------------------------------------------------------------
                 mov     eax, 514Ah
                 mul     dword ptr [ebp-8]
                 mov     [ebp-10h], eax
                 mov     eax, [ebp-10h]
                 mov     [ebp-8], eax

 loc_C0:                                 ; CODE XREF: sub_0+70j
                                         ; sub_0+ADj
                 pop     edi
                 pop     esi
                 pop     ebx
                 leave
                 retn
 sub_0           endp
 

And here's the raw byte-code for the function above:

5589E583EC105356578B750CC745F89D257A698175F82C180000FF0594C04200
8365F4008365FC00EB6A31DB8145F8A53A0000FF0594C0420031FFEB448B45FC
01F88B55080FBE04020FBE143E39D075014389F183C8FF40803C010075F939C3
7510FF45F48B45103945F475058B45FCEB4EB8C9430000F765F88945F08945F8
4789F183C8FF40803C010075F939C772ACFF45FC8B450889C183C8FF40803C01
0075F93945FC7282B8FFFF0000EB11B84A510000F765F88945F08B45F08945F8
5F5E5BC9C3
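The listing above, reconstructed in C as an added example (this is not the author's hidden analysis): the red-herring arithmetic on var_8/var_10, the counter at ds:42C094h and the unreachable block after "jmp short loc_C0" are dropped because none of them ever reaches eax, and the parameter names haystack, needle and nth are assumptions. The one deliberate deviation is a bound on the first string that the original lacks; the comment explains why the return value is unchanged.

```c
#include <stdio.h>
#include <string.h>

/* Reconstruction of sub_0 (added example, not the author's analysis).
 * Assumed names: haystack = arg_0, needle = arg_4, nth = arg_8. */
#define SUB0_NOT_FOUND 0xFFFFu

unsigned int sub_0(const char *haystack, const char *needle, unsigned int nth)
{
    size_t hlen = strlen(haystack);  /* loc_94: inline strlen of arg_0 */
    size_t nlen = strlen(needle);    /* loc_81/loc_52: inline strlen of arg_4 */
    unsigned int found = 0;          /* var_C: occurrences seen so far */

    for (size_t i = 0; i < hlen; i++) {          /* var_4: offset into haystack */
        unsigned int matched = 0;                /* ebx: needle bytes matched at i */
        for (size_t j = 0; j < nlen; j++) {      /* edi: offset into needle */
            /* The listing has no bound on arg_0 and keeps comparing past its
             * terminator once i + j >= hlen. The terminator never equals a
             * needle byte, so matched can no longer reach nlen; stopping here
             * keeps the same result without the over-read. */
            if (i + j >= hlen)
                break;
            if (haystack[i + j] == needle[j])    /* movsx/cmp at loc_3D */
                matched++;
            if (matched == nlen) {               /* cmp ebx, strlen(needle) */
                found++;                         /* inc [ebp+var_C] */
                if (found == nth)                /* cmp [ebp+var_C], arg_8 */
                    return (unsigned int)i;      /* mov eax, [ebp+var_4] */
            }
        }
    }
    return SUB0_NOT_FOUND;                       /* mov eax, 0FFFFh */
}

int main(void)
{
    /* Constructed inputs; overlapping occurrences are counted separately. */
    printf("%u\n", sub_0("abcabcabc", "abc", 2)); /* 3 */
    printf("%u\n", sub_0("aaaa", "aa", 3));       /* 2 */
    printf("%#x\n", sub_0("abc", "abcd", 1));     /* 0xffff */
    return 0;
}
```

Two edge cases worth noting: an nth of 0 or an empty second string can never be satisfied and always yields 0xFFFF, and 0xFFFF doubles as both the not-found value and a legitimate offset of 65535.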