making sure I share these relations

On Tue, Dec 14, 2021, 7:59 AM wrote:
Hi K,
do I understand it correctly that you are trying to reverse engineer some malware? Did you have experience with it before starting to work on this particular malware? I find the topic quite interesting...
Best regards,
On 12/14/2021 1:42 PM, Karl wrote:

The first thing I notice here is that the function takes a _lot_ of parameters. This is more poignant because it makes the assembly complex, but back in the entrypoint we saw what values were passed for each one of these parameters.

    **************************************************************
    *                          FUNCTION                          *
    **************************************************************
    int __cdecl FUN_0804d23f(undefined * param_1, int param_
      int               EAX:4            <RETURN>
      undefined *       Stack[0x4]:4     param_1        XREF[1]:  0804d3e9(R)
      int               Stack[0x8]:4     param_2        XREF[2]:  0804d268(R), 0804d3e2(R)
      uint * *          Stack[0xc]:4     param_3        XREF[1]:  0804d250(R)
      undefined *       Stack[0x10]:4    param_4        XREF[1]:  0804d26f(R)
      undefined4        Stack[0x14]:4    param_5        XREF[1]:  0804d372(R)
      undefined4        Stack[0x18]:4    param_6        XREF[1]:  0804d25c(R)
      undefined4        Stack[0x1c]:4    param_7        XREF[1]:  0804d249(R)
      undefined4        Stack[-0x14]:4   local_14       XREF[1]:  0804d32a(R)
      undefined4        Stack[-0x1c]:4   local_1c       XREF[1]:  0804d323(R)
      undefined4        Stack[-0x24]:4   local_24       XREF[1]:  0804d31d(R)
      undefined4        Stack[-0x2c]:4   local_2c       XREF[2]:  0804d2ed(R), 0804d314(R)
      undefined4        Stack[-0x54]:4   local_54       XREF[1]:  0804d2dc(R)
      undefined1        Stack[-0x88]:1   local_88       XREF[2]:  0804d290(*), 0804d2ce(*)
      undefined4        Stack[-0xac]:4   local_ac       XREF[1]:  0804d3f0(*)
                        FUN_0804d23f                    XREF[1]:  entry:08048180(c)
    0804d23f 55                     PUSH  EBP
    0804d240 57                     PUSH  EDI
    0804d241 56                     PUSH  ESI
    0804d242 53                     PUSH  EBX
    0804d243 81 ec 8c 00 00 00      SUB   ESP,0x8c
    0804d249 8b 84 24 b8 00 00 00   MOV   EAX,dword ptr [ESP + param_7]
    0804d250 8b bc 24 a8 00 00 00   MOV   EDI,dword ptr [ESP + param_3]
    0804d257 a3 b8 e0 04 08         MOV   [DAT_0804e0b8],EAX                 = ??
    0804d25c 8b 84 24 b4 00 00 00   MOV   EAX,dword ptr [ESP + param_6]
    0804d263 a3 c8 e0 04 08         MOV   [DAT_0804e0c8],EAX                 = ??
    0804d268 8b 84 24 a4 00 00 00   MOV   EAX,dword ptr [ESP + param_2]
    0804d26f 8b ac 24 ac 00 00 00   MOV   EBP,dword ptr [ESP + param_4]
    0804d276 8d 14 87               LEA   EDX,[EDI + EAX*0x4]
    0804d279 8d 42 04               LEA   EAX,[EDX + 0x4]
    0804d27c a3 bc e0 04 08         MOV   [DAT_0804e0bc],EAX                 = ??
    0804d281 3b 07                  CMP   EAX,dword ptr [EDI]
    0804d283 75 06                  JNZ   LAB_0804d28b
    0804d285 89 15 bc e0 04 08      MOV   dword ptr [DAT_0804e0bc],EDX       = ??
                                 LAB_0804d28b                        XREF[1]:  0804d283(j)
    0804d28b 51                     PUSH  ECX
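A worked check of the point made above, added here as an example and not taken from Karl's mail or from Ghidra: the listing names the loads as `[ESP + param_N]`, but the raw encodings carry plain displacements (0xb8, 0xa8, ...). The script below parses the prologue and parameter loads copied from the listing, derives how far the prologue moved ESP below the return address (four PUSHes plus `SUB ESP,0x8c`), and confirms that each displacement equals that adjustment plus Ghidra's `Stack[0x4*N]` slot for a cdecl callee. All function names (`parse_listing`, `frame_adjustment`, `expected_esp_offsets`, `displacements_from_bytes`, `check_listing`) are my own, and the `LISTING` string is constructed from the lines quoted in the mail.

```python
"""
Reconcile Ghidra's Stack[...] parameter slots with the ESP-relative
displacements encoded in FUN_0804d23f's parameter loads.
Added example; not part of the original mail thread.
"""
import re

# Constructed input: prologue and parameter loads copied from the listing in the mail.
LISTING = """\
0804d23f 55                     PUSH  EBP
0804d240 57                     PUSH  EDI
0804d241 56                     PUSH  ESI
0804d242 53                     PUSH  EBX
0804d243 81 ec 8c 00 00 00      SUB   ESP,0x8c
0804d249 8b 84 24 b8 00 00 00   MOV   EAX,dword ptr [ESP + param_7]
0804d250 8b bc 24 a8 00 00 00   MOV   EDI,dword ptr [ESP + param_3]
0804d25c 8b 84 24 b4 00 00 00   MOV   EAX,dword ptr [ESP + param_6]
0804d268 8b 84 24 a4 00 00 00   MOV   EAX,dword ptr [ESP + param_2]
0804d26f 8b ac 24 ac 00 00 00   MOV   EBP,dword ptr [ESP + param_4]
"""

# address, one or more hex byte groups, mnemonic, operands (lowercase hex as Ghidra prints it)
LINE_RE = re.compile(
    r"^(?P<addr>[0-9a-f]{8})\s+(?P<bytes>(?:[0-9a-f]{2}\s+)+)(?P<mnem>\w+)\s*(?P<ops>.*)$"
)


def parse_listing(text):
    """Turn listing lines into dicts with address, raw bytes, mnemonic and operands."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        insns.append({
            "addr": int(m["addr"], 16),
            "bytes": bytes.fromhex(m["bytes"].replace(" ", "")),
            "mnem": m["mnem"].upper(),
            "ops": m["ops"].strip(),
        })
    return insns


def frame_adjustment(insns):
    """Bytes the prologue places below the return address: 4 per PUSH plus the
    SUB ESP immediate. Scanning stops at the first non-prologue instruction."""
    adj = 0
    for ins in insns:
        if ins["mnem"] == "PUSH":
            adj += 4
        elif ins["mnem"] == "SUB" and ins["ops"].upper().startswith("ESP,"):
            adj += int(ins["ops"].split(",")[1], 16)
        else:
            break
    return adj


def expected_esp_offsets(n_params, adj):
    """Ghidra labels cdecl arguments Stack[0x4], Stack[0x8], ... relative to the
    entry ESP (return address at Stack[0x0]); after the prologue the same slot
    sits at ESP + adj + 4*i."""
    return {f"param_{i}": adj + 4 * i for i in range(1, n_params + 1)}


def displacements_from_bytes(insns):
    """Pull the disp32 out of each MOV r32,[ESP+disp32] encoding:
    opcode 8b, ModRM with mod=10 and rm=100 (SIB), SIB 24 (base=ESP, no index),
    then a little-endian 32-bit displacement. Keyed by the name Ghidra printed."""
    found = {}
    for ins in insns:
        b = ins["bytes"]
        if (ins["mnem"] == "MOV" and len(b) == 7 and b[0] == 0x8B
                and (b[1] & 0xC7) == 0x84 and b[2] == 0x24):
            disp = int.from_bytes(b[3:7], "little")
            name = ins["ops"].split("+")[1].strip(" ]")
            found[name] = disp
    return found


def check_listing(text, n_params=7):
    """Return (frame adjustment, expected offsets, observed offsets, mismatches)."""
    insns = parse_listing(text)
    adj = frame_adjustment(insns)
    expected = expected_esp_offsets(n_params, adj)
    observed = displacements_from_bytes(insns)
    mismatches = {n: (observed[n], expected.get(n))
                  for n in observed if expected.get(n) != observed[n]}
    return adj, expected, observed, mismatches


if __name__ == "__main__":
    adj, expected, observed, mismatches = check_listing(LISTING)
    print(f"prologue moved ESP down by 0x{adj:x} bytes")
    for name, disp in sorted(observed.items()):
        print(f"{name}: encoded ESP+0x{disp:x}, expected ESP+0x{expected[name]:x}")
    print("all parameter loads consistent" if not mismatches else f"mismatches: {mismatches}")
```

Running it shows the adjustment is 0x9c (16 bytes of saved registers plus 0x8c of locals), so `param_7` at `Stack[0x1c]` lands at ESP+0xb8, exactly the displacement in the `8b 84 24 b8 00 00 00` encoding; the same arithmetic gives the entrypoint's stack layout in reverse when you want to know which pushed value ends up in which parameter.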