Hi K,
do I understand it correctly that you are trying to reverse engineer
some malware? Did you have experience with it before starting to work on
this particular malware?
I find the topic quite interesting...
Best regards,
On 12/14/2021 1:42 PM, Karl wrote:
> The first thing I notice here is that the function takes a _lot_ of
> parameters. This is more poignant because it makes the assembly
> complex, but back in the entrypoint we saw what values were passed for
> each one of these parameters.
>
>
> **************************************************************
> *                                                            *
> *                          FUNCTION                          *
> *                                                            *
> **************************************************************
> int __cdecl FUN_0804d23f(undefined * param_1, int param_
>   int            EAX:4           <RETURN>
>   undefined *    Stack[0x4]:4    param_1    XREF[1]: 0804d3e9(R)
>   int            Stack[0x8]:4    param_2    XREF[2]: 0804d268(R), 0804d3e2(R)
>   uint * *       Stack[0xc]:4    param_3    XREF[1]: 0804d250(R)
>   undefined *    Stack[0x10]:4   param_4    XREF[1]: 0804d26f(R)
>   undefined4     Stack[0x14]:4   param_5    XREF[1]: 0804d372(R)
>   undefined4     Stack[0x18]:4   param_6    XREF[1]: 0804d25c(R)
>   undefined4     Stack[0x1c]:4   param_7    XREF[1]: 0804d249(R)
>   undefined4     Stack[-0x14]:4  local_14   XREF[1]: 0804d32a(R)
>   undefined4     Stack[-0x1c]:4  local_1c   XREF[1]: 0804d323(R)
>   undefined4     Stack[-0x24]:4  local_24   XREF[1]: 0804d31d(R)
>   undefined4     Stack[-0x2c]:4  local_2c   XREF[2]: 0804d2ed(R), 0804d314(R)
>   undefined4     Stack[-0x54]:4  local_54   XREF[1]: 0804d2dc(R)
>   undefined1     Stack[-0x88]:1  local_88   XREF[2]: 0804d290(*), 0804d2ce(*)
>   undefined4     Stack[-0xac]:4  local_ac   XREF[1]: 0804d3f0(*)
> FUN_0804d23f                                XREF[1]: entry:08048180(c)
> 0804d23f 55                    PUSH   EBP
> 0804d240 57                    PUSH   EDI
> 0804d241 56                    PUSH   ESI
> 0804d242 53                    PUSH   EBX
> 0804d243 81 ec 8c 00 00 00     SUB    ESP,0x8c
> 0804d249 8b 84 24 b8 00 00 00  MOV    EAX,dword ptr [ESP + param_7]
> 0804d250 8b bc 24 a8 00 00 00  MOV    EDI,dword ptr [ESP + param_3]
> 0804d257 a3 b8 e0 04 08        MOV    [DAT_0804e0b8],EAX              = ??
> 0804d25c 8b 84 24 b4 00 00 00  MOV    EAX,dword ptr [ESP + param_6]
> 0804d263 a3 c8 e0 04 08        MOV    [DAT_0804e0c8],EAX              = ??
> 0804d268 8b 84 24 a4 00 00 00  MOV    EAX,dword ptr [ESP + param_2]
> 0804d26f 8b ac 24 ac 00 00 00  MOV    EBP,dword ptr [ESP + param_4]
> 0804d276 8d 14 87              LEA    EDX,[EDI + EAX*0x4]
> 0804d279 8d 42 04              LEA    EAX,[EDX + 0x4]
> 0804d27c a3 bc e0 04 08        MOV    [DAT_0804e0bc],EAX              = ??
> 0804d281 3b 07                 CMP    EAX,dword ptr [EDI]
> 0804d283 75 06                 JNZ    LAB_0804d28b
> 0804d285 89 15 bc e0 04 08     MOV    dword ptr [DAT_0804e0bc],EDX    = ??
> LAB_0804d28b                                XREF[1]: 0804d283(j)
> 0804d28b 51                    PUSH   ECX
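One way to confirm that Ghidra's Stack[0xN] parameter annotations in a listing like the one above really correspond to the displacements encoded in the MOV instructions (an added example, not code from Karl's message): after four PUSHes and SUB ESP,0x8c, a parameter at Stack[N] must sit at [ESP + N + 0x10 + 0x8c]. The listing lines below are re-joined from the quoted message; the frame constants are read off its prologue.

```python
import re

# Prologue of FUN_0804d23f as quoted: PUSH EBP/EDI/ESI/EBX, then SUB ESP,0x8c.
PUSHED_REGS = 4
FRAME_SIZE = 0x8c

# Ghidra "Stack[0xN]" offsets from the listing header (relative to the
# return address slot at function entry).
PARAM_OFFSETS = {"param_2": 0x8, "param_3": 0xc, "param_4": 0x10,
                 "param_6": 0x18, "param_7": 0x1c}

# The parameter loads, re-joined from the quoted listing (constructed input).
LISTING = """\
0804d249 8b 84 24 b8 00 00 00 MOV EAX,dword ptr [ESP + param_7]
0804d250 8b bc 24 a8 00 00 00 MOV EDI,dword ptr [ESP + param_3]
0804d25c 8b 84 24 b4 00 00 00 MOV EAX,dword ptr [ESP + param_6]
0804d268 8b 84 24 a4 00 00 00 MOV EAX,dword ptr [ESP + param_2]
0804d26f 8b ac 24 ac 00 00 00 MOV EBP,dword ptr [ESP + param_4]
"""

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
LINE_RE = re.compile(r"^[0-9a-f]{8}\s+((?:[0-9a-f]{2}\s+){7})"
                     r"MOV\s+(\w+),dword ptr \[ESP \+ (param_\d)\]")

def decode_mov_esp_disp32(code: bytes):
    """Decode 'MOV r32,[ESP + disp32]': opcode 8B, ModRM mod=10 rm=100,
    SIB 0x24 (base=ESP, no index), then a little-endian disp32."""
    if len(code) < 7 or code[0] != 0x8B:
        raise ValueError("not a MOV r32,r/m32")
    modrm, sib = code[1], code[2]
    if modrm >> 6 != 0b10 or modrm & 7 != 0b100 or sib != 0x24:
        raise ValueError("not the [ESP + disp32] addressing form")
    reg = REG32[(modrm >> 3) & 7]
    disp = int.from_bytes(code[3:7], "little", signed=True)
    return reg, disp

def stack_to_esp_disp(stack_off, pushes=PUSHED_REGS, frame=FRAME_SIZE):
    """Ghidra Stack[off] -> raw ESP displacement after the prologue."""
    return stack_off + 4 * pushes + frame

def check_listing(listing=LISTING):
    """For each parameter load: (encoded disp, expected disp, dest reg, ok)."""
    results = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a parameter load
        reg, disp = decode_mov_esp_disp32(bytes.fromhex(m.group(1)))
        expected = stack_to_esp_disp(PARAM_OFFSETS[m.group(3)])
        ok = disp == expected and reg == m.group(2)
        results[m.group(3)] = (disp, expected, reg, ok)
    return results
```

A mismatch here usually means the frame size or number of saved registers was misread, which is exactly the kind of error that propagates into every later `[ESP + local_xx]` reference.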