while over them and end up hitting 'F' to reanalyse them as functions.

in ida pro one hits 'P' to do this

I'm looking at this autogenerated ghidra decompilation. I labeled the flag as a bool. PTR_DAT_0804e024 contains the address of DAT_0804e00c which contains void at start. The logic here is a little confusing. I'm trying to put comments inline below. void FUN_080480c0(void) { code *pcVar1; // code runs only once, sets a flag if (BOOL_0804e080 == false) { // loop dereferences the ptr, and continues only if it is nonzero while (pcVar1 = *(code **)PTR_DAT_0804e024, pcVar1 != (code *)0x0) { // ptr is incremented to _next_ value (since this is 32 bit code) PTR_DAT_0804e024 = PTR_DAT_0804e024 + 4; // _old_ value is derefenced and called? (*pcVar1)(); } BOOL_0804e080 = true; } return; } it looks like it needs to be called at the right time, and calls a hidden function when that is done? and may also increment a pointer? i'd like to review it again. here's the disassembly: ************************************************************** * * * FUNCTION * ************************************************************** undefined __cdecl FUN_080480c0(void) undefined AL:1 <RETURN> FUN_080480c0 XREF[1]: FUN_0804dbd6:0804dbe5(c) 080480c0 55 PUSH EBP 080480c1 89 e5 MOV EBP,ESP 080480c3 83 ec 08 SUB ESP,0x8 080480c6 80 3d 80 CMP byte ptr [BOOL_0804e080],0x0 = ?? e0 04 08 00 080480cd 74 0c JZ LAB_080480db 080480cf eb 35 JMP LAB_08048106 LAB_080480d1 XREF[1]: 080480e4(j) 080480d1 83 c0 04 ADD EAX,0x4 080480d4 a3 24 e0 MOV [PTR_DAT_0804e024],EAX = 0804e00c 04 08 080480d9 ff d2 CALL EDX LAB_080480db XREF[1]: 080480cd(j) 080480db a1 24 e0 MOV EAX,[PTR_DAT_0804e024] = 0804e00c 04 08 080480e0 8b 10 MOV EDX,dword ptr [EAX]=>DAT_0804e00c 080480e2 85 d2 TEST EDX,EDX 080480e4 75 eb JNZ LAB_080480d1 080480e6 b8 00 00 MOV EAX,0x0 00 00 080480eb 85 c0 TEST EAX,EAX 080480ed 74 10 JZ LAB_080480ff 080480ef 83 ec 0c SUB ESP,0xc 080480f2 68 08 df PUSH 0x804df08 04 08 080480f7 e8 04 7f CALL SUB_00000000 fb f7 080480fc 83 c4 10 ADD ESP,0x10 LAB_080480ff XREF[1]: 080480ed(j) 080480ff c6 05 80 MOV byte ptr [BOOL_0804e080],0x1 = ?? e0 04 08 01 LAB_08048106 XREF[1]: 080480cf(j) 08048106 c9 LEAVE 08048107 c3 RET

// this next line is 080480d1 . this line is jumped to (referenced XREF (j)) from 080480e4 LAB_080480d1 XREF[1]: 080480e4(j) // add 4 to the first active value (EAX is the first 32-bit register, the working memory of a cpu) 080480d1 83 c0 04 ADD EAX,0x4 // set PTR_DAT_0804e024 to EAX 080480d4 a3 24 e0 MOV [PTR_DAT_0804e024],EAX = 0804e00c // these are further bytecode bytes. the assembly statement is 5 bytes long (a3 24 e0 04 08) 04 08

There are a handful of different ways to notate assembly code. Luckily, I stumbled on what appears to be the same one. https://www.cs.virginia.edu/~evans/cs216/guides/x86.html#memory Some examples of mov instructions using address computations are: mov eax, [ebx] ; Move the 4 bytes in memory at the address contained in EBX into EAX mov [var], ebx ; Move the contents of EBX into the 4 bytes at memory address var. (Note, var is a 32-bit constant). mov eax, [esi-4] ; Move 4 bytes at memory address ESI + (-4) into EAX mov [esi+eax], cl ; Move the contents of CL into the byte at address ESI+EAX mov edx, [esi+4*ebx] ; Move the 4 bytes of data at address ESI+4*EBX into EDX So, [var] treats var as the memory address to read from or write to, and the MOV statements above are not dereferencing the pointer, but rather adjusting where it is pointing.

i'm seeing that pattern, with the skipped code calling a void pointer, elsewhere in the code. for something confusing like that, it's clearest to watch the system execute to see what is important. so it would make sense to move to code that i can run. this function is passed as a pointer in the entrypoint, and isn't immediately executed, so it's not of as much as interest as things that can be tested, to me, now.

i'm destabilising here. sounds like you want a quick summary of these binaries. a researcher for an antivirus group would likely have that. i'm not one, so i'm a lot slower. i really enjoy this work, it's very rare for me to be able to do something like this.

on with FUN_0804d23f !

people always say you should push your edge, challenge your fears! i'll be running it with a debugger so that it doesn't go too far. if you aren't a crazed homeless software developer, you'll want to have a vm or a dedicated offline system for something like this. $ gdb 776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00 (gdb)