making sure I share these relations

On Tue, Dec 14, 2021, 7:59 AM wrote:

Hi K,

do I understand it correctly that you are trying to reverse engineer some malware? Did you have experience with it before starting to work on this particular malware? I find the topic quite interesting...

Best regards,

On 12/14/2021 1:42 PM, Karl wrote:
> The first thing I notice here is that the function takes a _lot_ of
> parameters. This is more poignant because it makes the assembly
> complex, but back in the entrypoint we saw what values were passed for
> each one of these parameters.
>
>
> **************************************************************
> *                          FUNCTION                          *
> **************************************************************
> int __cdecl FUN_0804d23f(undefined * param_1, int param_
>   int               EAX:4
>   undefined *       Stack[0x4]:4    param_1         XREF[1]:   0804d3e9(R)
>   int               Stack[0x8]:4    param_2         XREF[2]:   0804d268(R),
>                                                                0804d3e2(R)
>   uint * *          Stack[0xc]:4    param_3         XREF[1]:   0804d250(R)
>   undefined *       Stack[0x10]:4   param_4         XREF[1]:   0804d26f(R)
>   undefined4        Stack[0x14]:4   param_5         XREF[1]:   0804d372(R)
>   undefined4        Stack[0x18]:4   param_6         XREF[1]:   0804d25c(R)
>   undefined4        Stack[0x1c]:4   param_7         XREF[1]:   0804d249(R)
>   undefined4        Stack[-0x14]:4  local_14        XREF[1]:   0804d32a(R)
>   undefined4        Stack[-0x1c]:4  local_1c        XREF[1]:   0804d323(R)
>   undefined4        Stack[-0x24]:4  local_24        XREF[1]:   0804d31d(R)
>   undefined4        Stack[-0x2c]:4  local_2c        XREF[2]:   0804d2ed(R),
>                                                                0804d314(R)
>   undefined4        Stack[-0x54]:4  local_54        XREF[1]:   0804d2dc(R)
>   undefined1        Stack[-0x88]:1  local_88        XREF[2]:   0804d290(*),
>                                                                0804d2ce(*)
>   undefined4        Stack[-0xac]:4  local_ac        XREF[1]:   0804d3f0(*)
> FUN_0804d23f                                        XREF[1]:   entry:08048180(c)
> 0804d23f 55              PUSH    EBP
> 0804d240 57              PUSH    EDI
> 0804d241 56              PUSH    ESI
> 0804d242 53              PUSH    EBX
> 0804d243 81 ec 8c        SUB     ESP,0x8c
>          00 00 00
> 0804d249 8b 84 24        MOV     EAX,dword ptr [ESP + param_7]
>          b8 00 00 00
> 0804d250 8b bc 24        MOV     EDI,dword ptr [ESP + param_3]
>          a8 00 00 00
> 0804d257 a3 b8 e0        MOV     [DAT_0804e0b8],EAX               = ??
>          04 08
> 0804d25c 8b 84 24        MOV     EAX,dword ptr [ESP + param_6]
>          b4 00 00 00
> 0804d263 a3 c8 e0        MOV     [DAT_0804e0c8],EAX               = ??
>          04 08
> 0804d268 8b 84 24        MOV     EAX,dword ptr [ESP + param_2]
>          a4 00 00 00
> 0804d26f 8b ac 24        MOV     EBP,dword ptr [ESP + param_4]
>          ac 00 00 00
> 0804d276 8d 14 87        LEA     EDX,[EDI + EAX*0x4]
> 0804d279 8d 42 04        LEA     EAX,[EDX + 0x4]
> 0804d27c a3 bc e0        MOV     [DAT_0804e0bc],EAX               = ??
>          04 08
> 0804d281 3b 07           CMP     EAX,dword ptr [EDI]
> 0804d283 75 06           JNZ     LAB_0804d28b
> 0804d285 89 15 bc        MOV     dword ptr [DAT_0804e0bc],EDX     = ??
>          e0 04 08
> LAB_0804d28b                                        XREF[1]:   0804d283(j)
> 0804d28b 51              PUSH    ECX
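Added example (editor's, not code from Karl's message or from the binary under analysis): a hand decompilation in C of the instructions visible in the listing above, from the prologue up to LAB_0804d28b, so the data flow Karl is tracing can be checked instruction by instruction. The C globals dat_0804e0b8, dat_0804e0bc and dat_0804e0c8 and the function name are stand-ins for Ghidra's DAT_ labels, param_3 is typed char ** instead of uint ** because the code compares a pointer into the array with the array's first element, and all inputs are constructed. One observation, offered as a hypothesis and not something the listing proves: computing &param_3[param_2 + 1] and comparing it against param_3[0] is the textbook way C runtime startup code locates the environment block right after argv's NULL terminator, and uClibc's __uClibc_main takes exactly seven arguments in the order (main, argc, argv, app_init, app_fini, rtld_fini, stack_end); if that holds, param_2 is argc, param_3 is argv, and this function is a libc entry routine rather than malware-specific logic. Checking that guess against the code after LAB_0804d28b is the natural next step.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the three data addresses the listing writes.  Ghidra shows them
 * only as DAT_0804e0b8, DAT_0804e0bc and DAT_0804e0c8; the C names and types
 * used here are assumptions made for this example. */
static void  *dat_0804e0b8;   /* written from param_7 */
static char **dat_0804e0bc;   /* written from &param_3[param_2 + 1], then maybe adjusted */
static void  *dat_0804e0c8;   /* written from param_6 */

/* Hand decompilation of FUN_0804d23f from 0804d23f up to LAB_0804d28b.
 * Names and order follow Ghidra's stack layout (Stack[0x4] .. Stack[0x1c]).
 * param_3 is typed char ** rather than Ghidra's uint ** because the code
 * compares a pointer into the array against the first element of the array. */
void fun_0804d23f_prologue(void *param_1, int param_2, char **param_3,
                           void *param_4, void *param_5, void *param_6,
                           void *param_7)
{
    (void)param_1; (void)param_5;           /* not read before LAB_0804d28b */
    void *ebp = param_4;                    /* MOV EBP,dword ptr [ESP + param_4] */
    (void)ebp;                              /* held in EBP for later code        */

    dat_0804e0b8 = param_7;                 /* MOV EAX,[ESP+param_7]; MOV [DAT_0804e0b8],EAX */
    dat_0804e0c8 = param_6;                 /* MOV EAX,[ESP+param_6]; MOV [DAT_0804e0c8],EAX */

    char **edx = param_3 + param_2;         /* LEA EDX,[EDI + EAX*0x4]  = &param_3[param_2]     */
    char **eax = edx + 1;                   /* LEA EAX,[EDX + 0x4]      = &param_3[param_2 + 1] */
    dat_0804e0bc = eax;                     /* MOV [DAT_0804e0bc],EAX */

    if ((char *)eax == param_3[0])          /* CMP EAX,dword ptr [EDI]; JNZ LAB_0804d28b */
        dat_0804e0bc = edx;                 /* MOV dword ptr [DAT_0804e0bc],EDX          */
}

char **get_dat_0804e0bc(void) { return dat_0804e0bc; }
void  *get_dat_0804e0b8(void) { return dat_0804e0b8; }
void  *get_dat_0804e0c8(void) { return dat_0804e0c8; }

/* Constructed input 1: an argv block laid out like a normal process stack,
 * argv[0..argc-1], NULL, then envp entries and NULL.  Returns the index in the
 * block that DAT_0804e0bc points at afterwards. */
long demo_normal_env(void)
{
    static char s0[] = "prog", s1[] = "arg1", e0[] = "HOME=/tmp", e1[] = "PATH=/bin";
    char *block[] = { s0, s1, NULL, e0, e1, NULL };
    int argc = 2;
    fun_0804d23f_prologue(NULL, argc, block, NULL, NULL, (void *)0x2, (void *)0x7);
    return get_dat_0804e0bc() - block;      /* 3: first slot after argv's NULL */
}

/* Constructed input 2: the edge case the JNZ guards.  block[0] (what [EDI]
 * holds) equals the address &block[argc + 1], so the code backs the pointer
 * up to &block[argc] instead. */
long demo_empty_env(void)
{
    char *block[4] = { NULL, NULL, NULL, NULL };
    int argc = 1;
    block[0] = (char *)&block[argc + 1];
    fun_0804d23f_prologue(NULL, argc, block, NULL, NULL, NULL, NULL);
    return get_dat_0804e0bc() - block;      /* 1 */
}

/* Checks the two straight stores of param_7 and param_6 into the globals. */
int demo_globals_ok(void)
{
    void *p6 = (void *)0x1234, *p7 = (void *)0x5678;
    char *block[] = { NULL };
    fun_0804d23f_prologue(NULL, 0, block, NULL, NULL, p6, p7);
    return get_dat_0804e0b8() == p7 && get_dat_0804e0c8() == p6;
}

int main(void)
{
    printf("normal env: index %ld, empty env: index %ld, globals ok: %d\n",
           demo_normal_env(), demo_empty_env(), demo_globals_ok());
    return 0;
}
```

The two constructed inputs exercise both sides of the JNZ: in the normal layout the pointer lands one slot past argv's NULL, and in the self-referential layout it is pulled back to &block[argc], which is exactly what the fall-through MOV at 0804d285 does.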