Category:Architecture/x86-assembly/Examples

From aldeid
Jump to navigation Jump to search

Decryption Rountine

Description

In the below example, we are analyzing a malware (Lab09-01.exe from the book "Practical Malware Analysis") that requires a password to be dynamically analyzed. The password is checked by sub_402510 as depicted below:

Check string length

.text:00402510 sub_402510      proc near               ; CODE XREF: _main+3E�p
.text:00402510
.text:00402510 var_4           = byte ptr -4
.text:00402510 arg_0           = dword ptr  8
.text:00402510
.text:00402510                 push    ebp
.text:00402511                 mov     ebp, esp
.text:00402513                 push    ecx
.text:00402514                 push    edi
.text:00402515                 mov     edi, [ebp+arg_0]
.text:00402518                 or      ecx, 0FFFFFFFFh
.text:0040251B                 xor     eax, eax
.text:0040251D                 repne scasb
.text:0040251F                 not     ecx
.text:00402521                 add     ecx, 0FFFFFFFFh
.text:00402524                 cmp     ecx, 4          ; Check whether string provided in argument is 4 characters long
.text:00402527                 jz      short loc_40252D
.text:00402529                 xor     eax, eax
.text:0040252B                 jmp     short loc_4025A0

First letter

.text:0040252D loc_40252D:                             ; CODE XREF: sub_402510+17�j
.text:0040252D                 mov     eax, [ebp+arg_0] ; move arg_0 (string) to EAX
.text:00402530                 mov     cl, [eax]       ; move effective address of EAX to CL. CL contains 1st letter of string
.text:00402532                 mov     [ebp+var_4], cl ; mov CL (1st letter) to var_4
.text:00402535                 movsx   edx, [ebp+var_4] ; mov var_4 (1st letter) to EDX
.text:00402539                 cmp     edx, 61h        ; check whether EDX (1st letter) is 0x61 ("a" in ASCII)
.text:0040253C                 jz      short loc_402542
.text:0040253E                 xor     eax, eax
.text:00402540                 jmp     short loc_4025A0

Second letter

.text:00402542 loc_402542:                             ; CODE XREF: sub_402510+2C�j
.text:00402542                 mov     eax, [ebp+arg_0] ; move arg_0 (string) to EAX
.text:00402545                 mov     cl, [eax+1]     ; move 2nd letter to CL
.text:00402548                 mov     [ebp+var_4], cl ; move CL (2nd letter) to var_4
.text:0040254B                 mov     edx, [ebp+arg_0] ; move arg_0 (string) to EDX
.text:0040254E                 mov     al, [ebp+var_4] ; move var_4 (2nd letter) to AL
.text:00402551                 sub     al, [edx]       ; Substract 1st letter from 2nd letter (compute distance between 1st and 2nd letter)
.text:00402553                 mov     [ebp+var_4], al ; Save distance between 1st and 2nd letter to var_4
.text:00402556                 movsx   ecx, [ebp+var_4] ; Save distance between 1st and 2nd letter to ECX
.text:0040255A                 cmp     ecx, 1          ; Check whether distance between 1st and 2nd letter is 1.
.text:0040255A                                         ; As 1st letter is supposed to be "a", it checks whether 2nd letter is "b"
.text:0040255D                 jz      short loc_402563
.text:0040255F                 xor     eax, eax
.text:00402561                 jmp     short loc_4025A0

Third letter

.text:00402563 loc_402563:                             ; CODE XREF: sub_402510+4D�j
.text:00402563                 mov     al, [ebp+var_4] ; var_4 (dist = 1) saved to AL
.text:00402566                 mov     dl, 63h         ; move 0x63 ("c") to DL
.text:00402568                 imul    dl              ; Calculates AL (1) * DL ("c"), stores answer to AX (AX="c")
.text:0040256A                 mov     [ebp+var_4], al ; move AL ("c") to var_4
.text:0040256D                 movsx   eax, [ebp+var_4] ; mov var_4 ("c") to EAX
.text:00402571                 mov     ecx, [ebp+arg_0] ; move arg_0 (string) to ECX
.text:00402574                 movsx   edx, byte ptr [ecx+2] ; move 3rd letter to EDX
.text:00402578                 cmp     eax, edx        ; Check whether 3rd letter is "c"
.text:0040257A                 jz      short loc_402580
.text:0040257C                 xor     eax, eax
.text:0040257E                 jmp     short loc_4025A0

Fourth letter

.text:00402580 loc_402580:                             ; CODE XREF: sub_402510+6A�j
.text:00402580                 mov     al, [ebp+var_4] ; Save var_4 ("c") to AL
.text:00402583                 add     al, 1           ; Add 1 to AL ("d")
.text:00402585                 mov     [ebp+var_4], al ; save AL to var_4 ("d")
.text:00402588                 movsx   ecx, [ebp+var_4] ; move var_4 to ECX ("d")
.text:0040258C                 mov     edx, [ebp+arg_0] ; mov arg_0 (string) to EDX
.text:0040258F                 movsx   eax, byte ptr [edx+3] ; Save 4th letter to EAX
.text:00402593                 cmp     ecx, eax        ; Check whether 4th letter is "d"
.text:00402595                 jz      short loc_40259B
.text:00402597                 xor     eax, eax
.text:00402599                 jmp     short loc_4025A0

This category currently contains no pages or media.