Category:Architecture/x86-assembly/Examples
Jump to navigation
Jump to search
Decryption Rountine
Description
In the below example, we are analyzing a malware (Lab09-01.exe from the book "Practical Malware Analysis") that requires a password to be dynamically analyzed. The password is checked by sub_402510 as depicted below:
Check string length
.text:00402510 sub_402510 proc near ; CODE XREF: _main+3E�p
.text:00402510
.text:00402510 var_4 = byte ptr -4
.text:00402510 arg_0 = dword ptr 8
.text:00402510
.text:00402510 push ebp
.text:00402511 mov ebp, esp
.text:00402513 push ecx
.text:00402514 push edi
.text:00402515 mov edi, [ebp+arg_0]
.text:00402518 or ecx, 0FFFFFFFFh
.text:0040251B xor eax, eax
.text:0040251D repne scasb
.text:0040251F not ecx
.text:00402521 add ecx, 0FFFFFFFFh
.text:00402524 cmp ecx, 4 ; Check whether string provided in argument is 4 characters long
.text:00402527 jz short loc_40252D
.text:00402529 xor eax, eax
.text:0040252B jmp short loc_4025A0
First letter
.text:0040252D loc_40252D: ; CODE XREF: sub_402510+17�j
.text:0040252D mov eax, [ebp+arg_0] ; move arg_0 (string) to EAX
.text:00402530 mov cl, [eax] ; move effective address of EAX to CL. CL contains 1st letter of string
.text:00402532 mov [ebp+var_4], cl ; mov CL (1st letter) to var_4
.text:00402535 movsx edx, [ebp+var_4] ; mov var_4 (1st letter) to EDX
.text:00402539 cmp edx, 61h ; check whether EDX (1st letter) is 0x61 ("a" in ASCII)
.text:0040253C jz short loc_402542
.text:0040253E xor eax, eax
.text:00402540 jmp short loc_4025A0
Second letter
.text:00402542 loc_402542: ; CODE XREF: sub_402510+2C�j
.text:00402542 mov eax, [ebp+arg_0] ; move arg_0 (string) to EAX
.text:00402545 mov cl, [eax+1] ; move 2nd letter to CL
.text:00402548 mov [ebp+var_4], cl ; move CL (2nd letter) to var_4
.text:0040254B mov edx, [ebp+arg_0] ; move arg_0 (string) to EDX
.text:0040254E mov al, [ebp+var_4] ; move var_4 (2nd letter) to AL
.text:00402551 sub al, [edx] ; Substract 1st letter from 2nd letter (compute distance between 1st and 2nd letter)
.text:00402553 mov [ebp+var_4], al ; Save distance between 1st and 2nd letter to var_4
.text:00402556 movsx ecx, [ebp+var_4] ; Save distance between 1st and 2nd letter to ECX
.text:0040255A cmp ecx, 1 ; Check whether distance between 1st and 2nd letter is 1.
.text:0040255A ; As 1st letter is supposed to be "a", it checks whether 2nd letter is "b"
.text:0040255D jz short loc_402563
.text:0040255F xor eax, eax
.text:00402561 jmp short loc_4025A0
Third letter
.text:00402563 loc_402563: ; CODE XREF: sub_402510+4D�j
.text:00402563 mov al, [ebp+var_4] ; var_4 (dist = 1) saved to AL
.text:00402566 mov dl, 63h ; move 0x63 ("c") to DL
.text:00402568 imul dl ; Calculates AL (1) * DL ("c"), stores answer to AX (AX="c")
.text:0040256A mov [ebp+var_4], al ; move AL ("c") to var_4
.text:0040256D movsx eax, [ebp+var_4] ; mov var_4 ("c") to EAX
.text:00402571 mov ecx, [ebp+arg_0] ; move arg_0 (string) to ECX
.text:00402574 movsx edx, byte ptr [ecx+2] ; move 3rd letter to EDX
.text:00402578 cmp eax, edx ; Check whether 3rd letter is "c"
.text:0040257A jz short loc_402580
.text:0040257C xor eax, eax
.text:0040257E jmp short loc_4025A0
Fourth letter
.text:00402580 loc_402580: ; CODE XREF: sub_402510+6A�j
.text:00402580 mov al, [ebp+var_4] ; Save var_4 ("c") to AL
.text:00402583 add al, 1 ; Add 1 to AL ("d")
.text:00402585 mov [ebp+var_4], al ; save AL to var_4 ("d")
.text:00402588 movsx ecx, [ebp+var_4] ; move var_4 to ECX ("d")
.text:0040258C mov edx, [ebp+arg_0] ; mov arg_0 (string) to EDX
.text:0040258F movsx eax, byte ptr [edx+3] ; Save 4th letter to EAX
.text:00402593 cmp ecx, eax ; Check whether 4th letter is "d"
.text:00402595 jz short loc_40259B
.text:00402597 xor eax, eax
.text:00402599 jmp short loc_4025A0
This category currently contains no pages or media.