Unknown algorithm in forloop

crypt3r
Posts: 2
Joined: Wed Mar 16, 2016 7:37 pm

Unknown algorithm in forloop

Post by crypt3r » Wed Jun 22, 2016 1:15 pm

Hello Guys,
I am reversing a malware sample, but am getting stuck in the loop below. The line written in bold letters generates random letters like "/2", "/lm32" etc. into EDX. The thing is that ECX does not contain any memory contents, so only register addresses will be added.

004011F7 > 8BD4 MOV EDX,ESP
004011F9 . 03E1 ADD ESP,ECX
004011FB . 4C DEC ESP
004011FC . 66:8B3C24 MOV DI,WORD PTR [ESP]
00401200 . 8BE2 MOV ESP,EDX
00401202 . 8BD6 MOV EDX,ESI
00401204 . 03D1 ADD EDX,ECX
00401206 . 50 PUSH EAX
00401207 . 03C2 ADD EAX,EDX
00401209 . 2D 01000000 SUB EAX,1
0040120E . 81E7 FFFF0000 AND EDI,0FFFF
00401214 . 52 PUSH EDX
00401215 . 8BD7 MOV EDX,EDI
00401217 . 8810 MOV BYTE PTR [EAX],DL
00401219 . 5A POP EDX
0040121A . 58 POP EAX
0040121B . 49 DEC ECX
0040121C . 83F9 00 CMP ECX,0
0040121F . 0F84 02000000 JE test.00401227
00401225 .^ EB D0 JMP SHORT test.004011F7
I am adding the below screenshots, taken before step-in and after step-out.
Please let me know what is happening there.
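Re-implementing the posted loop in C makes its behaviour visible: per iteration it reads the byte at [ESP + ECX - 1] (as a word, then masked and truncated to DL) and stores it at [EAX + ESI + ECX - 1], then decrements ECX, so the whole loop is a backwards copy of ECX bytes from the stack at [ESP] to the buffer at [EAX + ESI]. EAX and EDX are only pushed and popped around the store, so they survive each iteration unchanged. The model below is an added example, not code from the thread or the sample; the register values, the 256-byte buffer and the "/lm32" source string are constructed, and addresses are treated as offsets into that buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register file for the 32-bit x86 loop at 004011F7..00401225, modelled in C.
 * Constructed for illustration; the values used below are not from the sample. */
typedef struct {
    uint32_t eax, ecx, edx, esi, edi, esp;
} regs_t;

/* Execute the posted loop over a flat buffer 'mem' of 'len' bytes, treating
 * register values as offsets into 'mem'. PUSH/POP only save and restore EAX
 * and EDX around the store, so they are modelled as locals rather than as
 * writes below ESP. Returns the number of iterations, or -1 if the loop would
 * touch memory outside 'mem' or would never terminate: the CMP follows the DEC,
 * so this is a do-while, and an initial ECX of 0 wraps to 0xFFFFFFFF. */
static long run_loop(regs_t *r, uint8_t *mem, size_t len)
{
    if (r->ecx == 0)
        return -1;
    long iterations = 0;
    do {
        r->edx = r->esp;                              /* MOV EDX,ESP */
        r->esp += r->ecx;                             /* ADD ESP,ECX */
        r->esp -= 1;                                  /* DEC ESP */
        /* MOV DI,WORD PTR [ESP]: reads two bytes, one past the byte actually used. */
        if ((size_t)r->esp + 1 >= len)
            return -1;
        uint16_t di = (uint16_t)(mem[r->esp] | (mem[r->esp + 1] << 8));
        r->edi = (r->edi & 0xFFFF0000u) | di;
        r->esp = r->edx;                              /* MOV ESP,EDX */
        r->edx = r->esi;                              /* MOV EDX,ESI */
        r->edx += r->ecx;                             /* ADD EDX,ECX */
        uint32_t saved_eax = r->eax;                  /* PUSH EAX */
        r->eax += r->edx;                             /* ADD EAX,EDX */
        r->eax -= 1;                                  /* SUB EAX,1 */
        r->edi &= 0xFFFFu;                            /* AND EDI,0FFFF */
        uint32_t saved_edx = r->edx;                  /* PUSH EDX */
        r->edx = r->edi;                              /* MOV EDX,EDI */
        if ((size_t)r->eax >= len)
            return -1;
        mem[r->eax] = (uint8_t)r->edx;                /* MOV BYTE PTR [EAX],DL */
        r->edx = saved_edx;                           /* POP EDX */
        r->eax = saved_eax;                           /* POP EAX */
        r->ecx -= 1;                                  /* DEC ECX */
        iterations++;
    } while (r->ecx != 0);                            /* CMP ECX,0 ; JE exit ; JMP top */
    return iterations;
}

/* Constructed scenario: ECX bytes sitting at [ESP] end up at [EAX+ESI], copied
 * last byte first, with EAX and ESP unchanged afterwards. Returns the iteration
 * count when the copy and the preserved registers check out, 0 otherwise. */
static long demo_copy(void)
{
    uint8_t mem[256] = {0};
    const char src[] = "/lm32";               /* constructed, like the strings in the post */
    regs_t r = { .eax = 0x10, .ecx = 5, .edx = 0, .esi = 0x20,
                 .edi = 0xDEADBEEFu, .esp = 0x80 };
    memcpy(&mem[r.esp], src, 5);
    long n = run_loop(&r, mem, sizeof mem);
    if (n < 0 || memcmp(&mem[0x30], src, 5) != 0)  /* 0x30 == EAX + ESI */
        return 0;
    if (r.eax != 0x10 || r.esp != 0x80 || r.ecx != 0)
        return 0;
    return n;
}

/* Edge case: ECX == 0 on entry is not "copy nothing" but a runaway loop. */
static long demo_zero_count(void)
{
    uint8_t mem[64] = {0};
    regs_t r = { .eax = 0, .ecx = 0, .esi = 0x10, .esp = 0x20 };
    return run_loop(&r, mem, sizeof mem);
}

int main(void)
{
    printf("copied %ld bytes; ECX==0 case returns %ld\n", demo_copy(), demo_zero_count());
    return 0;
}
```

Run it and the "random letters" the original post sees in EDX turn out to be the low byte of each copied character passing through DL on its way to the destination buffer, which explains why single-stepping shows fragments such as "/2" or "/lm32".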

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Unknown algorithm in forloop

Post by EP_X0FF » Wed Jun 22, 2016 2:19 pm

Maybe you will attach the file instead?
Ring0 - the source of inspiration

Vrtule
Posts: 464
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic

Re: Unknown algorithm in forloop

Post by Vrtule » Wed Jun 22, 2016 4:40 pm

ECX seems to indicate how many loop iterations to execute. It seems not to contain any memory address. I see no write access through ECX (and no write access to ECX itself except that decrement at the end of each loop). I am quite unsure what you'd like to know.

TSION
Posts: 14
Joined: Wed Feb 03, 2016 10:35 pm

Re: Unknown algorithm in forloop

Post by TSION » Sun Jul 31, 2016 9:18 pm

Vrtule wrote: ECX seems to indicate how many loop iterations to execute. It seems not to contain any memory address. I see no write access through ECX (and no write access to ECX itself except that decrement at the end of each loop). I am quite unsure what you'd like to know.
To extend on what was previously stated in Vrtule's analysis: my best guess from looking at your analysis attempts is that this for-looping algorithm seems to be iterating through some type of C:\Windows\System32 directory, but as of reading this post I am unsure what your goal is in understanding this particular algorithm. What you should do to gain an understanding is maybe transform the ASM snippets you are unsure of into pseudo C/C++ code; there are many effective tools for doing this, such as the IDA decompiler (x64/x86) and so on. In the future you should post more details on the assumptions/insights of your analysis so that we can better answer your questions.
