A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #28737  by crypt3r
 Wed Jun 22, 2016 1:15 pm
Hello Guys,
i am reversing a malware sample .but getting stucked in a loop below.the line writeen in the bold letter generated random letter like "/2","/lm32" etc to EDX.The thing is that ECX doesnot contains any contents memory ,so only register address will be added

004011F7 > 8BD4 MOV EDX,ESP
004011F9 . 03E1 ADD ESP,ECX
004011FB . 4C DEC ESP
004011FC . 66:8B3C24 MOV DI,WORD PTR [ESP]
00401200 . 8BE2 MOV ESP,EDX
00401202 . 8BD6 MOV EDX,ESI
00401204 . 03D1 ADD EDX,ECX
00401206 . 50 PUSH EAX
00401207 . 03C2 ADD EAX,EDX
00401209 . 2D 01000000 SUB EAX,1
0040120E . 81E7 FFFF0000 AND EDI,0FFFF
00401214 . 52 PUSH EDX
00401215 . 8BD7 MOV EDX,EDI
00401217 . 8810 MOV BYTE PTR [EAX],DL
00401219 . 5A POP EDX
0040121A . 58 POP EAX
0040121B . 49 DEC ECX
0040121C . 83F9 00 CMP ECX,0
0040121F . 0F84 02000000 JE test.00401227
00401225 .^ EB D0 JMP SHORT test.004011F7
i am adding the below screenshots before stepin and afetr stepout.
please let me know what is happening there
Attachments
1.jpg
after stepin
1.jpg (257.71 KiB) Viewed 359 times
2.jpg
before stepin
2.jpg (200.54 KiB) Viewed 359 times
 #28738  by EP_X0FF
 Wed Jun 22, 2016 2:19 pm
Maybe you will attach file instead?
 #28739  by Vrtule
 Wed Jun 22, 2016 4:40 pm
EXC seems to indicate how many loop iterations to execute. It seems not to contain any memory address. I see no write access through EXC (and no write access to EXC itself except that decrement at the end of each loop). I am quite unsure what you'd like to know.
 #28964  by TSION
 Sun Jul 31, 2016 9:18 pm
Vrtule wrote:EXC seems to indicate how many loop iterations to execute. It seems not to contain any memory address. I see no write access through EXC (and no write access to EXC itself except that decrements at the end of each loop). I am quite unsure what you'd like to know.
To extend on what was previously stated in Vrtules analysis my best guess from looking at your analysis attempts is that this For-looping algorithm seems to be iterating through some type of C:\Windows\System32 directory, but as of reading this post I am unsure what your goal in understanding this particular algorithm, what you should do to gain an understanding is maybe transform the Asm snippets you are unsure of into Psudeo C-Code/C++ Code, there are many effective tools at doing this. Such as Ida Decompiler(x64/x86) and so on. In the furture you should post more details on the assumptions/insights of your analysis so that we can better answer your questions.