REBlog
October 19th, 2007, 20:27
While analyzing a malware sample today, I came across an interesting function. It uses red-herring local variables and red-herring global variables, and even once you strip that code out, it is still not obvious what the function does.
Since you don't have access to the callers of this function, I'll tell you this:
And in case you think I'm "hiring cheap labor" to analyze this for me, I'll pull a Raymond Chen ("http://blogs.msdn.com/oldnewthing/archive/2006/05/23/604743.aspx") and say that the MD5 of my analysis is F2F3648B9BE371B4682B728A7A3D920F. Once the correct answer is posted, I'll post my analysis, which hashes to that MD5.
Here's the function:
And here's the raw byte-code for the function above:
http://malwareanalysis.com/CommunityServer/blogs/geffner/archive/2007/01/12/17.aspx
Since you don't have access to the callers of this function, I'll tell you this:
Your challenge? Tell me what the function does. Your prize? You get to choose the name of the next malware family that I name. Stipulations:
The first argument is a null-terminated ASCII string.
The second argument is a null-terminated ASCII string.
The third argument is an integer.
The winner is the first person to post a comment that correctly and fully describes in high-level English (not in code) what the function does.
Cannot refer to the name of a person, place, or time.
Cannot refer to anything obscene or offensive.
Cannot be found in a dictionary or web-search.
Cannot use camel-casing for compounding words -- must begin with exactly one uppercase letter, with every remaining letter lowercase.
Must be a "generic" name (for example, shouldn't contain the word "bot" or "worm", since I have no idea what class of malware I'll end up naming next).
Must be humanly pronounceable.
Must be between four and eight letters in length.
I have final discretion over the name in case you think of something "bad" that isn't covered by one of the rules above.
And in case you think I'm "hiring cheap labor" to analyze this for me, I'll pull a Raymond Chen ("http://blogs.msdn.com/oldnewthing/archive/2006/05/23/604743.aspx") and say that the MD5 of my analysis is F2F3648B9BE371B4682B728A7A3D920F. Once the correct answer is posted, I'll post my analysis, which hashes to that MD5.
Here's the function:
Code:
;-----------------------------------------------------------------------
; sub_0 -- behaviour as read from the instructions below (x86, 32-bit).
; C-style view:  int sub_0(const char *s1, const char *s2, int n)
;
; For every start offset i in [0, strlen(s1)) the code compares
; strlen(s2) bytes of s1+i against s2 position by position and counts
; the equal positions in ebx.  ebx can only reach strlen(s2) when every
; position matched, i.e. s2 occurs in full at offset i.  Each full
; occurrence increments var_C; when var_C equals the third argument the
; current offset i is returned in eax.  If s1 is exhausted first, eax is
; 0FFFFh.  Every offset is examined independently, so overlapping
; occurrences are each counted.
;
; In:    [ebp+arg_0] = s1, [ebp+arg_4] = s2 (both NUL-terminated),
;        [ebp+arg_8] = which occurrence to report (1 = first)
; Out:   eax = offset of the arg_8-th occurrence of s2 in s1, or 0FFFFh
; Side effect: the dword at ds:42C094h is incremented once on entry and
;        once per start offset; its value is never read in this function.
; Decoys: var_8 and var_10 are only ever written by the xor/add/mul
;        chains; nothing they hold feeds a branch or the return value.
; Clobb: eax, ecx, edx, flags.  ebx, esi, edi are saved and restored.
;        retn carries no immediate, so the caller removes the arguments.
; Cost:  strlen(s1) and strlen(s2) are recomputed on every iteration
;        rather than cached.
; NOTE(review): the inner loop indexes s1[i+j] for every j < strlen(s2)
;        regardless of how much of s1 remains, so when s2 is longer than
;        the tail of s1 the read runs past s1's terminator (no match can
;        result, but bytes beyond the string are touched).
; NOTE(review): 0FFFFh is also a legal offset once s1 is 64K or longer,
;        so the sentinel is ambiguous for large inputs -- presumably the
;        callers never pass such strings; verify against the callers.
;-----------------------------------------------------------------------
sub_0 proc near
var_10 = dword ptr -10h                 ; decoy: written, never read
var_C = dword ptr -0Ch                  ; number of full occurrences seen so far
var_8 = dword ptr -8                    ; decoy: xor/add/mul scratch, never affects flow
var_4 = dword ptr -4                    ; i = current start offset into s1
arg_0 = dword ptr 8                     ; s1, the string being searched
arg_4 = dword ptr 0Ch                   ; s2, the string being looked for
arg_8 = dword ptr 10h                   ; n, the occurrence to report
push ebp
mov ebp, esp
sub esp, 10h                            ; room for var_10..var_4
push ebx                                ; ebx = matched-position count for the current i
push esi                                ; esi = s2
push edi                                ; edi = j, index into s2
mov esi, [ebp+arg_4]
mov [ebp+var_8], 697A259Dh              ; decoy initialisation
xor [ebp+var_8], 182Ch
inc dword ptr ds:42C094h                ; global counter, not read here
and [ebp+var_C], 0                      ; occurrences = 0
and [ebp+var_4], 0                      ; i = 0
jmp short loc_94                        ; enter the outer loop at its test
; ---------------------------------------------------------------------------
loc_2A: ; CODE XREF: sub_0+A6j
; outer-loop body: start a fresh comparison at offset i
xor ebx, ebx                            ; matched positions = 0
add [ebp+var_8], 3AA5h                  ; decoy
inc dword ptr ds:42C094h                ; global counter, not read here
xor edi, edi                            ; j = 0
jmp short loc_81                        ; enter the inner loop at its test
; ---------------------------------------------------------------------------
loc_3D: ; CODE XREF: sub_0+8Fj
; inner-loop body: compare s1[i+j] with s2[j]
mov eax, [ebp+var_4]
add eax, edi                            ; eax = i + j
mov edx, [ebp+arg_0]
movsx eax, byte ptr [edx+eax]           ; eax = (int)s1[i+j]  (may be past s1's terminator)
movsx edx, byte ptr [esi+edi]           ; edx = (int)s2[j]
cmp eax, edx                            ; both sign-extended, so equality == byte equality
jnz short loc_52
inc ebx                                 ; one more matching position
loc_52: ; CODE XREF: sub_0+4Fj
; eax = strlen(s2)
mov ecx, esi
or eax, 0FFFFFFFFh                      ; eax = -1, pre-incremented below
loc_57: ; CODE XREF: sub_0+5Cj
inc eax
cmp byte ptr [ecx+eax], 0
jnz short loc_57
cmp ebx, eax                            ; all strlen(s2) positions matched?
jnz short loc_72
inc [ebp+var_C]                         ; yes: one more full occurrence
mov eax, [ebp+arg_8]
cmp [ebp+var_C], eax                    ; is it the one the caller asked for?
jnz short loc_72
mov eax, [ebp+var_4]                    ; return i
jmp short loc_C0
; ---------------------------------------------------------------------------
loc_72: ; CODE XREF: sub_0+60j
; sub_0+6Bj
; decoy: edx:eax = 43C9h * var_8, low half stored to both locals (never read)
mov eax, 43C9h
mul [ebp+var_8]
mov [ebp+var_10], eax
mov [ebp+var_8], eax
inc edi                                 ; j++
loc_81: ; CODE XREF: sub_0+3Bj
; inner-loop test: eax = strlen(s2); continue while j < strlen(s2)
mov ecx, esi
or eax, 0FFFFFFFFh
loc_86: ; CODE XREF: sub_0+8Bj
inc eax
cmp byte ptr [ecx+eax], 0
jnz short loc_86
cmp edi, eax
jb short loc_3D                         ; unsigned j < strlen(s2)
inc [ebp+var_4]                         ; inner loop done without a hit: i++
loc_94: ; CODE XREF: sub_0+28j
; outer-loop test: eax = strlen(s1); continue while i < strlen(s1)
mov eax, [ebp+arg_0]
mov ecx, eax
or eax, 0FFFFFFFFh
loc_9C: ; CODE XREF: sub_0+A1j
inc eax
cmp byte ptr [ecx+eax], 0
jnz short loc_9C
cmp [ebp+var_4], eax
jb short loc_2A                         ; unsigned i < strlen(s1)
mov eax, 0FFFFh                         ; s1 exhausted: not-found sentinel
jmp short loc_C0
; ---------------------------------------------------------------------------
; unreachable: follows an unconditional jmp and carries no label (loc_C0's
; only xrefs are +70 and +AD); a second decoy multiply on var_8
mov eax, 514Ah
mul dword ptr [ebp-8]
mov [ebp-10h], eax
mov eax, [ebp-10h]
mov [ebp-8], eax
loc_C0: ; CODE XREF: sub_0+70j
; sub_0+ADj
; common exit: eax already holds the result
pop edi
pop esi
pop ebx
leave
retn                                    ; no immediate: caller removes the three arguments
sub_0 endp
And here's the raw byte-code for the function above:
5589E583EC105356578B750CC745F89D257A698175F82C180000FF0594C04200
8365F4008365FC00EB6A31DB8145F8A53A0000FF0594C0420031FFEB448B45FC
01F88B55080FBE04020FBE143E39D075014389F183C8FF40803C010075F939C3
7510FF45F48B45103945F475058B45FCEB4EB8C9430000F765F88945F08945F8
4789F183C8FF40803C010075F939C772ACFF45FC8B450889C183C8FF40803C01
0075F93945FC7282B8FFFF0000EB11B84A510000F765F88945F08B45F08945F8
5F5E5BC9C3
http://malwareanalysis.com/CommunityServer/blogs/geffner/archive/2007/01/12/17.aspx