klaymen
July 30th, 2008, 18:06
Hi all,
I'm studying a piece of malware, and this one splits some of its functions into one-command chunks that look like this (you can see the prologue of a function there, "sub1Ptr" is a global dword):
actSub1: mov ds:sub1Ptr, offset actSub2
jmp ds:sub1Ptr
...
actSub2: push ebp
mov ds:sub1Ptr, offset actSub3
jmp ds:sub1Ptr
...
actSub3: mov ebp, esp
mov ds:sub1Ptr, offset actSub4
jmp ds:sub1Ptr
....
Of course those chunks are not one after the other, but scattered around, and of course there are many such "threads", all nicely mixed together. It shouldn't be too difficult to reorder those chunks and reorganize the whole functions; some scripts might do it (I'm not experienced in that, but it might be an exercise). Nevertheless, I'm pretty sure there's already a tool around that can fix this kind of stuff, ideally for Ollydbg or IdaPro (or at the binary level)? Thanks in advance for any hint.
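The reordering described in the post can be scripted. The following is an added Python example (not the poster's code and not an existing Olly/IDA plugin) that follows the "mov ds:PTR, offset NEXT" / "jmp ds:PTR" handoffs through a constructed, scrambled listing and stitches the chunk payloads back into one linear function. It assumes the disassembly has already been dumped to text; the actSub4/actSub5 chunks and their instructions are constructed to give the chain an end.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed listing mirroring the pattern in the post: label -> chunk instructions.
# Chunk order is deliberately scrambled, as it would be in the binary.
LISTING: Dict[str, List[str]] = {
    "actSub3": ["mov ebp, esp", "mov ds:sub1Ptr, offset actSub4", "jmp ds:sub1Ptr"],
    "actSub1": ["mov ds:sub1Ptr, offset actSub2", "jmp ds:sub1Ptr"],
    "actSub4": ["sub esp, 10h", "mov ds:sub1Ptr, offset actSub5", "jmp ds:sub1Ptr"],
    "actSub2": ["push ebp", "mov ds:sub1Ptr, offset actSub3", "jmp ds:sub1Ptr"],
    "actSub5": ["leave", "retn"],  # constructed tail: no handoff, so the chain ends
}

MOV_RE = re.compile(r"^mov\s+ds:(\w+)\s*,\s*offset\s+(\w+)$", re.IGNORECASE)
JMP_RE = re.compile(r"^jmp\s+ds:(\w+)$", re.IGNORECASE)


def split_chunk(instrs: List[str]) -> Tuple[List[str], Optional[str]]:
    """Return (payload, next_label). The handoff is the trailing pair
    'mov ds:PTR, offset NEXT' / 'jmp ds:PTR' with the same PTR; everything
    before it is the one real instruction (or more) the chunk carries."""
    if len(instrs) >= 2:
        m, j = MOV_RE.match(instrs[-2]), JMP_RE.match(instrs[-1])
        if m and j and m.group(1).lower() == j.group(1).lower():
            return instrs[:-2], m.group(2)
    return list(instrs), None


def relink(listing: Dict[str, List[str]], entry: str) -> List[str]:
    """Follow the pointer chain from `entry` and return the reassembled body.
    A handoff back into an already-visited chunk is reported instead of looped."""
    body: List[str] = []
    seen = set()
    label: Optional[str] = entry
    while label is not None and label in listing:
        if label in seen:
            body.append(f"; cycle detected at {label}")
            break
        seen.add(label)
        payload, label = split_chunk(listing[label])
        body.extend(payload)
    return body


if __name__ == "__main__":
    for ins in relink(LISTING, "actSub1"):
        print(ins)
```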