newbie question


smok
04-15-2005, 07:43 PM
hi all,

(I apologize for this question, but I am a newbie in RE, so please be indulgent.)

I am trying to analyse an exe file that seems to be malware (only LoadLibrary and GetProcAddress in the import table, many encrypted strings and many debugger traps).

IDA gives me this:
seg000 00401000 00446BC6 R W . para 0001 public DATA 32 0000 0000 0000 FFFFFFFF FFFFFFFF

seg001 00447000 00453578 R W . para 0002 public DATA 32 0000 0000 0000 FFFFFFFF FFFFFFFF

seg002 00454000 0045FE94 R W . para 0003 public DATA 32 0000 0000 0000 FFFFFFFF FFFFFFFF

.yP 00460000 00488000 R W . para 0004 public DATA 32 0000 0000 0000 FFFFFFFF FFFFFFFF

and the core sub; I think this is for decryption but I don't understand what it really does:

sub_4602E7 proc near ; CODE XREF: sub_4602DC+35p
.yP:004602E7 pusha ; push all registers (edi is the last pushed!?)
.yP:004602E8 call $+5 ; no idea
.yP:004602ED pop ebp
.yP:004602EE sub ebp, offset dword_423F23
.yP:004602F4 mov edx, ebp
.yP:004602F6 add edx, offset dword_423F72
.yP:004602FC push edx
.yP:004602FD call nullsub_2 ; only retn in nullsub_2
.yP:00460302 retn
.yP:00460302 sub_4602E7 endp ; sp = -24h


and this: I also have an idea what this is, but it's not clear (I said it before, really newbie :(
sub_46031F proc near ; CODE XREF: sub_4602DC:loc_46030Cp
.yP:0046031F xor eax, eax
.yP:00460321 push dword ptr fs:[eax]
.yP:00460324 mov fs:[eax], esp
.yP:00460327 int 3 ; Trap to Debugger
.yP:00460328 retn
.yP:00460328 sub_46031F endp ; sp = -4

Hope someone will answer all those stupid, lame... :( questions :unsure: :unsure:

AndreaGeddon
04-17-2005, 07:24 AM
>and the core sub; I think this is for decryption but I don't understand what it really does

I added some comments:

.yP:004602E7 pusha ; push all registers
.yP:004602E8 call $+5 ; calls next line (004602ed)
.yP:004602ED pop ebp ; put return address in ebp (ret addr = 004602ed)
.yP:004602EE sub ebp, offset dword_423F23 ; these 3 lines calculate a new address to jump to
.yP:004602F4 mov edx, ebp
.yP:004602F6 add edx, offset dword_423F72
.yP:004602FC push edx ; push calculated address
.yP:004602FD call nullsub_2 ; don't care about this
.yP:00460302 retn ; go to calculated address (should be 0046033C)


>and this: I also have an idea what this is, but it's not clear (I said it before, really newbie :(
>.yP:0046031F xor eax, eax
>.yP:00460321 push dword ptr fs:[eax]
>.yP:00460324 mov fs:[eax], esp
>.yP:00460327 int 3 ; Trap to Debugger
>.yP:00460328 retn
This code simply installs an exception handler (in fs:0) and uses the int3 to raise an exception and jump to that handler.
When you are on the int3, look at 7ffde000, get the pointer you see at that location, then look at that pointer + 4: you will have the address of the handler that is executed when an exception is thrown. 7ffde000 is valid assuming that your thread is the first; you should check the FS segment base to see what address to use (OllyDbg shows the FS segment base). For further information read documents about structured exception handling and the thread environment block.
Bye!
AndreaGeddon
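As an added illustration (not code from the thread, nor from yoda's Protector): a small Python walker that symbolically executes the stub above and resolves where the push/retn transfers control. It assumes nullsub_2 is a bare retn, as AndreaGeddon says, and that the listing is in IDA's "address mnemonic operands" form; the value ebp holds after the sub is the stub's relocation delta (run-time minus link-time address), which is why the code fetches its own address with call $+5 / pop.

```python
import re

# Constructed input: the stub quoted above, in IDA's "address mnemonic operands" form.
LISTING = """\
004602E7 pusha
004602E8 call $+5
004602ED pop ebp
004602EE sub ebp, offset dword_423F23
004602F4 mov edx, ebp
004602F6 add edx, offset dword_423F72
004602FC push edx
004602FD call nullsub_2
00460302 retn
"""
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\w+)(?:\s+(.*))?$")
OFFSET_RE = re.compile(r"^offset\s+[A-Za-z]+_([0-9A-Fa-f]+)$")

def operand_value(op, regs):
    # Resolve a register name, an IDA "offset name_XXXXXX", or a hex immediate.
    op = op.strip()
    if op in regs:
        return regs[op]
    m = OFFSET_RE.match(op)
    if m:
        return int(m.group(1), 16)
    return int(op.rstrip("hH"), 16)

def resolve_retn_target(listing):
    # Walk the listing symbolically; return (address the final retn jumps to, register state).
    regs, stack = {}, []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, mnem = int(m.group(1), 16), m.group(2).lower()
        args = [a.strip() for a in (m.group(3) or "").split(",") if a.strip()]
        if mnem == "call" and args and args[0] == "$+5":
            # call $+5 pushes the next instruction's address and falls into it,
            # so the following pop yields the code's real run-time address.
            stack.append(addr + 5)
        elif mnem == "pop":  # any other call (nullsub_2, a bare retn) has no effect here
            regs[args[0]] = stack.pop()
        elif mnem == "push":
            stack.append(operand_value(args[0], regs))
        elif mnem == "mov":
            regs[args[0]] = operand_value(args[1], regs)
        elif mnem == "add":
            regs[args[0]] = (regs[args[0]] + operand_value(args[1], regs)) & 0xFFFFFFFF
        elif mnem == "sub":  # run-time minus link-time address = relocation delta
            regs[args[0]] = (regs[args[0]] - operand_value(args[1], regs)) & 0xFFFFFFFF
        elif mnem == "retn":
            return stack.pop(), regs  # retn jumps to whatever was pushed last
    return None, regs
```

With the thread's listing the delta in ebp comes out as 0x3C3CA and the retn target as 0x46033C, matching the comment in the post.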

Stoby
04-27-2005, 02:20 AM
This file may be protected by yoda's Protector (as the section name 'yP' suggests ;) ).
Now the source of this protector is available on SourceForge.
You can get it and have a better understanding. :P
Regards!