Exercise 6 on page 35 of the book Practical Reverse Engineering presents us with malware samples.
These can be downloaded from the following page:
https://grsecurity.net/malware_research/
In this exercise, we are expected to have a look at the following routine, sub_13842:
.text:00013842 sub_13842
.text:00013842 mov eax, [ecx+60h]
.text:00013845 push esi
.text:00013846 mov esi, [edx+8]
.text:00013849 dec byte ptr [ecx+23h]
.text:0001384C sub eax, 24h
.text:0001384F mov [ecx+60h], eax
.text:00013852 mov [eax+14h], edx
.text:00013855 movzx eax, byte ptr [eax]
.text:00013858 push ecx
.text:00013859 push edx
.text:0001385A call dword ptr [esi+eax*4+38h]
.text:0001385E pop esi
.text:0001385F retn
Firstly, we see that the function takes two parameters, which are not passed on the stack but in the two registers ecx and edx, the register pair the Microsoft __fastcall convention uses for the first two arguments. This can be deduced from the fact that both registers are dereferenced right away (mov eax, [ecx+60h] and mov esi, [edx+8]) without having been written by the routine first, so their contents must have been set up by the caller.