Update re102_section4.md

This commit is contained in:
SECURED.ORG
2017-08-11 11:01:31 -07:00
committed by GitHub
parent 2338b02438
commit 8fcce6148e

@@ -30,6 +30,21 @@ Lets take a look at the arguments for `sub_45B5AC`. Remember in section 1.3 o
![alt text](https://securedorg.github.io/RE102/images/Section4_functionargs.png "Section4_functionargs")
### Delphi calling convention ###
Remember that this is delphi so the calling convention uses registers eax, ecx, edx as first 3 arguments. The rest of the arguments are pushed on stack in reverse order.
```
push 3
push 4
mov ecx, 2
mov edx, 1
xor eax, eax
call function
xor eax,eax
retn 10
```
Based on previous sections, it should be already obvious to you what these values mean. You know that the malware recently called VirtualAlloc, and moved **junk 2** of size 0x65E4 into the new memory stored it in `[ebp+var_BEEB]`. If you click on `unk_45CCB4`, you will see that this data is only 0x20 (32 dec) bytes. So, the pseudo code for this function would be:
```
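Review bot: the "Delphi calling convention" paragraph states the register order and the stack order incorrectly. In Delphi's `register` convention the first three eligible parameters go in EAX, EDX and ECX in that order (first argument in EAX, second in EDX, third in ECX), not "eax, ecx, edx", and any remaining parameters are pushed left to right in declaration order with the callee cleaning up the stack, not "in reverse order" as in cdecl/stdcall. The listing itself already follows the correct register order (`mov edx, 1` is the second argument and `mov ecx, 2` the third, with `xor eax, eax` zeroing the first), so only the prose needs to change; suggest "uses registers eax, edx, ecx for the first three arguments; the rest are pushed on the stack left to right". It would also help the reader if the sentence after the listing spelled out which pushed value (`push 3`, `push 4`) maps to which argument under that order, since the stack direction is exactly where readers coming from cdecl go wrong.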