Explaining Malware Analysis – small anti-disassembly technique

Dear readers, how are you? First, I hope you have a nice Christmas season. Unfortunately, malwares continue destroying the world (even today, DEC/25/2015 – 03:12 AM) and stealing your information (password, credit cards, keys, and so on). Thus, I will show you an extremely simple (almost naïve) anti-disassembly technique used by malwares as a distractor during your analysis:


.text:0044203C push ebp

.text:0044203D mov ebp, esp

.text:0044203F sub esp, 4

.text:00442045 push 440000h

.text:0044204A add [esp+8+var_8], 2057h

.text:00442055 retn

.text:00442055 sub_44203C endp


.text:00442055 ; —————————————————————————

.text:00442056 dw 8BE9h

.text:00442058 ; —————————————————————————

.text:00442058 inc ebp

.text:00442059 or [eax+756C0178h], al

.text:0044205F push ds

.text:00442060 push offset dword_4420D0

.text:00442065 call sub_441444

.text:0044206A add esp, 4

.text:00442070 push dword ptr [ebp+8]

.text:00442073 call loc_4420A6

.text:00442078 add esp, 4

.text:0044207E add esp, 4

.text:00442084 pop ebp

.text:00442085 retn

The three highlighted lines contain a small trick. Indeed, they represent a simple jump to address 0x00442057. Why? Because the address 0x00440000 is pushed into stack and in next line the same value is added to 0x2057 resulting to 0x00442057. You should remember that result it kept on top of stack (ESP). Then, when the retn instruction is called, the result (0x00442057) is popped from stack into EIP and the flow is redirected to it. Sure, you need to change some data to code and vice versa during the analysis, but this time I only want to focus on this simple anti-disassembly technique.

It was extremely easy, was not it?

During next days I will show other small and nasty tricks used by malwares to make your analysis harder.

Have a nice day.

Alexandre Borges.

(LinkedIn: http://www.linkedin.com/in/aleborges and twitter: ale_sp_brazil)

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s