Explaining Malware Analysis – smart assembly trick (version 1.1)


Hello readers, how are you? Today I received a simple question from a student about the correct interpretation of the following assembly code:

  1. 00405035:    EB 03        JMP SHORT 0040503A
  2. 00405037:    5E        POP ESI
  3. 00405038:    EB 05        JMP SHORT 0040503F
  4. 0040503A:    E8 F8FFFFFF    CALL 00405037
  5. 0040503F:    83C6 07    ADD ESI, 7

Few comments follow:

  • Line 1 the code is executing a short jump to address 0x0040503A (Line 4). Please, you should note that EB is the opcode to “JMP SHORT” and 03 (argument) is the number of opcode-bytes until address 0x0040503A (Line 4). Indeed, three opcode-bytes (5E, EB and 05) exist until there.
  • Still at Line 1, we should remember that the EIP holds the address of next instruction that would be executed (0x00405037), so the sum confirms our explanation because 0x00405037 + 03 = 0x0040503A.
  • Due the previous JMP from Line 1, now we are at Line 4. The CALL instruction jumps to address 0x00405037 (Line 2). Before jumping, the CALL instruction saves the EIP (0x0040503F), which would be the next instruction to be executed, on the top of stack (ESP).
  • Still at Line 4, the opcode E8 F8FFFFFF
    is interesting because E8 means “CALL” and F8FFFFFF means “minus 8”. It makes sense. At line 4, EIP is equal to 0x0040503F (Line 5) and if we count the number of opcode-bytes (in reverse is E8 F8FFFFFF, EB 05, 5E) from address 0x0040503F until 0x00405037, so we have 8 opcode-bytes. At end, it works as a backward jump of 8 opcode-bytes.
  • At Line 2, the POP ESI instruction saves the value of top the stack (0x0040503F) into ESI.
  • At Line 3, the instruction JMP SHORT 0040503F takes the execution to Line 5.
  • At Line 5, the content of ESI register (0x0040503F) is added to 7 (0x00405046).

Honestly, I do not know from where comes this code above (probably from a malware), but it seems a nasty trick to get the EIP (0x00405046) to execute something such as either a shellcode or similar code.

Have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges and twitter: @ale_sp_brazil)

2 thoughts on “Explaining Malware Analysis – smart assembly trick (version 1.1)

  1. Well, it’s a lot easier and shorter to get EIP by making a “Call Next Instruction” then “POP ESI”, which is byte coded as (E8 00 00 00 00) . I always do it that way.

    Like

    • Fernookie,

      Thank you for the comment. Doubtless, we have several methods to get the EIP and you are right. However, I received this code from a student, so I have tried to keep it. At end, the original purpose was to explain the code.

      Once more, thank you for the message and feel free make new comments.

      I hope you have a nice day.

      Alexandre.

      Liked by 1 person

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s