A forum for reverse engineering, OS internals and malware analysis

Forum for analysis and discussion about malware.
 #12897  by R136a1
 Wed Apr 25, 2012 1:26 pm
Luckily they provide an MD5 hash: d5c12fcfeebbe63f74026601cd7f39b2

So if anyone has this sample, please upload!
 #12924  by R136a1
 Fri Apr 27, 2012 5:25 pm
While analysing the sample (d5c12fcfeebbe63f74026601cd7f39b2) in OllyDbg I came across an anti-debug function I don't understand.
This function just alters the return address on the stack, so when the return opcode is executed it jumps to a new location. Something like a code obfuscation construct. Nothing special, one may think, but if I want to step over the function (F8) an exception occurs and I end up in kernel32.dll. If I single-step through the function (F7) everything works as expected.
Disassembly:
0001AD38	pushf                        ; save flags
0001AD39	push    ebx
0001AD3A	push    eax                  ; after the 3 pushes: [esp+0Ch] = return address, [esp+10h] = arg_0
0001AD3B	mov     ebx, [esp+0Ch]       ; ebx = return address pushed by the call
0001AD3F	and     eax, 0               ; eax = 0, ZF = 1
0001AD42	jnz     short loc_1ACE0      ; never taken (opaque predicate)
0001AD44	not     eax                  ; eax = 0FFFFFFFFh
0001AD46	and     eax, 24F9h           ; eax = 24F9h
0001AD4C	add     eax, [ebx-4]         ; + rel32 operand of the call that reached this stub
0001AD4F	add     eax, [esp+0Ch+arg_0] ; + the argument the caller pushed
0001AD53	add     [esp+0Ch], eax       ; patch the return address in place
0001AD57	pop     eax
0001AD58	pop     ebx
0001AD59	popf                         ; registers and flags restored
0001AD5A	retn    4                    ; return to the patched address, drop the argument
Can someone explain to me why this happens?
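The stub's arithmetic, as an added example that is not part of the original post or of the sample: a small Python emulation of the sixteen instructions above on a dword memory model, together with the closed form of the address the `retn 4` lands on. The stub address 0001AD38 is taken from the listing; the call site, the pushed argument and the register contents are constructed. A debugger's step-over resumes execution with a temporary breakpoint parked at the return address, so the last function checks whether that breakpoint would ever be reached for a given call.

```python
"""Emulate the return-address patching stub from the listing.

Calling convention assumed from the listing: `push imm32 / call stub`, so on
entry [esp] is the return address and [esp+4] the argument. The dword at
(return address - 4) is the rel32 operand of a direct E8 call (an assumption;
an indirect call would put something else there).
"""

MASK32 = 0xFFFFFFFF
STUB_CONSTANT = 0x24F9          # the `and eax, 24F9h` immediate from the listing


def emulate_stub(ret_addr, call_rel32, arg, eax=0, ebx=0, eflags=0x202, esp=0x0012FF70):
    """Run the stub instruction by instruction on a tiny dword-addressed memory.

    ret_addr   - return address pushed by the `call stub`
    call_rel32 - rel32 operand of that call, i.e. the dword at ret_addr-4
    arg        - the dword the caller pushed before the call
    Returns the register state after `retn 4`, including the new eip.
    """
    mem = {}

    def rd(addr):
        return mem.get(addr & MASK32, 0)

    def wr(addr, val):
        mem[addr & MASK32] = val & MASK32

    # Initial memory: the stack as left by `call`, and the call's operand in code.
    wr(esp, ret_addr)
    wr(esp + 4, arg)
    wr(ret_addr - 4, call_rel32)

    # pushf / push ebx / push eax
    esp -= 4; wr(esp, eflags)
    esp -= 4; wr(esp, ebx)
    esp -= 4; wr(esp, eax)
    # mov ebx, [esp+0Ch]         ; ebx = saved return address
    ebx = rd(esp + 0x0C)
    # and eax, 0 / jnz loc_1ACE0 ; ZF is always set, so the jnz is never taken
    eax = 0
    # not eax / and eax, 24F9h   ; eax = 0x24F9
    eax = (~eax) & MASK32
    eax &= STUB_CONSTANT
    # add eax, [ebx-4]           ; + rel32 of the call that reached the stub
    eax = (eax + rd(ebx - 4)) & MASK32
    # add eax, [esp+0Ch+arg_0]   ; + the caller's pushed argument ([esp+10h])
    eax = (eax + rd(esp + 0x10)) & MASK32
    # add [esp+0Ch], eax         ; patch the return address in place
    wr(esp + 0x0C, rd(esp + 0x0C) + eax)
    # pop eax / pop ebx / popf   ; registers and flags come back untouched
    eax = rd(esp); esp += 4
    ebx = rd(esp); esp += 4
    eflags = rd(esp); esp += 4
    # retn 4                     ; jump to the patched address, discard the argument
    eip = rd(esp); esp += 4
    esp += 4
    return {"eip": eip, "eax": eax, "ebx": ebx, "eflags": eflags, "esp": esp}


def landing_address(ret_addr, call_rel32, arg):
    """Closed form of what the stub computes: ret + 0x24F9 + rel32 + arg (mod 2^32).

    For a direct E8 call, ret_addr + rel32 is the stub's own address, so this is
    stub_addr + 0x24F9 + arg no matter where the call came from.
    """
    return (ret_addr + STUB_CONSTANT + call_rel32 + arg) & MASK32


def step_over_breakpoint_hit(ret_addr, call_rel32, arg):
    """A step-over parks a temporary breakpoint at ret_addr and resumes; it is
    only reached if the stub happens to return exactly where it came from."""
    return landing_address(ret_addr, call_rel32, arg) == ret_addr


if __name__ == "__main__":
    stub = 0x0001AD38                       # from the listing
    call_insn = 0x00401000                  # constructed: address of the E8 call
    ret = call_insn + 5                     # E8 rel32 is 5 bytes long
    rel32 = (stub - ret) & MASK32
    state = emulate_stub(ret, rel32, 0x100, eax=0x11223344, ebx=0x55667788, eflags=0x246)
    print("retn lands at      %08X" % state["eip"])
    print("closed form gives  %08X" % landing_address(ret, rel32, 0x100))
    print("step-over bp hit:  %s" % step_over_breakpoint_hit(ret, rel32, 0x100))
```

With the constructed call site the stub returns to 0001D331 (0001AD38 + 24F9h + 100h), eax, ebx and the flags are exactly as they were, and esp has been raised by 8 (return address plus the one argument). Since the real target depends only on the stub's own address and the pushed argument, a breakpoint on that computed address is the practical way to get past the call without single-stepping.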
 #14094  by sww
 Mon Jun 18, 2012 5:13 pm
My analysis, in Russian. An English version will follow soon.