Orer.exe Reverse Code Engineering #2

After a long delay since the second part was promised, here is the continuation of Orer's Reverse Code Engineering.

At the Entry Point we find the injected malicious code in the form of a call, so let's study this call:

010460D0    CALL orer.010460D5                  ; Malicious Code Entry Point
010460D5    POP EBX
010460D6    SUB EBX,401005
...
010460EA    CALL orer.010461F7                  ; Scan for 'MZ'
010460EF    MOV EBP,EAX                         ; In EAX the Executable memory address
010460F1    POP EAX
010460F2    PUSH EBP                            ; Put Exec address in stack
010460F3    PUSH 4014BD                         ; Empty Location
010460F8    PUSH 402711                         ; Empty Location2
...
0104610B    PUSH EAX
0104610C    PUSH A5171D00
01046111    PUSH EBP                            ; Exec Address
01046112    CALL orer.0104618D
01046117    OR EAX,EAX
01046119    JE orer.0104658D                    ; Go_Out
0104611F    PUSH 40
01046121    PUSH 1000
01046126    PUSH 1D95
0104612B    PUSH 0
0104612D    CALL EAX                            ; VirtualAlloc
01046137    MOV EDI,EAX
01046139    LEA EDX,DWORD PTR DS:[EBX+40114C]   ; 0104621C (ORER)
...
01046143    ADD EDX,1000
01046149    CALL orer.010461F7                  ; Search_Loaded_Exec
0104614E    ADD EAX,DWORD PTR DS:[EAX+3C]       ; (01000000 - is Explorer)
...
01046183    POP EBX
01046184    POP EAX
01046185    LEA ECX,DWORD PTR DS:[EAX+234]
0104618B    JMP ECX                             ; 007E0234
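As an added example (not code from the original post, and not Orer's own code), the following Python models what the listing does at 010460EA and 0104614E: walk memory one page at a time looking for an 'MZ' header, validate the candidate by following e_lfanew at offset 0x3C to the 'PE\0\0' signature, and then read the NT header fields the stub relies on. It also decodes the four arguments pushed to the VirtualAlloc call at 0104612D. The memory image, its header values and the decoy 'MZ' on the last page are constructed for this example; the structure offsets are the documented PE32 layout.

```python
"""Locate a loaded PE image by the page-walking 'MZ' scan the injected stub
performs, then read the fields an analyst cares about.  Added example; the
memory image below is constructed, not a dump of orer.exe."""
import struct

PAGE = 0x1000

# Win32 constants for the VirtualAlloc arguments seen in the listing.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PROT_FLAGS = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE"}


def build_fake_image():
    """Constructed 3-page memory image: page 0 is zero filler, page 1 holds a
    minimal but well-formed PE32 header, page 2 starts with a decoy 'MZ'
    whose e_lfanew does not lead to a 'PE\\0\\0' signature."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew -> NT headers
    # Signature + IMAGE_FILE_HEADER: i386, 1 section, 0xE0-byte optional header.
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1234)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)        # ImageBase
    struct.pack_into("<I", opt, 32, PAGE)              # SectionAlignment
    struct.pack_into("<I", opt, 56, 3 * PAGE)          # SizeOfImage
    img = bytearray(PAGE)                              # page 0: zeros
    img += dos + coff + opt                            # page 1: real header
    img += b"\xCC" * (2 * PAGE - len(img))
    decoy = bytearray(b"\xCC" * PAGE)                  # page 2: decoy 'MZ'
    decoy[0:2] = b"MZ"
    struct.pack_into("<I", decoy, 0x3C, 0x200)         # points into 0xCC filler
    img += decoy
    return bytes(img)


def find_image_base(mem, start):
    """Walk down one page at a time from `start` until a page begins with 'MZ'
    and its e_lfanew lands on 'PE\\0\\0'.  Both checks matter: 'MZ' is only two
    bytes and shows up in unrelated data, as the decoy page demonstrates."""
    off = start & ~(PAGE - 1)
    while off >= 0:
        if mem[off:off + 2] == b"MZ" and off + 0x40 <= len(mem):
            e_lfanew = struct.unpack_from("<I", mem, off + 0x3C)[0]
            nt = off + e_lfanew
            if e_lfanew < PAGE and mem[nt:nt + 4] == b"PE\x00\x00":
                return off
        off -= PAGE
    return None


def parse_pe_header(mem, base):
    """Read e_lfanew (offset 0x3C, exactly what the stub adds to EAX at
    0104614E) and the NT header fields that follow it."""
    e_lfanew = struct.unpack_from("<I", mem, base + 0x3C)[0]
    nt = base + e_lfanew
    machine, nsections, _, _, _, _opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", mem, nt + 4)
    opt = nt + 24                                      # IMAGE_OPTIONAL_HEADER32
    return {
        "machine": machine,
        "sections": nsections,
        "magic": struct.unpack_from("<H", mem, opt)[0],
        "entry_point": struct.unpack_from("<I", mem, opt + 16)[0],
        "image_base": struct.unpack_from("<I", mem, opt + 28)[0],
        "size_of_image": struct.unpack_from("<I", mem, opt + 56)[0],
        "characteristics": characteristics,
    }


def describe_alloc(size, alloc_type, protect):
    """Decode the VirtualAlloc arguments pushed in the listing.  A region that
    is writable and executable at once (0x40) is the combination defenders
    watch for in memory scanners and allocation telemetry."""
    pages = -(-size // PAGE)                           # ceiling: 0x1D95 -> 2 pages
    flags = [name for bit, name in MEM_FLAGS.items() if alloc_type & bit]
    return {
        "pages": pages,
        "type": "|".join(flags),
        "protect": PROT_FLAGS.get(protect, hex(protect)),
        "rwx": protect == 0x40,
    }


if __name__ == "__main__":
    mem = build_fake_image()
    base = find_image_base(mem, 0x2800)               # start mid-image, above the decoy
    print("image header found at offset", hex(base))
    print(parse_pe_header(mem, base))
    print(describe_alloc(0x1D95, 0x1000, 0x40))        # args from the listing
```

Run stand-alone it skips the decoy page, reports the header on page 1 and shows the allocation request as two pages of MEM_COMMIT, PAGE_EXECUTE_READWRITE memory.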

The last jump redirects execution to Orer's Main Thread, so here is the Main Thread code:

00840239    POP EDX                             ; 00840239 (Not every time the same address, obviously)
0084023A    SUB EDX,401239
00840240    XCHG EDX,EBX
00840242    PUSHAD
00840243    LEA ESI,DWORD PTR DS:[EBX+402741]
00840249    LEA EDI,DWORD PTR DS:[EBX+402875]
...
0084026C    PUSH EAX
0084026D    PUSH EBP
0084026E    CALL 008400BD                       ; Obtain Functions
00840273    STOS DWORD PTR ES:[EDI]             ; Function's Address is contained in EAX
00840274    CMP DWORD PTR DS:[ESI],0
00840277    LOOPDNE SHORT 0084024F
00840279    POPAD
0084027A    OR EDX,EDX
0084027C    JE SHORT 0084029A

The most interesting thing in this piece of code is the building of the Import Table (IT). Here are the imported functions:

CreateFileA, GetFileAttributes, SetFileAttributes, MapViewOfFile, UnmapViewOfFile, GetFileSize, SetFileTime, GetFileType, CloseHandle, GetProcAddress, VirtualFree, GetTickCount, GetWindowsDirectory, GetModuleFileName, GetTempPathW, DeleteFileW/A, MoveFile, CopyFile, WriteFile, VirtualAlloc, VirtualProtect, Sleep, GetDriveType, CreateProcessW, WinExec, GetCurrentProcess, CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, SetFilePointer

The third part will be completed in a few days 🙂
