Simple IDC scripting

During the analysis of a worm (MD5: F992D9B391C04E1077FD93E22F40822C)
I stumbled on a pretty common way of obfuscating API calls.

The resolver routine takes two parameters: an array of API names and an array of dwords
used to store the resolved addresses. Even though this technique is straightforward
and trivial, it is annoying to read the disassembly without knowing which API is
being called at each indirect call site.

A simple IDC script is a fast way to handle this problem. The script asks for the
same two arguments the routine receives and renames each location in the dword array
with the corresponding API name, making the disassembly easily readable.

Before the IDC script:

.code:004022A6 mov eax, ds:dword_4038F5
.code:004022AB push 1388h
.code:004022B0 push eax
.code:004022B1 push offset asc_4038BB ; “ProgramFiles”
.code:004022B6 call ds:dword_403E6B

After:

.code:004022A6 mov eax, ds:lpFilename
.code:004022AB push 1388h ; nSize
.code:004022B0 push eax ; lpBuffer
.code:004022B1 push offset Name ; “ProgramFiles”
.code:004022B6 call ds:GetEnvironmentVariableA
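An added example of such a script (my code, not the script from the original post). It assumes the IDA 7.x IDC API (ask_addr, get_strlit_contents, set_name, create_dword, set_cmt), and it assumes a constructed layout for the two arrays: the name array is a run of NUL-terminated API names ending with an empty string, and the dword array holds one 4-byte slot per name in the same order. If the sample stores pointers to names instead of the strings themselves, the address stepping in rename_api_slots is the only part that needs changing.

```idc
// Added example, not the original post's script. Assumes IDA 7.x IDC.
// Assumed layout (constructed): the name array is a run of NUL-terminated
// API names ending with an empty string; the dword array holds one 4-byte
// slot per name, in the same order, which the resolver fills at run time.
#include <idc.idc>

// Walk both arrays in parallel and name each dword slot after its API.
// Returns the number of slots processed.
static rename_api_slots(names_ea, slots_ea)
{
    auto name, slot, count;

    count = 0;
    while (1)
    {
        name = get_strlit_contents(names_ea, -1, STRTYPE_C);
        if (name == "")            // empty string marks the end of the table
            break;

        slot = slots_ea + count * 4;
        create_dword(slot);        // make sure IDA treats the slot as a dword

        // set_name() fails when the name is already taken (for example by a
        // real import), so fall back to a repeatable comment instead of
        // losing the information.
        if (!set_name(slot, name, SN_CHECK | SN_NOWARN))
            set_cmt(slot, "resolved: " + name, 1);

        names_ea = names_ea + strlen(name) + 1;   // skip the NUL terminator
        count++;
    }
    return count;
}

static main()
{
    auto names_ea, slots_ea, n;

    // Default the first prompt to the cursor position, as the analyst has
    // usually just located the name table when running the script.
    names_ea = ask_addr(get_screen_ea(), "Start of the API name array");
    if (names_ea == BADADDR)
        return;
    slots_ea = ask_addr(BADADDR, "Start of the resolved-address (dword) array");
    if (slots_ea == BADADDR)
        return;

    n = rename_api_slots(names_ea, slots_ea);
    msg("Processed %d API slots starting at %a\n", n, slots_ea);
}
```

Run it from File > Script file (or the IDC command line) once the two arrays have been identified from the call to the resolver; each `call ds:dword_XXXXXX` through the slot array then shows the API name, as in the listing above. Because the resolved addresses only exist at run time, the slot contents stay zero in the static listing; only the labels change.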
