Modifying Program Execution in Practice

The last example in this chapter comes from a real virus that performed differently depending on the language settings of the computer infected. If the language setting was simplified Chinese, the virus uninstalled itself from the machine and caused no damage. If the language setting was English, it displayed a pop-up with a poorly translated message saying, “You luck’s so good.” If the language setting was Japanese or Indonesian, the virus overwrote the hard drive with garbage data in an effort to destroy the computer. Let’s see how we could analyze what this program would do on a Japanese system without actually changing our language settings.

Listing 8-7 shows the assembly code for differentiating between language settings. The program first calls the function GetSystemDefaultLCID. Next, based on the return value, the program calls one of three different functions: The locale IDs for English, Japanese, Indonesian, and Chinese are 0x0409, 0x0411, 0x0421, and 0x0C04, respectively.

Example 8-6. Assembly for differentiating between language settings

00411349   call    GetSystemDefaultLCID 0041134F  ❶mov     [ebp+var_4], eax 00411352   cmp     [ebp+var_4], 409h 00411359   jnz     short loc_411360 0041135B   call    sub_411037 00411360   cmp     [ebp+var_4], 411h 00411367   jz      short loc_411372 00411369   cmp     [ebp+var_4], 421h 00411370   jnz     short loc_411377 00411372   call    sub_41100F 00411377   cmp     [ebp+var_4], 0C04h 0041137E   jnz     short loc_411385 00411380   call    sub_41100A

The code calls the function at 0x411037 if the language is English, 0x41100F if the language is Japanese or Indonesian, and 0x411001 if the language is Chinese. In order to analyze this properly, we need to execute the code that runs when the system locale setting is Japanese or Indonesian. We can use a debugger to force the code to run this code path without changing the settings on our system by setting a breakpoint at ❶ to change the return value. Specifically, if you were running on a US English system, EAX would store the value 0x0409. You could change EAX in the debugger to 0x411, and then continue running the program so that it would execute the code as if you were running on a Japanese language system. Of course, you would want to do this only in a disposable virtual machine.