It appears if you have two labels in some auto-assembler code, beginning with the same sequence of characters, the program seems to only recognise the first label, and any reference to the second label, actually references the first one. For instance look at the following sample code:
- Code: Select all
Label(ending)
Label(ending2)
Label(srcString)
42fb0a:
jmp 4b00f2
4b00f2:
pushad
pushfd
test eax, eax
jz ending
cld
mov ecx, e //only compare first 2 words
mov edi, eax
mov esi, srcString
repe cmpsb
jne ending
popfd
popad
mov eax, srcString
jmp ending2
ending:
popfd
popad
ending2:
push eax
lea eax, dword ptr[ebx+4c]
push eax
jmp 42fb0f
srcString:
db "Reader Utility (hijacked)"
db 0
The 'jmp ending2' instruction actually ends up as 'jmp ending' if you look at the output:
- Code: Select all
0042FB0A: JMP 004B00F2
004B00F2: PUSHAD
004B00F3: PUSHFD
004B00F4: TEST EAX, EAX
004B00F6: JE 004B0120
004B00FC: CLD
004B00FD: MOV ECX, E
004B0103: MOV EDI, EAX
004B0105: MOV ESI, 4B0131
004B010B: REPE CMPSB
004B010D: JNZ 004B0120
004B0113: POPFD
004B0114: POPAD
004B0115: MOV EAX, 4B0131
004B011B: JMP 004B0120
004B0120: POPFD
004B0121: POPAD
004B0122: PUSH EAX
004B0124: LEA EAX, DWORD PTR [EBX+4C]
004B012A: PUSH EAX
004B012C: JMP 0042FB0F
004B0131: 52 65 61 64 65 72 20 55 74 69 6C 69 74 79 20 28 68 69 6A 61 63 6B 65 64 29
004B014A: 00
The jmp at 4b011b jumps to the sample address as the jnz at 4b010d does. It appears that perhaps when a label is being checked, mhs makes a decision on which label is being referenced as soon as it matches an existing label, without fully comparing the whole of the label.
I have tried a few other samples, with different names and only using characters, but the problem still seems to exist.
