Finding Binary Clones with Opstrings & Function Digests: Part III

(a)

test,jz,call,and,loc,test,jz,call,and,loc,test,jz,call,and,loc,ret

...
16 . BE52429A4DB568969503A30A27D4CB24 rtcshare.exe- ??1CShareErrorInfo@@UAE@XZ
16 . BE52429A4DB568969503A30A27D4CB24 rend.dll - ??1CObjectWithSite@@QAE@XZ
16 . BE52429A4DB568969503A30A27D4CB24 query.dll-?_Cleanup@CDbParameter@@AAEXXZ
16 . BE52429A4DB568969503A30A27D4CB24 qedit.dll - ?Release@CDXDataPtr@@QAEXXZ
 ...

7D9D7AFB             	?_Cleanup@CDbParameter@@AAEXXZ: ;;; query.dll
7D9D7AFB 8BFF         		mov 	edi,edi
7D9D7AFD 56              		push  	esi
7D9D7AFE 8BF1              		mov  	esi,ecx
7D9D7B00 8B06           		mov  	eax,[esi]
7D9D7B02 85C0            		test 	eax,eax
7D9D7B04 7409            		jz  	loc_7D9D7B0F
7D9D7B06 50              		push 	eax
7D9D7B07 E81EC40B00       		call 	_CoTaskMemFree@4
7D9D7B0C 832600          		and  	dword ptr [esi],0
7D9D7B0F             	loc_7D9D7B0F:
7D9D7B0F 8B4604          		mov  	eax,[esi+4]
7D9D7B12 85C0            		test 	eax,eax
7D9D7B14 740A             		jz  	loc_7D9D7B20
7D9D7B16 8B08            		mov  	ecx,[eax]
7D9D7B18 50             		push 	eax
7D9D7B19 FF5108         		call  	dword ptr [ecx+8]
7D9D7B1C 83660400       		and   	dword ptr [esi+4],0
7D9D7B20               	loc_7D9D7B20:
7D9D7B20 8B4608       		mov  	eax,[esi+8]
7D9D7B23 85C0          		test  	eax,eax
7D9D7B25 740A           		jz   	loc_7D9D7B31
7D9D7B27 50               		push 	eax
7D9D7B28 E8FDC30B00        		call 	_CoTaskMemFree@4
7D9D7B2D 83660800        		and  	dword ptr [esi+8],0
7D9D7B31             	loc_7D9D7B31:
7D9D7B31 5E            		pop  	esi
7D9D7B32 C3              		ret

5DA13F91            	??1CObjectWithSite@@QAE@XZ: ;;; rend.dll
5DA13F91 56              		push  	esi
5DA13F92 8BF1            		mov  	esi,ecx
5DA13F94 8B4604         		mov  	eax,[esi+4]
5DA13F97 85C0            		test 	eax,eax
5DA13F99 C706AC17A15D    		mov  	dword ptr [esi],offset 
   ??_7CRendezvous@@6BCObjectWithSite@@@
5DA13F9F 740B             		jz   	loc_5DA13FAC
5DA13FA1 50              		push 	eax
5DA13FA2 E819EF0000       		call	??3@YAXPAX@Z
5DA13FA7 83660400       		and	dword ptr [esi+4],0
5DA13FAB 59              		pop 	ecx
5DA13FAC             	loc_5DA13FAC:
5DA13FAC 8B460C         		mov 	eax,[esi+0Ch]
5DA13FAF 85C0            		test	eax,eax
5DA13FB1 740A             		jz  	loc_5DA13FBD
5DA13FB3 8B08             		mov 	ecx,[eax]
5DA13FB5 50              		push 	eax
5DA13FB6 FF5108          		call  	dword ptr [ecx+8]
5DA13FB9 83660C00        		and  	dword ptr [esi+0Ch],0
5DA13FBD               	loc_5DA13FBD:
5DA13FBD 8B4610           		mov 	eax,[esi+10h]
5DA13FC0 85C0             		test 	eax,eax
5DA13FC2 740B             		jz   	loc_5DA13FCF
5DA13FC4 50                		push 	eax
5DA13FC5 E8F6EE0000      		call  	??3@YAXPAX@Z
5DA13FCA 83661000         		and  	dword ptr [esi+10h],0
5DA13FCE 59              		pop 	ecx
5DA13FCF               	loc_5DA13FCF:
5DA13FCF 5E              		pop  	esi
5DA13FD0 C3              		ret

Figure 3: A false positive: (a) a function digest; (b) a few of the 30 functions in XP with this digest; and (c) and (d) two disassemblies showing that the code doesn't really match.