Modifying Program Execution in Practice

The last example in this chapter comes from a real virus that behaved differently depending on the language settings of the infected computer. If the language setting was simplified Chinese, the virus uninstalled itself from the machine and caused no damage. If the language setting was English, it displayed a pop-up with a poorly translated message saying, “You luck’s so good.” If the language setting was Japanese or Indonesian, the virus overwrote the hard drive with garbage data in an effort to destroy the computer. Let’s see how we could analyze what this program would do on a Japanese system without actually changing our own language settings.

Listing 8-7 shows the assembly code that differentiates between language settings. The program first calls the function GetSystemDefaultLCID. Next, based on the return value, it calls one of three different functions. The locale IDs for English, Japanese, Indonesian, and Chinese are 0x0409, 0x0411, 0x0421, and 0x0C04, respectively.

Listing 8-7. Assembly for differentiating between language settings

00411349  call    GetSystemDefaultLCID
0041134F  mov     [ebp+var_4], eax
00411352  cmp     [ebp+var_4], 409h
00411359  jnz     short loc_411360
0041135B  call    sub_411037
00411360  cmp     [ebp+var_4], 411h
00411367  jz      short loc_411372
00411369  cmp     [ebp+var_4], 421h
00411370  jnz     short loc_411377
00411372  call    sub_41100F
00411377  cmp     [ebp+var_4], 0C04h
0041137E  jnz     short loc_411385
00411380  call    sub_41100A

The code calls the function at 0x411037 if the language is English, 0x41100F if the language is Japanese or Indonesian, and 0x41100A if the language is Chinese. To analyze this properly, we need to execute the code that runs when the system locale is Japanese or Indonesian. We can force that code path in a debugger without changing the settings on our own system by setting a breakpoint on the instruction immediately after the call to GetSystemDefaultLCID (the mov at 0x0041134F), where EAX holds the function’s return value before it is stored in var_4. On a US English system, EAX would contain 0x0409 at that point. You could change EAX in the debugger to 0x411 and then continue running the program, so that it executes the code as if it were running on a Japanese-language system. Of course, you would want to do this only in a disposable virtual machine.
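The following WinDbg command sequence is an added example of the technique just described; it is not from the original text or from the sample itself. It uses the addresses from Listing 8-7 and assumes the binary is loaded at its preferred image base (0x00400000), so the IDA addresses match the debugger’s; if the loader relocated the image, rebase them first.

```windbg
$$ Added example, not from the original text: force the Japanese code path in WinDbg.
$$ Assumes the sample is loaded at its preferred image base (0x00400000), so the
$$ addresses below match the IDA listing; rebase them if the loader relocated it.

$$ Break on the instruction right after the call to GetSystemDefaultLCID, where EAX
$$ still holds the real LCID. Display it, overwrite it with the Japanese LCID
$$ (0x411), and continue. The mov at this address then stores the forced value
$$ into var_4, which all three cmp instructions read.
bp 0041134F "r eax; r eax = 0x411; gc"

$$ Stop at the entry of each locale handler so the chosen path can be single-stepped
$$ instead of run to completion (the Japanese/Indonesian handler is the destructive one).
bp 00411037 ".echo English handler sub_411037 reached"
bp 0041100F ".echo Japanese/Indonesian handler sub_41100F reached"
bp 0041100A ".echo Chinese handler sub_41100A reached"

$$ Resume the target; it should now stop at 0041100F with the Japanese/Indonesian message.
g
```

To exercise the Indonesian branch instead, set EAX to 0x421; the jz at 0x411367 is not taken, but the cmp against 421h at 0x411369 matches and execution falls through to the same call at 0x411372. Because the handler breakpoints have no trailing gc, the debugger halts at the handler’s first instruction, which lets you read or step the disk-wiping code without letting it run, even inside the disposable virtual machine.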
