- IDA Pro
- Lab15-01.exe SHA256: 1120d5ee34d2cd4519ea551cd4c8b1544b9a5993aba33774ffc854cec34001e1
- Detection Rate: 0/53
- Analyzed on 2016-03-18
- Compilation Date: 2011-02-04 15:22:33
Analyze the sample found in the file Lab15-01.exe. This is a command-line
program that takes an argument and prints “Good Job!” if the argument
matches a secret code.
1. What anti-disassembly technique is used in this binary?
A conditional jump with a constant condition. `xor eax, eax` always clears EAX and sets ZF, so the `jz` that follows is always taken; the disassembler does not know this and also decodes the fall-through byte, 0xE8 (the opcode of a 5-byte `call rel32`). That rogue byte swallows the four real instruction bytes after it as the call's displacement, so IDA Pro shows a bogus `call` and loses the instructions that actually execute.
We can undefine the bogus instruction (U) and redefine it as code from the jump target (C), as shown below. Patching the rogue 0xE8 to a NOP (0x90) is the more durable fix, because the database then disassembles correctly every time it is reanalyzed.
2. What rogue opcode is the disassembly tricked into disassembling?
0xE8, the opcode of a 5-byte `call rel32`. Placed right after the always-taken `jz`, it makes the disassembler consume the next four real bytes as the call's displacement.
3. How many times is this technique used?
Five times. Count the occurrences of the `xor eax, eax` / `jz` / 0xE8 sequence (refer to figure 2); only an 0xE8 that sits immediately after the always-taken `jz` counts, since counting every 0xE8 byte in the binary would also include legitimate calls.
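To make answers 1 to 3 concrete, here is an added Python example (not code from the lab, the book, or IDA Pro) that builds a constructed byte string containing two copies of the gadget, shows how a byte-by-byte linear sweep is fooled while a flow-aware walk that knows ZF is set is not, counts the uses by matching the full `33 C0 74 01 E8` pattern rather than bare 0xE8 bytes, and patches each rogue byte to a NOP. The decoder handles only the handful of opcodes in the sample, and the `GADGET`, `SAMPLE` bytes and all function names are assumptions made here.

```python
"""Added example: how the xor/jz + rogue 0xE8 trick defeats a linear sweep,
how to count every use of it, and how to neutralise it by patching.
Only a handful of x86 opcodes are decoded; this is not a real disassembler."""
import struct

# Constructed bytes (not taken from Lab15-01.exe).
#   33 C0   xor eax, eax   ; ZF is always 1 afterwards
#   74 01   jz  $+3        ; therefore always taken, skips exactly one byte
#   E8      rogue byte: opcode of a 5-byte "call rel32", never executed
GADGET = bytes.fromhex("33C07401E8")
SAMPLE = (
    GADGET + bytes.fromhex("B801000000")    # mov eax, 1  (hidden behind the E8)
    + GADGET + bytes.fromhex("B802000000")  # mov eax, 2  (hidden behind the E8)
    + bytes.fromhex("C3")                   # ret
)


def decode_one(code, off):
    """Decode one instruction at `off`; return (text, length)."""
    b = code[off]
    if code[off:off + 2] == b"\x33\xC0":
        return "xor eax, eax", 2
    if b == 0x74 and off + 2 <= len(code):
        rel = struct.unpack("<b", code[off + 1:off + 2])[0]
        return "jz 0x%x" % (off + 2 + rel), 2
    if b == 0xE8 and off + 5 <= len(code):          # call rel32 eats 4 bytes
        rel = struct.unpack("<i", code[off + 1:off + 5])[0]
        return "call 0x%x" % ((off + 5 + rel) & 0xFFFFFFFF), 5
    if b == 0xB8 and off + 5 <= len(code):          # mov eax, imm32
        imm = struct.unpack("<I", code[off + 1:off + 5])[0]
        return "mov eax, 0x%x" % imm, 5
    if b == 0x90:
        return "nop", 1
    if b == 0xC3:
        return "ret", 1
    return "db 0x%02x" % b, 1                       # unknown: emit as data


def linear_sweep(code):
    """What a naive disassembler shows: decode byte after byte from offset 0."""
    out, off = [], 0
    while off < len(code):
        text, n = decode_one(code, off)
        out.append((off, text))
        off += n
    return out


def flow_aware(code):
    """Follow execution instead: a jz right after xor eax,eax is always taken."""
    out, off, prev = [], 0, None
    while off < len(code):
        text, n = decode_one(code, off)
        out.append((off, text))
        if text.startswith("jz") and prev == "xor eax, eax":
            off = int(text.split()[1], 16)          # ZF known set: take the branch
        elif text == "ret":
            break
        else:
            off += n
        prev = text
    return out


def find_rogue_bytes(code):
    """Offsets of every rogue E8: the byte right after xor eax,eax / jz $+3.
    Counting bare 0xE8 bytes would also count legitimate calls."""
    offs, i = [], code.find(GADGET)
    while i != -1:
        offs.append(i + len(GADGET) - 1)
        i = code.find(GADGET, i + 1)
    return offs


def patch_rogue_bytes(code):
    """Replace each rogue E8 with NOP (0x90) so even a linear sweep is correct."""
    buf = bytearray(code)
    for off in find_rogue_bytes(code):
        buf[off] = 0x90
    return bytes(buf)


if __name__ == "__main__":
    listings = (("linear sweep (fooled)", linear_sweep(SAMPLE)),
                ("flow-aware", flow_aware(SAMPLE)),
                ("linear sweep after patch", linear_sweep(patch_rogue_bytes(SAMPLE))))
    for title, listing in listings:
        print(title)
        for off, text in listing:
            print("  %04x  %s" % (off, text))
    print("technique used %d times" % len(find_rogue_bytes(SAMPLE)))
```

Running the script prints the fooled listing (two bogus `call`s and no `mov`), the flow-aware listing (both `mov`s recovered), the clean listing after patching, and the count of uses. The same pattern search is what you would apply to the real binary, with the caveat that a gadget using a different register or a `jz` with a different displacement would need its own pattern.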
4. What command-line argument will cause the program to print
Based on the analysis of the code shown below, the argument must be the pass phrase "pdq"; the program compares its single command-line argument against that string and prints "Good Job!" only on a match.