PRACTICAL MALWARE ANALYSIS: ANTI-DISASSEMBLY (LAB 15-01)

Tools Used

  1. IDA Pro

Sample:

  1. Lab15-01.exe SHA256: 1120d5ee34d2cd4519ea551cd4c8b1544b9a5993aba33774ffc854cec34001e1

VirusTotal:

  • Detection Rate: 0/53
  • Analyzed on 2016-03-18
  • Compilation Date: 2011-02-04 15:22:33
  • View report here

Lab 15-1
Analyze the sample found in the file Lab15-01.exe. This is a command-line
program that takes an argument and prints “Good Job!” if the argument
matches a secret code.
Questions
1. What anti-disassembly technique is used in this binary?

An xor of a register with itself always sets the zero flag, so the jz that follows it is an always-taken jump, even though the disassembler treats it as conditional. The byte placed directly after the jz is the opcode “E8” (a call), which is never executed but causes IDA Pro to disassemble the bytes that follow incorrectly.

Figure 1. A confusing-looking IDA Pro listing

We can undefine the affected bytes and reanalyze the code, as shown below.

Figure 2. Reanalyzing the opcodes

2. What rogue opcode is the disassembly tricked into disassembling?

E8 was used to trick the disassembler.

Figure 3. The E8 opcode

3. How many times is this technique used?

5 times. Count the occurrences of 0xE8 in the listing (refer to Figure 2).
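The always-taken-jz trick from question 1 and the counting exercise from question 3 can be automated. The following scanner is an added example written for this write-up, not code from the lab, the book, or IDA Pro. It assumes the common encoding of the pattern (xor eax, eax; jz short +1; rogue E8), locates every rogue byte in a constructed byte string, reports where the real instruction stream resumes, and optionally patches each rogue byte to NOP so a linear sweep follows the executed path. The SAMPLE bytes are constructed for the example and are not taken from Lab15-01.exe.

```python
"""
Scanner for the 'always-taken jz followed by a rogue 0xE8 byte' anti-disassembly
pattern. Added example for this write-up; not code from the lab or the book.

Assumed encoding of the trick:
    33 C0        xor eax, eax      ; always sets ZF
    74 01        jz  short +1      ; always taken, lands one byte past the jz
    E8           rogue CALL opcode ; never executed, but a linear disassembler
                                   ; consumes it plus the 4 bytes that follow
Real code therefore resumes at the byte immediately after the E8.
"""
import re

# xor eax,eax ; jz rel8=1 ; rogue E8  (bytes regex; \xhh escapes are understood by re)
PATTERN = re.compile(rb"\x33\xC0\x74\x01\xE8")
NOP = 0x90


def find_rogue_bytes(blob: bytes) -> list[int]:
    """Return the offsets of every rogue E8 byte that follows an always-taken jz."""
    return [m.start() + 4 for m in PATTERN.finditer(blob)]


def resume_offsets(blob: bytes) -> list[int]:
    """Offsets where the executed instruction stream resumes (the jz targets)."""
    return [off + 1 for off in find_rogue_bytes(blob)]


def count_uses(blob: bytes) -> int:
    """How many times the trick appears (the question-3 count, automated)."""
    return len(find_rogue_bytes(blob))


def neutralize(blob: bytes) -> bytes:
    """Patch each rogue E8 to NOP so a linear sweep matches the executed path.

    The jz still jumps over the NOP, so runtime behaviour is unchanged; only the
    disassembler's view is corrected. Equivalent to undefining and redefining
    the bytes by hand in IDA Pro.
    """
    out = bytearray(blob)
    for off in find_rogue_bytes(blob):
        out[off] = NOP
    return bytes(out)


# Constructed sample (NOT bytes from Lab15-01.exe): two uses of the trick
# wrapped around ordinary prologue/epilogue code.
SAMPLE = (
    b"\x55\x8B\xEC"                  # push ebp ; mov ebp, esp
    b"\x33\xC0\x74\x01\xE8"          # xor eax,eax ; jz +1 ; rogue E8 at offset 7
    b"\x8B\x45\x08"                  # mov eax, [ebp+8]   (real code resumes at 8)
    b"\x33\xC0\x74\x01\xE8"          # second instance, rogue E8 at offset 15
    b"\x5D\xC3"                      # pop ebp ; ret
)

if __name__ == "__main__":
    print("rogue bytes at :", find_rogue_bytes(SAMPLE))
    print("resume at      :", resume_offsets(SAMPLE))
    print("uses of trick  :", count_uses(SAMPLE))
    print("patched        :", neutralize(SAMPLE).hex(" "))
```

The pattern is deliberately narrow: it matches only the xor/jz+1/E8 encoding this lab uses. Variants (a different flag-setting instruction, another rel8 displacement, or a rogue byte other than E8) would need additional patterns, and on a real sample the scan should be run over the code section only, since a 5-byte sequence can also occur by chance in data.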

4. What command-line argument will cause the program to print
“Good Job!”?

Based on the analysis of the code shown below, the argument must be the pass phrase “pdq”.

Figure 4. Decoding the pass phrase

Figure 5. Good Job!