Tools Used

  1. IDA Pro
  2. OllyDbg
  3. Cerbero Profiler


  1. Lab16-02.exe SHA256: 0c3031f630adc6cdd7b877fa1c2982909cde01dff612db5dd7df58cc778dd919


  • Detection Rate: 4/54
  • Analyzed on 2016-03-19
  • Compilation Date: 2011-11-03 04:19:52
  • View report here

Lab 16-2
Analyze the malware found in Lab16-02.exe using a debugger. The goal of this
lab is to figure out the correct password. The malware does not drop a malicious

1. What happens when you run Lab16-02.exe from the command line?

Picture worth a thousand words.

Figure 1. password required

2. What happens when you run Lab16-02.exe and guess the command-line

Figure 2. Incorrect password

3. What is the command-line password?

To get the command-line password, we can set a breakpoint @0040123A to see what the malware is comparing the password against. However, on running the malware under the debugger, the program simply terminates.

Figure 3. Callbacks

It seems the subroutine at 0x00408033 is called before we reach the main function. Analyzing it in IDA Pro, this subroutine checks for an OLLYDBG window via FindWindowA and also uses OutputDebugString to detect a debugger. Just NOP out the function and let it return to bypass these checks.

Figure 4. byqrp@ss

And so we got the password… however, this password, obtained with the debugger attached, is invalid when tried on the command line.

Let's look at the subroutine @00401090, which is called via CreateThread. This function is responsible for generating the password to check against.

Figure 5. BeingDebugged Flag

In the subroutine we can see a check against the BeingDebugged flag… maybe this is the cause. Let's fix the structure (set the flag back to 0) and see how it goes.

Figure 6. byrrp@ss

The decoded password is “byrrp@ss”. However, the strncmp only compares the first 4 characters.

Figure 7. Correct Password

4. Load Lab16-02.exe into IDA Pro. Where in the main function is strncmp

Figure 8. strncmp

5. What happens when you load this malware into OllyDbg using the
default settings?

The program just terminates. In fact, even when I run it from the command line while OllyDbg is running in the background, the application also terminates.

6. What is unique about the PE structure of Lab16-02.exe?

There is a .tls section.

Figure 9. .tls section

7. Where is the callback located? (Hint: Use CTRL-E in IDA Pro.)

At address 0x00401060.

Figure 10. Ctrl-E
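Both the .tls section (question 6) and the callback address (question 7) can be recovered statically from the PE headers, which is useful when a sample kills itself under a debugger. The following script is an added example, not part of this writeup or the lab material: it parses a PE32 image, reports whether a .tls section exists, and walks the TLS directory (data directory index 9) to list every callback VA. Because a TLS callback runs before the entry point, this is exactly where such anti-debugging checks get staged, so an analyst should enumerate them before ever pressing F9. It is exercised on a minimal PE32 image constructed inline (not Lab16-02.exe); the first callback value, 0x00401060, mirrors the address reported above, the second is made up.

```python
"""Locate the .tls section and enumerate TLS callbacks in a PE32 file image."""
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the data directory table


def parse_sections(data, opt_off, opt_size, count):
    """Return (name, virtual_address, virtual_size, raw_ptr, raw_size) for each section."""
    sections = []
    for i in range(count):
        off = opt_off + opt_size + i * 40  # section headers follow the optional header
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize))
    return sections


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table."""
    for _, va, vsize, rptr, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def tls_callbacks(data):
    """Return (has_tls_section, [callback VAs]) for a PE32 file image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    sections = parse_sections(data, opt, opt_size, nsections)
    has_tls_section = any(name == ".tls" for name, *_ in sections)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return has_tls_section, []
    tls_rva, tls_size = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0 or tls_size == 0:
        return has_tls_section, []
    # IMAGE_TLS_DIRECTORY32: AddressOfCallBacks is the 4th DWORD and holds a VA, not an RVA
    callbacks_va = struct.unpack_from("<I", data, rva_to_offset(sections, tls_rva) + 12)[0]
    callbacks = []
    if callbacks_va:
        off = rva_to_offset(sections, callbacks_va - image_base)
        while True:  # the callback array is terminated by a NULL pointer
            va = struct.unpack_from("<I", data, off)[0]
            if va == 0:
                break
            callbacks.append(va)
            off += 4
    return has_tls_section, callbacks


def build_sample_pe():
    """Constructed PE32 image with a .text and a .tls section (test data, not a real binary)."""
    image_base, tls_rva, cb_rva = 0x400000, 0x2000, 0x2020
    callbacks = [0x00401060, 0x00401070]  # first mirrors the writeup's address, second is made up
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)                             # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, image_base, 0x1000, 0x200)        # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, tls_rva, 24)

    def section(name, va, rptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, rptr, 0, 0, 0, 0, chars)

    hdrs = section(b".text", 0x1000, 0x200, 0x60000020) + section(b".tls", 0x2000, 0x400, 0xC0000040)
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + hdrs).ljust(0x200, b"\0")
    text = b"\xC3".ljust(0x200, b"\0")  # a lone RET at the entry point
    tls = bytearray(0x200)
    # TLS directory: raw start/end, AddressOfIndex, AddressOfCallBacks (VA), SizeOfZeroFill, Characteristics
    struct.pack_into("<IIIIII", tls, 0, image_base + tls_rva + 0x40, image_base + tls_rva + 0x44,
                     image_base + tls_rva + 0x30, image_base + cb_rva, 0, 0)
    struct.pack_into("<" + "I" * (len(callbacks) + 1), tls, cb_rva - tls_rva, *callbacks, 0)
    return headers + text + bytes(tls)


if __name__ == "__main__":
    has_tls, cbs = tls_callbacks(build_sample_pe())
    print(".tls section present:", has_tls)
    for va in cbs:
        print(f"TLS callback at {va:#010x}")
```

Point `tls_callbacks` at `open(path, "rb").read()` for a real 32-bit sample; any callback it lists is code that executes before `main`, and is the first place to look for FindWindowA, OutputDebugString or BeingDebugged checks.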

8. Which anti-debugging technique is the program using to terminate
immediately in the debugger and how can you avoid this check?

  1. OLLYDBG window via FindWindowA
  2. OutputDebugString to detect a debugger
  3. BeingDebugged flag via fs:[30h]+2

9. What is the command-line password you see in the debugger after you
disable the anti-debugging technique?

Refer to the solution for question 3.

10. Does the password found in the debugger work on the command line?

Refer to the solution for question 3.

11. Which anti-debugging techniques account for the different passwords in
the debugger and on the command line, and how can you protect
against them?

  1. OutputDebugString (NOP out the callback function)
  2. BeingDebugged flag (change the structure to set the debug flag back to 0)
