Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Previous: Exception Handling
Next: Analyzing Shellcode

shows a section of code from a password-protected piece of malware that requires a special key to be entered before it will configure itself. We see an important check and conditional jump (JNZ) at , which decides whether the key is accepted. If the jump is taken, "Bad key" is printed; otherwise, "Key Accepted!" is printed. A simple way to force the program down the key-accepted path is to apply a patch. As shown in , highlight the conditional jump instruction, right-click, and select Binary ▶ Fill with NOPs, as at . This changes the JNZ instruction to NOPs, so the program proceeds as if a key had been accepted.


Select Save File, as shown at , to save it to disk.

Notice that contains the same code as , except that the JNZ instruction has been replaced by two NOP instructions. This procedure permanently stores the NOPs at that location in the executable on disk, so the malware will accept any key from then on. The technique is useful when you want to modify a piece of malware permanently in order to make it easier to analyze.
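As an added illustration (not from the book), the following Python models the patch at the byte level: a short JNZ encodes as 0x75 followed by an 8-bit displacement, so "Fill with NOPs" must write exactly two 0x90 bytes (six for the near form 0F 85 rel32) so that the instruction after it stays correctly aligned. The 16-byte sample routine, the key value 0x2A and the tiny interpreter are constructed for this example and are not taken from any real sample.

```python
# Added example: NOP-filling a conditional jump in a code buffer and
# showing the effect on control flow. Opcodes and sample are constructed.
JNZ_SHORT = 0x75          # JNZ rel8  -> 2 bytes
JNZ_NEAR = (0x0F, 0x85)   # JNZ rel32 -> 6 bytes
NOP = 0x90

# Constructed key check: cmp al, 0x2A / jnz bad / mov eax,1 / ret / bad: mov eax,0 / ret
SAMPLE = bytes.fromhex("3c2a" "7506" "b801000000" "c3" "b800000000" "c3")
JNZ_OFFSET = 2            # file offset of the JNZ in SAMPLE

def jnz_length(code: bytes, offset: int) -> int:
    """Encoded length of the JNZ at offset, or 0 if no JNZ starts there."""
    if code[offset] == JNZ_SHORT:
        return 2
    if tuple(code[offset:offset + 2]) == JNZ_NEAR:
        return 6
    return 0

def nop_out_jnz(code: bytes, offset: int) -> tuple[bytes, bytes]:
    """Replace the JNZ at offset with NOPs of identical length.
    Returns (patched_code, original_bytes) so the change can be reverted."""
    n = jnz_length(code, offset)
    if n == 0:
        raise ValueError(f"no JNZ at offset {offset:#x}")
    original = code[offset:offset + n]
    patched = code[:offset] + bytes([NOP]) * n + code[offset + n:]
    return patched, original

def run(code: bytes, key: int) -> int:
    """Minimal interpreter for the five opcodes used in SAMPLE (constructed,
    not a real x86 emulator). Returns EAX at RET: 1 = accepted, 0 = bad key."""
    eax, zf, ip = key & 0xFF, False, 0
    while True:
        op = code[ip]
        if op == 0x3C:                                   # cmp al, imm8
            zf = (eax & 0xFF) == code[ip + 1]; ip += 2
        elif op == JNZ_SHORT:                            # jnz rel8
            rel = int.from_bytes(code[ip + 1:ip + 2], "little", signed=True)
            ip += 2
            if not zf:
                ip += rel
        elif op == 0xB8:                                 # mov eax, imm32
            eax = int.from_bytes(code[ip + 1:ip + 5], "little"); ip += 5
        elif op == NOP:
            ip += 1
        elif op == 0xC3:                                 # ret
            return eax
        else:
            raise ValueError(f"unsupported opcode {op:#x} at {ip:#x}")

if __name__ == "__main__":
    patched, saved = nop_out_jnz(SAMPLE, JNZ_OFFSET)
    print("wrong key before/after patch:", run(SAMPLE, 0x41), run(patched, 0x41))
```

On a real file the same byte write is applied at the JNZ's file offset (the on-disk offset, not the virtual address), and keeping the original bytes lets you restore the sample after analysis.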


