Книга: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Назад: Lab 18-3 Solutions
Дальше: Lab 18-5 Solutions
that setting a breakpoint on the stack to search for the corresponding popad instruction may be a good strategy for this packer. We step-over the pushad instruction, as shown in at ❶... We then click the top of the stack at ❷ and select Breakpoint ▸ Hardware, on Access ▸ DWORD to set a breakpoint on the stack instruction.We press F9 to start the program again. The program eventually hits our breakpoint, and we see the code shown in .
.. This confirms our suspicions that this is the OEP.Example C-184. OEP after OllyDbg has analyzed the code
00403896 PUSH EBP 00403897 MOV EBP,ESP 00403899 PUSH -1 0040389B PUSH Lab18-04.0040B188 004038A0 PUSH Lab18-04.004064AC ; SE handler installation 004038A5 MOV EAX,DWORD PTR FS:[0] 004038AB PUSH EAX 004038AC MOV DWORD PTR FS:[0],ESP 004038B3 SUB ESP,10 004038B6 PUSH EBX 004038B7 PUSH ESI 004038B8 PUSH EDI 004038B9 MOV DWORD PTR SS:[EBP-18],ESP 004038BC CALL DWORD PTR DS:[40B0B8] ; kernel32.GetVersion
Next, we select Plugins ▸ OllyDump ▸ Dump Debugged Process. We click the Get EIP as OEP button, accept the default settings, and click Dump. In the dialog, we enter a filename to save a copy of the unpacked program.
Having dumped the program, run it to verify that it works properly. Then open it in IDA Pro to verify that it is unpacked and has the same functionality as Lab09-01.exe.
Назад: Lab 18-3 Solutions
Дальше: Lab 18-5 Solutions
Войти в систему
Войти с помощью соц. сетей:
. We then click the top of the stack at ❷ and select Breakpoint ▸ Hardware, on Access ▸ DWORD to set a breakpoint on the stack instruction.
We press F9 to start the program again. The program eventually hits our breakpoint, and we see the code shown in .
.
. This confirms our suspicions that this is the OEP.
Example C-184. OEP after OllyDbg has analyzed the code
00403896 PUSH EBP 00403897 MOV EBP,ESP 00403899 PUSH -1 0040389B PUSH Lab18-04.0040B188 004038A0 PUSH Lab18-04.004064AC ; SE handler installation 004038A5 MOV EAX,DWORD PTR FS:[0] 004038AB PUSH EAX 004038AC MOV DWORD PTR FS:[0],ESP 004038B3 SUB ESP,10 004038B6 PUSH EBX 004038B7 PUSH ESI 004038B8 PUSH EDI 004038B9 MOV DWORD PTR SS:[EBP-18],ESP 004038BC CALL DWORD PTR DS:[40B0B8] ; kernel32.GetVersion
Next, we select Plugins ▸ OllyDump ▸ Dump Debugged Process. We click the Get EIP as OEP button, accept the default settings, and click Dump. In the dialog, we enter a filename to save a copy of the unpacked program.
Having dumped the program, run it to verify that it works properly. Then open it in IDA Pro to verify that it is unpacked and has the same functionality as Lab09-01.exe.
Назад: Lab 18-3 Solutions
Дальше: Lab 18-5 Solutions
Войти в систему
Войти с помощью соц. сетей: