1. Open the PE in Idapro and Find the Address of Main

In-class homework 5:

Download hw_5_in.zip and unzip to get hw_5_in.exe. Make sure you snapshot the VM before analysis. Answer the following questions.

*Using both IDAPro and OllyDbg will be more effective during the analysis. * - You will love IDAPro as it can go back whereas OllyDbg can only go forward or restart. Thus, step in/step over very slowly.

1.  Open the PE in IDAPro and find the address of _main.

2.  Press F8 to step over until you reach the address 0x403945, then Press F7 to step into the _main (the address should be exactly the one you found above). If overshoots, press restart (CTRL + F2) to start over. You will see:

Continue slowly using F7 until 0x00402AF8, Use F8 to step over this function. *Actually, this function is visualized by IDAPro as a __alloca_probe function that checks whether there is enough stack space to perform allocation call. *

Continue slowly to step in F7 and you see highlighted 0x00402AFD. What does this line do? (Hint: it may be easier to tell from IDAPro)

Continue F7 we can see it doesn’t go to the 1.00402B1D (JNZ Short). Let’s step into CALL 1.00401000.

3.  We start seeing bunch of registry key entry like this:

It tries to see a registry key is existed or not. Let’s continue:

Use the F7 to step in until you reach 0x402410 as shown below:

Use F7 until you reach:

What is the value in EDX at 0x00402442 ?

What is the ASCII code at 0x00402449 ?

What can you conclude by associating the EDX value and the ASCII code ?

Close OllyDbg and double click the program to confirm your conclusion here. You may want to restore your VM to the previous snapshot because the program has deleted itself.

4.  Next let us do this, recall previously at 0x00402AFD (at the end of Question 2), by default, it will not go to JNZ SHORT 0x00402B1D. Let’s make it go into that function by changing the argument to be “-in”, Debug->Argument and then use F7, we can see it goes to 0x00402B1D. Follow these procedures closely.

You will see:

From 0x00402B1D to 0x00402B2A, explain what the code is doing ?

(Hints: Suppose we know [EBP+8] is argc, the count of arguments; [EBP+C] is argv -> they are loaded into EAX and ECX, respectively. Basically, just need to figure out what ECX + EAX*4 – 4 is ? ECX + (EAX -1)*4 -> which argument address the it is trying to access ? ECX is the beginning and EAX is the count, each argument occupies 4. Is it the first argument? The second argument ? The third ? The last ?)

Take a snapshot of the values in the register to validate your findings. (Hint: you may want to see what is in EAX ultimately at 0x00402B2D)

5.  (Patching) Switch to IDAPro, jump to address 0x402510, we see something like this:

The flow progresses through each stage, whenever there is false, it clears EAX and jumps to the same function; the only success is to pass all the stages and reach 0x40259B on the bottom right corner. Rather than going into the massy encoding/decoding details here, our initial guess is that it performs some checking such as a passcode. Our goal here is to disable the checking using OllyDbg, which would always lead to successful check.

Note that at 0x40259B, it will finally “MOV EAX, 1” -> why not just doing this at the entry point to skip all the checking.

Our objective is to patch the entry point of the checking (0x402510) with MOV EAX,1 and RET. To do this, you need to find the opcodes for these instructions.

Check 0x0040259B, what opcode do you see? Take a snapshot. It should begin with B8…….

Use Google to search for the opcode for RET. What is it ?

(*Please check with me the opcode you found is correct*)

Go back to the entry point, select Binary -> Edit to patch the HEX at that location. Put the sequence of opcode you found into the third box: (make sure you uncheck the keep size box)

Right click and select Copy to executable -> All modifications. A new window will be opened with the changes you made, right click and select Save File, rename it to hw_5_in_patched.exe.

6.  Finally, let us confirm the patch is done correctly. Confirm your program can reach 0x00402B57 after the patch like the one below. Take a snapshot from your screen. Save the patched file for the rest in take home assignments.