Lab 15-1 Solutions
Short Answers
This program uses false conditional branches: an xor eax, eax, followed by jz. The program tricks the disassembler into disassembling the opcode 0xE8, the first byte of a 5-byte call instruction, which immediately follows the jz instruction. The false conditional branch technique is used five times in this program.
The command-line argument pdq will cause the program to print “Good Job!”
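To make the first short answer concrete, here is an added example (not code from the book, from the lab binary, or from IDA) that models the false conditional branch in a few dozen lines of Python. It decodes only the handful of x86 opcodes needed, over a constructed byte stream that is not taken from Lab15-01.exe: xor eax, eax sets ZF, so the following jz is always taken and skips a single rogue 0xE8 byte. A linear sweep decodes that 0xE8 as a 5-byte call and swallows the real code; following the always-taken branch recovers it. The find_false_branches helper is a hypothetical heuristic that flags a jz whose target lands inside the instruction a linear sweep would decode next.

```python
# Added example: a minimal model of the false-conditional-branch trick.
# Hypothetical minimal decoder; bytes below are constructed for illustration.
from typing import List, Tuple

Insn = Tuple[int, str]  # (offset, disassembly text)

# Constructed bytes: xor eax,eax ; jz $+3 ; rogue 0xE8 ; real code follows.
SAMPLE = bytes([
    0x33, 0xC0,        # 0: xor eax, eax   (ZF is always set afterwards)
    0x74, 0x01,        # 2: jz  +1          (always taken; skips exactly one byte)
    0xE8,              # 4: first byte of a 5-byte call; never executed
    0x55,              # 5: push ebp        (real code starts here)
    0x8B, 0xEC,        # 6: mov ebp, esp
    0x33, 0xC0,        # 8: xor eax, eax
    0xC3,              # 10: ret
])


def decode_one(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode the instruction at buf[off] -> (text, length).
    Only the opcodes used in SAMPLE are understood; anything else becomes 'db'."""
    op = buf[off]
    if op == 0x33 and buf[off + 1:off + 2] == b"\xC0":
        return "xor eax, eax", 2
    if op == 0x74 and off + 1 < len(buf):
        rel = int.from_bytes(buf[off + 1:off + 2], "little", signed=True)
        return f"jz 0x{off + 2 + rel:04x}", 2
    if op == 0xE8 and off + 5 <= len(buf):
        rel = int.from_bytes(buf[off + 1:off + 5], "little", signed=True)
        return f"call 0x{off + 5 + rel:08x}", 5
    if op == 0x55:
        return "push ebp", 1
    if op == 0x8B and buf[off + 1:off + 2] == b"\xEC":
        return "mov ebp, esp", 2
    if op == 0xC3:
        return "ret", 1
    return f"db 0x{op:02x}", 1


def linear_sweep(buf: bytes) -> List[Insn]:
    """What a linear-sweep disassembler sees: the rogue 0xE8 swallows the real code."""
    out, off = [], 0
    while off < len(buf):
        text, length = decode_one(buf, off)
        out.append((off, text))
        off += length
    return out


def follow_flow(buf: bytes, start: int = 0) -> List[Insn]:
    """Follow execution: after xor eax,eax ZF is known to be set, so jz is taken."""
    out, pc, zf_set, seen = [], start, False, set()
    while pc < len(buf) and pc not in seen:
        seen.add(pc)
        text, length = decode_one(buf, pc)
        out.append((pc, text))
        if text == "xor eax, eax":
            zf_set = True
        elif text.startswith("jz ") and zf_set:
            pc = int(text.split()[1], 16)   # take the branch to its real target
            continue
        elif text == "ret":
            break
        pc += length
    return out


def find_false_branches(buf: bytes) -> List[Tuple[int, int]]:
    """Heuristic: xor eax,eax ; jz whose target lands *inside* the instruction a
    linear sweep would decode next. Returns (offset_of_xor, true_target) pairs."""
    hits = []
    for off in range(len(buf) - 3):
        if buf[off:off + 3] != b"\x33\xC0\x74" or off + 4 >= len(buf):
            continue
        rel = int.from_bytes(buf[off + 3:off + 4], "little", signed=True)
        target = off + 4 + rel
        _, next_len = decode_one(buf, off + 4)
        if off + 4 < target < off + 4 + next_len:
            hits.append((off, target))
    return hits


if __name__ == "__main__":
    for title, listing in (("linear sweep", linear_sweep(SAMPLE)),
                           ("following the always-taken jz", follow_flow(SAMPLE))):
        print(f"-- {title}")
        for off, text in listing:
            print(f"{off:08x}  {text}")
    print("false branches (xor offset, true target):", find_false_branches(SAMPLE))
```

Running the script prints the two listings side by side: the linear sweep shows a bogus call at offset 4 followed by a stray db byte, while the flow-following pass shows push ebp, mov ebp, esp, xor eax, eax and ret at their true offsets. The same heuristic can be applied to each of the five sites the short answer mentions, because every one of them follows the same xor eax, eax / jz / 0xE8 shape.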
Detailed Analysis
First, we load the file into IDA Pro and scroll to the main function at address 0x401000. A few lines from the start of the function, at memory address 0x0040100E, we see the first signs of anti-disassembly, as shown in Example C-120.
Example C-120. jz jumping into the middle of a call instruction

00401006 83 7D 08 02 cmp dword ...