Lab 15-1 Solutions

Short Answers

  1. This program uses false conditional branches: an xor eax, eax followed by a jz.

  2. The program tricks the disassembler into disassembling the opcode 0xE8, the first byte of a 5-byte call instruction, which immediately follows the jz instruction.

  3. The false conditional branch technique is used five times in this program.

  4. The command-line argument pdq will cause the program to print “Good Job!”

Detailed Analysis

First, we load the file into IDA Pro and scroll to the main function at address 0x401000. A few lines into the function, at address 0x0040100E, we see the first signs of anti-disassembly, as shown in Example C-120.

Example C-120. jz jumping into the middle of a call instruction

00401006 83 7D 08 02 cmp dword ...
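To make the mechanism behind answers 1 and 2 concrete, here is an added Python example (not code from the book or from the lab binary) that decodes a constructed byte stream modelled on the same pattern: a linear-sweep pass swallows the rogue 0xE8 as a 5-byte call and hides the real instruction behind it, while a flow-oriented pass that knows ZF is set after xor eax, eax follows the jz and recovers it. The bytes after the jz, and the load address, are assumptions for illustration, not the lab's actual code.

```python
# Minimal x86 decoder covering only the opcodes used in the constructed stream.
BASE = 0x0040100E  # assumed address of the first instruction (from Example C-120)

# Constructed byte stream (not from the lab binary) following the lab's pattern:
#   33 C0        xor eax, eax      ; ZF is now guaranteed set
#   74 01        jz  +1            ; always taken, lands one byte past the E8
#   E8           rogue byte        ; a linear disassembler reads it as "call rel32"
#   B8 01 00 00 00  mov eax, 1     ; the real code, hidden by the rogue call
#   C3           ret
CODE = bytes.fromhex("33C07401E8B801000000C3")

def decode(code, off):
    """Decode one instruction at offset off -> (text, length, branch target or None)."""
    op = code[off]
    if code[off:off + 2] == b"\x33\xC0":
        return "xor eax, eax", 2, None
    if op == 0x74:                                  # jz rel8
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        return f"jz 0x{BASE + off + 2 + rel:08X}", 2, off + 2 + rel
    if op == 0xE8 and off + 5 <= len(code):        # call rel32
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        return f"call 0x{BASE + off + 5 + rel:08X}", 5, None
    if op == 0xB8 and off + 5 <= len(code):        # mov eax, imm32
        return f"mov eax, 0x{int.from_bytes(code[off + 1:off + 5], 'little'):X}", 5, None
    if op == 0xC3:
        return "ret", 1, None
    return f"db 0x{op:02X}", 1, None                # byte the decoder cannot place

def linear_sweep(code):
    """Decode every byte in order, as a linear-sweep disassembler does."""
    out, off = [], 0
    while off < len(code):
        text, length, _ = decode(code, off)
        out.append((BASE + off, text))
        off += length
    return out

def flow_oriented(code):
    """Follow control flow. A jz directly after xor eax, eax is always taken,
    so only its target is decoded and the rogue fall-through byte is skipped."""
    out, off, prev = [], 0, None
    while off < len(code):
        text, length, target = decode(code, off)
        out.append((BASE + off, text))
        if text == "ret":
            break
        off = target if target is not None and prev == "xor eax, eax" else off + length
        prev = text
    return out

if __name__ == "__main__":
    for name, listing in (("linear sweep", linear_sweep(CODE)), ("flow-oriented", flow_oriented(CODE))):
        print(name)
        for addr, text in listing:
            print(f"  {addr:08X}  {text}")
```

The linear pass reports a bogus call at 0x00401012 and never shows mov eax, 1; the flow-oriented pass lands at 0x00401013 and decodes it, which is exactly the disagreement the lab asks you to spot.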
