When you run Lab16-02.exe from the command line, it prints a usage string asking for a four-character password.
If you input an incorrect password, the program will respond with “Incorrect password, Try again.”
The correct command-line password is
The strncmp function is called at 0x40123A.
The program immediately terminates when loaded into OllyDbg using the default settings.
The program contains a
The TLS callback starts at 0x401060.
The FindWindowA function is used to terminate the malware.
It looks for a window with the class name OLLYDBG and terminates the program if it is found. You can change the window class name using an OllyDbg plug-in like PhantOm, or NOP-out the call to exit at 0x40107C.
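To confirm statically that a binary registers TLS callbacks before loading it in a debugger, the following added example (not part of the original lab solutions) walks a PE32 header to the TLS data directory and lists the callback addresses. The image returned by build_sample is constructed for the example and reuses 0x401060 as its callback address; the function names tls_callbacks and build_sample are assumptions.

```python
import struct

def tls_callbacks(pe: bytes) -> list:
    """Return the virtual addresses of the TLS callbacks in a PE32 image."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    opt = e_lfanew + 24                      # start of the optional header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    (image_base,) = struct.unpack_from("<I", pe, opt + 28)
    (num_dirs,) = struct.unpack_from("<I", pe, opt + 92)
    # Data directory 9 is IMAGE_DIRECTORY_ENTRY_TLS; each entry is 8 bytes
    tls_rva = struct.unpack_from("<I", pe, opt + 96 + 9 * 8)[0] if num_dirs > 9 else 0
    if tls_rva == 0:
        return []
    # Section rows: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
                for i in range(nsections)]

    def offset(rva):
        for vsize, va, raw_size, raw_ptr in sections:
            if va <= rva < va + max(vsize, raw_size):
                return rva - va + raw_ptr
        raise ValueError(f"RVA {rva:#x} is not inside any section")

    # IMAGE_TLS_DIRECTORY32.AddressOfCallBacks is the fourth DWORD, stored as a VA
    (cb_array_va,) = struct.unpack_from("<I", pe, offset(tls_rva) + 12)
    if cb_array_va == 0:
        return []
    pos, callbacks = offset(cb_array_va - image_base), []
    # The callback array is a null-terminated list of 32-bit VAs
    while pos + 4 <= len(pe) and (cb := struct.unpack_from("<I", pe, pos)[0]):
        callbacks.append(cb)
        pos += 4
    return callbacks

def build_sample() -> bytes:
    """Constructed minimal PE32 image for the example; not the lab binary."""
    pe = bytearray(0x400)
    pe[0:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)                     # e_lfanew
    struct.pack_into("<HH12xH", pe, 0x44, 0x14C, 1, 0xE0)      # i386, 1 section
    struct.pack_into("<H", pe, 0x58, 0x10B)                    # PE32 magic
    struct.pack_into("<I", pe, 0x58 + 28, 0x400000)            # ImageBase
    struct.pack_into("<I", pe, 0x58 + 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", pe, 0x58 + 96 + 72, 0x3000, 0x18)  # TLS directory entry
    struct.pack_into("<8s4I", pe, 0x138, b".rdata", 0x200, 0x3000, 0x200, 0x200)
    struct.pack_into("<4I", pe, 0x200, 0, 0, 0, 0x403020)      # AddressOfCallBacks
    struct.pack_into("<II", pe, 0x220, 0x401060, 0)            # callback array
    return bytes(pe)
```

A non-empty result means code runs before the entry point, so a breakpoint belongs on the listed addresses rather than only on the entry point.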
At first, ...