Lab 18-4 Solutions
We open the Lab18-04.exe file in PEiD and learn that it is packed with ASPack 2.12 -> Alexey Solodovnikov. We then open the malware in OllyDbg and see that the first instruction is pushad, which saves the registers onto the stack.
We know from Chapter 18 that setting a breakpoint on the stack location where pushad saved the registers, so that execution stops at the corresponding popad instruction, may be a good strategy for this packer. We step over the pushad instruction, as shown in Example C-181 at ❶.
Example C-181. Start of the unpacking stub
00411001 ❶PUSHAD
00411002 CALL Lab18-04.0041100A
00411007 JMP 459E14F7
We’re going to use the same technique that we used in the previous lab. Once we step over the pushad instruction, our window looks like Figure C-68.
Figure C-68. Setting a ...
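The pushad/popad pairing the technique relies on can also be checked statically before touching the debugger. The following Python is an added example and is not code from the book: it scans a stub that begins with pushad for every popad and the first control transfer within a short window after it (jmp rel32, jmp dword ptr [disp32], or push imm32 followed by ret), and resolves the destination as a candidate OEP. The stub bytes are constructed for the example and are not the real ASPack 2.12 stub; the names find_tail_jumps and TailJump are the example's own. A lone 0x60 or 0x61 byte can also sit inside an immediate or displacement of another instruction, which is exactly why the book's dynamic breakpoint-on-the-stack approach is the reliable one and this scan only produces candidates to confirm in OllyDbg.

```python
# Added example, not from Practical Malware Analysis: static pushad/popad scan
# of a packer stub to list candidate tail jumps (and therefore candidate OEPs).
from dataclasses import dataclass
from typing import List, Optional

PUSHAD = 0x60
POPAD = 0x61


@dataclass
class TailJump:
    popad_off: int         # offset of the popad that restores the saved registers
    jump_off: int          # offset of the control transfer that follows it
    kind: str              # "jmp rel32", "jmp [mem]" or "push-ret"
    target: Optional[int]  # resolved destination (candidate OEP), if computable


def _decode_transfer(code: bytes, popad_off: int, j: int, base: int) -> Optional[TailJump]:
    """Recognise one of three common tail-jump shapes at offset j, else None.

    base is the virtual address at which code[0] is loaded; it is needed to
    turn a relative jmp into an absolute destination.
    """
    op = code[j]
    if op == 0xE9 and j + 5 <= len(code):                            # jmp rel32
        rel = int.from_bytes(code[j + 1:j + 5], "little", signed=True)
        return TailJump(popad_off, j, "jmp rel32", base + j + 5 + rel)
    if op == 0xFF and j + 6 <= len(code) and code[j + 1] == 0x25:   # jmp dword ptr [disp32]
        disp = int.from_bytes(code[j + 2:j + 6], "little")
        # disp is the address of the pointer slot, not the OEP itself; the
        # slot must be read in the debugger once the stub has filled it in.
        return TailJump(popad_off, j, "jmp [mem]", disp)
    if op == 0x68 and j + 6 <= len(code) and code[j + 5] == 0xC3:   # push imm32 ; ret
        imm = int.from_bytes(code[j + 1:j + 5], "little")
        return TailJump(popad_off, j, "push-ret", imm)
    return None


def find_tail_jumps(code: bytes, base: int = 0, window: int = 64) -> List[TailJump]:
    """Return a candidate tail jump for each popad in a stub that starts with pushad.

    For every 0x61 byte, the first recognised transfer within `window` bytes
    after it is reported. False positives are possible because 0x60/0x61 can
    occur inside other instructions; treat results as leads, not answers.
    """
    if not code or code[0] != PUSHAD:
        return []  # not the pushad-first stub shape this heuristic targets
    found: List[TailJump] = []
    for i, b in enumerate(code):
        if b != POPAD:
            continue
        for j in range(i + 1, min(i + 1 + window, len(code))):
            hit = _decode_transfer(code, i, j, base)
            if hit is not None:
                found.append(hit)
                break
    return found


# Constructed sample stubs (hand-assembled for this example, not real packer bytes).
# Shape 1: pushad, filler, popad, jnz, mov eax,1, ret 0Ch, push OEP, ret
STUB_PUSH_RET = (
    bytes([PUSHAD])
    + b"\x90" * 10                               # stands in for the decompression loop
    + bytes([POPAD])                             # offset 11
    + b"\x75\x08"                                # jnz +8
    + b"\xB8\x01\x00\x00\x00"                    # mov eax, 1
    + b"\xC2\x0C\x00"                            # ret 0Ch
    + b"\x68" + (0x401000).to_bytes(4, "little") # push 0x401000   (offset 22)
    + b"\xC3"                                    # ret
)
# Shape 2: pushad, filler, popad, jmp rel32 (+0x100)
STUB_JMP_REL = (
    bytes([PUSHAD]) + b"\x90" * 4 + bytes([POPAD])   # popad at offset 5
    + b"\xE9" + (0x100).to_bytes(4, "little")        # jmp +0x100 at offset 6
)

if __name__ == "__main__":
    for stub, base in ((STUB_PUSH_RET, 0x411001), (STUB_JMP_REL, 0x411000)):
        for hit in find_tail_jumps(stub, base=base):
            print(f"popad @ {base + hit.popad_off:#x}: {hit.kind} @ "
                  f"{base + hit.jump_off:#x} -> candidate OEP {hit.target:#x}")
```

In practice you would feed the bytes of the .text section (or of the entry-point section) read from the packed file, with base set to its virtual address, then verify each candidate the way the chapter does: step over pushad, break on the stack, and confirm that execution reaches the reported transfer.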