Reverse engineering is an important skill to develop, and it requires practice. The course textbook provides a plethora of exercises that use a number of tools which, while old, are representative of the techniques one would use in modern reverse engineering.
For each lab, a walkthrough in the textbook's appendix describes the process for completing it. For your lab notebook, however, we require that you
cs492. Note that if your browser blocks this download, you can perform the download using wget or curl.
Lab01-01.dll. From these calls, what might this DLL be doing?
PEview, examine the .data section to find where the malware is attempting to create its malicious file.
Wininet.dll. What might this executable be doing?
strings within cygwin to reconstruct the URL being requested
strings) to find the cmd.exe command used
Process Monitor (procmon) to monitor events from this binary to generate Figure 3-11L
memcmp() is used to compare command strings received over the network
robotwork is invoked
DLLMain and sub_10004E79
netcat with Apate DNS redirecting DNS queries to point locally (e.g. 127.0.0.1), execute the malware to generate Listing 6-3L. Note that for the netcat version on cygwin, the -p flag is not required (e.g. nc -l 80 brings up a listener on port 80).
main. What does each one do?
WinINet calls are used and explain what each one does.
cmp does.
strings in cygwin, identify the network resource being used by the malware (Note that the resource is encoded in Unicode and you will need to pass -e l to the strings command to dump Unicode strings instead of ASCII)
rclsid and riid in memory.
1qaz2wsx and ocl.exe
Wireshark, show the connection and its result. Note that the site is now a redirect to the book's page on NoStarch.
TGAD section)
Resource Hacker extracting TGAD
jmp is used
call is used
msutil32.sys
ProcessExplorer to show injection for Figure 12-1L
fn" is
Wireshark (turn off promiscuous mode)
xor, then bring up Figure 13-1L, rename xorEncode
xrefs to xorEncode to get to Listing 13-2L
WinHex (winhex.com), open binary, and perform Figure 13-2L
PEiD (softpedia.com) with caution (should be a Zip file), open binary, click on options, enable plug-ins, then restart tool. Run KANAL at bottom right arrow to obtain Listing 13-3L
xref to top-level function, bring up and rename base64index function
xref to base64index, bring up Listing 13-4L
%s-%s sprintf)
0x0040115A. Using the "Edit=>Patch program=>Change Byte" menu, patch it.
0x004011D0. Patch it.
0x00401215. Patch it.
0x00401269. Patch it.
0x004012E6. Which two methods does it combine? Patch it to reveal Listing 15-7L.
sub_40130F and sub_401386 do?
jz checks are doing
sub_401000 and Listing 16-1L. What does this code do?
OllyDbg. Set a breakpoint at 0x00403554. What is the value of eax? Step over several instructions. What happens?
Phant0m plug-in) to reset the flag
OllyDbg step. What happens?
0x00403573 and how to bypass it
0x00403594 and how to bypass it
OllyDbg to set the argument to "-in" and single-step to reach 0x004035D5
NOP or skip the check and run again.
0x004012CB and stepping into sub_401100. Does this check succeed? If so, NOP or skip the check and run again.
0x004012DF and generate Listing 17-5L
PEiD on binary and find section UPX2. Perform a "deep scan". What does PEiD return?
OllyDbg, locate the jump to the unpacking stub by finding the register save instruction
OllyDump to dump the program into a new executable and load the new executable in IDA Pro
F8) and see the program execute the code above.
shellcode_launcher.exe into IDA Pro or Olly, set arguments to match the command line shown below Listing 19-12L. Find where the shellcode has been loaded and will be launched
0x0401019 do?
0x040101C do?
0x0401055 do?