adding more static analysis

Amanda Rousseau
2017-03-24 18:39:14 -07:00
parent c9b764d7b7
commit 075f0af3e2
2 changed files with 10 additions and 5 deletions


@@ -11,7 +11,6 @@ Static analysis is like reading a map for directions on where to go. As you foll
This section will teach you how to jump into code in static disassembly then rename and comment on interesting assembly routines that we will debug in **Section 6**.
Most windows functions start at address **004010000**.
## LAB 2
@@ -36,16 +35,20 @@ So far we can assume:
* This exe is using a string encryption function
* This exe might be spawning a shell
Most windows programs start at address **004010000**.
---
### Jumping in!
Navigate to the **String** window.
Navigate to the **Strings** window.
Here is an interesting string that we should start with:
![alt text](https://securedorg.github.io/images/static1.png "Strings window")
This string is a typical registry key path to allow programs to autorun/startup on reboot. This is considered a [persistence](https://securedorg.github.io/RE101/section2.1/#persistence) mechanism. Double Click the string.
Using the **X** key we can jump to the reference of that string in the assembly code.
![alt text](https://securedorg.github.io/images/static2.gif "Strings window")
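Review bot: the address in the re-added line "Most windows programs start at address **004010000**." has nine hex digits, which cannot be a 32-bit address; a typical 32-bit PE maps at image base 0x00400000 and its first (code) section begins at offset 0x1000, so the value meant is almost certainly 00401000. Suggest "Most 32-bit Windows programs have their code section begin at address **00401000**", which also fixes the capitalisation of "Windows" and avoids implying that execution starts exactly there (the entry point is usually somewhere inside that section, not at its first byte). Minor: the paragraph ending "Double Click the string." reads better as "Double-click the string."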
@@ -89,11 +92,11 @@ call ds: InternetOpenA
Right before the first **push 0** there is a **mov esi,eax** which means esi = eax.
When a function returns, the return value is stored in **eax**. So let's look into the function that is being called. It takes a string as the first argument (that is a wicked string), while the second argument might be the string length.
When a function returns, the return value is stored in **eax**. So let's look into the function that is being called. It takes a string as the first argument (that is a wicked string), while the second argument might be the string length. Press Enter to jump to the function.
![alt text](https://securedorg.github.io/images/static3.png "Unknown Function")
![alt text](https://securedorg.github.io/images/static3.png "Unknown Function")
Scroll down until you find **xor al, 5Ah**. Eventually you will be able to recognize when a string loop is being processed in assembly. In this case, it is **xor** a byte with **5Ah** which is **Z** in [ascii](http://www.asciitable.com/).
Scroll down until you find **xor al, 5Ah**. Eventually you will be able to recognize when a string loop is being processed in assembly. In this case, it is **xor** a byte with **5Ah** which is **Z** in [ascii](http://www.asciitable.com/).
![alt text](https://securedorg.github.io/images/static4.png "Xor routine")
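Review bot: the two `![alt text](https://securedorg.github.io/images/static3.png "Unknown Function")` lines and the two "Scroll down until you find **xor al, 5Ah**" lines are textually identical on the removed and added sides of this hunk, so the only difference can be trailing whitespace or line endings; that is worth checking before merging, since it inflates the diff and hides the one real change here (the added "Press Enter to jump to the function."). In the xor paragraph, consider writing the key as the byte value 0x5A next to its ASCII form, so the reader sees that it is a single-byte XOR key being applied to each character of the string.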
@@ -153,4 +156,6 @@ Some of the more interesting API Calls from the image above. Look up what each f
Now you know how to navigate the disassembly forward and backwards to get to interesting routines. The next step is making a rough path to follow for deeper analysis in Section 6.
![alt text](https://securedorg.github.io/images/mapping.jpg "handwritten")
[Section 4 <- Back](https://securedorg.github.io/RE101/section4) | [Next -> Section 6](https://securedorg.github.io/RE101/section6)
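Review bot: in the added closing sentence, "navigate the disassembly forward and backwards" should be "forwards and backwards" (or "forward and backward"); and since the footer line already links Section 6, the phrase "deeper analysis in Section 6" could use the same link (https://securedorg.github.io/RE101/section6) instead of plain text. The context line "Some of the more interesting API Calls from the image above." is a fragment without a verb; "Here are some of the more interesting API calls from the image above." would fix it, though that line is outside this change.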