Update re102_section3.1.md

This commit is contained in:
SECURED.ORG
2017-08-10 16:16:31 -07:00
committed by GitHub
parent e5580b93fa
commit 0b6e2a8eb8


@@ -13,7 +13,8 @@ Go ahead and open IDAfree and load the malware. Give IDA some time to parse all
The previous page talked about the delphi structure. Note: IDAPro provides better delphi library support and will automatically name library references for you. You should be able to identify the InitExe and the array of classes at offset [dword](https://msdn.microsoft.com/en-us/library/cc230318.aspx?f=255&MSPPError=-2147217396) at `0045BB5C`. Double-click on offset `dword_45BB5C`. Notice that this looks like the array discussed on the previous page.
![alt text](https://securedorg.github.io/RE102/images/Section3.1_delphi2.gif "Section3.1_delphi2")
*Click to Englarge*
[![alt text](https://securedorg.github.io/RE102/images/Section3.1_delphi2.gif "Section3.1_delphi2")](https://securedorg.github.io/RE102/images/Section3.1_delphi2.gif)
---
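Review bot: the new caption line `*Click to Englarge*` misspells "Enlarge"; since this hunk exists to add the click-to-enlarge link, the caption should read `*Click to Enlarge*`. The wrapped image also keeps the placeholder alt text `alt text`; reusing the title string (`Section3.1_delphi2`) or a short description of the IDA view would be more useful for readers relying on alt text.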
@@ -27,7 +28,8 @@ In the information gathering stage, the strings revealed that there was some jun
Double-Click the first instance of the junk data. At this point is should show you the location in the IDA View. Scroll up until you see a `unk` reference to the start of this data. It should say `unk_45CCD4`. You want to follow this reference in the code by selecting and then press x to open the xrefs menu. This menu shows all the functions and locations that reference the object. Select the only function present and press `ok`.
![alt text](https://securedorg.github.io/RE102/images/Section3.1_junkstrings.gif "Section3.1_junkstrings")
*Click to Englarge*
[![alt text](https://securedorg.github.io/RE102/images/Section3.1_junkstrings.gif "Section3.1_junkstrings")](https://securedorg.github.io/RE102/images/Section3.1_junkstrings.gif)
IDA should have landed you in the function that is using this data. Notice anything fishy about this function?
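Review bot: the same misspelling appears in this hunk's added caption, `*Click to Englarge*` should be `*Click to Enlarge*`; a single find-and-replace over the file would fix both captions. Not part of this change, but visible in the context line above: "At this point is should show you the location" should read "it should".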
@@ -67,4 +69,4 @@ As you are building your route, any API call or string is helpful in identifying
Take this time to make some nice travel directions. The next page will have what your directions should look like.
[Section 3 <- Back](https://securedorg.github.io/RE102/section3) | [Next -> Section 3.2](https://securedorg.github.io/RE102/section3.2)
[Section 3 <- Back](https://securedorg.github.io/RE102/section3) | [Next -> Section 3.2](https://securedorg.github.io/RE102/section3.2)
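Review bot: the removed and added navigation lines are character-for-character identical in this view, so the edit is presumably whitespace or line-ending only (trailing newline, CRLF); stating that in the commit message instead of the generic "Update re102_section3.1.md" would save the next reviewer from diffing the two lines by eye.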