From 0b6e2a8eb882eaab58c2c1994ee1f1f6c1fb7a01 Mon Sep 17 00:00:00 2001 From: "SECURED.ORG" Date: Thu, 10 Aug 2017 16:16:31 -0700 Subject: [PATCH] Update re102_section3.1.md --- RE102/re102_section3.1.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/RE102/re102_section3.1.md b/RE102/re102_section3.1.md index 84ba125..184e325 100644 --- a/RE102/re102_section3.1.md +++ b/RE102/re102_section3.1.md @@ -13,7 +13,8 @@ Go ahead and open IDAfree and load the malware. Give IDA some time to parse all The previous page talked about the delphi structure. Note: IDAPro provides better delphi library support and will automatically name library references for you. You should be able to identify the InitExe and the array of classes at offset [dword](https://msdn.microsoft.com/en-us/library/cc230318.aspx?f=255&MSPPError=-2147217396) at `0045BB5C`. Double-click on offset `dword_45BB5C`. Notice that this looks like the array discussed on the previous page. -![alt text](https://securedorg.github.io/RE102/images/Section3.1_delphi2.gif "Section3.1_delphi2") +*Click to Englarge* +[![alt text](https://securedorg.github.io/RE102/images/Section3.1_delphi2.gif "Section3.1_delphi2")](https://securedorg.github.io/RE102/images/Section3.1_delphi2.gif) --- 
@@ -27,7 +28,8 @@ In the information gathering stage, the strings revealed that there was some jun Double-Click the first instance of the junk data. At this point is should show you the location in the IDA View. Scroll up until you see a `unk` reference to the start of this data. It should say `unk_45CCD4`. You want to follow this reference in the code by selecting and then press ‘x’ to open the xrefs menu. This menu shows all the functions and locations that reference the object. Select the only function present and press `ok`. -![alt text](https://securedorg.github.io/RE102/images/Section3.1_junkstrings.gif "Section3.1_junkstrings") +*Click to Englarge* +[![alt text](https://securedorg.github.io/RE102/images/Section3.1_junkstrings.gif "Section3.1_junkstrings")](https://securedorg.github.io/RE102/images/Section3.1_junkstrings.gif) IDA should have landed you in the function that is using this data. Notice anything fishy about this function? @@ -67,4 +69,4 @@ As you are building your route, any API call or string is helpful in identifying Take this time to make some nice travel directions. The next page will have what your directions should look like. -[Section 3 <- Back](https://securedorg.github.io/RE102/section3) | [Next -> Section 3.2](https://securedorg.github.io/RE102/section3.2) \ No newline at end of file +[Section 3 <- Back](https://securedorg.github.io/RE102/section3) | [Next -> Section 3.2](https://securedorg.github.io/RE102/section3.2)
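Review bot: typo in the caption added by the first hunk (`@@ -13,7 +13,8 @@`): `*Click to Englarge*` should read `*Click to Enlarge*`. While this line is being touched, the wrapped image still carries the placeholder alt text `alt text`; a descriptive alt (for example `[![Delphi class array at dword_45BB5C in IDA](https://securedorg.github.io/RE102/images/Section3.1_delphi2.gif "Section3.1_delphi2")](https://securedorg.github.io/RE102/images/Section3.1_delphi2.gif)`) would make the page usable when the GIF does not load and is what a screen reader announces.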
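Review bot: the same `Englarge` typo is repeated in the caption added by the second hunk (`@@ -27,7 +28,8 @@`); change it to `*Click to Enlarge*` and consider giving the wrapped GIF a descriptive alt such as `Xrefs to unk_45CCD4 in IDA` instead of `alt text`. The unchanged context line in this hunk also reads `At this point is should show you`; since the line is not part of this change it can stay, but a follow-up commit should make it `At this point it should show you`.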