From 1341d60beb285144c32b41beef8d0c0b08f58d69 Mon Sep 17 00:00:00 2001 From: "SECURED.ORG" Date: Thu, 10 Aug 2017 16:20:04 -0700 Subject: [PATCH] Update re102_section5.2.md --- RE102/re102_section5.2.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/RE102/re102_section5.2.md b/RE102/re102_section5.2.md index a821c78..921d597 100644 --- a/RE102/re102_section5.2.md +++ b/RE102/re102_section5.2.md @@ -50,7 +50,8 @@ At the very end of the function it jumps to `loc_404777` where it calls `sub_403 If you follow the stack argument DWORD in the dump you can see the full strings. To view this, right click on the stack argument and select **Follow DWORD in dump**. -![alt text](https://securedorg.github.io/RE102/images/Section5.2_hardwarestrings.png "Section5.2_hardwarestrings") +*Click to Enlarge* +[![alt text](https://securedorg.github.io/RE102/images/Section5.2_hardwarestrings.png "Section5.2_hardwarestrings")](https://securedorg.github.io/RE102/images/Section5.2_hardwarestrings.png) Open regedit.exe in Windows and verify that this registry key exists under HKEY_LOCAL_MACHINE. If this key exists RegOpenKeyEx will return 0, if not 2. In the debugger, Step over **F8** this function call. Fortunately this VM was built with an IDE instead of scsi hardware. You can verify this by looking at Virtualbox’s storage settings. @@ -164,4 +165,4 @@ After DeviceIOControl is called do not take the jump after at `00405778` or `loc This jump should land you at `loc_402192` or `00402192`. **Congratulations!** You have made it past several VM evasion techniques. The next section will go over identifying a packer. -[Section 5.1 <- Back](https://securedorg.github.io/RE102/section5.1) | [Next -> Section 6](https://securedorg.github.io/RE102/section6) \ No newline at end of file +[Section 5.1 <- Back](https://securedorg.github.io/RE102/section5.1) | [Next -> Section 6](https://securedorg.github.io/RE102/section6)
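Review bot: In the first hunk (the image block after "Follow DWORD in dump"), the alt text is still the literal placeholder `alt text` on the new line `[![alt text](https://securedorg.github.io/RE102/images/Section5.2_hardwarestrings.png "Section5.2_hardwarestrings")](...)`; since this line is being rewritten anyway, replace it with a descriptive alt such as "Hardware strings shown in the dump window" so the image is meaningful to screen readers and when the image fails to load. The new `*Click to Enlarge*` caption also sits above the image rather than below it; confirm this matches the placement used for other enlargeable screenshots in the RE102 sections so the convention stays consistent.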
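Review bot: The second hunk only adds the missing trailing newline to the "Section 5.1 <- Back | Next -> Section 6" navigation line (removing the `\ No newline at end of file` marker), which is a good fix, but the commit message "Update re102_section5.2.md" does not say what changed. Suggest a message that states both changes, e.g. "Section 5.2: make hardware-strings screenshot click-to-enlarge; add trailing newline", so the history is searchable without opening the diff.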