From 13c0c915f35d98c29b1bc3a5391b1e1e8d69c46d Mon Sep 17 00:00:00 2001 From: "SECURED.ORG" Date: Thu, 10 Aug 2017 22:56:23 -0700 Subject: [PATCH] Update re102_section5.md --- RE102/re102_section5.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/RE102/re102_section5.md b/RE102/re102_section5.md index bf64ca9..28db654 100644 --- a/RE102/re102_section5.md +++ b/RE102/re102_section5.md @@ -25,7 +25,7 @@ There are no strings for us to investigate and there are no functions parsed by ## String Obfuscation ## -The first function call sub_404C1E doesn’t look like something interesting, so move on to the next function call to `sub_402B1C`. This function is a jump-wrapper for the function `sub_4059A3`. +The first function call `sub_404C1E` doesn’t look like something interesting, so move on to the next function call to `sub_402B1C`. This function is a jump-wrapper for the function `sub_4059A3`. Notice anything strange about the immediate values being placed onto the stack? These are actually strings. Breaking up strings and pushing them onto the stack is a common of hiding strings from malware analysts. Go ahead right-click these numbers and convert it to a string (R). @@ -99,4 +99,4 @@ After `jz loc_405272` there is a call to [esp+1Ch] this is actually calling a Wi The next page will go over debugging the decrypted_shellcode.exe with x32dbg. -[Section 4.3 <- Back](https://securedorg.github.io/RE102/section4.3) | [Next -> Section 5.1](https://securedorg.github.io/RE102/section5.1) \ No newline at end of file +[Section 4.3 <- Back](https://securedorg.github.io/RE102/section4.3) | [Next -> Section 5.1](https://securedorg.github.io/RE102/section5.1)
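Review bot: In the first hunk (String Obfuscation), the unchanged paragraph just below the edited line still reads "a common of hiding strings", which is missing a noun such as "way", and "Go ahead right-click these numbers and convert it to a string" switches from plural to singular. This commit is already a formatting pass over that paragraph, so suggest fixing both in the same change. The backticks added around `sub_404C1E` match how `sub_402B1C` and `sub_4059A3` are written on the same line.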
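Review bot: In the second hunk, the context line "The next page will go over debugging the decrypted_shellcode.exe with x32dbg." leaves the file name as plain text, and the hunk header shows [esp+1Ch] without backticks right after a backticked `jz loc_405272`. If the goal is consistent code formatting for identifiers, both should be wrapped the same way as `sub_404C1E` in the first hunk. The only real change here is adding the missing newline at end of file, which the subject "Update re102_section5.md" does not mention; a subject naming the backtick fix and the trailing newline would make the history easier to read.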