From 53bba96f506e16cc0be8317790729993f907c77d Mon Sep 17 00:00:00 2001 From: "SECURED.ORG" Date: Fri, 11 Aug 2017 12:12:16 -0700 Subject: [PATCH] Update re102_section3.1.md --- RE102/re102_section3.1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RE102/re102_section3.1.md b/RE102/re102_section3.1.md index 184e325..d0bf723 100644 --- a/RE102/re102_section3.1.md +++ b/RE102/re102_section3.1.md @@ -20,7 +20,7 @@ The previous page talked about the delphi structure. Note: IDAPro provides bette ## Junk Data ## -In the information gathering stage, the strings revealed that there was some junk data being referenced. Let’s actually look how those strings are being referenced in the disassembler. Scroll down until you see some junk strings in the DATA section in the IDA Strings panel. Each Portable Executable (PE) section has its own purpose. The DATA (.data) section is typically used for hardcoded global and static variables that were initialized at compile time [1]. This section is more commonly used for storing string references. To see a string referenced in the data section that looks like junk data might be an indicator of foul play. +In the information gathering stage, the strings revealed that there was some junk data being referenced. Let’s actually look how those strings are being referenced in the disassembler. Scroll down until you see some junk strings in the DATA section in the IDA Strings panel. Each Portable Executable (PE) section has its own purpose. The DATA (.data) section is typically used for hardcoded global and static variables that were initialized at compile time [[1]](https://msdn.microsoft.com/en-us/library/ms809762.aspx?f=255&MSPPError=-2147217396). This section is more commonly used for storing string references. To see a string referenced in the data section that looks like junk data might be an indicator of foul play. ![alt text](https://securedorg.github.io/RE102/images/Section3.1_PEstructure.png "Section3.1_PEstructure")[1](https://msdn.microsoft.com/en-us/library/ms809762.aspx?f=255&MSPPError=-2147217396)