aljaz/securedorg.github.io
1
0
Fork 0
mirror of https://github.com/aljazceru/securedorg.github.io.git synced 2025-12-20 07:24:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

sentence fix

Browse Source
This commit is contained in:
Amanda Rousseau
2017-03-27 16:26:25 -07:00
parent 902c8d282b
commit b7ad00f083
1 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
static.md
View File

@@ -24,11 +24,12 @@ Notice in CFF explorer that there is UPX in the header.
When you open the executable in IDA, you will notice large section of non-disassembled code. When you open the executable in IDA, you will notice large section of non-disassembled code.
![alt text](https://securedorg.github.io/images/triage4.png "IDA UPX") [![alt text](https://securedorg.github.io/images/triage4.png "IDA UPX")](https://securedorg.github.io/images/triage4.png)
Because UPX is a common packer, there are many tools that offer unpacking for UPX. Open the executable in PE Explorer which will unpack the binary automatically. Save the file with a name to identify it as unpacked. Because UPX is a common packer, there are many tools that offer unpacking for UPX. Open the executable in PE Explorer which will unpack the binary automatically. Save the file with a name to identify it as unpacked.
![alt text](https://securedorg.github.io/images/triage5.png "Unpacking UPX") *Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/triage5.png "Unpacking UPX")](https://securedorg.github.io/images/triage5.png)
--- ---
@@ -56,7 +57,8 @@ This string is a typical registry key path to allow programs to autorun/startup
Using the **X** key we can jump to the reference of that string in the assembly code. Using the **X** key we can jump to the reference of that string in the assembly code.
![alt text](https://securedorg.github.io/images/static2.gif "Strings window") *Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/static2.gif "Strings window")](https://securedorg.github.io/images/static2.gif)
This function is offset **00401340**. Notice in that function is setting a registry key using Window API [RegOpenKeyEx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724897%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396). This function is offset **00401340**. Notice in that function is setting a registry key using Window API [RegOpenKeyEx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724897%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396).