mirror of
https://github.com/aljazceru/securedorg.github.io.git
synced 2026-01-29 02:54:30 +01:00
updating image paths
This commit is contained in:
Amanda Rousseau
@@ -7,7 +7,7 @@ title: Static Analysis
|
||||
|
||||
# Section 5: Static Analysis #
|
||||
|
||||
|
||||
|
||||
|
||||
Static analysis is like reading a map for directions on where to go. As you follow through this map you capture notes on what things might look interesting when you actually begin your journey.
|
||||
|
||||
@@ -20,17 +20,17 @@ This section will teach you how to jump into code in static disassembly then ren
|
||||
### Possible Packer?
|
||||
Notice in CFF explorer that there is UPX in the header.
|
||||
|
||||
|
||||
|
||||
|
||||
When you open the executable in IDA, you will notice large section of non-disassembled code.
|
||||
|
||||
*Click Image to Enlarge*
|
||||
[](https://securedorg.github.io/images/triage4.png)
|
||||
[](https://securedorg.github.io/RE101/images/triage4.png)
|
||||
|
||||
Because UPX is a common packer, there are many tools that offer unpacking for UPX. Open the executable in PE Explorer which will unpack the binary automatically. Save the file with a name to identify it as unpacked.
|
||||
|
||||
*Click Image to Enlarge*
|
||||
[](https://securedorg.github.io/images/triage5.png)
|
||||
[](https://securedorg.github.io/RE101/images/triage5.png)
|
||||
|
||||
---
|
||||
|
||||
@@ -52,14 +52,14 @@ Navigate to the **Strings** window.
|
||||
|
||||
Here is an interesting string that we should start with:
|
||||
|
||||
|
||||
|
||||
|
||||
This string is a typical registry key path to allow programs to autorun/startup on reboot. This is considered a [persistence](https://securedorg.github.io/RE101/section2.1/#persistence) mechanism. Double Click the string.
|
||||
|
||||
Using the **X** key we can jump to the reference of that string in the assembly code.
|
||||
|
||||
*Click Image to Enlarge*
|
||||
[](https://securedorg.github.io/images/static2.gif)
|
||||
[](https://securedorg.github.io/RE101/images/static2.gif)
|
||||
|
||||
This function is offset **00401340**. Notice in that function is setting a registry key using Window API [RegOpenKeyEx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724897%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396).
|
||||
|
||||
@@ -103,24 +103,24 @@ Right before the first **push 0** there is a **mov esi,eax** which means esi = e
|
||||
When a function returns, the return value is stored in **eax**. So let's look into the function that is being called. It takes a string as the first argument (that is a wicked string), while the second argument might be the string length. Press Enter to jump to the function.
|
||||
|
||||
*Click Image to Enlarge*
|
||||
[](https://securedorg.github.io/images/static3.png)
|
||||
[](https://securedorg.github.io/RE101/images/static3.png)
|
||||
|
||||
Scroll down until you find **xor al, 5Ah**. Eventually you will be able to recognize when a string loop is being processed in assembly. In this case, it is **xor** a byte with **5Ah** which is **Z** in [ascii](http://www.asciitable.com/).
|
||||
|
||||
*Click Image to Enlarge*
|
||||
[](https://securedorg.github.io/images/static4.png)
|
||||
[](https://securedorg.github.io/RE101/images/static4.png)
|
||||
|
||||
We can assume that this function is doing some kind of Xor encoding. So let's rename this function as XorDecode. We will need this information later when we debug in Section 6.
|
||||
|
||||
*Click Image to Enlarge*
|
||||
[](https://securedorg.github.io/images/static5.png)
|
||||
[](https://securedorg.github.io/RE101/images/static5.png)
|
||||
|
||||
Let's use the tool **XORSearch** to see if we can find some interesting xor decoded strings. Open the terminal **cmd.exe** from the start bar, and navigate to the XORSearch.exe
|
||||
|
||||
```XORSearch.exe <Path to UnknownUnpacked.exe> "A string to test"```
|
||||
|
||||
*Click Image to Enlarge*
|
||||
[](https://securedorg.github.io/images/static6.png)
|
||||
[](https://securedorg.github.io/RE101/images/static6.png)
|
||||
|
||||
**"Yo this is dope!"** How weird.
|
||||
|
||||
@@ -131,14 +131,14 @@ Let's use the tool **XORSearch** to see if we can find some interesting xor deco
|
||||
Let's navigate to the start of the program using the **X** key. Use the spacebar to toggle between graph view and text view.
|
||||
|
||||
*Click Image to Enlarge*
|
||||
[](https://securedorg.github.io/images/static7.gif)
|
||||
[](https://securedorg.github.io/RE101/images/static7.gif)
|
||||
|
||||
It's easy to trace back through the program disassembly, but let's look at some control flow assembly instructions. Remember **jmp, jne, jnz, jnb** are control flow functions.
|
||||
|
||||
**Jump Examples**
|
||||
|
||||
*Click Image to Enlarge*
|
||||
[](https://securedorg.github.io/images/static9.gif)
|
||||
[](https://securedorg.github.io/RE101/images/static9.gif)
|
||||
|
||||
```assembly
|
||||
jz loc_401962 ; jump to offset loc_401962 if the previous condition is zero
|
||||
@@ -151,7 +151,7 @@ jle short loc_401634 ; jump to relative offset 401634 if the previous condition
|
||||
Next scroll down through and find the order of API function calls in the program. You should make note of all the function offsets.
|
||||
|
||||
*Click Image to Enlarge*
|
||||
[](https://securedorg.github.io/images/static8.gif)
|
||||
[](https://securedorg.github.io/RE101/images/static8.gif)
|
||||
|
||||
Some of the more interesting API Calls from the image above. Look up what each function does, many are self explanatory.
|
||||
|
||||
@@ -171,6 +171,6 @@ Some of the more interesting API Calls from the image above. Look up what each f
|
||||
|
||||
Now you know how to navigate the disassembly forward and backwards to get to interesting routines. The next step is making a rough path to follow for deeper analysis in Section 6.
|
||||
|
||||
|
||||
|
||||
|
||||
[Section 4 <- Back](https://securedorg.github.io/RE101/section4) | [Next -> Section 6](https://securedorg.github.io/RE101/section6)
|
||||
|
||||
Reference in New Issue
Block a user