2.6 KiB
layout, permalink, title
| layout | permalink | title |
|---|---|---|
| default | /RE101/section6/ | Dynamic Analysis |
Go Back to Reverse Engineering Malware 101
Section 6: Dynamic Analysis
LAB 3
Dynamic analysis is a deeper analysis of the program to understand hidden functionality not understood statically. The static analysis will serve as a guide for stepping through the program in a debugger.
Open the unpacked malware into the x64dbg debugger and IDAfree.
Rebasing the disassembler
Typically programs start at 004010000 but your debugger might start the program at a different address. You will need to rebase the program's address in the disassembler. In x64dbg, scroll up to find the very first address, this is the address that you will need to rebase.
Edit->Segements->Rebase Program.
Finding the starting point
You will need to sync the debugger and disassembler addresses so you can follow along in both. Let's start with the function offset xxxx1530.
- In IDA, open the functions tab and look for function xxxx1530. Where xxxx should match your rebase address ( If rebase is 01901000, then 01901530 ).
- In x64dbg, CTRL+G to jump to a specific address xxxx1530.
XOR Decode Function
Remember use the F2, F7, F8, F9 keys to navigate through the debugger.
In IDA, get the offset of the XorDecode function you saved prior.
In x64bdg find that same offset and add a comment that it is the Xor Decode function. Set a breakpoint using F2 on that function. Then run the program until the breakpoin using F9. Step into that function using F7.
Navigate down to the loop that does the Xor Encoding. Place a breakpoint on the same instructions shown below. Right click on the EBX register and select Follow in Dump. This location is where the decoded string will be stored. After you set your break points, press F9 to get to the start of the loop, then step through the loops until you see the decoded string.
