Reference no: EM132557782 , Length: 9 pages

Section 1 - Computer Architecture Review Questions

Question 1. Briefly describe the process of compilation. In your discussion, include the role of the high-level languages, low-level languages, machine code, opcodes, and binary form.

Question 2. If you reverse engineer a sample of malware that was compiled using an interpreted language, explain why the disassembly will not produce processor specific assembly (such as x86).

Question 3. List and explain the three hardware components of the Von Neumann architecture. Further define the main components of the CPU.

Question 4. A program is a dormant piece of software stored on disk. A compiled Windows program contains the sections discussed in week 1 (.code/.text, .data, etc). Once a program begins execution, the operating system loads it into memory. A program in execution (i.e. loaded into memory) is called a process. List and briefly define the four major sections of main memory (RAM) for a process.

Question 5. Endianness is something to be aware of when looking at data in memory. Suppose you observe the following value at a specific memory location on an x86 architecture: 0x0100ABC0. You suspect this represents an IPv4 address. What is the IP address?

Question 6. Which x86 register is used to store the address of the next instruction to execute?

Question 7. Suppose the EAX register contains the value 0xA7025F31. What are the values of AX, AH, and AL?

Section 2 - Disassembly Exercise

Load lab2-1.exe into IDA to observe the disassembly. This program does not do anything interesting. We are studying it to practice our assembly skills. Make sure the entire binary is analyzed by IDA before you begin navigating. You will know when IDA is done with analysis when you see the following "finished" message:

Click on Options -> General then place a check mark next to Line Prefixes. This option shows the relative memory addresses in IDA-View. We also want to see the opcodes, so enter 6 into the Number of opcode bytes entry.

Navigate to the Functions Window and go to functionsub_401020.

Question 1) The first two instruction in this function are establishing the stack frame. It is normal to always see this code upon function entry. How many bytes of object code (opcodes) is requires to establish the stack frame?

Question 2) What are the values in the eax and edx registers after the instruction at 0x00401025 has executed?

Question 3) What are the value in the eax and edx registers after the instruction at 0x0040102A has executed?

Question 4) What are the value in the eax and edx registers after the instruction at 0x0040102C has executed?

Question 5) What is the opcode for push eax?

Question 6) How many parameters does function sub_401000 have?

Question 7) In this case, what are the values of the parameters passed to sub_401000?

Question 8) Double click on sub_401000 to analyze the function. How many local variables are there?

Question 9) What are the values of [ebp+arg_0] and [ebp+arg_4]?

Question 10) In which register do value returning functions normally store their return value?

Question 11) What value does function sub_401000 return?

Question 12) Click the back arrow on the upper left of your IDA display to return to the calling function. Explain the code at 0x0040103E. What will be the values of the ZF and CF bits in the flags register?

Section 3 - Reverse Engineering Exercise

Load lab2-2.exe into IDA to observe the disassembly. Make sure the entire binary is analyzed before you begin navigating. You will know when IDA is done with analysis when you see the following "finished" message:

Click on Options -> General then place a check mark next to Line Prefixes. This option shows the relative memory addresses in IDA-View.

Navigate to the Functions Window and go to function sub_401030.

Question 1) How many parameters are in sub_401030? How many local variables?

So sub_401030 is actually our int main(int argc, char* argv[]) function. Unfortunately, IDA does not recognize it as the entry point. You can rename the function by right-clicking on sub_401030 and giving a new name that is more intuitive. Let's call it MAIN.

Since we know the function prototype is the main function defined above, we can rename the arguments to enhance our readability of the program. Since arguments are pushed onto the stack in right to left order, the first argument is always the one closest to EBP. Therefore, arg_0 is int argc. Right-click on arg_0 and rename as argc. This is our argument counter, which holds an integer value that indicates the number of command-line arguments passed to the program when it is executed. Rename arg_4 to argv. argv is a character array that contains the command line arguments.

Question 2) Show a screenshot like the one below with the function and the arguments renamed.

Question 3) At 0x00401036, what value is being compared to argc?

Question 4) What is the address of the next instruction executed if the values from problem three are not equivalent?

The at address 0x0040103C through 0x00401047 is grabbing the first element of the argv array, or argv[0], and storing it into the eax register. At 0x00401050 and at 0x00401089, we see the same function, sub_4010B1, being called. This function is the standard C printf function. Rename sub_4010B1 to printf. You may wish to quickly research the C printf function if you are not familiar.

Question 5) What are the arguments being passed to the printf function when it is called at 0x00401050?

Question 6)  Explain the purpose of the three instructions at 0x00401055,0x00401058, and 0x0040105A.

Question 7)  What is the purpose of the code block at loc_401098?

Question 8)  Now we need to analyze the code block at loc_40105C. Under what conditions does this code get executed? Remember, it has to do with the instruction at 0x00401036.

Instructions 0x0040105C through 0x00401067 are grabbing the second value in argv, or argv[1], and storing it into eax. This value is then passed as an argument to sub_401160. This function is the C standard atoi function. Rename sub_401160 to atoi. The atoi function (ASCII to Integer) takes an ASCII character as a parameter and returns a decimal value. For example:

As you can see, the atoi function takes an ASCII character, in this case ‘7', and returns the actual decimal value of 7. If a use enters ‘7' in a keyboard, the value 0x37 (or 55 in decimal) is what gets recorded, not the decimal value 7. The atoi function is commonly used to resolve human integer input into its logical meaning.

The value returned from atoi gets stored into var_4. It is then passed to sub_401000 as an argument. We don't know what that function does yet, we will have to reverse engineer it. For now, skip over it and let's finish analyzing the rest of this code. We will go back to that function later.

Question 9)  What gets stored in var_8?

Question 10) What gets printed at the call to printf at 0x0040108E?

Question 11) Double-click on aD:

This brings you to the location in the binary where this string is stored. At which address and section (text, data, rsrc, etc) is this string stored?

Question 12) Now go back and double-click on sub_401000 to analyze its code. Try to reverse engineer this function. It is a tricky one, since it involves recursion. Explain your conclusion.

Question 13) Summarize the overall functionality of the program. Execute the program to validate your analysis.

Extra Challenge.

Write a C program (or pseudo-code) equivalent of the lab2-2.exe.

Attachment:- Malware Forensics.rar