Reference no: EM132598331, Length: 4 pages
Part 1 -Another Bomb
The binary bomber is back again. This bomb, bomb7.exe, has been equipped with anti-disassembly tactics to thwart recovery of the key. Reverse engineer the bomb in IDA to defuse it. It requires a single key, supplied as a command-line argument, to defuse.
This bomb is very similar to Lab 15-1 from our textbook, except that it has a different key. You may wish to attempt Lab 15-1 and read its solution on page 645 to help you defuse this bomb.
1) Explain the anti-disassembly technique used and how it can be defeated in IDA.
2) What is the key to defuse the bomb? Provide a screenshot of your defused bomb.
Part 2 - Anti-Debugging
1) Suppose you observe the following code in your disassembly. Explain this code's purpose. Indicate how the location of the PEB is being referenced. What is the PEB?
2) Suppose you observe the following code. Explain this code's purpose and how it achieves its goal.
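The code these two questions refer to is not reproduced on this page. As an added illustration of the technique question 1 asks about (this is example code, not the assignment's disassembly), the following Python models the two PEB fields that anti-debugging code most commonly reads, BeingDebugged and NtGlobalFlag, at their 32-bit and 64-bit offsets. The PEB images are constructed so the checks run on any platform; only read_live_peb() touches a real PEB, and it is Windows-only and not exercised here. The FS:[30h] / GS:[60h] reference and the asm listing in the comments are the standard way native code locates the PEB; Python cannot express that read, so the live path uses NtQueryInformationProcess with the ProcessBasicInformation class instead.

```python
"""PEB-based anti-debugging checks modelled on constructed PEB images.

Added example, not code from the assignment. Only read_live_peb() touches a
real PEB, and it is Windows-only; everything else runs on constructed bytes.
"""
import struct
import sys

# How the PEB is located: the TEB sits at FS:[0] on x86 (GS:[0] on x64) and
# holds a pointer to the PEB at FS:[30h] (GS:[60h]). A typical inline check:
#     mov   eax, fs:[30h]            ; eax = PEB
#     movzx eax, byte ptr [eax+2]    ; PEB->BeingDebugged
#     test  eax, eax
#     jnz   debugger_detected
PEB_LAYOUT = {
    "x86": {"BeingDebugged": 0x02, "NtGlobalFlag": 0x68, "size": 0x70},
    "x64": {"BeingDebugged": 0x02, "NtGlobalFlag": 0xBC, "size": 0xC0},
}

# Heap flags ntdll turns on in NtGlobalFlag when the process starts under a
# debugger; checking them catches debuggers that only clear BeingDebugged.
FLG_HEAP_ENABLE_TAIL_CHECK = 0x10
FLG_HEAP_ENABLE_FREE_CHECK = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
DEBUG_HEAP_FLAGS = (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK
                    | FLG_HEAP_VALIDATE_PARAMETERS)


def being_debugged(peb: bytes, arch: str = "x86") -> bool:
    """What IsDebuggerPresent() does: return PEB->BeingDebugged != 0."""
    return peb[PEB_LAYOUT[arch]["BeingDebugged"]] != 0


def nt_global_flag_debug(peb: bytes, arch: str = "x86") -> bool:
    """Return True if the three debug heap flags are set in PEB->NtGlobalFlag."""
    (flags,) = struct.unpack_from("<I", peb, PEB_LAYOUT[arch]["NtGlobalFlag"])
    return (flags & DEBUG_HEAP_FLAGS) == DEBUG_HEAP_FLAGS


def make_fake_peb(arch: str, debugged: bool) -> bytes:
    """Constructed PEB image: zero except the fields the checks read."""
    layout = PEB_LAYOUT[arch]
    buf = bytearray(layout["size"])
    if debugged:
        buf[layout["BeingDebugged"]] = 1
        struct.pack_into("<I", buf, layout["NtGlobalFlag"], DEBUG_HEAP_FLAGS)
    return bytes(buf)


def defeat_in_memory(peb: bytes, arch: str = "x86") -> bytes:
    """The bypass a debugger plugin applies: zero both fields in the live PEB."""
    layout = PEB_LAYOUT[arch]
    buf = bytearray(peb)
    buf[layout["BeingDebugged"]] = 0
    struct.pack_into("<I", buf, layout["NtGlobalFlag"], 0)
    return bytes(buf)


def read_live_peb() -> tuple:
    """Windows only: find this process's PEB and copy it. Returns (arch, bytes).

    Uses NtQueryInformationProcess(ProcessBasicInformation) instead of the
    FS:[30h] read, which Python cannot express without native code.
    """
    if sys.platform != "win32":
        raise OSError("read_live_peb() needs a Windows process")
    import ctypes

    class PROCESS_BASIC_INFORMATION(ctypes.Structure):
        _fields_ = [("ExitStatus", ctypes.c_long),
                    ("PebBaseAddress", ctypes.c_void_p),
                    ("AffinityMask", ctypes.c_size_t),
                    ("BasePriority", ctypes.c_long),
                    ("UniqueProcessId", ctypes.c_size_t),
                    ("InheritedFromUniqueProcessId", ctypes.c_size_t)]

    arch = "x64" if ctypes.sizeof(ctypes.c_void_p) == 8 else "x86"
    pbi = PROCESS_BASIC_INFORMATION()
    retlen = ctypes.c_ulong(0)
    status = ctypes.windll.ntdll.NtQueryInformationProcess(
        ctypes.windll.kernel32.GetCurrentProcess(), 0,   # 0 = ProcessBasicInformation
        ctypes.byref(pbi), ctypes.sizeof(pbi), ctypes.byref(retlen))
    if status != 0:
        raise OSError(f"NtQueryInformationProcess failed: {status:#x}")
    return arch, ctypes.string_at(pbi.PebBaseAddress, PEB_LAYOUT[arch]["size"])


if __name__ == "__main__":
    for arch in ("x86", "x64"):
        peb = make_fake_peb(arch, debugged=True)
        print(arch, "BeingDebugged:", being_debugged(peb, arch),
              "NtGlobalFlag:", nt_global_flag_debug(peb, arch))
    if sys.platform == "win32":
        arch, live = read_live_peb()
        print("live", arch, being_debugged(live, arch), nt_global_flag_debug(live, arch))
```

The BeingDebugged read is exactly what IsDebuggerPresent() does, which is why malware often inlines it rather than importing the API. The NtGlobalFlag check is the usual follow-up because many debugger hide plugins clear only BeingDebugged; defeat_in_memory() shows that a complete bypass has to zero both fields in the live process.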
Part 3 - Packers
1) Lab7-3.exe is a simple program that only produces a pop-up message. Briefly look at the program's section headers and observe that the virtual size and the raw size of the .text and .data sections are roughly the same. Record the file's MD5. Pack the program using CFF Explorer's built-in UPX utility. Observe the section headers of the packed version. What do you observe about the section headers of the packed version of this program? Why are there drastic differences between the virtual size and the raw size of each section? What is the MD5 of the packed program? Execute the packed program. Does it appear to operate normally? Finally, load the packed Lab7-1.exe into IDA to see what a packed disassembly looks like. You do not need to analyze the packed code; simply observe how the disassembly of a packed program looks in IDA.
2) Explain, in general, how packers work. Include the role of the unpacking stub. Indicate where the entry point is for a normal unpacked executable and a packed executable. Why do packed executables execute normally as intended if the code section is compressed on disk?
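The section-header comparison, MD5 recording and entry-point question in the two items above can be carried out programmatically. The following Python is an added example, not the lab's own tooling: it builds two constructed PE32 images in memory (headers plus zero-filled section data, with sizes typical of a small program before and after UPX; they are not runnable executables), parses the section table and AddressOfEntryPoint, hashes each image, and reports the section-table signs of packing. The section names, sizes and entry RVAs are assumptions chosen to mirror a UPX layout, not values taken from Lab7-3.exe.

```python
"""Inspect PE section headers and the entry point the way Part 3 asks.

Added example, not the lab's own tooling. Both PE images are constructed in
memory (headers plus zero-filled section data) with sizes typical of a small
program before and after UPX; they are not runnable executables.
"""
import hashlib
import struct

DOS_MAGIC = 0x5A4D             # 'MZ'
NT_SIGNATURE = 0x4550          # 'PE\0\0'
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def build_pe(sections, entry_rva, file_align=0x200):
    """Build a minimal PE32 file. sections: (name, VirtualSize, VirtualAddress, SizeOfRawData)."""
    opt_size = 0xE0
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, DOS_MAGIC)
    struct.pack_into("<I", dos, 0x3C, len(dos))              # e_lfanew
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)     # SectionAlignment, FileAlignment
    hdr_len = len(dos) + 4 + len(coff) + opt_size + 40 * len(sections)
    raw_ptr = -(-hdr_len // file_align) * file_align         # round up to FileAlignment
    pad = b"\0" * (raw_ptr - hdr_len)
    hdrs, body = b"", b""
    for name, vsize, vaddr, rsize in sections:
        hdrs += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), vsize, vaddr,
                            rsize, raw_ptr if rsize else 0, 0, 0, 0, 0, 0x60000020)
        body += b"\0" * rsize
        raw_ptr += rsize
    return bytes(dos) + struct.pack("<I", NT_SIGNATURE) + coff + bytes(opt) + hdrs + pad + body


def parse_pe(data):
    """Walk MZ -> e_lfanew -> PE -> COFF -> optional header -> section table."""
    if struct.unpack_from("<H", data, 0)[0] != DOS_MAGIC:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if struct.unpack_from("<I", data, e_lfanew)[0] != NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff_off)
    opt_off = coff_off + 20
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from(
            SECTION_HDR, data, opt_off + opt_size + 40 * i)[:5]
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "vaddr": vaddr, "rsize": rsize, "rptr": rptr})
    return entry_rva, sections


def section_containing(rva, sections):
    """Name of the section whose in-memory range covers rva, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            return s["name"]
    return None


def packing_indicators(sections, ratio=4.0):
    """Section-table signs of a packer: large VirtualSize with little or no raw data."""
    findings = []
    for s in sections:
        if s["rsize"] == 0 and s["vsize"]:
            findings.append(f"{s['name']}: no raw data but {s['vsize']:#x} bytes reserved in memory")
        elif s["rsize"] and s["vsize"] / s["rsize"] > ratio:
            findings.append(f"{s['name']}: VirtualSize {s['vsize']:#x} vs raw {s['rsize']:#x}")
    return findings


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


# Constructed images: a normal build, and the same program after UPX, where
# UPX0 is an empty placeholder for the decompressed code and UPX1 holds the
# compressed data plus the unpacking stub, with the entry point inside UPX1.
UNPACKED = build_pe([(".text", 0x17A4, 0x1000, 0x1800), (".rdata", 0x5E0, 0x3000, 0x600),
                     (".data", 0x3E4, 0x4000, 0x400)], entry_rva=0x1100)
PACKED = build_pe([("UPX0", 0x6000, 0x1000, 0), ("UPX1", 0x2000, 0x7000, 0x1A00),
                   (".rsrc", 0x1000, 0x9000, 0x400)], entry_rva=0x8E80)


if __name__ == "__main__":
    for label, image in (("unpacked", UNPACKED), ("packed", PACKED)):
        entry, secs = parse_pe(image)
        print(f"{label}: md5={md5_hex(image)} entry={entry:#x} in {section_containing(entry, secs)}")
        for s in secs:
            print(f"  {s['name']:<8} VirtualSize={s['vsize']:#7x} SizeOfRawData={s['rsize']:#7x}")
        for f in packing_indicators(secs):
            print("  !", f)
```

Run against a real file, parse_pe(open(path, "rb").read()) gives the same view CFF Explorer shows. In the unpacked image the entry point falls in .text; in the packed one it falls in UPX1, the section holding the unpacking stub. UPX0 has SizeOfRawData 0 but a large VirtualSize: the loader still reserves that range when it maps the image, the stub decompresses the original code and data into it at run time and then jumps to the original entry point, which is why a program whose code is compressed on disk runs normally.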
Part 4 - Anti-Reversing Lab
Your goal for this lab is to get Lab7-4.exe to execute until completion. The software implements several anti-reversing techniques to thwart analysis. You must patch the binary, in memory (dynamically) and/or on disk (statically), to get the software to run to completion. You know you are successful when the program produces a pop-up message indicating success. Explain the anti-reversing techniques observed and how you bypassed them. Include screenshots as necessary. If you get the software to produce the success message, provide a screenshot. It is possible to force the message to appear without manually defeating each anti-analysis technique, but your goal is to discover and report all of the anti-reversing techniques present.
Attachment: Lab - Anti-Debugging.rar