Reference no: EM132732295
Lab: Breaking Protections
In this lab, you will break protections using the patching approach. You will mimic the activity described in the text (Reversing by Eilam) on pages 358-364; however, you will use IDA Pro instead of OllyDbg, which is used in the text. Each question in this assignment is worth 20 points.
Execute/Run Key4.exe from the class site; you'll need this program later in the exercise.
Run the program key4.exe. Enter any data into the two boxes and select OK.
Note 1: If you download the book's code from the Wiley website, download the entire code set for the text but only extract key4.exe. Because the code set contains a malware sample from another chapter, you may have to disable AV to get the zip file to download successfully. Once you've extracted key4.exe, you can delete the downloaded zip file (or a subsequent AV scan may take care of that for you).
Q1: What do the items in this list represent?
Double-left-click on each of these four items in turn. It is recommended that you switch IDA View-A to text view (it defaults to graph view); text view is easier to match against the notes in the text. While you can go back to Imports and repeat the steps above to get to your list, it is simpler to right-click on MessageBoxA in the disassembly and select "Jump to xref to operand" from the pop-up menu; it's the same list.
Q2: What are the offsets (the value after .text: on the left of your screen) for the four Call MessageBoxA instructions?
Find the section of code referenced in the text (page 362). We're going to patch the instruction at location 00401341 with NOPs just as in the book; however, the steps are different in IDA Pro.
Left-click anywhere in the line numbered 00401341, then from the main menu select Edit: Patch Program: Assemble. In the pop-up that appears, enter NOP then OK (see below).
Q3: What was this value, now showing db 15h, before we edited the JNZ instruction at location 00401341?
In the dialog box that opens for location 00401342, also enter NOP, then OK.
Recall the previous message box about inconsistency between the disassembly and the debugger? IDA Pro was telling us that the debugger is not running our changed version of the disassembly, but is still running the original program. To apply our change, we're going to generate a file of changes using IDA Pro and then apply the changes to the original executable using a separate program. Use Ctrl-F2 to kill the debugger process if you haven't already (but don't quit IDA Pro or close our session; we need to save those changes).
From the IDA Pro main menu, select File: Produce File: Create DIF File. Use the default location (which will be where the key4.exe file is), and name the file key4 (IDA Pro will add the .dif extension).
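The lab leaves the "separate program" that applies the DIF file unnamed. The following is an added example, not part of the lab or of Eilam's book, of what such a program needs to do: parse IDA's one-byte-per-line DIF format ("offset: old new", with a header and the target file name on the lines before it), check that every "old" byte really is what is on disk before touching it, and write the result to a copy rather than over the original. The sample bytes, the DIF text and the file name sample.exe below are constructed for the demonstration and do not correspond to key4.exe; the check against the "old" byte is what catches a DIF generated from a different build of the file.

```python
"""Apply an IDA Pro .dif file to a copy of a binary, verifying each byte first.

Added example (not from the lab or the book). Offsets in a real DIF are file
offsets as written by IDA; the sample data here is constructed.
"""
import re
import sys

# IDA writes one "offset: old new" line per patched byte, e.g. "00000741: 75 90".
DIF_LINE = re.compile(r"^([0-9A-Fa-f]{1,16}):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")


def parse_dif(text):
    """Return a list of (offset, old_byte, new_byte) from DIF text.

    The header line and the target file-name line do not match DIF_LINE and
    are skipped, so the whole file can be passed in unchanged.
    """
    patches = []
    for line in text.splitlines():
        m = DIF_LINE.match(line.strip())
        if m:
            patches.append((int(m.group(1), 16), int(m.group(2), 16), int(m.group(3), 16)))
    return patches


def apply_dif(data, patches):
    """Return a patched copy of `data`.

    Raise ValueError if an offset is past the end of the file or if the byte
    on disk differs from the DIF's 'old' value; either means the DIF was not
    generated against this exact file and must not be applied.
    """
    buf = bytearray(data)
    for off, old, new in patches:
        if off >= len(buf):
            raise ValueError(f"offset {off:08X} is beyond the end of the file")
        if buf[off] != old:
            raise ValueError(f"offset {off:08X}: DIF expects {old:02X}, file has {buf[off]:02X}")
        buf[off] = new
    return bytes(buf)


def diff_bytes(original, patched):
    """List (offset, old, new) for every byte that differs between two images.

    Useful after the fact to confirm exactly which bytes a patch changed, or to
    compare a suspect binary against a known-good copy.
    """
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, patched)) if a != b]


# Constructed sample image: a two-byte short conditional jump (75 15) at
# offset 4, surrounded by filler bytes. Not taken from key4.exe.
SAMPLE_BINARY = bytes([0x4D, 0x5A, 0x90, 0x00, 0x75, 0x15, 0x33, 0xC0, 0xC3])

# Constructed DIF text in IDA's layout: header, blank line, file name, patches.
# Replacing both bytes of the jump with 90 (NOP) mirrors the lab's patch.
SAMPLE_DIF = """This difference file has been created by IDA Pro

sample.exe
00000004: 75 90
00000005: 15 90
"""


def patch_sample():
    """Apply SAMPLE_DIF to SAMPLE_BINARY and return (patched, changed_bytes)."""
    patched = apply_dif(SAMPLE_BINARY, parse_dif(SAMPLE_DIF))
    return patched, diff_bytes(SAMPLE_BINARY, patched)


if __name__ == "__main__":
    # Usage: python apply_dif.py <binary> <file.dif>; writes <binary>.patched
    if len(sys.argv) != 3:
        patched, changed = patch_sample()
        print(f"sample: {len(changed)} byte(s) changed -> {patched.hex()}")
    else:
        with open(sys.argv[1], "rb") as f:
            original = f.read()
        with open(sys.argv[2], "r", encoding="utf-8", errors="replace") as f:
            patches = parse_dif(f.read())
        with open(sys.argv[1] + ".patched", "wb") as f:
            f.write(apply_dif(original, patches))
        print(f"applied {len(patches)} byte patch(es) to {sys.argv[1]}.patched")
```

The original file is never modified in place; keeping it lets you run diff_bytes between the two copies and confirm that only the bytes listed in the DIF changed.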
Q5: Paste the dialog box that appears after entering data into the key4.exe input boxes and selecting OK.
Reference
Eilam, E. (2005). Reversing: Secrets of reverse engineering. Indianapolis, IN: Wiley Publishing, Inc.
Attachment: Hands.rar