Reverse Engineering re_lotsastuff.exe

1. Initial File Analysis:

  • File Type Identification:

    • Used Detect It Easy to determine the file type.

    • re_lotsastuff.exe is a PE32 (32-bit) file, compiled with C++.

2. Disassembly with IDA Pro:

  • Tool Used: IDA Pro (free version recommended for beginners; latest version recommended for professional reverse engineers).

  • Disassembly Process:

    • Opened the file in IDA Pro, which shows the disassembled code in graph view (a flowchart of basic blocks).

    • Understanding X86 Assembly Language:

      • Registers: Act as variables in low-level code.

      • Basic Instructions:

        • MOV: Moves data to a register (e.g., MOV eax, 3).

        • ADD: Adds values (e.g., ADD eax, 4).

        • XOR: Performs a bitwise XOR (e.g., XOR eax, 8).

        • SUB: Subtracts values (e.g., SUB eax, ecx).

      • Function Calls in Assembly:

        • Typically involves PUSH instructions to pass arguments, followed by a CALL instruction.

        • Main Function: Identified by four PUSH instructions followed by a CALL; the last PUSH often points to the base memory address (the image base).
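As an added illustration (not part of the original notes and not code from the sample), a small Python model of the behaviour described above: registers as variables, the MOV/ADD/XOR/SUB arithmetic, PUSH/CALL argument passing, and the "four PUSHes then a CALL" heuristic for spotting the main-function call. The listing it runs over is constructed, and the 400000h image base and the helper names are assumptions; only the mnemonics, the register names and the 401480 address come from the notes.

```python
"""Tiny model of the x86 instructions and calling pattern described in the notes."""

REG_NAMES = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")
MASK32 = 0xFFFFFFFF

# Constructed listing (not taken from re_lotsastuff.exe): arithmetic on eax, then a
# WinMain-style call with four PUSHes whose last PUSH is the assumed image base 400000h.
SAMPLE_LISTING = """
mov  eax, 3
add  eax, 4          ; eax = 7
xor  eax, 8          ; eax = 15
mov  ecx, 2
sub  eax, ecx        ; eax = 13
push 0Ah             ; nCmdShow (pushed first, ends up deepest)
push 0               ; lpCmdLine
push 0               ; hPrevInstance
push 400000h         ; hInstance = image base, pushed last
call 401480h         ; candidate main function
"""

def parse_operand(text):
    """IDA-style operand: a register name, a trailing-h hex immediate, 0x hex, or decimal."""
    text = text.strip().lower()
    if text in REG_NAMES:
        return ("reg", text)
    if text.endswith("h"):
        return ("imm", int(text[:-1], 16))
    if text.startswith("0x"):
        return ("imm", int(text, 16))
    return ("imm", int(text, 10))

def parse_listing(listing):
    """Return (mnemonic, [operand strings]) per line, dropping ';' comments and blank lines."""
    instrs = []
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip().lower()
        if not line:
            continue
        mnem, _, rest = line.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
        instrs.append((mnem, ops))
    return instrs

class CPU:
    """Registers plus a stack list; stack[0] is the top, as the debugger's stack view shows it."""
    def __init__(self):
        self.regs = {r: 0 for r in REG_NAMES}
        self.stack = []
        self.calls = []  # (target address, stack contents at the CALL)

    def value(self, op):
        kind, v = parse_operand(op)
        return self.regs[v] if kind == "reg" else v

    def step(self, mnem, ops):
        if mnem == "mov":
            self.regs[ops[0]] = self.value(ops[1]) & MASK32
        elif mnem == "add":
            self.regs[ops[0]] = (self.regs[ops[0]] + self.value(ops[1])) & MASK32
        elif mnem == "sub":
            self.regs[ops[0]] = (self.regs[ops[0]] - self.value(ops[1])) & MASK32
        elif mnem == "xor":
            self.regs[ops[0]] ^= self.value(ops[1])
        elif mnem == "push":
            self.stack.insert(0, self.value(ops[0]))
        elif mnem == "call":
            # Arguments were pushed right-to-left, so the stack top is the first argument.
            self.calls.append((self.value(ops[0]), list(self.stack)))
        else:
            raise ValueError(f"unsupported mnemonic: {mnem}")

def run(listing):
    cpu = CPU()
    for mnem, ops in parse_listing(listing):
        cpu.step(mnem, ops)
    return cpu

def find_main_candidates(listing, image_base=0x400000, n_pushes=4):
    """Heuristic from the notes: a CALL preceded by n_pushes PUSHes, the last one being the image base."""
    instrs = parse_listing(listing)
    hits = []
    for i, (mnem, ops) in enumerate(instrs):
        if mnem != "call" or i < n_pushes:
            continue
        window = instrs[i - n_pushes:i]
        if all(m == "push" for m, _ in window):
            last_push = parse_operand(window[-1][1][0])
            if last_push == ("imm", image_base):
                hits.append(parse_operand(ops[0])[1])
    return hits

if __name__ == "__main__":
    cpu = run(SAMPLE_LISTING)
    print("eax =", cpu.regs["eax"], "stack =", [hex(v) for v in cpu.stack])
    print("main candidates:", [hex(a) for a in find_main_candidates(SAMPLE_LISTING)])
```

The model deliberately covers only the instructions the notes mention; anything else raises, which is the right behaviour for a reading aid rather than an emulator.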

3. Debugging with x32dbg:

  • Tool Used: x32dbg (part of the x64dbg family, used for debugging 32-bit Windows executables).

  • Setting Up the Debugger:

    • Opened the sample in x32dbg. The initial disassembly code pointed to the Anti-DLL module.

    • To reach the program’s entry point:

      • Press F9 to continue running until it reaches the entry point.

  • Locating the Main Function:

    • Address Identification: Located the main function’s address (@401480) using IDA Pro (switch to text mode to see memory addresses).

    • Setting a Breakpoint:

      • Used Ctrl+G to navigate to the address.

      • Set a breakpoint with F2 or by right-clicking and selecting “Breakpoint”.

    • Pressed F9 to run the sample until it reached the main function.

4. Analyzing the Main Function:

  • Step-by-Step Debugging:

    • Used F7 (step into) or F8 (step over) to debug each line of assembly code.

    • MessageBox API: First encountered API, displaying the message "for educational purposes only".

    • ShellExecute Function:

      • Inspected the contents of the stack frame.

      • The ShellExecute function attempted to open a suspicious website (attacker.website.net).

      • Due to FakeNet running, it redirected to a dummy page instead.

    • Windows API Behavior:

      • Goal: Identify the sequence of Windows API calls.

      • Importance: Inspect parameters and understand them using MSDN or Microsoft libraries.
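As an added example (not from the original notes), a small Python helper for the documentation step: it parses a hand-kept trace of the API calls observed in the debugger, renders them as a table for the analysis notes, and flags string parameters that carry a URL, which is how the ShellExecute call above stands out. The trace format, the call-site addresses and the "Info" caption are constructed for the example; the two API names and the message text and website come from the notes.

```python
"""Parse a hand-kept API call trace into a documented call sequence and flag URL arguments."""
import re

# Constructed sample trace (not from the page): one line per API call as noted from the
# debugger's stack view, in the form "address  Api(name=value, ...)". Addresses are illustrative.
SAMPLE_TRACE = """\
004014A0  MessageBoxA(hWnd=0, lpText="for educational purposes only", lpCaption="Info", uType=0)
004014D0  ShellExecuteA(hwnd=0, lpOperation="open", lpFile="http://attacker.website.net", lpParameters=NULL, lpDirectory=NULL, nShowCmd=1)
"""

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{6,8})\s+(\w+)\((.*)\)\s*$")
URL_RE = re.compile(r"^(https?|ftp)://", re.I)

def split_args(text):
    """Split 'a=1, b="x, y"' on commas that are outside double quotes."""
    args, cur, in_str = [], [], False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        if ch == "," and not in_str:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        args.append("".join(cur).strip())
    return args

def parse_value(v):
    """Quoted text -> str, NULL -> None, hex/decimal -> int, anything else kept verbatim."""
    if len(v) >= 2 and v.startswith('"') and v.endswith('"'):
        return v[1:-1]
    if v == "NULL":
        return None
    if re.fullmatch(r"0x[0-9A-Fa-f]+", v):
        return int(v, 16)
    if re.fullmatch(r"\d+", v):
        return int(v)
    return v

def parse_trace(text):
    """Return a list of {'addr', 'api', 'params'} dicts, skipping lines that do not match."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, api, argtext = m.groups()
        params = {}
        for item in split_args(argtext):
            name, _, value = item.partition("=")
            params[name.strip()] = parse_value(value.strip())
        calls.append({"addr": int(addr, 16), "api": api, "params": params})
    return calls

def api_sequence(calls):
    """The ordered list of API names, the core of what the notes say to document."""
    return [c["api"] for c in calls]

def find_url_args(calls):
    """Return (api, parameter, value) for string parameters that look like URLs."""
    hits = []
    for c in calls:
        for name, value in c["params"].items():
            if isinstance(value, str) and URL_RE.match(value):
                hits.append((c["api"], name, value))
    return hits

def render_report(calls):
    """Plain-text table for analysis notes: call site, API, and parameters."""
    lines = ["call site  api            parameters"]
    for c in calls:
        params = ", ".join(f"{k}={v!r}" for k, v in c["params"].items())
        lines.append(f"{c['addr']:08X}   {c['api']:<14} {params}")
    return "\n".join(lines)

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    print(render_report(calls))
    for api, name, url in find_url_args(calls):
        print(f"NOTE: {api} receives a URL in {name}: {url}")
```

Parameter names are kept exactly as written in the trace so the report can be checked against the MSDN signature of each API line by line.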

5. Key Takeaways:

  • X86 Assembly Language: Fundamental understanding of assembly language and instructions is crucial for analyzing disassembled code.

  • Debugging Skills: Proficiency in using tools like x32dbg and setting breakpoints is essential for thorough analysis.

  • API Analysis: Inspecting and understanding Windows API calls helps in identifying the behavior of the executable.

  • Documentation: Always document the sequence of API calls and any suspicious behaviors for further analysis.
