Reverse Engineering re_lotsastuff.exe
1. Initial File Analysis:
File Type Identification:
Used Detect It Easy to determine the file type.
re_lotsastuff.exe is a PE32 (32-bit) executable; Detect It Easy's compiler signature identifies it as built with a C++ compiler.
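The PE32 determination above comes from the file's own headers: the Machine field of the file header and the Magic of the optional header say whether an image is 32- or 64-bit, and the optional header also carries the image base and entry point. The following parser is an added example (not code from the original write-up, and not how Detect It Easy is implemented); it builds a synthetic PE32 header in memory, labelled as constructed, so it runs offline, and the linker version it reports is a header field, not the compiler identification DIE does with signatures.

```python
import struct

# Constants from the PE file format (winnt.h)
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+
IMAGE_FILE_DLL = 0x2000

MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "i386", IMAGE_FILE_MACHINE_AMD64: "x86-64"}


def pe_summary(data: bytes) -> dict:
    """Parse the DOS, NT, file, optional and section headers of a PE image."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # file offset of "PE\0\0"
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                         # IMAGE_OPTIONAL_HEADER
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        bits, image_base = 32, struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        bits, image_base = 64, struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # Section table: one 40-byte IMAGE_SECTION_HEADER per section, right after the optional header
    sections, entry_section = [], None
    for i in range(nsections):
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append(name)
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_section = name
    return {
        "bits": bits,
        "machine": MACHINE_NAMES.get(machine, f"0x{machine:04x}"),
        "linker": f"{linker_major}.{linker_minor}",
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,                     # what the debugger shows as EntryPoint
        "entry_section": entry_section,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": sections,
    }


def build_sample_pe32() -> bytes:
    """Constructed minimal PE32 header for testing (headers only, not a runnable executable)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                             # sizeof(IMAGE_OPTIONAL_HEADER32)
    # Machine=i386, 2 sections, Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 2, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<HBB", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC, 14, 29)  # magic, linker 14.29 (made up)
    struct.pack_into("<I", opt, 16, 0x1D10)                     # AddressOfEntryPoint (RVA, made up)
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase: the PE32 default
    sects = b"".join(
        struct.pack("<8sIIIIIIHHI", name, size, va, size, raw, 0, 0, 0, 0, flags)
        for name, va, size, raw, flags in (
            (b".text", 0x1000, 0x3000, 0x400, 0x60000020),      # code: execute + read
            (b".rdata", 0x4000, 0x1000, 0x3400, 0x40000040),    # initialized data: read-only
        )
    )
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt) + sects


if __name__ == "__main__":
    for key, value in pe_summary(build_sample_pe32()).items():
        print(f"{key:14} {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:14} {value}")
```

Run it against a real sample by replacing the constructed bytes with open(path, "rb").read(); the entry_va it reports is the address x32dbg stops at when its entry-point breakpoint fires, and image_base is the value to expect in a PUSH that passes the module base.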
2. Disassembly with IDA Pro:
Tool Used: IDA Pro (free version recommended for beginners; latest version recommended for professional reverse engineers).
Disassembly Process:
Opened the file in IDA Pro, which by default shows the disassembled code in graph view (a flowchart of basic blocks joined by jump edges).
Understanding X86 Assembly Language:
Registers: Small storage locations inside the CPU (EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP on 32-bit x86); in disassembled code they play the role that variables play in source code.
Basic Instructions:
MOV: Copies data into a register (e.g., MOV eax, 3 sets EAX to 3).
ADD: Adds values (e.g., ADD eax, 4).
XOR: Performs a bitwise exclusive OR (e.g., XOR eax, 8; XOR eax, eax is the common idiom for zeroing a register).
SUB: Subtracts values (e.g., SUB eax, ecx).
Function Calls in Assembly:
Typically, arguments are pushed onto the stack with PUSH instructions, right to left in the cdecl and stdcall conventions used by 32-bit Windows code, followed by a CALL to the function.
Main Function: In this sample, identified by four PUSH instructions followed by a CALL. Because arguments are pushed right to left, the last PUSH is the first argument; it often holds the module's base address (0x400000 is the default image base for a PE32).
3. Debugging with x32dbg:
Tool Used: x32dbg (part of the x64dbg family, used for debugging 32-bit Windows executables).
Setting Up the Debugger:
Opened the sample in x32dbg. The debugger pauses first at the system breakpoint inside ntdll.dll, not in the sample's own code.
To reach the program’s entry point:
Press F9 (Run) to continue until the debugger breaks at the sample's entry point (x32dbg sets that breakpoint by default).
Locating the Main Function:
Address Identification: Located the main function's address (0x401480) in IDA Pro (press the space bar to switch from graph view to text view, which shows the virtual address of each instruction).
Setting a Breakpoint:
Used Ctrl+G to navigate to the address.
Set a breakpoint with F2 or by right-clicking and selecting “Breakpoint”.
Pressed F9 to run the sample until it reached the main function.
4. Analyzing the Main Function:
Step-by-Step Debugging:
Used F7 (step into) or F8 (step over) to execute one instruction at a time; F8 runs a CALL to completion, F7 descends into the called function.
MessageBox API: First encountered API, displaying the message "for educational purposes only".
ShellExecute Function:
Inspected the arguments on the stack at the call (x32dbg's stack pane shows them starting at ESP).
The ShellExecute call attempted to open a suspicious website (attacker.website.net). Because FakeNet was running and intercepting the sample's network traffic, the request was answered with a dummy page instead of reaching the real site.
Windows API Behavior:
Goal: Identify the sequence of Windows API calls.
Importance: Inspect each call's parameters and interpret them against the API's documented prototype on MSDN / Microsoft Learn; the raw stack words only mean something once they are mapped to parameter names and types.
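Reading the stack at a CALL, as done for ShellExecute above and as section 4 recommends for every API, is mechanical once the prototype is known: on a 32-bit stdcall API each parameter is one 4-byte slot, and with the debugger paused on the CALL instruction the first parameter is at [ESP], the second at [ESP+4], and so on. The script below is an added example, not code from the write-up; it decodes a constructed memory snapshot (made-up stack and string addresses, with the URL taken from the write-up) the way one would read x32dbg's stack pane, resolving LPSTR slots to the strings they point at.

```python
import struct

# Prototypes from the Microsoft documentation; every parameter is a 32-bit stack slot on PE32.
SHELLEXECUTEA_PARAMS = [
    ("hwnd", "handle"), ("lpOperation", "lpstr"), ("lpFile", "lpstr"),
    ("lpParameters", "lpstr"), ("lpDirectory", "lpstr"), ("nShowCmd", "int"),
]
MESSAGEBOXA_PARAMS = [
    ("hWnd", "handle"), ("lpText", "lpstr"), ("lpCaption", "lpstr"), ("uType", "uint"),
]


class Memory:
    """Sparse little-endian view of a 32-bit process, built from (address, bytes) chunks."""

    def __init__(self, chunks):
        self.chunks = dict(chunks)

    def read(self, addr, n):
        for base, blob in self.chunks.items():
            if base <= addr and addr + n <= base + len(blob):
                return blob[addr - base:addr - base + n]
        raise ValueError(f"unmapped read at 0x{addr:08x}")

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def read_cstr(self, addr, limit=256):
        """Follow a char* and read up to the NUL terminator (bounded, like a careful analyst would)."""
        out = bytearray()
        while len(out) < limit:
            b = self.read(addr + len(out), 1)
            if b == b"\0":
                return out.decode("latin-1")
            out += b
        raise ValueError(f"unterminated string at 0x{addr:08x}")


def decode_stdcall_args(mem, esp, params):
    """Paused on the CALL: [ESP] is the first (last-pushed) parameter, [ESP+4] the second, ..."""
    result = {}
    for i, (name, kind) in enumerate(params):
        raw = mem.read_u32(esp + 4 * i)
        if kind == "lpstr":
            result[name] = None if raw == 0 else mem.read_cstr(raw)   # NULL pointer stays None
        elif kind == "int":
            result[name] = struct.unpack("<i", struct.pack("<I", raw))[0]
        else:
            result[name] = raw
    return result


def target_is_url(args):
    """True when ShellExecute's lpFile is a web URL, i.e. the call launches the default browser."""
    target = (args.get("lpFile") or "").lower()
    return target.startswith(("http://", "https://"))


def build_snapshot():
    """Constructed snapshot (not a dump from the sample) the instant before CALL ShellExecuteA."""
    rdata = b"open\0\0\0\0" + b"http://attacker.website.net\0"   # strings at 0x403000 / 0x403008
    esp = 0x0019FF20
    # hwnd=NULL, lpOperation="open", lpFile=URL, lpParameters=NULL, lpDirectory=NULL, nShowCmd=SW_SHOWNORMAL
    stack = struct.pack("<6I", 0, 0x403000, 0x403008, 0, 0, 1)
    return Memory({0x403000: rdata, esp: stack}), esp


if __name__ == "__main__":
    mem, esp = build_snapshot()
    args = decode_stdcall_args(mem, esp, SHELLEXECUTEA_PARAMS)
    for name, value in args.items():
        print(f"{name:13} = {value!r}")
    print("launches browser:", target_is_url(args))
```

If you step into the callee with F7 before reading the stack, the return address is pushed on top, so every slot shifts by 4: pass esp + 4 to decode_stdcall_args in that case. The same decoder applied with MESSAGEBOXA_PARAMS recovers the "for educational purposes only" text and caption from the earlier MessageBox call.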
5. Key Takeaways:
X86 Assembly Language: Fundamental understanding of assembly language and instructions is crucial for analyzing disassembled code.
Debugging Skills: Proficiency in using tools like x32dbg and setting breakpoints is essential for thorough analysis.
API Analysis: Inspecting and understanding Windows API calls helps in identifying the behavior of the executable.
Documentation: Always document the sequence of API calls and any suspicious behaviors for further analysis.