# Reverse Engineering Simple Windows Executable Files

**1. Overview of the Session:**

* **Objective:** Demonstrate how to reverse engineer simple Windows executable files.
* **Files to Analyze:**
  * **C-Sharp Compiled Program:** `re_test_Desktopapp1.exe`
  * **Native Executable File:** `re_lotsastuff.exe`
* **Tools and Setup:**
  * Windows VM restored to a clean snapshot before the session.
  * FakeNet running so the sample's outbound network traffic is intercepted and answered locally instead of reaching the internet.
  * Course files copied into the VM.

**2. Analysis of C-Sharp Compiled Program:**

* **File Identification:**
  * Used **Detect It Easy** to identify the file type.
  * `re_test_Desktopapp1.exe` identified as a PE32 file built from .NET source, i.e. a managed assembly rather than native code.
* **Decompilation with dnSpy:**
  * **dnSpy:** A .NET decompiler and debugger that shows the equivalent C# source for a managed assembly.
  * **Process:**
    1. Drag and drop the sample into the dnSpy assembly explorer to load and decompile it.
    2. Navigate to the method dnSpy marks as the entry point and read from there.
* **Code Analysis:**
  * The code performs the following:
    1. Displays a message box with the text "for educational purposes only".
    2. Attempts to fetch a web page from `phishing.website.com`.
    3. Starts `cmd.exe`, which opens a command prompt.
* **Using MSDN References:** The MSDN documentation (now Microsoft Learn) for the .NET classes and methods the sample calls is the quickest way to confirm what each call does.
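The two static triage steps above (confirming the file is a .NET assembly, and spotting the message text and URL) can be reproduced without a GUI tool. The following is an added example, not the course's tooling or output from Detect It Easy or dnSpy: it reads the PE headers to check whether the CLR (COM descriptor) data directory is populated, which is the marker a .NET assembly carries, and it extracts UTF-16LE string runs, which is how .NET stores string literals and which an ASCII-only `strings` pass misses. The PE bytes it inspects are a constructed header-only image built in `build_sample_pe`, not `re_test_Desktopapp1.exe`; the RVA and size values placed in the CLR directory are arbitrary.

```python
"""Static triage helpers for a Windows PE: detect a .NET assembly by its CLR
header and pull UTF-16LE string literals. Added example with a constructed
sample image; not the course's tooling and not the real sample file."""
import re
import struct
from typing import List

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data-directory slot for the CLR runtime header
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_kind(data: bytes) -> str:
    """Return 'PE32', 'PE32+' or 'not-PE' after validating the MZ and PE signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-PE"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-PE"
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)  # optional header Magic
    return {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic, "not-PE")


def is_dotnet_pe(data: bytes) -> bool:
    """True when the CLR data directory has a non-zero RVA and size, the same
    signal file-identification tools use to report a .NET binary."""
    kind = pe_kind(data)
    if kind == "not-PE":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte file header
    # PE32 keeps NumberOfRvaAndSizes at +92 with directories at +96; PE32+ at +108 / +112
    count_off, dirs_off = (92, 96) if kind == "PE32" else (108, 112)
    if opt + count_off + 4 > len(data):
        return False
    (num_dirs,) = struct.unpack_from("<I", data, opt + count_off)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return False
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if entry + 8 > len(data):
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def utf16_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs encoded as UTF-16LE, the encoding of .NET string literals."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def build_sample_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed minimal header-only image for offline testing (not a real sample)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    num_dirs = 16
    count_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    opt_size = dirs_off + 8 * num_dirs
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, count_off, num_dirs)
    if dotnet:
        # Arbitrary CLR header RVA/size; any non-zero pair marks the image as managed.
        struct.pack_into("<II", opt,
                         dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    # Constructed literal data mimicking the strings the sample uses; "cmd" is
    # shorter than min_len and deliberately falls below the extraction threshold.
    body = b"\0" * 16 + "for educational purposes only".encode("utf-16-le") + b"\0\0"
    body += "phishing.website.com/dotnet".encode("utf-16-le") + b"\0\0"
    body += "cmd".encode("utf-16-le")
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + body


if __name__ == "__main__":
    image = build_sample_pe(dotnet=True)
    print(pe_kind(image), "managed:", is_dotnet_pe(image))
    print(utf16_strings(image))
```

Run against a real file by replacing `build_sample_pe(...)` with `open(path, "rb").read()`. The CLR-directory check is the only structural test here; a packer or a native stub that loads the CLR later would not be caught by it, which is why a header-based verdict is a starting point rather than a conclusion.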

**3. Debugging the Program:**

* **Setting Breakpoints:**
  * Set a breakpoint on the first line of the entry method, where the message text ("for educational purposes only") is assigned.
  * Use **F9** to toggle the breakpoint on the selected line.
* **Starting Debugging:**
  * Press **F5** to start debugging.
  * Use **F10** to step over or **F11** to step into the code.
* **Observations During Debugging:**
  * The program displays the message box as expected.
  * Encountered an issue in the `OpenRead` call (by the name, likely `WebClient.OpenRead`) that attempts to read the contents of `phishing.website.com/dotnet`.
  * The call fails. This may be a coding issue in the sample, but the lab setup is another candidate: FakeNet answers the request instead of the real host, so a failure here may say more about the environment than about the code. Note the behavior and revisit it later with more information.
  * The final observed behavior is the execution of `cmd.exe`.

**4. Key Takeaways:**

* **C-Sharp Language Knowledge:** Reading C# comfortably makes the decompiled output of a .NET program much easier to follow, which is most of the work when analyzing .NET malware.
* **Breakpoint Usage:** Setting breakpoints at crucial points (e.g., the entry point and each suspicious call) lets you observe the program's behavior step by step instead of guessing from static code.
* **Documentation Practice:** Record every observed behavior and every unexplained failure during analysis so that open questions can be followed up rather than lost.

**5. Transition to Native Executable Analysis:**

* After analyzing the C-Sharp compiled program, the next step is to move on to analyzing the native executable file `re_lotsastuff.exe`.
