
COMP4101 LAB EXERCISE #5

Introduction

In this COMP4101 assessed lab exercise, you are going to use IDA (or Ghidra) to disassemble the program contained in the file Lab05.zip (this file is encrypted with the password: infected). This .zip file contains a single, simple program, Lab05-01.exe, which has been written using anti-disassembly techniques. This program is perfectly benign, so it is safe to run it¹.

The aim of this lab exercise is to get you used to analysing programs that have been written using anti-disassembly techniques, and so the questions below are designed to guide your analysis. You will find that the true meaning of the program is obscured in both IDA Pro and Ghidra until you have unpicked the anti-disassembly techniques. You should then be able to see how the program works and answer the questions below.

This lab is part of the continuous assessment for the module, and so you will need to answer the questions below and submit your answers via Moodle when complete. You may well find it helpful to refer to chapters four, six and fifteen of ‘Practical Malware Analysis’ while attempting this exercise.

Note: You will almost certainly need to ‘patch’² (replace) certain instructions to get IDA to disassemble the file correctly. Use the opcode 0x90, the NOP instruction, to replace any bytes that are fouling the disassembler. You may also need to ‘Undefine’ and re-‘Create Function’³ in IDA to ensure it properly decodes the code after it has been patched. Similar approaches will be needed in Ghidra.
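The helper below is an added example and is not part of the lab handout or of Lab05-01.exe. It shows the patching step from the Note in code: it scans raw bytes for the textbook ‘jz X / jnz X’ pair from chapter fifteen (two conditional jumps sharing one target, which together always skip the byte(s) in between), reports the skipped bytes as rogue-opcode candidates, and patches them to 0x90 only after checking the expected byte is really there. The sample bytes are constructed for illustration; whether the lab binary uses this particular pattern is not stated on the page, and the offsets are file offsets, not the virtual addresses IDA displays.

```python
NOP = 0x90
SHORT_JZ, SHORT_JNZ = 0x74, 0x75


def short_target(data: bytes, off: int) -> int:
    """Target of a 2-byte short conditional jump at `off` (rel8 from the next instruction)."""
    return off + 2 + int.from_bytes(data[off + 1:off + 2], "little", signed=True)


def find_jcc_pairs(data: bytes) -> list[tuple[int, int]]:
    """(offset, target) for each jz/jnz pair (either order) that shares one target."""
    pairs = []
    for i in range(len(data) - 3):
        if {data[i], data[i + 2]} == {SHORT_JZ, SHORT_JNZ}:
            t = short_target(data, i)
            if t == short_target(data, i + 2):
                pairs.append((i, t))
    return pairs


def skipped_bytes(data: bytes) -> list[int]:
    """Offsets the pair always jumps over: the rogue opcode candidates to patch."""
    return [off for i, t in find_jcc_pairs(data) for off in range(i + 4, t)]


def patch_to_nop(data: bytes, patches: dict[int, int]) -> bytes:
    """Copy of `data` with each offset in `patches` (offset -> expected byte) set to NOP.
    Refuses to patch when the byte differs, so a wrong offset cannot corrupt real code."""
    out = bytearray(data)
    for off, expected in sorted(patches.items()):
        found = out[off] if off < len(out) else None
        if found != expected:
            raise ValueError(f"offset {off:#x}: expected {expected:#04x}, found {found}")
        out[off] = NOP
    return bytes(out)


# Constructed sample (not from Lab05-01.exe): xor eax,eax sets ZF, so "jz +3 / jnz +1"
# always lands on inc eax, but a linear sweep decodes the skipped 0xE8 as a bogus call.
SAMPLE = bytes([0x55, 0x8B, 0xEC,         # push ebp; mov ebp, esp
                0x33, 0xC0,               # xor eax, eax
                0x74, 0x03, 0x75, 0x01,   # jz +3; jnz +1  (both target offset 10)
                0xE8,                     # rogue byte at offset 9, never executed
                0x40,                     # inc eax, the real next instruction
                0x5D, 0xC3])              # pop ebp; ret

if __name__ == "__main__":
    rogue = {off: SAMPLE[off] for off in skipped_bytes(SAMPLE)}
    print("rogue bytes at", [hex(o) for o in rogue])
    print("patched:", patch_to_nop(SAMPLE, rogue).hex(" "))
```

Run it on the bytes of a real file to get candidate offsets, then confirm each one in the disassembler before patching, since the scan is a byte heuristic and can match inside data or instruction operands.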

Questions

You should use IDA Pro or Ghidra to answer the following questions about the provided sample. The questions should get progressively harder as you progress through them.

1. Which techniques (as described in Chapter 15 of Practical Malware Analysis) are being used in this program to hinder disassembly? Include any variations on the technique… [4 marks]

2. How many times is each technique used in the file? [4 marks]

3. Some of the anti-disassembly techniques use rogue opcodes to cause the disassembler to mis-decode the instructions. Which opcodes are used? [2 marks]

4. Various command line arguments will cause the program to print messages other than “Wrong answer guess again”. List which argument(s), when passed to the program on the command line, cause it to print out a different message, and what messages are printed. [8 marks]

Please note that the mark values are used to imply weighting as well as amount of detail required.

Assessment Criteria

The questions above will be awarded marks as per the mark scheme listed above, giving a total of 18 which will then be scaled to a final mark out of ten that will be used for the continuous assessment.