Debugging

We will be using x86dbg for our debug session. Remember that we decompressed the file using UPX. It would be wise to open the decompressed version instead of the original whatami.exe file.  Opening the compressed will be fine but we will have to go through debugging the UPX packed code.

Unlike IDA Pro, x86dbg is not able to recognize the WinMain function where the real code starts. In addition, after opening the file, the instruction pointer may still be somewhere in the NTDLL memory space. And to avoid being in an NTDLL region during startup, we may need to make a short configuration change in x86dbg.

Select Options->Preference. Under the Events tab, uncheck System Breakpoint and TLS Callbacks. Click on the Save button and then ...

Get Mastering Reverse Engineering now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.