Debugging

We will be using x86dbg for our debug session. Remember that we decompressed the file using UPX. It would be wise to open the decompressed version instead of the original whatami.exe file.  Opening the compressed will be fine but we will have to go through debugging the UPX packed code.

Unlike IDA Pro, x86dbg is not able to recognize the WinMain function where the real code starts. In addition, after opening the file, the instruction pointer may still be somewhere in the NTDLL memory space. And to avoid being in an NTDLL region during startup, we may need to make a short configuration change in x86dbg.

Select Options->Preference. Under the Events tab, uncheck System Breakpoint and TLS Callbacks. Click on the Save button and then ...

Get Mastering Reverse Engineering now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.