Try it yourself

To try out the tools we have learned about, let's try doing some static analysis on ch4_2.exe. To help out, here's a list of what we need to find:

  • File information:
    • file type
    • imported DLLs and APIs
    • text strings
    • file hash
  • What the file does

Jumping right into getting file information, we will use TrID (http://mark0.net/soft-trid-e.html) to identify the file type. Execute the following line:

trid ch4_2.exe

The TrID result tells us that this is a Windows 32-bit executable file that is UPX packed.

Knowing that this is a UPX packed file, we can try the UPX (https://upx.github.io/) tool's decompress feature to help us ...
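Several items on the checklist above (file type, the section names that give away UPX packing, text strings, file hash) can also be collected with a short script. This is an added example, not code from the book: the input is a constructed minimal PE image built by `build_sample_pe`, not ch4_2.exe, and the function names and the choice of SHA-256 are assumptions.

```python
import hashlib
import re
import struct

def build_sample_pe():
    """Constructed minimal PE32 image with UPX-style sections (not a real sample)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)             # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections
    opt = struct.pack("<H", 0x10B) + b"\x00" * (0xE0 - 2)            # PE32 magic
    sects = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in (b"UPX0", b"UPX1"))
    return dos + b"PE\x00\x00" + coff + opt + sects + b"KERNEL32.DLL\x00LoadLibraryA\x00"

def triage(data):
    """Return file type, section names, packer hint, strings and hash for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    try:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\x00\x00":
            raise ValueError("PE signature not found")
        machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
        (magic,) = struct.unpack_from("<H", data, pe_off + 24)
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    table = pe_off + 24 + opt_size                 # section table follows optional header
    names = [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\x00").decode("ascii", "replace")
             for i in range(nsect)]                # each section header is 40 bytes
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
        "machine": hex(machine),
        "sections": names,
        # Section names are only a hint: they can be renamed after packing.
        "upx_packed": any(n.startswith("UPX") for n in names),
        # Printable ASCII runs of 5+ characters, like a basic strings tool.
        "strings": [s.decode() for s in re.findall(rb"[\x20-\x7e]{5,}", data)],
    }

if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

To run it against a real file, pass `open(path, "rb").read()` to `triage` instead of the constructed bytes.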
