Lab 16-2 Solutions

Short Answers

  1. When you run Lab16-02.exe from the command line, it prints a usage string asking for a four-character password.

  2. If you input an incorrect password, the program will respond “Incorrect password, Try again.”

  3. The correct command-line password is byrr.

  4. The strncmp function is called at 0x40123A.

  5. The program immediately terminates when loaded into OllyDbg using the default settings.

  6. The program contains a .tls section.

  7. The TLS callback starts at 0x401060.

  8. The FindWindowA function is used to terminate the malware. It looks for a window with the class name OLLYDBG and terminates the program if one is found. You can defeat this check by changing the window class name with an OllyDbg plug-in such as PhantOm, or by NOPing out the call to exit at 0x40107C.

  9. At first, ...
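The TLS-callback check from answers 6 through 8 can be found statically before the debugger is ever attached. The parser below is added here as an example and is not part of the book's solutions: it walks the PE32 headers to the TLS data directory, maps the RVA through the section table, and lists the registered callback VAs. The sample PE it builds is constructed inline (not Lab16-02.exe), with 0x401060 chosen to match the callback address reported above.

```python
import struct

def tls_callbacks(pe: bytes) -> list[int]:
    # Return the TLS callback VAs registered in a PE32 file image (bytes as stored on disk).
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("PE32 only (AddressOfCallBacks is 8 bytes wide in PE32+)")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    tls_rva = struct.unpack_from("<I", pe, opt + 96 + 9 * 8)[0]   # DataDirectory[9] = TLS
    if tls_rva == 0:
        return []                            # no TLS directory, so no callbacks
    # Section table follows the optional header; use it to map RVAs to file offsets.
    sections = [struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i) for i in range(nsec)]
    def rva_to_off(rva: int) -> int:
        for _name, vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} not backed by any section")
    # IMAGE_TLS_DIRECTORY32.AddressOfCallBacks (offset 12) is a VA, not an RVA.
    cb_va = struct.unpack_from("<I", pe, rva_to_off(tls_rva) + 12)[0]
    off, callbacks = rva_to_off(cb_va - image_base), []
    while (va := struct.unpack_from("<I", pe, off)[0]) != 0:      # null-terminated array
        callbacks.append(va)
        off += 4
    return callbacks

def build_sample_pe(image_base: int = 0x400000, callbacks=(0x401060,)) -> bytes:
    # Constructed minimal PE32 with a single .tls section; hypothetical layout, not the lab binary.
    tls_rva, raw_ptr, size = 0x3000, 0x200, 0x200
    cb_va = image_base + tls_rva + 24            # callback array follows the 24-byte TLS dir
    tls_dir = struct.pack("<6I", cb_va + 0x40, cb_va + 0x44, cb_va + 0x48, cb_va, 0, 0)
    cb_array = b"".join(struct.pack("<I", c) for c in callbacks) + b"\0" * 4
    opt = struct.pack("<H", 0x10B).ljust(28, b"\0") + struct.pack("<I", image_base)
    opt = opt.ljust(92, b"\0") + struct.pack("<I", 16)          # NumberOfRvaAndSizes
    dirs = [(0, 0)] * 9 + [(tls_rva, 24)] + [(0, 0)] * 6         # only the TLS entry is set
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = struct.pack("<8sIIIIIIHHI", b".tls", size, tls_rva, size, raw_ptr, 0, 0, 0, 0, 0xC0000040)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    return (dos + coff + opt + sec).ljust(raw_ptr, b"\0") + (tls_dir + cb_array).ljust(size, b"\0")
```

Any callback the parser reports runs before the entry point, so a listed address such as 0x401060 is where to set the first breakpoint (or configure the debugger to break on TLS callbacks) instead of at the entry point.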
