Lab 18-4 Solutions

We open the Lab18-04.exe file in PEiD and learn that it is packed with ASPack 2.12 -> Alexey Solodovnikov. We then open the malware in OllyDbg and see that the first instruction is pushad, which pushes all of the general-purpose registers onto the stack. We know from Chapter 18 that setting a breakpoint on the stack in order to catch the corresponding popad instruction may be a good strategy for this packer. We step over the pushad instruction, as shown in Example C-181.

Example C-181. Start of the unpacking stub

00411001   PUSHAD
00411002   CALL Lab18-04.0041100A
00411007   JMP 459E14F7

We’re going to use the same technique that we used in the previous lab. Once we step over the pushad instruction, our window looks like Figure C-68.

Figure C-68. Setting a ...
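To show why a hardware breakpoint on the stack catches the packer's popad, here is an added toy model of the trick; it is not code from the book or from the lab binary. The stub addresses, register values and the sequence of stub operations are constructed stand-ins for an ASPack-style stub: pushad, a call and some temporaries, then popad and the tail jump. The model places a one-dword "on access" watch at the top of the stack right after pushad (where OllyDbg's Breakpoint > Hardware, on access > Dword would go) and reports which instruction first touches it. Passing watch_offset=-4 shows the failure mode of setting the breakpoint one dword too low: the stub's own call fires it immediately.

```python
"""Toy model of the pushad/popad stack-breakpoint trick (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Order in which PUSHAD writes the registers; POPAD restores them in reverse
# and discards the saved ESP value.
PUSHAD_ORDER = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass
class Cpu:
    regs: Dict[str, int]
    mem: Dict[int, int] = field(default_factory=dict)   # dword-addressed stack
    watch: Optional[int] = None                         # hardware bp on access
    hits: List[Tuple[int, str]] = field(default_factory=list)

    def _access(self, addr: int, kind: str, pc: int) -> None:
        # Model of a hardware breakpoint: any read or write of the watched dword
        # is recorded together with the address of the instruction doing it.
        if addr == self.watch:
            self.hits.append((pc, kind))

    def push(self, val: int, pc: int) -> None:
        self.regs["esp"] -= 4
        self._access(self.regs["esp"], "write", pc)
        self.mem[self.regs["esp"]] = val

    def pop(self, pc: int) -> int:
        self._access(self.regs["esp"], "read", pc)
        val = self.mem.get(self.regs["esp"], 0)
        self.regs["esp"] += 4
        return val

    def pushad(self, pc: int) -> None:
        esp0 = self.regs["esp"]              # PUSHAD stores ESP as it was before the push
        for r in PUSHAD_ORDER:
            self.push(esp0 if r == "esp" else self.regs[r], pc)

    def popad(self, pc: int) -> None:
        for r in reversed(PUSHAD_ORDER):
            val = self.pop(pc)
            if r != "esp":                   # POPAD skips the saved ESP
                self.regs[r] = val


# Constructed stand-in for the unpacking stub (addresses are made up).
STUB = [
    (0x411001, "pushad"),
    (0x411002, "call"),      # pushes a return address below the saved registers
    (0x41100A, "ret"),
    (0x41100B, "push"),      # stub temporaries live below the saved registers too
    (0x41100D, "pop"),
    (0x4113F0, "popad"),     # the instruction the stack breakpoint should catch
    (0x4113F1, "jmp_oep"),   # tail jump to the original entry point
]
INITIAL_REGS = {"eax": 1, "ecx": 2, "edx": 3, "ebx": 4,
                "esp": 0x12FF80, "ebp": 5, "esi": 6, "edi": 7}


def run_stub(watch_offset: int = 0) -> Dict[str, object]:
    """Run the stub; arm the watch at ESP+watch_offset right after PUSHAD.

    Returns the PC of the first instruction that hit the watch (None if none),
    the access kind, and the final register state.
    """
    cpu = Cpu(regs=dict(INITIAL_REGS))
    for pc, op in STUB:
        if op == "pushad":
            cpu.pushad(pc)
            cpu.watch = cpu.regs["esp"] + watch_offset   # dword at top of stack
        elif op == "call":
            cpu.push(pc + 5, pc)
        elif op in ("ret", "pop"):
            cpu.pop(pc)
        elif op == "push":
            cpu.push(0xDEADBEEF, pc)
        elif op == "popad":
            cpu.popad(pc)
        # jmp_oep touches no stack memory in this model
    first_pc, first_kind = cpu.hits[0] if cpu.hits else (None, None)
    return {"first_hit_pc": first_pc, "first_hit_kind": first_kind,
            "regs": cpu.regs, "hits": cpu.hits}


if __name__ == "__main__":
    good = run_stub()
    print("watch at ESP   -> first hit at %#x (%s)" % (good["first_hit_pc"], good["first_hit_kind"]))
    bad = run_stub(watch_offset=-4)
    print("watch at ESP-4 -> first hit at %#x (%s)" % (bad["first_hit_pc"], bad["first_hit_kind"]))
```

The point the model makes explicit: everything the stub does between pushad and popad (calls, pushes, locals) lives at lower addresses than the saved register block, so the dword at ESP right after pushad is left alone until popad reads it. That is why the breakpoint fires exactly where the book's technique expects, just before the tail jump, and why it must be set on the top dword of the saved block rather than on the stack slot below it.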
