Lab 18-5 Solutions
The program in the Lab18-05.exe file is Lab07-01.exe packed with WinUpack. When we load this file into PEiD, it’s recognized as being packed with WinUpack 0.39. However, the file’s PE header is badly damaged. If we load it into OllyDbg, IDA Pro, or PEview, we get several errors that make it impossible to view information from the PE header.
We load the file into OllyDbg and see an error stating “Bad or unknown format of 32-bit executable file.” OllyDbg can load the file, but it can’t find the entry point for the unpacking stub and instead breaks at the system breakpoint, which occurs well before the unpacking stub.
Because we have not even reached the unpacking stub, most of our techniques will not work. We could step-into and ...
Get Practical Malware Analysis now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.