Proj 12x: Anti-Disassembly (Lab 15-1) (15 pts.)

• A Windows machine with IDA Pro. The Win 2008 Server virtual machine we've been using works fine.

Purpose

Indications of Anti-Disassembly

Click Options, General. Check "Line Prefixes". Enter a "Number of opcode bytes" of 6 and click OK.

Maximize the "IDA View-A" window.

Notice that the display is not in Graph Mode, but just a long linear chart of disassembled code.

Click in the "IDA View-A" window. Press the SPACEBAR.

A Warning box appears, saying that IDA can't display the code in graph mode because it can't identify the functions, as shown below.

This is a clue that something is confusing IDA Pro.

In IDA, scroll down past the blue header comments to see the actual code.

Notice that the "CODE XREF" labels are in red, as shown below. That indicates that the actual reference points inside this instruction, not at its starting byte. This is another indication that IDA has not beem able to correctly disassemble the code.

Fixing the Code at 401011

To correct the disassembly, in the left column, click any of the 401010 addresses. All three of them turn yellow.

On the keyboard, press d to convert these five bytes to data. A "Please confirm" box pops up. Click Yes.

The code now shows five bytes of data after the jz instruction, as shown below.

The jz resumes execution at location 401011, so we must tell IDA to interpret that address as code.

In the left column, click the 401011 address. On the keyboard, press c to convert these five bytes to code.

Three bytes starting at 401011 are now interpreted as a mov instruction, as shown below.

However, the byte at 401014 is still interpreted as data, and that makes the disassembly below it inaccurate as well.

In the left column, click the 401014 address. On the keyboard, press c to convert these five bytes to code. A "Please confirm" box pops up. Click Yes.

This guides IDA to disassemble another instruction correctly, but leaves another byte abandoned and interpreted as data at 401017, as shown below.

In the left column, click the 401017 address. On the keyboard, press c to convert these five bytes to code. A "Please confirm" box pops up. Click Yes.

Finally, IDA shows the correct code, without any stray "db" bytes in the middle, as shown below.

Fixing the Code at 401024

1. Tell IDA to interpret the bytes starting at 401023 as data
2. Tell IDA to interpret the bytes starting at 401024 as code
3. Tell IDA to interpret the bytes starting at 401027 as code
4. Tell IDA to interpret the bytes starting at 40102A as code
5. Tell IDA to interpret the bytes starting at 40102E as code
6. Tell IDA to interpret the bytes starting at 401031 as code
7. Tell IDA to interpret the bytes starting at 401033 as code
8. Tell IDA to interpret the bytes starting at 401037 as code

Fixing the Code at 401038

The correct disassembly shows a block of code starting at 401038 and ending with yet another use of the same trick to skip over a byte, as shown below.

Fixing the Code at 40104C

The correct disassembly shows a block of code starting at 401038 and ending with yet another use of the same trick to skip over a byte, as shown below.

Fixing the Code at 401063

Guide IDA to disassemble the code correctly.

The correct disassembly prints a message and ends with four pop instructions and a retn, as shown below.

Entering Graph Mode

Drag the mouse to highlight all the code from 401000 through the retn instruction at 401077. Then press p to tell IDA this is a function.

IDA finally switches to Graph Mode!

Scroll down and find the functions that prints out the message "Good Job!", as shown below.

Saving a Full-Desktop Image

Turning in your Project