To try out the tools we have learned about, let's try doing some static analysis on ch4_2.exe. To help out, here's a list of what we need to find:
File information:
file type
imported DLLs and APIs text strings
file hash What the file does
Jumping right into getting file information, we will use TrID (http://mark0.net/soft- trid-e.html) to identify the file type. Execute the following line:
trid cha4_2.exe
The TrID result tells us that we have here a Windows 32-bit executable file that is UPX packed:
Knowing that this is a UPX packed file, we can try the UPX (https://upx.github.io/) tool's decompress feature to help us restore the file back to its original form before it was packed. A packed file is a compressed executable file that decompresses and then executes the program during runtime. The primary purpose of a packed file is to reduce the file size of executables while retaining the program's original behavior. We will be discussing more about packers in Chapter 10, Packing and Encryption, of this book. For now, let's just unpack this file with the UPX tool using the -d parameter:
upx -d cha4_2.exe
This results to the file being expanded back to its original form:
And if we use TrID this time, we should get a different result:
It is still a Windows executable file, so we can use CFF Explorer to check for more information:
On the left pane, if we select Import Directory, we should see a list of imported library files and API functions it will use, as shown here:
Clicking on USER32.dll, we see that the MessageBoxA API is going to be used by the program.
Using the bintext (http://b2b-download.mcafee.com/products/tools/foundstone/
bintext303.zip) tool, we can see a list of text strings found in the file:
These appear to be the notable text strings, which suggest that the program checks for the time and displays various greetings. It will probably retrieve a file from the internet. It may do something about the File.txt file. But all these are just educated guesses, which makes good practice for reversing, as it helps use to build an overview of the relationship between each aspect of our analysis:
000000001134 000000402134 0 The system time is: %02d:%02d 000000001158 000000402158 0 Nice Night!
000000001164 000000402164 0 Good Morning 000000001174 000000402174 0 Good Afternoon 000000001184 000000402184 0 Good Evening 000000001198 000000402198 0
https://raw.githubusercontent.com/PacktPublishing/Mastering-Reverse-Enginee ring/master/ch4/encmsg.bin
000000001200 000000402200 0 File.txt 00000000122C 00000040222C 0 Reversing
The hash (MD5, SHA1, SHA256) of a file will help as a reference to every file we analyze.
There are a lot of file hash-generating tools available in the internet. To generate the hashes of this file, we chose a tool called HashMyFiles. This is a tool compiled for Windows OS and can be added to the context menu (right-click) of the Windows Explorer:
It can display the file's CRC, MD5, SHA1, SHA-256, SHA-512, and SHA-384, as follows:
MD5: 38b55d2148f2b782163a3a92095435af
SHA1: d3bdb435d37f843bf68560025aa77239df7ebb36 CRC: 0bfe57ff
SHA256: 810c0ac30aa69248a41c175813ede941c79f27ddce68a91054a741460246e0ae SHA512:
a870b7b9d6cc4d86799d6db56bc6f8ad811fb6298737e26a52a706b33be6fe7a8993f9acdbe 7fe1308f9dbf61aa1dd7a95015bab72b5c6af7b7359850036890e
SHA384:
b0425bb66c1d327d7819f13647dc50cf2214bf00e5fb89de63bcb442535860e13516de870cb
We should not forget the file size and the creation time using a simple file property check:
The Modified date is more relevant in terms of when the file was actually compiled. The Created date is when the file was written or copied to the directory where it is now. That means that the first time the file was built, both the Created and Modified dates were the
To statically analyze the file's behavior, we will be using a disassembly tool known as IDA Pro. A freeware version of IDA Pro can be found at https://www.hex-rays.com/products/
ida/support/download_freeware.shtml. But, if you can afford the luxury of its paid version, which we highly recommend, please do purchase it. We find the features and supported architectures of the paid version way better. But for this book, we will be using every available tool that does not require purchasing.
There are currently two known free versions of IDA Pro. We have made backups of the tool available at https://github.com/PacktPublishing/Mastering-Reverse-Engineering/
tree/master/tools/Disassembler%20Tools. And since we are dealing with a 32-bit Windows executable file, select the 32-bit version.
Once IDA Pro is installed, open up cha4_2.exe inside. Wait for the auto-analysis to complete and it will redirct the disassembly to the WinMain function:
Scrolling down will show more disassembly code that we learned in Chapter 3, The Low- Level Language. For deadlisting behaviors, we usually look for instructions that call APIs.
The very first API we encounter is a call to GetSystemTime:
Following the code, we encounter these API functions in this sequence:
vsprintf_s 1.
MessageBoxA 2.
InternetOpenA 3.
InternetConnectW 4.
InternetOpenUrlA 5.
memset 6.
InternetReadFile 7.
InternetCloseHandle 8.
strcpy_s 9.
CreateFileA 10.
WriteFile 11.
CloseHandle 12.
RegCreateKeyExW 13.
RegSetValueExA 14.
With what we learned in Chapter 3, The Low Level Language, try to follow the code and deduce what the file will do without executing it. To help out, here are the expected behaviors of the program:
Displaying a message depending on the current system time. The messages can 1. be one of the following:
Good Morning
Reading the contents of a file from the internet, decrypting the contents, and 2. saving it to a file named File.txt.
Making a registry key, HKEY_CURRENT_USER\Software\Packt, and storing the 3. same decrypted data in the Reversing registry value.
This may take a long time for beginners, but with continuous practice, analysis will be done at a fast pace.
Summary
Both approaches to analysis, static and dynamic, have their means to extract information and are required to properly analyze a file. Before doing dynamic analysis, it is
recommended to start with static analysis first. We stick to our goal of generating an analysis report from the information we get. The analyst is not limited to using just the tools and resources outlined here to conduct an analysis—any information from the internet is useful, but validating it with your own analysis will stand as proof. Taking all items from the file, such as notable text strings, imported API functions, system changes, code flows, and possible blocks of behaviors are important, as these may be useful when building an overview of the file.
The result of the static analysis draws together the approach and resources that need to be prepared for dynamic analysis. For example, if the static analysis identified the file as a Win32 PE file executable, then tools for analyzing PE files will need to be prepared.
As part of dynamic analysis, we discussed about Virtual Allocated Space (VAS) and how a program is mapped in memory along with its library dependencies. This information comes in handy when attempting reversing in further chapters.
We also introduced a few tools that we can use to engage in both static and dynamic
approaches, and ended this chapter with a brief exercise on a 32-bit Windows PE executable file. In the next chapter, we will show more use of some of these tools as we reverse-
engineer files.