C/C++ assignment help - reverse engineering
Date: 2020-12-07
40 points
Please read every question carefully and provide the screenshots (if required). Thank you.
1. For this question, please create a 2 column by 5 row table, then put the following code snippets into the respective column. The top row should be labeled “Obfuscated” and “Not Obfuscated” (without the quotes). The color coding indicates a “code pair”: one part is obfuscated, and the other part is not obfuscated. Please put them in the table appropriately. (10 points)
Mov ecx, 0x294a          |  mov ecx, 0x410cb4
                         |  Sub ecx, 0x40e301

Call                     |
Pop ebp                  |
Sub ebp, 0x40e207        |  mov ebp, -0xab7

Mov edi, ptr[eax+a4]     |  mov edi,
                         |  Rol edi, 7

Mov rax, 24h             |  push 24h
                         |  Pop rax

Jmp 00801002h            |  push 00801002h
                         |  Ret
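The by-eye rewriting that question 1 asks for can be mechanised. The following Python is an added illustration, not part of the assignment or its answer key: it folds the two-instruction idioms in the list (push/pop, push/ret, and mov followed by sub or rol on immediates) back into the single instruction each stands in for, and copies anything else through unchanged. The function names imm, parse, fold and normalize, the whitespace-separated Intel operand syntax, and 32-bit wraparound for the folded constants are assumptions of this example.

```python
import re

def imm(tok):  # MASM style (24h, 0ffh, leading digit required) or C style (0x24, -0xab7); ValueError otherwise
    t = tok.strip().lower()
    return int(t[:-1], 16) if re.fullmatch(r"[0-9][0-9a-f]*h", t) else int(t, 0)

def parse(listing):
    """Split an Intel-syntax listing into (raw_line, mnemonic, [operands]) triples."""
    rows = []
    for raw in (line.strip() for line in listing.splitlines() if line.strip()):
        mnem, rest = (raw.split(None, 1) + [""])[:2]
        rows.append((raw, mnem.lower(), [o.strip().lower() for o in rest.split(",")] if rest else []))
    return rows

def fold(m, ops, nm, nops):
    """Return the single plain instruction a two-instruction idiom stands in for, or None."""
    if m == "push" and nm == "pop" and len(ops) == 1 and len(nops) == 1:
        return f"mov {nops[0]}, {ops[0]}"            # push X ; pop R  ->  mov R, X
    if m == "push" and nm == "ret" and len(ops) == 1:
        return f"jmp {ops[0]}"                        # push T ; ret    ->  jmp T
    if m == "mov" and nm in ("sub", "rol") and len(ops) == 2 and len(nops) == 2 and nops[0] == ops[0]:
        try:
            a, b = imm(ops[1]), imm(nops[1])
        except ValueError:                            # not both immediates: nothing to fold
            return None
        if nm == "sub":                               # mov R, a ; sub R, b  ->  mov R, a-b
            v = (a - b) & 0xFFFFFFFF
        else:                                         # mov R, a ; rol R, n  ->  mov R, rol32(a, n)
            a, n = a & 0xFFFFFFFF, b % 32
            v = ((a << n) | (a >> (32 - n))) & 0xFFFFFFFF
        return f"mov {ops[0]}, {v:#x}"
    return None

def normalize(listing):
    """Peephole-rewrite a listing; lines that match no idiom are copied through unchanged."""
    rows, out, i = parse(listing), [], 0
    while i < len(rows):
        raw, m, ops = rows[i]
        _, nm, nops = rows[i + 1] if i + 1 < len(rows) else ("", "", [])
        plain = fold(m, ops, nm, nops)
        # No match also covers "call / pop ebp / sub ebp, ...": a get-PC idiom whose result
        # depends on the address of the pop, so it is left for the analyst rather than folded.
        out.append(raw if plain is None else plain)
        i += 1 if plain is None else 2
    return out

if __name__ == "__main__":  # demo on sequences taken from question 1
    for seq in ("mov ecx, 0x410cb4\nsub ecx, 0x40e301", "push 24h\npop rax", "push 00801002h\nret"):
        print(seq.replace("\n", " ; "), "->", " ; ".join(normalize(seq)))
```

Folding the constants is also the check to run before trusting a pairing by eye: the plain instruction a sequence folds to is what its partner in the table should match.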
2. Please determine the type of file used in ch4_2.exe (2 points)
3. Exception-based control flow, call-stack tampering, indirect control flow, and self-modifying code are all common ___________________________ techniques (2 points)
4. What is an order of steps for a Reverse Engineer? (2-3 sentences, or a bulleted list) (4 points)
5. The File operation is used for what? Provide an example and screenshot it. (4 points)
6. Write a simple program that sorts a set of 10 integers largest to smallest, then, using your favorite debugger, step into the main function and step through the code. Provide at least 3 screenshots – your debugger screen selection, stepping into main, then step once forward in your main function. (6 points for the 3 screenshots.)
7. Next, using the code in #6, show the memory registers after you step into main, THEN show the memory registers after you STEP ONCE into the code. (4 points for screenshots)
8. You run file on an .exe and get nothing you can read. Strings does not yield anything intelligible either. The file is packed. The following questions relate to this hypothetical situation. This exercise becomes more challenging as you answer each question. Good luck!
a. How do you unpack it? (1 point).
b. Once you unpack it, you see it is written in C. How do you convert it to Assembly? (Name the webpage or tool you use) (1 point).
c. Once you see the assembly code you notice something that does not seem possible: none of the assembly commands look normal (see below for point values). The code you discover looks like this:
Zzz zhr, zbz
Fbxx xzfbxzrzj
Zzz ZZZZZH ZZZ [zdz-24], zbz
This is the only snippet of real assembly code (or rather, code that looks normal) you could find:
mov QWORD PTR [rbp-24], rax
mov esi, OFFSET FLAT:.LC0
mov edi, OFFSET FLAT:_ZSt4cout
call std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*)
mov rbx, rax
mov rax, QWORD PTR [rbp-24]
mov rdi, rax
call asctime
mov rsi, rax
mov rdi, rbx
call std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*)
mov eax, 0
C1. Please explain what is happening between the code you discovered and the real code you eventually found. (5 points)
C2. What is the algorithm used here? (BONUS: +5 points)
C3. What do you think this code snippet does? (5 points)
9. Rate the difficulty of Question #8 on a scale of 1-10, with 10 being the most difficult. (1 point)