Malware Analysis Homework

Learning Objectives

Can understand simple x86 machine instructions

Can interpret arithmetic and shift operators

Can interpret conditional jump statements

Can interpret looping constructs

Directions

Show the contents of the registers and memory after each of these short programs executes.

See https://www.felixcloutier.com/x86/ for unfamiliar instructions.

See https://www.calculator.net/hex-calculator.html for a hex calculator.

Problem #1:

1. Assume rbp initially holds address 0x48000

2. IDA set up these symbols for you

var_1C = dword ptr -1Ch

var_18 = dword ptr -18h

var_14 = dword ptr -14h

var_10 = dword ptr -10h

var_C = dword ptr -0Ch

var_8 = dword ptr -8

var_4 = dword ptr -4

3. Interpret this code

mov [rbp+var_4], 0Ah

mov [rbp+var_8], 14h

mov edx, [rbp+var_4]

mov eax, [rbp+var_8]

add eax, edx

mov [rbp+var_C], eax

mov eax, [rbp+var_8]

sub eax, [rbp+var_4]

mov [rbp+var_10], eax

mov eax, [rbp+var_4]

imul eax, [rbp+var_8]

mov [rbp+var_14], eax

mov eax, [rbp+var_14]

cdq

idiv [rbp+var_C]

mov [rbp+var_18], eax

mov eax, [rbp+var_8]

sar eax, 2

mov [rbp+var_1C], eax

4. Show the results of executing the code in the registers and memory. Express your answers in hex.

Registers

eax
ebx
ecx
edx
rbp	0x48000

Memory

0x47FDC
0x47FE0
0x47FE4
0x47FE8
0x47FEC
0x47FF0
0x47FF4
0x47FF8
0x47FFC
0x48000
0x48004
0x48008