
Lab 8: Compound Expressions

Overview

The purpose of this lab is to practice identifying and understanding compound expressions.

Getting Started

You will need to load the malware specimens in IDA Pro. To go to a specific address press G.

Part 1: Dexter (First Expression)

For this exercise examine the dexter malware (found at c:\malware\dexter\dexter.exe). There is an if-else statement at address 0x0040494C:

Question 1.1

Identify the number of variables in the condition

Answer

There is one

Question 1.2

Identify the variables evaluated in the condition

Answer

[ebp+var_4]

Question 1.3

Identify the start of the second code block (for the else)

Answer

0x404963

Question 1.4

Identify the addresses of the code block executed if the condition is met

Answer

0x40495E and 0x404961

Question 1.5

Identify the ending address of the if-else statement

Answer

0x404966

Question 1.6

Identify the addresses of the code block executed if the condition is not met

Answer

Just one instruction at address 0x404963

Question 1.7

In your own words, describe the conditions when the first and second code blocks will be executed

Answer

If [ebp+var_4] is not equal to 0x0F, and is not equal to 0x10, and is not equal to 0x13, then EAX has the value 0xFFFFFFFF. Else EAX has the value [ebp+var_4].

Note: If you apply DeMorgan's laws, it would be equally valid but the blocks for the if and else would be reversed.

Part 2: Dexter (Second Expression)

For this exercise examine the dexter malware (found at c:\malware\dexter\dexter.exe). There is an if-else statement at address 0x4040D3:

Question 2.1

Identify the number of variables in the condition

Answer

Two

Question 2.2

Identify the variables evaluated in the condition

Answer

[ebp+Msg] and [ebp+lParam]

Question 2.3

Identify the start of the second code block (for the else)

Answer

0x40410C

Question 2.4

Identify the addresses of the code block executed if the condition is met

Answer

0x4040E2 through 0x404108

Question 2.5

Identify the ending address of the if-else statement

Answer

0x404122

Question 2.6

Identify the addresses of the code block executed if the condition is not met

Answer

0x40410C through 0x404122

Question 2.7

In your own words, describe the conditions when the first and second code blocks will be executed

Answer

If [ebp+Msg] is equal to 0x11 or [ebp+lParam] is equal to 0x80000000, then the first code block is executed. Otherwise the second code block is executed.

Note: If you apply DeMorgan's laws, it would be equally valid but the blocks for the if and else would be reversed.

Part 3: Avzhan

For this exercise examine the avzhan malware (found at c:\malware\avzhan\avzhan.exe). There is an if-else statement at address 0x401B11:

Question 3.1

Identify the number of variables in the condition

Answer

Technically there are two, as each byte of AX is being evaluated.

Question 3.2

Identify the variables evaluated in the condition

Answer

AL and AH

Question 3.3

Identify the start of the second code block (for the else)

Answer

0x401B2F

Question 3.4

Identify the addresses of the code block executed if the condition is met

Answer

0x401B23 through 0x401B2E

Question 3.5

Identify the ending address of the if-else statement

Answer

0x401B4A

Question 3.6

Identify the addresses of the code block executed if the condition is not met

Answer

0x401B2F through 0x401B4A

Question 3.7

In your own words, describe the conditions when the first and second code blocks will be executed

Answer

The variable [esp+190h+WSAData.wVersion] refers to the Windows Sockets version.

If the low byte of the variable is equal to 2, and the high byte is equal to 1, then the first code block is executed. Else the second code block is executed.

Note: If you apply DeMorgan's laws, it would be equally valid but the blocks for the if and else would be reversed.
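The three compound conditions from Parts 1 to 3, written back out as C so the recovered expressions and the De Morgan note can be checked directly. This is an added example, not code from the lab or from the specimens; the function names are chosen here, and the mapping of wVersion's low byte to the major version is standard WSADATA layout.

```c
#include <stdint.h>
#include <stdio.h>

/* Part 1 (0x0040494C): [ebp+var_4] becomes v, EAX becomes the return value. */
uint32_t dexter_first(uint32_t v)
{
    if (v != 0x0F && v != 0x10 && v != 0x13)
        return 0xFFFFFFFFu;   /* first block, 0x40495E and 0x404961 */
    return v;                 /* else block, 0x404963 */
}

/* Same expression after De Morgan: negated condition, blocks swapped. */
uint32_t dexter_first_demorgan(uint32_t v)
{
    if (v == 0x0F || v == 0x10 || v == 0x13)
        return v;
    return 0xFFFFFFFFu;
}

/* Part 2 (0x4040D3): OR of two variables; 1 selects the first block. */
int dexter_second(uint32_t msg, uint32_t lparam)
{
    return (msg == 0x11 || lparam == 0x80000000u) ? 1 : 0;
}

/* Part 3 (0x401B11): AX holds WSAData.wVersion and AL/AH are tested
   separately. In wVersion the low byte is the major version and the high
   byte the minor one, so AL == 2 && AH == 1 accepts exactly Winsock 2.1. */
int avzhan_version_ok(uint16_t wVersion)
{
    uint8_t al = (uint8_t)(wVersion & 0xFF);   /* low byte  (AL) */
    uint8_t ah = (uint8_t)(wVersion >> 8);     /* high byte (AH) */
    return (al == 2 && ah == 1) ? 1 : 0;
}

/* The two Part 1 forms must agree for every v in 0..0xFF (covers all three constants). */
int demorgan_forms_agree(void)
{
    for (uint32_t v = 0; v <= 0xFF; v++)
        if (dexter_first(v) != dexter_first_demorgan(v))
            return 0;
    return 1;
}

int main(void)
{
    printf("De Morgan forms agree: %d\n", demorgan_forms_agree());
    printf("wVersion 0x0102 accepted: %d\n", avzhan_version_ok(0x0102));
    return 0;
}
```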