Set a breakpoint on the tail jump and resume execution of the program.
compared to 0xF30D12A5 (arg_0) at . If the result is equal to 0xF30D12A5, the function returns 1, which causes the malware to terminate. In other words, sub_401000 takes the process name, turns it into a number, and then checks whether that number equals a preset value. sub_401000 is a simple string-hashing function. Given the parameter "vmware", it returns 0xF30D12A5. The malware cleverly uses a string hash to avoid including the string vmware in the comparison, which would have been easy pickings for the malware analyst.
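The analyst-side counterpart to this trick is to precompute hashes of likely strings and look up the constants pulled from the binary. The block below is an added example, not code from the book or from the lab binary: djb2 stands in for the unknown algorithm in sub_401000 (so it does not reproduce 0xF30D12A5; substitute the recovered routine), the candidate list is constructed, and lowercasing before hashing is an assumption about how process names are normalized.

```python
# Added example (not from the book or the lab binary): resolve string-hash
# constants found in a binary by hashing candidate strings ahead of time.
# ASSUMPTION: djb2 stands in for the malware's unknown hash routine, so the
# values below will not equal 0xF30D12A5; swap in the recovered algorithm.

def djb2(s: str) -> int:
    """32-bit djb2 string hash (stand-in for sub_401000's real algorithm)."""
    h = 5381
    for byte in s.encode("ascii"):
        h = (h * 33 + byte) & 0xFFFFFFFF
    return h

# Constructed candidate list: VMware process names plus a few ordinary ones,
# so a false match is as visible as a true one.
CANDIDATES = [
    "vmware", "vmwaretray", "vmwareuser", "vmwareservice",
    "explorer", "svchost", "notepad",
]

def build_hash_table(hash_fn, candidates):
    """Map hash value -> lowercase name. Lowercasing is an assumption about
    how the malware normalizes process names before hashing them."""
    table = {}
    for name in candidates:
        key = name.lower()
        table[hash_fn(key)] = key
    return table

def resolve_constant(constant, table):
    """Return the candidate string whose hash equals `constant`, or None."""
    return table.get(constant & 0xFFFFFFFF)

def resolve_constants(constants, hash_fn=djb2, candidates=CANDIDATES):
    """Resolve a list of 32-bit constants pulled out of compare instructions."""
    table = build_hash_table(hash_fn, candidates)
    return {c: resolve_constant(c, table) for c in constants}

if __name__ == "__main__":
    # Constructed "constants", as an analyst might collect them from cmp operands.
    sample = [djb2("vmware"), djb2("svchost"), 0xF30D12A5]
    for const, name in resolve_constants(sample).items():
        print(f"{const:#010x} -> {name}")
```

An unresolved constant (None) is the interesting case: it means either the candidate list is missing the string or the hash routine was recovered incorrectly, and the real algorithm should be checked against a known pair such as "vmware" and 0xF30D12A5.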
To permanently disable this final anti-VM check, we can NOP out the call to sub_401130 at 0x40145D. This forces the malware to skip the check and proceed directly to the process-replacement code, because the xor at in Listing 17-16L ensures that the EAX register will be 0.
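The same patch applied to the file rather than in the debugger is shown below as an added example (not the book's own tool). It assumes the call at 0x40145D is the 5-byte E8 rel32 form; the bytes around the call, the image base and the single-section layout are constructed stand-ins, and the rel32 value is chosen so that the constructed call lands on 0x401130.

```python
# Added example (not the book's own tool): replace the 5-byte near call at a
# given location with NOPs, after checking that a call is really there.
# ASSUMPTION: the call at 0x40145D is an E8 rel32 (5 bytes); a call through
# a register or memory operand has a different length and encoding.

NOP = 0x90
CALL_REL32 = 0xE8
CALL_LEN = 5

def va_to_file_offset(va, image_base, sections):
    """Translate a virtual address to a file offset via the PE section table.
    `sections` holds (virtual_address, virtual_size, pointer_to_raw_data,
    size_of_raw_data) tuples, with addresses given as RVAs."""
    rva = va - image_base
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} not inside any section")

def is_call_at(data, offset):
    """True if a 5-byte E8 call fits at `offset`."""
    return 0 <= offset and offset + CALL_LEN <= len(data) and data[offset] == CALL_REL32

def call_target(data, offset, va):
    """Target of the E8 call at `offset`; `va` is the call's own address."""
    rel = int.from_bytes(data[offset + 1:offset + CALL_LEN], "little", signed=True)
    return (va + CALL_LEN + rel) & 0xFFFFFFFF

def nop_out_call(data, offset):
    """Return a copy of `data` with the call at `offset` replaced by NOPs.
    Refuses to write if the bytes there are not an E8 call."""
    if not is_call_at(data, offset):
        raise ValueError(f"no E8 call at offset {offset:#x}")
    patched = bytearray(data)
    patched[offset:offset + CALL_LEN] = bytes([NOP] * CALL_LEN)
    return bytes(patched)

# Constructed bytes standing in for the code around 0x40145D:
#   xor eax, eax ; call sub_401130 ; test eax, eax
CALL_VA = 0x40145D
SAMPLE = bytes.fromhex("33c0") + bytes.fromhex("e8cefcffff") + bytes.fromhex("85c0")
CALL_OFFSET = 2  # position of the call inside SAMPLE

# Constructed single-section layout: .text at RVA 0x1000, raw data at 0x400.
IMAGE_BASE = 0x400000
SECTIONS = [(0x1000, 0x2000, 0x400, 0x2000)]

if __name__ == "__main__":
    print(f"call target: {call_target(SAMPLE, CALL_OFFSET, CALL_VA):#x}")
    print(f"file offset of call: {va_to_file_offset(CALL_VA, IMAGE_BASE, SECTIONS):#x}")
    print(nop_out_call(SAMPLE, CALL_OFFSET).hex())
```

Verifying the call target before patching catches the common mistake of computing the file offset from the wrong section, which would otherwise silently overwrite five unrelated bytes. Because the xor leaves EAX at 0, the NOPs change nothing else about the following test.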
Check the process listing for processes beginning with the string vmware in any combination of uppercase and lowercase letters.
Lab 18-1 Solutions
00409F49 DB 00
00409F4A DB 00
00409F4B DB 00
00409F4C DB 00
00409F4D DB 00
00409F4E DB 00
Lab 18-2 Solutions
First, we run PEiD on the Lab18-02.exe file, and we learn that the packer is FSG 1.0 -> dulek/xt. To unpack this program manually, we first load it into OllyDbg. Several warnings state that the file may be packed. Since we already know that, we just click through the warnings.
Listing 18-2L: Code at the OEP that has not been analyzed by OllyDbg
Depending on your version, OllyDbg may not have disassembled this code because it did not recognize it as code. This is fairly common and unpredictable when dealing with packed programs, and it can be a sign that the code belongs to the original program rather than to the unpacking stub.