CMSC449_A-3 (docx, 5 pages)
School: University of Maryland, Baltimore County
Course: 449
Subject: Computer Science
Date: Jan 9, 2024
Uploaded by ChefOryxMaster925
CMSC 449 Malware Analysis HW 3
Name: Ricky Kapoor
Assigned: 10/4/2023
Due: 10/13/2022 by 11:59pm

Hint 1: Chapters 4 and 6 of your Practical Malware Analysis textbook are very useful references!
Hint 2: If you're unsure about the instructions which use ESP and EBP, make sure to review the slides and recordings about the cdecl calling convention!

Part 1 (30 pts):

start:
    PUSH EBP
    MOV EBP, ESP
    MOV EDI, dword ptr [EBP+0x8]
    XOR EAX, EAX
    MOV AL, 0x20
    MOV ECX, 0xFFFFFFFF
    REPNE SCASB                ; Hint: which registers does this use?
    NEG ECX
    MOV EAX, ECX
    MOV ESI, dword ptr [EBP+0x8]
    MOV EDI, dword ptr [EBP+0xC]
    REP MOVSB
    MOV ESP, EBP
    POP EBP
    RETN

1) Explain what this assembly code does in a few sentences. (8 pts)

The function takes two pointers as cdecl arguments: [EBP+0x8] is the source buffer and [EBP+0xC] is the destination. After setting up the stack frame it loads the source pointer into EDI, puts the byte 0x20 (a space) in AL and sets ECX to 0xFFFFFFFF (-1). REPNE SCASB compares AL with the byte at [EDI], advances EDI and decrements ECX on every step, and stops after the first byte that equals 0x20 (or when ECX reaches zero). Because ECX started at -1 and is decremented once per byte examined, it ends at -(k+1), where k is the number of bytes examined including the space itself; NEG ECX turns that into k+1, which is also copied into EAX as the return value. ESI and EDI are then reloaded with the source and destination pointers and REP MOVSB copies ECX bytes from source to destination, after which the frame is torn down and the function returns. Net effect: the function copies everything up to and including the first space plus one more byte (index of the first space + 2 bytes in total), and returns that count. Nothing bounds the copy by the size of the destination, no terminator is written, and if the source contains no 0x20 the scan simply keeps reading past the end of the buffer until it happens to find one (or ECX wraps to zero after 4 GiB), so the number of bytes written is controlled entirely by the contents of the source.

2) Write a C function whose behavior is equivalent to the assembly code above. (10 pts)

    int function1(char *arg1, char *arg2)
    {
        unsigned char *edi = (unsigned char *)arg1;   /* MOV EDI, [EBP+0x8] */
        unsigned char al = 0x20;                      /* MOV AL, 0x20 */
        unsigned int ecx = 0xFFFFFFFF;                /* MOV ECX, 0xFFFFFFFF */

        /* REPNE SCASB: compare AL with [EDI], EDI++, ECX--; stop after a
         * byte matches AL or when ECX reaches 0 (ECX is decremented before
         * the test, so the matching byte is counted) */
        do {
            unsigned char b = *edi++;
            ecx--;
            if (b == al)
                break;
        } while (ecx != 0);

        ecx = -ecx;                     /* NEG ECX (unsigned wraparound) */
        int eax = (int)ecx;             /* MOV EAX, ECX: the return value */

        /* REP MOVSB: copy ECX bytes from [ESI] = arg1 to [EDI] = arg2 */
        for (unsigned int i = 0; i < ecx; i++)
            arg2[i] = arg1[i];

        return eax;
    }

    int main(void)
    {
        char arg1[] = "Malware Analysis";
        char arg2[256];
        function1(arg1, arg2);
        return 0;
    }

3) Let arg1 point to the string "Malware Analysis" and let arg2 point to an empty buffer. Code has been provided for you in the main() function above to do this. Answer the following:

a) When function1() returns, what is stored in the buffer that arg2 points to? (6 pts)

REPNE SCASB examines the bytes 'M', 'a', 'l', 'w', 'a', 'r', 'e' and then the space at index 7, which matches AL and ends the scan. That is 8 bytes examined, so ECX goes from -1 to -9 (0xFFFFFFF7), and NEG ECX makes it 9. REP MOVSB therefore copies 9 bytes, arg1[0] through arg1[8]: "Malware A" (the seven letters, the space and the 'A' of "Analysis"). No NUL terminator is written, so the remaining 247 bytes of arg2 keep whatever uninitialized contents they had before the call; if arg2 is printed as a C string, what follows "Malware A" is garbage.

b) What is the value that function1() returns? (6 pts)

The return value is EAX, which was loaded from ECX right after NEG ECX, before REP MOVSB runs ECX down to zero. As computed above, that is 9: the number of bytes copied, i.e. the index of the first space (7) plus 2. (The common strlen idiom uses NOT ECX; DEC ECX after REPNE SCASB, which would give 7 here; this function uses NEG instead, which gives 9.)

Part 2 (30 pts):

start:
    PUSH EBP
    MOV EBP, ESP
    MOV ECX, dword ptr [EBP+8]
    MOV ESI, dword ptr [EBP+0xC]
    MOV dword ptr [EBP-0x4], 0
    JMP loc_2
loc_1:
    MOV EAX, dword ptr [EBP-0x4]   ; Corrected from [EBP+0x4]
    ADD EAX, ECX
    MOV EDX, dword ptr [EAX]
    XOR EDX, ESI
    MOV byte ptr [EAX], DL
    ADD dword ptr [EBP-0x4], 0x1
loc_2:
    MOV EAX, dword ptr [EBP-0x4]
    CMP dword ptr [ECX + EAX], 0
    JNZ loc_1
    MOV ESP, EBP
    POP EBP
    RETN

4) Explain what this assembly code does in a few sentences. (8 pts)

ECX holds the first argument, a pointer to a buffer, and ESI holds the second, a 32-bit value. A counter kept at [EBP-0x4] starts at 0 (note that no stack space is reserved for it with SUB ESP, so it lives below ESP; this works only because nothing inside the loop pushes or calls). Each iteration loads the dword at ECX + counter, XORs it with ESI, writes back only the low byte (DL) and increments the counter; the loop ends when the value at the current position is zero. In effect every byte of the buffer is XORed in place with the low byte of the second argument until the terminator, which is single-byte XOR encoding or decoding depending on which way the data is going. On return EAX still holds the counter, i.e. the index of the terminator. Two details of the transcription worth noting: the loop test is CMP dword ptr, so strictly it stops only at four consecutive zero bytes and reads up to three bytes past the terminator, and the load at loc_1 is also a dword read; the intended behavior is clearly a byte-wise test, and the C version below uses that.

5) Write a C function whose behavior is equivalent to the above assembly code. (10 pts)

    int function2(char *arg1, int arg2)
    {
        int i = 0;                       /* MOV dword ptr [EBP-0x4], 0 */
        while (arg1[i] != '\0') {        /* loc_2: CMP [ECX+EAX], 0 / JNZ loc_1 */
            arg1[i] ^= (char)arg2;       /* XOR EDX, ESI; MOV byte ptr [EAX], DL:
                                            only the low byte of arg2 is stored */
            i++;                         /* ADD dword ptr [EBP-0x4], 1 */
        }
        return i;                        /* EAX holds the counter on return */
    }

    int main(void)
    {
        char arg1[] = "\xef\xf9\xe3\xb1\xe4\xf3\xb6\xf7\xf8\xb6\xf7\xe5\xe5\xf3"
                      "\xfb\xf4\xfa\xef\xb6\xfb\xf7\xe5\xe2\xf3\xe4\xb7\x96";
        int arg2 = 0x96;
        function2(arg1, arg2);
        return 0;
    }

6) Let arg1 be a pointer to the string "\xef\xf9\xe3\xb1\xe4\xf3\xb6\xf7\xf8\xb6\xf7\xe5\xe5\xf3\xfb\xf4\xfa\xef\xb6\xfb\xf7\xe5\xe2\xf3\xe4\xb7\x96" and let arg2 be the hexadecimal integer 0x96. This has been provided for you in the main() function above. (Note that arg1 has been corrected!) Answer the following questions:

a) When function2() returns, what is the value of the string that arg1 points to? (8 pts)

XORing each byte with 0x96 (for example 0xef ^ 0x96 = 0x79 'y', 0xf9 ^ 0x96 = 0x6f 'o', 0xe3 ^ 0x96 = 0x75 'u', 0xb1 ^ 0x96 = 0x27 the apostrophe, 0xb6 ^ 0x96 = 0x20 a space) gives "you're an assembly master!". The 27th byte, 0x96, is XORed with itself and becomes 0x00, so arg1 now reads as the 26-character string "you're an assembly master!" followed by a NUL at index 26 (and the original terminator at index 27).

b) What value does function2() return? (4 pts)

27. The loop XORs indices 0 through 26 (the original byte at index 26 is 0x96, nonzero, so it is processed) and stops when it sees the original terminator at index 27; the counter, returned in EAX, is 27.

Part 3 (40 pts):

start:
    PUSH EBP
    MOV EBP, ESP
    MOV EBX, 1
    MOV ECX, dword ptr [EBP+0x8]
    MOV ESI, dword ptr [EBP+0xC]
    MOV EDI, dword ptr [EBP+0x10]
    MOV EAX, ECX
    XOR EDX, EDX
    DIV EDI
    MOV ECX, EDX
loc_1:
    CMP ESI, 0
    JZ loc_4
    MOV EDX, ESI
    AND EDX, 0x1
    CMP EDX, 0x1
    JNZ loc_3
loc_2:
    MOV EAX, ECX
    MUL EBX
    DIV EDI
    MOV EBX, EDX
loc_3:
    SHR ESI, 1
    MOV EAX, ECX
    MUL EAX
    DIV EDI
    MOV ECX, EDX
loc_4:
    MOV EAX, EBX
    MOV ESP, EBP
    POP EBP
    RETN

7) Explain what this function does in a few sentences. (10 pts)

This is right-to-left binary (square-and-multiply) modular exponentiation: with c = arg1 ([EBP+0x8]), d = arg2 ([EBP+0xC]) and n = arg3 ([EBP+0x10]) it computes c^d mod n, the operation at the heart of RSA and Diffie-Hellman. EBX is the accumulator and starts at 1; ECX holds the running power c^(2^i) mod n, after c is first reduced mod n; ESI is the exponent and is shifted right one bit per iteration; EDI is the modulus. When the low bit of ESI is 1, loc_2 multiplies the accumulator by the running power and reduces it; loc_3 then squares the running power and reduces it. MUL leaves a full 64-bit product in EDX:EAX and DIV EDI divides that 64-bit value, so intermediate products never overflow even when n is close to 2^32; both instructions are unsigned, so the arguments are treated as unsigned 32-bit integers, and n = 0 raises a divide error. The result is returned in EAX. One caveat about the listing as transcribed: there is no JMP loc_1 after MOV ECX, EDX at the end of loc_3, so taken literally the body runs once and falls into loc_4; the loc_1 test and loc_4 exit only make sense with that back-edge, and the C version assumes it.

8) Write a C function whose behavior is equivalent to the above assembly code. (Hint: be very careful about variables which store 32-bit or 64-bit values. Use int for 32-bit integers and long long int for 64-bit integers) (15 pts)

    /* unsigned types because MUL and DIV are the unsigned forms; the 64-bit
     * variable stands in for the EDX:EAX pair that MUL produces and DIV consumes */
    unsigned int function3(unsigned int c, unsigned int d, unsigned int n)
    {
        unsigned int ebx = 1;               /* MOV EBX, 1 */
        unsigned int edi = n;               /* MOV EDI, [EBP+0x10]; must be nonzero */
        unsigned int esi = d;               /* MOV ESI, [EBP+0xC] */
        unsigned int ecx = c % edi;         /* MOV EAX, ECX; XOR EDX, EDX; DIV EDI; MOV ECX, EDX */
        unsigned long long edx_eax;         /* 64-bit product from MUL */

        while (esi != 0) {                  /* loc_1: CMP ESI, 0 / JZ loc_4 */
            if (esi & 1) {                  /* AND EDX, 1 / CMP EDX, 1 / JNZ loc_3 */
                edx_eax = (unsigned long long)ecx * ebx;    /* loc_2: MUL EBX */
                ebx = (unsigned int)(edx_eax % edi);        /* DIV EDI; MOV EBX, EDX */
            }
            esi >>= 1;                      /* loc_3: SHR ESI, 1 */
            edx_eax = (unsigned long long)ecx * ecx;        /* MUL EAX */
            ecx = (unsigned int)(edx_eax % edi);            /* DIV EDI; MOV ECX, EDX */
        }
        return ebx;                         /* loc_4: MOV EAX, EBX */
    }

    int main(void)
    {
        unsigned int c = 16775;
        unsigned int d = 10497;
        unsigned int n = 45349;
        function3(c, d, n);
        return 0;
    }

9) Call function3() with c = 16775, d = 10497, and n = 45349. This has been given to you in the main() function above. What value does the function return? (15 pts)

12345. The modulus factors as 45349 = 101 * 449, so the result can be checked with the Chinese remainder theorem instead of running the whole loop by hand. Mod 101: 16775 = 9 (mod 101) and the exponent reduces to 10497 mod 100 = 97, and 9^97 = 9^(-3) mod 101 (because 9^100 = 1) = inverse of 729 mod 101 = inverse of 22 = 23. Mod 449: 16775 = 162 (mod 449), the exponent reduces to 10497 mod 448 = 193, and 162^16 = 5 (mod 449), so 162^193 = 5^12 * 162 = 18 * 162 = 222 (mod 449). Combining m = 23 (mod 101) and m = 222 (mod 449) gives m = 222 + 449 * 27 = 12345, which is consistent with both (12345 = 101 * 122 + 23 and 12345 = 449 * 27 + 222). With these inputs every intermediate product is below 45349^2, which fits in 32 bits, so the hint about 64-bit intermediates does not change the answer here, but a C translation that multiplies in 32 bits will silently return wrong values as soon as n exceeds 2^16.
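The count produced by the REPNE SCASB sequence in Part 1 is the part of this homework that is easiest to get wrong, so the following is an added example (not part of the original submission) that emulates the instruction as the Intel SDM describes its loop and compares the NEG idiom used in Part 1 with the classic NOT/DEC strlen idiom. The `limit` parameter is an assumption of the emulator only: real hardware has no such bound and keeps scanning past the buffer when the delimiter is absent.

```c
#include <stddef.h>
#include <stdint.h>

/* Emulates the REPNE SCASB loop: while ECX != 0, compare AL with the byte at
 * [EDI], advance EDI, decrement ECX, then stop if ECX hit 0 or the byte
 * matched (ZF = 1). `limit` is an assumption of this emulator, not of the
 * hardware: it stops the scan at the end of the buffer instead of reading
 * beyond it. Returns the final ECX and stores the number of bytes examined. */
static uint32_t repne_scasb(const uint8_t *edi, size_t limit, uint8_t al,
                            uint32_t ecx, size_t *examined)
{
    size_t i = 0;
    while (ecx != 0 && i < limit) {
        uint8_t b = edi[i++];
        ecx--;
        if (ecx == 0 || b == al)
            break;
    }
    *examined = i;
    return ecx;
}

/* The sequence in Part 1: MOV ECX, -1 / REPNE SCASB / NEG ECX.
 * Yields (bytes examined, delimiter included) + 1. */
uint32_t count_neg_idiom(const char *s, size_t len, uint8_t delim)
{
    size_t n;
    uint32_t ecx = repne_scasb((const uint8_t *)s, len, delim, 0xFFFFFFFFu, &n);
    return 0u - ecx;                      /* NEG ECX */
}

/* The classic strlen idiom: MOV ECX, -1 / REPNE SCASB / NOT ECX / DEC ECX.
 * Yields the number of bytes before the delimiter. */
uint32_t count_strlen_idiom(const char *s, size_t len, uint8_t delim)
{
    size_t n;
    uint32_t ecx = repne_scasb((const uint8_t *)s, len, delim, 0xFFFFFFFFu, &n);
    return ~ecx - 1u;                     /* NOT ECX; DEC ECX */
}

/* 1 if the scan stopped on `delim`, 0 if it reached the end of the buffer
 * without finding it (where real hardware would keep reading). */
int delim_found(const char *s, size_t len, uint8_t delim)
{
    size_t n;
    repne_scasb((const uint8_t *)s, len, delim, 0xFFFFFFFFu, &n);
    return n > 0 && (uint8_t)s[n - 1] == delim;
}
```

On "Malware Analysis" the NEG idiom gives 9 and the strlen idiom gives 7; on a buffer with no space at all, `delim_found` reports 0 while the count still comes back as buffer length + 1, which is exactly the situation in which Part 1's REP MOVSB writes past what the caller intended.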
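Part 2 hands the analyst the XOR key; in a real sample the key usually has to be recovered from the encoded bytes. The following is an added example (not part of the original submission) that brute-forces all 256 single-byte keys over the Part 2 bytes and picks the candidate whose output looks most like English text. The scoring weights are an assumption chosen for this demonstration, not a standard heuristic, and the 256-byte scratch buffer limits the input length.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed input: the 27 encoded bytes given in Part 2 of the homework. */
static const uint8_t ENCODED[] =
    "\xef\xf9\xe3\xb1\xe4\xf3\xb6\xf7\xf8\xb6\xf7\xe5\xe5\xf3"
    "\xfb\xf4\xfa\xef\xb6\xfb\xf7\xe5\xe2\xf3\xe4\xb7\x96";
#define ENCODED_LEN (sizeof(ENCODED) - 1)

/* Same transform as function2, but out of place: XOR every byte with key
 * into out, which must hold inlen + 1 bytes; the result is NUL-terminated. */
void xor_decode(const uint8_t *in, size_t inlen, uint8_t key, char *out)
{
    for (size_t i = 0; i < inlen; i++)
        out[i] = (char)(in[i] ^ key);
    out[inlen] = '\0';
}

/* Plausibility score for a candidate plaintext (assumed weights): letters and
 * spaces count most, other printable ASCII a little, NUL nothing (the Part 2
 * string ends in a byte equal to the key, which decodes to a terminator), and
 * anything else is penalised hard. */
static int score(const char *buf, size_t len)
{
    int s = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (isalpha(c) || c == ' ')
            s += 2;
        else if (c == '\0')
            s += 0;
        else if (isprint(c))
            s += 1;
        else
            s -= 10;
    }
    return s;
}

/* Try all 256 single-byte keys and return the one with the best score.
 * Returns 0 for inputs that do not fit the scratch buffer. */
uint8_t recover_xor_key(const uint8_t *in, size_t inlen)
{
    char buf[256];                        /* assumption: inputs under 256 bytes */
    int best = 0;
    uint8_t best_key = 0;

    if (inlen >= sizeof buf)
        return 0;
    for (int k = 0; k < 256; k++) {
        xor_decode(in, inlen, (uint8_t)k, buf);
        int s = score(buf, inlen);
        if (k == 0 || s > best) {
            best = s;
            best_key = (uint8_t)k;
        }
    }
    return best_key;
}

/* Convenience wrappers over the Part 2 bytes. */
uint8_t part2_key(void)
{
    return recover_xor_key(ENCODED, ENCODED_LEN);
}

const char *part2_plaintext(void)
{
    static char out[sizeof ENCODED];      /* 27 decoded bytes plus NUL */
    xor_decode(ENCODED, ENCODED_LEN, part2_key(), out);
    return out;
}
```

The recovered key is 0x96 and the plaintext is "you're an assembly master!". A plain "all bytes printable" test is not enough here: key 0xd6 also turns every byte into printable ASCII, which is why the scorer rewards letters and spaces rather than merely printability.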
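The hint in Part 3 about 32-bit versus 64-bit values is the practical point of that exercise, so here is an added example (not part of the original submission) that implements the routine twice, once keeping the MUL product in 64 bits as the assembly does and once with 32-bit products as a careless C translation would, and checks the homework value independently through the Chinese remainder theorem using the factorization 45349 = 101 * 449. The modulus 4294967291 in the usage note is simply a value near 2^32 chosen for this demonstration.

```c
#include <stdint.h>

/* Square-and-multiply exactly as the Part 3 routine does it, with the
 * MUL -> EDX:EAX product kept in 64 bits before DIV reduces it.
 * n must be nonzero (DIV by zero raises #DE on real hardware). */
uint32_t modexp32(uint32_t c, uint32_t d, uint32_t n)
{
    uint32_t result = 1;
    c %= n;
    while (d != 0) {
        if (d & 1)
            result = (uint32_t)(((uint64_t)result * c) % n);
        d >>= 1;
        c = (uint32_t)(((uint64_t)c * c) % n);
    }
    return result;
}

/* The same loop with 32-bit products, i.e. what a translation gets if it
 * ignores the hint. Correct while n < 2^16; silently wrong once a product
 * can exceed 2^32, because the wraparound happens before the modulo. */
uint32_t modexp32_truncated(uint32_t c, uint32_t d, uint32_t n)
{
    uint32_t result = 1;
    c %= n;
    while (d != 0) {
        if (d & 1)
            result = (result * c) % n;
        d >>= 1;
        c = (c * c) % n;
    }
    return result;
}

/* Independent check of c^d mod (p*q) via the CRT: reduce the exponent mod
 * p-1 and q-1 (Fermat), then recombine with Garner's formula. Assumes p and
 * q are distinct primes and c is not a multiple of either. */
uint32_t modexp_crt(uint32_t c, uint32_t d, uint32_t p, uint32_t q)
{
    uint32_t dp = d % (p - 1), dq = d % (q - 1);
    if (dp == 0 && d != 0) dp = p - 1;    /* c^(p-1) = 1, not c^0, for d > 0 */
    if (dq == 0 && d != 0) dq = q - 1;
    uint32_t mp = modexp32(c % p, dp, p);
    uint32_t mq = modexp32(c % q, dq, q);
    uint32_t qinv = modexp32(q % p, p - 2, p);          /* q^-1 mod p by Fermat */
    uint32_t h = (uint32_t)(((uint64_t)((mp + p - mq % p) % p) * qinv) % p);
    return mq + q * h;                                  /* < p*q, no overflow */
}
```

With the homework inputs both loops return 12345 and `modexp_crt(16775, 10497, 101, 449)` agrees, because no product exceeds 45349^2. With c = 65537, d = 2 and n = 4294967291 the correct value is 131078 while the 32-bit version returns 131073: 65537^2 = 2^32 + 131073 loses its top bit before the reduction, which is the bug the assignment's hint is warning about.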