live_dont_exist
April 4th, 2012, 08:26
Hi All,
I was reversing a piece of malware keeping in mind the tips in the previous thread ("http://www.woodmann.com/forum/showthread.php?14500-Static-Disassembly-Best-way-forward&p=92152#post92152") I started and have come a long way thanks to that.
While reversing, however, I came upon an interesting thing. The Entry Point of the program seemed to be detected differently in Olly 2.01 and IDA Pro. Olly was configured to stop on WinMain if it was known, but it seemed to stop at a point much earlier than IDA did.
So I'm saying... Olly stopped at 404EDD while IDA stopped at 403D50. Now the interesting thing was, if I started at the Entry Point detected by Olly and worked my way forward from there, I eventually arrived at 403D50 [the IDA entry point] and then everything is similar. Also, all that code up to 403D50 did not seem to be too important from a "malware behavior" perspective.
So it seems that there is some intelligence built into IDA which is detecting known assembly code and not "showing" it to the user directly, giving him a better point to start analyzing from.
Could someone confirm this behaviour please? What is correct and why?
Thanks
Arvind
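The address the two tools disagree about can be checked against what the file itself declares: the PE optional header's AddressOfEntryPoint (relative to ImageBase) is where a debugger breaking at "the entry point" lands, while a disassembler that recognises the compiler's startup stub may instead present WinMain further into the code. The following is an added example (not code from the thread or from either tool) that parses that field for both PE32 and PE32+ headers; the sample header it builds is constructed, with ImageBase 0x400000 and RVA 0x4EDD chosen only to mirror the post's 404EDD address, which is an assumption about that particular sample rather than something the thread confirms.

```python
import struct

# Minimal PE header parser: reports the entry point that the file itself
# declares (AddressOfEntryPoint, relative to ImageBase). A debugger told to
# break at "the entry point" lands here; a disassembler that recognises the
# compiler's startup stub may instead show WinMain, further into the code.

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_entry_point(data: bytes) -> dict:
    """Return the declared entry point of a PE image as RVA, ImageBase and VA."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {"entry_rva": entry_rva, "image_base": image_base,
            "entry_va": image_base + entry_rva}


def build_sample_pe32(entry_rva: int, image_base: int) -> bytes:
    """Constructed minimal PE32 header (headers only, not a runnable executable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    # Machine=i386, 1 section, no timestamp/symbols, 224-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase (PE32 layout)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed values mirroring the post: base 0x400000 + RVA 0x4EDD = 0x404EDD
    info = parse_entry_point(build_sample_pe32(0x4EDD, 0x400000))
    print(f"declared entry point: {info['entry_va']:#x}")
```

Run the parser over the real sample's bytes to see which of the two addresses matches the declared entry point; the other is then a tool-chosen starting point rather than the file's.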