Lab 7: Loops
Overview
The purpose of this exercise is to help you recognize loops in disassembled code and identify their parts: the initialization, the stopping condition, the control variable, the update of that variable, and the loop body.
Getting Started
You will need to load the malware specimens into IDA Pro. To go to a specific address press G.
Hint
To help identify the loops, look for backwards jumps: a jump (conditional or unconditional) whose target is at a lower address than the jump itself. In IDA's listing these show up as arrows pointing back up the code.
Part 1: NetWiredRC (First Loop)
For this exercise examine the netwiredrc malware (found at
c:\malware\netwiredrc\netwiredrc.exe).
There is a loop somewhere in the address range 0x00408D5A to
0x00408DBC.
Question 1.1
Identify the addresses and instructions of the stopping condition
Answer
The cmp [ebp+var_C], 13h at address 0x408DB6, and the
jle short loc_408D6E at address 0x408DBA (the cmp is four bytes long, so
the jump immediately follows it; the two cannot share an address). The
jump is taken back to loc_408D6E while var_C is still less than or equal to
13h (19 decimal); when var_C reaches 14h the jump falls through and the loop
ends. Note that jle is a signed comparison.
Question 1.2
Identify the address and instruction that updates the control variable
Answer
The add [ebp+var_C], 1 at address 0x408DAE, which increments the counter by one on every iteration.
Question 1.3
Identify the control variables
Answer
[ebp+var_C], the local variable IDA named var_C (the stack slot at ebp-0Ch).
Question 1.4
Identify the addresses and instructions of the loop initialization
Answer
The mov [ebp+var_C], 0 at address 0x408D5E, which sets the counter to zero before the loop is entered.
Question 1.5
Identify the address range for the body of the loop
Answer
0x408D6E to 0x408DB2 (some people may count the instructions up to
0x408DBA, that is, the update and the compare, as part of the body as well;
where exactly the body ends is a matter of convention).
Part 2: NetWiredRC (Second Loop)
For this exercise examine the netwiredrc malware (found at
c:\malware\netwiredrc\netwiredrc.exe).
There is a loop somewhere in the address range 0x0040B494 to
0x0040B4B5.
Hint
The lea instruction is increasing the value of the EAX register by one.
Unlike add or inc, lea does not modify the flags register, so the flags set by
a cmp before it are still intact for a conditional jump after it.
Question 2.1
Identify the addresses and instructions of the stopping condition
Answer
The cmp [edx+eax], bl at address 0x40B4A8, and the
jz short loc_40B49F at address 0x40B4AE. The jz tests the flags the cmp
set (the lea in between leaves them untouched): it jumps back while the byte
at [edx+eax] equals BL and falls through, ending the loop, as soon as they
differ.
Question 2.2
Identify the address and instruction that updates the control variable
Answer
The lea eax, [eax+1] at address 0x40B4AB, which does the same as inc eax but without altering the flags.
Question 2.3
Identify the control variables
Answer
The EAX register, used as the index into the buffer at EDX.
Question 2.4
Identify the addresses and instructions of the loop initialization
Answer
The xor eax, eax at address 0x40B499, which zeroes EAX (the usual compiler idiom for mov eax, 0) before the loop is entered.
Question 2.5
Identify the address range for the body of the loop
Answer
0x40B49F to 0x40B4A5 (some people may consider the instructions up to
0x40B4AE as part of the body).
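Added worked example, not part of the lab and not IDA's own tooling: a small
loop finder in plain Python that applies the lab's hint (look for backwards
jumps) to an IDA-style text listing and then picks out the condition, update,
control variable and initialization the questions in Part 1 and Part 2 ask
for. The three listings it runs on are constructed for illustration: they
reproduce the instructions and addresses the answers above quote (the jle in
Part 1 placed at 0x408DBA, four bytes after its cmp), '...' marks instructions
of the real listing not reproduced, and lines marked 'constructed' are filler
that does not come from the NetWiredRC sample. The third listing goes beyond
the lab to the dec/jnz idiom, where one instruction is both update and
condition. Function and constant names are the example's own.

```python
"""Backward-jump loop finder for IDA-style text listings (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Insn:
    addr: int
    mnem: str
    ops: List[str]

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{6,8})\s+([a-z]+)\s*(.*?)\s*(?:;.*)?$")
LOC_RE = re.compile(r"loc_([0-9A-Fa-f]+)")
REG_RE = re.compile(r"\b(e?[abcd]x|e?[sd]i|e?[bs]p|[abcd][lh])\b")

FLAG_SETTERS = {"cmp", "test", "sub", "add", "inc", "dec", "and", "or", "xor", "neg"}
FLAG_NEUTRAL = {"mov", "lea", "movzx", "movsx", "push", "pop", "nop", "xchg"}  # leave EFLAGS alone
UPDATERS = {"add", "sub", "inc", "dec", "lea"}          # typical control-variable updates
INITIALIZERS = {"mov", "xor", "lea", "sub", "and"}      # typical ways to set an initial value

def parse_listing(text: str) -> List[Insn]:
    """Parse 'ADDR  mnem  operands ; comment' lines; labels and '...' lines are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ops = [o.strip() for o in m.group(3).split(",")] if m.group(3) else []
            insns.append(Insn(int(m.group(1), 16), m.group(2), ops))
    return insns

def names_in(op: str) -> set:
    """The operand itself plus any register used inside a memory operand like [edx+eax]."""
    return {op} | (set(REG_RE.findall(op)) if op.startswith("[") else set())

def find_loops(insns: List[Insn]) -> List[dict]:
    """Every backward jump is a loop: report header, jump, condition, update, control, init."""
    index = {insn.addr: n for n, insn in enumerate(insns)}
    loops = []
    for n, jmp in enumerate(insns):
        m = LOC_RE.search(jmp.ops[0]) if jmp.mnem.startswith("j") and jmp.ops else None
        if not m:
            continue
        target = int(m.group(1), 16)
        if target >= jmp.addr or target not in index:
            continue                      # forward jump, or target outside the listing
        head = index[target]
        body = insns[head:n]              # header through the instruction before the jump
        cond: Optional[Insn] = None
        for insn in reversed(body):       # nearest flag-setting instruction before the jump
            if insn.mnem in FLAG_SETTERS:
                cond = insn
                break
            if insn.mnem not in FLAG_NEUTRAL:
                break                     # something else may have clobbered the flags
        names = set().union(*(names_in(o) for o in cond.ops)) if cond else set()
        update = next((i for i in body if i.mnem in UPDATERS and i.ops and i.ops[0] in names), None)
        ctrl = update.ops[0] if update else None
        init = next((i for i in reversed(insns[:head])
                     if i.mnem in INITIALIZERS and i.ops and i.ops[0] == ctrl), None)
        loops.append({"header": target, "jump": jmp, "condition": cond,
                      "update": update, "control": ctrl, "init": init})
    return loops

def fmt(insn: Optional[Insn]) -> Optional[str]:
    return None if insn is None else f"{insn.addr:X}: {insn.mnem} {', '.join(insn.ops)}".rstrip()

def summarize(text: str) -> List[dict]:
    """Run the finder over a listing and report each part as 'ADDR: instruction'."""
    return [{"header": f"{lp['header']:X}", "jump": fmt(lp["jump"]),
             "condition": fmt(lp["condition"]), "update": fmt(lp["update"]),
             "control": lp["control"], "init": fmt(lp["init"])}
            for lp in find_loops(parse_listing(text))]

# Constructed listings. Quoted instructions follow the lab answers; '...' = not reproduced.
PART1 = """
00408D5E  mov     [ebp+var_C], 0          ; loop initialization
...
loc_408D6E:
00408D6E  mov     eax, [ebp+var_C]        ; constructed body instruction
00408D71  push    eax                     ; constructed body instruction
...
00408DAE  add     [ebp+var_C], 1          ; control-variable update
...
00408DB6  cmp     [ebp+var_C], 13h        ; stopping condition
00408DBA  jle     short loc_408D6E        ; backward jump, taken while var_C <= 13h
"""
PART2 = """
0040B499  xor     eax, eax                ; loop initialization
...
loc_40B49F:
0040B49F  mov     cl, [edx+eax]           ; constructed body instruction
0040B4A2  mov     [esi+eax], cl           ; constructed body instruction
...
0040B4A8  cmp     [edx+eax], bl           ; stopping condition sets the flags
0040B4AB  lea     eax, [eax+1]            ; update without touching the flags
0040B4AE  jz      short loc_40B49F        ; backward jump tests the cmp result
"""
COUNTDOWN = """
00401000  mov     ecx, 10h                ; constructed: dec/jnz idiom, 16 iterations
loc_401005:
00401005  lodsb                           ; constructed body
00401006  stosb                           ; constructed body
00401007  dec     ecx                     ; update and condition in one instruction
00401008  jnz     short loc_401005
"""

if __name__ == "__main__":
    for name, text in (("Part 1", PART1), ("Part 2", PART2), ("dec/jnz", COUNTDOWN)):
        for lp in summarize(text):
            print(name, lp)
```

The walk backwards from the jump is what makes Part 2 work: lea is in the
flag-neutral set, so the finder skips over it and correctly attributes the jz
to the cmp two instructions earlier. In the dec/jnz listing the same walk
stops at dec, which is then reported as both the condition and the update.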