💀 Expert

Code Analysis & Assembly

When static analysis hits a wall and dynamic analysis is thwarted by anti-vm checks, you must dive into the code itself. This requires reading the raw instructions the CPU executes.

The Portable Executable (PE) Format

Before reading code, you must understand where it lives. Windows executables follow the PE format.

DOS Header

Starts with "MZ". Legacy support.

DOS Stub

"This program cannot be run in DOS mode."

PE Header

Starts with "PE". Architecture, Timestamp.

Optional Header

Entry Point, Image Base, Subsystem.

Section Table

Headers for .text, .data, etc.

.text Section

Executable Code (Instructions).

.data / .rdata

Global Variables, Imports, Constants.

.rsrc Section

Icons, Images, Strings, Version Info.

.reloc Section

Relocation information for ASLR.

React Flow

x86/x64 Assembly Crash Course

Registers (The CPU's Workspace)

EAX/RAX: Accumulator. Used for arithmetic and return values.
EBX/RBX: Base. General purpose.
ECX/RCX: Counter. Used in loops.
ESP/RSP: Stack Pointer. Points to the top of the stack.
EIP/RIP: Instruction Pointer. Points to the next instruction to execute.

Common Instructions

MOV dst, src: Copy data from src to dst.
PUSH/POP: Add/Remove values from the stack.
ADD/SUB: Arithmetic operations.
CMP a, b: Compare two values (sets flags).
JZ/JNZ: Jump if Zero / Jump if Not Zero (based on CMP).
CALL: Execute a function.

Tool: Ghidra (The Decompiler)

Ghidra is an NSA-developed reverse engineering suite. It translates assembly back into C-like pseudocode, making it much easier to understand logic.

Basic Workflow

New Project: File > New Project > Non-Shared.
Import File: Drag and drop your malware sample.
Analyze: Double click the file to open the CodeBrowser. When asked to analyze, click "Yes" and use defaults.
Decompile: Click on a function in the "Symbol Tree" (on the left). The "Decompiler" window (on the right) will show the C code.
Rename Variables: Right-click a variable like iVar1 and select "Rename Variable" to give it a meaningful name based on context.

Tool: x64dbg (The Debugger)

While Ghidra is for static analysis, x64dbg allows you to step through the code while it runs.

Debugging Steps

Open: File > Open > Select your malware.
Entry Point: The debugger will pause at the "System Breakpoint". Press F9 (Run) once to reach the "Entry Point" of the malware.
Stepping:
- F7 (Step Into): Go inside a function call.
- F8 (Step Over): Execute the function but don't go inside it.
Breakpoints: Press F2 on a line to toggle a breakpoint. The execution will stop there.
Modifying Execution: You can double-click the Z-flag (Zero Flag) in the registers view to flip it, forcing a JZ/JNZ jump to go the other way. This is great for bypassing checks!