🔍 Mock Test 1: Malware Analysis

A Beginner's Guide to Reverse Engineering with IDA

Learn how to analyze mock_1.exe step by step

📚 Table of Contents

1. Introduction - What You'll Learn 🎯

Welcome! This tutorial teaches you how to analyze malware like a professional. You'll learn:

  • ✅ How to use IDA Pro (the industry-standard tool)
  • ✅ How to read assembly code and opcodes
  • ✅ How to identify encryption algorithms
  • ✅ How to decrypt encrypted files
  • ✅ How to answer exam questions with proper citations
⏱️ Time Limit: 2 hours (exam simulation)
📁 Binary: mock_1.exe
🎯 Goal: Understand encryption and decrypt Settings.ini

What is mock_1.exe?

It's a Windows program that:

  1. Reads a file called input.txt
  2. Picks one of 7 key files (key0 to key6) based on the day of the week
  3. Encrypts the input using a simple cipher
  4. Writes the result to output.txt

2. Setup - Getting Started with IDA 🛠️

Files You Need:

File Description Size
mock_1.exe The malware binary we're analyzing 9.5 KB
Settings.ini Encrypted message (our target!) 20 bytes
key0 - key7 Key files (8 files total) Various
mock_1.c Source code (for reference) 2.4 KB

Step 1: Verify the Binary

md5sum mock_1.exe # Expected: b184c31f067377516da9f4d2228ee8c9

Step 2: Open in IDA Free

1 Launch IDA Free (or IDA Pro)
2 File → Open and select mock_1.exe
3 Accept all defaults in the dialog boxes
4 Wait for auto-analysis - Look for "Idle" in bottom left
💡 Pro Tip: IDA analyzes the binary automatically. Once you see "Idle", it's ready!

3. Static Analysis Basics 🔍

Before opening IDA, let's gather basic information:

File Type Analysis

$ file mock_1.exe mock_1.exe: PE32 executable (console) Intel 80386

What this means: It's a 32-bit Windows executable

String Analysis

$ strings mock_1.exe | grep key key0 key1 key2 key3 key4 key5 key6
⚠️ Important Finding: Only key0-key6 are mentioned! key7 is NOT used by the program!

Encrypted File Analysis

$ xxd -l 20 Settings.ini 00000000: 196a 38fd 68be 2075 57dc 42cb 5168 5f72 .j8.h. uW.B.Qh_r 00000010: 76f0 7526 v.u&

This is our encrypted message - 20 bytes of gibberish!

Which Key Was Used?

$ stat Settings.ini | grep Modify Modify: 2016-02-05 08:07:20

February 5, 2016 was a Friday

Friday = Day 5 = key5 was used!

4. IDA Pro Basics for Beginners 🎓

Essential IDA Hotkeys

Key Function What It Shows
Shift+F12 Strings Window All text strings in the program
Shift+F3 Functions Window List of all functions
X Cross-References Where is this item used?
Space Graph/Text View Toggle between views
F5 Decompile Convert to C-like code
G Jump to Address Go to specific location

Understanding Assembly Code

Address Opcode Instruction Comment -------- ---------- ---------------- ----------------- 00401234 mov eax, 5 Move 5 into EAX EAX = 5 00401239 add eax, 3 Add 3 to EAX EAX = 5 + 3 = 8 0040123E call func Call a function Jump to func
💡 Reading Assembly:
  • Address: Where the instruction is located in memory
  • Opcode: The actual machine code (in hex)
  • Instruction: Human-readable assembly command
  • Comment: IDA's notes (or your own)

Common Instructions You'll See

Instruction Meaning Example
mov Move/Copy data mov eax, 5 → EAX = 5
add Addition add eax, ebx → EAX = EAX + EBX
sub Subtraction sub eax, 10 → EAX = EAX - 10
cmp Compare cmp eax, 6 → Compare EAX with 6
call Call function call _time → Call time()
jmp Jump jmp loc_401234 → Go to address

5. Question 1a: How Key Files Are Used 📂

📝 EXAM QUESTION:
State how mock_1.exe uses the key files (key0 … key7). Cite relevant opcodes to support your claims.

Finding the Answer in IDA - Step by Step

1 Open Strings Window
Press Shift+F12 to see all strings
2 Find Key Strings
Look for "key0", "key1", etc. in the list
Address String --------- ------ 0x004040D0 "key0" 0x004040D5 "key1" 0x004040DA "key2" 0x004040DF "key3" 0x004040E4 "key4" 0x004040E9 "key5" 0x004040EE "key6"
❗ Critical Finding: Only 7 strings! key7 is NOT present in the code!
3 Find Where "key0" is Used
Double-click on "key0" → Press X for cross-references
4 Look for stat() Function
You'll find code that calls _stat to get file size
; Check file size mov [esp], offset aKey0 ; "key0" call sub_4014B8 ; fsize() function ; Inside fsize(): 004014CB call _stat ; ← Get file info!
🎯 Opcode to Cite: call _stat at address 0x004014CB
5 Find the SWITCH Statement
Keep scrolling to find time-related functions
004015F1 call _time ; Get current time 004015FD call _localtime ; Convert to local time 00401602 mov eax, [eax+18h] ; Access tm_wday! 0040160B cmp eax, 6 ; Compare with 6

Understanding the SWITCH Statement

┌─────────────────┐ │ Get Day (0-6) │ └────────┬────────┘ │ ┌────────▼────────┐ │ Compare ≤ 6? │ └────────┬────────┘ │ ┌─────────────┼─────────────┐ │ │ │ Day 0 Day 1 Day 2 ... Day 6 │ │ │ │ key0 key1 key2 ... key6

✅ ANSWER TO QUESTION 1a:

mock_1.exe uses key files as follows:

  1. File Size Checking:
    • All key files (key0-key6) are accessed via stat()
    • Opcode: call _stat at 0x004014CB
    • Purpose: Get file size for each key file
  2. Key Selection:
    • Only key0-key6 are referenced (7 files)
    • key7 is never used (no string reference)
    • String addresses: 0x004040D0 through 0x004040EE
  3. SWITCH-CASE Structure:
    • Uses jump table for efficient selection
    • Opcode: cmp eax, 6 at 0x0040160B
    • Handles cases 0-6 only

6. Question 1b: Key Selection Criterion ⏰

📝 EXAM QUESTION:
What is the key selection criterion of mock_1.exe? Cite relevant opcodes to support your claim.

Analyzing the Time Functions

004015F1 call _time ; time_t time(time_t *timer) 004015FD call _localtime ; struct tm *localtime(...) 00401602 mov eax, [eax+18h] ; ← KEY LINE!

Understanding struct tm

The localtime() function returns a pointer to a struct tm:

Field Offset Description
tm_sec +0x00 Seconds (0-59)
tm_min +0x04 Minutes (0-59)
tm_hour +0x08 Hours (0-23)
tm_mday +0x0C Day of month (1-31)
tm_mon +0x10 Month (0-11)
tm_year +0x14 Years since 1900
tm_wday +0x18 Day of week (0-6)
🎯 The Critical Line:
mov eax, [eax+18h]

Offset 0x18 (24 in decimal) = tm_wday field!
This is the DAY OF THE WEEK!

Day of Week Values

tm_wday Value Day Name Key Used
0 Sunday key0
1 Monday key1
2 Tuesday key2
3 Wednesday key3
4 Thursday key4
5 Friday key5 ← Settings.ini!
6 Saturday key6

✅ ANSWER TO QUESTION 1b:

The key selection criterion is day of the week (tm_wday).


Mechanism:

  1. Get System Time:
    • Opcode: call _time at 0x004015F1
  2. Convert to Local Time:
    • Opcode: call _localtime at 0x004015FD
    • Returns pointer to struct tm
  3. Extract Day of Week:
    • Opcode: mov eax, [eax+18h] at 0x00401602
    • Accesses tm_wday field at offset 0x18
    • Value range: 0-6 (0=Sunday, 6=Saturday)
  4. Validate Range:
    • Opcode: cmp eax, 6 at 0x0040160B

7. Question 2a: Encryption Method 🔐

📝 EXAM QUESTION:
Explain how the file input.txt is encrypted. Cite relevant opcodes to support your claims.

Finding the Encrypt Function

1 Search for "Encrypting" String
Press Shift+F12 and search for "Encrypting"
2 Find Cross-References
Double-click → Press X → Jump to the function

The Encryption Loop

; Read byte from input.txt 00401476 mov eax, [ebp+var_24] ; Load file pointer mov [esp], eax call ds:fgetc ; ← Read input byte mov [ebp+var_18], eax ; Store as 'x' ; Check for EOF cmp DWORD PTR [ebp+var_18], -1 je loop_end ; Read byte from key file 00401430 mov eax, [ebp+var_20] mov [esp], eax call ds:fgetc ; ← Read key byte mov [ebp+var_14], eax ; Store as 'y' ; Check key EOF cmp DWORD PTR [ebp+var_14], -1 jne no_rewind ; REWIND if key reached end 00401444 mov eax, [ebp+var_20] mov [esp], eax call ds:rewind ; ← Reset key to start! ; Read first byte again call ds:fgetc mov [ebp+var_14], eax no_rewind: ; THE ENCRYPTION OPERATION 0040145F mov edx, [ebp+var_18] ; Load input byte mov eax, [ebp+var_14] ; Load key byte add edx, eax ; ← ADD OPERATION! ; Write encrypted byte 0040146B mov eax, [ebp+var_1C] mov [esp+4], eax mov [esp], edx call fputc ; ← Write output
🔑 THE ENCRYPTION SECRET:
add edx, eax at 0x0040145F

This is an ADD cipher, NOT XOR!
Formula: encrypted = (input + key) mod 256

Circular Key Mechanism

Input: H e l l o W o r l d ! Key: A B C [EOF - REWIND] ↓ ↓ ↓ ↓ Key: A B C A B C A B C A B Result: Input[i] + Key[i % key_length]
💡 Why Rewind?
If the input file is longer than the key file, the key repeats from the beginning. This is called a "circular" or "repeating" key.

✅ ANSWER TO QUESTION 2a:

The file input.txt is encrypted using a simple ADD cipher with a circular key.


Process:

  1. Byte-by-Byte Reading:
    • Read input byte: call ds:fgetc at 0x00401476
    • Read key byte: call ds:fgetc at 0x00401430
  2. Circular Key:
    • If key reaches EOF: call ds:rewind at 0x00401444
    • Key repeats from beginning
  3. ADD Encryption:
    • Opcode: add edx, eax at 0x0040145F
    • Formula: encrypted = (input + key) mod 256
    • Byte arithmetic wraps at 256
  4. Write Output:
    • call fputc at 0x0040146B

8. Question 2b: Decryption Process 🔓

📝 EXAM QUESTION:
Given that settings.ini is in ASCII text and encoded by mock_1.exe, explain how you could decrypt the settings.ini. Describe the decryption process using the first byte.

Understanding the Inverse Operation

If encryption is ADDITION, then decryption is SUBTRACTION:

ENCRYPTION: plaintext + key = ciphertext DECRYPTION: ciphertext - key = plaintext

Step 1: Identify the Correct Key

$ stat Settings.ini | grep Modify Modify: 2016-02-05 08:07:20 February 5, 2016 = Friday = Day 5 = key5

Step 2: Get First Byte Values

$ xxd -l 1 Settings.ini 00000000: 19 . First byte of Settings.ini: 0x19 (25 decimal) $ xxd -l 1 key5 00000000: c5 . First byte of key5: 0xC5 (197 decimal)

Step 3: Perform Decryption

1 Subtract: 25 - 197 = -172
2 Handle Negative (Modulo 256): -172 + 256 = 84
3 Convert to ASCII: 84 = 'T'

Why Modulo 256?

During encryption, the ADD operation "wraps around" at 256:

Original: 'T' = 84 Key byte: 197 Add: 84 + 197 = 281 Overflow: 281 - 256 = 25 ← This is stored Decryption reverses this: Encrypted: 25 Key byte: 197 Subtract: 25 - 197 = -172 Fix: -172 + 256 = 84 = 'T' ✓

✅ ANSWER TO QUESTION 2b:

Decryption Formula: plaintext = (encrypted - key) mod 256


First Byte Decryption:

  1. Identify Key File:
    • Settings.ini date: Feb 5, 2016 (Friday)
    • Use key5
  2. Get Values:
    • Encrypted[0] = 0x19 (25)
    • Key5[0] = 0xC5 (197)
  3. Calculate:
    • 25 - 197 = -172
    • -172 mod 256 = -172 + 256 = 84
    • 84 = 'T' in ASCII
  4. Verification:
    • Encrypt: 84 + 197 = 281
    • 281 mod 256 = 25 ✓

9. Question 3: Decrypt the Message 💬

📝 EXAM QUESTION:
Given that settings.ini is in ASCII text and encoded by mock_1.exe, write down the decrypted message from settings.ini.

Python Decryption Script

#!/usr/bin/env python3 # Read encrypted file with open('Settings.ini', 'rb') as f: encrypted = f.read() # Read key5 (Friday) with open('key5', 'rb') as f: key = f.read() # Decrypt each byte decrypted = bytes((encrypted[i] - key[i]) % 256 for i in range(len(encrypted))) # Print result print(decrypted.decode('ascii'))

Byte-by-Byte Decryption Table

Byte # Encrypted Key5 Decrypted ASCII
1 0x19 (25) 0xC5 (197) 84 T
2 0x6A (106) 0x22 (34) 72 H
3 0x38 (56) 0xCF (207) 105 i
4 0xFD (253) 0x8A (138) 115 s
... ... ... ... ...

✅ ANSWER TO QUESTION 3:

THis is a mock test

(Note: Message includes a newline character at the end)

10. Question 4: Memory Forensics 🧠

📝 EXAM QUESTION:
Describe 3 artifacts that can be found using Memory Forensics.

✅ ANSWER TO QUESTION 4:

1. Process and Network Data Structures

Data structures that track running processes, network connections, and resources:

  • Process list (PID, parent PID, command line)
  • Active network connections (IP, ports)
  • Open file handles
  • Loaded DLL modules

Forensic Value: Identify malicious processes, hidden processes, and network activity


2. Passwords and Encryption Keys

Credentials and cryptographic keys in clear text:

  • User passwords (encrypted on disk, plain in RAM)
  • Encryption keys for real-time operations
  • Session tokens and authentication data
  • NTLM hashes, Kerberos tickets

Why in Memory: Software needs plaintext credentials for authentication and real-time encryption


3. Unpacked/Decrypted Executables

Malware that's packed or encrypted on disk must be decrypted in memory:

  • Packed malware (UPX, Themida, custom packers)
  • Encrypted code sections
  • Injected code in other processes
  • Shellcode and position-independent code

Why in Memory: CPU can only execute decoded instructions; packers are anti-analysis, not operational

11. Quick Reference Cheat Sheet 📋

IDA Hotkeys

Key Function
Shift+F12Strings window
Shift+F3Functions window
XCross-references
SpaceToggle graph/text view
F5Decompile to C
GJump to address
NRename variable
;Add comment

Key Findings Summary

Item Value
Binarymock_1.exe
MD5b184c31f067377516da9f4d2228ee8c9
Keys Usedkey0-key6 only (key7 NOT used)
Selection MethodDay of week (tm_wday)
Settings.ini Keykey5 (Friday, Feb 5, 2016)
EncryptionADD cipher: (input + key) mod 256
DecryptionSUB cipher: (encrypted - key) mod 256
Decrypted MessageTHis is a mock test

Critical Opcodes to Remember

Address Opcode Purpose
0x004014CBcall _statGet file size
0x004015F1call _timeGet system time
0x004015FDcall _localtimeConvert time
0x00401602mov eax, [eax+18h]Get tm_wday
0x0040160Bcmp eax, 6Validate day 0-6
0x00401476call ds:fgetcRead input byte
0x00401430call ds:fgetcRead key byte
0x00401444call ds:rewindCircular key
0x0040145Fadd edx, eaxADD encryption
0x0040146Bcall fputcWrite output

struct tm Offsets

+0x00 tm_sec Seconds (0-59) +0x04 tm_min Minutes (0-59) +0x08 tm_hour Hours (0-23) +0x0C tm_mday Day of month (1-31) +0x10 tm_mon Month (0-11) +0x14 tm_year Years since 1900 +0x18 tm_wday Day of week (0-6) ← THIS ONE! +0x1C tm_yday Day of year (0-365) +0x20 tm_isdst DST flag

Exam Tips

  • ✅ Always cite opcodes with addresses
  • ✅ Show your calculations step-by-step
  • ✅ Verify answers make sense (printable ASCII)
  • ✅ Check file dates to identify key
  • ✅ Remember: ADD cipher, NOT XOR
  • ✅ Handle negative numbers with modulo 256
↑ Back to Top 📂 View on GitHub