Skip to content

Lab 6: Conditional Jumps

Overview

The purpose of this lab is to get you familiar with recognizing conditional jumps, and identifying the conditions when the jumps will and will not occur.

Part 1: Dexter

For this exercise examine the dexter malware (found at c:\malware\dexter\dexter.exe).

Questions

There are three conditional jumps somewhere between the addresses 0x00404270 through 0x004042B6. For each conditional jump:

  1. Identify the address of the jump instruction.
  2. Write out the acronym (e.g. jnle is jump if not less than or equal to).
  3. Identify the address of the instruction that describes the condition (the one that affects the flags register).
  4. In your own words, describe the conditions for the jump to occur.
Answer for Conditional Jump 1
  1. 0x40427B
  2. jbe is "jump if below or equal to"
  3. There is a cmp [ebp+Buffer.RegionSize], 0 at address 0x404277.
  4. Jump if [ebp+Buffer.RegionSize] is below or equal to 0.
Answer for Conditional Jump 2
  1. 0x404285
  2. jz is "jump if zero" (same as "jump if equal")
  3. There is a cmp [ebp+lpBaseAddress], 0 at address 0x404281.
  4. Jump if [ebp+lpBaseAddress] is equal to zero.
Answer for Conditional Jump 3
  1. 0x4042A1
  2. jbe is "jump if below or equal to"
  3. There is a cmp [ebp+Buffer.RegionSize], 64000h at address 0x40429A.
  4. Jump if [ebp+Buffer.RegionSize] is below or equal to 0x64000

Part 2: Avzhan

For this exercise examine the avzhan malware (found at c:\malware\avzhan\avzhan.exe)

Questions

There are two conditional jumps somewhere between the addresses 0x00405188 through 0x004051C0. For each conditional jump:

  1. Identify the address of the jump instruction.
  2. Write out the acronym (e.g. jnle is jump if not less than or equal to).
  3. Identify the address of the instruction that describes the condition (the one that affects the flags register).
  4. In your own words, describe the conditions for the jump to occur.
Answer for Conditional Jump 1
  1. 0x405195
  2. jz is "jump if zero" (same as "jump if equal")
  3. There is a cmp dword_40C5D0, 1 at address 0x40518E
  4. Jump if dword_40C5D0 is equal to 1
Answer for Conditional Jump 2
  1. 0x4051B2
  2. jnz is "jump if not zero" (same as "jump if not equal")
  3. There is a dec esi at address 0x4051B1
  4. Jump if esi is not 1

Part 3: ActiveX

For this exercise examine the activex malware (found at c:\malware\activex\activex.exe)

Questions

There are two conditional jumps somewhere between the addresses 0x00402B70 through 0x00402B86. For each conditional jump:

  1. Identify the address of the jump instruction.
  2. Write out the acronym (e.g. jnle is jump if not less than or equal to).
  3. Identify the address of the instruction that describes the condition (the one that affects the flags register).
  4. In your own words, describe the conditions for the jump to occur.
Answer for Conditional Jump 1
  1. 0x402B74
  2. jle is "jump if less than or equal to"
  3. There is a cmp eax, ecx at address 0x402B72
  4. Jump if EAX is less than or equal to ECX
Answer for Conditional Jump 2
  1. 0x402B7E
  2. jz is "jump if zero" (same as "jump if equal")
  3. There is a test al, al at address 0x402B7C
  4. Jump if AL is 0