This article records the procedure for analyzing Windows software and malware. The same methods can also be used to crack software, since all of it comes down to binary analysis.

–Tools to use
PEiD, LordPE, ImportREC
IDA Pro, OllyDbg

0x01 Basic analysis

Once we have the binary there are several things we can do: run it and monitor the changes it makes (system, files, network), or drop it into PEView/IDA Pro/P to get a first look at the binary.

Monitored run

  1. Prepare a VMware VM running Windows XP or 7; higher versions are not recommended.
  2. Install the monitoring tools: procexp, procmon, regshot, Autoruns, etc., plus 雪铁 and 冰刃.
  3. Disconnect the network so the sample cannot affect the network (if you are analyzing malware, this is very important!!!).
  4. Start the monitoring tools, run the executable, and once it has finished running, stop the monitoring tools and save the records.

Binary glance and unpacking

Drop the executable into IDA Pro. If it is not packed you get function names, strings, and import/export information, all of which are very useful for understanding the executable.
Normally, however, malware is packed and you won't get that information, so the first thing to do is unpack it. UPX is used as the example here.

  1. Identify the packing method
    • Sections named UPX0 and UPX1 are distinctive.
    • PEiD can tell which packer was used, but it is not always correct if a customized packer was applied.
  2. Unpack UPX
    UPX0 contains the packed code and UPX1 contains the unpacking code, which typically starts with PUSHAD and ends with POPAD.
    In OllyDbg, step through the code after POPAD and watch for a JMP or CALL; it leads to the true entry point (OEP). Record that address for constructing the new PE.
  3. Dump the unpacked executable with LordPE
    After POPAD the packed code has been unpacked in memory; use LordPE to dump the executable from memory. The dumped executable cannot run yet, though.
  4. Use ImportREC to set the new entry point and rebuild the IAT.
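An added example, not from the article, for the identification step: it parses the PE section table and entry point with only the standard library and reports whether the sections are UPX-named and whether the entry point lies in UPX1, where the unpacking stub runs. The two PE images are constructed inline as headers only, so the script runs offline on no real sample.

```python
import struct

SECTION_HDR = "<8sIIII"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData

def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [(name, vsize, va, raw_size, raw_ptr), ...]) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]         # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]    # COFF SizeOfOptionalHeader
    opt_off = pe_off + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]      # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from(SECTION_HDR, data, opt_off + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rsize, rptr))
    return entry, sections

def triage_upx(data: bytes) -> dict:
    """Static hints that a binary is UPX-packed: UPX-named sections and an entry point inside UPX1."""
    entry, sections = parse_pe(data)
    entry_sec = next((s[0] for s in sections if s[2] <= entry < s[2] + max(s[1], s[3])), None)
    names = [s[0] for s in sections]
    return {"entry_rva": entry, "entry_section": entry_sec, "sections": names,
            "upx_sections": any(n.startswith("UPX") for n in names),
            "entry_in_stub": entry_sec == "UPX1"}

def build_sample(sections, entry_rva: int) -> bytes:
    """Construct a header-only PE32 image (no real code) so the parser can run offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)    # i386, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                                    # AddressOfEntryPoint
    hdrs = b"".join(struct.pack(SECTION_HDR, n.encode(), vs, va, rs, rp) + bytes(16)
                    for n, vs, va, rs, rp in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + hdrs

# Constructed samples: a UPX-style layout (UPX0 has no raw bytes on disk, entry point in UPX1)
# and a plain build whose entry point is in .text.
PACKED = build_sample([("UPX0", 0x20000, 0x1000, 0, 0), ("UPX1", 0x8000, 0x21000, 0x7800, 0x400),
                       (".rsrc", 0x1000, 0x29000, 0x800, 0x7C00)], entry_rva=0x28A80)
PLAIN = build_sample([(".text", 0x5000, 0x1000, 0x5000, 0x400),
                      (".data", 0x1000, 0x6000, 0x400, 0x5400)], entry_rva=0x1234)

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("plain", PLAIN)):
        print(label, triage_upx(img))
```

Run the same functions over a real file with `triage_upx(open(path, "rb").read())`; a hit here is only a hint, since a customized packer can rename sections, which is the same caveat that applies to PEiD.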