Debugging
We will be using x86dbg
for our debug session. Remember that we decompressed the file using UPX. It would be wise to open the decompressed version instead of the original whatami.exe file. Opening the compressed will be fine but we will have to go through debugging the UPX packed code.
Unlike IDA Pro, x86dbg
is not able to recognize the WinMain
function where the real code starts. In addition, after opening the file, the instruction pointer may still be somewhere in the NTDLL
memory space. And to avoid being in an NTDLL
region during startup, we may need to make a short configuration change in x86dbg
.
Select Options->Preference. Under the Events tab, uncheck System Breakpoint and TLS Callbacks. Click on the Save button and then select Debug->Restart. This should now bring us to the entry point of whatami.exe
at the following address: 0x004016B8
.
Since we already know the WinMain
address from IDA Pro, we can just place a breakpoint at that address. The WinMain address is at...