Locating main in a statically linked binary


mail.unchk
November 22nd, 2009, 21:26
Hello,

I have started reversing a piece of malware. The binary was packed, and I have managed to unpack it. In addition to this, I have found its original entry point. However, the binary seems to be statically linked, and I'm having some difficulties managing to find its "main" function. I am going through what appears to be library code, and I have been debugging it for quite some time now without any real "productivity".

I know that besides kernel32.dll and ntdll.dll an additional library is loaded: ws2_32.dll, and I thought that it was loaded for a reason, so if I could backtrack some of its function calls, eventually I should reach "main". This, however, has proven not to be as linear as I had expected.

On this subject I read "Locating main" from the Ida Pro Book, but in all honesty I am having some difficulty applying what is said in the book to this particular instance of the problem. Besides this I tried searching the web but to no avail.

I am therefore asking for any pointers on how to tackle this problem.

Thank you in advance.

Indy
November 23rd, 2009, 00:28
Set a break at NtProtectVirtualMemory and trace; for packers this usually works. But it's better not to regard the OEP as something separate from the primary code. If ws2_32.dll is loaded dynamically, then watch it.

Aimless
November 23rd, 2009, 01:33
So you want the main function of the binary or the static libs that were linked to it, specifically ws2_32?

Have PHun

ronnie291983
November 23rd, 2009, 04:31
I think it will be difficult to locate the main function in an exe. Even in a regular exe there will be some compiler-generated code which is executed prior to moving into the main function, such as environment initialization etc. This generated code will be different for different compilers and also for the technology used to develop the app (MFC etc.).

So in my opinion you would have to unpack the entire exe and then start from the OEP and move downwards, but still you would have to have an idea as to how the main function would look in assembly, some kind of signature, because it will be difficult to distinguish a main function from a regular one; maybe look at the arguments to the function, argc and argv.

mail.unchk
November 23rd, 2009, 04:46
Hello,

Aimless: I am looking for the main.
ronnie291983: That's basically what I've been doing. I guess I'll just keep at it.

Thanks for the input so far.

radix
November 23rd, 2009, 05:34
Most runtime environments parse the command line somehow, calling GetCommandLineA/W. You should be able to supply some text as a commandline and then follow that text (after bpx GetCommandLineA/W). When it is parsed to argc/argv and put on the stack, you should be near main.

radix

Aimless
November 23rd, 2009, 09:20
Many ways to get in. Only one way to get out. EXIT.

Find that damned API. The function in which it resides is the START.

Therefore, one/two calls above should be your main.

Have Phun
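A scripted version of the two heuristics from radix's and Aimless's posts (pivot from the GetCommandLine call forward, and from the exit call backward, to the internal call that receives argc/argv and whose return value feeds the exit code), as an added example that is not part of this thread. It runs over a constructed disassembly listing; the addresses, `sub_` names and the CRT startup shape are assumptions, not any particular compiler's output.

```python
import re

# Constructed listing of a typical CRT start function (addresses and sub_ names are made up).
START_FUNC = """
00401000  call    ds:GetCommandLineA
00401006  mov     [ebp+cmdline], eax
00401009  call    sub_401300         ; parse command line into argc/argv
0040100E  mov     eax, [ebp+argc]
00401011  push    [ebp+envp]
00401014  push    [ebp+argv]
00401017  push    eax
00401018  call    sub_401100
0040101D  add     esp, 0Ch
00401020  mov     [ebp+retcode], eax
00401023  push    eax
00401024  call    ds:ExitProcess
"""

LINE_RE = re.compile(r'^([0-9A-Fa-f]{8})\s+(\w+)\s*(.*?)\s*(?:;.*)?$')

def parse(listing):
    """Turn 'addr mnemonic operands ; comment' lines into (addr, mnemonic, operands)."""
    rows = []
    for line in listing.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(2), m.group(3).strip()))
    return rows

def find_main_candidate(listing):
    """Score internal calls between GetCommandLine* and the exit call; the best one is main."""
    rows = parse(listing)
    is_call = lambda r: r[1] == 'call'
    exit_idx = next((i for i, r in enumerate(rows)
                     if is_call(r) and re.search(r'ExitProcess|\bexit\b', r[2])), None)
    if exit_idx is None:
        return None  # no exit call: this is not the start function
    cmd_idx = next((i for i, r in enumerate(rows) if is_call(r) and 'GetCommandLine' in r[2]), -1)
    best = None
    for i in range(exit_idx - 1, cmd_idx, -1):           # walk back from the exit call
        addr, mn, op = rows[i]
        if mn != 'call' or not op.startswith('sub_'):
            continue
        pushes = 0                                         # count args pushed right before the call
        j = i - 1
        while j >= 0 and rows[j][1] == 'push':
            pushes, j = pushes + 1, j - 1
        score = pushes                                     # argc, argv, envp -> up to 3
        if any(r[1] == 'push' and r[2] == 'eax' for r in rows[i + 1:exit_idx]):
            score += 2                                     # return value forwarded to exit
        cand = {'address': addr, 'target': op, 'pushed_args': pushes, 'score': score}
        if best is None or score > best['score']:
            best = cand
    return best
```

On the constructed listing the call at 00401018 to sub_401100 wins (three pushed arguments, return value pushed to ExitProcess); sub_401300 scores lower because nothing is pushed to it.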

mail.unchk
November 23rd, 2009, 13:43
Hello,

Thanks for the ideas! I think I have managed to find it. I will carry on with the analysis of the binary.