0

How do I calculate the location of the string in this sample located at offset 0x1CAD8?

The instruction at 0x140001A97 in the sample is:

0x140001A97   F2 0F1005 39C60100   movsd xmm0, qword [rip + str..exe]

The opcode has 0x39C60100 which is 0x1C639. If I add that to rip, I don't land on the address of the string:

0x140001A97 -> offset = 0xE97

0xE97 + 0x8 + 0x1C639 = 0x1D4D8

The string's offset is 0x1CAD8 not 0x1D4D8

What am I missing?

The sample is Ryuk: 18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1 If you need a copy of the sample, a base64 encoded passworded zip archive with the sample is located here: https://pastebin.com/aKskMXY7

The password for that zip file is reseinfected. If you need something to decode base64 quickly, use this cyberchef recipe:

From_Base64('A-Za-z0-9+/=',true)
Improve this question

2 Answers 2

Reset to default
1

I think you are confusing yourself somehow and mixing up file offsets with virtual offsets

lets try a simple example

open a random exe in windbg
patch the bytes in the current instruction Pointer
disassemble
subtract and look

explanation for commands below
cdb is console equivalent for windbg
-c is the command line to be passed to the debugger
eb . is enter bytes at the current instruction pointer (. (dot denotes current ip))
it is followed by bytes from your post

then I disassemble one single instruction at current ip using u . l1
I query what the current ip isby ? $ip
and quit

take the results and do the subtraction with python 

C:\>cdb -c "eb . F2 0F 10 05 39 C6 01 00;u . l1;? $ip;q" cdb | f:\git\usr\bin\awk "/Reading/,/quit/"
0:000> cdb: Reading initial command 'eb . F2 0F 10 05 39 C6 01 00;u . l1;? $ip;q'
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffc`69ad2dbc f20f100539c60100 movsd   xmm0,mmword ptr [xxx (00007ffc`69aef3fd)]
Evaluate expression: 140722081443260 = 00007ffc`69ad2dbc
quit:

C:\>python -c "print (hex(0x7ffc69aef3fd-(0x7ffc69ad2dbc+8)))"
0x1c639

rereading your posts it appears you have indeed mixed up raw offsets with virtual offsets
use 0x1a97 instead of 0xe97 (0xc00 bytes accounted for)
locate in which section your string is in
and add the difference between section Va and Section Pointer to RawData
I believe it would account for the remaining 0xa00 bytes

Improve this answer
0

(14001E0D8-140001A97)-8 = 1C639, VA 14001E0D8 is offset 0001CAD8

This is the answer. Thanks to an individual on one of the lists I'm on.

Improve this answer

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.