reverse engineering
40 points. Please read every question carefully and provide the screenshots (if required). Thank you.

1. For this question, please create a 2 column by 5 row table, then put the following code snippets into the respective column. The top row should be labeled “Obfuscated” and “Not Obfuscated” (without the quotes). The color coding indicates a “code pair”: one part is obfuscated, and the other part is not obfuscated. Please put them in the table appropriately. (10 points)

   Mov ecx, 0x294a
   mov ecx, 0x410cb4
   Sub ecx, 0x40e301
   Call
   Pop ebp
   Sub ebp, 0x40e207
   mov ebp, -0xab7
   Mov edi, ptr[eax+a4]
   mov edi,
   Rol edi, 7
   Mov rax, 24h
   push 24h
   Pop rax
   Jmp 00801002h
   push 00801002h
   Ret

2. Please determine the type of file used in ch4_2.exe. (2 points)

3. Exception-based control flow, call-stack tampering, indirect control flow, and self-modifying code are all common ___________________________ techniques. (2 points)

4. What is an order of steps for a Reverse Engineer? (2-3 sentences, or a bulleted list) (4 points)

5. The File operation is used for what? Provide an example and screenshot it. (4 points)

6. Write a simple program that sorts a set of 10 integers largest to smallest, then, using your favorite debugger, step into the main function and step through the code. Provide at least 3 screenshots – your debugger screen selection, stepping into main, then step once forward in your main function. (6 points for the 3 screenshots.)

7. Next, using the code in #6, show the memory registers after you step into main, THEN show the memory registers after you STEP ONCE into the code. (4 points for screenshots)

8. You run file on a piece of .exe code, you get nothing you can read. Strings does not yield anything intelligible either. The file is packed. The following questions relate to this hypothetical situation. This exercise becomes more challenging as you answer each question. Good luck!

   a. How do you unpack it? (1 point)
   b. Once you unpack it, you see it is written in C. How do you convert it to Assembly? (Name the webpage or tool you use) (1 point)
   c. Once you see the assembly code, you notice something that is not seemingly possible. None of the assembly commands look normal (see below for point values). The code you discover looks like this:

      Zzz zhr, zbz
      Fbxx xzfbxzrzj
      Zzz ZZZZZH ZZZ [zdz-24], zbz

      This is the only snippet of real assembly code (or rather code that looks normal) you could find:

      mov QWORD PTR [rbp-24], rax
      mov esi, OFFSET FLAT:.LC0
      mov edi, OFFSET FLAT:_ZSt4cout
      call std::basic_ostream
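Added example, not part of the assignment: the push/pop, push/ret and split-constant idioms listed in question 1 are regular enough that a peephole pass over a text listing can rewrite them into their plain form, which is how an analyst normalises a listing before reading it. The sample listing and its values are constructed; the call/pop get-PC sequence is deliberately left alone because its result depends on the instruction's own address, which a text listing does not carry.

```python
# Constructed sample listing (values chosen for this example, not the assignment's table).
SAMPLE = """\
mov ecx, 0x410cb4
sub ecx, 0x40e36a
push 24h
pop rax
push 00801002h
ret
mov edi, dword ptr [eax+0xa4]
"""
def parse(line):
    """'Mnem op1, op2' -> (lower-case mnemonic, [operands]); None for a blank line."""
    parts = line.strip().split(None, 1)
    if not parts:
        return None
    ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
    return parts[0].lower(), ops

def imm(tok):
    """Immediate as 0x.., ..h (MASM style, must start with a digit) or decimal; None otherwise."""
    t = tok.strip().lower()
    try:
        if t.lstrip("-").startswith("0x"):
            return int(t, 16)
        if t.endswith("h") and t[0].isdigit():
            return int(t[:-1], 16)
        return int(t, 10)
    except ValueError:
        return None

def simplify(text):
    """One peephole pass over a text listing; returns the rewritten lines."""
    ins = [p for p in map(parse, text.splitlines()) if p]
    out, i = [], 0
    while i < len(ins):
        m, o = ins[i]
        n = ins[i + 1] if i + 1 < len(ins) else ("", [])
        push_imm = m == "push" and len(o) == 1 and imm(o[0]) is not None
        if push_imm and n[0] == "pop" and len(n[1]) == 1:        # push imm ; pop reg
            out.append(f"mov {n[1][0]}, {o[0]}"); i += 2; continue
        if push_imm and n[0] == "ret":                             # push imm ; ret
            out.append(f"jmp {o[0]}"); i += 2; continue
        if (m == "mov" and len(o) == 2 and imm(o[1]) is not None   # mov reg, a ; add/sub reg, b
                and n[0] in ("add", "sub") and len(n[1]) == 2
                and n[1][0].lower() == o[0].lower() and imm(n[1][1]) is not None):
            a, b = imm(o[1]), imm(n[1][1])  # plain integer maths; register width/wraparound not modelled
            out.append(f"mov {o[0]}, {hex(a + b if n[0] == 'add' else a - b)}"); i += 2; continue
        out.append(f"{m} {', '.join(o)}".strip()); i += 1      # anything else passes through
    return out
```

Running `simplify(SAMPLE)` folds the first three pairs into `mov ecx, 0x294a`, `mov rax, 24h` and `jmp 00801002h`, and leaves the memory load untouched.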