
GREM Question #34: Real Exam Question with Answer & Explanation

The correct answers are A, B, and D: (A) identify which register stores the return value of the function; (B) analyze the instructions leading up to the RET to understand what values are being pushed; (D) step through the function in a debugger to observe the changes in register values. See the full explanation below for the reasoning.

Question

You are analyzing a malware sample in IDA Pro and identify a suspicious function written in assembly. The function uses multiple PUSH and MOV instructions and ends with a RET. How would you proceed to understand the function's purpose? (Choose three)

Options

  • A. Identify which register stores the return value of the function.
  • B. Analyze the instructions leading up to the RET to understand what values are being pushed.
  • C. Modify the function to replace the RET with a NOP.
  • D. Step through the function in a debugger to observe the changes in register values.
  • E. Look for calls to external libraries within the function.
