4 changes: 2 additions & 2 deletions gitbook/chapters/solutions/crash_dump_analysis.md
Expand Up @@ -63,7 +63,7 @@ eip=deadbabe

The extracted memory content can be verified to be a valid PE executable image using a hex editor and inspecting the header bytes or by using a tool such as CFF Explorer that recognizes the PE file format:

![Neo Hexeditor](../..../../images/crashdump_neohex1.png "NeoHex")
![Neo Hexeditor](../../images/crashdump_neohex1.png "NeoHex")

However this memory content cannot be run as a PE executable directly as it is in a form known as **Loaded PE**. This means the memory content is processed by the Operating System's PE Loader and loaded as per *VirtualAddress* offset of section headers. The PE section data for each section is at a distance of *VirtualAddress* bytes from the base as defined in its section header. However for a PE executable file, the section data should be *PointerToRawData* bytes from the start of the file. In order to *fix* this image we need to move PE section data for each section from *VirtualAddress* offset from base to *PointerToRawData* offset from base of file. This can be done either by writing a C program or using a library that understands PE file format such as [Metasm][3].

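Review bot: the `../..../../` to `../../` correction is right, and it is the same typo that recurs in the other files in this PR, so before merging run something like `grep -rn '\.\./\.\.\.\./' gitbook/` to confirm no further occurrences are left in images or links that this change set does not touch.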
Expand All @@ -89,4 +89,4 @@ end

[2]: <https://en.wikipedia.org/wiki/X86_assembly_language>

[3]: <http://metasm.cr0.org/
[3]: <http://metasm.cr0.org/
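Review bot: the `[3]` reference definition at the end of this hunk is missing its closing `>` on both the removed and the added line (`[3]: <http://metasm.cr0.org/`), so the Metasm link in the preceding paragraph will not resolve the way `[2]` does; since the line is already being touched, close it as `[3]: <http://metasm.cr0.org/>`. As rendered, the old and new lines read identically, so the diff here is whitespace-only (most likely a trailing newline); say so in the commit message so the next reviewer does not hunt for a content change.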
12 changes: 6 additions & 6 deletions gitbook/chapters/solutions/file_identification_analysis_i.md
Expand Up @@ -8,21 +8,21 @@ A compressed PE executable file *a.exe* is provided as input. The task is to dec

The compressed executable was analysed in [IDA Pro][3]. However IDA was unable to identify strings in the executable. This is because the PE compressor packed the executable in such a way that all strings are transformed into a compressed form. The executable is required to be decompressed in order to extract strings from the executable.

![IDA 1](../..../../images/fileid_ida1.png "IDA")
![IDA 1](../../images/fileid_ida1.png "IDA")

In order to unpack or decompress a compressed executable, it is first required to identify the packer or compressor used in the sample. The [PEiD][1] tool can be used for this purpose which can identify multiple executable packers and crypters.

![PEiD 1](../..../../images/peid1.png "PEiD")
![PEiD 1](../../images/peid1.png "PEiD")

![PEiD 2](../..../../images/peid2.png "PEiD")
![PEiD 2](../../images/peid2.png "PEiD")

PEiD identifies the sample to be packed with [UPX][2]. While most malware packers and crypters do not support unpacking by themseves, UPX is a standard PE compression tool and is not meant exclusively for code protection or hiding anything. For this reason, UPX by itself supports decompressing an executable that is compressed by UPX. We can use UPX tool to decompress the sample executable:

![UPX](../..../../images/upx_unpack1.png "UPX")
![UPX](../../images/upx_unpack1.png "UPX")

Finally the decompressed sample can be analyzed in IDA Pro to find the desired string:

![IDA 2](../..../../images/fileid_ida2.png "IDA")
![IDA 2](../../images/fileid_ida2.png "IDA")

## Alternative Solution: Manual Extraction

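Review bot: the five image path corrections in this hunk are consistent and correct and nothing else changes. One leftover worth fixing in the same file: the context line in the UPX paragraph reads `do not support unpacking by themseves`, which should be `by themselves`.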
Expand Down Expand Up @@ -55,4 +55,4 @@ At this point we have successfully unpacked the UPX packed executable manually.

[2]: <http://upx.sourceforge.net/>

[3]: <https://www.hex-rays.com/products/ida/>
[3]: <https://www.hex-rays.com/products/ida/>
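Review bot: the removed and added `[3]` lines are identical as displayed, so this hunk is a whitespace-only change (probably adding the newline at end of file); it is harmless, but the PR description should mention it so the 1-line change in this file is not mistaken for a missing edit.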
4 changes: 2 additions & 2 deletions gitbook/chapters/solutions/md5_code_section.md
Expand Up @@ -8,11 +8,11 @@ An executable file is provided as input. The task is to compute MD5 checksum of

A [Portable Executable](#) file is organized in terms of multiple sections. As a convention, most compilers use *.text* as the name for the text section in a PE file. It is possible to view and dump the contents of only *.text* section using [CFF Explorer Suite][1].

![CFF Explorer Usage](../..../../images/cff1.png "CFF Explorer Sample")
![CFF Explorer Usage](../../images/cff1.png "CFF Explorer Sample")

Once the contents of the *.text* section is dumped to file, it is possible to compute the MD5 checksum of the content using [WinMD5][2] tool or any other appropriate checksum computation tool:

![WinMD5](../..../../images/winmd5.png "WinMD5")
![WinMD5](../../images/winmd5.png "WinMD5")


[1]: <http://www.ntcore.com/exsuite.php>
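Review bot: the path fixes are correct, but the context line in this hunk links `[Portable Executable](#)`, an empty anchor that goes nowhere; either point it at the PE format documentation the chapter relies on or give it a numbered reference definition like `[1]` and `[2]` at the bottom of the file, rather than leaving a dead link.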