kb432 Posted September 26, 2016

How do you decode an encoded or encrypted string when reverse engineering malware? I heard there is a way using a Python script and Immunity Debugger? What is the most effective option and which options should I try? I looked up YouTube and Google but found nothing useful. Help me with this. Thanks Tuts4you!
Futex Posted September 27, 2016

Search for the string decryption routine and do the same.
Noteworthy Posted October 25, 2016 (edited)

Hi kb432,

Recommendation for you: you should spend some more time learning reverse engineering and unpacking. That's the most important thing. Watch Lena151's tutorials (and the http://opensecuritytraining.info/Training.html training related to assembly / malware) more than one time until you fully understand how it works. If you do so, then you can start playing with malware, and you will progress much faster. Just give it more time.

If we come back now to your specific question, there are two scenarios.

Sometimes, once the malware is unpacked, you can see all the strings at once (example: Win32/Locky).

Sometimes they are a bit more tricky: you can never see all the malware's strings decrypted in memory at once; the malware decrypts one string, uses it, and then encrypts it again or frees the memory which contains the decrypted string. So load your sample in a debugger, set a bp on VirtualAlloc(Ex) / HeapAlloc or its native sister, grab the return address, and see what data is written to that region, which usually happens a few instructions after the VirtualAllocEx. Then hopefully you can see the strings there.

Try this tool as well, but you learn nothing: https://www.fireeye.com/blog/threat-research/2015/12/flare_script_series.html

Noteworthy.

Edited October 25, 2016 by Noteworthy
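Both approaches from the replies above, as an added example that is not code from this thread: re-implementing a located string decryption routine in Python so the whole table is recovered at once (Futex's "do the same"), and scanning a dumped region for cleartext strings once they are visible in memory (Noteworthy's first scenario). The string-table format, the rotating XOR key schedule and the sample strings are hypothetical and constructed for illustration, not taken from any real sample.

```python
import re

# Hypothetical string-table format, constructed for this example and not
# taken from any real sample: [u8 key][u8 length][length bytes, each XORed
# with (key + index) & 0xFF], entries laid out back to back.

def encode_entry(plain: bytes, key: int) -> bytes:
    """Build one table entry; used only to construct the sample input."""
    body = bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(plain))
    return bytes([key, len(plain)]) + body

def decode_table(blob: bytes) -> list:
    """Re-implementation of the (hypothetical) decryption routine, run over
    the whole table so every string is recovered at once instead of one at
    a time as the malware does it at runtime (the second scenario above)."""
    out, pos = [], 0
    while pos + 2 <= len(blob):
        key, n = blob[pos], blob[pos + 1]
        chunk = blob[pos + 2:pos + 2 + n]
        if len(chunk) < n:
            break  # truncated entry at the end of the region
        out.append(bytes(b ^ ((key + i) & 0xFF)
                         for i, b in enumerate(chunk)).decode("latin-1"))
        pos += 2 + n
    return out

def scan_strings(region: bytes, min_len: int = 6) -> list:
    """First scenario: pull printable ASCII and UTF-16LE runs out of a region
    dumped after unpacking, or right after a VirtualAlloc'd buffer is filled."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(region)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(region)]
    return found

# Constructed inputs: a small encrypted table and a "dumped" cleartext region.
SAMPLE_STRINGS = ["kernel32.dll", "VirtualAllocEx", "http://c2.example.invalid/gate"]
SAMPLE_TABLE = b"".join(encode_entry(s.encode(), k)
                        for s, k in zip(SAMPLE_STRINGS, (0x9A, 0x93, 0xC4)))
DUMPED_REGION = (b"\x00" * 4 + b"kernel32.dll\x00\x00"
                 + "VirtualAllocEx".encode("utf-16-le") + b"\x00\x00MZ\x90\x00")

if __name__ == "__main__":
    print("scan of the still-encrypted table:", scan_strings(SAMPLE_TABLE))  # []
    print("after re-implementing the routine:", decode_table(SAMPLE_TABLE))
    print("scan of the dumped region:", scan_strings(DUMPED_REGION))
```

A plain string scan over the still-encrypted table returns nothing, which is exactly why the decryption routine has to be found and replicated; the same scan over the cleartext region recovers both the ASCII and the wide string.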