Tuts 4 You

How to decode encoded or encrypted strings when reverse engineering malware?

I heard there is a way using a Python script and Immunity Debugger?

What is the most effective option, and which options should I try?

I looked up YouTube and Google but found nothing useful. Help me with this.

Thanks Tuts4you!

Search for the string decryption routine and do the same.

Author:

Help, anyone!


Hi kb432,

Recommendation for you: you should spend some more time learning reverse engineering and unpacking. That's the most important thing. Watch Lena151's tutorials (and the http://opensecuritytraining.info/Training.html training related to assembly and malware) more than one time, until you fully understand how it works. If you do so, then you can start playing with malware, and you will progress much faster. Just give it more time.

If we come back now to your specific question, there are two scenarios.

  1. Sometimes, once the malware is unpacked, you can see all the strings in full. (Example: Win32/Locky)
  2. Sometimes they are a bit more tricky: you can never see all the malware's strings decrypted in memory at once; the malware decrypts one string, uses it and then encrypts it again or frees the memory which contains the decrypted string.

So load your sample in a debugger, set a breakpoint on VirtualAlloc(Ex) / HeapAlloc or its native sister, grab the return address, and see what data is written to that region; it usually happens just a few instructions after the VirtualAllocEx. Then hopefully you can see the strings there.

Try this tool as well, but you learn nothing: https://www.fireeye.com/blog/threat-research/2015/12/flare_script_series.html

Noteworthy.

Edited by Noteworthy
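Both replies above come down to the same workflow: locate the sample's string-decryption routine in the debugger, work out its input format, then re-implement it so every string is recovered in one pass instead of waiting for the sample to decrypt each one at run time (the second scenario Noteworthy describes). The Python below is an added example, not code from the thread or from the FLARE scripts linked above. The record layout ([length][xor key][encoded bytes], zero-terminated) and the string table are constructed for illustration; a real sample's layout is whatever you read out of its routine. A brute-force single-byte XOR fallback with printable-ratio scoring is included for the case where the layout is not yet known, which is the same idea the FLARE tooling automates.

```python
"""
Re-implement a located string-decryption routine so all encoded strings
can be decoded at once, offline, from a dump of the string table.

Everything here is constructed for the example: the record format
([length][xor key][payload], terminated by a zero length byte) and the
sample table. Real samples use their own scheme; read it out of the
decryption routine first, then mirror it here.
"""
import string

# Bytes we accept as "text" when scoring brute-force candidates.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def encode_record(plaintext: bytes, key: int) -> bytes:
    """Build one constructed record: length byte, key byte, XOR-encoded payload."""
    return bytes([len(plaintext), key]) + bytes(b ^ key for b in plaintext)


# Constructed stand-in for a malware string table (not from any real sample).
SAMPLE_TABLE = (
    encode_record(b"http://example.invalid/gate.php", 0x5A)
    + encode_record(b"kernel32.dll", 0x3C)
    + encode_record(b"VirtualAllocEx", 0x91)
    + b"\x00"  # zero length terminates the table
)


def decrypt_table(blob: bytes) -> list:
    """Walk the record table exactly as the (constructed) routine would:
    read length and key, XOR the payload, advance to the next record."""
    out = []
    pos = 0
    while pos + 1 < len(blob):
        length = blob[pos]
        if length == 0:
            break
        key = blob[pos + 1]
        payload = blob[pos + 2 : pos + 2 + length]
        out.append(bytes(b ^ key for b in payload).decode("latin-1"))
        pos += 2 + length
    return out


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like text; 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def brute_force_xor(blob: bytes, min_ratio: float = 1.0) -> list:
    """Fallback when the record layout is unknown: try all 256 single-byte
    keys and keep those whose output is (almost) entirely printable.
    Several keys can pass (e.g. case-flipped text), so this returns
    candidates for the analyst to review rather than a single answer."""
    hits = []
    for key in range(256):
        candidate = bytes(b ^ key for b in blob)
        if printable_ratio(candidate) >= min_ratio:
            hits.append((key, candidate.decode("latin-1")))
    return hits


if __name__ == "__main__":
    for s in decrypt_table(SAMPLE_TABLE):
        print("decoded:", s)
    # Unknown-layout fallback on one raw payload (strip our 2-byte header).
    for key, text in brute_force_xor(SAMPLE_TABLE[2:33]):
        print(f"candidate key 0x{key:02X}: {text}")
```

Once the real routine is understood, `decrypt_table` is the part you rewrite to match it; `brute_force_xor` is only a triage aid for spotting which blobs are worth tracing in the debugger in the first place.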
