Tuts 4 You

How to decode a string in malware?


How do I decode an encoded or encrypted string when reverse engineering malware?

I heard there is a way using a Python script and Immunity Debugger?

What is the most effective option, and which options should I try?

I looked on YouTube and Google but found nothing useful. Help me with this.

Thanks Tuts4you! 


  • 4 weeks later...

Hi kb432,

Recommendation for you: you should spend some more time learning reverse engineering and unpacking. That's the most important thing. Watch Lena151's tutorials (and the http://opensecuritytraining.info/Training.html training related to assembly / malware) more than one time until you fully understand how it works. If you do so, then you can start playing with malware, and you will progress much faster. Just give it more time.

If we come back now to your specific question, there are two scenarios.

  1. Sometimes, once the malware is unpacked, you can see all the strings in full. (Example: Win32/Locky)
  2. Sometimes they are a bit more tricky: you can never see all the malware strings decrypted in memory at once. The malware decrypts one string, uses it, and then encrypts it again or frees the memory which contains the decrypted strings.

So load your sample in a debugger, set a bp on VirtualAlloc(Ex) / HeapAlloc or its native sister, grab the return address, and see what data is written to that region; this usually happens just a few instructions after the VirtualAllocEx. Then hopefully you can see the strings there.

Try this tool as well, but you learn nothing: https://www.fireeye.com/blog/threat-research/2015/12/flare_script_series.html.


Edited by Noteworthy
  • Like 1
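
As an added example (not part of the posts above, and not code from any tool they mention): once the region returned by VirtualAlloc has been dumped from the debugger at a few points, this Python script lists the ASCII and UTF-16LE strings that appeared or disappeared between dumps. The three dumps, their offsets and string values are constructed sample data, and the function names are hypothetical.

```python
import re

MIN_LEN = 5  # assumption: shorter runs are mostly noise

# Printable ASCII runs, and the same characters stored as UTF-16LE
# (each byte followed by 0x00), the layout wide Windows strings have in memory.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(region):
    """Map offset -> (encoding, text) for each string run in a dumped region."""
    found = {}
    for m in WIDE_RE.finditer(region):
        found[m.start()] = ("utf-16le", m.group().decode("utf-16le"))
    for m in ASCII_RE.finditer(region):
        found.setdefault(m.start(), ("ascii", m.group().decode("ascii")))
    return found


def diff_strings(earlier, later):
    """Strings in the later dump that were not at that offset in the earlier one."""
    old = extract_strings(earlier)
    return [(off, enc, text)
            for off, (enc, text) in sorted(extract_strings(later).items())
            if old.get(off) != (enc, text)]


def build_snapshots():
    """Constructed sample data: three dumps of one 0x100-byte region."""
    at_alloc = bytes(0x100)  # memory committed by VirtualAlloc starts zeroed
    decoded = bytearray(0x100)
    url = b"example.invalid/config"  # constructed value
    decoded[0x10:0x10 + len(url)] = url
    key = "SOFTWARE\\Example".encode("utf-16le")  # constructed value
    decoded[0x40:0x40 + len(key)] = key
    wiped = bytes(0x100)  # scenario 2: buffer cleared after use
    return at_alloc, bytes(decoded), wiped


if __name__ == "__main__":
    at_alloc, decoded, wiped = build_snapshots()
    for off, enc, text in diff_strings(at_alloc, decoded):
        print("appeared  0x%04x %-8s %s" % (off, enc, text))
    for off, enc, text in diff_strings(wiped, decoded):
        print("gone      0x%04x %-8s %s" % (off, enc, text))
```

For real use, replace `build_snapshots()` with the bytes saved from the debugger's memory dump of the allocated region.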