IDA Python Xor Decode malware strings

Friday, November 9, 2018

If you have an area in memory that is XOR obfuscated:

```asm
debug007:0018FB04 db 0CEh ; Î
debug007:0018FB05 db 27h  ; '
debug007:0018FB06 db 9Ch  ; œ
debug007:0018FB07 db 1Ah
debug007:0018FB08 db 95h  ; •
debug007:0018FB09 db 2Eh  ; .
debug007:0018FB0A db 22h  ; "
debug007:0018FB0B db 57h  ; W
debug007:0018FB0C db 91h  ; ‘
debug007:0018FB0D db 21h  ; !
debug007:0018FB0E db 57h  ; W
debug007:0018FB0F db 3Ah  ; :
```

and you have assembly code that decodes it, XORing (or in one case NOTing) each byte with its own constant to get it back to a readable value:

```asm
.text:00401654 mov     eax, [esp+28h+arg_0]
.text:00401658 movzx   ecx, byte ptr [eax]
.text:0040165B movzx   edx, byte ptr [eax+1]
.text:0040165F xor     cl, 0A3h
.text:00401662 xor     dl, 54h
.text:00401665 mov     [esp+28h+memcpySource], cl
.text:00401669 movzx   ecx, byte ptr [eax+2]
.text:0040166D mov     [esp+28h+var_23], dl
.text:00401671 movzx   edx, byte ptr [eax+3]
.text:00401675 not     cl
.text:00401677 xor     dl, 75h
.text:0040167A mov     [esp+28h+var_22], cl
.text:0040167E movzx   ecx, byte ptr [eax+4]
.text:00401682 mov     [esp+28h+var_21], dl
.text:00401686 movzx   edx, byte ptr [eax+5]
.text:0040168A xor     cl, 0E7h
.text:0040168D xor     dl, 44h
.text:00401690 mov     [esp+28h+var_20], cl
.text:00401694 movzx   ecx, byte ptr [eax+6]
.text:00401698 mov     [esp+28h+var_1F], dl
.text:0040169C movzx   edx, byte ptr [eax+7]
.text:004016A0 xor     cl, 4Bh
.text:004016A3 xor     dl, 23h
.text:004016A6 mov     [esp+28h+var_1E], cl
.text:004016AA movzx   ecx, byte ptr [eax+8]
.text:004016AE mov     [esp+28h+var_1D], dl
.text:004016B2 movzx   edx, byte ptr [eax+9]
.text:004016B6 xor     cl, 0BFh
.text:004016B9 xor     dl, 45h
.text:004016BC mov     [esp+28h+var_1C], cl
.text:004016C0 movzx   ecx, byte ptr [eax+0Ah]
.text:004016C4 mov     [esp+28h+var_1B], dl
.text:004016C8 movzx   edx, byte ptr [eax+0Bh]
.text:004016CC xor     cl, 3Bh
.text:004016CF xor     dl, 56h
```

You can decode it in IDA Python by going to File -> Script command and entering code like this, where `d` is filled with the encoded hex bytes and each `print` uses the individual XOR constant (or the NOT) taken from the matching instruction above:

```python
from textwrap import wrap

d = "ce279c1a952e22579121573a"   # the 12 bytes at debug007:0018FB04
enc = [int(pair, 16) for pair in wrap(d, 2)]

# one constant per byte, copied from the xor cl/dl immediates in the listing
print(chr(enc[0] ^ 0xa3))
print(chr(enc[1] ^ 0x54))
print(chr((~enc[2]) & 0xFF))     # byte 2 is NOTed (not cl), mask to one byte
print(chr(enc[3] ^ 0x75))
print(chr(enc[4] ^ 0xe7))
print(chr(enc[5] ^ 0x44))
print(chr(enc[6] ^ 0x4b))
print(chr(enc[7] ^ 0x23))
print(chr(enc[8] ^ 0xbf))
print(chr(enc[9] ^ 0x45))
print(chr(enc[10] ^ 0x3b))
print(chr(enc[11] ^ 0x56))
```

Thus in this example `d = "ce279c1a952e22579121573a"` prints out `mscorjit.dll`, which is a library the malware is going to load.
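Transcribing every XOR constant by hand gets tedious for longer strings, so here is an added example (not from the post) that recovers the per-byte operation directly from the pasted IDA listing text by tracking which input offset `cl`/`dl` holds after each `movzx`. The listing and the hex string below are constructed from the post's own values; the `mov` instructions that only store `cl`/`dl` to the stack are omitted because the parser ignores them anyway.

```python
import re

# Constructed from the post's listing: the loads and byte transforms only.
LISTING = """
movzx ecx, byte ptr [eax]; movzx edx, byte ptr [eax+1]; xor cl, 0A3h; xor dl, 54h
movzx ecx, byte ptr [eax+2]; movzx edx, byte ptr [eax+3]; not cl; xor dl, 75h
movzx ecx, byte ptr [eax+4]; movzx edx, byte ptr [eax+5]; xor cl, 0E7h; xor dl, 44h
movzx ecx, byte ptr [eax+6]; movzx edx, byte ptr [eax+7]; xor cl, 4Bh; xor dl, 23h
movzx ecx, byte ptr [eax+8]; movzx edx, byte ptr [eax+9]; xor cl, 0BFh; xor dl, 45h
movzx ecx, byte ptr [eax+0Ah]; movzx edx, byte ptr [eax+0Bh]; xor cl, 3Bh; xor dl, 56h
"""
ENCODED = "ce279c1a952e22579121573a"   # the bytes at debug007:0018FB04 in the post

LOAD = re.compile(r"movzx\s+e(c|d)x,\s*byte ptr \[eax(?:\+([0-9A-Fa-f]+h?))?\]", re.I)
XOR = re.compile(r"xor\s+(c|d)l,\s*([0-9A-Fa-f]+h?)", re.I)
NOT = re.compile(r"not\s+(c|d)l", re.I)

def ida_int(tok):
    """Parse an IDA immediate: '0A3h' and '0Ah' are hex, a bare '1' is decimal."""
    return int(tok[:-1], 16) if tok[-1] in "hH" else int(tok)

def recover_ops(listing):
    """Map each input offset to ('xor', key) or ('not', None) by remembering
    which offset the cl/dl register currently holds after each movzx load."""
    held, ops = {}, {}
    for ins in re.split(r"[;\n]", listing):
        ins = ins.strip()
        if m := LOAD.match(ins):
            held[m.group(1)] = ida_int(m.group(2) or "0")
        elif m := XOR.match(ins):
            ops[held[m.group(1)]] = ("xor", ida_int(m.group(2)))
        elif m := NOT.match(ins):
            ops[held[m.group(1)]] = ("not", None)
    return ops

def decode(hexstr, ops):
    """Apply the recovered transform per byte; offsets with no op pass through."""
    out = bytearray()
    for i, b in enumerate(bytes.fromhex(hexstr)):
        kind, key = ops.get(i, ("xor", 0))
        out.append((~b) & 0xFF if kind == "not" else b ^ key)
    return out.decode("latin-1")

if __name__ == "__main__":
    ops = recover_ops(LISTING)
    print(ops)
    print(decode(ENCODED, ops))   # mscorjit.dll
```

Inside IDA the same functions work on a listing copied from the disassembly view, and `ENCODED` can be replaced by the bytes read from the address with `idc.get_bytes(ea, 12).hex()` (IDA 7 API).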