Friday, November 9, 2018

IDA Python Xor Decode malware strings

If you have an area in memory that is XOR-obfuscated, such as this byte dump:

debug007:0018FB04 db 0CEh ; Î
debug007:0018FB05 db  27h ; '
debug007:0018FB06 db  9Ch ; œ
debug007:0018FB07 db  1Ah
debug007:0018FB08 db  95h ; •
debug007:0018FB09 db  2Eh ; .
debug007:0018FB0A db  22h ; "
debug007:0018FB0B db  57h ; W
debug007:0018FB0C db  91h ; ‘
debug007:0018FB0D db  21h ; !
debug007:0018FB0E db  57h ; W
debug007:0018FB0F db  3Ah ; :

and you have the assembly routine that XORs (and, for one byte, NOTs) each byte to get it back to a readable value:

.text:00401654 mov     eax, [esp+28h+arg_0]
.text:00401658 movzx   ecx, byte ptr [eax]
.text:0040165B movzx   edx, byte ptr [eax+1]
.text:0040165F xor     cl, 0A3h
.text:00401662 xor     dl, 54h
.text:00401665 mov     [esp+28h+memcpySource], cl
.text:00401669 movzx   ecx, byte ptr [eax+2]
.text:0040166D mov     [esp+28h+var_23], dl
.text:00401671 movzx   edx, byte ptr [eax+3]
.text:00401675 not     cl
.text:00401677 xor     dl, 75h
.text:0040167A mov     [esp+28h+var_22], cl
.text:0040167E movzx   ecx, byte ptr [eax+4]
.text:00401682 mov     [esp+28h+var_21], dl
.text:00401686 movzx   edx, byte ptr [eax+5]
.text:0040168A xor     cl, 0E7h
.text:0040168D xor     dl, 44h
.text:00401690 mov     [esp+28h+var_20], cl
.text:00401694 movzx   ecx, byte ptr [eax+6]
.text:00401698 mov     [esp+28h+var_1F], dl
.text:0040169C movzx   edx, byte ptr [eax+7]
.text:004016A0 xor     cl, 4Bh
.text:004016A3 xor     dl, 23h
.text:004016A6 mov     [esp+28h+var_1E], cl
.text:004016AA movzx   ecx, byte ptr [eax+8]
.text:004016AE mov     [esp+28h+var_1D], dl
.text:004016B2 movzx   edx, byte ptr [eax+9]
.text:004016B6 xor     cl, 0BFh
.text:004016B9 xor     dl, 45h
.text:004016BC mov     [esp+28h+var_1C], cl
.text:004016C0 movzx   ecx, byte ptr [eax+0Ah]
.text:004016C4 mov     [esp+28h+var_1B], dl
.text:004016C8 movzx   edx, byte ptr [eax+0Bh]
.text:004016CC xor     cl, 3Bh
.text:004016CF xor     dl, 56h
You can decode it from IDA's Python scripting by going to
File -> Script command
and entering code like the following,
where 'd' holds the encoded bytes as a hex string
and each print statement applies the XOR key (or, for byte 2, the NOT) taken from the matching instruction in the routine above:

from textwrap import wrap
d = "ce279c1a952e22579121573a"   # encoded bytes copied from the hex dump above
enc = [int(b, 16) for b in wrap(d, 2)]   # split into one integer per byte
# one print per byte, mirroring the xor/not applied to cl/dl in the routine
print(chr(enc[0] ^ 0xa3))
print(chr(enc[1] ^ 0x54))
print(chr((~enc[2]) & 0xFF))   # byte 2 is decoded with NOT, not XOR
print(chr(enc[3] ^ 0x75))
print(chr(enc[4] ^ 0xe7))
print(chr(enc[5] ^ 0x44))
print(chr(enc[6] ^ 0x4b))
print(chr(enc[7] ^ 0x23))
print(chr(enc[8] ^ 0xbf))
print(chr(enc[9] ^ 0x45))
print(chr(enc[10] ^ 0x3b))
print(chr(enc[11] ^ 0x56))


Thus in this example
d = "ce279c1a952e22579121573a"
prints out (one character per line)
mscorjit.dll

which is a library the malware is going to load.
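Typing out one print per byte does not scale to longer strings, so here is an added example (not code from the original post) that recovers the per-byte transform directly from the listing text: it tracks which source offset each of cl/dl holds after a movzx and records the xor key or not applied to it, then applies the table to the encoded bytes. The LISTING is the first ten instructions of the routine quoted above (bytes 0..3), so only the first four encoded bytes are decoded here; the same parser works unchanged on the rest of the listing.

```python
import re

# Bytes 0..3 of the decode routine, quoted from the IDA listing above
# (added example; the parser below is not from the original post).
LISTING = """\
.text:00401658 movzx   ecx, byte ptr [eax]
.text:0040165B movzx   edx, byte ptr [eax+1]
.text:0040165F xor     cl, 0A3h
.text:00401662 xor     dl, 54h
.text:00401665 mov     [esp+28h+memcpySource], cl
.text:00401669 movzx   ecx, byte ptr [eax+2]
.text:0040166D mov     [esp+28h+var_23], dl
.text:00401671 movzx   edx, byte ptr [eax+3]
.text:00401675 not     cl
.text:00401677 xor     dl, 75h
"""

# movzx e?x, byte ptr [eax+N]  -> register ? now holds source byte N (IDA hex, e.g. 0Ah)
LOAD = re.compile(r"movzx\s+e([a-d])x,\s*byte ptr \[eax(?:\+([0-9A-Fa-f]+)h?)?\]")
# xor ?l, KEYh / not ?l         -> the transform applied to that byte
XOR = re.compile(r"\bxor\s+([a-d])l,\s*([0-9A-Fa-f]+)h")
NOT = re.compile(r"\bnot\s+([a-d])l")

def ops_from_listing(text):
    """Walk the listing, remembering which offset each low byte register holds,
    and record the transform applied to it. Returns {offset: ('xor'|'not', key)}."""
    held, ops = {}, {}
    for line in text.splitlines():
        if m := LOAD.search(line):
            held[m.group(1)] = int(m.group(2) or "0", 16)
        elif m := XOR.search(line):
            ops[held[m.group(1)]] = ("xor", int(m.group(2), 16))
        elif m := NOT.search(line):
            ops[held[m.group(1)]] = ("not", 0)
    return ops

def decode(hexstr, ops):
    """Undo the per-byte transform; xor with a constant and not are both self-inverse."""
    out = []
    for i, b in enumerate(bytes.fromhex(hexstr)):
        op, key = ops[i]   # KeyError means the listing covers fewer bytes than given
        out.append(~b & 0xFF if op == "not" else b ^ key)
    return bytes(out).decode("latin-1")

if __name__ == "__main__":
    ops = ops_from_listing(LISTING)
    print(decode("ce279c1a", ops))   # msco
```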
