The aim for this first challenge was to reverse engineer the string decryption routine to develop a script to automate decryption of the strings. This challenge could be completed without the use of disassembler-specific plugins (e.g. IDA Python), and could simply involve patching the .BSS section of the unpacked payload with the decrypted strings, and proceeding to analyse the sample from there. That is the approach we will be taking in this write-up, as we will most likely be doing a lot more IDA Python stuff later.

Approach

As mentioned, there are at least two approaches you could have taken with this challenge: patch the strings within the context of a disassembler, or patch the entire section without using disassembler functionality, instead opening the file, locating the correct section, and overwriting it. We will be focusing on the second approach. I chose to use for unpacking this sample, as I didn't have access to a virtual machine setup for dynamic analysis, and so it was as simple as uploading the sample, waiting for it to unpack, and downloading the unpacked payload. This particular packer is pretty simple though and can be unpacked through simple breakpoints on VirtualAlloc and VirtualProtect. To successfully implement a script to decrypt all on-board strings, we need to understand how the strings are encrypted.
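The file-level approach described above (open the file, locate the section, overwrite it) as an added example, not code from the original write-up: it parses the PE section table by hand so no third-party library is needed, and it refuses writes that fall outside the section's raw data, which matters because a genuine .bss has no bytes on disk while a dumped payload usually does. The minimal PE, the section name .bss, the RVAs and the "decrypted" strings are all constructed for the demonstration; the string decryption routine itself is not shown here.

```python
import struct

def find_section(pe: bytes, name: bytes) -> tuple[int, int, int]:
    """Locate a section by name in the PE section table (parsed by hand, no pefile needed).
    Returns (VirtualAddress, PointerToRawData, SizeOfRawData)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt             # section table follows the optional header
    for i in range(num_sections):
        entry = table + i * 40               # IMAGE_SECTION_HEADER is 40 bytes
        if pe[entry:entry + 8].rstrip(b"\0") == name:
            _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, entry + 8)
            return va, raw_ptr, raw_size
    raise ValueError(f"section {name!r} not found")

def patch_strings(pe: bytes, section: bytes, decrypted: dict[int, bytes]) -> bytes:
    """Overwrite each already-decrypted string at its RVA inside the named section.
    A real .bss has no raw data on disk; an unpacked/dumped payload does, and the
    bounds check rejects any write that would land outside the section's file bytes."""
    va, raw_ptr, raw_size = find_section(pe, section)
    buf = bytearray(pe)
    for rva, data in decrypted.items():
        rel = rva - va
        if rel < 0 or rel + len(data) > raw_size:
            raise ValueError(f"RVA {rva:#x} (+{len(data)} bytes) is outside {section!r} raw data")
        buf[raw_ptr + rel:raw_ptr + rel + len(data)] = data
    return bytes(buf)

def build_sample_pe() -> bytes:
    """Constructed minimal PE (not a real binary): one section '.bss' with 0x40 bytes
    of raw data at file offset 0x200, mapped at RVA 0x3000."""
    e_lfanew = 0x40
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = b"\0" * 0xE0                       # PE32 optional header, zeroed: not consulted above
    sect = struct.pack("<8sIIIIIIHHI", b".bss", 0x40, 0x3000, 0x40, 0x200, 0, 0, 0, 0, 0xC0000080)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0") + b"\0" * 0x40
```

On a real unpacked payload, replace build_sample_pe() with the file's bytes and feed patch_strings() the RVA-to-plaintext map produced by your decryption script, then write the result to a new file rather than over the original.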