Forcefully Decoding All Strings with Python
By instrumenting code in a debugger, you can force the malware to decode all of its strings without executing any of its malicious payloads. Here are the basic steps that the script takes:
1. It uses imm.getXrefFrom to enumerate all cross-references to the decoding function.
2. Starting at the address of the cross-reference, it disassembles backwards (i.e., in a reverse direction) looking for the mov r32, ADDR instruction, where r32 represents any 32-bit register and the ADDR operand is the address of the encoded string.
3. It reads a copy of the encoded string and saves it for logging purposes.
4. It sets EIP to the address of the cross-reference (the instruction which calls the decoding function), moves the string pointer onto the stack (twice, once for each argument), and uses imm.stepOver to execute the decoding function.
5. It reads a copy of the decoded string and prints it along with the encoded version saved in Step 3.
6. It repeats these steps for each string in the binary.
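An added Python sketch of that loop (not the book's script) written against the Immunity Debugger PyCommand calls the text names, imm.getXrefFrom and imm.stepOver, plus disasmBackward, readString, getRegs, setReg and writeLong, which are assumed here; FakeImm is a constructed stand-in with a one-byte XOR decoder so the loop can be exercised outside the debugger.

```python
import re

# Matches "MOV r32, ADDR": any 32-bit general register and an immediate operand
# (Immunity prints operands uppercase, e.g. "MOV EAX,00401F00"; assumed format).
MOV_R32_ADDR = re.compile(r"^MOV (E[ABCD]X|E[SD]I|E[BS]P),([0-9A-F]{1,8})$")

def find_string_pointer(imm, call_addr, max_back=8):
    """Disassemble backwards from the call site; return the ADDR operand or None."""
    for ins in imm.disasmBackward(call_addr, max_back):
        m = MOV_R32_ADDR.match(ins.getDisasm())
        if m:
            return int(m.group(2), 16)
    return None

def decode_all_strings(imm, decoder_addr):
    """Force every call site of the decoder and collect (site, encoded, decoded)."""
    results = []
    for call_addr, _xref_type in imm.getXrefFrom(decoder_addr):
        ptr = find_string_pointer(imm, call_addr)
        if ptr is None:
            continue                      # no recognisable string argument
        encoded = imm.readString(ptr)     # saved before decoding, for the log
        imm.setReg("EIP", call_addr)      # resume exactly at the CALL instruction
        esp = imm.getRegs()["ESP"]
        imm.writeLong(esp, ptr)           # same pointer twice, one per argument
        imm.writeLong(esp + 4, ptr)
        imm.stepOver()                    # run the decoder, stop after the CALL
        results.append((call_addr, encoded, imm.readString(ptr)))
    return results

class FakeIns(str):                       # constructed: mimics an opcode object
    def getDisasm(self): return str(self)

class FakeImm:
    """Constructed stand-in for the imm object: one call site, 1-byte XOR decoder."""
    def __init__(self):
        self.mem = bytearray(0x2000)
        self.mem[0x400:0x406] = bytes(b ^ 0x5A for b in b"Hello") + b"\0"
        self.regs = {"EIP": 0, "ESP": 0x1000}
        self.listing = {0x401001: "MOV EAX,00000400", 0x401006: "PUSH EAX",
                        0x401007: "PUSH EAX", 0x401008: "CALL 00402000"}
    def getXrefFrom(self, addr): return [(0x401008, "call")] if addr == 0x402000 else []
    def disasmBackward(self, addr, n):
        before = [a for a in sorted(self.listing) if a < addr][-n:]
        return [FakeIns(self.listing[a]) for a in reversed(before)]
    def readString(self, addr): return self.mem[addr:self.mem.index(0, addr)].decode("latin-1")
    def getRegs(self): return dict(self.regs)
    def setReg(self, name, value): self.regs[name] = value
    def writeLong(self, addr, value): self.mem[addr:addr + 4] = value.to_bytes(4, "little")
    def stepOver(self):                   # "executes" the decoder on the pointer at [ESP]
        i = int.from_bytes(self.mem[self.regs["ESP"]:self.regs["ESP"] + 4], "little")
        while self.mem[i]: self.mem[i] ^= 0x5A; i += 1
```

Inside the debugger the same two functions run with the real imm object passed in by the PyCommand entry point.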