Sample
- SHA256: 4029f9fcba1c53d86f2c59f07d5657930bd5ee64cca4c5929cbd3142484e815a
- Difficulty: medium
- Platform: Windows
- Tags: string deobfuscation
- Submitter: larsborn
Analysis
Goal
Identify and reverse engineer the string deobfuscation function in this sample. Write a binary refinery pipeline to emulate it. Bonus points if you manage to write a Ghidra script.
Description
- The string deobfuscation function is located at address 0x030a3340.
- It uses XOR with a global key of length 17 to decrypt strings.
Recommended Tools
- Ghidra