Sample

Metadata

SHA256: 4eb33ce768def8f7db79ef935aabf1c712f78974237e96889e1be3ced0d7e619
Difficulty: easy
Platform: Windows
Tags: string deobfuscation
Likes: 2
Views: 3
Submitter: larsborn

Analysis

Goal

Identify and reverse engineer the string deobfuscation function. Bonus points if you can write a Ghidra script to emulate it.

Description

the string deobfuscation function is located at 0x004027e1
it uses XOR with a fixed key to decrypt strings

Recommended Tools

ghidra

Solutions

String Obfuscation in the Hamweq IRC-bot Reference by larsborn

Comments

Please login to view and post comments.