Sample

Metadata

SHA256
67f8302a2fd28d15f62d6d20d748bfe350334e5353cbdef112bd1f8231b5599d
Difficulty
medium
Platform
Windows
Tags
string deobfuscation
Likes
1
Views
2
Submitter
larsborn

Analysis

Goal

Find and reverse engineer the string deobfuscation function in the sample. Create a binary refinery pipeline to decrypt the strings. Bonus points if you manage to write a Ghidra script to decrypt them all.

Description
  1. the string deobfuscation function is called very often
  2. the address of the string deobfuscation function is 0x0040c8f5
  3. the function might have the wrong signature, use "Use Custom Storage" in the function signature dialog to correct it
  4. it receives two arguments, one in EAX, one in EDI
  5. the function operates on global memory that is an array of structs
  6. those structs have three fields, one of type byte followed by a byte of padding, the second field is of type word and the last of type dword
  7. the first field element is an XOR key, the second specifies the length of the buffer pointed to by the third
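The hints above describe a global array of 8-byte entries (byte XOR key, padding byte, word length, dword pointer). The following Python is an added illustration, not the challenge's own solution or code from the sample: it parses such a table from a flat, unrelocated image and applies the single-byte XOR to each referenced buffer. The image base, the table address, the entry count, the packed little-endian layout, and the repeated single-byte XOR are all assumptions (the page gives only the function address), and the image it decodes is constructed inline, so nothing here reflects the real sample's contents. A Ghidra script would read the same fields from program memory instead of a byte buffer, and a binary refinery pipeline would apply the same key/length/pointer walk per entry.

```python
import struct
from dataclasses import dataclass
from typing import List

# Constructed sample layout (assumption; the real sample's image base and
# table address are not given on the page, only the function address).
IMAGE_BASE = 0x00400000

# Entry layout taken from the hints: byte XOR key, one padding byte,
# word length, dword pointer. Packed little-endian is an assumption.
ENTRY_FMT = "<BxHI"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 8 bytes


@dataclass
class StringEntry:
    key: int      # single-byte XOR key
    length: int   # number of encrypted bytes at `pointer`
    pointer: int  # virtual address of the encrypted buffer


def va_to_offset(va: int, image: bytes) -> int:
    """Map a virtual address to an offset in a flat, unrelocated image."""
    off = va - IMAGE_BASE
    if off < 0 or off >= len(image):
        raise ValueError(f"address {va:#010x} is outside the image")
    return off


def parse_table(image: bytes, table_va: int, count: int) -> List[StringEntry]:
    """Read `count` consecutive entries of the global struct array."""
    base = va_to_offset(table_va, image)
    entries = []
    for i in range(count):
        key, length, ptr = struct.unpack_from(ENTRY_FMT, image, base + i * ENTRY_SIZE)
        entries.append(StringEntry(key, length, ptr))
    return entries


def decrypt_entry(image: bytes, entry: StringEntry) -> bytes:
    """Apply the single-byte XOR key across the buffer the entry points to."""
    start = va_to_offset(entry.pointer, image)
    if start + entry.length > len(image):
        raise ValueError(f"buffer at {entry.pointer:#010x} runs past the image")
    return bytes(b ^ entry.key for b in image[start:start + entry.length])


def decrypt_all(image: bytes, table_va: int, count: int) -> List[bytes]:
    """Decrypt every string referenced by the table, in table order."""
    return [decrypt_entry(image, e) for e in parse_table(image, table_va, count)]


def build_sample_image(plaintexts, keys, table_va, data_va) -> bytes:
    """Constructed test image: struct table at table_va, XOR-encrypted buffers at data_va."""
    table = bytearray()
    data = bytearray()
    for text, key in zip(plaintexts, keys):
        ptr = data_va + len(data)
        table += struct.pack(ENTRY_FMT, key, len(text), ptr)
        data += bytes(b ^ key for b in text)
    end = max(table_va + len(table), data_va + len(data)) - IMAGE_BASE
    image = bytearray(end)
    image[table_va - IMAGE_BASE:table_va - IMAGE_BASE + len(table)] = table
    image[data_va - IMAGE_BASE:data_va - IMAGE_BASE + len(data)] = data
    return bytes(image)


# Constructed inputs: placeholder addresses and strings, not from the real sample.
SAMPLE_TABLE_VA = 0x00410000
SAMPLE_DATA_VA = 0x00411000
SAMPLE_STRINGS = [b"kernel32.dll", b"CreateFileW", b"C:\\Windows\\Temp"]
SAMPLE_KEYS = [0x5A, 0x00, 0xFF]  # includes a zero key (no-op) and the 0xFF edge
SAMPLE_IMAGE = build_sample_image(SAMPLE_STRINGS, SAMPLE_KEYS, SAMPLE_TABLE_VA, SAMPLE_DATA_VA)


def demo() -> List[bytes]:
    """Walk the constructed table and return the recovered plaintexts."""
    return decrypt_all(SAMPLE_IMAGE, SAMPLE_TABLE_VA, len(SAMPLE_STRINGS))


if __name__ == "__main__":
    for i, s in enumerate(demo()):
        print(f"[{i}] {s!r}")
```

The bounds checks matter when the entry count is guessed: walking one entry past the real end of the table yields a garbage pointer, and failing loudly is better than silently emitting a few bytes of unrelated data as a "string".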
Recommended Tools

ghidra
