Forum Discussion
Malware Analysis: Shlayer
- 5 months ago
Mmmhh, I looked at the lab to help you. Noticed it was a hard one. Tried what was in my mind for the XOR key and it was right. This key only has 2 chars. A number and a letter. Try searching for ^ in Ghidra.
good luck :)
Hi Gus, thank you - I checked this; the __DATA__bss section where the variable values are kept (that are referred to in the function) Ghidra represents as undefined bytes. I'm currently checking other obfuscated data in the binary.
- RobN, 5 months ago
Bronze III
Sorted this now, I went on a tangent!
- RobH, 24 days ago
Bronze I
Hi Rob, I was wondering if you remembered enough about this to give me a hint? I feel like I'm checking everywhere for the hex beneath the zzz43...24cl portions, but I'm just not finding anything conclusive.
- RobN, 23 days ago
Bronze III
Hi RobH,
I'll check my notes later, see what I can find. I'll take another look at the lab too - looking at my answer I went the long way round to find it.