Forum Discussion

RobN's avatar
RobN
Bronze III
1 year ago
Solved

python-scripting-for-malware-analysis-ep-5-code-obfuscation

Has anyone attempted this lab? I appear to be stuck after creating a python script to put the code through the loops - I can produce a deobfuscated block but have inspected it using both xxd and strings but was unable to find a hidden url. Curious if anybody has solved it yet.

defensive cyber
  • steven's avatar
    steven
    1 year ago

    there are several steps you need to do. 

    1. identify the block which you need to 'carve out' in binary
    2. then use routine #1 to process the data (tip: it's about swapping)
    3. then use routine #2 to further process the data (tip: it's about xor but not with the password pentioned in Q3)
    4. then use routine #3 to process the data (tip: it's about adding something to each byte)

    and then I think you'll see it somewhere as string at the end of the output. xx.xxxxxxxx.tld

    hope that helps.

13 Replies

  • steven's avatar
    steven
    Icon for Ambassador rankAmbassador
    1 year ago

    there are several steps you need to do. 

    1. identify the block which you need to 'carve out' in binary
    2. then use routine #1 to process the data (tip: it's about swapping)
    3. then use routine #2 to further process the data (tip: it's about xor but not with the password pentioned in Q3)
    4. then use routine #3 to process the data (tip: it's about adding something to each byte)

    and then I think you'll see it somewhere as string at the end of the output. xx.xxxxxxxx.tld

    hope that helps.

    • RobN's avatar
      RobN
      Bronze III
      1 year ago

      Thanks for this - this is what I've already tried.

      I've done each step of the offered solution and done both xxd and strings on the data although I wasn't looking for .tld. I shall try it again tonight using that as a search value as I used 'http' 'ftp' and '://' as search values.

      Thanks again.

       

      • steven's avatar
        steven
        Icon for Ambassador rankAmbassador
        1 year ago

        naah.. there's no ftp, http, :, ://, ... ist just 
        ix.sixxwxxlxxxxxxx.xs  (where x is [a-z]).

  • ArthurDent's avatar
    ArthurDent
    Bronze III
    1 month ago

    I've grabbed the obfuscatedData, and run it through the deobfuscation code but don't see anything in there that looks like a domain. My deobfuscated data starts with 0x6b 0x42 0xce 0x7f. is that correct or do I have something wrong with my code?

    • ArthurDent's avatar
      ArthurDent
      Bronze III
      30 days ago

      Figured out my problem. Incorrect indexing used for the second routine.