Forum Discussion

RobN's avatar
RobN
Icon for Bronze III rankBronze III
2 months ago
Solved

python-scripting-for-malware-analysis-ep-5-code-obfuscation

Has anyone attempted this lab? I appear to be stuck after creating a python script to put the code through the loops - I can produce a deobfuscated block but have inspected it using both xxd and stri...
defensive cyber
  • steven's avatar
    steven
    2 months ago

    there are several steps you need to do. 

    1. identify the block which you need to 'carve out' in binary
    2. then use routine #1 to process the data (tip: it's about swapping)
    3. then use routine #2 to further process the data (tip: it's about xor but not with the password pentioned in Q3)
    4. then use routine #3 to process the data (tip: it's about adding something to each byte)

    and then I think you'll see it somewhere as string at the end of the output. xx.xxxxxxxx.tld

    hope that helps.

steven's avatar
steven
Icon for Silver I rankSilver I
2 months ago

there are several steps you need to do. 

  1. identify the block which you need to 'carve out' in binary
  2. then use routine #1 to process the data (tip: it's about swapping)
  3. then use routine #2 to further process the data (tip: it's about xor but not with the password pentioned in Q3)
  4. then use routine #3 to process the data (tip: it's about adding something to each byte)

and then I think you'll see it somewhere as string at the end of the output. xx.xxxxxxxx.tld

hope that helps.

RobN's avatar
RobN
Icon for Bronze III rankBronze III
2 months ago

Thanks for this - this is what I've already tried.

I've done each step of the offered solution and done both xxd and strings on the data although I wasn't looking for .tld. I shall try it again tonight using that as a search value as I used 'http' 'ftp' and '://' as search values.

Thanks again.

 

  • steven's avatar
    steven
    Icon for Silver I rankSilver I
    2 months ago

    naah.. there's no ftp, http, :, ://, ... ist just 
    ix.sixxwxxlxxxxxxx.xs  (where x is [a-z]).

    • netcat's avatar
      netcat
      Icon for Silver I rankSilver I
      2 months ago

      An URL would contain a scheme, but the lab questions often lack concise wording. The right advice was already given: Look for a host (ip address or fqdn).

    • RobN's avatar
      RobN
      Icon for Bronze III rankBronze III
      2 months ago

      When you read this within the code block was it three whole blocks of characters separated by the ., ie was it clear to read? I can see part of this using xxd but its still obfuscated by code more than 7a in hex.

      • steven's avatar
        steven
        Icon for Silver I rankSilver I
        2 months ago

        I hope that helps?