Forum Discussion
python-scripting-for-malware-analysis-ep-5-code-obfuscation
- 6 months ago
there are several steps you need to do.
- identify the block which you need to 'carve out' in binary
- then use routine #1 to process the data (tip: it's about swapping)
- then use routine #2 to further process the data (tip: it's about xor but not with the password mentioned in Q3)
- then use routine #3 to process the data (tip: it's about adding something to each byte)
and then I think you'll see it somewhere as a string at the end of the output. xx.xxxxxxxx.tld
hope that helps.
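An added example (not code from the thread or the lab) of the carve, swap, xor, add pipeline described above in Python, finishing with a hostname scan that does not require a scheme. The XOR key, the per-byte constant, the offset and the sample hostname are constructed placeholders; the lab's real values have to be read out of the binary.

```python
import re
from typing import List

# Assumed values for this example only; the real key and constant come from
# the sample's own routines, not from this script.
XOR_KEY = b"k3y"
ADD_CONST = 7


def swap_pairs(data: bytes) -> bytes:
    """Routine #1: swap each adjacent byte pair (a trailing odd byte is kept)."""
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def xor_key(data: bytes, key: bytes) -> bytes:
    """Routine #2: repeating-key XOR over the block."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def add_const(data: bytes, k: int) -> bytes:
    """Routine #3: add a constant to every byte, wrapping at 256."""
    return bytes((b + k) & 0xFF for b in data)


def decode(blob: bytes, key: bytes = XOR_KEY, k: int = ADD_CONST) -> bytes:
    """Apply the three routines in the order the thread lists them."""
    return add_const(xor_key(swap_pairs(blob), key), k)


def encode(plain: bytes, key: bytes = XOR_KEY, k: int = ADD_CONST) -> bytes:
    """Inverse of decode, used only to build the constructed sample below."""
    return swap_pairs(xor_key(add_const(plain, -k), key))


def carve(binary: bytes, offset: int, length: int) -> bytes:
    """Cut the obfuscated block out of the binary at a known offset."""
    return binary[offset:offset + length]


# Host pattern: labels joined by dots, no scheme required (no http://, ftp://).
HOST_RE = re.compile(rb"(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}")


def find_hosts(data: bytes) -> List[str]:
    """Return every FQDN-looking string in the decoded block."""
    return [m.decode() for m in HOST_RE.findall(data)]


# Constructed binary: padding, the obfuscated hostname, more padding.
SAMPLE_HOST = b"ab.examplehost.test"
SAMPLE_BINARY = b"\x00" * 16 + encode(SAMPLE_HOST) + b"\xff" * 8

if __name__ == "__main__":
    print(find_hosts(decode(carve(SAMPLE_BINARY, 16, len(SAMPLE_HOST)))))
```

Running `strings` on the decoded block would show the same hostname; the regex just saves reading through the output by hand.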
Thanks for this - this is what I've already tried.
I've done each step of the offered solution and done both xxd and strings on the data although I wasn't looking for .tld. I shall try it again tonight using that as a search value as I used 'http' 'ftp' and '://' as search values.
Thanks again.
- steven (Silver II), 6 months ago
naah.. there's no ftp, http, :, ://, ... it's just
ix.sixxwxxlxxxxxxx.xs (where x is [a-z]).
- netcat (Silver III), 6 months ago
A URL would contain a scheme, but the lab questions often lack concise wording. The right advice was already given: look for a host (IP address or FQDN).
- RobN (Bronze III), 6 months ago
When you read this within the code block, was it three whole blocks of characters separated by the '.', i.e. was it clear to read? I can see part of this using xxd, but it's still obfuscated by code more than 7a in hex.
- steven (Silver II), 6 months ago
I hope that helps?