IDA PRO save decrypted string from memory

Hi Guys,

I want to share a feature in IDA that help you to do static analyses more easy. I have an application that will decrypt a string loaded from data section memory in the PE. We know that it is quite hard to static analyses where some data only available during debugging such as decryption of string.

I made a simple application that will decrypt a string during runtime. Since the decrypted string will only available during runtime then it is hard to do static analyses such as code below. all string still in the encrypted form

Let see the original c codes

#include "stdafx.h"

#include "stdio.h"
#include "stdlib.h"
#include "string.h"

#include "Base64_RC4.h"

char src[64] = { 'U','m','l','v','I','E','F','z','b','W','F','y','Y','S','B','T','d','X','J','5','Y','W','R','p' };
char dst[64];

void main()
	CBase64  base64;
	printf("Decoded string: %s\n",dst);
	memcpy(src, dst, 64);
	memset(dst, 0, sizeof(dst));
	memset(src, 0, sizeof(src));

We can see there the variable dst will be filled in with the decrypted string from the src variable and later the result in dst will be copied back to src using mempcy function.

There is a functionality in IDA in order to take snapshot of the memory during debuggin mode.

This command copies the contents of the process memory to the database. It is available during a debugging session. The memory contents will be copied to the database. The user may specify that only the segments with the ‘loader’ attribute will be saved in the database.

The segments with the loader attribute are created by the input file loader and usually contain information from the input file. However, in some cases (like attaching to an existing process), there will not be any loader segments because the input file was not loaded by IDA.

Ok now lets do the snapshot. We can identify the code that does the decyption in the assembly code as yellow highlighted below.

We can see that the above code after the decryption has been called we realize that the decrypted string will be copied back to the source memory address with the call memcpy.

Before mempcy src variable still has decrypted value

After memcpy src variable has been overwritten with the decrypted value

In order to do memory snapshot, the application should be in the state of paused with break point. So i put the break point just after the memcpy call.

Here is the steps

  1. Run the application with the debug mode after you set the break point
  2. Go to Debugger –> Take memory snapshot
  3. Select Loader segments
  4. After the process done and select File –> Save
  5. Then you can stop the debugging and continue with static analyses

Now, we can see the different here, although we are in the static mode we can see the string just like it has been decrypted

Now the data segment is just like it has been decrypted

So with that string available for static analyses then it is easier for us to dig dive the code.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s