Hi Guys,
I would like to continue my previous post on hiding strings from the malware analyst or anti-malware software.
There are many techniques to hide strings from static analysis, whether it is done by anti-malware software or by a human analyst. The most common, yet still effective, technique I found used by malware is XOR obfuscation. I also found some malware using heavier encryption for the same evasion, such as Bcrypt or AES.
We will discuss a simple XOR implementation to make the idea easier to grasp. I also want to help reversers recognise the XOR code in assembly.
The source code (compiled as C++, hence the iostream include) is below:
#include <iostream>
#include <cstring>   // strlen
#include <cstdio>    // printf

void encryptDecrypt(char inpString[])
{
    // Define XOR key
    // Any character value will work; '9' is the byte 0x39 (57 decimal)
    char xorKey = '9';
    // calculate length of input string
    int len = strlen(inpString);
    // perform XOR operation of key
    // with every character in string
    for (int i = 0; i < len; i++)
    {
        inpString[i] = inpString[i] ^ xorKey;
    }
}

int main()
{
    char sampleString[] = "kPVfxJTXKX";
    encryptDecrypt(sampleString);
    // use a format string; passing the buffer directly as the format is unsafe
    printf("%s\n", sampleString);
    return 0;
}
The code above XORs each character of sampleString (kPVfxJTXKX) with the single-byte key '9' (0x39) defined in the code. Because XOR is its own inverse, the same function both obfuscates and restores the string; the expected result is Rio_Asmara.
Let's see what the encryptDecrypt function looks like in assembly. The binary was compiled with debugging symbols.
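Before moving to the assembly, here is the analyst's side of the same trick: an added example (not code from the original post) showing how a single-byte XOR string can be recovered once the obfuscated bytes have been pulled out of a sample. It assumes the analyst either knows a plaintext fragment (a "crib", here the constructed guess "Rio" at offset 0) or is willing to brute-force all 256 keys and filter on printable output. The function names and the sample_blob constant are my own; the blob itself is the obfuscated string from the code above.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the obfuscated string from the blog post's C code. */
static const unsigned char sample_blob[] = "kPVfxJTXKX";
#define SAMPLE_LEN 10

/* XOR every byte of buf with a single-byte key, in place.
   Applying it twice restores the original, which is why the post's
   encryptDecrypt() works in both directions. */
void xor_single_byte(unsigned char *buf, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Recover the key from a crib: a plaintext fragment expected at offset 0
   (a known file name, URL scheme, API name, ...). Returns the key (0..255)
   if every crib byte agrees on the same key, or -1 if the crib cannot be
   explained by a single-byte XOR. */
int recover_key_from_crib(const unsigned char *cipher, size_t len,
                          const char *crib)
{
    size_t crib_len = strlen(crib);
    if (crib_len == 0 || crib_len > len)
        return -1;
    int key = cipher[0] ^ (unsigned char)crib[0];
    for (size_t i = 1; i < crib_len; i++) {
        if ((cipher[i] ^ (unsigned char)crib[i]) != key)
            return -1;
    }
    return key;
}

/* 1 if XORing the whole buffer with key yields only printable ASCII. */
int is_printable_under_key(const unsigned char *cipher, size_t len,
                           unsigned char key)
{
    for (size_t i = 0; i < len; i++)
        if (!isprint(cipher[i] ^ key))
            return 0;
    return 1;
}

/* Brute force: how many of the 256 keys pass the printable filter.
   For short strings many keys survive (the identity key 0x00 always does
   when the blob is already printable), so this narrows the search rather
   than finishing it; a crib or a human eye picks the right candidate. */
int count_printable_candidates(const unsigned char *cipher, size_t len)
{
    int n = 0;
    for (int key = 0; key < 256; key++)
        n += is_printable_under_key(cipher, len, (unsigned char)key);
    return n;
}

/* Decode into a static NUL-terminated buffer (truncated at 255 bytes). */
const char *decode_to_static(const unsigned char *cipher, size_t len,
                             unsigned char key)
{
    static char out[256];
    if (len >= sizeof out)
        len = sizeof out - 1;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)(cipher[i] ^ key);
    out[len] = '\0';
    return out;
}

int main(void)
{
    printf("%d of 256 keys give fully printable output\n",
           count_printable_candidates(sample_blob, SAMPLE_LEN));

    int key = recover_key_from_crib(sample_blob, SAMPLE_LEN, "Rio");
    if (key >= 0)
        printf("crib \"Rio\" -> key 0x%02x -> \"%s\"\n", key,
               decode_to_static(sample_blob, SAMPLE_LEN, (unsigned char)key));

    /* Round trip on a local copy, mirroring encryptDecrypt() twice. */
    unsigned char copy[SAMPLE_LEN + 1];
    memcpy(copy, sample_blob, sizeof copy);
    xor_single_byte(copy, SAMPLE_LEN, 0x39);
    printf("decoded: %s\n", copy);
    xor_single_byte(copy, SAMPLE_LEN, 0x39);
    printf("re-encoded: %s\n", copy);
    return 0;
}
```

The crib approach is the usual shortcut in practice: once one string in a sample is known (for example a DLL name the loader must resolve), the key falls out immediately and every other blob XORed with the same key decodes for free.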

The pattern of an XOR function will almost always look like the one above. So let's analyze the code. Below is the XOR function's operation after static analysis, which may help with further analysis. Focus on the yellow-highlighted lines and compare them with the original assembly code above, before analysis.

You can follow the code above when reversing a single-key XOR operation. There will be slight differences, but the core of the operation is similar from one malware sample to another.