Ghidra Basics – Identifying, Decoding and Fixing Encrypted Strings (Paid Module)

by Prapattimynk, Wednesday, 6 December 2023 (3 months ago)


Manual identification, decryption and fixing of encrypted strings using Ghidra and x32dbg.

In this post, we will investigate a Vidar Malware sample containing suspicious encrypted strings. We will use Ghidra cross references to analyse the strings and identify the location where they are used.

Using this we will locate a string decryption function, and utilise a debugger to intercept input and output to obtain decrypted strings.

We will then semi-automate the process, obtaining a full list of decoded strings that can be used to fix the previously obfuscated Ghidra database.

Summary

During basic analysis of a Vidar file, we can see a large number of base64 strings. These strings cannot be decoded with base64 alone, as an additional layer of encryption is applied on top of the encoding. By using Ghidra string references we can see where each base64 string is used, and hence locate the function responsible for decoding it.

With a decoding function found, it is trivial to identify the “start” and “end” of the decryption process. Using this knowledge we can load the file into a debugger and set breakpoints at the beginning and end of the decoding function. This lets us view the input (encoded string) and output (decoded string) without needing to reverse engineer the decryption routine itself.

By attaching a simple log command to each breakpoint in the debugger (x32dbg), we can have x32dbg print the value passed in at the start of the decryption function and the value returned at its end, every time the function is hit. This is a form of automation that is simple to implement without any coding knowledge.

Once the encrypted/decrypted pairs have been obtained, we can use them to manually edit the original Ghidra file and gain a deeper understanding of the malware’s hidden functionality.
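The last two steps (turning the breakpoint log into encoded/decoded pairs and pushing them back into the Ghidra database) can be scripted. The example below is added here and is not code from the original post: the log format, addresses and string values are constructed for illustration, and the Ghidra part assumes the FlatProgramAPI globals that Ghidra provides to scripts run from its Script Manager.

```python
import re

# Constructed sample of an x32dbg breakpoint log (not from the post). The "start"
# breakpoint logs the encoded argument, the "end" breakpoint logs the decoded
# result; the exact line format is an assumption made for this example.
SAMPLE_LOG = """\
start 0040A1F0 in=kN7xQ2wTb3Y=
end   0040A2C4 out=sqlite3.dll
start 0040A1F0 in=Yz1Qd29hZGU=
end   0040A2C4 out=ProgramData
"""

LINE_RE = re.compile(r"^(start|end)\s+[0-9A-Fa-f]+\s+(?:in|out)=(.*)$")


def parse_decrypt_log(text):
    """Pair each 'start' (encoded input) with the next 'end' (decoded output)
    and return {encoded: decoded}. An 'end' with no preceding 'start' is
    dropped; a second 'start' before an 'end' replaces the pending input."""
    mapping, pending = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, value = m.groups()
        if kind == "start":
            pending = value
        elif pending is not None:
            mapping[pending] = value
            pending = None
    return mapping


def annotate_ghidra(mapping):
    """Ghidra script half (runs only inside Ghidra's Jython): for every defined
    string whose value is a known encoded input, put the decoded value as an
    end-of-line comment at each cross-reference to that string. Assumes the
    globals currentProgram and getReferencesTo injected by FlatProgramAPI."""
    from ghidra.program.model.listing import CodeUnit  # assumed Ghidra import
    listing = currentProgram.getListing()
    for data in listing.getDefinedData(True):
        if not data.hasStringValue():
            continue
        decoded = mapping.get(str(data.getValue()))
        if decoded is None:
            continue
        for ref in getReferencesTo(data.getAddress()):
            listing.setComment(ref.getFromAddress(), CodeUnit.EOL_COMMENT,
                               "decrypted: " + decoded)
```

Run `parse_decrypt_log` on the saved x32dbg log outside Ghidra to check the pairs, then paste both functions into a Ghidra Python script and call `annotate_ghidra(parse_decrypt_log(open(path).read()))` against the loaded sample.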

Obtaining the Full Post

The full post is available for paid members of the site. Signup provides access to all in-depth Ghidra and Reverse Engineering posts at a fraction ($10USD p/m) of the price of other educational content (often $200USD+). If you’re curious, see what others think of our content.

If you’re unable to sign up, consider reading some free posts from the Reverse Engineering or Threat Intelligence section.

Comments
