
Thread: IDA plugin: Extract (UnRot13) and analyze

  1. #1
    ZaiRoN (Join Date: Oct 2001; Location: Italy; Posts: 922; Blog Entries: 17)

    IDA plugin: Extract (UnRot13h) and analyze

    Some time ago I stumbled on a post at Offensive Computing where a user had some problems trying to figure out the encryption used by a malware (md5=36401cb9178232dde01b2788e8fc56f4).
    The malware contains 2 files located in the resource section. The files are encrypted; how to find out the encryption scheme? Well, using a debugger I would say. I didn't start any debugger btw, deciding to take a look at the files using a resource editor. It's a common thing to store files inside the resource section. Here are the starting bytes of the first file:



    If you know what the first common bytes in an exe file are, you should be able to figure out yourself which kind of encryption has been used. The presence of many 0x13 bytes is a nice hint: the file has been rot13h-ed (13h stands for 0x13).

    In an old blog entry (http://zairon.wordpress.com/2007/07/11/ida-plugin-extract-and-analyze/) I talked about a little IDA plugin able to extract and analyze a hidden file; I slightly changed the plugin, adding the possibility to un-rot13h the hidden file. Take a look at the simple dialog:



    You can download the plugin from: http://www.box.net/shared/static/1kzvon1x67.zip
    Last edited by ZaiRoN; October 27th, 2007 at 08:23.
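The detection heuristic the post describes (a PE padded with zeros shows up, after rot-0x13, as a file full of 0x13 bytes) can be automated. The following is an added example and not ZaiRoN's plugin; it generalizes slightly, guessing the rotation from the most frequent byte and confirming it against the `MZ` magic and the DOS-stub string, and the sample blob it decodes is constructed here, not taken from the malware.

```python
# Added example (not the plugin from the post): identify and undo a byte
# rotation such as the rot-0x13 applied to PE files hidden in a resource section.
from collections import Counter
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode"


def rotate(data: bytes, shift: int) -> bytes:
    """Add `shift` to every byte modulo 256 (rot-0x13 is shift=0x13)."""
    return bytes((b + shift) & 0xFF for b in data)


def guess_shift(data: bytes) -> Optional[int]:
    """Return the shift k such that rotate(data, -k) looks like a PE file.

    Heuristic from the post: PE headers are padded with zeros, so the most
    frequent byte of a rotated PE is the rotated 0x00, i.e. k itself. The
    guess is accepted only if undoing it yields the 'MZ' magic and the DOS
    stub string; otherwise None is returned (not a rotated PE).
    """
    if len(data) < 2:
        return None
    most_common, _ = Counter(data).most_common(1)[0]
    k = most_common  # 0x00 + k == most_common
    plain = rotate(data, -k)
    if plain[:2] == b"MZ" and DOS_STUB in plain:
        return k
    return None


def unrot(data: bytes) -> Optional[bytes]:
    """Decode a rotated PE blob, or return None when no shift is confirmed."""
    k = guess_shift(data)
    return None if k is None else rotate(data, -k)


# Constructed stand-in for a hidden file: a minimal MZ header region padded
# with zeros like a real PE header, then rot-0x13'ed the way the sample was.
_SAMPLE_PLAIN = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
                 + b"\x00" * 48 + DOS_STUB + b"\x00" * 16)
SAMPLE_ENCODED = rotate(_SAMPLE_PLAIN, 0x13)

if __name__ == "__main__":
    print(hex(guess_shift(SAMPLE_ENCODED)))  # 0x13
    print(unrot(SAMPLE_ENCODED)[:2])          # b'MZ'
```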

  2. #2
    You mean rot-0x13'd right? 13 is 0x0d.

  3. #3
    ZaiRoN
    Yes, sorry. I have to edit the post a little, just to make things clear.
    Thx for pointing it out.
