Some time ago I stumbled on a post at Offensive Computing where a user was having problems figuring out the encryption used by a malware sample (md5=36401cb9178232dde01b2788e8fc56f4).
The malware carries two files in its resource section, and both are encrypted. How do you find out the encryption scheme? With a debugger, I would say. I didn't start one, though; instead I took a look at the files with a resource editor (storing files inside the resource section is a common trick). Here are the starting bytes of the first file:
If you know what the first bytes of an exe file normally look like, you should be able to work out for yourself which kind of encryption was used. The presence of many 0x13 bytes is a nice hint: the file has been rot13h-ed. Just to be clear, I use the term rot13h, which is different from the well-known rot13 cipher.
In an old blog entry I talked about a little IDA plugin able to extract and analyze a hidden file; I slightly changed the plugin, adding the possibility to un-rot13h the hidden file.
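The reasoning above (a PE header is mostly 0x00 bytes, so a blob full of 0x13 bytes suggests each byte was shifted by 0x13) can be turned into a small recovery routine. The following is an added example written for this post, not the author's IDA plugin; it assumes "rot13h" means an additive byte rotation by 0x13 modulo 256, and it also tries the XOR variant since both turn 0x00 into 0x13. The most frequent byte of the blob is taken as the encrypted 0x00, and the candidate decodings are validated by checking for the `MZ` and `PE\0\0` signatures. The sample blob is constructed in the script from a minimal fake PE header, not taken from the malware.

```python
"""Recover a byte-rotated ("rot13h") file hidden in a PE resource.

Added example, not the original plugin. Assumption: rot13h means each
byte was rotated (added) by 0x13 modulo 256; the XOR variant is tried
as well because both map the many 0x00 bytes of a PE header to 0x13.
"""
from collections import Counter

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def rot_add(data: bytes, key: int) -> bytes:
    """Rotate every byte by `key` modulo 256 (rot13h with key=0x13)."""
    return bytes((b + key) & 0xFF for b in data)


def rot_xor(data: bytes, key: int) -> bytes:
    """XOR every byte with `key` (the other scheme that yields 0x13 from 0x00)."""
    return bytes(b ^ key for b in data)


def most_common_byte(data: bytes) -> int:
    """The most frequent byte is very likely the encrypted form of 0x00."""
    return Counter(data).most_common(1)[0][0]


def looks_like_pe(data: bytes) -> bool:
    """Validate a candidate decoding: DOS 'MZ' stub and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == PE_SIG


def recover(blob: bytes):
    """Return (scheme, key, decoded_bytes) if a PE image is recovered, else None."""
    key = most_common_byte(blob)
    candidates = (
        ("add", rot_add(blob, (-key) & 0xFF)),  # undo additive rotation by `key`
        ("xor", rot_xor(blob, key)),            # undo XOR with `key`
    )
    for scheme, decoded in candidates:
        if looks_like_pe(decoded):
            return scheme, key, decoded
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal PE-like header used as test input (not real malware)."""
    hdr = bytearray(0x100)
    hdr[0:2] = MZ
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")      # e_lfanew
    hdr[0x80:0x84] = PE_SIG
    hdr[0x84:0x86] = (0x14C).to_bytes(2, "little")     # IMAGE_FILE_MACHINE_I386
    return bytes(hdr)


SAMPLE_PLAIN = build_fake_pe()
SAMPLE_ROT13H = rot_add(SAMPLE_PLAIN, 0x13)  # what the resource would look like

if __name__ == "__main__":
    result = recover(SAMPLE_ROT13H)
    if result is None:
        print("no PE image recovered")
    else:
        scheme, key, decoded = result
        print(f"scheme={scheme} key=0x{key:02x} first bytes={decoded[:8]!r}")
```

The key-guessing step is the same heuristic used by eye in the post: whatever byte dominates the blob is the transformed null byte. Validating against the PE signatures rather than just the `MZ` stub avoids a false positive when the first two bytes happen to decode correctly under the wrong scheme.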
Share some exciting news with everyone.
I would like to share some exciting news with everyone. I recently discovered Orbasoft Antispyware (http://www.orbasoft.com) and it’s the best scanner that I’ve used so far. It picks the same type of bugs that the better known and more expensive scans do and it’s so easy to get. The antispyware solution from Orbasoft is the perfect solution for taking care of your computer. I know it’s made a difference for me and I’m so glad that I gave it a try. I really believe that you will benefit from this scan as much as I have and I recommend that you give it a try.