Using IDC to analyze encrypted code
This small tutorial demonstrates how to use IDC to decrypt part of a program at analysis time. The sample file is a portion of the Ripper virus.
1st step
The binary image of the virus is loaded into IDA and analysis is started at the entry point.

Obviously, the bytes right after the call don't make sense, but the call gives us a clue: it is a decryption routine. Reading it tells us the two things the IDC script needs, the operation (XOR with a constant key) and the key itself.

2nd step
We create a small IDC program that mimics the decryption routine. Because XOR is its own inverse, the same loop both decrypts and, if run a second time with the same key, re-encrypts the bytes, so a wrong guess is easy to undo.
static decrypt(from, size, key) {
    auto i, x;                      // we define the variables
    for ( i = 0; i < size; i = i + 1 ) {
        x = Byte(from);             // fetch the byte at linear address 'from'
        x = (x ^ key);              // decrypt it
        PatchByte(from, x);         // put it back (into the database)
        from = from + 1;            // next byte
    }
}
We save it on disk and press F2 to load it into IDA's interpreter.

3rd step
Then, we press shift-F2 to call it with the appropriate values. Please note that the starting point is a linear address, which is what Byte() and PatchByte() expect, not a segment:offset pair. Pressing OK executes the statement.

The bytes are now decrypted. Note that PatchByte() modifies the database only; the original file on disk is left untouched.

4th step
We move the cursor to offset 0x50 and press C to inform IDA that there is now code at that location.

And the code to allocate memory for the virus appears, along with a rather impolite message... The analysis may now resume.
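The four steps above, collected into one runnable Python example. This is added here and is not the tutorial's own code: it ports the IDC decrypt() loop, parameterised on the two byte-access primitives so that the same function runs over an in-memory copy of a binary (prototyping) or inside IDA via IDAPython (the decrypt_in_ida helper, which assumes the IDAPython 7+ names get_wide_byte, patch_byte and create_insn and only works inside IDA). It also adds a recover_key() helper for the case where the key cannot be read off the decryption routine. The base address, offset, key and sample bytes are all constructed for the demo and are not taken from the Ripper virus.

```python
"""Added example: the tutorial's IDC decrypt() ported to Python.

The loop is parameterised on the two byte-access primitives so that it runs
both over an in-memory copy of the binary (prototyping, as in run_demo) and
inside IDA through IDAPython. Everything below, including the sample bytes and
the key, is constructed for the demo; none of it comes from the Ripper virus.
"""
from typing import Callable, Optional


def decrypt(start: int, size: int, key: int,
            get_byte: Callable[[int], int],
            patch_byte: Callable[[int, int], None]) -> int:
    """XOR-decrypt `size` bytes starting at linear address `start`.

    Mirrors the IDC routine: fetch a byte, XOR it with the constant key, write
    it back, advance. Returns the first address past the decrypted region.
    XOR is its own inverse, so running this twice with the same key restores
    the encrypted bytes (useful if the wrong range or key was guessed).
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("a single-byte key is expected")
    for ea in range(start, start + size):
        patch_byte(ea, get_byte(ea) ^ key)
    return start + size


class MemoryImage:
    """Stand-in for the IDA database: a flat buffer at a base address."""

    def __init__(self, base: int, data: bytes) -> None:
        self.base = base
        self.buf = bytearray(data)

    def get_byte(self, ea: int) -> int:
        return self.buf[ea - self.base]

    def patch_byte(self, ea: int, value: int) -> None:
        self.buf[ea - self.base] = value & 0xFF


def recover_key(get_byte: Callable[[int], int], start: int, size: int,
                crib: bytes) -> Optional[int]:
    """When the key cannot be read off the decryption routine, try all 256
    single-byte keys and return the first one under which `crib` shows up."""
    enc = bytes(get_byte(ea) for ea in range(start, start + size))
    for key in range(256):
        if crib in bytes(b ^ key for b in enc):
            return key
    return None


def decrypt_in_ida(start: int, size: int, key: int) -> int:
    """Same loop inside IDA (IDAPython 7+ names, assumed; only works there).
    Marking the first decrypted byte as code replaces pressing C in step 4."""
    import idc  # available only inside IDA
    end = decrypt(start, size, key, idc.get_wide_byte, idc.patch_byte)
    idc.create_insn(start)
    return end


# Constructed sample: a few 16-bit instruction bytes plus a text string, XOR'd
# with KEY and placed at offset 0x50 of a small image (mirroring the tutorial,
# where analysis resumes at offset 0x50). Not taken from any real sample.
BASE = 0x10000
OFFSET = 0x50
KEY = 0x5A
PLAIN = bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21]) + b"decrypted body text"


def build_image() -> MemoryImage:
    """Zero padding up to OFFSET, then the XOR-encrypted body."""
    body = bytes(b ^ KEY for b in PLAIN)
    return MemoryImage(BASE, bytes(OFFSET) + body)


def run_demo() -> dict:
    """Recover the key with a known-plaintext crib, decrypt in place, and
    return what an analyst would look at next."""
    image = build_image()
    start = BASE + OFFSET
    found = recover_key(image.get_byte, start, len(PLAIN), b"body")
    end = decrypt(start, len(PLAIN), found, image.get_byte, image.patch_byte)
    return {"key": found, "end": end, "plain": bytes(image.buf[OFFSET:])}


if __name__ == "__main__":
    r = run_demo()
    print(f"key=0x{r['key']:02x} end=0x{r['end']:x} bytes={r['plain']!r}")
```

Inside IDA the equivalent of the tutorial's shift-F2 call is decrypt_in_ida(start, size, key) from the IDAPython prompt, with start given as a linear address exactly as in step 3; the returned end address is where you would expect the decryption routine to jump once it has finished its loop.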