On Sat, Aug 1, 2009 at 11:52 PM, Udhay Shankar N <[email protected]> wrote:

> Interesting article. Anyone here have experience trying to
> reverse-engineer malware that uses really good crypto?

I haven't done this personally but I have worked with people who do. Typically, the type of encryption isn't that important when you are trying to de-obfuscate a binary; the obfuscation routines get treated as a black box anyway. That is, you let the code do its own de-obfuscation. This gets tricky because the fancier code knows when you are looking at it or blocks you from looking at it (it looks to see if a debug process is attached, or if it is running in a VM, or, sometimes, it debugs itself so nobody else can).
Knowing the cryptographic algorithm can be useful. There is even a plugin available for IDA Pro that will look for tell-tale constants for you and point out known cryptographic algorithms. Knowing the cryptographic algorithm is more important after the de-obfuscated code gets revealed, because recognizing a cryptographic algorithm shortens the reverse-engineering phase - describing a chunk of code as AES is a lot easier and clearer than saying something like, "there are these constant tables with these values and they are used on two buffers passed in with xors and shifts to return a single buffer with a different value but the logic is so convoluted I cannot really tell you how the resulting buffer is related to the initial buffers." ;-)

-Michael Heyman

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]
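The constant-scanning idea Michael describes (spotting AES, SHA-256 or MD5 in a de-obfuscated binary by their tell-tale tables) is simple enough to reproduce outside a disassembler. The following is an added example, not code from the thread or from any IDA plugin: it searches a byte blob for the first entries of the AES S-box, the SHA-256 round constants and the MD5 sine-derived constants, in both word orders, and reports the file offsets. The sample blob is constructed inline so the scan runs offline; the signature names and the `find_crypto_constants` / `build_sample_blob` helpers are this example's own.

```python
import struct

# Well-known constants. A real scanner carries many more signatures (DES
# S-boxes, RC5/RC6 magic, CRC tables, ...); these three suffice to show the idea.
AES_SBOX_HEAD = bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")  # S-box[0..15]
SHA256_K_HEAD = (0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5)   # K[0..3]
MD5_T_HEAD = (0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee)       # T[0..3]


def _words(words, endian):
    """Pack 32-bit constants as the compiler would store them ('<' LE, '>' BE)."""
    return b"".join(struct.pack(endian + "I", w) for w in words)


# Byte tables are endian-free; word tables are searched in both byte orders.
SIGNATURES = {
    "AES S-box (first 16 entries)": [AES_SBOX_HEAD],
    "SHA-256 round constants K[0..3]": [_words(SHA256_K_HEAD, "<"),
                                        _words(SHA256_K_HEAD, ">")],
    "MD5 T[0..3]": [_words(MD5_T_HEAD, "<"), _words(MD5_T_HEAD, ">")],
}


def find_crypto_constants(blob: bytes):
    """Return sorted (offset, signature name) pairs for every match in blob."""
    hits = []
    for name, patterns in SIGNATURES.items():
        for pat in patterns:
            start = 0
            while True:
                idx = blob.find(pat, start)
                if idx < 0:
                    break
                hits.append((idx, name))
                start = idx + 1  # keep scanning past this hit
    return sorted(hits)


def build_sample_blob():
    """Constructed stand-in for a de-obfuscated code/data section:
    NOP padding, the AES S-box head at 0x20, SHA-256 K (little-endian) at 0x40."""
    blob = bytearray(b"\x90" * 0x20)
    blob += AES_SBOX_HEAD
    blob += b"\x00" * (0x40 - len(blob))
    blob += _words(SHA256_K_HEAD, "<")
    blob += b"\xcc" * 16
    return bytes(blob)


if __name__ == "__main__":
    for offset, name in find_crypto_constants(build_sample_blob()):
        print(f"0x{offset:08x}  {name}")
```

Matching on a table prefix rather than the whole table keeps the signatures short; a hit only tells you where to look, and the analyst still confirms that the surrounding code actually indexes that table the way the named algorithm does. Packed word constants sometimes do not appear verbatim at all (compilers may materialise them as immediates inside instructions), so a miss is not proof that an algorithm is absent.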
