Creating an IDA Python Plugin for Static XOR String Deobfuscation

In this video, we’ll explore a recent XLS document that drops and executes a DLL using RUNDLL32. The DLL is small and is only used to download the next stage. However, it employs rather straightforward string obfuscation using the bitwise XOR operation. An important skill for any reverse engineer/malware analyst is to be able to create plugins that assist in statically decoding these strings, and to do so across the entire disassembly database. This video is intended to get you started creating IDA plugins with Python, to show the importance of deobfuscating strings, and to work on translating assembly to a higher-level language (i.e….


Reverse Engineering with Ghidra – Calling Conventions

I’ve posted a short video that takes a look at three prevalent calling conventions: C Declaration, standard call and fast call. I will show you how to compile sample programs from source, load them in Ghidra and analyze the disassembly/decompiler output to observe the differences between the calling conventions. The source code for the sample program can be found on my GitHub: https://github.com/jstrosch/learning-reverse-engineering/tree/master/Calling%20Conventions


Reversing Data Structures with Ghidra: Structures

In this video we’ll take a look at a couple of different structures in a C program, compile it from source and reverse them using Ghidra. Our goals will be to analyze the resulting structures using both the listing view (disassembly) and the decompiler, and to identify member usage, overall size and element size. We’ll also discuss the difference between using the stack and the heap for structure memory, as well as explore padding and its impact on overall structure size. I’ll also discuss some inconsistencies in Ghidra’s output. A discussion on reversing arrays can be found at: https://youtu.be/eNxckomOing The source code for the…


Reversing Data Structures with Ghidra: Arrays

In this video we’ll take a look at several different arrays in a C program, compile it from source and reverse them using Ghidra. Our goals will be to analyze the resulting program flow using both the listing view (disassembly) and the decompiler, and to identify array usage, overall size and element size. I’ll also discuss some inconsistencies in Ghidra’s output, how to identify them and how to correct them. The source code for the sample program can be found on my GitHub: https://github.com/jstrosch/learning-reverse-engineering/tree/master/Control%20Structures


Reversing Control Structures with Ghidra: Loops

In this video we’ll take a look at several basic looping structures in a C program, compile it from source and reverse them using Ghidra. Our goals will be to analyze the resulting program flow using both the listing view (disassembly) and the decompiler, identify the key logic and discuss the underlying assembly instructions. Understanding basic control structures is one of the first steps in developing key reverse engineering skills. The source code for the sample program can be found on my GitHub: https://github.com/jstrosch/learning-reverse-engineering/tree/master/Control%20Structures
