
@dr4k0nia
Created February 24, 2023 13:32
# Unpacking [XorStringsNET](https://github.com/dr4k0nia/XorStringsNET)

Since AgentTesla started using my [XorStringsNET](https://github.com/dr4k0nia/XorStringsNET) obfuscator to encrypt the strings in its malware, I decided to write a quick guide
on how to decrypt the strings again.

Observed in unpacked child SHA256: `d56f2852762f7f9fcb07eaf018e143ab1e4ad46e1f2e943faf13618388ef21a2`

Original sample SHA256: `e66ffcfe9fb0d0cd80d96dcfd96e4941d3c2389d227f2655391cfdbc3bcd637c`

## Using [de4dot](https://github.com/de4dot/de4dot)

Find the decryption method; it is easily identified by the following indicators:

![](https://i.imgur.com/jEjFTX0.png)

- It is called all over the binary, in places where you would expect string literals.
- The method takes a single large integer value as its parameter and returns a `string`.

![](https://i.imgur.com/jTK7YDw.png)

- The class containing the decryption method has a nested private struct and a field of that struct type.
- The decryption method takes the address of the struct field and assigns it to a pointer-typed local.
- The decryption method contains the unusual `cpblk` instruction.

<br>

Once we have identified the decryption method, we need to copy its token value, found in the comment dnSpy shows above the method (e.g. `// Token: 0x06000005 RID: 5`; if it is missing, turn on the token comments in dnSpy's decompiler options). The high byte of the token names the metadata table (`0x06` is MethodDef) and the low 24 bits are the row id.

Next we use de4dot to decrypt the strings almost automatically. de4dot needs to be told exactly which method it should use as the string decrypter,
which is what we need the token for.

Run de4dot using the following command-line arguments:

`de4dot.exe file --strtyp delegate --strtok 0x6000000`

Replace `0x6000000` with the token of your decryption method; the value above is only a placeholder (its row id is zero). `--strtyp delegate` makes de4dot load the assembly and invoke the real decryption method through a delegate instead of emulating it, so the sample's own code runs inside the de4dot process: only do this in your isolated analysis VM.

Then simply let it run and you should get an output binary with fully decrypted strings (written next to the input as `file-cleaned.exe` unless you pass `-o`).
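As an added helper, not part of the gist, of de4dot or of XorStringsNET, the snippet below turns the token comment copied from dnSpy into a validated de4dot command line. It checks that the value is a MethodDef token (table `0x06`) with a non-zero row id, so the `0x6000000` placeholder from the guide is rejected instead of silently handed to de4dot, and it cross-checks the `RID:` part of the comment against the token. The comment format and the sample inputs are assumptions for this example.

```python
"""Added helper (not part of the gist, of de4dot or of XorStringsNET): turn the
token dnSpy prints above the decrypter into a validated de4dot command line.

A .NET metadata token is 32 bits: the high byte selects the metadata table and
the low 24 bits are the row id (RID). de4dot's --strtok needs a MethodDef token,
i.e. table 0x06 with a non-zero RID; the placeholder 0x6000000 from the guide
has RID 0 and is rejected here on purpose. The comment format and the sample
inputs below are assumptions made for this example."""

import re
from typing import Optional

METHODDEF_TABLE = 0x06

# Matches either a bare hex token ("0x06000005") or a dnSpy-style comment
# ("// Token: 0x06000005 RID: 5"); the optional RID is cross-checked below.
_TOKEN_RE = re.compile(r"(?:Token:\s*)?(0x[0-9a-fA-F]{1,8})(?:\s+RID:\s*(\d+))?")


def parse_token(text: str) -> int:
    """Return the MethodDef token found in `text`, or raise ValueError."""
    m = _TOKEN_RE.search(text)
    if not m:
        raise ValueError(f"no metadata token found in {text!r}")
    token = int(m.group(1), 16)
    table, rid = token >> 24, token & 0x00FFFFFF
    if table != METHODDEF_TABLE:
        raise ValueError(f"0x{token:08X} is in table 0x{table:02X}, not MethodDef (0x06)")
    if rid == 0:
        raise ValueError(f"0x{token:08X} has RID 0: replace the placeholder with the real token")
    if m.group(2) is not None and int(m.group(2)) != rid:
        raise ValueError(f"RID comment {m.group(2)} disagrees with token 0x{token:08X} (RID {rid})")
    return token


def is_usable_token(text: str) -> bool:
    """True if `text` carries a token that parse_token accepts."""
    try:
        parse_token(text)
        return True
    except ValueError:
        return False


def de4dot_argv(sample: str, token: int, output: Optional[str] = None) -> list:
    """Build the argument vector from the guide. --strtyp delegate makes de4dot
    load the sample and call the real decrypter, so only run the result inside
    an isolated analysis VM."""
    argv = ["de4dot.exe", sample, "--strtyp", "delegate", "--strtok", f"0x{token:08X}"]
    if output is not None:
        argv += ["-o", output]  # otherwise de4dot writes <name>-cleaned.<ext> next to the input
    return argv


if __name__ == "__main__":
    # Constructed example input: a token comment as copied from dnSpy.
    tok = parse_token("// Token: 0x06000005 RID: 5")
    print(" ".join(de4dot_argv("sample.exe", tok)))
```

Running the script prints `de4dot.exe sample.exe --strtyp delegate --strtok 0x06000005`; feeding it a MemberRef token (`0x0A...`) or the `0x6000000` placeholder raises instead, which is cheaper than finding out from an unchanged output binary that de4dot was pointed at the wrong method.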

## Using [de4dot_gui](https://github.com/dr4k0nia/de4dot_gui)

Since I am lazy and don't like writing out command-line arguments every time I want to manually decrypt some strings with de4dot,
I wrote a simple GUI tool that invokes de4dot with the correct arguments.

- Place the tool in your [de4dot](https://github.com/de4dot/de4dot) installation folder
- Open it and drag & drop the protected executable or DLL into the window
- Configure it as shown below, with the token you obtained in dnSpy

![](https://i.imgur.com/ERfbZhj.png)

Then press Deobfuscate and wait for de4dot to finish. The result should be an output binary with fully decrypted strings. Since the tool only wraps the de4dot command above, the same caveat applies: the sample's decryption method gets executed, so run it in the analysis VM.