IDA-Pro/plugins/flare-ida/stackstrings

From aldeid

Description

The stackstrings_plugin.py plugin recovers manually constructed strings (stack strings), the technique described in the referenced write-up.

Usage

In the example below, we can easily identify that the malware is building strings one byte at a time on the stack: each character is stored as an immediate value into consecutive local variables, and each string ends with a null byte:

.text:00401133                 mov     [ebp+var_1B0], 31h
.text:0040113A                 mov     [ebp+var_1AF], 71h
.text:00401141                 mov     [ebp+var_1AE], 61h
.text:00401148                 mov     [ebp+var_1AD], 7Ah
.text:0040114F                 mov     [ebp+var_1AC], 32h
.text:00401156                 mov     [ebp+var_1AB], 77h
.text:0040115D                 mov     [ebp+var_1AA], 73h
.text:00401164                 mov     [ebp+var_1A9], 78h
.text:0040116B                 mov     [ebp+var_1A8], 33h
.text:00401172                 mov     [ebp+var_1A7], 65h
.text:00401179                 mov     [ebp+var_1A6], 64h
.text:00401180                 mov     [ebp+var_1A5], 63h
.text:00401187                 mov     [ebp+var_1A4], 0
.text:0040118E                 mov     [ebp+var_1A0], 6Fh
.text:00401195                 mov     [ebp+var_19F], 63h
.text:0040119C                 mov     [ebp+var_19E], 6Ch
.text:004011A3                 mov     [ebp+var_19D], 2Eh
.text:004011AA                 mov     [ebp+var_19C], 65h
.text:004011B1                 mov     [ebp+var_19B], 78h
.text:004011B8                 mov     [ebp+var_19A], 65h
.text:004011BF                 mov     [ebp+var_199], 0

We can use the StackStrings plugin to recover the strings: go to Edit > Plugins > StackStrings. The plugin annotates the first store of each string with the recovered value. Here is the result:

.text:00401133                 mov     [ebp+var_1B0], 31h ; 1qaz2wsx3edc
.text:0040113A                 mov     [ebp+var_1AF], 71h
.text:00401141                 mov     [ebp+var_1AE], 61h
.text:00401148                 mov     [ebp+var_1AD], 7Ah
.text:0040114F                 mov     [ebp+var_1AC], 32h
.text:00401156                 mov     [ebp+var_1AB], 77h
.text:0040115D                 mov     [ebp+var_1AA], 73h
.text:00401164                 mov     [ebp+var_1A9], 78h
.text:0040116B                 mov     [ebp+var_1A8], 33h
.text:00401172                 mov     [ebp+var_1A7], 65h
.text:00401179                 mov     [ebp+var_1A6], 64h
.text:00401180                 mov     [ebp+var_1A5], 63h
.text:00401187                 mov     [ebp+var_1A4], 0
.text:0040118E                 mov     [ebp+var_1A0], 6Fh ; ocl.exe
.text:00401195                 mov     [ebp+var_19F], 63h
.text:0040119C                 mov     [ebp+var_19E], 6Ch
.text:004011A3                 mov     [ebp+var_19D], 2Eh
.text:004011AA                 mov     [ebp+var_19C], 65h
.text:004011B1                 mov     [ebp+var_19B], 78h
.text:004011B8                 mov     [ebp+var_19A], 65h
.text:004011BF                 mov     [ebp+var_199], 0
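As an added illustration (not the plugin's code and not part of the original page), the same recovery can be done outside IDA on the listing text: group byte-sized stores by stack slot, read the slots in address order, and split on a NUL byte or a gap in the offsets. The regex assumes byte immediates in IDA's `[ebp+var_N]` form and the sample is the listing above with the address column dropped; the real plugin works from IDA's database rather than by text matching.

```python
import re

# Constructed sample: the byte stores from the listing above (addresses dropped),
# including the gap between var_1A4 and var_1A0 that separates the two strings.
LISTING = """
mov     [ebp+var_1B0], 31h
mov     [ebp+var_1AF], 71h
mov     [ebp+var_1AE], 61h
mov     [ebp+var_1AD], 7Ah
mov     [ebp+var_1AC], 32h
mov     [ebp+var_1AB], 77h
mov     [ebp+var_1AA], 73h
mov     [ebp+var_1A9], 78h
mov     [ebp+var_1A8], 33h
mov     [ebp+var_1A7], 65h
mov     [ebp+var_1A6], 64h
mov     [ebp+var_1A5], 63h
mov     [ebp+var_1A4], 0
mov     [ebp+var_1A0], 6Fh
mov     [ebp+var_19F], 63h
mov     [ebp+var_19E], 6Ch
mov     [ebp+var_19D], 2Eh
mov     [ebp+var_19C], 65h
mov     [ebp+var_19B], 78h
mov     [ebp+var_19A], 65h
mov     [ebp+var_199], 0
"""

# One byte store into a stack slot: captures the var_ offset and the immediate.
STORE_RE = re.compile(r"mov\s+\[ebp\+var_([0-9A-Fa-f]+)\],\s*([0-9A-Fa-f]+h|\d+)")

def recover_stack_strings(listing, min_len=4):
    """Map each byte store to its stack slot, then read the slots in address order;
    a NUL byte or a gap in the offsets ends the current string."""
    slots = {}  # offset below ebp (negative) -> last byte written there
    for m in STORE_RE.finditer(listing):
        imm = m.group(2)  # IDA immediates: trailing 'h' means hex, else decimal
        slots[-int(m.group(1), 16)] = int(imm[:-1], 16) if imm.endswith("h") else int(imm)
    found, run, prev = [], [], None
    def flush():  # keep the run only if it is long enough and printable ASCII
        if len(run) >= min_len and all(0x20 <= b < 0x7F for _, b in run):
            found.append(("var_%X" % -run[0][0], bytes(b for _, b in run).decode()))
        run.clear()
    for addr in sorted(slots):  # largest var_ offset = lowest address comes first
        if prev is not None and addr != prev + 1:
            flush()  # gap in the offsets: previous run ended without a terminator
        if slots[addr] == 0:
            flush()  # NUL terminator closes the string
        else:
            run.append((addr, slots[addr]))
        prev = addr
    flush()
    return found
```

Running `recover_stack_strings(LISTING)` yields `[("var_1B0", "1qaz2wsx3edc"), ("var_1A0", "ocl.exe")]`, matching the plugin's annotations above.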

Keywords: IDA-Pro plugins stackstrings decode