I added several new features in this release to help you with reverse engineering malicious content. I hope you will find these changes helpful and easy to use! Converter, File Converter, and Data Converter can be downloaded from the Tools page.
Here’s a look at the significant additions made to Converter using live examples…
Mixed Text to Hex
Here’s Neutrino Exploit Kit’s latest obfuscated file:
To deobfuscate this, we need to first normalize the input into hex. Just paste the data into Converter then click on Format > Mixed Text to Hex and it’s converted to hex code.
Now we can de-xor the hex code into text:
Blackhole’s obfuscation method is pretty challenging since it uses a very long XOR key, 128 bytes to be exact. We can try to brute force this key by finding patterns in the obfuscated payload, but that can take a while. What I’ve done is automate this to some degree. It’s not perfect, so you will have to put on your thinking caps and analyze the result. At times you will get a repeating pattern within the result, so you will have to remove those bytes to get to the real XOR key.
Here’s an example where it does work. We use Converter’s Key Search/Convert feature to import the payload file. We really only need the first KB of data so leave the box checked.
Now copy the hex code, go back to the main screen and paste it in the top box. Then choose Tools > Pattern Finder. It will take a while, but when it’s done, your key will be found. Stats > Count of Characters says there are 256 characters (that is, 128 bytes of hex).
Next we can comma-separate the values by choosing Format > Hex Format – CSV.
Copy the comma-separated key and go back to Tools > Key Search/Convert. Reload the file (just 1KB to test your assumption), select the appropriate options and click on Convert. If all goes well, you’ll get your expected results.
If not, then the starting byte may be wrong. In that case you need to work out the starting byte manually by XORing the first byte of the input data (in this case “B7”) with “M” (0x4D) to get the first key byte. Find that byte in your key and rotate the key so it comes first.
Once you’ve figured out the key and the file is small, reload it without the 1KB limitation and convert it. If it’s too big, use File > Convert Binary File and do it from there.
Single Rolling XOR Key
There are some exploit packs that use rolling XOR keys. They use the previous input byte or previous result as the key for the next byte. In this release, I’ve added those capabilities as well as the ability to use them in expressions.
The options for the Single Rolling XOR Key are pretty straightforward: just choose the appropriate option and enter a starting key value. Here’s an example:
Input in Hex: 1122334455
Hex Key: 70
Results of Single Rolling XOR Key:
None (uses same key for input): 6152433425
-> 11 xor 70, 22 xor 70, 33 xor 70, etc.
Use Previous Input Value: 6133117711
-> 11 xor 70, 11 xor 22, 22 xor 33, etc.
Use Previous Result: 6143703461
-> 11 xor 70, 61 xor 22, 43 xor 33, etc.
For handling complicated tasks, we can tap into additional capabilities using expressions. I’ve added an Expression Static Decimal Value section so you can set three starting values:
Pre – previous input value (same as “use previous input value”)
Res – previous result (same as “use previous result”)
Usr – user-defined value
Let me show you an example. This is Blackhole’s routine for deobfuscating the payload:
We can replicate this function in Converter using the following expression. You have to figure out the first value by hand so that the first result is “M” (0x4D), then enter it as the starting value for “Pre” (or “Res”, in this case).
val xor ((((pre xor res) + 170) mod 256) xor 72)
Here’s the result:
This capability has been added to both the Key Search/Convert and Convert Binary File functions. The standalone File Converter and Data Converter programs have been updated with this capability as well.
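To make the rolling XOR modes, the Blackhole expression and the key-rotation step above concrete, here is an added Python example (my own code for this post, not Converter’s). It reproduces the 1122334455 / 70 results, evaluates val xor ((((pre xor res) + 170) mod 256) xor 72) per byte, and rotates a recovered long key so the byte that maps the first input byte to “M” comes first; the function names and the two-byte sample ciphertext are constructed for this illustration.

```python
from typing import Optional


def rolling_xor(data: bytes, key: int, mode: str = "none") -> bytes:
    """Single Rolling XOR Key with the three modes from the post.

    "none"   - every byte is XORed with the same key
    "input"  - the key for byte i is the previous input byte
    "result" - the key for byte i is the previous result byte
    The first byte is always XORed with the starting key value.
    """
    out = bytearray()
    prev_in = prev_out = key
    for b in data:
        k = {"none": key, "input": prev_in, "result": prev_out}[mode]
        r = b ^ k
        out.append(r)
        prev_in, prev_out = b, r
    return bytes(out)


def blackhole_expr(data: bytes, pre: int, res: int) -> bytes:
    """val xor ((((pre xor res) + 170) mod 256) xor 72), evaluated per byte.

    pre/res are the hand-picked starting values; after the first byte,
    pre is the previous input byte and res is the previous result byte.
    """
    out = bytearray()
    for val in data:
        r = val ^ ((((pre ^ res) + 170) % 256) ^ 72)
        out.append(r)
        pre, res = val, r
    return bytes(out)


def rotate_key(key: bytes, first_input: int, expected: int = 0x4D) -> Optional[bytes]:
    """Rotate a recovered long XOR key so the correct byte comes first.

    The first key byte must turn first_input into `expected` ('M', 0x4D),
    so it is first_input xor expected. Returns None when that byte is not
    in the key at all (the pattern search did not recover the real key).
    """
    want = first_input ^ expected
    if want not in key:
        return None
    i = key.index(want)
    return key[i:] + key[:i]


# Constructed sample data (not from the post): the post's 5-byte rolling XOR
# input, and a 2-byte ciphertext that decodes to "MZ" with pre = res = 0.
SAMPLE = bytes.fromhex("1122334455")
BLACKHOLE_SAMPLE = bytes.fromhex("af9e")
```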
Enjoy and thank you for your support!