Unpack Shellcode w/ Ghidra Emulator | Decode XOR Dynamically🔥
- Published on Jul 27, 2024
- Here's the deal. We've been asked to Reverse Engineer this program called 'payload'. It does nothing when we run it... but... in the background, it is calling back to someone's Kali Linux machine and they have an open shell.
Yet, when we throw it into Ghidra, we are greeted with a "Bad Instruction" message and a do-while loop that performs an XOR throughout the entirety of the executable. We're blind.
We will be following along with Craig Young's Blog Post to find out the best way to reverse engineer and unpack the embedded shellcode!
Enough talking, let's get hacking!
Unpacking Shellcode with Ghidra Emulator
/ unpacking-shellcode-wi...
NVIDIA Broadcast 1.4 Eye Contact Effects
www.nvidia.com/en-us/geforce/...
0:00 Intro
0:23 Summary
2:22 Payload Generation
6:12 CodeBrowser Static Analysis
8:43 Emulator Dynamic Analysis
15:16 Exporting Decoded Data
17:17 Automatic Analysis of System Calls
22:22 Manual Analysis of System Calls
25:42 Conclusion
Science & Technology
I'm a beginner in security and you explain very well. Thanks!
My pleasure!
Thanks a lot. I hope to see more content like this from you in the future - you're doing great explaining concepts in an approachable way.
I'm glad you enjoyed it!
To get around the issue with the script saying no syscalls found, you simply need to put the cursor at top of the listing, hit 'F' to force Ghidra to create a function (because this is not a proper ELF file, no actual functions are defined without doing this) and then re-run the script. It will then work as expected.
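Scripted form of the fix described in the comment above, added here as an example and not code from the video, the blog post, or Ghidra's own script collection. It assumes the emulator-decoded bytes were already written back into program memory (the "Exporting Decoded Data" step) and that the shellcode starts at the program's lowest address; the function name is a placeholder.

```java
// Added example, not Ghidra's own script: create a function at the top of the
// listing (the manual 'F' step) so syscall-resolving scripts see code, then list
// every SYSCALL with the immediate last moved into EAX/RAX before it.
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.lang.Register;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.Instruction;
import ghidra.program.model.scalar.Scalar;

public class EnsureFunctionAndListSyscalls extends GhidraScript {
    @Override
    public void run() throws Exception {
        Address start = currentProgram.getMinAddress();
        // Raw shellcode is not a proper ELF: no entry point, so no function exists.
        if (getInstructionAt(start) == null) {
            disassemble(start);
        }
        Function entry = getFunctionContaining(start);
        if (entry == null) {
            entry = createFunction(start, "shellcode_entry"); // placeholder name
            println("Created function " + entry.getName() + " at " + start);
        }
        int count = 0;
        for (Instruction ins : currentProgram.getListing().getInstructions(start, true)) {
            if (!ins.getMnemonicString().equalsIgnoreCase("SYSCALL")) {
                continue;
            }
            count++;
            printf("%s  SYSCALL  number=%s%n", ins.getAddress(), findSyscallNumber(ins));
        }
        println(count == 0 ? "no syscalls found" : count + " syscall sites listed");
    }

    // Walk backwards (bounded) for "MOV EAX/RAX, imm"; the immediate is the Linux
    // syscall number. Other idioms (e.g. XOR EAX,EAX for 0) are reported as "?".
    private String findSyscallNumber(Instruction syscall) {
        Instruction prev = syscall.getPrevious();
        for (int i = 0; i < 8 && prev != null; i++, prev = prev.getPrevious()) {
            Register dst = prev.getRegister(0);
            Scalar imm = prev.getScalar(1);
            if (dst != null && imm != null && prev.getMnemonicString().startsWith("MOV")
                    && (dst.getName().equals("EAX") || dst.getName().equals("RAX"))) {
                return Long.toString(imm.getUnsignedValue());
            }
        }
        return "?";
    }
}
```

Run it from the Script Manager against the decoded program; the printed numbers are then looked up in the x86-64 Linux syscall table as in the "Manual Analysis of System Calls" chapter.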
Those were neat sunglasses
Dollar Store Sunglasses for the win!
Cool vid, thanks for sharing!
I'm from Egypt... thanks a lot
ohh yeah!
Dew mi!
@stryker2k2 Owi OWi OWi
Fantastic tutorial, do you have anything for disassembling TriCore processors?
Thanks! And, nope... I am not that smart on TriCore processors (yet).