# IDAPython script to decrypt the shifu banking trojan dropper strings | |
# Usage: position the cursor so that EA (the current address) is at the entry point of the | |
# string-decryption function. The script walks every code xref to that function, parses the | |
# call arguments and decrypts every referenced string with the XOR key supplied. | |
# glindor @_g3nuin3 | |
import idaapi | |
import idc | |
import idautils |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <sys/ptrace.h> | |
void pre_check(int argc, char **argv, char **envp) | |
{ | |
printf("Inside pre_check!\n"); | |
if(ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) | |
{ | |
printf("Aliens found!\n"); |
void | |
__libc_csu_init (int argc, char **argv, char **envp) | |
{ | |
/* For dynamically linked executables the preinit array is executed by | |
the dynamic linker (before initializing any shared object). */ | |
#ifndef LIBC_NONSHARED | |
/* For static executables, preinit happens right before init. */ | |
{ | |
const size_t size = __preinit_array_end - __preinit_array_start; |
gdb-peda$ disassemble _start | |
Dump of assembler code for function _start: | |
0x08048380 <+0>: xor ebp,ebp | |
0x08048382 <+2>: pop esi | |
0x08048383 <+3>: mov ecx,esp | |
0x08048385 <+5>: and esp,0xfffffff0 | |
0x08048388 <+8>: push eax | |
0x08048389 <+9>: push esp | |
0x0804838a <+10>: push edx | |
0x0804838b <+11>: push 0x8048570 |
gdb-peda$ disassemble main | |
Dump of assembler code for function main: | |
0x080484e5 <+0>: push ebp | |
0x080484e6 <+1>: mov ebp,esp | |
0x080484e8 <+3>: and esp,0xfffffff0 | |
0x080484eb <+6>: call 0x80484d1 <message> | |
0x080484f0 <+11>: mov eax,0x0 | |
0x080484f5 <+16>: leave | |
0x080484f6 <+17>: ret | |
End of assembler dump. |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <sys/ptrace.h> | |
void anti_trace(void) __attribute__ ((constructor)); | |
void anti_trace(void) | |
{ | |
printf("checking for signs of alien life...\n"); | |
if(ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) | |
{ |
gdb-peda$ disassemble main | |
Dump of assembler code for function main: | |
0x0804847d <+0>: push ebp | |
0x0804847e <+1>: mov ebp,esp | |
0x08048480 <+3>: and esp,0xfffffff0 | |
0x08048483 <+6>: sub esp,0x10 | |
0x08048486 <+9>: mov DWORD PTR [esp+0xc],0x0 | |
0x0804848e <+17>: mov DWORD PTR [esp+0x8],0x0 | |
0x08048496 <+25>: mov DWORD PTR [esp+0x4],0x0 | |
0x0804849e <+33>: mov DWORD PTR [esp],0x0 |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <sys/ptrace.h> | |
int main(int argc, char** argv) | |
{ | |
if(ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) | |
{ | |
printf("Alien presence detected!\n"); | |
exit(0); |
.text:00403A7E mov ecx, dword_43060C | |
.text:00403A84 mov esi, dword_430604 | |
.text:00403A8A or ecx, 2Fh | |
.text:00403A8D shl esi, cl | |
.text:00403A8F mov dword_430604, esi | |
.text:00403A95 push offset seh_handler ; push SEH entry handler | |
.text:00403A9A push large dword ptr fs:0 | |
.text:00403AA1 mov large fs:0, esp | |
.text:00403AA8 lea ecx, [ebp+AccessStatus] | |
.text:00403AAB lea edx, [ebp+SecurityAttributes.lpSecurityDescriptor] |
00403C1D . E8 42320000 CALL <JMP.&ADVAPI32.LsaLookupNames> | |
00403C22 . E8 CF2F0000 CALL <JMP.&LZ32.LZStart> | |
00403C27 . 68 74064300 PUSH 5d8645f7.00430674 ; /Password = "sslrfkjkdfai" | |
00403C2C . 68 60064300 PUSH 5d8645f7.00430660 ; |ServiceStartName = "z47sHc498Kw8I7Hk9Rk" | |
00403C31 . 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10] ; | | |
00403C34 . 68 84064300 PUSH 5d8645f7.00430684 ; |pDependencies = 5d8645f7.00430684 | |
00403C39 . 52 PUSH EDX ; |pTagId | |
00403C3A . 68 94064300 PUSH 5d8645f7.00430694 ; |LoadOrderGroup = "kupgnvhjat" | |
00403C3F . 68 4C064300 PUSH 5d8645f7.0043064C ; |BinaryPathName = "v451917V88JH88126q7" | |
00403C44 . 6A 2F PUSH 2F ; |ErrorControl = 2F |