
Content

In this Twitch stream we create a binary patching script using IDA Python to patch our obfuscated Emotet sample.

In the end we determine that directly patching the end of each state will not work, since the flags we rely on may change within the state. Our workaround is to save the flags; this gives a complete solution, but the result still doesn't look great for the analyst. We need another solution...

Sample: c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01

Sample Unpacked (this is the one we use in the stream): eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827

Rough notes (with code): Emotet Deobfuscation Generic Solution

Files

Live Stream VOD: Emotet Deobfuscation Part 4 - IDA Python Binary Patching


Comments

Nit

Not sure if you read these after the fact, but I discovered there's a setting in the Hex-Rays Decompiler called 'Honest _readeflags()' under 'Analysis Options 2'. It seems to do what you wanted to achieve with your workaround towards the end.