{"id":4649,"date":"2023-12-18T15:07:06","date_gmt":"2023-12-18T23:07:06","guid":{"rendered":"https:\/\/www.pnfsoftware.com\/blog\/?p=4649"},"modified":"2024-01-05T15:24:49","modified_gmt":"2024-01-05T23:24:49","slug":"how-to-use-jeb-to-analyze-an-obfuscated-win32-crypto-clipper","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/how-to-use-jeb-to-analyze-an-obfuscated-win32-crypto-clipper\/","title":{"rendered":"How To Use JEB &#8211; Analyze an obfuscated win32 crypto clipper"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><em>We&#8217;re kicking off a malware analysis series explaining how to use JEB Decompiler to perform reverse engineering tasks ranging from out-of-the-box actions to complex use cases requiring scripts or custom plugins.<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this first entry, we look at a Windows malware compiled for x86 32-bit targets. The malware is an Ethereum cryptocurrency stealer. It monitors and intercepts clipboard activity to find and replace wallet addresses with an address of its own &#8212; presumably, one controlled by the malware authors to collect stolen ether.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Quick_look_at_the_malware\"><\/span>Quick look at the malware<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The file has a size of 81KB and is compiled for x86 platforms. Although it does not appear to be packed, most metadata elements of the PE header were scraped. 
There is no rich data or timestamp.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SHA256: 503b2dc50262be583633db7b52dca9bcadc698413270047c209818436196c987<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"552\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-1024x552.png\" alt=\"\" class=\"wp-image-4650\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-1024x552.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-300x162.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-768x414.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-1536x829.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-2048x1105.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Quick look at the file in Hiew<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">If you are familiar with JEB, its terminology, and the organization of its UI elements, you may skip the next section and go directly to <em>&#8220;Examining the code&#8221;<\/em>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Opening_the_file_in_JEB\"><\/span>Opening the file in JEB<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s fire up JEB. Any recent build (5.7+) with the x86 analysis modules and decompiler will do, i.e. 
<a href=\"https:\/\/www.pnfsoftware.com\/jeb\/community-edition\">JEB Community Edition<\/a> or <a href=\"https:\/\/www.pnfsoftware.com\/jeb\/#features-matrix\">JEB Pro<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-1-1024x576.png\" alt=\"\" class=\"wp-image-4652\" style=\"width:690px;height:auto\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-1-1024x576.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-1-300x169.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-1-768x432.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-1-1536x864.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-1-2048x1152.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">We open the file and keep the default settings<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-2-1024x576.png\" alt=\"\" class=\"wp-image-4653\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-2-1024x576.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-2-300x169.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-2-768x432.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-2-1536x864.png 1536w, 
https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-2-2048x1152.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">A view of the GUI after the initial analysis (from top-left, clockwise: project explorer, main workspace, and code hierarchy)<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Project_and_units\"><\/span>Project and units<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The top-left view shows the <em>project<\/em>, along with a single <em>artifact<\/em> (the input file) and the analysis <em>units<\/em> created by JEB:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The artifact file has a blue-round icon<\/li>\n\n\n\n<li>The top-level unit is a <code>winpe<\/code> unit<\/li>\n\n\n\n<li>It has one child unit at the moment, named &#8220;x86 image&#8221;, of type <code>x86<\/code>.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The bottom-left view shows a list of code routines resulting from the analysis of the file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Disassembly\"><\/span>Disassembly<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">By default, the main panel shows the disassembly window.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You may press the SPACE bar to switch to a graph view of the code (menu: <em>Action, Graph&#8230;<\/em>). 
In the graph view, only a single method is rendered at a time.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-3.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-3-1024x576.png\" alt=\"\" class=\"wp-image-4654\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-3-1024x576.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-3-300x169.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-3-768x432.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-3-1536x864.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-3-2048x1152.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">CFG (control flow graph) view of a disassembled routine<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"PE_unit\"><\/span>PE unit<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If you wish to have a look at the PE file in more detail, open the <code>winpe<\/code> unit. 
Double-click the corresponding node in the project hierarchy.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-4.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-4-1024x576.png\" alt=\"\" class=\"wp-image-4655\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-4-1024x576.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-4-300x169.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-4-768x432.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-4-1536x864.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-4-2048x1152.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">View of a winpe unit&#8217;s &#8220;Overview&#8221; fragment<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The <code>winpe<\/code> unit <em>view<\/em> provides various pieces of information, organized into <em>fragments<\/em> listed below the unit view: <em>Description<\/em>, <em>Hex Dump<\/em>, <em>Overview<\/em> (the default fragment), <em>Sections<\/em>, <em>Directory Entries<\/em>, <em>Symbols<\/em>, etc.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Note that if the PE had not been stripped, we would probably see a compilation timestamp as well as additional sub-units detailing the Rich Header data. For Windows executables, that data is important for fine-grained compiler identification.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Symbols tab lists all symbols advertised by the PE, including imported and exported routines. 
For example, if you filter on &#8220;clip&#8221;, you can see multiple win32 routines relating to clipboard access, such as <code>OpenClipboard <\/code>or <code>SetClipboardData<\/code>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-5.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"373\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-5-1024x373.png\" alt=\"\" class=\"wp-image-4656\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-5-1024x373.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-5-300x109.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-5-768x280.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-5-1536x560.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-5-2048x746.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">The Symbols fragment of the winpe unit view, with a filter applied (&#8220;clip&#8221;)<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Examining_the_code\"><\/span>Examining the code<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s go back to the disassembly offered by the x86 unit. First, notice that the code hierarchy view does not seem to contain well-known methods (static code), typically standard library routines linked at compile-time.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s see why by looking at which <code>siglibs<\/code> (signature libraries) were applied during the initial analysis (menu: <em>Native, Signature Libraries&#8230;<\/em>). 
It looks like none were loaded:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-6.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"609\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-6-1024x609.png\" alt=\"\" class=\"wp-image-4658\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-6-1024x609.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-6-300x178.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-6-768x456.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-6-1536x913.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-6.png 1950w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">The Signatures Libraries dialog<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Library_code_identification\"><\/span>Library code identification<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Normally, when JEB performs the initial auto-analysis of the code, compiler identification is used to determine whether well-known signature libraries of static code (<code>siglibs<\/code>) should be loaded and applied to the binary. In this case, compiler identification failed because all header data had been discarded. JEB decided to not load and apply signatures.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To apply them manually, tick the &#8220;MSVC x86&#8221; boxes. 
(An alternative is to tell JEB that the file was compiled with MSVC before the analysis starts: when opening the artifact, the Options panel lets you force the compiler to a fixed value.)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-20.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"565\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-20-1024x565.png\" alt=\"\" class=\"wp-image-4702\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-20-1024x565.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-20-300x166.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-20-768x424.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-20-1536x847.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-20.png 1914w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Forcing a compiler setting before the initial analysis<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">After doing either of the above (re-analyzing the file with a pre-set compiler identification, or applying the siglibs manually), several methods are identified as MSVC code:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-7.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"893\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-7-1024x893.png\" alt=\"\" class=\"wp-image-4659\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-7-1024x893.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-7-300x262.png 300w, 
https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-7-768x670.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-7-1536x1340.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-7-2048x1787.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Light-blue areas mean the code was matched against well-known signatures<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Entry-point_and_WinMain\"><\/span>Entry-point and WinMain<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Navigate to the executable entry-point (menu: <em>Native, Go to entry-point&#8230;<\/em>).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In the general case, the entry-point of a Windows PE compiled with MSVC is not the high-level entry-point that will contain meaningful code. Although it is relatively easy to find <code>WinMain<\/code> with a bit of experience, there is a JEB script to help you as well, <code>FindMain.py<\/code> (available in the samples-script folder, also <a href=\"https:\/\/github.com\/pnfsoftware\/jeb-samplecode\/blob\/master\/scripts\/FindMain.py\">available on GitHub<\/a>). Open up the script selector with <strong>F2<\/strong> (menu: <em>File, Scripts, Script selector&#8230;<\/em>). 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-9.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"349\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-9-1024x349.png\" alt=\"\" class=\"wp-image-4661\" style=\"width:690px;height:auto\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-9-1024x349.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-9-300x102.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-9-768x262.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-9-1536x524.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-9.png 1815w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Run a JEB Python script inside the GUI client<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Select the desired script and execute it. 
The result is displayed in the console:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...\nFound high-level entry-point at <strong>0x401175<\/strong> (branched from <strong>0x401D38<\/strong>)\nRenaming entry-point to '<strong>winmain<\/strong>'\n...<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The code at 0x401175 was auto-renamed to <code>winmain<\/code> (menu: <em>Action, Rename&#8230;<\/em>).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Initial_decompilation\"><\/span>Initial decompilation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"> Let&#8217;s decompile that method by pressing the TAB key (menu: <em>Action, Decompile&#8230;<\/em>).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-11.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1001\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-11-1024x1001.png\" alt=\"\" class=\"wp-image-4664\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-11-1024x1001.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-11-300x293.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-11-768x751.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-11-1536x1501.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-11.png 1591w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Initial decompilation of WinMain<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Two items of interest to note at this point:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>There is lots of code that appears to be junk or garbage<\/li>\n\n\n\n<li>There is a note about some &#8220;deobfuscation 
score&#8221;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Junk_code\"><\/span>Junk code<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The decompiled <code>WinMain<\/code> method is about 300 lines of C code. Much of it consists of assignments writing to program globals. At first glance, it looks like it could be some sort of obfuscation. Let&#8217;s look at the corresponding assembly code:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-12.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"502\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-12-1024x502.png\" alt=\"\" class=\"wp-image-4672\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-12-1024x502.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-12-300x147.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-12-768x377.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-12-1536x754.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-12-2048x1005.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Press TAB to go back from a decompilation to the closest matching machine code disassembly line<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The snippets have the following structure:<br><code>push GARBAGE \/ pop dword [gXXX]<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Or this variant, assuming <code>edi<\/code> is callee-saved:<br><code>mov edi, gXXX \/ ... \/ mov dword [edi+offset], GARBAGE<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Later on, we will see how to remove this clutter to make the analysis more pleasant.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Deobfuscation_score\"><\/span>Deobfuscation score<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">A note <em>&#8220;deobfuscation score: 6&#8221;<\/em> was inserted as a method comment. That score indicates that some &#8220;advanced&#8221; clean-up was performed. In this case, a careful examination, or a comparison against a decompilation with the UNSAFE optimizers turned off (redecompile the method with CTRL+TAB; menu: <em>Action, Decompile with Options&#8230;<\/em>), will point to this area of code:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-13.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"529\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-13-1024x529.png\" alt=\"\" class=\"wp-image-4674\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-13-1024x529.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-13-300x155.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-13-768x397.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-13-1536x793.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-13.png 1576w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">The opaque predicate calculation is highlighted in green using CTRL+M (menu: <em>Action, Toggle Highlight&#8230;<\/em>)<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This predicate looks like the following: <code>if(X*(X+1) % 
2 == 0) goto LABEL<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With X an integer, X*(X+1) is the product of two consecutive integers, one of which is even, so the product is always even. Therefore, the predicate always evaluates to true, and JEB cleaned it up automatically. (While this particular predicate is trivial, JEB also attempts to break truly opaque predicates, using the Z3 SMT solver.)<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Comparison_with_GHIDRA\"><\/span>Comparison with GHIDRA<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">For a point of comparison, you may have a look at <a href=\"https:\/\/www.pnfsoftware.com\/other\/blog_res\/ethclipper_winmain_decomp_ghidra10-4.c\" target=\"_blank\" rel=\"noreferrer noopener\">the same method decompiled by GHIDRA 10.4 here<\/a> (default settings were used, just like we did with JEB). The predicate is not cleaned up adequately and extra control-flow edges are left over, leading to AST structuring confusion.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-14.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"418\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-14-1024x418.png\" alt=\"\" class=\"wp-image-4676\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-14-1024x418.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-14-300x123.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-14-768x314.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-14-1536x628.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-14.png 1767w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" 
id=\"Cleaning_up_the_code\"><\/span>Cleaning up the code<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s start with decluttering this code. First of all, why couldn&#8217;t the decompiler clean it up on its own? If the globals written to are <em>never read with meaningful intent<\/em>, then those writes could be discarded.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The issue is that this is very hard to ensure in the general case. However, in specific cases, sometimes involving manual review, some global written-to memory range may be deemed useless, as is the case here. How do we provide this information to the decompiler? Well, as of version 5.7, we cannot! <sup class='footnote'><a href='#fn-4649-1' id='fnref-4649-1' onclick='return fdfootnote_show(4649)'>1<\/a><\/sup> What we can do though is write a decompiler plugin to clean up the offending IR and, in the process, generate clean(er) code.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IR_cleaner_plugin\"><\/span>IR cleaner plugin<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The decompiler accepts several types of plugins, including <strong><a href=\"https:\/\/www.pnfsoftware.com\/jeb\/apidoc\/reference\/com\/pnfsoftware\/jeb\/core\/units\/code\/asm\/decompiler\/ir\/package-summary.html\">IR Optimizers<\/a><\/strong> (they work on the <em>Intermediate Representation<\/em> of a routine, as it moves up the decompilation pipeline), and <strong><a href=\"https:\/\/www.pnfsoftware.com\/jeb\/apidoc\/reference\/com\/pnfsoftware\/jeb\/core\/units\/code\/asm\/decompiler\/ast\/package-summary.html\">AST optimizers<\/a><\/strong> (to clean up or reformat the generated abstract syntax tree of the pseudo-code). 
In most cases, IR optimizers are well-suited to perform code clean-up or deobfuscation tasks (refer to <a href=\"https:\/\/www.pnfsoftware.com\/blog\/ir-and-ast-optimizers-in-decompilers\/\" data-type=\"post\" data-id=\"4547\">this blog post<\/a> for a detailed comparison).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We will write the plugin in Java (we could also write it in Python). It will do the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Examine each IR statement of a CFG<\/li>\n\n\n\n<li>Check if the statement is writing an immediate to some global array: <code>*(array + offset) = value<\/code><\/li>\n\n\n\n<li>If so, check the array name. If it starts with the prefix &#8220;garbage&#8221; and the write falls within the array&#8217;s bounds, consider the statement useless and replace it with a <a href=\"https:\/\/www.pnfsoftware.com\/jeb\/apidoc\/reference\/com\/pnfsoftware\/jeb\/core\/units\/code\/asm\/decompiler\/ir\/IENop.html\">Nop statement<\/a><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Writing IR plugins is out of scope for this post; we will go over that in detail in a future entry. In the meantime, you can <a href=\"https:\/\/github.com\/pnfsoftware\/jeb-samplecode\/tree\/master\/plugins\/scripts\/GarbageCleaner.java\" target=\"_blank\" rel=\"noreferrer noopener\">download the plugin code here<\/a>. Drop the Java file in your JEB&#8217;s <code>coreplugins\/scripts\/<\/code> folder. 
There is no need to close and re-open JEB; it will be picked up at the next decompilation.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: java; title: ; notranslate\" title=\"\">\npublic class GarbageCleaner extends AbstractEOptimizer {\n\n\t@Override\n\tpublic int perform() {\n\t\tint cnt = 0;\n\n\t\tfor (BasicBlock&lt;IEStatement&gt; b : cfg) {\n\t\t\tfor (int i = 0; i &lt; b.size(); i++) {\n\t\t\t\tIEStatement stm = b.get(i);\n\t\t\t\tif (stm instanceof IEAssign &amp;&amp; stm.asAssign().getDstOperand() instanceof IEMem\n\t\t\t\t\t\t&amp;&amp; stm.asAssign().getSrcOperand() instanceof IEImm) {\n\t\t\t\t\tIEMem dst = stm.asAssign().getDstOperand().asMem();\n\t\t\t\t\tIEGeneric e = dst.getReference();\n\t\t\t\t\t\/\/ &#x5B;xxx + offset] = immediate\n\t\t\t\t\tif (e.isOperation(OperationType.ADD)) {\n\t\t\t\t\t\tIEOperation op = e.asOperation();\n\t\t\t\t\t\tif (op.getOperand1().isVar() &amp;&amp; op.getOperand2().isImm()) {\n\t\t\t\t\t\t\tIEVar v = op.getOperand1().asVar();\n\t\t\t\t\t\t\tIEImm off = op.getOperand2().asImm();\n\t\t\t\t\t\t\tif (v.isGlobalReference()) {\n\t\t\t\t\t\t\t\tlong addr = v.getAddress();\n\t\t\t\t\t\t\t\tINativeContinuousItem item = ectx.getNativeContext().getNativeItemAt(addr);\n\t\t\t\t\t\t\t\t\/\/ logger.info(&quot;FOUND ITEM %s&quot;, item.getName());\n\t\t\t\t\t\t\t\tif (item != null &amp;&amp; item.getName().startsWith(&quot;garbage&quot;)) {\n\t\t\t\t\t\t\t\t\tlong itemsize = item.getMemorySize();\n\t\t\t\t\t\t\t\t\tif (off.canReadAsLong() &amp;&amp; off.getValueAsLong() + dst.getBitsize() \/ 8 &lt; itemsize) {\n\t\t\t\t\t\t\t\t\t\tlogger.info(&quot;FOUND GARBAGE CODE&quot;);\n\t\t\t\t\t\t\t\t\t\tb.set(i, ectx.createNop(stm));\n\t\t\t\t\t\t\t\t\t\tcnt++;\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (cnt &gt; 0) {\n\t\t\tcfg.invalidateDataFlowAnalysis();\n\t\t}\n\t\treturn cnt;\n\t}\n}\n<\/pre><\/div>\n\n\n<p 
class=\"wp-block-paragraph\">Note that by design, the plugin is not specific to this malware. We will be able to re-use it in future analyses: all global arrays prefixed with &#8220;garbage&#8221; will be treated by the decompiler as junk recipients, and cleaned-up accordingly!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Defining_the_garbage_array\"><\/span>Defining the garbage array<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">At this point, we need to determine where that array is. Some examination of the code leads to the following boundaries (roughly): start at 0x41597E, spans over 0x100 bytes. Navigate to the disassembly; create an array using the STAR key (menu: <em>Native, Create\/Edit Array&#8230;<\/em>); specify its characteristics.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-15.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"374\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-15-1024x374.png\" alt=\"\" class=\"wp-image-4680\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-15-1024x374.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-15-300x110.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-15-768x280.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-15-1536x561.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-15.png 1881w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Creating a global array of 0x100 bytes. This is the garbage array.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">As soon as the array is created, the disassembly will change to what can be seen below. 
At the same time, the decompilations using that array will be invalidated; that is the case for <code>WinMain<\/code>. You may see that another extra-comment was added by the decompiler: <em>&#8220;Stale decompilation &#8211; Refresh this view to re-decompile this code&#8221;<\/em>. Such decompilations are read-only until a new one is generated.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-16.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"278\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-16-1024x278.png\" alt=\"\" class=\"wp-image-4681\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-16-1024x278.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-16-300x82.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-16-768x209.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-16-1536x418.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-16-2048x557.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">The array is now created. The decompilation of WinMain becomes stale.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Before redecompiling, remember we need to rename our array with a label starting with &#8220;garbage&#8221;. 
Set the caret on the array, hit the key N (menu: <em>Actions, Rename&#8230;<\/em>) and set your new name, e.g., <code>garbageArray1<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now you may go back to the decompilation view of <code>WinMain<\/code> and hit F5 (menu: <em>Windows, Refresh&#8230;<\/em>) to regenerate a decompilation.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-17.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"837\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-17-1024x837.png\" alt=\"\" class=\"wp-image-4682\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-17-1024x837.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-17-300x245.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-17-768x628.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-17-1536x1255.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-17-2048x1674.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Decompiled WinMain after the garbage array-assigns were cleaned-up by the plugin<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The code above is much nicer to look at &#8211; and much easier to work on!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Quick_analysis\"><\/span>Quick analysis<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The method at 0x401000, called by <code>WinMain<\/code>, is decrypting the thief&#8217;s wallet address, and generating two hexstring versions of it (ascii and unicode).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a 
href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-18.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"593\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-18-1024x593.png\" alt=\"\" class=\"wp-image-4683\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-18-1024x593.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-18-300x174.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-18-768x445.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-18-1536x890.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-18.png 1949w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Decrypting the target wallet address. The decompilation is shown after proper types were applied on the data structures accessed (encrypted wallet address, hexstrings, etc.) 
and better names given to those vars<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The loop in <code>WinMain<\/code> is doing the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Every second, it queries the Windows clipboard with <code>OpenClipboard<\/code><\/li>\n\n\n\n<li>It checks if it contains text strings or unicode strings<\/li>\n\n\n\n<li>If the string is 42 characters in length and starts with &#8220;0x&#8221;, it proceeds (an Ethereum wallet address is 20 bytes, therefore its hexadecimal representation is 40 characters, plus the 2-character &#8220;0x&#8221; prefix)<\/li>\n\n\n\n<li>It checks if the string is not the attacker&#8217;s wallet address<\/li>\n\n\n\n<li>If not, it replaces the contents of the clipboard data with the attacker&#8217;s wallet address using <code>SetClipboardData<\/code><\/li>\n\n\n\n<li>Finally, the other contents found in the clipboard are discarded<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Well-known_literals\"><\/span>Well-known literals<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In JEB, you may replace immediates with well-known literals found in type libraries (aka <em>typelibs<\/em>, such as the win32 typelibs, which were automatically loaded when the analysis of the PE file started). To do that, select the immediate, then hit CTRL+N (menu: <em>Action, Replace&#8230;<\/em>), and select the desired literal <sup class='footnote'><a href='#fn-4649-2' id='fnref-4649-2' onclick='return fdfootnote_show(4649)'>2<\/a><\/sup><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For example, per the MSDN, <code>GetClipboardData<\/code> uses <code>CF_xxx<\/code> constants to indicate the type of data. 
We can ask JEB to replace <code>GetClipboardData(13)<\/code> with <code>GetClipboardData(CF_UNICODETEXT)<\/code> using the Action\/Replace handler:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-19.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"605\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-19-1024x605.png\" alt=\"\" class=\"wp-image-4685\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-19-1024x605.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-19-300x177.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-19-768x454.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2023\/12\/image-19.png 1299w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Replacing 13 with CF_UNICODETEXT in a call to GetClipboardData<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">That concludes the first blog in this &#8220;How to use JEB&#8221; series. 
In the next episodes, we will look at other features, dig deeper into writing IR plugins, look into types and types creation, and reverse other architectures, including exotic code.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To learn more, we encourage you to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Explore this blog, as it contains many technical entries and how-to&#8217;s.<\/li>\n\n\n\n<li>Look at the <a href=\"https:\/\/github.com\/pnfsoftware\/jeb-samplecode\">sample code<\/a> (scripts and plugins) shipping with JEB, it will get you started on using the <a href=\"https:\/\/www.pnfsoftware.com\/jeb\/apidoc\">API<\/a> to write your own extensions.<\/li>\n\n\n\n<li>Join our <a href=\"https:\/\/www.pnfsoftware.com\/chat\">Slack channel<\/a> to engage with other users in the community and ask questions if you&#8217;re stuck on anything.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Thank you very much &amp; Stay tuned &#x1f642; Happy Holiday to All &#x1f384;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&#8211;<\/p>\n\n\n<div class='footnotes' id='footnotes-4649'><div class='footnotedivider'><\/div><ol><li id='fn-4649-1'> The plugin written to analyze this malware may ship in some upcoming version of JEB. <span class='footnotereverse'><a href='#fnref-4649-1'>&#8617;<\/a><\/span><\/li><li id='fn-4649-2'> In many cases, JEB will do that automatically, and it should be the case here. <span class='footnotereverse'><a href='#fnref-4649-2'>&#8617;<\/a><\/span><\/li><\/ol><\/div>","protected":false},"excerpt":{"rendered":"<p>We&#8217;re kicking off a malware analysis series explaining how to use JEB Decompiler to perform reverse engineering tasks ranging from out-of-the-box actions to complex use cases requiring scripts or custom plugins. In this first entry, we look at a Windows malware compiled for x86 32-bit targets. The malware is an Ethereum cryptocurrency stealer. 
It monitors &hellip; <a href=\"https:\/\/www.pnfsoftware.com\/blog\/how-to-use-jeb-to-analyze-an-obfuscated-win32-crypto-clipper\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">How To Use JEB &#8211; Analyze an obfuscated win32 crypto clipper<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,30,2,13,5,12],"tags":[],"class_list":["post-4649","post","type-post","status-publish","format-standard","hentry","category-decompilation","category-jeb5","category-malware","category-native-code","category-obfuscation","category-tutorial"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/4649","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=4649"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/4649\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=4649"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=4649"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=4649"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}