{"id":4710,"date":"2024-01-09T10:35:42","date_gmt":"2024-01-09T18:35:42","guid":{"rendered":"https:\/\/www.pnfsoftware.com\/blog\/?p=4710"},"modified":"2024-01-12T10:05:24","modified_gmt":"2024-01-12T18:05:24","slug":"how-to-use-jeb-auto-decrypt-strings-in-protected-binary-code","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/how-to-use-jeb-auto-decrypt-strings-in-protected-binary-code\/","title":{"rendered":"How To Use JEB &#8211; Auto-decrypt strings in protected binary code"},"content":{"rendered":"\n<p><em>This is the second entry in our series showing how to use JEB and its well-known and lesser-known features to reverse engineer malware more efficiently. Part 1 is <a href=\"https:\/\/www.pnfsoftware.com\/blog\/how-to-use-jeb-to-analyze-an-obfuscated-win32-crypto-clipper\/\">here<\/a>.<\/em><\/p>\n\n\n\n<p>Today, we&#8217;re having a look at an interesting portion of an x86-64 Windows malware that carries encrypted strings. Those strings are decrypted on the fly, the first time they&#8217;re required by some calling routine.<\/p>\n\n\n\n<p>SHA256: 056cba26f07ab6eebca61a7921163229a3469da32c81be93c7ee35ddec6260f1. The file is not packed; it was compiled for x86-64 with an unknown version of Visual Studio. The file is dropped by another malware, and its purpose is reconnaissance and information gathering. Let&#8217;s load it in JEB 5.8 and do a standard analysis (default settings). 
<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Initial_decompilations\"><\/span>Initial decompilations<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>For the sake of showing what mechanism is at play, we&#8217;re first looking at <code>sub_1400011F0<\/code>. 
Let&#8217;s decompile it by pressing the <strong>TAB<\/strong> key (menu: <em>Action<\/em>, <em>Decompile&#8230;<\/em>).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-5.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"336\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-5-1024x336.png\" alt=\"\" class=\"wp-image-4719\" style=\"width:690px;height:auto\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-5-1024x336.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-5-300x98.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-5-768x252.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-5-1536x504.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-5.png 1575w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Raw decompilation of sub_1400011F0, before examining its callees.<\/figcaption><\/figure>\n\n\n\n<p>Then, let&#8217;s decompile the callee <code>sub_140001120<\/code>.<\/p>\n\n\n\n<p>JEB can now examine the routine itself and refine the initial prototype that was applied earlier, when the caller <code>sub_1400011F0<\/code> was decompiled. 
It is now set to: <code>void(LPSTR)<\/code>.<\/p>\n\n\n\n<p>The code itself is a wrapper around <code>CreateProcess<\/code>; it executes the command line provided as argument.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"314\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-1024x314.png\" alt=\"\" class=\"wp-image-4712\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-1024x314.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-300x92.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-768x235.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-1536x470.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image.png 1564w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">sub_140001120 executes a command-line with CreateProcess. Note the refined prototype, void(LPSTR).<\/figcaption><\/figure>\n\n\n\n<p>Press escape to navigate back to the caller, or alternatively, examine the callers by pressing <strong>X<\/strong> (menu: <em>Action<\/em>, <em>Cross-references&#8230;<\/em>) and select <code>sub_1400011F0<\/code>. 
You will notice that JEB is now warning us that the decompilation is <strong>&#8220;stale&#8221;<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-6.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"351\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-6-1024x351.png\" alt=\"\" class=\"wp-image-4720\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-6-1024x351.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-6-300x103.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-6-768x263.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-6-1536x526.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-6.png 1574w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">The initial decompilation of sub_1400011F0 is stale after the decompilation of sub_140001120 yielded a better prototype.<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Second_decompilation\"><\/span>Second decompilation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The reason is that the prototype of <code>sub_140001120<\/code> was refined when that callee was decompiled (to <code>void(LPSTR)<\/code>), so the caller can now be re-decompiled to a more accurate version.<\/p>\n\n\n\n<p>Let&#8217;s redecompile it: press <strong>F5<\/strong> (menu: <em>Window<\/em>, <em>Refresh<\/em>). You can see that second decompilation below. 
What happened to the calls to <code>sub_140001040<\/code>?<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-7.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"345\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-7-1024x345.png\" alt=\"\" class=\"wp-image-4721\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-7-1024x345.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-7-300x101.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-7-768x258.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-7-1536x517.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-7.png 1575w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Second decompilation of sub_1400011F0, showing some decrypted strings instead of calls to sub_140001040.<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"String_auto-decryption\"><\/span>String auto-decryption<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Notice the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A <strong>&#8220;deobfuscation score&#8221;<\/strong> note was added as a method comment (refer to <a href=\"https:\/\/www.pnfsoftware.com\/blog\/how-to-use-jeb-to-analyze-an-obfuscated-win32-crypto-clipper\/#Deobfuscation_score\">part 1 of the series<\/a>)<\/li>\n\n\n\n<li>The calls to <code>sub_140001040 <\/code>are gone, they have been replaced by <strong>dark-pink strings<\/strong><\/li>\n<\/ul>\n\n\n\n<p>JEB also notified us in the console:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-9.png\"><img loading=\"lazy\" 
decoding=\"async\" width=\"1024\" height=\"139\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-9-1024x139.png\" alt=\"\" class=\"wp-image-4724\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-9-1024x139.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-9-300x41.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-9-768x104.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-9-1536x209.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-9.png 1618w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Notifications about decrypted strings replaced in decompiled code.<\/figcaption><\/figure>\n\n\n\n<p>Dark-pink strings represent synthetic strings not present in the binary itself. Here, they are the result of JEB auto-decrypting buffers by emulating the calls to routine <code>sub_140001040<\/code>, which was identified as a string provider. The decompilation of <code>sub_140001120<\/code> helped: its inferred parameter type <code>LPSTR<\/code> was back-propagated to its callers, where the argument was the return value of <code>sub_140001040<\/code>, which is what flagged that routine as a string provider.<\/p>\n\n\n\n<p>Auto-decryption can be very handy. In the case of this malware, we can immediately see what will be executed by <code>CreateProcess<\/code>: shells executing <code>whoami<\/code> and <code>dir<\/code> and redirecting outputs to files in the local folder. Keep in mind that these strings exist only in the decompiled view: a plain strings dump of the file will not contain them, so for detection purposes the decryptor routine and its encrypted table are the artifacts actually present on disk. 
However, if necessary, this feature can be disabled via the &#8220;Decryptor Options&#8221; in the decompiler properties:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Menu: <em>Options, Back-end properties&#8230;<\/em> to globally disable this in the future, except for your current project<\/li>\n\n\n\n<li>Menu: <em>Options, Specific Project properties&#8230;<\/em> for the current project only<\/li>\n\n\n\n<li>Or you may simply redecompile the method with <strong>CTRL+TAB<\/strong> (menu: <em>Action<\/em>, <em>Decompile with options&#8230;<\/em>) and disable string decryptor for specific code<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-12.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"177\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-12-1024x177.png\" alt=\"\" class=\"wp-image-4731\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-12-1024x177.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-12-300x52.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-12-768x133.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-12.png 1327w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">The string auto-decryptor may be enabled or disabled in the options<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_decryptor_routine\"><\/span>The decryptor routine<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>What is <code>sub_140001040 <\/code>anyway? 
Let&#8217;s navigate to the routine in the disassembly and decompile it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-8.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"444\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-8-1024x444.png\" alt=\"\" class=\"wp-image-4722\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-8-1024x444.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-8-300x130.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-8-768x333.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-8-1536x667.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-8.png 1576w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">A raw decompilation of the decryptor code, sub_140001040<\/figcaption><\/figure>\n\n\n\n<p>After examination of the code, we can adjust a few things:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The global <code>gvar_140022090<\/code> is an array of <code>PCHAR<\/code> (double-click on the item; rename it with <strong>N<\/strong>, for instance to <code>encrypted_strings<\/code>; change the type to <code>PCHAR<\/code> using <strong>Y<\/strong>; create an array from that using the <strong>*<\/strong> key).<\/li>\n\n\n\n<li>The prototype is really <code>PCHAR(int)<\/code>; we can adjust it with <strong>Y<\/strong>.<\/li>\n\n\n\n<li>The first byte of an entry in <code>encrypted_strings<\/code> is the number of bytes of the string that are still encrypted; once it is 0, the string is fully decrypted and subsequent calls return it without touching the bytes again.<\/li>\n\n\n\n<li>The variable <code>v3<\/code> is the key; let&#8217;s rename it with <strong>N<\/strong>. 
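<\/li>\n<\/ul>\n\n\n\n<p>To check this reading of the routine outside JEB, here is a Python re-implementation of the decryptor as an added example; it is not code from the sample, nor from JEB. It reproduces the table layout and key schedule described in this section: each entry starts with a count of still-encrypted bytes, the key for byte i is the sum of the two previous keys starting from (0, 1), and the routine decrypts in place and zeroes the count so that later calls return the plaintext directly. Two things are assumptions, because the post does not state them: the per-byte operation is XOR, and the key is truncated to 8 bits. The two command lines are constructed sample input, not strings recovered from the binary.<\/p>

```python
# Added example: a Python model of the string decryptor sub_140001040 as
# analysed above. Not the sample's code and not JEB's. XOR as the per-byte
# operation and 8-bit key truncation are assumptions, not facts from the post.

# Constructed sample strings (the post only says the commands run whoami
# and dir with output redirected to files in the local folder).
SAMPLE_PLAINTEXTS = [
    b'cmd.exe /c whoami > w.txt',
    b'cmd.exe /c dir > d.txt',
]


def fibonacci_keys(n: int) -> list[int]:
    '''Key for byte i is key[i-1] + key[i-2]; the first two keys are (0, 1).
    Keys are reduced modulo 256 (assumption: the routine works on chars).'''
    keys = []
    a, b = 0, 1
    for _ in range(n):
        keys.append(a)
        a, b = b, (a + b) % 256
    return keys


def encrypt_entry(plaintext: bytes) -> bytearray:
    '''Build one table entry in the layout the decryptor expects:
    [count of encrypted bytes][ciphertext][NUL]. XOR is symmetric, so this
    applies the same transform the decryptor undoes (assumed operation).'''
    if len(plaintext) == 0 or len(plaintext) > 255 or 0 in plaintext:
        raise ValueError('plaintext must be 1..255 non-NUL bytes')
    keys = fibonacci_keys(len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, keys))
    return bytearray([len(plaintext)]) + bytearray(body) + bytearray([0])


def build_table() -> list[bytearray]:
    '''Model of the global array of PCHAR (renamed encrypted_strings above).'''
    return [encrypt_entry(p) for p in SAMPLE_PLAINTEXTS]


def get_string(table: list[bytearray], index: int) -> bytes:
    '''Model of sub_140001040, prototype PCHAR(int): on first use, decrypt
    the entry in place and clear its count byte; then return the C string
    that follows the count. A second call skips the decryption loop.'''
    entry = table[index]
    remaining = entry[0]
    if remaining:
        keys = fibonacci_keys(remaining)
        for i in range(remaining):
            entry[1 + i] ^= keys[i]
        entry[0] = 0            # mark the entry as fully decrypted
    end = entry.index(0, 1)     # NUL terminator after the count byte
    return bytes(entry[1:end])


def dump_all(table: list[bytearray]) -> list[bytes]:
    '''What an analyst wants from the table: every string, decrypted once.'''
    return [get_string(table, i) for i in range(len(table))]


if __name__ == '__main__':
    table = build_table()
    for i, entry in enumerate(table):
        before = bytes(entry).hex()
        text = get_string(table, i)
        print(i, before, '->', text, 'count now', entry[0])
```

<p>Running it shows the count byte of each entry dropping to 0 after the first lookup, which is exactly why a second call is cheap. To use the model against the real sample, replace <code>build_table<\/code> with the entries read from the table at <code>gvar_140022090<\/code>, and confirm the byte operation from the decompiled loop before trusting the output; if JEB&#8217;s dark-pink strings and the model disagree, the assumed operation is the first thing to check.<\/p>
\n\n\n\n<ul class=\"wp-block-list\">\n<li>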
The key used for byte i is the sum of the keys used for bytes i-1 and i-2, starting from the tuple (0, 1): a Fibonacci sequence.<sup class='footnote'><a href='#fn-4710-1' id='fnref-4710-1' onclick='return fdfootnote_show(4710)'>1<\/a><\/sup><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-14.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"253\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-14-1024x253.png\" alt=\"\" class=\"wp-image-4733\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-14-1024x253.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-14-300x74.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-14-768x190.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-14-1536x380.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-14-2048x506.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">The decryptor (sub_140001040) after analysis.<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Comparison_with_GHIDRA\"><\/span>Comparison with GHIDRA<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>For comparison&#8217;s sake, here are the GHIDRA 11.0 decompilations of the same three routines.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"440\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-2-1024x440.png\" alt=\"\" class=\"wp-image-4714\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-2-1024x440.png 1024w, 
https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-2-300x129.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-2-768x330.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-2-1536x659.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-2.png 1775w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">The caller (sub_1400011F0) decompiled by GHIDRA 11.0.<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-10.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"653\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-10-1024x653.png\" alt=\"\" class=\"wp-image-4725\" style=\"width:690px;height:auto\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-10-1024x653.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-10-300x191.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-10-768x490.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-10-1536x980.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-10.png 1777w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">The decryptor (sub_140001040) decompiled by GHIDRA 11.0.<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-11.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"812\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-11-1024x812.png\" alt=\"\" class=\"wp-image-4726\" 
srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-11-1024x812.png 1024w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-11-300x238.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-11-768x609.png 768w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-11-1536x1218.png 1536w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2024\/01\/image-11.png 1781w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">The CreateProcess wrapper (sub_140001120) decompiled by GHIDRA 11.0. Notice that the low-level structure initialization code adds quite a bit of confusion.<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>JEB decompilers<sup class='footnote'><a href='#fn-4710-2' id='fnref-4710-2' onclick='return fdfootnote_show(4710)'>2<\/a><\/sup> do their best to clean up and restore code, and that includes decrypting strings when it is deemed reasonable and safe.<\/p>\n\n\n\n<p>That concludes our second entry in this \u201cHow to use JEB\u201d series. In the next episodes, we will look at other features and how to write interesting IR and AST plugins to help us further deobfuscate and beautify decompiled code.<\/p>\n\n\n\n<p>As always, thank you for your support, and happy new year 2024 to All &#x1f60a; &#8211; Nicolas<\/p>\n\n\n<div class='footnotes' id='footnotes-4710'><div class='footnotedivider'><\/div><ol><li id='fn-4710-1'> Interestingly, the <a href=\"https:\/\/www.pnfsoftware.com\/blog\/jeb-assistant\/\">JEB assistant<\/a> (call it with the <strong>BACKTICK<\/strong> key, or menu: <em>Action<\/em>, <em>Request Assistant&#8230;<\/em>) would like to rename this method to &#8220;<code>fibonacci_sequence<\/code>&#8221;! 
Not quite it, but that&#8217;s a relevant hint! <span class='footnotereverse'><a href='#fnref-4710-1'>&#8617;<\/a><\/span><\/li><li id='fn-4710-2'> Note the plural: <code>dexdec<\/code> &#8211; the Dex decompiler &#8211; has had string auto-decryption via emulation for a while; its users are well-accustomed to seeing dark-pink strings in deobfuscated code! <span class='footnotereverse'><a href='#fnref-4710-2'>&#8617;<\/a><\/span><\/li><\/ol><\/div>","protected":false},"excerpt":{"rendered":"<p>This is the second entry in our series showing how to use JEB and its well-known and lesser-known features to reverse engineer malware more efficiently. Part 1 is here. Today, we&#8217;re having a look at an interesting portion of an x86-64 Windows malware that carries encrypted strings. Those strings happen to be decrypted on the &hellip; <a href=\"https:\/\/www.pnfsoftware.com\/blog\/how-to-use-jeb-auto-decrypt-strings-in-protected-binary-code\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">How To Use JEB &#8211; Auto-decrypt strings in protected binary 
code<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,30,2,13,5],"tags":[],"class_list":["post-4710","post","type-post","status-publish","format-standard","hentry","category-decompilation","category-jeb5","category-malware","category-native-code","category-obfuscation"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/4710","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=4710"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/4710\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=4710"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=4710"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=4710"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}