Lazy String Decryption Tips With IDA PRO and Shade Ransomware Unpacked!

We use the x64dbg debugger to unpack Troldesh / Shade ransomware, then we use IDA Pro to quickly decrypt strings and resolve dynamic imports. Expand for details...

-----
OALABS DISCORD

OALABS PATREON

OALABS TIP JAR

OALABS GITHUB

UNPACME - AUTOMATED MALWARE UNPACKING

-----

Original packed sample:
b1f13a9ef3da3c9bd2cfd0fcfd7368b48346a6995a91dd0edca12557773a7763

Ransom note:

Any.Run:

ID-Ransomware:

Talos FIRST (shared code identification):

Build your own FREE malware analysis VM:

Michael's Ransomware Analysis YouTube channel:

Feedback, questions, and suggestions are always welcome : )

#IDAPro #Tutorial #ReverseEngineering
Comments
Author

Ooo that's an awesome trick! Shame IDA Free doesn't support remote debugging, so you just have to be extra careful doing it locally (snapshots!).
P.S. Thanks for the plug. :)

Demonslay
Author

Sergei, thanks again for another great video and for enriching our community.

yakovgoldberg
Author

Awesome video guys! Unpacking some banking malware then actual reversing of how it performs "Man-in-the-browser" would be great

andylockhart
Author

Very useful information, thanks for sharing!

BGroothedde
Author

Holy hot damn, you're really good at this!

Kippykip
Author

Hey guys, fantastic video as always! I had no idea you could use snapshots in IDA, that's brilliant stuff. However I have one question as to why you used HxD to look at that section when PE Bear already gives you a hex dump on the top whenever you click on a particular section :P

_nit
Author

I'm not sure how I'm supposed to feel after watching malware analysis and memes together

ahmedezzat
Author

Please please please show us how to unpack ENiGMA 5.X!

ashvinbhuttoo
Author

I saw you had ftk imager on your desktop, why don't you upload some windows forensics analysis tutorial on your channel, that would be fun 😀

lakshayarora
Author

Yeah, it's very useful. I have the same issue with a piece of software; can you help me bypass an activation please?

therockpk
Author

OALabs, here you were addressed as Sergei. Are you one of ours, I mean from the CIS? Where and when did you move from? Maybe as a child, and that's why you speak so fluently? :) You just can't tell from your voice, I didn't notice an accent. Usually it's noticeable.
P.S. And here, at 21:48, shouldn't the directory also have been specified in the Input File field? Maybe that's why IDA accessed the file on THIS virtual machine?

pinokio
Author

can you do a video about unpacking custom or unknown packers ??

SaliyaRuchiranga
Author

I want you to keep the video zoomed in; it's very hard to see on mobile

therockpk