# Analyzing encrypted code

This small tutorial demonstrates how to use IDC to decrypt part of a program at analysis time. The sample file is a portion of the Ripper virus.

### 1st step

The binary image of the virus is loaded into IDA and analysis is started at the entry point.

![](https://1187734245-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FBvvTRYOmg1A3xcvtPL0T%2Fuploads%2Fgit-blob-734817f3a2be6eba9e6b45e695c92f6cc4241bbc%2Fida_decrypt_tutorial001.gif?alt=media)

Obviously, the bytes right after the call don’t make sense, but the call gives us a clue: it is a decryption routine.

![](https://1187734245-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FBvvTRYOmg1A3xcvtPL0T%2Fuploads%2Fgit-blob-f8d8a1d047cf907494bf982d33d7d12831f16466%2Fida_decrypt_tutorial002.gif?alt=media)

### 2nd step

We create a small IDC program that mimics the decryption routine: a single-byte XOR applied in place over the encrypted region.

```
// Decrypt `size` bytes starting at linear address `from` with a one-byte XOR key.
// Byte/PatchByte are the classic IDC names; IDA 7+ also accepts
// get_wide_byte()/patch_byte() for the same operations.
static decrypt(from, size, key) {
  auto i, x;           // loop counter and the byte being processed
  for ( i=0; i < size; i=i+1 ) {
    x = Byte(from);    // fetch the byte from the database
    x = (x^key);       // decrypt it (XOR is its own inverse)
    PatchByte(from,x); // write it back into the database
    from = from + 1;   // next byte
  }
}
```

Save it on disk and press F2 to load it into IDA's interpreter.

![](https://1187734245-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FBvvTRYOmg1A3xcvtPL0T%2Fuploads%2Fgit-blob-273d90dd3bf4d67a374740b1f52ce48c2a4e1527%2Fida_decrypt_tutorial003.gif?alt=media)

### 3rd step

Then, we press Shift-F2 to call it with the appropriate values. Note that the starting point is passed as a linear address in the database, which is what Byte() and PatchByte() expect, not as a file offset. Pressing OK executes the statement.

![](https://1187734245-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FBvvTRYOmg1A3xcvtPL0T%2Fuploads%2Fgit-blob-718470d9b61812f3bc60eb726edf2b538e4b5c07%2Fida_decrypt_tutorial004.gif?alt=media)

The bytes are now decrypted.

![](https://1187734245-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FBvvTRYOmg1A3xcvtPL0T%2Fuploads%2Fgit-blob-c760465552f2653ccc84ccfa8f34c85ff459ad7e%2Fida_decrypt_tutorial005.gif?alt=media)

### 4th step

We move the cursor to offset 0x50 and press C (make code) to inform IDA that there is now code at that location.

![](https://1187734245-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FBvvTRYOmg1A3xcvtPL0T%2Fuploads%2Fgit-blob-c9851ca963125d0460dd4ab9b8ce626332e923aa%2Fida_decrypt_tutorial006.gif?alt=media)

And the code to allocate memory for the virus appears, along with a rather impolite message... The analysis may now resume.
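The same procedure as steps 2 and 3, written in Python as an added example (this is not code from the tutorial or from Hex-Rays). The byte read/write operations are passed in as callables, so the routine runs stand-alone here against a constructed in-memory image and, inside IDA, can be pointed at the IDAPython equivalents of Byte()/PatchByte(). The sample bytes, the key 0x5A, the region bounds and the 0x90 filler are all made up for the demo; the page does not give the real key or size.

```python
"""Single-byte XOR decryption in place, mirroring the tutorial's IDC loop.

Added example, not the original page's code. The sample image, key and
region below are constructed for the demo; they are not the Ripper values.
"""
from typing import Callable, Tuple


def xor_decrypt(read_byte: Callable[[int], int],
                write_byte: Callable[[int, int], None],
                start: int, size: int, key: int) -> int:
    """Decrypt `size` bytes at `start` with a one-byte XOR key, in place.

    `read_byte(ea)` and `write_byte(ea, value)` abstract the database, so the
    same routine works on a bytearray or, in IDAPython, on the IDB:
        import ida_bytes
        xor_decrypt(ida_bytes.get_wide_byte, ida_bytes.patch_byte, 0x50, size, key)
    Returns the number of bytes that actually changed. XOR is its own
    inverse, so running the routine a second time re-encrypts the region;
    a return value of 0 means the key is 0x00 (a no-op) and is worth noticing.
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    changed = 0
    for ea in range(start, start + size):
        old = read_byte(ea)
        new = old ^ key
        if new != old:
            write_byte(ea, new)
            changed += 1
    return changed


def decrypt_image(image: bytes, start: int, size: int, key: int) -> Tuple[bytes, int]:
    """Run xor_decrypt over a copy of `image` (standing in for the IDA
    database) and return the patched copy plus the changed-byte count."""
    buf = bytearray(image)

    def write(ea: int, value: int) -> None:
        buf[ea] = value

    changed = xor_decrypt(lambda ea: buf[ea], write, start, size, key)
    return bytes(buf), changed


# Constructed sample: 0x50 bytes of filler, then a short 16-bit code stub
# (mov ax,1000h / int 21h / ret) stored XOR-encrypted with KEY. None of this
# is taken from the real sample; it only exercises the routine.
KEY = 0x5A
CODE_START = 0x50
PLAINTEXT = bytes([0xB8, 0x00, 0x10, 0xCD, 0x21, 0xC3])
SAMPLE_IMAGE = bytes([0x90] * CODE_START) + bytes(b ^ KEY for b in PLAINTEXT)


if __name__ == "__main__":
    patched, n = decrypt_image(SAMPLE_IMAGE, CODE_START, len(PLAINTEXT), KEY)
    print(f"{n} bytes changed; region now {patched[CODE_START:].hex()}")
    # In IDA, the equivalent of step 4 (pressing C at the start of the
    # decrypted region) is idc.create_insn(CODE_START).
```

Inside IDA the only lines that differ are the two callables: pass `ida_bytes.get_wide_byte` and `ida_bytes.patch_byte` instead of the bytearray closures, then call `idc.create_insn()` on the first decrypted address so the auto-analyser picks the region up as code.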
