Analyzing encrypted code

This small tutorial demonstrates how to use IDC to decrypt part of a program at analysis time. The sample file is a portion of the Ripper virus.

1st step

The binary image of the virus is loaded into IDA and analysis is started at the entry point

Obviously, the bytes right after the call don’t make sense, but the call gives us a clue: it is a decryption routine.

2nd step

We create a small IDC program that mimicks the decryption routine.

static decrypt(from, size, key ) {
  auto i, x;           // we define the variables
  for ( i=0; i < size; i=i+1 ) { 
    x = Byte(from);    // fetch the byte
    x = (x^key);       // decrypt it
    PatchByte(from,x); // put it back
    from = from + 1;   // next byte
  } 
}
            

Save it on disk and press F2 to load it into IDA's interpreter.

3rd step

Then, we press shift-F2 to call it with the appropriate values. Please note the linear address used for the starting point. Pressing OK executes the statement.

The bytes are now decrypted

4th step

We move the cursor to offset 0x50 and press C to inform IDA that there is now code at that location.

And the code to allocate memory for the virus appears, along with a rather impolite message... The analysis may now resume.