# Analyzing encrypted code

This small tutorial demonstrates how to use IDC to decrypt part of a program at analysis time. The sample file is a portion of the Ripper virus.

### 1st step

The binary image of the virus is loaded into IDA and analysis is started at the entry point

![](/files/WasUHLCBWuoluakISpTa)

Obviously, the bytes right after the call don’t make sense, but the call gives us a clue: it is a decryption routine.

![](https://github.com/HexRaysSA/docs/blob/main/idc-tutorials/assets/ida_decrypt_tutorial002.gif)

### 2nd step

We create a small IDC program that mimicks the decryption routine.

```
static decrypt(from, size, key ) {
  auto i, x;           // we define the variables
  for ( i=0; i < size; i=i+1 ) { 
    x = Byte(from);    // fetch the byte
    x = (x^key);       // decrypt it
    PatchByte(from,x); // put it back
    from = from + 1;   // next byte
  } 
}
            
```

Save it on disk and press F2 to load it into IDA's interpreter.

![](/files/f94ky0G92DLc41Xb2YCz)

### 3rd step

Then, we press shift-F2 to call it with the appropriate values. Please note the linear address used for the starting point. Pressing OK executes the statement.

![](/files/phTb3e8xhVeJ9bITyhgU)

The bytes are now decrypted

![](/files/haC32deQLXxIKFOHp72T)

### 4th step

We move the cursor to offset 0x50 and press C to inform IDA that there is now code at that location.

![](/files/1NDqhDoAVSVcQ3fyPbhO)

And the code to allocate memory for the virus appears, along with a rather impolite message... The analysis may now resume.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.hex-rays.com/9.0/developer-guide/idc/idc-examples/analyzing-encrypted-code.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.