lborup
March 4th, 2009, 09:47
I am having difficulty establishing what actions are performed on a string in a piece of malware.
First some data is inserted into an xml document, so an ascii string containing the xml document is the result. The size of this string is 96h bytes.
Then another action is performed on that string, leaving it the size of 8Dh and not intelligible as ascii chars.
After this the string undergoes an AES encryption using an encryption routine from openssl.
Its the middle part that perplexes me. The algorithm is somewhat complex and i have not been able to decompile it. So what i am looking for is some kind of shortcut. Perhaps a method to test the resulting string (before AES) against different decompression/conversion/whatever routines to see if any one of those will yield the original string. Perhaps some insight into what could be happening if not compression.
Any clue will be appreciated...
First some data is inserted into an xml document, so an ascii string containing the xml document is the result. The size of this string is 96h bytes.
Then another action is performed on that string, leaving it the size of 8Dh and not intelligible as ascii chars.
After this the string undergoes an AES encryption using an encryption routine from openssl.
Its the middle part that perplexes me. The algorithm is somewhat complex and i have not been able to decompile it. So what i am looking for is some kind of shortcut. Perhaps a method to test the resulting string (before AES) against different decompression/conversion/whatever routines to see if any one of those will yield the original string. Perhaps some insight into what could be happening if not compression.
Any clue will be appreciated...