Press "Enter" to skip to content

Month: June 2021

Ghidra Plug-in to Decode XOR-Obfuscated Strings

As a reverse engineer/malware analyst, it is important to be able to write scripts to help automate your workflow. One example is to be able to write plug-ins for tools such as Ghidra that can aid in deobfuscating strings for a particular sample. In this example we will be recovering strings that have been obfuscated using the bitwise XOR operation. This example uses fairly simple techniques that will serve as an introduction to writing Python Plugins, and string deobfuscation routines. Code: sample and DLL: on Youtube: Below is a sample of the obfuscated string pattern. The function…

Comments closed