IDA Pro: IDC Script for Decrypting VB Obfuscated Malware

I was playing with a piece of malware with Jun Yee and we came across an obfuscated string in the VB code. The malware itself was written in Microsoft Visual Basic 6. It has a feature that allows the malware to overwrite itself after execution, just to make it a bit stealthier. Additionally, the binary itself contains an obfuscated string. Thanks to Jun Yi for helping me decrypt it faster.

Binary Hash: A2904D4E6527278C94EAC1FB2B665572

// rr.exe static string decryption script
//    by: opcode0x90, 23 November 2010
//
// NOTE(review): the header name after #include was lost in page extraction;
// IDC scripts conventionally begin with `#include <idc.idc>`.
#include

// Decrypt one obfuscated string in place and mark it as a Unicode string.
//   cipher: address in the IDB of the first 16-bit code unit of the string;
//           words are read until a zero word is found.
// Side effects: the decrypted words are written back into the database with
// PatchWord() (the database, not the file on disk), and the global default
// string type is changed via SetLongPrm(INF_STRTYPE, ...) and never restored.
static DecryptString( cipher )
{
auto i, c;

// initialize
i = cipher;

// NOTE(review): no upper bound -- the loop relies solely on a zero terminator.
// As far as I recall Word() reports an unreadable address as 0xFFFF rather
// than 0 (confirm), so an unterminated string would not stop this loop.
for ( c = Word(i); c != 0; c = Word(i) )
{
// decrypt
// NOTE(review): this condition is garbled by page extraction -- `c = 0xDA`
// and `c = 0xF4` are assignments, not comparisons, and two ranges joined only
// by && could never both hold since 0xDA < 0xF4. The intended range test
// cannot be recovered from this page; take it from the original script.
if (c >= 0xC0 && c = 0xDA && c = 0xF4 && c <= 0xFD)
c = c - 196;	// 196 == 0xC4, the fixed offset of this obfuscation

// replace original with decrypted char
PatchWord(i, c);

// move to next char
i = i + 2;
}

// convert entire decrypted cipher into unicode string
// (BADADDR lets IDA determine the string end itself)
SetLongPrm(INF_STRTYPE, ASCSTR_UNICODE);
MakeStr(cipher, BADADDR);
}

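// Script entry point: visit every code xref to the malware's string
// decryption routine and decrypt the string whose address is pushed
// immediately before each call.
static main()
{
    auto funcaddr, x;
    auto lpData;

    // address of the malware's DecryptString() routine in this sample
    funcaddr = 0x0040B6FC;

    // RfirstB0/RnextB0 enumerate the code cross-references to funcaddr,
    // i.e. each call site
    for ( x = RfirstB0(funcaddr); x != BADADDR; x = RnextB0(funcaddr, x) )
    {
        // The string address is expected to be the imm32 of a `push imm32`
        // (opcode 0x68, 5 bytes) directly before the call, so it sits at x-4.
        // Check the opcode first: any other instruction there would hand
        // DecryptString() a garbage address and patch unrelated bytes in the IDB.
        if ( Byte(x - 5) != 0x68 )
        {
            Message("skipping " + atoa(x) + ": not preceded by push imm32\n");
            continue;
        }
        lpData = Dword(x - 4);

        // progress output
        Message(atoa(x) + ": " + atoa(lpData) + "\n");

        // decrypt the string
        DecryptString(lpData);
    }
}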
