Code-based Yara String Matching
In this lecture, we will discuss disassembly analysis of two implementations each of the following encryption algorithms (TEA and Treyfer). We will consider the 32-bit and 64-bit build of each implementation, and thus will analyze 4 different object files.
The following source files will be analyzed:
- tea1.c (TEA Implementation #1)
- tea2.c (TEA Implementation #2)
- treyfer1.c (Treyfer Implementation #1)
- treyfer2.c (Treyfer Implementation #2)
The following analysis artifacts are provided:
- tea1-32.o (TEA Implementation #1 compiled form, 32-bit)
- tea1-64.o (TEA Implementation #1 compiled form, 64-bit)
- tea1-32.s (TEA Implementation #1 disassembled form, 32-bit)
- tea1-64.s (TEA Implementation #1 disassembled form, 64-bit)
- tea1-32.hex (TEA Implementation #1 hex dump, 32-bit)
- tea1-64.hex (TEA Implementation #1 hex dump, 64-bit)
- tea2-32.o (TEA Implementation #2 compiled form, 32-bit)
- tea2-64.o (TEA Implementation #2 compiled form, 64-bit)
- tea2-32.s (TEA Implementation #2 disassembled form, 32-bit)
- tea2-64.s (TEA Implementation #2 disassembled form, 64-bit)
- tea2-32.hex (TEA Implementation #2 hex dump, 32-bit)
- tea2-64.hex (TEA Implementation #2 hex dump, 64-bit)
- treyfer1-32.o (Treyfer Implementation #1 compiled form, 32-bit)
- treyfer1-64.o (Treyfer Implementation #1 compiled form, 64-bit)
- treyfer1-32.s (Treyfer Implementation #1 disassembled form, 32-bit)
- treyfer1-64.s (Treyfer Implementation #1 disassembled form, 64-bit)
- treyfer1-32.hex (Treyfer Implementation #1 hex dump, 32-bit)
- treyfer1-64.hex (Treyfer Implementation #1 hex dump, 64-bit)
- treyfer2-32.o (Treyfer Implementation #2 compiled form, 32-bit)
- treyfer2-64.o (Treyfer Implementation #2 compiled form, 64-bit)
- treyfer2-32.s (Treyfer Implementation #2 disassembled form, 32-bit)
- treyfer2-64.s (Treyfer Implementation #2 disassembled form, 64-bit)
- treyfer2-32.hex (Treyfer Implementation #2 hex dump, 32-bit)
- treyfer2-64.hex (Treyfer Implementation #2 hex dump, 64-bit)
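As an added example, not part of the lecture materials or the referenced repository: a minimal YARA-style hex pattern matcher run over constructed x86 and x86-64 byte sequences (not bytes taken from the .o files listed above). It relies on one fact about TEA not stated above, its round constant 0x9E3779B9 (and the 32-round sum 0xC6EF3720), to show why a constant survives as the same little-endian immediate in both builds while opcode-anchored patterns become sensitive to register choice and prefixes.

```python
import re

# TEA's per-round delta and the 32-round sum (delta * 32), as a compiler
# emits them in x86 / x86-64 code: little-endian imm32 operands.
TEA_DELTA = (0x9E3779B9).to_bytes(4, "little")  # b'\xb9\x79\x37\x9e'
TEA_SUM = (0xC6EF3720).to_bytes(4, "little")    # b'\x20\x37\xef\xc6'

def compile_hex_pattern(pattern):
    """Translate a YARA hex string, e.g. '{ 81 ?? B9 79 37 9E }', into a
    bytes regex. Only literal bytes and the '??' single-byte wildcard are
    supported here (YARA also has nibble wildcards and [n-m] jumps)."""
    parts = []
    for tok in pattern.strip().strip("{}").split():
        if tok == "??":
            parts.append(b".")
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError("unsupported hex-string token: %r" % tok)
    return re.compile(b"".join(parts), re.DOTALL)

def find_matches(pattern, data):
    """Offsets at which the hex pattern matches in data."""
    return [m.start() for m in compile_hex_pattern(pattern).finditer(data)]

# Rules in increasing order of how much surrounding code they pin down.
RULES = {
    "tea_delta_imm": "{ B9 79 37 9E }",         # the constant alone
    "tea_sum_imm": "{ 20 37 EF C6 }",           # delta*32, seen in decrypt paths
    "tea_mov_eax_delta": "{ B8 B9 79 37 9E }",  # mov eax, delta (opcode-anchored)
    "tea_add_r_delta": "{ 81 ?? B9 79 37 9E }", # add r32, delta (modrm wildcarded)
}

def scan(data):
    """Apply every rule to one buffer, returning {rule_name: [offsets]}."""
    return {name: find_matches(pat, data) for name, pat in RULES.items()}

# Constructed stand-ins for a .text section (NOT bytes from the lecture's .o
# files). 32-bit: push ebp; mov ebp,esp; mov eax,delta; add edx,delta; ret
CODE_32 = (b"\x55\x89\xe5" + b"\xb8" + TEA_DELTA
           + b"\x81\xc2" + TEA_DELTA + b"\xc3")
# 64-bit: push rbp; mov rbp,rsp; mov r8d,delta; add r8d,sum; ret. Using r8d
# puts a REX prefix (0x41) in front of the same opcodes.
CODE_64 = (b"\x55\x48\x89\xe5" + b"\x41\xb8" + TEA_DELTA
           + b"\x41\x81\xc0" + TEA_SUM + b"\xc3")

if __name__ == "__main__":
    for name, code in (("32-bit", CODE_32), ("64-bit", CODE_64)):
        print(name, scan(code))
```

Note that `tea_mov_eax_delta` also fires on the 64-bit buffer at the `41 B8` encoding of `mov r8d`, because a byte pattern does not see the REX prefix; that is why the .s disassembly, not only the .hex dump, matters when deciding which bytes a code-based rule should anchor on.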
The following script was used to generate the above files:
Additionally, I present the following public repository of yara signatures, and related tools, for you:
tags: malware objdump asm lecture