# Code-based Yara String Matching

In this lecture, we will discuss disassembly analysis of two implementations each of two encryption algorithms, TEA and Treyfer. We will consider the 32-bit and 64-bit build of each implementation, and thus will analyze 4 different object files.

The following source files will be analyzed:

- tea1.c (TEA Implementation #1)
- tea2.c (TEA Implementation #2)
- treyfer1.c (Treyfer Implementation #1)
- treyfer2.c (Treyfer Implementation #2)

The following analysis artifacts are provided:

- tea1-32.o (TEA Implementation #1 compiled form, 32-bit)
- tea1-64.o (TEA Implementation #1 compiled form, 64-bit)
- tea1-32.s (TEA Implementation #1 disassembled form, 32-bit)
- tea1-64.s (TEA Implementation #1 disassembled form, 64-bit)
- tea1-32.hex (TEA Implementation #1 hex dump, 32-bit)
- tea1-64.hex (TEA Implementation #1 hex dump, 64-bit)
- tea2-32.o (TEA Implementation #2 compiled form, 32-bit)
- tea2-64.o (TEA Implementation #2 compiled form, 64-bit)
- tea2-32.s (TEA Implementation #2 disassembled form, 32-bit)
- tea2-64.s (TEA Implementation #2 disassembled form, 64-bit)
- tea2-32.hex (TEA Implementation #2 hex dump, 32-bit)
- tea2-64.hex (TEA Implementation #2 hex dump, 64-bit)
- treyfer1-32.o (Treyfer Implementation #1 compiled form, 32-bit)
- treyfer1-64.o (Treyfer Implementation #1 compiled form, 64-bit)
- treyfer1-32.s (Treyfer Implementation #1 disassembled form, 32-bit)
- treyfer1-64.s (Treyfer Implementation #1 disassembled form, 64-bit)
- treyfer1-32.hex (Treyfer Implementation #1 hex dump, 32-bit)
- treyfer1-64.hex (Treyfer Implementation #1 hex dump, 64-bit)
- treyfer2-32.o (Treyfer Implementation #2 compiled form, 32-bit)
- treyfer2-64.o (Treyfer Implementation #2 compiled form, 64-bit)
- treyfer2-32.s (Treyfer Implementation #2 disassembled form, 32-bit)
- treyfer2-64.s (Treyfer Implementation #2 disassembled form, 64-bit)
- treyfer2-32.hex (Treyfer Implementation #2 hex dump, 32-bit)
- treyfer2-64.hex (Treyfer Implementation #2 hex dump, 64-bit)

The following script was used to generate the above files:

Additionally, I present the following public repository of yara signatures, and related tools, for you:
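As an added illustration of what code-based matching means in practice (example code written for this page, not the lecture's own script nor any rule from the repository mentioned above): the Python below reads objdump-style listings like the `.s` artifacts, finds the instructions that carry TEA's round constant 0x9E3779B9 as an immediate, derives a YARA hex string from the bytes that survive across the 32-bit and 64-bit builds, and checks that pattern against the raw code bytes the way YARA's hex-string engine would. The two listings embedded in it are constructed stand-ins and are not copied from tea1-32.s or tea1-64.s; the only facts relied on are the TEA delta constant and the standard x86 encodings of `mov r32, imm32` (B8+r) and `add r/m32, imm32` (81 /0).

```python
"""Derive a code-based YARA hex string for TEA from objdump listings and
check it against raw code bytes.  Added example for this page, not the
lecture's script or signatures; the listings are constructed stand-ins for
tea1-32.s / tea1-64.s.  Facts relied on: TEA's delta is 0x9E3779B9, and the
x86 encodings `mov r32, imm32` (B8+r) and `add r/m32, imm32` (81 /0)."""
import re
import struct

TEA_DELTA = 0x9E3779B9
DELTA_LE = struct.pack("<I", TEA_DELTA)  # as it sits in code: b9 79 37 9e

# Constructed `objdump -d` style listings (offset:  bytes  instruction).
LISTING_32 = """\
  1a:   b8 b9 79 37 9e          mov    $0x9e3779b9,%eax
  1f:   01 c2                   add    %eax,%edx
"""
LISTING_64 = """\
  2c:   41 81 c0 b9 79 37 9e    add    $0x9e3779b9,%r8d
  33:   44 89 c0                mov    %r8d,%eax
"""

# offset, colon, the byte column, then whatever objdump printed after it.
LINE_RE = re.compile(r"^\s*[0-9a-f]+:\s+((?:[0-9a-f]{2}\s+)+)(.*)$")

def instructions(listing):
    """Yield (encoding bytes, instruction text) per line of an objdump listing."""
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield bytes.fromhex("".join(m.group(1).split())), m.group(2).strip()

def code_bytes(listing):
    """Concatenate the encodings, reproducing the .text bytes of the object."""
    return b"".join(enc for enc, _ in instructions(listing))

def delta_instructions(listing):
    """Instructions whose encoding carries the TEA delta as a 32-bit immediate."""
    return [(enc, text) for enc, text in instructions(listing) if DELTA_LE in enc]

def common_pattern(encodings):
    """Build a YARA hex string from several encodings of the delta-carrying
    instruction.  Encodings are right-aligned on the immediate; a nibble that
    agrees across all samples is kept, any other nibble becomes '?'.  Opcode,
    ModRM and REX bytes that differ between builds are wildcarded away."""
    aligned = [enc[: enc.index(DELTA_LE) + len(DELTA_LE)] for enc in encodings]
    width = min(len(enc) for enc in aligned)
    toks = []
    for col in zip(*(enc[-width:] for enc in aligned)):
        hi = {v >> 4 for v in col}
        lo = {v & 0xF for v in col}
        toks.append(("%X" % hi.pop() if len(hi) == 1 else "?")
                    + ("%X" % lo.pop() if len(lo) == 1 else "?"))
    # Leading/trailing '??' only pad the pattern; drop them so what is left is
    # the part that actually carries signal.
    while toks and toks[0] == "??":
        toks.pop(0)
    while toks and toks[-1] == "??":
        toks.pop()
    return "{ " + " ".join(toks) + " }"

def compile_hex(pattern):
    """YARA hex string -> list of (value, mask) per byte; '?' nibbles are unmasked."""
    out = []
    for tok in pattern.strip("{} ").split():
        val = mask = 0
        for shift, ch in ((4, tok[0]), (0, tok[1])):
            if ch != "?":
                val |= int(ch, 16) << shift
                mask |= 0xF << shift
        out.append((val, mask))
    return out

def matches(pattern, data):
    """Offsets where the hex string matches, as YARA would report for the string."""
    pat = compile_hex(pattern)
    return [off for off in range(len(data) - len(pat) + 1)
            if all((data[off + i] & m) == v for i, (v, m) in enumerate(pat))]

def yara_rule(name, pattern):
    """Wrap the derived hex string in a minimal rule."""
    return (f"rule {name}\n{{\n    strings:\n        $tea = {pattern}\n"
            f"    condition:\n        $tea\n}}\n")

if __name__ == "__main__":
    samples = [enc for lst in (LISTING_32, LISTING_64)
               for enc, _ in delta_instructions(lst)]
    pattern = common_pattern(samples)  # -> { B9 79 37 9E }
    print(yara_rule("tea_delta_in_code", pattern))
    for arch, lst in (("32-bit", LISTING_32), ("64-bit", LISTING_64)):
        print(arch, "hits at offsets", matches(pattern, code_bytes(lst)))
```

Run as a script it prints the rule and the match offsets for both constructed builds. The derived pattern makes the lesson of the lecture's artifacts concrete: once the 32-bit `mov` and the 64-bit REX-prefixed `add` are aligned, only the immediate survives, so a single cross-architecture string collapses to the constant itself, while per-build strings can keep opcode context (for instance `B? B9 79 37 9E` for any `mov r32, 0x9e3779b9`). Treat a hit on the bare constant as a candidate, not a verdict: 0x9E3779B9 is also the Q constant of RC5/RC6 key expansion and a common hash-combining multiplier, and it may sit in a data section rather than in code, so the disassembly-level check of the surrounding shift-and-xor round is what confirms TEA.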

tags: *malware* *objdump* *asm* *lecture*