Awesome that you are going to produce more videos this year! I tried weekly publishing too but found it hard to keep up with all the other stuff going on in life. So I just decided to be more flexible and relaxed with that. The IDAPython book is good advice. I haven't done IDA scripting before although I intended to. It's fun to watch you when you are amused about stuff like the shortcut R actually turning the character into "r". X)
@OALABS 7 years ago
Thanks so much : ) Yeh producing one video a week is pretty demanding but there are two of us so we can share the work, I couldn't imagine trying to do this by myself. Alex's book is great! I can't recommend it enough... he has taught me so much about scripting. We are really working hard to do an episode with him. Thanks again for the support : ))
@EnduranceT 7 years ago
This is awesome! Thank you! It's very helpful and fun to watch how you use Python to solve these issues.
@Kaplan0644 5 years ago
Awesome video, I have seen IDA scripting usage for the first time. Thank you
@TheBekabe 7 years ago
My request. Thanks so much. I'm always waiting for the next part.
@OALABS 7 years ago
Thanks for the interesting sample! Part 2 drops next week!
@Ivo-- 7 years ago
I was screaming at the screen when you looked at data instead of out the first time (when you had implemented the algo without the sub of the counter).
@OALABS 7 years ago
haha! I know right! I had to leave that in there in the final cut : ))
@Nickerian91 5 years ago
Can't you just run the debugger past the decryption function and dump the memory afterwards and it will be the decrypted file ready to run?
@OALABS 5 years ago
Yes for sure (see our recent video on lazy string decryption) but we wanted to show how to introduce some scripting into your analysis. In many cases you may have an unpacked dump that cannot be debugged and you will have to do it statically... then this tutorial would be useful : )
@gas142 5 years ago
Hi, I'm trying to get the sample of this malware from the link above. I know it's probably old, but anyway... is there any chance to get this malware?
@OALABS 5 years ago
Links to download the samples are always provided in the description of the video. You need to expand the description to see them. We use malshare which is a free malware sharing platform for researchers. You will need to register for a free account then you can download the sample from the links provided.
@axelsamik 7 years ago
Thanks for the great videos! I've converted the script to BinaryNinja: github.com/Tomasuh/various/blob/master/BinaryNinja-scripts/nop-it.py
@OALABS 7 years ago
Awesome! I'm not really familiar with BinaryNinja but I find your comment super interesting: "BinaryNinja does not support collapsing parts of the code which is why we NOP and then look at the code in IL view which optimizes the NOPs away." I think this is a really cool tip for those who are using BinaryNinja as their primary analysis tool.