Dissecting the Dyre Loader: String Decrypt, by Jason Reaves, December 31, 2015

String Decrypt


The main function for the string decryption process is called with an index number as an argument indicating which string the calling code wants returned. When called, this function pushes the offset of every encoded string onto the stack. It then uses the index passed to it to copy the encoded string into another section of memory; the end of the string is reached when a NULL byte is hit. We can see this happening in Figure ??.

After this is done, the code passes the section of memory holding the encoded string, along with its length, to the function responsible for decrypting it. In Figure ?? we can see the heart of what appears to be a single-byte XOR loop over an 8-byte key, except that when a byte is equal to its key byte that byte is left alone. The byte-checking portion is turned on or off with a flag that gets passed to the routine; it is an attempt at making the routine safe for unicode strings. However, since the unicode strings have their null bytes XORed, it appears that the same check is not done during the encoding process, making the check itself possibly useless code.

Figure 2: Finding which string to decode
Figure 3: Main string decoding section

A proof of concept example of this can be seen in Figure ??, and decrypting all of the strings at every offset can give us insight into how the loader might operate (Figure ??). Taking out the same-byte check and running the script against the encoded unicode strings also gives us some interesting strings (Figure ??).
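The following is an added example, not the article's or the loader's own code, that models the string table and decoder described above so the effect of the same-byte check can be seen directly. The 8-byte key, the sample strings and the offset-table layout are all constructed for illustration; the real loader's key is not given on this page. Encoding is done without the check (matching the article's observation), so decoding a UTF-16 string with the check enabled leaves the key bytes in place where the null bytes should be, while decoding with the check removed recovers the string.

```python
# Added example (not the article's or Dyre's own code): a model of the string
# table and XOR decoder described in the article. KEY, STRINGS and the table
# layout are constructed for illustration.

KEY = bytes([0x91, 0xA2, 0xB3, 0xC4, 0xD5, 0xE6, 0xF7, 0x88])  # constructed 8-byte key


def xor_cipher(buf: bytes, key: bytes, skip_equal: bool) -> bytes:
    """Byte-wise XOR against a repeating key.

    With skip_equal=True a byte that already equals its key byte is left
    untouched; this is the flag-controlled 'unicode safe' check the article
    describes in the decoder.
    """
    out = bytearray()
    for i, b in enumerate(buf):
        k = key[i % len(key)]
        out.append(b if (skip_equal and b == k) else b ^ k)
    return bytes(out)


def build_table(plaintexts, key):
    """Encode each string WITHOUT the equal-byte check (as the article infers the
    encoder does), NUL-terminate it, and record its offset in the blob."""
    blob = bytearray()
    offsets = []
    for p in plaintexts:
        enc = xor_cipher(p, key, skip_equal=False)
        # A 0x00 in the encoded data would act as a false terminator; the
        # constructed key has the high bit set in every byte so ASCII input
        # can never produce one.
        assert 0 not in enc, "encoded byte of 0 would truncate the string"
        offsets.append(len(blob))
        blob += enc + b"\x00"
    return bytes(blob), offsets


def fetch_encoded(blob: bytes, offsets, index: int) -> bytes:
    """Copy the encoded string at table entry `index` up to its NUL terminator,
    mirroring the loader's 'copy until NULL' step."""
    start = offsets[index]
    end = blob.index(0, start)
    return blob[start:end]


def decrypt_string(blob, offsets, index, key, unicode_flag: bool) -> bytes:
    """Look up entry `index` and decode it; unicode_flag enables the same-byte check."""
    return xor_cipher(fetch_encoded(blob, offsets, index), key, skip_equal=unicode_flag)


# Constructed sample strings: one ASCII, one UTF-16LE (every other byte is 0x00).
STRINGS = [b"kernel32.dll", "C:\\Windows".encode("utf-16-le")]
BLOB, OFFSETS = build_table(STRINGS, KEY)


def demo():
    """Returns (ascii_ok, unicode_ok_with_check, unicode_ok_without_check)."""
    ascii_ok = decrypt_string(BLOB, OFFSETS, 0, KEY, unicode_flag=False) == STRINGS[0]
    with_check = decrypt_string(BLOB, OFFSETS, 1, KEY, unicode_flag=True)
    without_check = decrypt_string(BLOB, OFFSETS, 1, KEY, unicode_flag=False)
    return ascii_ok, with_check == STRINGS[1], without_check == STRINGS[1]


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True)
```

The null bytes of the UTF-16 string are XORed to the key bytes at odd positions; on decode, the check sees an encoded byte equal to its key byte and leaves it alone instead of restoring 0x00, so only the check-free decode round-trips. That is the behaviour the article attributes to the flag, and why removing the check when scripting the decryption of the unicode strings yields readable output.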
