mandiant / flare-floss

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Apache License 2.0

failing test: test-decode-substitution-cipher::Windows::32bit #202

Closed mr-tz closed 8 years ago

mr-tz commented 8 years ago

Decoding routine identification fails. With #201 emulation works.

williballenthin commented 8 years ago

closed in 4a5017aad472875d4a2d821031cff7e61066ebbc

williballenthin commented 8 years ago

this is a detection issue

williballenthin commented 8 years ago

not sure how to solve... current features are something like:

this is not very much

williballenthin commented 8 years ago

perhaps the following instruction is interesting:

movsx   eax, byte ptr [ecx+eax]

add a new heuristic for: mov/fetch a single byte using a base pointer and offset. this is commonly seen in byte-wise algorithms.
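A toy version of the heuristic proposed in this comment, added here as an example and not FLOSS's own feature code: it scans text disassembly (constructed samples, assumed Intel syntax) for single-byte loads addressed through a base register plus an index register or displacement, and scores a routine by how many it contains. FLOSS works on vivisect analysis objects rather than disassembly text, so the regex-on-text approach is an assumption chosen to keep the example self-contained.

```python
import re

# Byte-sized memory operand in Intel syntax, e.g. "byte ptr [ecx+eax]".
BYTE_MEM_RE = re.compile(r"byte ptr \[(?P<addr>[^\]]+)\]", re.IGNORECASE)
# Mnemonics that fetch a single byte into a register (plain, sign- or zero-extending).
BYTE_LOAD_MNEMONICS = {"mov", "movsx", "movzx"}

def is_byte_fetch(insn: str) -> bool:
    """True if insn loads one byte via base register + index/offset (stores and bare [reg] loads excluded)."""
    parts = insn.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in BYTE_LOAD_MNEMONICS:
        return False
    dst, _, src = parts[1].partition(",")
    if BYTE_MEM_RE.search(dst):          # byte-sized destination means a store
        return False
    match = BYTE_MEM_RE.search(src)
    if match is None:
        return False
    addr = match.group("addr").replace(" ", "")
    return "+" in addr or "-" in addr    # base register combined with an index or displacement

def byte_fetch_features(insns) -> tuple:
    """Return (count of indexed byte fetches, fraction of instructions that are such fetches)."""
    hits = sum(1 for insn in insns if is_byte_fetch(insn))
    return hits, (hits / len(insns) if insns else 0.0)

def looks_byte_wise(insns, min_hits: int = 2) -> bool:
    """Heuristic verdict: at least min_hits indexed byte fetches in the routine."""
    return byte_fetch_features(insns)[0] >= min_hits

# Constructed disassembly of a substitution-cipher decoding loop (hypothetical sample).
DECODE_LOOP = [
    "push ebp",
    "mov ebp, esp",
    "mov ecx, [ebp+8]",                 # input buffer (dword load, not counted)
    "mov edx, [ebp+0Ch]",               # substitution table
    "mov eax, esi",
    "movsx   eax, byte ptr [ecx+eax]",  # the instruction quoted above
    "mov al, byte ptr [edx+eax]",       # table lookup, also an indexed byte fetch
    "mov byte ptr [ecx+esi], al",       # byte store: not counted
    "inc esi",
    "cmp esi, edi",
    "jl 0x401010",
]
# Constructed routine with no indexed byte loads (hypothetical sample).
PLAIN_ROUTINE = ["push ebp", "mov ebp, esp", "mov eax, [ebp+8]",
                 "mov byte ptr [ebp-1], 0", "pop ebp", "ret"]

if __name__ == "__main__":
    for name, insns in (("decode_loop", DECODE_LOOP), ("plain_routine", PLAIN_ROUTINE)):
        print(name, byte_fetch_features(insns), looks_byte_wise(insns))
```

The count alone is a weak signal; as with the thread's other features it is meant to be combined with additional heuristics before flagging a function as a decoding routine.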

williballenthin commented 8 years ago

perhaps could use symbolic analysis to determine that the output buffer is a function of the input buffer. unsure of the feasibility. need johnk to complete his exploration of symboliks and provide some tutorials before we tackle this.