mandiant / flare-floss

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Apache License 2.0

[identification] base64 encoded data #281

Open mr-tz opened 6 years ago

mr-tz commented 6 years ago

e.g. look for ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/= string

RahulSankhla312 commented 7 months ago

Hello @mr-tz I started working on this issue.

I have currently changed stack_strings so that if a string is base64, it is identified. I have attached the output.

image

Kindly look through it and suggest the necessary changes.

williballenthin commented 7 months ago

The intent of this issue is to track the idea that the "decoding routine identification phase" should take into account references to the Base64 alphabet. The intuition being that when the Base64 alphabet is seen, it's probably used nearby to decode some data. So in the same part of the code where we recognize non-zero xor and high xrefs, we should also inspect string references for the default Base64 alphabet.
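Added example (editor's illustration, not part of the comment above and not FLOSS's own code): one way to sketch the heuristic described in that comment, locating the default Base64 alphabet in a data section and flagging functions whose data references point at it. All function names are hypothetical, and the section bytes, base address and cross-reference map are constructed stand-ins for what a disassembler would report.

```python
# Standard Base64 alphabet (padding character '=' excluded from the table).
B64_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
B64_ALPHABET_WIDE = B64_ALPHABET.decode("ascii").encode("utf-16le")


def find_alphabet_offsets(data):
    """Return sorted (offset, encoding) pairs for each alphabet occurrence."""
    hits = []
    for enc, needle in (("ascii", B64_ALPHABET), ("utf-16le", B64_ALPHABET_WIDE)):
        start = data.find(needle)
        while start != -1:
            hits.append((start, enc))
            start = data.find(needle, start + 1)
    return sorted(hits)


def functions_referencing_alphabet(data, base_va, data_refs):
    """Map function VA -> referenced VAs that fall inside an alphabet table.

    data_refs is {function_va: [referenced data VAs]}; here it is constructed
    by hand, in practice it would come from the analysis workspace.
    """
    ranges = []
    for off, enc in find_alphabet_offsets(data):
        size = len(B64_ALPHABET) if enc == "ascii" else len(B64_ALPHABET_WIDE)
        ranges.append((base_va + off, base_va + off + size))
    flagged = {}
    for fva, refs in data_refs.items():
        matched = [r for r in refs if any(lo <= r < hi for lo, hi in ranges)]
        if matched:
            flagged[fva] = matched
    return flagged


# Constructed sample: a fake data section holding an ASCII table at 0x10,
# an unrelated string, and a UTF-16LE copy of the table at 0x5e.
SECTION = (b"\x00" * 16 + B64_ALPHABET + b"=\x00"
           + b"config.dat\x00\x00" + B64_ALPHABET_WIDE + b"\x00\x00")
BASE_VA = 0x403000
DATA_REFS = {  # constructed cross-references
    0x401000: [0x403010],            # references the ASCII table
    0x401200: [0x403052],            # references only "config.dat"
    0x401400: [0x40305E, 0x403052],  # references the wide table and the string
}

if __name__ == "__main__":
    for fva, refs in functions_referencing_alphabet(SECTION, BASE_VA, DATA_REFS).items():
        print(hex(fva), [hex(r) for r in refs])
```

A function flagged this way would be one more signal alongside the non-zero xor and high-xref features the comment mentions, not a verdict on its own.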

mr-tz commented 7 months ago

sidebar: your idea here could be an interesting additional tag for Quantumstrand