The FireEye Labs Obfuscated String Solver (FLOSS) automatically extracts obfuscated strings from Windows executables and shellcode. The tool integrates with various reverse engineering tools including IDA Pro, radare2, and x64dbg. In this post, I will show how to leverage strings that FLOSS decoded when reverse engineering malware using IDA Pro and debugging it using x64dbg.
Continue reading “Integrating FLOSS deobfuscated strings into IDA Pro and x64dbg”
Identifying string decoding functions in IDA Pro
Motivation and background
When triaging malicious executable files I always try the FireEye Labs Obfuscated String Solver (FLOSS) to quickly decode obfuscated strings. In short, FLOSS uses heuristics to identify decoding routine candidates and emulates them using vivisect’s disassembly and emulation modules.
While vivisect is an awesome tool, it sometimes is not as robust as IDA Pro in parsing and disassembling binaries. In addition, IDA Pro provides the Fast Library Identification and Recognition Technology (FLIRT) that helps to distinguish standard library functions and functions written by the program’s author.
Continue reading “Identifying string decoding functions in IDA Pro”