Source: opensecuritytraining.info
I. String Decoding
- General algorithm
- read from memory/buffer
- transform
- write to memory/buffer
- Source and destination may be same (overwriting) or different
- May be single byte or multi-byte operations
- ASCII Table is your friend, so keep one on hand
II. Bit Masks
- Often operands of logical operations (AND, OR, XOR,…)
- Used for program control (flags)
- …and string manipulation (compression, encryption, etc.)
EXAMPLE 1:
movsx eax, byte ptr [edx]
and eax, 0Fh
EXAMPLE 2:
mov al, [edx]
and eax, 0Fh
Reverse Engineering, Malware Deep Insight 