
Simple XOR Decoding With Ghidra

References

- Talk by Dr. Josh Stroschein, "Using Ghidra to Statically XOR Obfuscated Shellcode" (https://www.youtube.com/watch?v=DgaPPixn9k4)
- The author's blog: https://0xevilc0de.com/
- "Repository that provides sample codes mimicking real malware" (https://github.com/jstrosch/learning-malware-analysis)

Steps

1. Create a new project.
2. Import the shellcode (shellcode.bin, provided by the author).
3. Set the language to x86 (Visual Studio).
4. The analyzed result shows up.
5. Go to the first offset (00000000). At this point the bytes look like a series of random values.
6. Press 'D' (Disassemble). Now the unpacking code shows up.

Code

- The first jump (at 00000000) goes to 00000016: CALL FUN_00000002.
- Looking at the code from 00000002, there is a function that works as a XOR decoder. From the instructions, 0x186 and 0x97 appear to be the size of the packed code and the encoding key, respectively.
- The decoding loop:

  00000009 XOR byte ptr DS:[EAX + ECX*1],0x97
  0000000e TEST ECX,ECX
  00000010 JNZ LAB_00000008

- EAX holds the location of the encoded shellcode; ECX is the byte index that the loop runs down to zero.
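The same decoder loop reproduced outside Ghidra, added here as an example (it is not code from the talk or from the repository above); it is useful for checking the 0x186/0x97 reading against the raw bytes of a blob, and it goes one step further by recovering the key from a known plaintext prefix when the immediate is not obvious. It assumes the one-byte instruction at LAB_00000008 decrements ECX before the XOR, and the sample blob is constructed here, not taken from shellcode.bin.

```python
"""Single-byte XOR decoder loop from the Ghidra listing, re-implemented in Python."""
from typing import Optional

PACKED_SIZE = 0x186  # size operand seen in the decoder function
XOR_KEY = 0x97       # immediate in: XOR byte ptr DS:[EAX + ECX*1],0x97


def xor_decode(blob: bytes, start: int, size: int, key: int) -> bytes:
    """Return a copy of blob with `size` bytes at `start` XORed with `key`.

    Mirrors the loop: EAX = start of the packed region, ECX counts down
    (assumed DEC ECX at LAB_00000008), each pass XORs one byte in place,
    TEST ECX,ECX / JNZ stops when ECX reaches zero. XOR is its own inverse,
    so the same routine both encodes and decodes.
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    if start < 0 or start + size > len(blob):
        raise ValueError("packed region lies outside the blob")
    out = bytearray(blob)
    ecx = size
    while ecx:                   # TEST ECX,ECX ; JNZ LAB_00000008
        ecx -= 1                 # assumed DEC ECX
        out[start + ecx] ^= key  # XOR byte ptr [EAX + ECX], key
    return bytes(out)


def recover_key(blob: bytes, start: int, known_prefix: bytes) -> Optional[int]:
    """Brute-force all 256 keys; return the one that yields known_prefix at start."""
    region = blob[start:start + len(known_prefix)]
    for key in range(256):
        if bytes(b ^ key for b in region) == known_prefix:
            return key
    return None


# Constructed sample: a zeroed stand-in for the 0x16-byte stub, then a packed region.
STUB_SIZE = 0x16
PLAINTEXT = (b"\x90" * 4 + b"constructed sample payload").ljust(PACKED_SIZE, b"\x00")
SAMPLE_BLOB = bytes(STUB_SIZE) + xor_decode(PLAINTEXT, 0, PACKED_SIZE, XOR_KEY)


def decode_sample() -> bytes:
    """Decode the constructed blob and return only the recovered packed region."""
    decoded = xor_decode(SAMPLE_BLOB, STUB_SIZE, PACKED_SIZE, XOR_KEY)
    return decoded[STUB_SIZE:STUB_SIZE + PACKED_SIZE]
```

To use it on a real file, read the bytes, pass the offset of FUN_00000002's target buffer as `start`, and compare the decoded region in a hex viewer with what Ghidra shows after the loop runs.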