ghidra

Simple XOR Decoding With Ghidra

References
  Talk by Dr. Josh Stroschein, "Using Ghidra to Statically XOR Obfuscated Shellcode": https://www.youtube.com/watch?v=DgaPPixn9k4
  The author's blog: https://0xevilc0de.com/
  "Repository that provides sample codes mimicking real malware": https://github.com/jstrosch/learning-malware-analysis

Steps
  1. Create a new project.
  2. Import the shellcode (shellcode.bin, provided by the author).
  3. When asked for the language, select x86 (Visual Studio). A raw shellcode file has no header, so Ghidra cannot detect the architecture or compiler on its own.
  4. Let the analysis run; the listing opens.
  5. Go to the first offset (00000000). At this point the bytes are still shown as undefined data: a raw binary has no entry point, so auto-analysis does not disassemble anything.
  6. Press 'D' (Disassemble). Ghidra now follows the control flow from offset 0 and the decoder stub appears as code.

Codes
  The first instruction, a jump at 00000000, goes to 00000016, which is CALL FUN_00000002.
  The function at 00000002 is a XOR decoder. The immediates 0x186 and 0x97 appear to be the size of the encoded payload and the XOR key; the loop that uses them is:

    00000009  XOR  byte ptr DS:[EAX + ECX*1],0x97
    0000000e  TEST ECX,ECX
    00000010  JNZ  LAB_00000008

  EAX holds the address of the encoded shellcode. This is the usual JMP/CALL/POP idiom: the CALL at 00000016 pushes the address of the bytes immediately following it as its return address, and the decoder retrieves that address into EAX, so the encoded payload starts right after the CALL. The loop walks ECX down over the payload, XORing one byte with 0x97 per iteration.
  Only the stub disassembles cleanly. The bytes after the CALL are still encoded, so they do not turn into meaningful instructions until they are XORed with the key; doing that statically (rather than running the shellcode) is the point of the talk.
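The decode step done outside Ghidra, as an added example that is not the author's code or part of the talk: it reproduces the net effect of the loop at 00000008-00000010 (XOR 0x186 bytes at the address in EAX with 0x97) in Python, and also shows how to recover the key from a known plaintext fragment when it is not readable from the listing. The payload offset 0x1b is an assumption (the 5-byte near CALL at 00000016 plus 5), and the sample blob is constructed here; its stub bytes are a placeholder, not the real bytes of shellcode.bin.

```python
"""Static single-byte XOR decode of the shellcode stub discussed above.

Added example (not the author's code). It mirrors what the decoder loop at
00000008-00000010 does, XORing SIZE bytes at the address held in EAX with KEY,
so the payload can be recovered without executing anything.
"""
from typing import Optional, Tuple

KEY = 0x97             # immediate operand of the XOR at 00000009
SIZE = 0x186           # immediate read as the loop counter (byte count)
PAYLOAD_OFFSET = 0x1b  # assumption: encoded bytes start right after the
                       # 5-byte near CALL at 00000016 (0x16 + 5)


def xor_decode(blob: bytes, start: int, size: int, key: int) -> bytes:
    """Return blob with blob[start:start+size] XORed by key, rest untouched.

    This is the loop's net effect. XOR is its own inverse, so the same call
    re-encodes a decoded blob.
    """
    if start < 0 or size < 0 or start + size > len(blob):
        raise ValueError("decoder window lies outside the blob")
    window = bytes(b ^ key for b in blob[start:start + size])
    return blob[:start] + window + blob[start + size:]


def recover_key(encoded: bytes, known: bytes) -> Optional[int]:
    """Recover a single-byte XOR key from a known plaintext fragment.

    Slides `known` over `encoded`; at each position the first byte pair fixes
    a candidate key, which must then explain every other byte of the fragment.
    Returns None if no position is consistent with a single-byte key.
    """
    if not known:
        raise ValueError("need at least one known byte")
    for i in range(len(encoded) - len(known) + 1):
        k = encoded[i] ^ known[0]
        if all((encoded[i + j] ^ k) == known[j] for j in range(len(known))):
            return k
    return None


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed test blob: a placeholder stub followed by an encoded payload.

    The stub bytes are NOT the real decoder; they only occupy the same 0x1b
    bytes. The payload is a repeated marker string so the decode is checkable.
    """
    stub = b"\x00" * PAYLOAD_OFFSET
    plaintext = (b"calc.exe\x00" * (SIZE // 9 + 1))[:SIZE]
    encoded = bytes(b ^ KEY for b in plaintext)
    return stub + encoded, plaintext


def decode_sample() -> bytes:
    """Decode the constructed blob the way the stub would; return the payload."""
    blob, _ = build_sample()
    decoded = xor_decode(blob, PAYLOAD_OFFSET, SIZE, KEY)
    return decoded[PAYLOAD_OFFSET:PAYLOAD_OFFSET + SIZE]


if __name__ == "__main__":
    blob, plaintext = build_sample()
    decoded = xor_decode(blob, PAYLOAD_OFFSET, SIZE, KEY)
    assert decoded[PAYLOAD_OFFSET:PAYLOAD_OFFSET + SIZE] == plaintext
    # When the key is not obvious from the listing, a known fragment recovers it.
    print("recovered key: 0x%02x" % recover_key(blob[PAYLOAD_OFFSET:], b"calc.exe"))
    print("payload starts:", decoded[PAYLOAD_OFFSET:PAYLOAD_OFFSET + 16])
```

To use this on the real file, read shellcode.bin, confirm the CALL length and the ECX immediate in the Ghidra listing, and pass those values to xor_decode; the decoded bytes can then be written back into the program (Ghidra's scripting API can patch bytes in place) and disassembled with 'D' like the stub.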

Install Ghidra

Install Java
  Visit the Oracle page: https://www.oracle.com/java/technologies/downloads/
  Download the installation .deb package and install the JDK. Check which JDK version the Ghidra release you are going to download requires (it is stated in that release's installation guide); the commands below assume JDK 19 installed under /usr/lib/jvm/jdk-19.
  Register it with update-alternatives:
    sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/jdk-19/bin/java 1
    sudo update-alternatives --install /usr/bin/javac javac /usr/lib/jvm/jdk-19/bin/javac 1
    sudo update-alternatives --install /usr/bin/jar jar /usr/lib/jvm/jdk-19/bin/jar 1
  Set JAVA_HOME to the JDK directory (e.g., /usr/lib/jvm/jdk-19).

Install Ghidra
  Download Ghidra from https://github.com/NationalSecurityAgency/ghidra/releases
  Unpack it somewhere permanent (e.g., under /usr/local).
  Create symbolic links for convenience:
    sudo ln -s DOWNLOADED_GHIDRA /usr/local/ghidra
    sudo ln -s /usr/local/ghidra/ghidraRun /usr/local/bin/ghidraRun
  Create a Ghidra.