This is the third part of our three-part series on code emulation for malware analysis:
- Part 1 explains how to use radare2’s function emulation feature, featuring a password-cracking exercise using radare2’s Python scripting plugin,
r2pipe.
- Part 2 demonstrates how to decode the configuration of the Mirai IoT botnet by writing an automation script using radare2’s Python scripting capabilities.
- Part 3 (this post) builds on the previous script by adding support for searching encrypted string addresses and generating function signatures to locate the decryption routine dynamically.
In the previous two posts, we explored how to emulate string decryption routines using radare2 macros and Python scripts. We successfully decrypted parts of the configuration, but not all of it. In this post, we will enhance our automation script to solve this. Specifically, we will find the addresses of the encrypted data dynamically and feed them into our emulator.
We will also address another interesting challenge: when testing our script against different Mirai variants, the decryption function offset changes. Even though the underlying assembly remains identical, the hardcoded address breaks. We can elegantly solve this by creating function signatures—another incredibly useful feature in radare2. Let’s get right into it!