rule Lumma_Stealer_Core {
meta:
description = "Detects Lumma Stealer core functionality"
author = "Binary Ninja Analysis"
date = "2024"
malware_type = "stealer"
reference = "Lumma Stealer Analysis"
strings:
// MurmurHash2-like constant used in API hashing
import idaapi
import ida_hexrays
import idc
import ida_lines
import random
import string
HASH_ENUM_INDEX = 0
global call_op_uniq
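The YARA rule's comment refers to a MurmurHash2-like constant used in API hashing: rather than importing functions by name, the loader hashes each export name and compares it with a hard-coded value. The resolver below is an added example, not code from either gist. It implements the 32-bit MurmurHash2 reference algorithm (multiplier 0x5BD1E995) and builds a reverse lookup table from a constructed export list; the seed (0), the export names and the "recovered" hashes are all assumptions for illustration, since the rule's actual strings and the sample's hashing variant are not shown above.

```python
import struct

MURMUR_M = 0x5BD1E995  # MurmurHash2 multiplier, the constant seen in API-hashing stubs
MURMUR_R = 24
MASK32 = 0xFFFFFFFF


def murmurhash2(data: bytes, seed: int = 0) -> int:
    """32-bit MurmurHash2 as published by Austin Appleby (little-endian 4-byte blocks)."""
    length = len(data)
    h = (seed ^ length) & MASK32
    offset = 0
    while length - offset >= 4:
        k = struct.unpack_from("<I", data, offset)[0]
        k = (k * MURMUR_M) & MASK32
        k ^= k >> MURMUR_R
        k = (k * MURMUR_M) & MASK32
        h = (h * MURMUR_M) & MASK32
        h ^= k
        offset += 4
    tail = data[offset:]
    # Tail handling mirrors the reference switch with fall-through on len & 3
    if len(tail) == 3:
        h ^= tail[2] << 16
    if len(tail) >= 2:
        h ^= tail[1] << 8
    if len(tail) >= 1:
        h ^= tail[0]
        h = (h * MURMUR_M) & MASK32
    h ^= h >> 13
    h = (h * MURMUR_M) & MASK32
    h ^= h >> 15
    return h


def name_variants(name: str):
    """Spellings a hashing stub might feed the hash: as-is, with the C terminator, upper/lower case."""
    for base in (name, name.upper(), name.lower()):
        yield base.encode("ascii")
        yield base.encode("ascii") + b"\x00"


def build_hash_table(export_names, seed: int = 0) -> dict:
    """Map the hash of every spelling variant back to the canonical export name."""
    table = {}
    for name in export_names:
        for variant in name_variants(name):
            table.setdefault(murmurhash2(variant, seed), name)
    return table


def resolve_api_hashes(hashes, export_names, seed: int = 0) -> dict:
    """Return {hash: export name or None} for hashes carved out of a sample."""
    table = build_hash_table(export_names, seed)
    return {h: table.get(h) for h in hashes}


# Constructed export list; a real tool would walk the export tables of the DLLs of interest.
SAMPLE_EXPORTS = [
    "VirtualAlloc", "VirtualProtect", "LoadLibraryA", "GetProcAddress",
    "CreateFileW", "WriteFile", "NtProtectVirtualMemory", "NtWriteVirtualMemory",
]

if __name__ == "__main__":
    # Constructed "recovered" hashes: two names the table knows plus one it cannot resolve.
    seen = [murmurhash2(b"VirtualProtect"), murmurhash2(b"LoadLibraryA\x00"), 0xDEADBEEF]
    for h, name in resolve_api_hashes(seen, SAMPLE_EXPORTS).items():
        print(f"{h:#010x} -> {name}")
```

When a hash refuses to resolve, the usual culprits are a non-zero seed, a different tail handling, or the stub hashing the name with its NUL terminator or in a different case; the variant table covers the last two, the seed has to be read out of the hashing routine itself.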
@jershmagersh
jershmagersh / 3hr_workshop.md
Created April 3, 2024 15:51
  1. 30 min - Introducing Workshop Resources and Content 
  • The workshop will begin by familiarizing participants with the tools used in the workshop, including:

  • Binary Ninja (https://binary.ninja/) and Binary Ninja’s user-interface (UI) components that we will be using throughout the workshop (mainly the disassembler, decompiler, Python REPL, and scripting interfaces)

  • Binary Ninja’s Decompiler, which uses Binary Ninja Intermediate Languages (BNILs - https://docs.binary.ninja/dev/bnil-overview.html). These BNILs will be used to assist with understanding disassembled instructions during our reverse engineering process

Can you write Python that extracts the copied_alphabet string from the __builtin_strncpy in this function and uses it to decrypt data within the dec_sc_buff variable using the binary ninja API? 👤

🤖 To extract the copied_alphabet string and decrypt data within the dec_sc_buff variable using the Binary Ninja API, you can follow these steps:

1. Extract the copied_alphabet string directly from the provided HLIL.
2. Implement the decryption logic based on the operation described in the HLIL for modifying dec_sc_buff.
3. Use the Binary Ninja API for any additional operations needed.

Here is a Python example that accomplishes this:

How can I recursively get a highlevelil.HighLevelILCall from a nested set of operands? 👤

🤖 To recursively get a HighLevelILCall from a nested set of operands in a High-Level Intermediate Language (HLIL) instruction, you can define a recursive function that traverses the operands of each instruction. If an operand is itself an instruction (which is common in HLIL, where operands can be complex expressions), the function recursively examines it until it finds an instruction of type HighLevelILCall. Here's how you could implement such a function:

import binaryninja
from binaryninja.highlevelil import HighLevelILInstruction, HighLevelILOperation

def find_hlil_call_recursively(instr):
    # Base case: If the instruction is a call, return it
    if isinstance(instr, HighLevelILInstruction) and instr.operation == HighLevelILOperation.HLIL_CALL:
        return instr
    # Recursive case: operands may themselves be instructions, or lists of them
    children = instr.operands if isinstance(instr, HighLevelILInstruction) else instr if isinstance(instr, list) else []
    for child in children:
        if (found := find_hlil_call_recursively(child)) is not None:
            return found
    return None
@jershmagersh
jershmagersh / RC4.c
Created August 7, 2023 13:25 — forked from rverton/RC4.c
/*
robin verton, dec 2015
implementation of the RC4 algo
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define N 256 // 2^8
@jershmagersh
jershmagersh / hooks.cpp
Created December 1, 2015 04:46
PackerAttacker Hooks
/* place hooks and track PE section */
HOOK_GET_ORIG(this, "ntdll.dll", NtProtectVirtualMemory);
HOOK_GET_ORIG(this, "ntdll.dll", NtWriteVirtualMemory);
HOOK_GET_ORIG(this, "ntdll.dll", NtCreateThread);
HOOK_GET_ORIG(this, "ntdll.dll", NtMapViewOfSection);
HOOK_GET_ORIG(this, "ntdll.dll", NtResumeThread);
HOOK_GET_ORIG(this, "ntdll.dll", NtDelayExecution);
HOOK_GET_ORIG(this, "ntdll.dll", NtAllocateVirtualMemory);
HOOK_GET_ORIG(this, "Kernel32.dll", CreateProcessInternalW);
private void btnDecode_Click(object sender, EventArgs e)
{
    this.pbRoge.Image = Resources.bob_roge;
    byte[] dat_secret = Resources.dat_secret;
    string text = "";
    for (int i = 0; i < dat_secret.Length; i++)
    {
        byte b = dat_secret[i];
        // swap the two nibbles of each byte, then XOR the result with 41 (0x29)
        text += (char)((b >> 4 | ((int)b << 4 & 240)) ^ 41);
    }
}
#include <stdio.h>
#include <string.h>
int main(int argc, char ** argv) {
    const char dat_secret[] = "// dat_secret = System.IO.MemoryStream";
    long int secret_len = strlen(dat_secret);
    char text[secret_len + 1]; /* +1 for the NUL terminator */
    for (long int i = 0; i < secret_len; i++) { /* same transform as the C#: swap nibbles, XOR 41 */
        unsigned char b = (unsigned char) dat_secret[i];
        text[i] = (char)(((b >> 4) | ((b << 4) & 240)) ^ 41);
    }
    text[secret_len] = '\0';
    printf("%s\n", text);
}
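The C# handler and its C translation above both apply the same per-byte transform: swap the nibbles, then XOR with 41. The Python below is an added example, not code from either gist. It reimplements the decoder, adds the inverse so the result can be checked on a constructed resource blob (the real dat_secret bytes are not on the page), and goes one step beyond the snippets by recovering the XOR constant from a known plaintext prefix, which is what you do when the constant is not as visible in the decompilation as it is here.

```python
XOR_KEY = 41  # 0x29, the constant in the decompiled loop


def swap_nibbles(b: int) -> int:
    """b >> 4 | (b << 4 & 240): move the high nibble down and the low nibble up."""
    return ((b >> 4) | ((b << 4) & 0xF0)) & 0xFF


def decode_secret(data: bytes, key: int = XOR_KEY) -> bytes:
    """The decompiled loop, byte for byte: swap nibbles, then XOR with the key."""
    return bytes(swap_nibbles(b) ^ key for b in data)


def encode_secret(plaintext: bytes, key: int = XOR_KEY) -> bytes:
    """Inverse: undo the steps in reverse order, XOR first and then swap nibbles."""
    return bytes(swap_nibbles(b ^ key) for b in plaintext)


def brute_force_key(data: bytes, known_prefix: bytes) -> list:
    """Every single-byte key that turns the start of data into known_prefix (one byte of prefix already pins it down)."""
    return [k for k in range(256) if decode_secret(data[: len(known_prefix)], k) == known_prefix]


if __name__ == "__main__":
    # Constructed resource: encode a known message so the decoder can be checked offline.
    resource = encode_secret(b"a constructed dat_secret payload")
    print(resource.hex())
    print(decode_secret(resource).decode())
    print(brute_force_key(resource, b"a constr"))  # -> [41]
```

Note that the transform is not an involution: running decode_secret twice does not give the input back (it yields input ^ 0xBB), so the encoder has to reverse the order of the two steps rather than reuse the decoder.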
@jershmagersh
jershmagersh / generate.rb
Created January 29, 2014 03:55
Ruby file for generating HTML jwplayer mp4 uploaded files.
#!/usr/bin/ruby
$UPLOAD_DIR = "/var/www/uploads"
$HOME = "/var/www"
files = Dir.entries $UPLOAD_DIR
files.each do |file|
if file.to_s.include? ".mp4"
html_file_name = "#{file[0,file.length-4]}.html"