Moonsec, a malware research company, has released a new tool called “Moonsec Decryptor” that can deobfuscate some of the malware samples previously released by the company. In this article, we’ll give you a brief introduction to Moonsec and their deobfuscation tool, and then provide you with five tips on how to use it to your advantage.
What is Deobfuscation?
Deobfuscation is the process of removing obfuscation from code, which can make it easier to understand and reverse engineer. The goal is to make the code as readable and understandable as possible so that vulnerabilities can be identified and exploited more easily.
There are a few different methods that can be used when deobfuscating code:
1. Remove Encryption/Security Measures
Many malware authors will encrypt their code in an attempt to prevent investigators from understanding what they are looking at. This can be done using a variety of methods, including random number generators, encryption algorithms, and secret key pairs. By removing these security measures, it becomes much easier to understand the code structure and identify vulnerabilities.
2. Reveal Functionality Disguised As Code
Many malware authors will disguise functionality as code in order to hide it from view. For example, some malware authors may use variable names that closely resemble legitimate programming keywords in order to trick analysts into thinking they are seeing actual code. By revealing these hidden features, it becomes much easier to identify where the malicious activity is taking place within the file.
3. Remove Obfuscation Tactics From Code
Another method that can be used when deobfuscating code is to remove any obfuscation tactics that have been applied. This includes things like binary data encoding schemes, compression techniques, and password protection schemes. By removing these layers of obfuscation, it becomes much easier for analysts to understand the underlying logic
Types of Deobfuscation
There are many ways to deobfuscate a payload, but the most effective technique depends on the exploit and the language used.
Some deobfuscation techniques may require reverse engineering or malware analysis. For example, for an exploit written in C, you may need to understand how the compiler works to deobfuscate it.
In some cases, you can simply remove all of the obfuscation and analyze the codebase directly. Another option is to use a deobfuscation tool that automatically detects and removes obfuscation from codebases.
How to Deobfuscate a Moonsec Exploit
Moonsec’s exploits are well-crafted and difficult to decipher. In this blog post, we will show you how to deobfuscate an exploit from Moonsec’s latest release.
First, you will need the exploit file and the decryption key.
The following steps will help you decrypt the exploit:
1) Open the moonsec_x64.exe file in a text editor like Notepad.
2) Locate the “debug” string at the beginning of the file. This string is used by Moonsec to debug their exploits.
3) Replace all occurrences of “debug” with “nop” in order to disable debugging features for the exploit. The resulting code should look like this: nop ;
4) Next, locate the function that handles decoding a file usingmoonsec_libc function pointer as an argument. This function is located inside of a moonsec_x64_handler() subroutine which is defined in a moonsec_x64.h header file. The exact location of this subroutine can be found by looking through Moonsec’s source code for their x64 binaries.
5) Once you have located this function, you will need to modify it so that it will decode any files that are passed to it as input instead of just .txt files. To do this, replace
Deobfuscating moonsec exploits can be a daunting task, but with the right techniques and tools, it is possible to make sense of the malicious code. By understanding how moonsec exploits work and what components are involved, you can start to identify potential vulnerabilities in your own systems. These tips will help you deobfuscate a moonsec exploit without much difficulty.