Decoding RC4 Strings

Discussion on reverse-engineering and debugging.
tohitsugu
Posts: 5
Joined: Fri Apr 08, 2011 1:53 am

Wed Jun 04, 2014 5:10 pm

Hello everyone,

I am new to reverse engineering and am slowly learning the ropes. Lately I have been attempting to reverse some Zeus binaries I've found on some computers at work and have had trouble getting the RC4 key. I found the following articles very helpful and thought I might share them with you:

http://vrt-blog.snort.org/2014/06/an-in ... g-and.html
http://mnin.blogspot.com/2011/09/abstra ... -zeus.html
tomchop
Posts: 11
Joined: Fri Jul 18, 2014 9:15 am

Fri Jul 18, 2014 5:17 pm

If you're focusing on Zeus (or its variants like Citadel), I strongly recommend you dig into the Volatility plugins that have been made to dump part of their configuration (including their RC4 keys).

Here are some useful links:

Volatility zeusscan.py plugin
Volatility 2.0 Plugin Vscan
(Very early version of the plugin, great detail about inner workings)
Abstract Memory Analysis: Zeus Encryption Keys