Decoding RC4 Strings

#23043 by tohitsugu
Wed Jun 04, 2014 5:10 pm

Hello everyone,

I am new to reverse engineering and am slowly learning the ropes. Lately I have been attempting to reverse some zeus binaries I've found on some computers at work and have had trouble getting the RC4 key. I found the following articles very helpful and thought I might share them with you:

http://vrt-blog.snort.org/2014/06/an-in ... g-and.html
http://mnin.blogspot.com/2011/09/abstra ... -zeus.html

Username

tohitsugu

Posts

Joined

Fri Apr 08, 2011 1:53 am

Re: Decoding RC4 Strings

#23406 by tomchop
Fri Jul 18, 2014 5:17 pm

If you're focusing on Zeus (or its variants like Citadel), I strongly recommend you to dig into the Volatility plugins that have been made to dump part of their configuration (including their RC4 keys).

Here are some useful links:

Volatility zeusscan.py plugin
Volatility 2.0 Plugin Vscan
(Very early version of the plugin, great detail about inner workings)
Abstract Memory Analysis: Zeus Encryption Keys

Username

tomchop

Posts

Joined

Fri Jul 18, 2014 9:15 am

Page 1 of 1
2 posts

Return to “Reverse Engineering and Debugging”

Display:

Sort by:

Jump to: