Thursday, January 6, 2011

Decrypt Strings: Geinimi Android Trojan

I was analyzing an Android trojan a couple of days ago and was able to decrypt the strings inside the binary sample. Here is the source code, written in VB.Net.

Imports CryptoSysAPI

Module Module1
    Sub Main()
        Dim Hexdata As String = "64656275675F696E7465726E656C0202" ' hex data here!
        ' Decrypt with DES in ECB mode (no IV) using the key 0102030405060708.
        Dim plainHex As String = Des.Decrypt(Hexdata, "0102030405060708", Mode.ECB, "")
        ' Strip the padding from the decrypted data.
        Hexdata = Des.Unpad(plainHex)
        ' Same length after Unpad means nothing was stripped, so stop here.
        If Hexdata.Length = plainHex.Length Then Return
        Console.WriteLine("Input: {0}", Hexdata)
        Console.WriteLine("Decrypt(DES-ECB): {0}", Cnv.StringFromHex(Hexdata))
    End Sub
End Module


Example Output:
C:\>"C:\Projects\Krypton\Krypton\bin\Release\Krypton.exe"
Input: 64656275675F696E7465726E656C0202
Decrypt(DES-ECB): debug_internel


Note: You need CryptoSysAPI library in order to compile this code.
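
For readers without CryptoSysAPI, the same DES-ECB decryption can be done with .NET's built-in System.Security.Cryptography. This is an added example, not code from the original post: the module and function names are hypothetical, UTF-8 text is assumed, and the test ciphertext is constructed by encrypting the post's plaintext with the post's key.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module GeinimiStrings
    ' Key taken from the post; everything else in this module is illustrative.
    Private ReadOnly DesKey As Byte() = FromHex("0102030405060708")

    Function FromHex(hex As String) As Byte()
        If hex.Length Mod 2 <> 0 Then Throw New FormatException("odd-length hex")
        Dim out(hex.Length \ 2 - 1) As Byte
        For i As Integer = 0 To out.Length - 1
            out(i) = Convert.ToByte(hex.Substring(i * 2, 2), 16)
        Next
        Return out
    End Function

    ' DES-ECB with PKCS#7 padding (identical to PKCS#5 for 8-byte blocks).
    Function Transform(data As Byte(), encrypt As Boolean) As Byte()
        Using cipher As DES = DES.Create()
            cipher.Mode = CipherMode.ECB
            cipher.Padding = PaddingMode.PKCS7
            cipher.Key = DesKey
            Using t As ICryptoTransform = If(encrypt, cipher.CreateEncryptor(), cipher.CreateDecryptor())
                Return t.TransformFinalBlock(data, 0, data.Length)
            End Using
        End Using
    End Function

    ' Returns the decrypted text, or Nothing when the blob is not valid hex or ciphertext.
    Function DecryptString(hex As String) As String
        Try
            Return Encoding.UTF8.GetString(Transform(FromHex(hex), False))
        Catch ex As Exception When TypeOf ex Is CryptographicException OrElse TypeOf ex Is FormatException
            Return Nothing
        End Try
    End Function

    Sub Main()
        ' Constructed sample: encrypt the post's plaintext to get a test ciphertext.
        Dim cipherHex As String = BitConverter.ToString(
            Transform(Encoding.UTF8.GetBytes("debug_internel"), True)).Replace("-", "")
        Console.WriteLine("Input: {0}", cipherHex)
        Console.WriteLine("Decrypt(DES-ECB): {0}", DecryptString(cipherHex))
        ' Constructed failure case: a 7-byte blob is not a whole DES block.
        Dim bad As String = DecryptString(cipherHex.Substring(0, 14))
        Console.WriteLine("Truncated blob: {0}", If(bad, "<not decryptable>"))
    End Sub
End Module
```

Returning Nothing on a padding or length error lets a batch run over every extracted blob skip the ones that are not ciphertext instead of aborting.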

References:
http://www.alienvault.com/blog/jaime/Malware/Inside_Geinimi_Android_Trojan._Chapter_One_Encrypted_data_and_communication.html

1 comment:

  1. $ echo 64656275675F696E7465726E656C0202 | perl -pe 's/([0-9a-f]{2})/pack("C", hex($1))/ige'
    debug_internel
