VilariStorms/-Vespy-logger-deobfuscation

Hilarious

Closed this issue · 1 comments

Made a whole repo for an outdated obf..

Vespy now uses simple obf v2 + I've never seen someone that stupid in my entire life. You don't know the difference between disassemble and deobfuscation lmao. "dis" is a module to disassemble byte codes in python. Nothing to do with deobfuscation. It'll show most of the strings.. that's it. Anyways, you should maybe learn more about reverse engineering.. Making a whole repo on a simple obfuscation I've made for the first version of vespy 2.0 is crazy to me 😆

Oh hi vespy.

I guess you didn't read what I wrote. If you want a "Key Terms" section explaining everything in detail for the lower iq readers like yourself, you are more than welcome to submit a pull request lol

The dis module is indeed used to disassemble python bytecode, not deobfuscate it, but if you could actually read you would know that I never said it did lol.

The actual "Deobfuscation" would be turning this obviously very simple example:

__import__(f'''{chr(98)}{chr(117)}{chr(105)}{chr(108)}{chr(116)}{chr(105)}{chr(110)}{chr(115)}''').exec(__import__(f'''{chr(109)}{chr(97)}{chr(114)}{chr(115)}{chr(104)}{chr(97)}{chr(108)}''').loads(__import__(f'''{chr(112)}{chr(105)}{chr(99)}{chr(107)}{chr(108)}{chr(101)}''').loads(__import__(f'''{chr(122)}{chr(108)}{chr(105)}{chr(98)}''').decompress(__import__(f'''{chr(98)}{chr(97)}{chr(115)}{chr(101)}{chr(54)}{chr(52)}''').b16decode('.....')))))

Into something human readable and easy to understand like this:

__import__('builtins').exec(__import__('marshal').loads(__import__('pickle').loads(__import__('zlib').decompress(__import__('base64').b16decode('...')))))

As for vespy now using new obfuscation, I don't particularly care. I chose vespy over other popular loggers like Blank-C, Lunar, etc because it was the logger I saw most frequently at the time of writing.

Nobody should be following a step by step guide on deobfuscation line for line when dealing with samples found in the wild because (good) malware evolves and changes forms extremely frequently precisely to avoid reverse engineering (case in point LOL), and detection by antivirus, etc.

As stated, when I wrote this my goal was not to babysit anyone through the process of reverse engineering a very simple piece of malware but rather to give a brief overview of some of the ways people just starting out can begin getting into this and highlight some interesting tidbits and helpful tools. I suggest you take the same approach building your own projects like vespy.

Tldr:

You didn't read what was written or understand its purpose.