Stack strings not decoded from Zharkbot sample
Closed this issue · 3 comments
SHA256: 068ef78225ab94c3f9c228d6248911986c23317d269f0bb5d0a46bd15cd93e80
Stack string loops are not processed at
0x40195c
0x401b1c
00401cdc
0x401e7c
0x4067d6
0x4065ed
0x408ddc
0x41271c
0x4128da
0x412954
0x412afe
0x412c14
Thanks for the report! If anyone wants to dive into the sample to find what's going on, I'd appreciate any insights :)
Otherwise, I may have a few moments next week for this.
Hi all, after analyzing the mentioned sample (SHA256: 068ef78225ab94c3f9c228d6248911986c23317d269f0bb5d0a46bd15cd93e80), I couldn't find any stack strings at the addresses provided. I followed up by reviewing the related issue in the Stackstack project and watched HerrcCode's stream. It seems there was a mix-up, and the actual sample referenced is the older Zharkbot (SHA256: d53ce8c0a8a89c2e3eb080849da8b1c47eaac614248fc55d03706dd5b4e10bdd). For this sample, FLOSS already decodes the tight strings correctly.
Hope this helps clarify! Let me know if further details are needed.
I’d love to contribute more to this project and help out wherever needed. Let me know how I can assist further!
Ah, great, thanks for taking a look! I'll close this, but please reopen if there are still (related) issues.
As for the help, any of the open issues are up for grabs :) Some pointers:
- https://github.com/mandiant/flare-floss/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22
- #721 / #972
- and I'm open for discussions about what sounds most interesting to you in general, e.g. emulation/decoding, language-specific extraction, Quantumstrand work (a new way to use strings, https://github.com/mandiant/flare-floss/releases/tag/quantumstrand-preview5)