
Unable to extract simple strings

Open pmondon opened this issue 2 years ago • 3 comments

I used the standalone version of FLOSS as described in the documentation and it is not able to decode strings. I just set up a main and a function that XORs using a simple 0x80 byte, and it doesn't retrieve it; whether it is on the stack or the heap, it doesn't work. Even taking the code from the test sample creates the same result. Version used: floss.exe 1.7.0-alpha1

pmondon avatar Jan 17 '22 14:01 pmondon

hey @pmondon happy to triage this. would you be willing to share the .exe? we can also incorporate this scenario as a test case for the project, if you're ok with it.

williballenthin avatar Jan 17 '22 21:01 williballenthin

Hi, I used one of the examples from the repository compiled with Visual Studio. I also created a really simple program (yes, malloc 100 is arbitrary and not beautiful, I know): simple_encoder.zip

pmondon avatar Jan 19 '22 13:01 pmondon

Great test case! vivisect fails to resolve the imports, so we cannot hook them:

TRACE: floss.api_hooks: prehook: 0x140001082 call qword [rip + 4128]
TRACE: floss.api_hooks: apicall: 0x415c300f call qword [rip + 4128] ('int', None, 'msx64call', 'UnknownApi', ()) []
DEBUG: EmulatorDriver: driver hook API call NOT handled: UnknownApi

Compare to IDA:

.text:000000014000107A 48 8B D9          mov     rbx, rcx
.text:000000014000107D B9 64 00 00 00    mov     ecx, 64h ; 'd'  ; Size
.text:0000000140001082 FF 15 20 10 00 00 call    cs:malloc
.text:0000000140001088 48 8B F8          mov     rdi, rax

mr-tz avatar Mar 17 '22 13:03 mr-tz
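
The FLOSS trace and the IDA listing in the last comment describe the same instruction. As an added example (not part of the thread and not FLOSS or vivisect code), this Python decodes the `FF 15` call from the listing's bytes, computes the import-table slot it reads, and shows that the call can only be named, and therefore hooked, when that slot maps to an import. The `CONSTRUCTED_IAT` map and the function names are assumptions made for illustration.

```python
import struct

# Address and bytes copied from the IDA listing quoted in the thread.
LISTING_BASE = 0x14000107A
LISTING_BYTES = bytes.fromhex(
    "488BD9"        # mov rbx, rcx
    "B964000000"    # mov ecx, 64h
    "FF1520100000"  # call cs:malloc
    "488BF8"        # mov rdi, rax
)

# Constructed import map (slot VA -> API name). This stands in for what a
# correctly parsed import table would provide; it is not read from a real file.
CONSTRUCTED_IAT = {0x1400020A8: "malloc"}


def decode_rip_call(code, offset, base_va):
    """Decode `call qword [rip + disp32]` (opcode FF 15) at `offset`.

    Returns (call_va, disp, slot_va), where slot_va is the address of the
    pointer the call dereferences, i.e. the import-table slot.
    """
    if len(code) < offset + 6 or code[offset:offset + 2] != b"\xff\x15":
        raise ValueError("not an FF 15 RIP-relative indirect call")
    (disp,) = struct.unpack_from("<i", code, offset + 2)
    call_va = base_va + offset
    # RIP-relative operands are relative to the address of the NEXT instruction.
    slot_va = call_va + 6 + disp
    return call_va, disp, slot_va


def classify_call(code, offset, base_va, iat):
    """Name the call target from an import map, or report it as UnknownApi."""
    call_va, disp, slot_va = decode_rip_call(code, offset, base_va)
    return {"call_va": call_va, "disp": disp, "slot_va": slot_va,
            "api": iat.get(slot_va, "UnknownApi")}


if __name__ == "__main__":
    call_offset = 0x140001082 - LISTING_BASE
    # Empty map: the situation in the trace, where imports were not resolved.
    for label, iat in (("imports unresolved", {}),
                       ("imports resolved", CONSTRUCTED_IAT)):
        r = classify_call(LISTING_BYTES, call_offset, LISTING_BASE, iat)
        print(f"{label}: {r['call_va']:#x} call qword [rip + {r['disp']}] "
              f"-> slot {r['slot_va']:#x} -> {r['api']}")
```
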