Assuming this is like reversing 100, we decided to pop it into IDA and see if we could spot a Decrypt function.
When you first open the ELF in IDA, it looks something like this:
Scrolling down, we see where it encrypts and kicks out. Directly after, there’s a decryption function that never gets touched…
Looks like another NOP patch to me…
Note: To get this menu to show up in IDA, edit idagui.cfg to include the line:
DISPLAY_PATCH_SUBMENU = YES
Patch over 4006BE with some nops and commit the changes.
And viola:
-- d1r3w0lf
No comments:
Post a Comment