Got a DLL where the binary code is obfuscated. I don’t really want to waste time reverse-engineering the algorithm. I’d rather connect a debugger and copy decoded code over. What’s the best approach to make sure Ghidra can analyze the code? Any links or hints?

This obfuscation turned out to be Themida. Tried simulation via Angr at first, which is really nice but also extremely slow. So I ended up attaching a debugger, saving all memory segments, joining them into a single image and importing that into Ghidra. Works. 🤷‍♂️
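One way to do the "join the saved segments into a single image" step from the follow-up post, written as an added example rather than the poster's own tooling: it takes (base address, bytes) pairs as a debugger would export them (the sample segments below are constructed), zero-fills the gaps, refuses overlaps and oversized gaps, and returns the flat image plus a layout table for re-creating the regions as blocks in Ghidra's Memory Map after importing the file as a raw binary at `image_base`.

```python
# Constructed sample: three (base_address, bytes) pairs standing in for
# segments saved from a debugger. Real dumps would be read from files.
SAMPLE_SEGMENTS = [
    (0x10003000, b"\x55\x8b\xec" + b"\x90" * 13),              # code region
    (0x10001000, b"\x4d\x5a" + b"\x00" * 14),                  # header region
    (0x10005000, b"\x48\x65\x6c\x6c\x6f\x00" + b"\x00" * 10),  # data region
]


def merge_segments(segments, max_gap=0x100000):
    """Join debugger memory dumps into one flat image.

    segments: iterable of (base_address, bytes). Returns (image_base, image,
    layout) where layout lists (original_base, offset_in_image, size) so each
    region can be re-created as a block in Ghidra's Memory Map.
    Gaps between segments are zero-filled; a gap larger than max_gap is
    rejected so an unrelated mapping does not balloon the output file.
    Overlapping segments are rejected rather than silently merged.
    """
    ordered = sorted(segments, key=lambda s: s[0])
    if not ordered:
        raise ValueError("no segments")
    image_base = ordered[0][0]
    chunks, layout = [], []
    cursor = image_base
    for base, data in ordered:
        if base < cursor:
            raise ValueError(f"segment at {base:#x} overlaps previous region")
        gap = base - cursor
        if gap > max_gap:
            raise ValueError(f"gap of {gap:#x} bytes before {base:#x} exceeds max_gap")
        chunks.append(b"\x00" * gap)          # pad unmapped space with zeros
        layout.append((base, base - image_base, len(data)))
        chunks.append(data)
        cursor = base + len(data)
    return image_base, b"".join(chunks), layout


def write_image(path, image):
    """Write the merged image to disk for Ghidra's raw binary importer."""
    with open(path, "wb") as fh:
        fh.write(image)


if __name__ == "__main__":
    base, image, layout = merge_segments(SAMPLE_SEGMENTS)
    print(f"image base {base:#x}, size {len(image):#x}")
    for orig, off, size in layout:
        print(f"  {orig:#x} -> offset {off:#x} ({size} bytes)")
```

When importing, pick the raw binary format, set the base address to the printed `image_base`, and then split the single block in the Memory Map along the printed offsets so code and data regions keep their original addresses.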

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.