Decrypting with x86dbg
The preceding code snippet came from the HeapDemo.exe file. You can download this file from https://github.com/PacktPublishing/Mastering-Reverse-Engineering/tree/master/ch9. Go ahead and start debugging the file using x86dbg. This screenshot shows the disassembly code at the WinMain function right after loading the file in x86dbg:
From the executable's code entry point, we encounter heap allocation with the GetProcessHeap and RtlAllocateHeap APIs. This is followed by a _memcpy call, which copies 0x1BE bytes of data from the address denoted by heapdemo.enc. Let's take a look at the memory dump at heapdemo.enc. To do that, right-click on push <heapdemo.enc>, then select Follow in Dump. Click on the given address, not the Selected Address. This should change the contents of the currently focused Dump window:
This should be the data that will be decrypted by the next lines of code that run in a loop. We should also see the same encrypted data at the allocated...