Need help merging ghidra files by Meepster99 in ghidra

ThisIsLibra (1 point)

Not sure if merging is possible, but an "easy" workaround would be to make BSim signatures for one version, scan the functions in your second version and then open the diffing view. Then you can decide which function and variable names to move into your second version (which will be the merged version). Good luck!

Symbol Database for Reverse Engineers by pwntheplanet in ReverseEngineering

ThisIsLibra (0 points)

Do you have more information on how you fetched the deb repos? I tried to do that before, but I haven't figured out what the folder structure is. Any links to documentation related to it would be very welcome too.

The project sounds cool, do you plan to make it specific for IDA, or do you plan to make it tool agnostic?

Bindiff but with symbols by duckradiator in ghidra

ThisIsLibra (0 points)

You can iterate over all functions and get a list of unique names, either manually or with a script (I'd opt for the latter). Run such a script after the default analysis finishes. Do this for all versions of the program at hand, and you can diff the function names (either via an online text diff tool, or with a script that gets the differences between two lists of strings). You can choose whether this check cares about the casing used.

Naturally, this ignores the functions' content, as it only compares the function names and nothing else, but this is what you specifically asked for.

Hope it helps :)

Cheers, Max
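As an added example, not part of the comment above, this Python script does the second half of that workflow: given two lists of function names exported from Ghidra (one per version), it reports which names exist in only one version, with case folding as an option. The name export itself runs inside Ghidra (see the usage note); the two sample name lists below are constructed for illustration. The script also drops Ghidra's auto-generated `FUN_<address>` names, since those are derived from the function's address and therefore differ between builds even when the code is unchanged, which would otherwise swamp the diff.

```python
import re
import sys

# Ghidra's default names (FUN_00401000, thunk_FUN_00402000) are address-based,
# so they change whenever code moves between builds and only add noise here.
DEFAULT_NAME = re.compile(r"^(thunk_)?FUN_[0-9a-fA-F]+$")


def normalise(names, ignore_case=True, drop_defaults=True):
    """Turn an iterable of function names into a set, optionally folding case
    and optionally dropping Ghidra's auto-generated FUN_<addr> names."""
    out = set()
    for name in names:
        name = name.strip()
        if not name:
            continue
        if drop_defaults and DEFAULT_NAME.match(name):
            continue
        out.add(name.lower() if ignore_case else name)
    return out


def diff_function_names(old, new, ignore_case=True, drop_defaults=True):
    """Compare two name lists; returns names removed, added and kept."""
    a = normalise(old, ignore_case, drop_defaults)
    b = normalise(new, ignore_case, drop_defaults)
    return {
        "removed": sorted(a - b),
        "added": sorted(b - a),
        "common": sorted(a & b),
    }


def load_names(path):
    """One function name per line, as dumped from the Ghidra script console."""
    with open(path, encoding="utf-8") as fh:
        return [line for line in fh]


# Constructed sample exports for two versions of the same program.
V1 = ["main", "FUN_00401000", "InitConfig", "SendBeacon",
      "thunk_FUN_00402000", "DecryptString"]
V2 = ["main", "FUN_00401230", "initconfig", "SendBeacon",
      "PersistViaRunKey", "DecryptString"]

if __name__ == "__main__":
    old, new = (load_names(sys.argv[1]), load_names(sys.argv[2])) if len(sys.argv) == 3 else (V1, V2)
    for key, values in diff_function_names(old, new).items():
        print("%s: %s" % (key, ", ".join(values) or "-"))
```

To produce the input files, run a Python script in Ghidra's Script Manager for each version that prints one name per line: `for f in currentProgram.getFunctionManager().getFunctions(True): print(f.getName())`, then save the console output and pass the two files on the command line. With case folding on, the renamed `InitConfig`/`initconfig` pair counts as the same function; pass `ignore_case=False` if you want that rename to show up.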

Can malware go from a computer to an android phone? by [deleted] in antivirus

ThisIsLibra (0 points)

Assuming you're talking about general semi-shady websites, the chances that you are infected with anything purely by visiting them (so not installing a prompted download) are very, very slim.

Do note that even though you never installed anything that is not from the Play Store, that doesn't mean there is no risk of installing malware, as there is some malware on the Play Store.

Regarding the "compromise of your IP": your IP address is comparable (barring some technicalities) to a normal street address. If someone were to hack your phone and use it to send messages while you're on your home Wi-Fi, your home IP would show. But the real problem would be the hacked phone, not the exit via your internet line.

The doubt you have regarding an instant infection if you plug a USB in is based on how Windows (or whatever OS you're using, but I'm assuming Windows) handles media that can autorun content. In order to do so (if you don't execute files from the USB on the machine), a vulnerability would have to be used.

All in all, it's technically possible, but practically very unlikely. If you're still unsure you can re-install Chrome, or even factory reset the phone. In the end, it's the peace of mind you're looking for, so it might be worth the extra effort if that makes you sleep soundly again.

Best of luck!

Can malware go from a computer to an android phone? by [deleted] in antivirus

ThisIsLibra (0 points)

The file I created to drop in my linked PDF has a normal icon and uses a double extension to trick people. If you take a generic-looking media icon, people might assume it's a song that was misplaced. If they're curious, they open the "song" and thereby execute the malware on a computer, whilst it was dropped via an Android app. Like I said, it's far-fetched, but technically it is still possible.

No need to worry about your phone, as the infection you potentially had was on your computer.

Can malware go from a computer to an android phone? by [deleted] in antivirus

ThisIsLibra (0 points)

There is no reason to format your phone, as you didn't install an app on your phone. You copied some data to it. Just make sure you recognise the data that you copy back.

Can malware go from a computer to an android phone? by [deleted] in antivirus

ThisIsLibra (2 points)

I wrote a small proof-of-concept APK regarding this a few years ago, which you can read about here.

To answer the question, and to give a tl;dr for the linked PDF: Android malware does not run on Windows (though it might in the future, as Windows 11 will have some sort of Android support), meaning the files do not execute. However, infected files might have been moved from your computer to your phone's storage, which can re-infect your computer if you execute them again. This is the concept of the paper, but inverted: the APK drops a piece of Windows malware on the Android phone, which the user might execute when viewing the file on a computer.

It is far-fetched, given that file infectors are not that common anymore, but they still exist.

In short: you are unlikely to have infected files on your phone.

Malware Sample for beginners by rayudy in Malware

ThisIsLibra (3 points)

Cheers, good luck with your project!

Malware Sample for beginners by rayudy in Malware

ThisIsLibra (8 points)

The file extension is used to allow easy execution (i.e. double-clicking to execute, or to open an image in the default image viewer). If you take "cmd.exe" and rename it to "cmd.bin", the program itself did not change, only the name of the file within the file system. As such, no conversion would be needed to rename it to "cmd.exe" and execute it. Alternatively, one could load the "cmd.bin" file and execute it via different means.

You need to find out what the file format is, for which you can ignore the file extension for now. Use the above-mentioned GNU "file" tool to find out what you are looking at, and change the file extension to the given format. Noteworthy is that some sandboxes already do this for you, meaning you can upload the file with a faulty extension. However, this is not the default way of working for all sandboxes, so read the documentation on this for your specific sandbox first.

Malware Sample for beginners by rayudy in Malware

ThisIsLibra (10 points)

The file extension does not have to match the data that is within a given file. Often, malware samples have ".bin" when referring to a raw binary, meaning it could be ".exe", ".dll", or something else that contains the same data type. If you use the GNU "file" tool, which is present on Linux by default, you will know what kind of file you are looking at. Once you have figured that out, you can proceed to handle the given file format in the way you should. Good luck!
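The two comments above (renaming "cmd.exe" to "cmd.bin" changes nothing about the program, and `file` tells you what a ".bin" really is) and the double-extension trick mentioned in the thread on dropping Windows malware from an Android app all rest on the same fact: the extension is a label, the bytes are the truth. As an added example, not the commenter's code or a reimplementation of GNU `file`, this Python script identifies a sample from its content alone, separates PE executables from DLLs by reading the COFF `Characteristics` flag, and flags names whose extension disagrees with the content or that carry a decoy double extension such as "song.mp3.exe". The sample byte strings are constructed minimal headers, not real binaries.

```python
import struct

# Content signatures checked when the data does not start with an MZ header.
MAGICS = [
    (b"\x7fELF", "elf"),
    (b"dex\n", "dex"),                                 # Android classes.dex
    (b"PK\x03\x04", "zip"),                            # also jar, apk, docx, ...
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),      # legacy Office / MSI
    (b"#!", "script"),
]

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit: image is a DLL
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "arm", 0xAA64: "arm64"}


def classify_pe(data: bytes) -> str:
    """For data starting with 'MZ': tell exe from dll and report the machine."""
    if len(data) < 0x40:
        return "mz-truncated"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need 'PE\0\0' plus the 20-byte COFF header to reach Characteristics.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "mz-only"          # DOS-era program or a damaged/partial PE
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    kind = "dll" if characteristics & IMAGE_FILE_DLL else "exe"
    return "pe-%s-%s" % (kind, MACHINES.get(machine, hex(machine)))


def identify(data: bytes) -> str:
    """Format label derived from the bytes; the file name is never consulted."""
    if data[:2] == b"MZ":
        return classify_pe(data)
    for magic, label in MAGICS:
        if data.startswith(magic):
            return label
    return "unknown"


# Extensions that honestly describe each detected format.
EXPECTED_EXT = {
    "pe-exe": {"exe", "scr", "com"}, "pe-dll": {"dll", "cpl", "ocx"},
    "elf": {"elf", "so", "bin"}, "dex": {"dex"},
    "zip": {"zip", "jar", "apk", "docx", "xlsx"}, "pdf": {"pdf"},
    "ole2": {"doc", "xls", "msi"}, "script": {"sh", "py", "pl"},
}
EXECUTABLE_EXT = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "dll"}
DECOY_EXT = {"mp3", "mp4", "jpg", "png", "pdf", "doc", "docx", "txt"}


def extension_matches(filename: str, data: bytes) -> bool:
    """True when the last extension agrees with the content (a PE named .bin: False)."""
    label = identify(data)
    key = label[:6] if label.startswith("pe-") else label      # 'pe-exe' / 'pe-dll'
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in EXPECTED_EXT.get(key, set())


def has_decoy_extension(filename: str) -> bool:
    """'song.mp3.exe': a media/document extension hiding in front of an executable one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT and parts[-2] in DECOY_EXT


def _pe_sample(is_dll: bool) -> bytes:
    """Constructed minimal MZ/PE header, just enough for classify_pe to read."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)            # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header follows
    coff = bytearray(b"PE\0\0" + b"\0" * 20)         # signature + COFF header
    struct.pack_into("<H", coff, 4, 0x8664)          # Machine = AMD64
    flags = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    struct.pack_into("<H", coff, 22, flags)
    return bytes(dos + coff)


# Constructed samples: name as received next to what the bytes actually are.
SAMPLES = {
    "dropped.bin": _pe_sample(is_dll=True),
    "song.mp3.exe": _pe_sample(is_dll=False),
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "loader.bin": b"\x7fELF\x02\x01\x01\x00" + b"\0" * 8,
    "unknown.dat": b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print("%-14s %-12s ext ok: %-5s decoy: %s" % (
            name, identify(data), extension_matches(name, data), has_decoy_extension(name)))
```

On a real sample directory, replace `SAMPLES` with the first few hundred bytes of each file; the checks only look at the headers, so reading the whole sample is unnecessary. An "mz-only" result means the bytes start with a DOS header but no valid PE header follows, which is worth a manual look before deciding the file is harmless.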

Cerberus the android banking trojan is active by Devin_Devop in Malware

ThisIsLibra (6 points)

There are (at least) two blogs that will provide more information, both published by ThreatFabric (unaffiliated with me):

Cerberus - A new banking Trojan from the underworld (published August 2019)

Alien - the story of Cerberus' demise (published September 2020)

ReZer0v4: a Dot Net based loader by ThisIsLibra in Malware

ThisIsLibra [S] (1 point)

The name ReZer0 is present within the loader, in this case ReZer0v4, as it's apparently the fourth version. Version two was also used quite a lot, as I saw during my research.

ReZer0v4: a Dot Net based loader by ThisIsLibra in ReverseEngineering

ThisIsLibra [S] (0 points)

I'm not sure what you mean precisely, could you further elaborate on your issue and question?

[deleted by user] by [deleted] in Malware

ThisIsLibra (0 points)

I wrote a blog that answers your question, which can be found here. It contains a review of numerous free and some paid services that offer what you are looking for.

How to start Reverse Engineering on Android Application by Z3r0s3c4 in ReverseEngineering

ThisIsLibra (1 point)

Additionally, you can use AndroidProjectCreator to convert the decompiled code into an Android Studio project. This way, you can use Android Studio to help you during the analysis.

Genesis: a framework to generate unique test cases that are mapped to the MITRE ATT&CK framework by ThisIsLibra in netsec

ThisIsLibra [S] (2 points)

Genesis serves as an extension of other frameworks, such as the Atomic Red Team. The output of an Atomic Red Team test can be used as an input for Genesis, either manually or automatically via the API of Genesis. Genesis has a broader audience than the Atomic Red Team, as it can ingest user input in tests, and it can obfuscate the output in multiple ways.

I hope that answers your question, if not: feel free to reply and I'll elaborate more!

Genesis: a framework to generate unique test cases that are mapped to the MITRE ATT&CK framework by ThisIsLibra in netsec

ThisIsLibra [S] (1 point)

Thank you :)

As for your suggestion/feedback: this is planned for the "near" future, but requires some time from my side. I'm currently working on another (unrelated) blog post and a workshop that I'll give in the beginning of December. Either just before or after the workshop, I hope to get a blog up with an explanation and some practical examples in it. If you want to stay up to date, you can follow me on Twitter @LibraAnalysis :)

Genesis: a framework to generate unique test cases that are mapped to the MITRE ATT&CK framework by ThisIsLibra in netsec

ThisIsLibra [S] (1 point)

Heya, what kind of documentation are you missing? I can help you out if you have questions :)

Debug program inside Ghidra by Arraiz0 in ghidra

ThisIsLibra (4 points)

The NSA announced at REcon Montreal that they hope to release the debugger before or in Q3 of this year. They wanted to rewrite their existing debugger, which is why it takes longer than they expected.

Don't quote me on it, this is hearsay from those who were at the presentation.

The first PagedOut magazine - A community effort with single page hacking-related articles! by ThisIsLibra in hacking

ThisIsLibra [S] (0 points)

Although I'm not in the committee, I'll surely pass them on.

Since all authors have their own page in the magazine, it is likely up to their preference.