Ghidra Native Analysis
Analysis of native libraries (.so files) with Ghidra.
Workflow
- Import: File → Import File → libAES.so
- Analyze: Analysis → Auto Analyze
- Find Functions: search for "encrypt", "key", "AES"
- Decompile: open the "Decompile" window
Key Extraction
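// Typical pattern in libAES.so (simplified)
// Assumed prototype for the library's own AES routine, taking the raw 16-byte key
void AES_encrypt(const unsigned char *in, unsigned char *out, const unsigned char *key);

// Hard-coded AES-128 key embedded in the binary
unsigned char key[16] = {
    0x34, 0x52, 0x2a, 0x5b, 0x7a, 0x6e, 0x49, 0x2c,
    0x08, 0x09, 0x0a, 0x9d, 0x8d, 0x2a, 0x23, 0xf8
};

// Encrypts the buffer in place with the static key
void encrypt(unsigned char *data) {
    AES_encrypt(data, data, key);
}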
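To triage a library for this pattern before opening it in Ghidra, the following added example (not part of the original page) looks for the AES S-box and lists aligned 16-byte windows that look like static key material. The function names, the entropy threshold, the alignment and the sample blob are assumptions made for illustration.

```python
import math
from collections import Counter

# First row of the AES forward S-box (FIPS 197); finding it marks a table-based AES.
AES_SBOX_HEAD = bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")

def shannon_entropy(block):
    """Entropy in bits per byte; a 16-byte block tops out at 4.0."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def find_sbox(blob):
    """Return every offset at which the AES S-box starts."""
    hits, pos = [], blob.find(AES_SBOX_HEAD)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(AES_SBOX_HEAD, pos + 1)
    return hits

def key_candidates(blob, key_len=16, min_entropy=3.7, align=4):
    """Aligned key_len-byte windows that look random, skipping the S-box itself."""
    sbox_ranges = [(s, s + 256) for s in find_sbox(blob)]
    out = []
    for off in range(0, len(blob) - key_len + 1, align):
        if any(lo < off + key_len and off < hi for lo, hi in sbox_ranges):
            continue  # window overlaps a lookup table, not key material
        window = blob[off:off + key_len]
        if shannon_entropy(window) >= min_entropy:
            out.append((off, window.hex()))
    return out

# Constructed sample: ELF magic, a truncated S-box stand-in, then the key from the page.
PAGE_KEY = bytes.fromhex("34522a5b7a6e492c08090a9d8d2a23f8")
SAMPLE = (b"\x7fELF" + bytes(60)            # 64-byte header stand-in
          + AES_SBOX_HEAD + bytes(240)      # S-box head plus padding, 256 bytes
          + bytes(32) + PAGE_KEY + bytes(32))

if __name__ == "__main__":
    print("S-box at:", find_sbox(SAMPLE))
    for off, hexkey in key_candidates(SAMPLE):
        print("candidate at 0x%x: %s" % (off, hexkey))
```

On a real .so the scan is a heuristic: compressed data and machine code also score high, so limit it to the data sections and confirm each hit in the decompiler.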
Next Step
Continue to Phase 4: PoC Development.