Finding encoding functions to isolate them is an important part of the analysis process, but typically you’ll also want to decode the hidden content. There are two fundamental ways to duplicate the encoding or decoding functions in malware:
Reprogram the functions.
Use the functions as they exist in the malware itself.
The most economical way to decrypt data—whether or not the algorithm is known—is to let the program itself perform the decryption in the course of its normal activities. We call this process self-decoding.
If you’ve ever stopped a malware program in a debugger and noticed a string in memory that you didn’t see when you ran strings, you have already used the self-decoding technique. If the previously hidden information ...