Unpacking script for the Huan PE Crypter
A simple unpacking script for the Huan PE Crypter by Furkan Göksel. Since this crypter will likely be used for malicious purposes sooner rather than later, I chose to write this unpacking script and a matching Yara rule to detect the usage of Huan.
go run huan_unpack.go path/to/sample.exe
The payload (orange) is encrypted with AES-CBC. The key (green) and IV (blue), along with the lengths of the plaintext (red) and ciphertext (yellow), are stored in the .huan section of the loader binary.
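The decryption step described above, as an added example that is not taken from huan_unpack.go or from Huan itself. The field order, field sizes, AES-128 key length and zero padding are assumptions made for illustration and must be confirmed against a real sample; `DecryptHuanSection`, `buildSample` and `hdrLen` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Assumed (hypothetical) .huan layout, confirm on a sample: [0:4] plaintext len,
// [4:8] ciphertext len (uint32 LE), [8:24] AES-128 key, [24:40] IV, [40:] ciphertext.
const hdrLen = 40

// DecryptHuanSection parses the section bytes and returns the decrypted payload.
func DecryptHuanSection(sec []byte) ([]byte, error) {
	if len(sec) < hdrLen {
		return nil, fmt.Errorf("section too short: %d bytes", len(sec))
	}
	plainLen := binary.LittleEndian.Uint32(sec[0:4])
	ctLen := binary.LittleEndian.Uint32(sec[4:8])
	key, iv, body := sec[8:24], sec[24:40], sec[hdrLen:]
	// Reject lengths that do not fit the section or the AES block size.
	if ctLen == 0 || ctLen%aes.BlockSize != 0 || uint64(ctLen) > uint64(len(body)) || plainLen > ctLen {
		return nil, fmt.Errorf("implausible lengths: plain=%d cipher=%d", plainLen, ctLen)
	}
	block, _ := aes.NewCipher(key) // key is always 16 bytes here, so this cannot fail
	out := make([]byte, ctLen)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, body[:ctLen])
	return out[:plainLen], nil // stored plaintext length drops the padding
}

// buildSample builds a constructed test section in the assumed layout.
func buildSample(payload, key, iv []byte) []byte {
	n := (len(payload)/aes.BlockSize + 1) * aes.BlockSize // zero-pad to whole blocks
	sec := make([]byte, hdrLen+n)
	binary.LittleEndian.PutUint32(sec[0:], uint32(len(payload)))
	binary.LittleEndian.PutUint32(sec[4:], uint32(n))
	copy(sec[8:], key)
	copy(sec[24:], iv)
	copy(sec[hdrLen:], payload)
	block, _ := aes.NewCipher(key)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(sec[hdrLen:], sec[hdrLen:])
	return sec
}

func main() {
	out, err := DecryptHuanSection(buildSample([]byte("MZ constructed payload"), []byte("0123456789abcdef"), []byte("fedcba9876543210")))
	fmt.Printf("%q %v\n", out, err)
}
```

For a file on disk, the section bytes can be read with the standard library's `debug/pe` package via `File.Section(".huan")` and its `Data()` method.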