Skip to content

Instantly share code, notes, and snippets.

@0xToxin
Created July 30, 2023 11:23
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save 0xToxin/c85c23b99d04fbb27bb4d5160f4b86a6 to your computer and use it in GitHub Desktop.
'''
Tested on the samples:
5b17e978c2ca2cf03e4ffff1e4609f2ec98738b1541fa41ba5b67f061e9e2af2
8137e72db1c4ef3f375378d62a7dd84c5852a9371edd87f7b2a527609f2553b8
'''
import idc
import idautils
import idaapi
import re
DECRYPTION_FUNCTION_1 = # Replace with "Wrapper" function call
LIST_1 = # Add 64 length list
STRINGS_FILE_1 = # Output file path
DECRYPTION_FUNCTION_2 = # Replace with "Wrapper" function call
LIST_2 = # Add 64 length list
STRINGS_FILE_2 = # Output file path
def decShiftFunc(arg1, arg2, arg3, arg4):
final = ''
tmp = (arg1 & 0x3F) * 4
final += chr(((arg2 & 0x30) >> 4) + tmp)
tmp = (arg2 & 0xF) * 16
final += chr(((arg3 & 0x3C) >> 2) + tmp)
final += chr((arg4 & 0x3F) + ((arg3 & 0x03) << 6))
return final.replace('\0','')
def decWrapperFunc(encData, listNum):
hexList = []
for x in encData:
hexList.append(listNum.index(x))
subLists = [hexList[i:i+4] for i in range(0, len(hexList), 4)]
if len(subLists[-1]) < 4:
subLists[-1].extend([0x00] * (4 - len(subLists[-1])))
finalString = ''
for subList in subLists:
finalString += decShiftFunc(subList[0],subList[1],subList[2],subList[3])
return finalString
def getArg(ref_addr):
ref_addr = idc.prev_head(ref_addr)
if idc.print_insn_mnem(ref_addr) == 'mov':
if idc.get_operand_type(ref_addr, 1) == idc.o_imm:
return(idc.get_operand_value(ref_addr, 1))
else:
return None
def listDecrypt(functionEA, listID, fileID):
stringsList = []
for xref in idautils.XrefsTo(functionEA):
argPtr = getArg(xref.frm)
if not argPtr:
continue
data = idc.get_bytes(argPtr, 300)
encData = re.sub(b'[^\x20-\x7F]+', '', data.split(b'\x00')[0]).decode() # Cleaning...
decData = decWrapperFunc(encData,listID)
stringsList.append(decData)
idc.set_cmt(idc.prev_head(xref.frm), decData, 1)
print(f'[+] {len(stringsList)} Strings were extracted')
out = open(fileID, 'w')
for string in stringsList:
out.write(f'{string}\n')
out.close()
print('[*] Staring decryption of list 1')
listDecrypt(DECRYPTION_FUNCTION_1,LIST_1,STRINGS_FILE_1)
print('[+] Staring decryption of list 2')
listDecrypt(DECRYPTION_FUNCTION_2,LIST_2,STRINGS_FILE_2)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment