@0xToxin
Created July 30, 2023 11:23
'''
Tested on the samples:
5b17e978c2ca2cf03e4ffff1e4609f2ec98738b1541fa41ba5b67f061e9e2af2
8137e72db1c4ef3f375378d62a7dd84c5852a9371edd87f7b2a527609f2553b8
'''
import idc
import idautils
import idaapi
import re
# Per-sample configuration. These six values are intentionally left blank and
# must be filled in by the analyst before the script will parse or run.
#
# DECRYPTION_FUNCTION_n is passed to idautils.XrefsTo(), so it should be the
# address (EA) of the wrapper function whose call sites are enumerated.
# LIST_n is the 64-entry lookup list; each character of an encoded string is
# converted to its index in this list, so the order of the entries matters.
# presumably a list of single-character strings (or a 64-character str);
# confirm against the sample's table.
# STRINGS_FILE_n is opened in 'w' mode, so an existing file at that path is
# overwritten.
DECRYPTION_FUNCTION_1 = # Replace with "Wrapper" function call
LIST_1 = # Add 64 length list
STRINGS_FILE_1 = # Output file path
DECRYPTION_FUNCTION_2 = # Replace with "Wrapper" function call
LIST_2 = # Add 64 length list
STRINGS_FILE_2 = # Output file path
def decShiftFunc(arg1, arg2, arg3, arg4):
    """Repack four 6-bit values into at most three characters.

    The bit layout is the one Base64 decoding uses: the low six bits of each
    argument are concatenated into 24 bits and split into three 8-bit values.
    NUL characters are dropped from the result, which removes the output
    produced by zero padding.

    Args:
        arg1, arg2, arg3, arg4: Integer indices; only their low 6 bits are used.

    Returns:
        A str of zero to three characters.
    """
    # The masked fields never overlap, so OR-ing them equals adding them.
    first = ((arg1 & 0x3F) << 2) | ((arg2 & 0x30) >> 4)
    second = ((arg2 & 0x0F) << 4) | ((arg3 & 0x3C) >> 2)
    third = ((arg3 & 0x03) << 6) | (arg4 & 0x3F)
    decoded = ''.join(map(chr, (first, second, third)))
    return decoded.replace('\0', '')
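def decWrapperFunc(encData, listNum):
    """Decode an encoded string using a 64-entry lookup list.

    Each element of ``encData`` is replaced by its index in ``listNum``; the
    indices are then taken four at a time and handed to ``decShiftFunc``. A
    short final group is padded with zeros.

    Args:
        encData: The encoded text (iterated element by element).
        listNum: The lookup list; the position of an element is its value.

    Returns:
        The decoded str, or '' when ``encData`` is empty.

    Raises:
        ValueError: If an element of ``encData`` is not present in ``listNum``.
    """
    if not encData:
        # An empty input has no final group to pad; return early instead of
        # failing with IndexError on an empty list of groups.
        return ''

    hexList = [listNum.index(ch) for ch in encData]

    # Zero-pad so the length is a multiple of four (no-op when already aligned).
    hexList.extend([0x00] * (-len(hexList) % 4))

    return ''.join(
        decShiftFunc(*hexList[i:i + 4]) for i in range(0, len(hexList), 4)
    )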
def getArg(ref_addr):
    """Return the immediate loaded by the instruction just before ``ref_addr``.

    Only the single instruction preceding ``ref_addr`` is inspected. It must
    be a ``mov`` whose second operand (index 1) is an immediate; the value of
    that operand is returned.

    Args:
        ref_addr: Address of the referencing instruction (the call site).

    Returns:
        The immediate operand value, or None when the preceding instruction
        is not a ``mov`` with an immediate second operand.
    """
    prev_insn = idc.prev_head(ref_addr)
    is_mov = idc.print_insn_mnem(prev_insn) == 'mov'
    if is_mov and idc.get_operand_type(prev_insn, 1) == idc.o_imm:
        return idc.get_operand_value(prev_insn, 1)
    return None
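def listDecrypt(functionEA, listID, fileID):
    """Decode the string argument at every call site of ``functionEA``.

    For each cross-reference to ``functionEA`` the immediate loaded just
    before the call is treated as a pointer to the encoded string. The
    decoded text is attached as a repeatable comment to the instruction that
    loads the pointer and is also written, one string per line, to ``fileID``.

    The decoded text comes from the sample under analysis, so the comments
    and the output file should be handled as untrusted data.

    Args:
        functionEA: Address of the wrapper function to enumerate xrefs to.
        listID: Lookup list passed through to ``decWrapperFunc``.
        fileID: Path of the output file; it is overwritten.
    """
    stringsList = []
    for xref in idautils.XrefsTo(functionEA):
        argPtr = getArg(xref.frm)
        if not argPtr:
            continue

        data = idc.get_bytes(argPtr, 300)
        if not data:
            # The immediate did not point at readable bytes; skip this call site.
            continue

        # Keep the bytes up to the first NUL and strip non-printable bytes.
        # The replacement must be bytes to match the bytes pattern; a str
        # replacement raises TypeError as soon as the pattern matches.
        encData = re.sub(b'[^\x20-\x7F]+', b'', data.split(b'\x00')[0]).decode()
        if not encData:
            continue

        try:
            decData = decWrapperFunc(encData, listID)
        except ValueError:
            # A character outside the lookup list means this operand is not
            # an encoded string; skip it rather than abort the whole pass.
            print(f'[-] Skipping xref at {xref.frm:#x}: data does not match the list')
            continue

        stringsList.append(decData)
        idc.set_cmt(idc.prev_head(xref.frm), decData, 1)

    print(f'[+] {len(stringsList)} Strings were extracted')

    # Decoded characters can be any code point below 256; an explicit UTF-8
    # encoding avoids encode errors under a narrower locale codec. The
    # context manager closes the file even if a write fails.
    with open(fileID, 'w', encoding='utf-8') as out:
        for string in stringsList:
            out.write(f'{string}\n')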
# Run one decryption pass per configured (wrapper function, list, output file)
# triple, announcing each pass before it starts.
for banner, wrapper_ea, lookup_list, out_path in (
    ('[*] Staring decryption of list 1', DECRYPTION_FUNCTION_1, LIST_1, STRINGS_FILE_1),
    ('[+] Staring decryption of list 2', DECRYPTION_FUNCTION_2, LIST_2, STRINGS_FILE_2),
):
    print(banner)
    listDecrypt(wrapper_ea, lookup_list, out_path)