De-obfuscated String using IDAPython for b4e43fec37a026e4452ebfa6e480ecaa96e109899e6282852af451c4d8ad5a40
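def find_function_arg(addr):
    """Walk backwards from ``addr`` to the nearest ``push`` and return its operand.

    Used to recover the single argument pushed immediately before a call to
    the sample's string-decryption routine.

    Args:
        addr: effective address of the call instruction (``xref.frm``).

    Returns:
        The operand value of the first preceding ``push`` instruction, or
        ``""`` when the backwards walk runs off the start of the segment
        (``PrevHead`` returns ``BADADDR``) before any ``push`` is found.
        Callers must check for ``""`` before dereferencing the result.

    NOTE(review): the walk is not bounded to the current function, so a call
    with no preceding push may pick up an unrelated push from earlier code;
    verify recovered addresses against the disassembly.
    """
    while True:
        addr = idc.PrevHead(addr)
        # PrevHead yields BADADDR when there is no earlier instruction head;
        # without this check the loop never terminates (the original trailing
        # `return ""` was unreachable).
        if addr == idc.BADADDR:
            return ""
        if GetMnem(addr) == "push":
            return GetOperandValue(addr, 0)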
def get_string(addr):
    """Read a NUL-terminated byte string from the IDB starting at ``addr``.

    Bytes are consumed one at a time until the first 0x00; the terminator is
    not included in the result.  No upper bound is applied, so a wrong
    ``addr`` reads forward until a zero byte happens to occur.

    Args:
        addr: effective address of the first character.

    Returns:
        The characters as a Python ``str``.
    """
    chars = []
    cur = addr
    while Byte(cur) != 0:
        chars.append(chr(Byte(cur)))
        cur += 1
    return "".join(chars)
def decrypt_str(obf_str): | |
deobf = list(obf_str) | |
deobf_str = "" | |
num = 0 | |
for i in deobf: | |
each_str = ord(i) | |
if each_str < ord("i") or each_str > ord("p"): | |
if each_str < ord("r") or each_str > ord("y"): | |
if each_str < ord("I") or each_str > ord("P"): | |
if each_str < ord("R") and each_str > ord("Y"): | |
each_str -= 9 | |
deobf_str += chr(each_str) | |
else : deobf_str += chr(each_str) | |
else: | |
each_str += 9 | |
deobf_str += chr(each_str) | |
else: | |
each_str -= 9 | |
deobf_str += chr(each_str) | |
else: | |
each_str += 9 | |
deobf_str += chr(each_str) | |
return deobf_str | |
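# Address of the sample's string-decryption routine; every xref to it is a
# call site whose pushed argument points at an obfuscated string.
DECRYPT_FUNC_EA = 0x10003b00

print("[*] Attempting to decrypt strings in malware")
for x in XrefsTo(DECRYPT_FUNC_EA, flags=0):
    ref = find_function_arg(x.frm)
    if ref == "":
        # find_function_arg signals "no preceding push" with ""; passing that
        # to get_string would raise on Byte(""), so report and move on.
        print("[!] no string argument found for call at 0x%x" % x.frm)
        continue
    # Renamed from `string` to avoid shadowing the stdlib module name.
    obf_string = get_string(ref)
    deobf_string = decrypt_str(obf_string)
    print('[STRING]:%s\n[Deobfuscated]:%s' % (obf_string, deobf_string))
    # Annotate both the call site and the string data so the recovered text
    # is visible wherever the analyst lands in the IDB.
    MakeComm(x.frm, deobf_string)
    MakeComm(ref, deobf_string)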
[*] Attempting to decrypt strings in malware