@Jack2
Last active December 28, 2017 04:53
De-obfuscated String using IDAPython for b4e43fec37a026e4452ebfa6e480ecaa96e109899e6282852af451c4d8ad5a40
# IDAPython, Python 2, using the pre-IDA-7.0 IDC-compatible names (PrevHead,
# GetMnem, GetOperandValue, Byte, MakeComm). On IDA 7.x the equivalents are
# idc.prev_head, idc.print_insn_mnem, idc.get_operand_value, idc.get_wide_byte
# and idc.set_cmt.
import idc
from idc import *
from idautils import XrefsTo

# Address of the sample's string-decoding routine. Every call site pushes the
# address of the obfuscated string as its single argument.
DECRYPT_FUNC = 0x10003b00

def find_function_arg(addr):
    """Walk backwards from a call site to the nearest push and return its
    operand, i.e. the address of the obfuscated string (BADADDR if none)."""
    while True:
        addr = idc.PrevHead(addr)
        if addr == BADADDR:
            return BADADDR
        if GetMnem(addr) == "push":
            return GetOperandValue(addr, 0)

def get_string(addr):
    """Read a NUL-terminated string out of the database starting at addr."""
    out = ""
    while Byte(addr) != 0:
        out += chr(Byte(addr))
        addr += 1
    return out

def decrypt_str(obf_str):
    """Undo the sample's string obfuscation: i..p and r..y are swapped, as are
    I..P and R..Y (a shift of 9 in each direction); every other byte is
    copied through unchanged."""
    deobf_str = ""
    for i in obf_str:
        each_str = ord(i)
        if ord("i") <= each_str <= ord("p"):
            each_str += 9
        elif ord("r") <= each_str <= ord("y"):
            each_str -= 9
        elif ord("I") <= each_str <= ord("P"):
            each_str += 9
        elif ord("R") <= each_str <= ord("Y"):
            # The original test here was `< ord("R") and > ord("Y")`, which can
            # never be true, so R..Y was never decoded; the range test is what
            # the recorded output (e.g. Vxzruua -> Mozilla) requires.
            each_str -= 9
        deobf_str += chr(each_str)
    return deobf_str

print "[*] Attempting to decrypt strings in malware"
for x in XrefsTo(DECRYPT_FUNC, flags=0):
    ref = find_function_arg(x.frm)
    if ref == BADADDR:
        continue
    string = get_string(ref)
    deobf_string = decrypt_str(string)
    print '[STRING]:%s\n[Deobfuscated]:%s' % (string, deobf_string)
    # Annotate both the call site and the string itself with the cleartext.
    MakeComm(x.frm, deobf_string)
    MakeComm(ref, deobf_string)
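Added example, not part of the gist: the same range-swap substitution that decrypt_str implements, written as a Python 3 translation table so it can be run without IDA and checked against the obfuscated/cleartext pairs the comment below prints. The cipher swaps i..p with r..y and I..P with R..Y and leaves every other byte (including q and Q) alone, so it is its own inverse and the decoder doubles as the encoder. The sample pairs are copied from the comment output; the names range_swap, check_samples and SAMPLES are this example's own.

```python
# Added example (not part of the gist): the gist's range-swap cipher as a
# translation table, plus a self-check against strings from the comment output.
#
# The cipher swaps i..p with r..y and I..P with R..Y (a shift of +9/-9); every
# other byte, including 'q' and 'Q', is a fixed point. Because it is made of
# disjoint swaps it is an involution: applying it twice restores the input.

def _build_table():
    """Map ordinals in both directions for each swapped 8-letter range."""
    table = {}
    for lo in ("i", "I"):                      # i..p and I..P
        for c in range(ord(lo), ord(lo) + 8):
            table[c] = c + 9                   # i..p -> r..y, I..P -> R..Y
            table[c + 9] = c                   # r..y -> i..p, R..Y -> I..P
    return table

_TABLE = _build_table()

def range_swap(s):
    """Decode (or encode) one string; bytes outside the four ranges pass through."""
    return s.translate(_TABLE)

def is_involution(s):
    """True if applying the transform twice gives s back."""
    return range_swap(range_swap(s)) == s

# Obfuscated/cleartext pairs copied from the gist comment's output.
SAMPLES = [
    ("Vxzruua/5.0 (Nrwdxnj WK 6.1; NXN64) Chixve/28.0.1500.95 Jafair/537.36",
     "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36"),
    ("Cxwkewk-Kpye: vlukryaik/fxiv-daka; bxlwdaip=",
     "Content-Type: multipart/form-data; boundary="),
    ("Acceyk-Uawglage: tx-TI", "Accept-Language: ko-KR"),
    ('Cxwkewk-Drjyxjrkrxw: fxiv-daka; wave="frue1"; fruewave="yiakrce.ydf"',
     'Content-Disposition: form-data; name="file1"; filename="pratice.pdf"'),
]

def check_samples(samples=SAMPLES):
    """Return (obfuscated, expected, got) for every pair that fails to decode."""
    return [(o, e, range_swap(o)) for o, e in samples if range_swap(o) != e]

if __name__ == "__main__":
    for obf, clear in SAMPLES:
        print("%-72s -> %s" % (obf, range_swap(obf)))
    print("failures:", check_samples())
    print("involution on all samples:", all(is_involution(o) for o, _ in SAMPLES))
```

Because the mapping is an involution, range_swap("Mozilla") yields the obfuscated form "Vxzruua", which is a quick way to confirm a suspected cleartext against a string seen in the binary.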
Jack2 commented Oct 24, 2017

[*] Attempting to decrypt strings in malware

[STRING]:----FxivBxlwdaip
[Deobfuscated]:----FormBoundary
[STRING]:Vxzruua/5.0 (Nrwdxnj WK 6.1; NXN64) Chixve/28.0.1500.95 Jafair/537.36
[Deobfuscated]:Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36
[STRING]:Cxwweckrxw: teey-aurme
[Deobfuscated]:Connection: keep-alive
[STRING]:Cxwkewk-Uewgkh: 
[Deobfuscated]:Content-Length: 
[STRING]:Cache-Cxwkixu: vao-age=0
[Deobfuscated]:Cache-Control: max-age=0
[STRING]:Acceyk: */*
[Deobfuscated]:Accept: */*
[STRING]:Cxwkewk-Kpye: vlukryaik/fxiv-daka; bxlwdaip=
[Deobfuscated]:Content-Type: multipart/form-data; boundary=
[STRING]:Acceyk-Ewcxdrwg: gzry,defuake,jdch
[Deobfuscated]:Accept-Encoding: gzip,deflate,sdch
[STRING]:Acceyk-Uawglage: tx-TI
[Deobfuscated]:Accept-Language: ko-KR
[STRING]:Cxwkewk-Drjyxjrkrxw: fxiv-daka; wave="bxaid_rd"
[Deobfuscated]:Content-Disposition: form-data; name="board_id"
[STRING]:Cxwkewk-Drjyxjrkrxw: fxiv-daka; wave="ljei_rd"
[Deobfuscated]:Content-Disposition: form-data; name="user_id"
[STRING]:Cxwkewk-Drjyxjrkrxw: fxiv-daka; wave="frue1"; fruewave="rvg01_29.syg"
[Deobfuscated]:Content-Disposition: form-data; name="file1"; filename="img01_29.jpg"
[STRING]:Cxwkewk-Drjyxjrkrxw: fxiv-daka; wave="frue1"; fruewave="vp.dxc"
[Deobfuscated]:Content-Disposition: form-data; name="file1"; filename="my.doc"
[STRING]:Cxwkewk-Drjyxjrkrxw: fxiv-daka; wave="frue1"; fruewave="yiakrce.ydf"
[Deobfuscated]:Content-Disposition: form-data; name="file1"; filename="pratice.pdf"
[STRING]:Cxwkewk-Drjyxjrkrxw: fxiv-daka; wave="frue1"; fruewave="trwg.syg"
[Deobfuscated]:Content-Disposition: form-data; name="file1"; filename="king.jpg"
[STRING]:Cxwkewk-Drjyxjrkrxw: fxiv-daka; wave="frue1"; fruewave="dieav.amr"
[Deobfuscated]:Content-Disposition: form-data; name="file1"; filename="dream.avi"
[STRING]:Cxwkewk-Drjyxjrkrxw: fxiv-daka; wave="frue1"; fruewave="hy01.amr"
[Deobfuscated]:Content-Disposition: form-data; name="file1"; filename="hp01.avi"
[STRING]:Cxwkewk-Drjyxjrkrxw: fxiv-daka; wave="frue1"; fruewave="jkai.amr"
[Deobfuscated]:Content-Disposition: form-data; name="file1"; filename="star.avi"
[STRING]:Cxwkewk-Drjyxjrkrxw: fxiv-daka; wave="frue1"; fruewave="jkai.amr"
[Deobfuscated]:Content-Disposition: form-data; name="file1"; filename="star.avi"
[STRING]:Cxwkewk-Kpye: ayyurcakrxw/xckek-jkieav
[Deobfuscated]:Content-Type: application/octet-stream