Some string cipher resolution in some unknown fish cheat
'''
sub_180001F5C+34 mov rdx, 0C9A201E140208649h
sub_180001F5C+3E mov rcx, 213228A830CCCFFEh
sub_180001F5C+48 mov qword ptr [rbp+var_10], rdx
sub_180001F5C+4C mov qword ptr [rbp+var_10+8], rcx
sub_180001F5C+50 mov rax, 5068B50F657EF22h ; <- encrypted name
sub_180001F5C+5A movups xmm2, [rbp+var_10]
sub_180001F5C+5E mov qword ptr [rbp+ModuleName], rax
sub_180001F5C+62 mov r14, 5638B3DF636EF65h ; <- xor key
sub_180001F5C+6C mov qword ptr [rbp+var_40+8], rcx
sub_180001F5C+70 mov rax, 0E0E85073937B9CBh ; <- encrypted name
sub_180001F5C+7A mov qword ptr [rbp+ModuleName+8], rax
sub_180001F5C+7E lea rcx, [rbp+ModuleName] ; lpModuleName
sub_180001F5C+82 movups xmm0, xmmword ptr [rbp+ModuleName]
sub_180001F5C+86 mov rax, 27F7CFB34B9F0B6Ah ; <- encrypted name
sub_180001F5C+90 mov qword ptr [rbp+var_40], rdx
sub_180001F5C+94 pxor xmm2, [rbp+var_40]
sub_180001F5C+99 mov rsi, 0E6B85743944B98Ah ; <- xor key
sub_180001F5C+A3 mov qword ptr [rbp+var_20], rax
sub_180001F5C+A7 mov rdi, 278ECFDF4BFD0B07h ; <- xor key
sub_180001F5C+B1 mov rax, 7064B132AC9F2FB2h ; <- encrypted name
sub_180001F5C+BB mov qword ptr [rbp+var_60], r14
sub_180001F5C+BF mov qword ptr [rbp+var_20+8], rax
sub_180001F5C+C3 mov rbx, 7008B15EACFB2F9Ch ; <- xor key
sub_180001F5C+CD movups xmm1, [rbp+var_20]
sub_180001F5C+D1 mov qword ptr [rbp+var_60+8], rsi
sub_180001F5C+D5 pxor xmm0, xmmword ptr [rbp+var_60]
sub_180001F5C+DA mov qword ptr [rbp+var_50], rdi
sub_180001F5C+DE mov qword ptr [rbp+var_50+8], rbx
sub_180001F5C+E2 pxor xmm1, [rbp+var_50]
sub_180001F5C+E7 movdqa [rbp+var_20], xmm1
sub_180001F5C+EC movdqa xmmword ptr [rbp+ModuleName], xmm0
sub_180001F5C+F1 movdqa [rbp+var_10], xmm2
sub_180001F5C+F6 call cs:GetModuleHandleW ; <- call using the plaintext string on the stack
The encrypted strings and their corresponding XOR keys are loaded as 64-bit immediate operands, staged on the stack, moved into xmm registers, and XORed together with pxor; the resulting plaintext wide string is left on the stack and passed to GetModuleHandleW.
'''
def xor(a, b):
    """Return the low byte of ``a ^ b``.

    Applied per byte when undoing the XOR obfuscation; the mask keeps the
    result within 0..255 even if a wider int is passed in.
    """
    byte_mask = 0xFF
    return (a ^ b) & byte_mask
def xorl(a, b):
    """XOR two byte sequences element-wise and return the result as a list.

    Walks the indices of ``a``; ``b`` must be at least as long, otherwise an
    IndexError propagates exactly as in the index loop this replaces. Each
    output byte is masked to 0xFF.
    """
    return [(left ^ b[idx]) & 0xFF for idx, left in enumerate(a)]
def expand(i):
    """Split the 64-bit integer ``i`` into its eight little-endian bytes.

    Mirrors how an immediate operand is laid out in memory once the ``mov``
    stores it on the stack. ``int.to_bytes`` raises OverflowError if ``i``
    does not fit in 8 bytes or is negative.
    """
    return list(i.to_bytes(8, 'little'))
def get_wchar(data, offset):
    """Read the little-endian 16-bit code unit at ``data[offset]`` as a str.

    The value is masked to 16 bits before ``chr`` so the result is always a
    single UTF-16 code unit; surrogate values come back as lone surrogates.
    """
    low_byte = data[offset]
    high_byte = data[offset + 1] << 8
    return chr(int(low_byte + high_byte) & 0xFFFF)
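def get_string_len_w(data, offset):
    """Count the UTF-16LE code units at ``data[offset]`` up to the NUL terminator.

    Walks the buffer two bytes at a time and stops at the first 0x0000 code
    unit, which is not counted. An unterminated buffer no longer raises
    IndexError: the scan stops when fewer than two bytes remain, so the count
    covers only complete code units that precede the end of ``data``.

    Args:
        data: indexable byte values (list of ints or bytes).
        offset: index of the first byte of the string.
    Returns:
        Number of non-NUL code units before the terminator (or end of data).
    """
    length = 0
    pos = offset
    end = len(data)
    # A complete code unit needs two bytes; stop rather than index past the end.
    while pos + 1 < end:
        unit = (data[pos] + (data[pos + 1] << 8)) & 0xFFFF
        if unit == 0:
            break
        length += 1
        pos += 2
    return length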
def get_string_w(data, offset):
    """Read the NUL-terminated UTF-16LE string starting at ``data[offset]``.

    Scans code units two bytes at a time until a 0x0000 unit is found and
    joins them into a str; the terminator itself is not included. Reading an
    unterminated buffer runs off the end and raises IndexError, the same as
    measuring it first and then copying.
    """
    units = []
    pos = offset
    while True:
        unit = chr(int(data[pos] + (data[pos + 1] << 8)) & 0xFFFF)
        if unit == '\x00':
            break
        units.append(unit)
        pos += 2
    return ''.join(units)
'''
data format
[
(data_part_0, data_part_1, key_part_0, key_part_1),
...
]
call template
decipher_string_0([
(,,,),
(,,,)
])
'''
# Two zero bytes: a UTF-16LE NUL terminator appended to each decoded 16-byte
# chunk so the wide-string scan stops at the end of the block. Kept as a
# list because it is concatenated onto a list of bytes with ``+``.
FIX_UNICODE = [0x00] * 2
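def decipher_string_0(data):
    """Decode a XOR-obfuscated UTF-16LE string given as 64-bit immediates.

    Each entry of ``data`` is ``(data_part_0, data_part_1, key_part_0,
    key_part_1)``: two immediates holding 16 bytes of ciphertext followed by
    the two immediates holding the matching 16-byte XOR key, in the order
    the ``mov``/``pxor`` sequence in the disassembly consumes them. Every
    16-byte block is XORed with its key, NUL-terminated with FIX_UNICODE,
    read as a wide string and appended to the result. Bytes after an
    embedded 0x0000 code unit within a block are dropped, so a string that
    ends mid-block is handled naturally.

    Args:
        data: iterable of 4-tuples (or 4-item lists) of ints, each fitting
            in 8 bytes.
    Returns:
        The concatenated plaintext; '' for empty input.
    """
    pieces = []
    for entry in data:
        # Slice rather than unpack so entries longer than four items still work.
        part0, part1, key0, key1 = entry[:4]
        cipher = expand(part0) + expand(part1)
        key = expand(key0) + expand(key1)
        # xorl already returns a list; FIX_UNICODE guarantees a terminator
        # even when all 16 bytes of the block are text.
        block = xorl(cipher, key) + FIX_UNICODE
        pieces.append(get_string_w(block, 0))
    return ''.join(pieces)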
# Constants copied from the disassembly above, one 4-tuple per 16-byte block:
# (data_part_0, data_part_1, key_part_0, key_part_1). Worked out by hand from
# these values, the first string decodes to 'GameAssembly.dll' and the second
# to 'UnityPlayer.dll'; run the script to confirm. The second call's data
# words are the first call's key words — XOR is symmetric, so either operand
# order decodes.
first_GetModuleHandleW_str = decipher_string_0([
    (0x5068B50F657EF22, 0xE0E85073937B9CB, 0x5638B3DF636EF65, 0xE6B85743944B98A),
    (0x27F7CFB34B9F0B6A, 0x7064B132AC9F2FB2, 0x278ECFDF4BFD0B07, 0x7008B15EACFB2F9C),
])
print(f'First GetModuleHandleW : {first_GetModuleHandleW_str}')

second_GetModuleHandleW_str = decipher_string_0([
    (0x5638B3DF636EF65, 0xE6B85743944B98A, 0x5178B54F658EF30, 0xE0A85183914B9F3),
    (0x27A0CFAD4B980B7E, 0x7008B132AC972FF8, 0x278ECFDF4BFD0B07, 0x7008B15EACFB2F9C),
])
print(f'Second GetModuleHandleW : {second_GetModuleHandleW_str}')