Created
April 16, 2023 17:48
Binary Ninja script to decrypt strings from ARM macOS Lockbit sample!
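# SHA256: 3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79
# Binary Ninja console script: decrypt the XOR-encoded strings kept in the
# __data section of the ARM macOS LockBit sample above, in place.
#
# Runs inside the Binary Ninja Python console, so `bv` (the open BinaryView)
# and `Transform` are supplied by the host and are not imported here.
# bv.write() patches the view/database, so work on a copy of the sample or a
# fresh BNDB rather than on your only copy.

# Strings after this address are kinda funky, so only patch symbols below it.
LAST_STRING_ADDR = 0x100058008

data_section = bv.get_section_by_name("__data")
if data_section is None:
    raise RuntimeError("no __data section in this view")

# Symbols in __data in ascending address order: the distance to the next
# symbol is the length of each encoded string, so the order matters.
symbols = sorted(
    bv.get_symbols(data_section.start, data_section.end - data_section.start),
    key=lambda s: s.address,
)

# Pass 1: locate the key before touching anything, so strings that precede
# _xor_val in the symbol list are not XORed with a zero key.
# The key is one byte; keep it as bytes instead of decoding it as text
# (decoding raises on bytes >= 0x80 and would hand the transform a str).
xor_key = None
for sym in symbols:
    if sym.name == "_xor_val":
        xor_key = bv.read(sym.address, 1)
        break
if not xor_key:
    raise RuntimeError("_xor_val symbol not found in __data")

xor = Transform["XOR"]

# Pass 2: XOR every string in place. The key symbol itself is skipped so a
# second run of the script still reads the real key rather than a zeroed byte.
for sym, next_sym in zip(symbols, symbols[1:]):
    if sym.name == "_xor_val" or sym.address >= LAST_STRING_ADDR:
        continue
    length = next_sym.address - sym.address
    if length <= 0:
        continue  # duplicate symbol at the same address; nothing to decode
    encoded = bv.read(sym.address, length)
    bv.write(sym.address, xor.encode(encoded, {"key": xor_key}))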