@alexander-hanel
Created November 6, 2019 18:51
IDAPython script for decoding strings in nemty
import base64
from Crypto.Cipher import ARC4
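def str_decrypt(enc_data):
    """Base64-decode ``enc_data`` and RC4-decrypt it with the fixed key.

    Returns the decrypted bytes. If ``enc_data`` is rejected by the Base64
    decoder it is returned unchanged, so a caller can compare input and
    output to spot strings that were never encrypted.
    """
    # Hard-coded RC4 key; the trailing NUL byte is part of the key material.
    # NOTE(review): presumably this mirrors the key buffer used by the
    # sample this script was written for -- confirm against the binary.
    key = 'fuckav\x00'
    cipher = ARC4.new(key)
    try:
        raw = base64.b64decode(enc_data)
    except (TypeError, ValueError):
        # b64decode reports malformed input as TypeError on Python 2 and as
        # binascii.Error (a ValueError subclass) on Python 3. Catching only
        # these keeps KeyboardInterrupt and genuine bugs visible instead of
        # silently swallowing them as a bare ``except`` would.
        return enc_data
    return cipher.decrypt(raw)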
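# Annotate every string handed to the routine at 0x407395.
# NOTE(review): 0x407395 is specific to one sample/IDB (presumably the
# string-decryption routine); re-point it before using this on another build.
# CodeRefsTo / idaapi / idc are expected to come from IDA's script namespace.
for xref in CodeRefsTo(0x407395, 0):
    # Addresses of the instructions that set up each call argument; empty or
    # None when IDA cannot recover them for this call site.
    args = idaapi.get_arg_addrs(xref)
    if not args:
        continue
    arg_offset = args[0]
    # Operand 0 of the first-argument instruction is taken as the address of
    # the encoded string literal.
    enc_offset = idc.get_operand_value(arg_offset, 0)
    enc_data = idc.get_strlit_contents(enc_offset)
    if not enc_data:
        continue
    dec_str = str_decrypt(enc_data)
    # The comment goes on the string itself, not on the call site. When the
    # literal was not valid Base64, dec_str is just the original text.
    idc.set_cmt(enc_offset, dec_str, 0)
    # "%#x" formats int and long alike; hex(x)[:-1] only works when the value
    # is a long (trailing 'L') and chops a real digit off a plain int.
    print dec_str, "%#x" % enc_offset, "%#x" % xref, enc_data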
@alexander-hanel

import base64
import hashlib 
from Crypto.Cipher import ARC4

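def str_decrypt(enc_data):
    """Base64-decode ``enc_data`` and RC4-decrypt it with a SHA-1 derived key.

    Returns the decrypted bytes. If ``enc_data`` is rejected by the Base64
    decoder it is returned unchanged, so a caller can compare input and
    output to spot strings that were never encrypted.
    """
    temp_key = "sosorin :)"
    # SHA-1 yields 20 bytes; dropping the last 4 leaves a 16-byte (128-bit)
    # RC4 key.
    # NOTE(review): presumably this matches the key derivation in the sample
    # this variant targets -- confirm against the binary.
    key = hashlib.sha1(temp_key).digest()
    cipher = ARC4.new(key[:-4])
    try:
        raw = base64.b64decode(enc_data)
    except (TypeError, ValueError):
        # b64decode reports malformed input as TypeError on Python 2 and as
        # binascii.Error (a ValueError subclass) on Python 3. Catching only
        # these keeps KeyboardInterrupt and genuine bugs visible instead of
        # silently swallowing them as a bare ``except`` would.
        return enc_data
    return cipher.decrypt(raw)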

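# Annotate every string handed to the routine at 0x406EC4.
# NOTE(review): 0x406EC4 is specific to one sample/IDB (presumably the
# string-decryption routine); re-point it before using this on another build.
# CodeRefsTo / idaapi / idc are expected to come from IDA's script namespace.
for xref in CodeRefsTo(0x406EC4, 0):
    # Addresses of the instructions that set up each call argument; empty or
    # None when IDA cannot recover them for this call site.
    args = idaapi.get_arg_addrs(xref)
    if not args:
        continue
    arg_offset = args[0]
    # Operand 0 of the first-argument instruction is taken as the address of
    # the encoded string literal.
    enc_offset = idc.get_operand_value(arg_offset, 0)
    enc_data = idc.get_strlit_contents(enc_offset)
    if not enc_data:
        continue
    dec_str = str_decrypt(enc_data)
    # The comment goes on the string itself, not on the call site. When the
    # literal was not valid Base64, dec_str is just the original text.
    idc.set_cmt(enc_offset, dec_str, 0)
    # "%#x" formats int and long alike; hex(x)[:-1] only works when the value
    # is a long (trailing 'L') and chops a real digit off a plain int.
    print dec_str, "%#x" % enc_offset, "%#x" % xref, enc_data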

@alexander-hanel

import base64
import hashlib 
import string 
from Crypto.Cipher import ARC4

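def str_decrypt(enc_data):
    """Base64-decode ``enc_data`` and RC4-decrypt it with a SHA-1 derived key.

    Returns the decrypted bytes. If ``enc_data`` is rejected by the Base64
    decoder it is returned unchanged, so a caller can compare input and
    output to spot strings that were never encrypted.
    """
    temp_key = b"sosorin :)"
    # SHA-1 yields 20 bytes; dropping the last 4 leaves a 16-byte (128-bit)
    # RC4 key.
    # NOTE(review): presumably this matches the key derivation in the sample
    # this variant targets -- confirm against the binary.
    key = hashlib.sha1(temp_key).digest()
    cipher = ARC4.new(key[:-4])
    try:
        # With the default validate=False, Python 3 silently drops characters
        # outside the Base64 alphabet, so ordinary text can still "decode";
        # the caller has to filter the resulting garbage.
        raw = base64.b64decode(enc_data)
    except (TypeError, ValueError):
        # binascii.Error is a ValueError subclass; TypeError covers input that
        # is not bytes-like. Catching only these keeps KeyboardInterrupt and
        # genuine bugs visible instead of silently swallowing them as a bare
        # ``except`` would.
        return enc_data
    return cipher.decrypt(raw)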

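# Annotate every string handed to the routine at 0x4036E7.
# NOTE(review): 0x4036E7 is specific to one sample/IDB (presumably the
# string-decryption routine); re-point it before using this on another build.
# CodeRefsTo / idaapi / idc are expected to come from IDA's script namespace.
for xref in CodeRefsTo(0x4036E7, 0):
    # Addresses of the instructions that set up each call argument; empty or
    # None when IDA cannot recover them for this call site.
    args = idaapi.get_arg_addrs(xref)
    if not args:
        continue
    arg_offset = args[0]
    # Operand 0 of the first-argument instruction is taken as the address of
    # the encoded string literal.
    enc_offset = idc.get_operand_value(arg_offset, 0)
    enc_data = idc.get_strlit_contents(enc_offset)
    if not enc_data:
        continue
    dec_str = str_decrypt(enc_data)
    # Skip literals that came back unchanged (not Base64) and empty results:
    # passing "" to set_cmt would delete any comment already on the string.
    if not dec_str or dec_str == enc_data:
        continue
    # Only annotate output that is entirely printable ASCII; anything else is
    # treated as a false positive from the lenient Base64 decoder.
    if all(chr(c) in string.printable for c in dec_str):
        idc.set_cmt(enc_offset, dec_str.decode("ascii"), 0)
        print(dec_str, hex(enc_offset), hex(xref), enc_data)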
