alexander-hanel/rc4_bn.py

## rc4_bn.py
from binaryninja import lowlevelil

DEBUG = False

def get_rc4_xor_instru(instr):
    if not instr:
        return False
    if DEBUG:
        print(hex(instr.address), instr)
    for oper in instr.operands:
         if isinstance(oper, LowLevelILInstruction):
            if oper.operation == LowLevelILOperation.LLIL_XOR:
                if DEBUG:
                    print("LLIL_XOR", hex(oper.address), oper.left, oper.right, oper.right.value)
                try:
                    if oper.right.src.name.endswith("sp") or oper.right.src.name.endswith("bp"):
                        continue
                except:
                        pass
                # ignore XOR with constant value,
                if oper.right.value.type == RegisterValueType.ConstantValue:
                        continue
                if oper.left != oper.right:
                    get_bytes(oper.address)
                    return True
    return False

def get_bytes(offset):
    output = ""
    output += bv.file.filename
    output += "\n"
    func = bv.get_functions_containing(offset)[0]
    output += "0x%x, %s\n" % (func.start, func.name)
    bb = bv.get_basic_blocks_at(offset)[0]
    for x in bb.get_disassembly_text():
        output += "0x%x, %s\n" % (x.address, x)
    data = bv.read(bb.start, bb.end - bb.start)
    output += (",".join([hex(x) for x in data]))
    output += "\n"
    print(output)


def check_for_xor(func):
    l_0xff = 0 # used to find the first two loops
    for instr in func.llil_instructions:
        if l_0xff != 2:
            if instr.operation == LowLevelILOperation.LLIL_IF:
                try:
                    if instr.operands[0].operands[1].value == 0x100:
                        l_0xff += 1
                        if DEBUG:
                            print("LLIL_IF", instr, instr.operands[0].operands[1].value)
                except:
                    continue
        if l_0xff == 2:
            if get_rc4_xor_instru(instr):
                return True
    return False


def run():
    for func in bv.functions:
        check_for_xor(func)


def test(address):
    func =  bv.get_function_at(address)
    check_for_xor(func)

# test(0x0040feb1)
run()
	from binaryninja import lowlevelil

	DEBUG = False

	def get_rc4_xor_instru(instr):
	if not instr:
	return False
	if DEBUG:
	print(hex(instr.address), instr)
	for oper in instr.operands:
	if isinstance(oper, LowLevelILInstruction):
	if oper.operation == LowLevelILOperation.LLIL_XOR:
	if DEBUG:
	print("LLIL_XOR", hex(oper.address), oper.left, oper.right, oper.right.value)
	try:
	if oper.right.src.name.endswith("sp") or oper.right.src.name.endswith("bp"):
	continue
	except:
	pass
	# ignore XOR with constant value,
	if oper.right.value.type == RegisterValueType.ConstantValue:
	continue
	if oper.left != oper.right:
	get_bytes(oper.address)
	return True
	return False

	def get_bytes(offset):
	output = ""
	output += bv.file.filename
	output += "\n"
	func = bv.get_functions_containing(offset)[0]
	output += "0x%x, %s\n" % (func.start, func.name)
	bb = bv.get_basic_blocks_at(offset)[0]
	for x in bb.get_disassembly_text():
	output += "0x%x, %s\n" % (x.address, x)
	data = bv.read(bb.start, bb.end - bb.start)
	output += (",".join([hex(x) for x in data]))
	output += "\n"
	print(output)


	def check_for_xor(func):
	l_0xff = 0 # used to find the first two loops
	for instr in func.llil_instructions:
	if l_0xff != 2:
	if instr.operation == LowLevelILOperation.LLIL_IF:
	try:
	if instr.operands[0].operands[1].value == 0x100:
	l_0xff += 1
	if DEBUG:
	print("LLIL_IF", instr, instr.operands[0].operands[1].value)
	except:
	continue
	if l_0xff == 2:
	if get_rc4_xor_instru(instr):
	return True
	return False


	def run():
	for func in bv.functions:
	check_for_xor(func)


	def test(address):
	func = bv.get_function_at(address)
	check_for_xor(func)

	# test(0x0040feb1)
	run()