import idautils | |
import string | |
# Set to False to skip the hex dump of every candidate blob (and the
# third-party ``hexdump`` import that the dump needs).
DEBUG = True
# Defined here but not referenced anywhere else in this script.
SEGMENT = True
if DEBUG:
    # Third-party package, only needed for the debug output at the bottom.
    import hexdump
def get_to_xrefs(ea):
    """Return the set of source addresses that cross-reference ``ea``.

    Wraps ``idautils.XrefsTo(ea, 1)``.  The flag value 1 is presumably
    ``XREF_FAR`` (ordinary flow / fall-through refs excluded) -- confirm
    against the idautils constants for the IDA version in use.
    """
    return {ref.frm for ref in idautils.XrefsTo(ea, 1)}
def get_from_xrefs(ea):
    """Return the set of target addresses that ``ea`` cross-references.

    Wraps ``idautils.XrefsFrom(ea, 1)``; same flag caveat as
    ``get_to_xrefs`` -- 1 is presumably ``XREF_FAR``, confirm for your
    IDA version.
    """
    return {ref.to for ref in idautils.XrefsFrom(ea, 1)}
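def get_next_xref(ea):
    """Walk forward from ``ea`` to the next address that has any xref.

    Starts at ``idc.next_addr(ea)`` and returns the address immediately
    *before* the first location that has an xref to it or from it.  If
    the walk reaches ``idc.BADADDR`` first, ``ea`` itself is returned, so
    the caller (``calculate_data_size``) gets a size of 0.

    Caveats worth knowing before trusting the sizes this produces:
      * the walk is not bounded by a segment: it continues until the next
        cross-referenced address anywhere in the database, so a blob with
        no later xref can be scanned a long way (and read as one blob);
      * because the result is ``next_xref - 1``, the size derived from it
        is one byte less than the span ``[ea, next_xref)``; when the xref
        sits at the very next address the size is 0.

    Changes from the original: the unused ``ss`` local is gone, and
    ``BADADDR`` is tested before the xref lookups so IDA is never queried
    for xrefs on ``BADADDR`` (the original only checked it after the
    first lookup).
    """
    cur_addr = idc.next_addr(ea)
    while cur_addr != idc.BADADDR:
        if get_to_xrefs(cur_addr) or get_from_xrefs(cur_addr):
            return cur_addr - 1
        cur_addr = idc.next_addr(cur_addr)
    return ea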
def calculate_data_size(ea):
    """Return how many bytes to read at ``ea``.

    This is the distance from ``ea`` to the value ``get_next_xref(ea)``
    returns; it is 0 when that helper falls back to returning ``ea``.
    """
    end_addr = get_next_xref(ea)
    return end_addr - ea
def get_data(ea):
    """Read the bytes at ``ea`` up to the next cross-referenced location.

    Returns ``False`` when ``calculate_data_size`` reports a zero-length
    span.  Otherwise returns whatever ``idc.get_bytes`` gives back; note
    that IDA may return ``None`` for a range that is not loaded, so
    callers should not assume a ``bytes`` object.
    """
    length = calculate_data_size(ea)
    if not length:
        return False
    return idc.get_bytes(ea, length)
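def validate_data(op2_addr, ignore_names, names):
    """Heuristically decide whether the bytes at ``op2_addr`` look encoded.

    Args:
        op2_addr: data address taken from an instruction's second operand.
        ignore_names: when true, an address IDA has already named is
            treated as ordinary, recognised data and rejected.
        names: mapping of address -> name (``dict(idautils.Names())``).

    Returns:
        True if the blob survives every filter, False otherwise.

    Filters, in order: falsy address; address flagged as code; named
    address (only if ``ignore_names``); empty or unreadable blob; blob
    made of a single repeated byte; blob made only of 0x00 and 0xFF; blob
    that decodes as UTF-8 once trailing NULs are stripped.  The last
    filter means any ASCII/UTF-8 plaintext is rejected -- and, conversely,
    an encrypted blob that happens to be valid UTF-8 is missed.  Treat a
    True result as a triage lead, not as proof the data is encrypted.

    Fixes vs. the original: ``get_data`` returns ``False`` for a
    zero-length span (and IDA may return ``None`` for an unreadable
    range); the original called ``len()`` on that and raised
    ``TypeError``.  The bare ``except:`` is narrowed to
    ``UnicodeDecodeError``, the only exception ``bytes.decode`` raises
    here, and the unreachable trailing ``return True`` is dropped.
    """
    if not op2_addr:
        return False
    if idc.is_code(ida_bytes.get_flags(op2_addr)):
        return False
    # An address IDA already labelled is assumed to be ordinary data.
    if ignore_names and op2_addr in names:
        return False
    temp_data = get_data(op2_addr)
    # Covers False (zero-length span), None (unreadable) and b"".
    if not temp_data:
        return False
    byte_values = set(temp_data)
    # A run of one repeated byte is fill/padding, not a string.
    if len(byte_values) == 1:
        return False
    if byte_values == {0, 255}:
        return False
    # Anything that is valid UTF-8 is treated as plaintext and rejected.
    try:
        temp_data.rstrip(b"\x00").decode()
    except UnicodeDecodeError:
        return True
    return False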
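def find_encrypted_strings(single_func=None, ignore_names=True):
    """Find instructions whose second operand points at data that looks encoded.

    Args:
        single_func: start address of one function to scan; when None
            (the default) every function in the database is scanned.
        ignore_names: forwarded to ``validate_data``; when true, data at
            an address IDA has already named is skipped.

    Returns:
        list of ``(instruction_ea, data_ea)`` tuples, one per hit.

    Scope: only ``Op2`` of type ``o_mem`` is inspected, so a reference
    carried in the first operand, or as an immediate/offset, is not
    reported.  Library and thunk functions are skipped.

    Fixes vs. the original: the single-function case no longer piggybacks
    on iterating all functions (the original overwrote ``func`` on every
    pass and returned after the first one); ``decode_insn``'s return
    value is checked so an undecodable address is skipped instead of
    inspecting a stale operand; the IDA constants are referenced through
    ``idc`` rather than relying on them being star-imported.
    """
    names = dict(idautils.Names())
    x_offsets = []
    funcs = [single_func] if single_func else idautils.Functions()
    for func in funcs:
        flags = idc.get_func_attr(func, idc.FUNCATTR_FLAGS)
        # Skip library and thunk functions.
        if flags & idc.FUNC_LIB or flags & idc.FUNC_THUNK:
            continue
        # Walk every instruction and look for a direct memory operand.
        for ea in idautils.FuncItems(func):
            ins = ida_ua.insn_t()
            # decode_insn returns the instruction length; 0 means ``ea``
            # could not be decoded and ``ins`` holds nothing useful.
            if not idaapi.decode_insn(ins, ea):
                continue
            if ins.Op2.type != idaapi.o_mem:
                continue
            op2_addr = ins.Op2.addr
            if validate_data(op2_addr, ignore_names, names):
                x_offsets.append((ea, op2_addr))
    return x_offsets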
# Scan the whole database and report every candidate; with DEBUG on, also
# hex-dump the bytes so the analyst can eyeball them.
tt = find_encrypted_strings()
for code_ea, data_ea in tt:
    print("Code Offset: 0x%x Data Offset:0x%x" % (code_ea, data_ea))
    dd = get_data(data_ea)
    if DEBUG:
        hexdump.hexdump(dd)
Example Output