import idautils
import string
# Toggle for the hex-dump of each reported blob in the script body at the end.
DEBUG = True
if DEBUG:
    # third-party `hexdump` package; only needed for the debug output
    import hexdump
# NOTE(review): SEGMENT is never read anywhere in this file.
SEGMENT = True
def get_to_xrefs(ea):
    """Return the set of source addresses (``xref.frm``) of cross-references to *ea*.

    ``XrefsTo`` is queried with flags=1 (presumably ``ida_xref.XREF_FAR`` —
    confirm), exactly as the rest of this script does.
    """
    return {ref.frm for ref in idautils.XrefsTo(ea, 1)}
def get_from_xrefs(ea):
    """Return the set of target addresses (``xref.to``) of cross-references from *ea*.

    ``XrefsFrom`` is queried with flags=1 (presumably ``ida_xref.XREF_FAR`` —
    confirm), mirroring ``get_to_xrefs``.
    """
    return {ref.to for ref in idautils.XrefsFrom(ea, 1)}
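def get_next_xref(ea):
    """Scan forward from *ea* for the first address that has any cross-reference.

    Returns the address just before that referenced address, i.e. the last
    byte of the run starting at ``ea`` that no xref points to or from.
    Returns ``ea`` itself (a zero-length run) when the scan reaches
    ``idc.BADADDR`` first.

    Nothing bounds the scan except an xref or the end of the database, so on
    an unreferenced tail of a segment this can walk a long way.
    """
    cur_addr = idc.next_addr(ea)
    # Checking BADADDR before the first probe also covers the case where
    # next_addr(ea) itself is already BADADDR.
    while cur_addr != idc.BADADDR:
        # Either direction ends the data run: a blob referenced from code, or
        # an address that itself references something.
        if get_to_xrefs(cur_addr) or get_from_xrefs(cur_addr):
            return cur_addr - 1
        cur_addr = idc.next_addr(cur_addr)
    return ea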
def calculate_data_size(ea):
    """Length in bytes of the xref-free run that starts at *ea* (0 when none)."""
    run_end = get_next_xref(ea)
    return run_end - ea
def get_data(ea):
    """Read the xref-free byte run that starts at *ea*.

    Returns the result of ``idc.get_bytes`` when the computed size is
    non-zero, otherwise ``False``. NOTE(review): ``get_bytes`` may itself
    return ``None`` for unloaded bytes — callers should treat any falsy
    result as "no data" rather than calling ``len()`` on it.
    """
    run_len = calculate_data_size(ea)
    if not run_len:
        return False
    return idc.get_bytes(ea, run_len)
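def validate_data(op2_addr, ignore_names, names):
    """Heuristically decide whether the data at *op2_addr* looks like an encoded string.

    Args:
        op2_addr: target address of a memory operand; 0/None means "no address".
        ignore_names: when true, any address IDA has already labelled is rejected.
        names: mapping of address -> name, as built from ``idautils.Names()``.

    Returns:
        True when the blob is worth a closer look: non-empty, not code, not a
        single repeated byte value, not just 0x00/0xFF filler, and not valid
        UTF-8 once trailing NULs are stripped. False otherwise.
    """
    # not valid if operand address is invalid
    if not op2_addr:
        return False
    if idc.is_code(ida_bytes.get_flags(op2_addr)):
        return False
    # not encoded if IDA labels the offset
    if ignore_names and op2_addr in names:
        return False
    # get_data() returns False for a zero-length run and get_bytes() may
    # return None; len() on either raises TypeError, so test truthiness.
    temp_data = get_data(op2_addr)
    if not temp_data:
        return False
    # invalid if the data is one repeated byte value or pure 0x00/0xFF filler
    temp_set = set(temp_data)
    if len(temp_set) == 1 or temp_set == {0, 255}:
        return False
    # invalid if it decodes cleanly: plain UTF-8/ASCII text is not "encrypted"
    try:
        temp_data.rstrip(b"\x00").decode()
    except UnicodeDecodeError:
        return True
    return False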
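def find_encrypted_strings(single_func=None, ignore_names=True):
    """Find code locations whose second operand points at a suspicious data blob.

    Walks every non-library, non-thunk function (or only *single_func* when
    given), decodes each instruction, and keeps the (instruction address,
    operand address) pairs whose ``Op2`` is a memory reference that
    ``validate_data`` accepts.

    Args:
        single_func: start address of one function to scan instead of all.
        ignore_names: passed through to ``validate_data``; skip labelled addresses.

    Returns:
        list of (code_ea, data_ea) tuples in scan order.
    """
    names = dict(idautils.Names())
    x_offsets = []
    # One pass over a single function, or over every function in the database.
    funcs = [single_func] if single_func else idautils.Functions()
    for func in funcs:
        # skip library & thunk functions
        flags = idc.get_func_attr(func, idc.FUNCATTR_FLAGS)
        if flags & idc.FUNC_LIB or flags & idc.FUNC_THUNK:
            continue
        # loop through each instruction and find operand types to memory
        for ea in idautils.FuncItems(func):
            ins = ida_ua.insn_t()
            idaapi.decode_insn(ins, ea)
            # Only the second operand is inspected; a memory reference held
            # in Op1 alone is not reported.
            if ins.Op2.type != idaapi.o_mem:
                continue
            op2_addr = ins.Op2.addr
            if validate_data(op2_addr, ignore_names, names):
                x_offsets.append((ea, op2_addr))
    return x_offsets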
# Script body: report every candidate pair and, in DEBUG mode, hex-dump the blob.
tt = find_encrypted_strings()
for code_ea, data_ea in tt:
    print("Code Offset: 0x%x Data Offset:0x%x" % (code_ea, data_ea))
    # re-read the run; validate_data only accepted it if it was non-empty
    dd = get_data(data_ea)
    if DEBUG:
        hexdump.hexdump(dd)
alexander-hanel commented May 11, 2022

Example Output

Code Offset: 0x180001ba2  Data Offset:0x180001410
00000000: E5 CE BA 1F E6 CE BA 1F  B7 80 FD 0D 4C 21 08 0E  ............L!..
00000010: BB 98 3F D3 2E D0 01 5F  C7 6D CC 29 68 E3 F8 40  ..?...._.m.)h..@
00000020: B1 B5 AC 59 59 09 0E                              ...YY..
Code Offset: 0x180003861  Data Offset:0x18000134c
00000000: 21 06 33 24 69 06 33 24  64 45 78 15 01 06 33 24  !.3$i.3$dEx...3$
00000010: D2 A5 06 91 2F 28 18 D0  14 50 FE 2E 6D 2F 0D 58  ..../(...P..m/.X
00000020: D0 16 EE EF 91 49 13 97  DB 04 13 EA 6D B0 3F 3A  .....I......m.?:
00000030: 65 90 8D 90 2F E0 FA 7F  BB BB 7D 99 BC 89 FC C4  e.../.....}.....
00000040: 31 5D 07 68 A3 02 15 26  F2 BC 9F D5 DA 99 1F 52  1].h...&.......R
00000050: DB 37 FD AA C1 F3 AA A2  A5 4E 82 86 00 00 00     .7.......N.....
