blaquee / shifu_decryptor.py
shifu trojan string decryptor
# IDAPython script to decrypt the Shifu banking trojan dropper's strings.
# Position the cursor (EA) at the entry point of the decryption function before running.
# The script finds all code xrefs to that function, parses the arguments of each call,
# and decrypts every referenced string with the supplied XOR key.
# glindor @_g3nuin3
import idaapi
import idc
import idautils
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
void pre_check(int argc, char **argv, char **envp)
{
printf("Inside pre_check!\n");
if(ptrace(PTRACE_TRACEME, 0, 0, 0) < 0)
{
printf("Aliens found!\n");
void
__libc_csu_init (int argc, char **argv, char **envp)
{
/* For dynamically linked executables the preinit array is executed by
the dynamic linker (before initializing any shared object). */
#ifndef LIBC_NONSHARED
/* For static executables, preinit happens right before init. */
{
const size_t size = __preinit_array_end - __preinit_array_start;
gdb-peda$ disassemble _start
Dump of assembler code for function _start:
0x08048380 <+0>: xor ebp,ebp
0x08048382 <+2>: pop esi
0x08048383 <+3>: mov ecx,esp
0x08048385 <+5>: and esp,0xfffffff0
0x08048388 <+8>: push eax
0x08048389 <+9>: push esp
0x0804838a <+10>: push edx
0x0804838b <+11>: push 0x8048570
gdb-peda$ disassemble main
Dump of assembler code for function main:
0x080484e5 <+0>: push ebp
0x080484e6 <+1>: mov ebp,esp
0x080484e8 <+3>: and esp,0xfffffff0
0x080484eb <+6>: call 0x80484d1 <message>
0x080484f0 <+11>: mov eax,0x0
0x080484f5 <+16>: leave
0x080484f6 <+17>: ret
End of assembler dump.
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
void anti_trace(void) __attribute__ ((constructor));
void anti_trace(void)
{
printf("checking for signs of alien life...\n");
if(ptrace(PTRACE_TRACEME, 0, 0, 0) < 0)
{
gdb-peda$ disassemble main
Dump of assembler code for function main:
0x0804847d <+0>: push ebp
0x0804847e <+1>: mov ebp,esp
0x08048480 <+3>: and esp,0xfffffff0
0x08048483 <+6>: sub esp,0x10
0x08048486 <+9>: mov DWORD PTR [esp+0xc],0x0
0x0804848e <+17>: mov DWORD PTR [esp+0x8],0x0
0x08048496 <+25>: mov DWORD PTR [esp+0x4],0x0
0x0804849e <+33>: mov DWORD PTR [esp],0x0
blaquee / antiptrace1.c
anti-debug1
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
int main(int argc, char** argv)
{
if(ptrace(PTRACE_TRACEME, 0, 0, 0) < 0)
{
printf("Alien presence detected!\n");
exit(0);
.text:00403A7E mov ecx, dword_43060C
.text:00403A84 mov esi, dword_430604
.text:00403A8A or ecx, 2Fh
.text:00403A8D shl esi, cl
.text:00403A8F mov dword_430604, esi
.text:00403A95 push offset seh_handler ; push SEH entry handler
.text:00403A9A push large dword ptr fs:0
.text:00403AA1 mov large fs:0, esp
.text:00403AA8 lea ecx, [ebp+AccessStatus]
.text:00403AAB lea edx, [ebp+SecurityAttributes.lpSecurityDescriptor]
00403C1D . E8 42320000 CALL <JMP.&ADVAPI32.LsaLookupNames>
00403C22 . E8 CF2F0000 CALL <JMP.&LZ32.LZStart>
00403C27 . 68 74064300 PUSH 5d8645f7.00430674 ; /Password = "sslrfkjkdfai"
00403C2C . 68 60064300 PUSH 5d8645f7.00430660 ; |ServiceStartName = "z47sHc498Kw8I7Hk9Rk"
00403C31 . 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10] ; |
00403C34 . 68 84064300 PUSH 5d8645f7.00430684 ; |pDependencies = 5d8645f7.00430684
00403C39 . 52 PUSH EDX ; |pTagId
00403C3A . 68 94064300 PUSH 5d8645f7.00430694 ; |LoadOrderGroup = "kupgnvhjat"
00403C3F . 68 4C064300 PUSH 5d8645f7.0043064C ; |BinaryPathName = "v451917V88JH88126q7"
00403C44 . 6A 2F PUSH 2F ; |ErrorControl = 2F