eybisi/allatorixdemo.py

## allatorixdemo.py
from idautils import *
from idaapi import *
from idc import *
from idautils import *
from types import *

def socksl(strinput,first_key,second_key):
    length = len(strinput)
    arr = [0 for i in range(length)]
    i = length - 1
    while i >= 0:
        char1 = strinput[i]
        n = i - 1
        arr[i] = chr(ord(char1) ^ first_key)
        if n < 0:
            break
        i = n - 1
        arr[n] = chr(ord(strinput[n]) ^ second_key)
    return ''.join(arr)

def get_string(addr):
  out = ""
  while True:
    if Byte(addr) != 0:
      out += chr(Byte(addr))
    else:
      break
    addr += 1
  return out

def get_allatori_demos():
	l = []
	for segea in Segments():
		for funcea in Functions(segea, SegEnd(segea)):
			functionName = GetFunctionName(funcea)
			if "fsafsdfsfsdfsfsdfsd" in functionName:  # "fsafsd.." is the ALLATORIxDEMO function if different function name used in dex change
				cmt = GetType(funcea)
				#print functionName
				fc = cmt.split("(")
				sc = fc[1].split(")")
				tc = sc[0].split(",")
				#print len(tc)
				if len(tc) ==1:
					if tc[0] == "java.lang.String *p0" : # sometimes p0 becomes arg0, look for function
						print "HORRAY",functionName
						l.append(funcea)

	return l

def handle_function(func_start,f,s):
    c = 0
    for h in FuncItems(func_start):
	    for xref in XrefsTo(h, 0):
		    c+=1
		    #print 'from', hex(xref.frm), 'to', hex(xref.to),
		    inst = DecodePreviousInstruction(xref.frm)
		    if type(inst) is NoneType:
			continue
		    if(get_operand_type(inst.ea,1) != 9):
			    continue
		    st = get_string(get_name_ea(inst.ea,print_operand(inst.ea,1)))
		    dec = socksl(st,f,s)
		    print c,st,"-->",dec
		    set_cmt(xref.frm,dec,1)

def do_job():
	l = get_allatori_demos()
	print len(l)
	for ea in l:
		print ida_ua.ua_mnem(ea+0x22)
		if ida_ua.ua_mnem(ea+0x22) == 'xor-int/lit8' and ida_ua.ua_mnem(ea+0x3c) == 'xor-int/lit8': # to filter bad functions
			first = get_operand_value(ea+0x22,2)	# 0x22 and 0x3c are offsets to xor instruction, if its different for you change it
			second = get_operand_value(ea+0x3c,2)
			print first,second
			handle_function(ea,first,second)
			print ea
		else :
			print "no"
do_job()
	from idautils import *
	from idaapi import *
	from idc import *
	from idautils import *
	from types import *

	def socksl(strinput,first_key,second_key):
	length = len(strinput)
	arr = [0 for i in range(length)]
	i = length - 1
	while i >= 0:
	char1 = strinput[i]
	n = i - 1
	arr[i] = chr(ord(char1) ^ first_key)
	if n < 0:
	break
	i = n - 1
	arr[n] = chr(ord(strinput[n]) ^ second_key)
	return ''.join(arr)

	def get_string(addr):
	out = ""
	while True:
	if Byte(addr) != 0:
	out += chr(Byte(addr))
	else:
	break
	addr += 1
	return out

	def get_allatori_demos():
	l = []
	for segea in Segments():
	for funcea in Functions(segea, SegEnd(segea)):
	functionName = GetFunctionName(funcea)
	if "fsafsdfsfsdfsfsdfsd" in functionName: # "fsafsd.." is the ALLATORIxDEMO function if different function name used in dex change
	cmt = GetType(funcea)
	#print functionName
	fc = cmt.split("(")
	sc = fc[1].split(")")
	tc = sc[0].split(",")
	#print len(tc)
	if len(tc) ==1:
	if tc[0] == "java.lang.String *p0" : # sometimes p0 becomes arg0, look for function
	print "HORRAY",functionName
	l.append(funcea)

	return l

	def handle_function(func_start,f,s):
	c = 0
	for h in FuncItems(func_start):
	for xref in XrefsTo(h, 0):
	c+=1
	#print 'from', hex(xref.frm), 'to', hex(xref.to),
	inst = DecodePreviousInstruction(xref.frm)
	if type(inst) is NoneType:
	continue
	if(get_operand_type(inst.ea,1) != 9):
	continue
	st = get_string(get_name_ea(inst.ea,print_operand(inst.ea,1)))
	dec = socksl(st,f,s)
	print c,st,"-->",dec
	set_cmt(xref.frm,dec,1)

	def do_job():
	l = get_allatori_demos()
	print len(l)
	for ea in l:
	print ida_ua.ua_mnem(ea+0x22)
	if ida_ua.ua_mnem(ea+0x22) == 'xor-int/lit8' and ida_ua.ua_mnem(ea+0x3c) == 'xor-int/lit8': # to filter bad functions
	first = get_operand_value(ea+0x22,2) # 0x22 and 0x3c are offsets to xor instruction, if its different for you change it
	second = get_operand_value(ea+0x3c,2)
	print first,second
	handle_function(ea,first,second)
	print ea
	else :
	print "no"
	do_job()