-
-
Save eybisi/b41631fde21f6d4051d26c0d75617365 to your computer and use it in GitHub Desktop.
z
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from idautils import * | |
| from idaapi import * | |
| from idc import * | |
| from idautils import * | |
| from types import * | |
| def socksl(strinput,first_key,second_key): | |
| length = len(strinput) | |
| arr = [0 for i in range(length)] | |
| i = length - 1 | |
| while i >= 0: | |
| char1 = strinput[i] | |
| n = i - 1 | |
| arr[i] = chr(strinput(length) ^ ord(char1) ^ first_key) | |
| if n < 0: | |
| break | |
| i = n - 1 | |
| arr[n] = chr(sord(strinput[n]) ^ second_key) | |
| return ''.join(arr) | |
| def get_string(addr): | |
| out = "" | |
| while True: | |
| if Byte(addr) != 0: | |
| out += chr(Byte(addr)) | |
| else: | |
| break | |
| addr += 1 | |
| return out | |
| def get_decryp_funcs(): | |
| l = [] | |
| for segea in Segments(): | |
| for funcea in Functions(segea, SegEnd(segea)): | |
| functionName = GetFunctionName(funcea) | |
| if "IIIiiIiIIi" in functionName: | |
| cmt = GetType(funcea) | |
| #print cmt | |
| fc = cmt.split("(") | |
| sc = fc[1].split(")") | |
| tc = sc[0].split(",") | |
| #print tc[0] | |
| if len(tc) ==1: | |
| if tc[0] == "java.lang.String *arg0" : | |
| if idc.GetMnem(funcea+138) == "xor-int/lit8" or idc.GetMnem(funcea+136) == "xor-int/lit8": | |
| print "HORRAY",functionName ,hex(funcea) | |
| l.append(funcea) | |
| return l | |
| def handle_function(func_start,f,s): | |
| c = 0 | |
| for h in FuncItems(func_start): | |
| for xref in XrefsTo(h, 0): | |
| c+=1 | |
| #print 'from', hex(xref.frm), 'to', hex(xref.to), | |
| inst = DecodePreviousInstruction(xref.frm) | |
| if type(inst) is NoneType: | |
| continue | |
| if(get_operand_type(inst.ea,1) != 9): | |
| continue | |
| st = get_string(get_name_ea(inst.ea,print_operand(inst.ea,1))) | |
| dec = socksl(st,f,s) | |
| print c,st,"-->",dec | |
| set_cmt(xref.frm,dec,1) | |
| def do_job(): | |
| l = get_decryp_funcs() | |
| print len(l) | |
| for funcea in l: | |
| print funcea | |
| if idc.GetMnem(funcea+138) == "xor-int/lit8": | |
| first = get_operand_value(funcea+138,2) | |
| #print funcea+138,first | |
| second = get_operand_value(funcea+138+32,2) | |
| #print funcea+138+32,second | |
| handle_function(funcea,first,second) | |
| if idc.GetMnem(funcea+136) == "xor-int/lit8": | |
| first = get_operand_value(funcea+136,2) | |
| #print funcea+136,first | |
| second = get_operand_value(funcea+136+30,2) | |
| #print funcea+136+30,second | |
| handle_function(funcea,first,second) | |
| def one_funct(funcea): | |
| print funcea | |
| if idc.GetMnem(funcea+138) == "xor-int/lit8": | |
| first = get_operand_value(funcea+138,2) | |
| print hex(funcea+138),first | |
| second = get_operand_value(funcea+138+32,2) | |
| print hex(funcea+138+32),second | |
| handle_function(funcea,first,second) | |
| if idc.GetMnem(funcea+136) == "xor-int/lit8": | |
| first = get_operand_value(funcea+136,2) | |
| print hex(funcea+136),first | |
| second = get_operand_value(funcea+136+30,2) | |
| print hex(funcea+136+30),second | |
| handle_function(funcea,first,second) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment