Last active
August 15, 2019 07:50
-
-
Save eybisi/bc5ef295094769b9a3a8aa3a38c894fa to your computer and use it in GitHub Desktop.
hydra dropper string decryption script for ghidra
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ghidra.app.script.GhidraScript | |
| import exceptions | |
| from ghidra.program.model.address import AddressOutOfBoundsException | |
| from ghidra.program.model.symbol import SourceType | |
| def xor_block(faddr,saddr,size): | |
| first_block = getBytes(toAddr(faddr),size).tolist() | |
| second_block = getBytes(toAddr(saddr),size).tolist() | |
| #print(saddr,faddr) | |
| a = "" | |
| #print(toAddr(fb),toAddr(sb),size) | |
| for i in range(len(first_block)): | |
| zz = (first_block[i]-0x34)&0xff | |
| #print(zz^second_block[i]&0xff) | |
| a += chr(zz^second_block[i]&0xff) | |
| return a[:-t] | |
| def block(addr): | |
| if addr == 0x75877: | |
| return 0x00075a31 | |
| #print(hex(addr)) | |
| xrefs = getReferencesTo(toAddr(addr)) | |
| if len(xrefs) ==0: | |
| return addr+1 | |
| if len(xrefs) == 2: | |
| first_mov = xrefs[1].getFromAddress() | |
| else: | |
| first_mov = xrefs[0].getFromAddress() | |
| ## we know first block, go to next mov and get analysis ref | |
| try: | |
| second_inst = getInstructionAt(first_mov.add(14)) | |
| if second_inst == None: | |
| #print(first_mov) | |
| ## we already been here or will be get size and move out | |
| inst = getInstructionAt(first_mov.add(32)) | |
| block_size = inst.getByte(2) | |
| return addr+block_size | |
| second_mov_addr = first_mov.add(14) | |
| inst = getInstructionAt(first_mov.add(0x2e)) | |
| except AddressOutOfBoundsException as e: | |
| print("Found last xor block exiting..") | |
| exit() | |
| second_block_ref = getReferencesFrom(second_mov_addr) | |
| second_addr = second_block_ref[0].getToAddress() | |
| block_size = inst.getByte(2) | |
| dec_str = xor_block(addr,int(second_addr.getOffset()),block_size) | |
| func = getFunctionBefore(first_mov) | |
| new_name = "dec_"+dec_str[:-1] | |
| #func.setName(new_name,SourceType.USER_DEFINED) | |
| print("Block : {} , func : {}, dec string : {}".format(hex(addr),func.getEntryPoint(),dec_str)) | |
| if second_addr.getOffset() - addr == block_size: | |
| return addr+2*block_size | |
| else: | |
| return addr+block_size | |
| def extract_encrypted_str(): | |
| curr_block_location = 0x00075641 | |
| #0x00034141 | |
| for i in range(200): | |
| curr_block_location = block(curr_block_location) | |
| def run(): | |
| extract_encrypted_str() | |
| run() | |
| ''' | |
| hydra_v2.py> Running... | |
| Block : 0x75641 , func : 00021970, dec string : /gjvmrdr | |
| Block : 0x75675 , func : 000276b0, dec string : getAssets | |
| Block : 0x756ab , func : 000277e0, dec string : ()Landroid/content/res/AssetManager; | |
| Block : 0x75717 , func : 00029700, dec string : | |
| Block : 0x7573b , func : 00028f00, dec string : txjkjl.png | |
| Block : 0x75773 , func : 0002bbe0, dec string : android/graphics/BitmapFactory | |
| Block : 0x757d3 , func : 0002bd10, dec string : decodeByteArray | |
| Block : 0x75815 , func : 0002be40, dec string : ([BII)Landroid/graphics/Bitmap; | |
| Block : 0x75a31 , func : 00030ae0, dec string : /iwdvl.dex | |
| Block : 0x75a69 , func : 00030c10, dec string : /oat | |
| Block : 0x75a95 , func : 00030e60, dec string : w+ | |
| Block : 0x75abd , func : 000310b0, dec string : /gjvmrdr | |
| Block : 0x75af1 , func : 00034720, dec string : getClassLoader | |
| Block : 0x75b11 , func : 000478d0, dec string : openConnection | |
| Block : 0x75b31 , func : 0004af80, dec string : "countrycode": | |
| Block : 0x75b51 , func : 0004dcd0, dec string : getInputStream | |
| Block : 0x75b91 , func : 00034850, dec string : ()Ljava/lang/ClassLoader; | |
| Block : 0x75be7 , func : 00034980, dec string : dalvik/system/DexClassLoader | |
| Block : 0x75c43 , func : 00034ab0, dec string : <init> | |
| Block : 0x75c73 , func : 00034be0, dec string : (Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V | |
| Block : 0x75d37 , func : 00036cf0, dec string : rw | |
| Block : 0x75d5f , func : 00039fd0, dec string : . | |
| Block : 0x75d85 , func : 0003a100, dec string : .. | |
| Block : 0x75dad , func : 0003a230, dec string : %s/%s | |
| Block : 0x75ddb , func : 0003f460, dec string : loadClass | |
| Block : 0x75e11 , func : 0003f590, dec string : (Ljava/lang/String;)Ljava/lang/Class; | |
| Block : 0x75e7f , func : 0003e420, dec string : moonlight.loader.sdk.ActvImpl | |
| Block : 0x75edd , func : 0003e5b0, dec string : moonlight.loader.sdk.HelpImpl | |
| Block : 0x75f3b , func : 0003e740, dec string : moonlight.loader.sdk.KeepImpl | |
| Block : 0x75f99 , func : 0003e8d0, dec string : moonlight.loader.sdk.RecvImpl | |
| Block : 0x75ff7 , func : 00041f10, dec string : moonlight.loader.sdk.SdkBuilder | |
| Block : 0x76059 , func : 00042040, dec string : <init> | |
| Block : 0x76089 , func : 00042170, dec string : (Landroid/app/Application;)V | |
| Block : 0x760e5 , func : 00047540, dec string : java/net/URL | |
| Block : 0x76121 , func : 00047670, dec string : <init> | |
| Block : 0x76151 , func : 000477a0, dec string : (Ljava/lang/String;)V | |
| Block : 0x761bf , func : 00047a00, dec string : ()Ljava/net/URLConnection; | |
| Block : 0x76217 , func : 000466c0, dec string : http://ip-api.com/json | |
| Block : 0x76267 , func : 00048cc0, dec string : java/net/HttpURLConnection | |
| Block : 0x762bf , func : 00048df0, dec string : getResponseCode | |
| Block : 0x76301 , func : 00048f20, dec string : ()I | |
| Block : 0x7632b , func : 00049050, dec string : setUseCaches | |
| Block : 0x76367 , func : 00049180, dec string : (Z)V | |
| Block : 0x76393 , func : 000492b0, dec string : setConnectTimeout | |
| Block : 0x763d9 , func : 000493e0, dec string : (I)V | |
| Block : 0x76405 , func : 00049510, dec string : connect | |
| Block : 0x76437 , func : 00049640, dec string : ()V | |
| Block : 0x76461 , func : 00049770, dec string : disconnect | |
| Block : 0x76499 , func : 000498a0, dec string : ()V | |
| Block : 0x764e3 , func : 0004b0b0, dec string : tr | |
| Block : 0x7650b , func : 0004b240, dec string : ; | |
| Block : 0x76531 , func : 0004b370, dec string : google | |
| Block : 0x76561 , func : 0004b4a0, dec string : " | |
| Block : 0x76587 , func : 0004d810, dec string : java/net/HttpURLConnection | |
| Block : 0x765df , func : 0004d940, dec string : java/io/InputStream | |
| Block : 0x76629 , func : 0004da70, dec string : disconnect | |
| Block : 0x76661 , func : 0004dba0, dec string : ()V | |
| Block : 0x766ab , func : 0004de00, dec string : ()Ljava/io/InputStream; | |
| Block : 0x766fd , func : 0004df30, dec string : read | |
| Block : 0x76729 , func : 0004e060, dec string : ()I | |
| Block : 0x76753 , func : 0004e850, dec string : <init> | |
| Block : 0x76783 , func : 0004e980, dec string : (Landroid/app/Activity;)V | |
| Block : 0x767d9 , func : 0001dad0, dec string : create | |
| Block : 0x76809 , func : 0001dc00, dec string : (Landroid/os/Bundle;)V | |
| Block : 0x76859 , func : 0001dec0, dec string : start | |
| Block : 0x76887 , func : 0001dff0, dec string : ()V | |
| Block : 0x768b1 , func : 0001e250, dec string : stop | |
| Block : 0x768dd , func : 0001e380, dec string : ()V | |
| Block : 0x76907 , func : 0001e610, dec string : destroy | |
| Block : 0x76939 , func : 0001e740, dec string : ()V | |
| Block : 0x76963 , func : 0004ee20, dec string : <init> | |
| Block : 0x76993 , func : 0004ef50, dec string : (Landroid/app/Service;)V | |
| Block : 0x769e7 , func : 0001eb10, dec string : create | |
| Block : 0x76a17 , func : 0001ec40, dec string : ()V | |
| Block : 0x76a41 , func : 0001eeb0, dec string : start | |
| Block : 0x76a6f , func : 0001efe0, dec string : ()V | |
| Block : 0x76a99 , func : 0001f270, dec string : destroy | |
| Block : 0x76acb , func : 0001f3a0, dec string : ()V | |
| Block : 0x76af5 , func : 0004f3f0, dec string : <init> | |
| Block : 0x76b25 , func : 0004f520, dec string : (Landroid/accessibilityservice/AccessibilityService;)V | |
| Block : 0x76bb5 , func : 0001f770, dec string : connected | |
| Block : 0x76beb , func : 0001f8a0, dec string : ()V | |
| Block : 0x76c15 , func : 0001fb10, dec string : event | |
| Block : 0x76c43 , func : 0001fc40, dec string : (Landroid/view/accessibility/AccessibilityEvent;)V | |
| Block : 0x76ccb , func : 0001fed0, dec string : interrupted | |
| Block : 0x76d05 , func : 00020000, dec string : ()V | |
| Block : 0x76d2f , func : 00020270, dec string : receive | |
| Block : 0x76d61 , func : 000203a0, dec string : (Landroid/content/Context;Landroid/content/Intent;)V | |
| Found last xor block exiting.. | |
| ''' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment