Qakbot string decode script for GHIDRA
#Qakbot string decode script for GHIDRA
#@author ChiamYJ
#@category [Malware Analysis] Qakbot
# These addresses are sample-specific and may differ in your binary.
# Program listing used at the end to attach EOL comments to call sites.
qak = currentProgram.getListing()
# Address of the instruction that receives the decoded-string comment; updated per xref.
comm_addr = 0
# Routine that Qakbot calls to decode a string (its xrefs are the call sites we walk).
dec_routine = toAddr(0x10010eff)
# Table of XOR-encrypted strings, indexed by the immediate passed to dec_routine.
enc_strings = toAddr(0x10028a50)
# XOR key bytes; crypt() indexes this table with (idx & 0x3f).
bytes_arr = toAddr(0x1002f188)
# Crypto function
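def crypt(idx, max_idx=0x373a):
    """Decode the Qakbot string that starts at offset idx of enc_strings.

    Each byte at enc_strings[idx] is XORed with bytes_arr[idx & 0x3f]
    (a 64-byte key cycle) until the XOR yields a NUL terminator.

    Args:
        idx: offset into enc_strings where the string starts; this is the
            immediate pushed before the call to dec_routine.
        max_idx: highest offset treated as inside the table (presumably the
            table length -- TODO confirm against the sample). Offsets past it
            are rejected and the decode loop stops there instead of reading
            past the blob.

    Returns:
        The decoded string, or None when idx is past the end of the table.

    Raises:
        Whatever getByte() raises when an address is not readable.
    """
    if idx > max_idx:
        return None
    decoded = []
    while idx <= max_idx:
        # getByte() hands back a signed Java byte; XOR of two of them can be
        # negative, which chr() rejects. Mask to a single unsigned byte.
        c = (getByte(enc_strings.add(idx)) ^ getByte(bytes_arr.add(idx & 0x3f))) & 0xff
        if c == 0:
            break
        decoded.append(chr(c))
        idx += 1
    return "".join(decoded)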
# Loop Through xrefs -> get prev instruction -> get value -> decrypt
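def _scalar_operand(inst, op_index):
    """Return the integer value of operand op_index of inst, or None.

    None is returned when inst is missing, the operand index is out of
    range, or the operand is not a scalar (e.g. a register or an address),
    so callers never have to catch an AttributeError/IndexError.
    """
    if inst is None or op_index >= inst.getNumOperands():
        return None
    ops = inst.getOpObjects(op_index)
    # Only scalar operands carry getValue(); registers/addresses do not.
    if len(ops) == 0 or not hasattr(ops[0], "getValue"):
        return None
    return ops[0].getValue()


def _find_string_index(call_inst):
    """Locate the immediate that feeds a call to dec_routine.

    Looks at the instruction before the call. Supported shapes:
      PUSH 0x1234                                -> operand 0 of the PUSH
      MOV dword ptr [ESP]=>local_c4, 0x321       -> operand 1 of the MOV
      MOV <non-scalar>; preceded by PUSH 0x1234  -> operand 0 of that PUSH

    Returns:
        (instruction, index) where instruction is the one carrying the
        immediate (and the one that gets the comment), or (None, None)
        when no immediate could be recovered.
    """
    prev_inst = getInstructionBefore(call_inst)
    if prev_inst is None:
        return None, None
    mnemonic = prev_inst.getMnemonicString()
    if mnemonic == "PUSH":
        return prev_inst, _scalar_operand(prev_inst, 0)
    if mnemonic == "MOV":
        idx = _scalar_operand(prev_inst, 1)
        if idx is not None:
            return prev_inst, idx
        # The MOV did not carry the immediate; look one instruction further
        # back for the PUSH that did.
        prev_inst_2 = getInstructionBefore(prev_inst)
        if prev_inst_2 is not None and prev_inst_2.getMnemonicString() == "PUSH":
            return prev_inst_2, _scalar_operand(prev_inst_2, 0)
    return None, None


# Loop through xrefs -> get prev instruction -> get value -> decrypt -> comment.
xrefs = getReferencesTo(dec_routine)
for xref in xrefs:
    callee = xref.getFromAddress()
    inst = getInstructionAt(callee)
    if inst is None:
        # Reference from data (or undisassembled bytes), not a call site.
        continue
    src_inst, str_idx = _find_string_index(inst)
    if src_inst is None or str_idx is None:
        # Nothing to decode here; never reuse comm_addr/dec_str from an
        # earlier iteration, which would stamp a stale string on this site.
        continue
    try:
        dec_str = crypt(str_idx)
    except Exception:
        # Best-effort: an unreadable address for one site must not abort
        # the pass over the remaining xrefs.
        continue
    if dec_str is None:
        # Index outside the string table; leave any existing comment alone
        # rather than clearing it with setComment(..., None).
        continue
    comm_addr = src_inst.getAddress()
    # Set Comment
    codeUnit = qak.getCodeUnitAt(comm_addr)
    codeUnit.setComment(codeUnit.EOL_COMMENT, dec_str)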