Skip to content

Instantly share code, notes, and snippets.

@hasherezade
Last active October 22, 2021 23:58
Show Gist options
  • Save hasherezade/2f09ae061b196ce16fce777472649346 to your computer and use it in GitHub Desktop.
Save hasherezade/2f09ae061b196ce16fce777472649346 to your computer and use it in GitHub Desktop.
Small utility do deobfuscate TrickBot strings
#include <stdio.h>
#include <windows.h>
#include "peconv.h"
/*
Requires a path to the original trick bot module: 0a7da84873f2a4fe0fcc58c88bbbe39d
*/
#define OFFSET_DECODE_LIST 0x10ab0 //decode_from_the_list
#define OFFSET_DECODE_STR 0x10b30 // decode_string
#define OFFSET_ENC_LIST 0x1EC24 // enc_string_list (the list of obfuscated strings)
int (__cdecl *decode_from_the_list)(DWORD string_index, char *output_buf) = nullptr;
int (__cdecl *decode_str)(char* input_buf, char *output_buf) = nullptr;
int main(int argc, char *argv[])
{
if (argc < 2) {
std::cerr << "Args: <path to the malware> [string to decode]" << std::endl;
system("pause");
return 0;
}
size_t v_size = 0;
char* mal_path = argv[1];
char* inp_str = nullptr;
if (argc >= 3) {
inp_str = argv[2];
}
std::cout << "Reading module from: " << mal_path << std::endl;
BYTE *malware = peconv::load_pe_executable(mal_path, v_size);
if (!malware) {
system("pause");
return -1;
}
std::cout << "Loaded" << std::endl;
char** enc_list = (char**)((ULONGLONG)malware + OFFSET_ENC_LIST);
ULONGLONG func_offset = (ULONGLONG)malware + OFFSET_DECODE_LIST;
decode_from_the_list = (int (__cdecl *) (DWORD, char*)) func_offset;
func_offset = (ULONGLONG)malware + OFFSET_DECODE_STR;
decode_str = (int (__cdecl *) (char*, char*)) func_offset;
char out_buf[0x1000] = { 0 };
if (inp_str != nullptr) {
DWORD res1 = decode_str(inp_str, out_buf);
if (res1 == 0) {
std::cerr << "[ERROR] Invalid input. Could not decode" << std::endl;
peconv::free_pe_buffer(malware, v_size);
return -1;
}
std::cout << out_buf << std::endl;
peconv::free_pe_buffer(malware, v_size);
system("pause");
return 0;
}
//if nothing supplied, decode the internal table
for (DWORD i = 1; true; i++) {
if (!peconv::validate_ptr(malware, v_size, enc_list[i], sizeof(PVOID))) {
break;
}
DWORD res1 = decode_str(enc_list[i], out_buf);
if (res1 == 0) {
break;
}
std::cout << i << " : " << out_buf << std::endl;
}
peconv::free_pe_buffer(malware, v_size);
system("pause");
return 0;
}
@hasherezade
Copy link
Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment