IDA Python script for Emotet String decryption ref:EEB13CD51FAA7C23D9A40241D03BEB239626FBF3EFE1DBBFA3994FC10DEA0827
import idaapi, idc, idautils
import struct
def xor_decrypt(data, key):
    """Return *data* XORed byte-wise with *key*, cycling the key as needed.

    Both arguments are byte sequences; the result is a new ``bytes`` of the
    same length as *data*. An empty *key* with non-empty *data* raises
    ZeroDivisionError, exactly like the modulo in the original loop.
    """
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))
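def decrypt(ea):
    """Decrypt one Emotet string blob at *ea* and patch the plaintext into the IDB.

    Blob layout as read here: a 4-byte XOR key, a 4-byte value that XORs with
    the key to give the plaintext length, then ``str_len`` encrypted bytes.
    Returns None in every case; the effects are the print and, when the
    plaintext is pure ASCII, the in-place patch via ``replace_string``.
    Addresses that do not look like a blob are skipped silently, since the
    caller probes every referenced address in a range.
    """
    key = idc.get_bytes(ea, 4)
    xor_len = idc.get_bytes(ea + 4, 4)
    # get_bytes returns None for an unreadable address; bail out instead of
    # letting struct.unpack raise on None or a short read.
    if key is None or xor_len is None or len(key) != 4 or len(xor_len) != 4:
        return
    str_len = struct.unpack('<I', key)[0] ^ struct.unpack('<I', xor_len)[0]
    # Sanity check for length: a zero length would still overwrite the key
    # byte with a terminator, and an oversized length is almost certainly a
    # false positive from the blind scan.
    if str_len == 0 or str_len > 1000:
        return
    data = idc.get_bytes(ea + 8, str_len)
    if data is None or len(data) != str_len:
        return
    ptxt_data = xor_decrypt(data, key)
    print(ptxt_data)
    # Only ASCII output is written back; the NUL lets create_strlit size it.
    if is_ascii(ptxt_data):
        replace_string(ea, ptxt_data + b'\x00')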
def is_ascii(s):
    """Return True when every byte value in *s* is below 0x80.

    Empty input counts as ASCII. Control bytes (including NUL) are accepted,
    so this checks the 7-bit range, not printability.
    """
    return not any(c >= 128 for c in s)
def replace_string(ea, new_str):
    """Overwrite the bytes at *ea* with *new_str* in the IDB and mark them as a string.

    The patch goes into the database, not the file on disk. ``create_strlit``
    is called with ``BADADDR`` as the length so IDA determines the string's
    extent itself; the caller is expected to append the NUL terminator.
    """
    for offset, value in enumerate(new_str):
        patch_byte(ea + offset, value)
    create_strlit(ea, idc.BADADDR)
# Walk [ea, ea_end) four bytes at a time and try to decrypt every address
# that has at least one cross-reference. `ea` and `ea_end` are not defined
# in this listing; they must be set to the scan range before this runs.
while ea < ea_end:
    if any(True for _ in idautils.XrefsTo(ea)):
        decrypt(ea)
    ea += 4