Created
May 31, 2020 01:39
-
-
Save herrcore/72b0d1e32f7f9b3c193fe368eb75c6f5 to your computer and use it in GitHub Desktop.
IDA Pro script for decrypting IRC worm strings, ref https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def decrypt(key, data): | |
| out = '' | |
| for d in data: | |
| for k in key: | |
| d = chr(ord(d) ^ ord(k)) | |
| out += chr(~ord(d) & 255) | |
| return out | |
| def decrypt_string(ea): | |
| key = 'I0L0v3Y0u0V1rUs' | |
| start_ea = ea | |
| data = '' | |
| ## Limit the string to 500 max | |
| for limit_count in range(500): | |
| b = get_bytes(ea, 1) | |
| if ord(b) == 0: | |
| ## End of the string data | |
| break | |
| data += b | |
| ea += 1 | |
| ## Decrypt the string | |
| out = decrypt(key, data) | |
| return out | |
| def decrypt_all(ea, ea_end): | |
| while ea <= ea_end: | |
| b = get_bytes(ea, 1) | |
| if ord(b) == 0: | |
| ea +=1 | |
| continue | |
| new_str = decrypt_string(ea) | |
| if is_ascii(new_str): | |
| print new_str | |
| replace_string(ea, new_str) | |
| ea += len(new_str) | |
| def is_ascii(s): | |
| return all(ord(c) < 128 for c in s) | |
| def replace_string(ea, new_str): | |
| ea_start = ea | |
| for s in new_str: | |
| patch_byte(ea, ord(s)) | |
| ea += 1 | |
| create_strlit(ea_start, idc.BADADDR) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment