Created
November 23, 2016 23:34
Panda Banker string decrypt https://github.com/tildedennis/malware/tree/master/panda_banker
# Panda Banker string decryption (IDAPython). Each 8-byte entry of the
# encrypted-strings table holds: key byte at +0, u16 length at +2,
# u32 pointer to the ciphertext at +4.
import idc

start = 0x0041A558  # first table entry in .rdata; adjust per sample
end = 0x0041B1E8    # one past the last entry

for ptr in range(start, end, 8):
    key = idc.Byte(ptr)           # IDA 7+: idc.get_wide_byte
    length = idc.Word(ptr + 2)    # IDA 7+: idc.get_wide_word
    ptr_str = idc.Dword(ptr + 4)  # IDA 7+: idc.get_wide_dword
    out = ''
    for i in range(length):
        # per-byte transform: (key ^ index ^ ciphertext) ^ 0xFF
        out += chr(((key ^ i ^ idc.Byte(ptr_str + i)) ^ 0xff) & 0xff)
    print(out)
Not polished, just the algorithm.
Only works for unpacked samples.
Replace start, end with the addresses of the .rdata encrypted strings table (pointer in the string decryption function).
YARA key to locate the string decrypt function: $a = {0F B7 D3 F6 D1 32 0C 10 32 CB 43}
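The same table walk and per-byte transform, as an added example that is not part of the gist: it runs outside IDA on a raw dump of the unpacked module, flags entries whose string pointer falls outside the dump (the symptom you see when start/end are wrong or the sample is still packed), and builds its own constructed test image since no real sample data is included here. The table layout and the 0x400000/0x400100 addresses of the test image are assumptions for the example.

```python
import struct

# One table entry, as the IDA script above reads it: key byte at +0, one
# pad byte, u16 length at +2, u32 virtual address of the ciphertext at +4.
ENTRY = struct.Struct("<BBHI")

def panda_xor(key, data):
    """Per-byte transform out[i] = (key ^ i ^ data[i]) ^ 0xFF.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    return bytes(((key ^ i ^ b) ^ 0xFF) & 0xFF for i, b in enumerate(data))

def decrypt_table(image, image_base, start, end):
    """Walk the string table in a dumped module (bytes mapped at image_base).
    start/end are the table's virtual addresses, as in the script. Returns a
    list of (entry_va, plaintext or None); None marks an entry whose pointer
    does not land inside the dump (wrong base/range, or still packed)."""
    out = []
    for va in range(start, end, ENTRY.size):
        key, _pad, length, str_va = ENTRY.unpack_from(image, va - image_base)
        off = str_va - image_base
        if off < 0 or off + length > len(image):
            out.append((va, None))
            continue
        out.append((va, panda_xor(key, image[off:off + length])))
    return out

def build_sample(strings, image_base=0x400000, table_va=0x400100):
    """Constructed test image (not real sample data): the table at table_va,
    the ciphertext for each (key, plaintext) pair placed right after it."""
    table_size = ENTRY.size * len(strings)
    entries, blob = bytearray(), bytearray()
    for key, s in strings:
        str_va = table_va + table_size + len(blob)
        entries += ENTRY.pack(key, 0, len(s), str_va)
        blob += panda_xor(key, s)
    image = bytearray(table_va - image_base) + entries + blob
    return bytes(image), table_va, table_va + table_size

if __name__ == "__main__":
    SAMPLE = [(0x5A, b"GetProcAddress\x00"), (0x13, b"%s\\%s.exe\x00")]
    image, start, end = build_sample(SAMPLE)
    for va, plain in decrypt_table(image, 0x400000, start, end):
        print("%08X %r" % (va, plain))
```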