
herrcore / revil_strings.py
Created April 19, 2021 06:02 — forked from OALabs/revil_strings.py
Decrypt REvil ransomware strings with IDA Python
import idaapi, idc, idautils
class DecryptorError(Exception):
    """Project-specific exception type for the REvil string decryptor.

    Plain subclass of Exception with no extra state; the code that raises it
    is not part of this excerpt, so treat it as an opaque "decryption failed"
    signal callers can catch separately from other errors.
    """
def rc4crypt(key, data):
x = 0
box = range(256)
herrcore / simple_ast.py
Created January 24, 2021 03:34
Simple AST implementation from https://www.youtube.com/watch?v=kzDuHh6kolk - tutorial by Jack Mott
#!/usr/bin/env python2.7
#####################################################################################
##
## Simple Abstract Syntax Tree Example for Tokens x, const, add, sub
##
## Reference: https://www.youtube.com/watch?v=kzDuHh6kolk - tutorial by Jack Mott
##
#####################################################################################
herrcore / prnloader.py
Created December 10, 2020 04:56
Decryptor for PrnLoader
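def decrypt(data, video):
    """XOR-decode a PrnLoader payload against bytes of its carrier video.

    Only the first 0xA00000 bytes of `video` are used as key material.  That
    window is divided evenly across the payload (integer division), and byte
    i of `data` is XORed with the carrier byte at `stride * i`.  When the
    window is shorter than `data` the stride is 0, so every byte is XORed
    with `video[0]` -- this matches the original code and is presumably what
    the loader itself does; confirm against the sample before relying on it.

    Args:
        data: encrypted payload as a str of single-character "bytes".
        video: carrier file contents as a str; must be non-empty whenever
            `data` is non-empty (otherwise `video[0]` raises IndexError, as
            before).

    Returns:
        The decoded payload as a str of the same length as `data`.

    Note: a second `decrypt(key, data)` is defined later in this file and
    shadows this one at import time; rename one of them before using the
    module as a library.
    """
    if not data:
        # Nothing to decode; also avoids the division by zero below.
        return ''
    video_len = min(len(video), 0xa00000)
    # Integer division: the original relied on Python 2's "/" on ints; under
    # Python 3 "/" would yield a float and break the indexing below.
    stride = video_len // len(data)
    return ''.join(chr(ord(c) ^ ord(video[stride * i]))
                   for i, c in enumerate(data))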
def decrypt(key, data):
    """Decode a PrnLoader string: XOR each byte with the key, then invert it.

    Every byte of `data` is XORed with every byte of `key` in turn and the
    result is bitwise-NOTed and masked to 8 bits.  Because XOR is
    associative, folding `key` into a single byte up front produces exactly
    the same output as applying the key bytes one at a time.

    Args:
        key: key material as a str; an empty key makes the XOR step a no-op.
        data: encoded text as a str of single-character "bytes".

    Returns:
        The decoded text as a str of the same length as `data`.
    """
    folded = 0
    for k in key:
        folded ^= ord(k)
    decoded = []
    for c in data:
        decoded.append(chr((~(ord(c) ^ folded)) & 0xff))
    return ''.join(decoded)
def decrypt_string(ea):
herrcore / AdWindDecryptor.py
Created March 12, 2018 03:24
Python decryptor for newer AdWind config file - replicated from this Java version https://github.com/mhelwig/adwind-decryptor
#!/usr/local/bin/env python
########################################################################################################
##
## Decrypts the AdWind configuration files!
## ** May also work for other files **
##
##
## All credit to Michael Helwig for the original Java implementation:
## https://github.com/mhelwig/adwind-decryptor
herrcore / gootkit_packer_string_decrypt.py
Created March 3, 2018 22:35
Simple string decryptor for Gootkit packer (IDAPython script)
import idautils
import idaapi
import idc
def string_decrypt(data_ea, data_len):
data = idc.GetManyBytes(data_ea, data_len)
key = '89798798798g79er$'
out = 'str_'
for i in range(0 , len(data)):
herrcore / HexCopy.py
Last active November 11, 2021 10:57
IDA Plugin for quickly copying disassembly as encoded hex bytes (updated for IDA 7xx) - moved https://github.com/OALabs/hexcopy-ida
Moved: https://github.com/OALabs/hexcopy-ida
herrcore / ida_PYKSPA_hide_junk.py
Last active July 29, 2021 08:54
IDA script to hide junk code for PYKSPA malware
################################################################################
##
## Junk Hide for PYKSPA
##
## Author: @herrcore
##
## Hide junk code:
## mov al <something>
## mov al <something>
## mov al <something>
herrcore / ida_memdump.py
Created November 13, 2017 03:38
Dump a blob of memory into a file - IDA Pro script
import idaapi
import idautils
import idc
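def memdump(ea, size, file):
    """Write `size` bytes of the IDA database starting at `ea` to `file`.

    Args:
        ea: start address within the database.
        size: number of bytes to read from `ea`.
        file: path of the output file; created/truncated and written in
            binary mode.

    Raises:
        IOError: if the read does not yield exactly `size` bytes (for
            example because the range is not loaded).  The original passed
            the failed read straight to write(), which either raised an
            unrelated TypeError or silently produced a short dump.
    """
    data = idc.GetManyBytes(ea, size)
    # Guard against a failed (None) or unexpectedly short read before
    # trusting the dump -- a truncated file is worse than a loud failure.
    if data is None or len(data) != size:
        got = 0 if data is None else len(data)
        raise IOError("memdump: read %d of %d bytes at 0x%X" % (got, size, ea))
    with open(file, "wb") as fp:
        fp.write(data)
    print("Memdump Success!")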
herrcore / SandBoxTest.cpp
Created November 6, 2017 02:12
Test code for the Open Analysis Live! sandbox tutorial.
// SandBoxTest.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <strsafe.h>
#include <string>
using namespace std;