Skip to content

Instantly share code, notes, and snippets.

@mak
Created February 1, 2016 19:05
Show Gist options
  • Save mak/d049a307a271052dc740 to your computer and use it in GitHub Desktop.
Save mak/d049a307a271052dc740 to your computer and use it in GitHub Desktop.
decode from mad protector
import sys
import pefile
from StringIO import StringIO
from Crypto.Cipher import AES
K =''.join((chr(x) for x in range(15,0x4f,2)))
ENC_HEADER="\x23\x59\x90\x70\xe9\xc1\xec\x82\xb4\x87\xb3\x4e\x03\x10\x6c\x2e"
decrypt = lambda d: AES.new(K,AES.MODE_ECB).decrypt(d)
chunks = lambda l, n: [l[x: x+n] for x in xrange(0, len(l), n)]
IDX = 0
def decrypt_payload(d,off):
global IDX
out = StringIO()
if decrypt(d[off:off+16]).startswith('MZ'):
print '[%d][+] found encrypted MZ @ %X'% (IDX,off)
try:
pe_hdr = decrypt(d[off:off+0x400])
pe = pefile.PE(data=pe_hdr)
except:
return None
print '[%d][+] OK its parsable, lets proceed' % IDX
for c in chunks(d[off:],16):
out.write(decrypt(c))
IDX +=1
return out
path = sys.argv[1]
#off = int(sys.argv[2],16)
#size = int(sys.argv[3],16)
#cnt = 0
with open(path) as f:
d=f.read()
off =d.find(ENC_HEADER)
while off != -1:
r= decrypt_payload(d,off)
if not r:
print '[-] this is not a PE i was looking for...'
sys.exit(1)
d = r.getvalue()
off =d.find(ENC_HEADER)
with open(path+'.dec','wb') as f:
f.write(d)
print '[*] decrypted payload saved as',path+'.dec'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment