
Created Feb 1, 2016
decode from mad protector
import sys
import pefile
from StringIO import StringIO
from Crypto.Cipher import AES
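# Fixed 32-byte key (AES-256): the odd byte values 0x0F, 0x11, ... 0x4D.
K = ''.join(chr(x) for x in range(15, 0x4f, 2))


def decrypt(d):
    """Return `d` decrypted with AES in ECB mode under the fixed key `K`.

    `d` must be a whole number of 16-byte AES blocks; the cipher raises
    ValueError otherwise.
    """
    # NOTE(review): the listing as scraped reads `lambda d:,AES.MODE_ECB).decrypt(d)`,
    # which is a syntax error. `AES.new(K, ...)` is restored here because K is the
    # only key material defined in the file -- confirm against the original gist.
    return AES.new(K, AES.MODE_ECB).decrypt(d)


def chunks(l, n):
    """Split `l` into consecutive slices of length `n`; the last may be shorter."""
    return [l[x:x + n] for x in range(0, len(l), n)]


# Counter shown in decrypt_payload's log lines and incremented there.
IDX = 0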
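def decrypt_payload(d,off):
    """Decrypt one AES-ECB layer of `d`, starting at byte offset `off`.

    The first 16-byte block at `off` must decrypt to data starting with 'MZ',
    and the first 0x400 decrypted bytes must be accepted by pefile as a PE
    header. Only then is everything from `off` to the end of `d` decrypted.

    Returns a StringIO holding the decrypted bytes, or None when the data at
    `off` does not look like an encrypted PE.

    NOTE(review): the listing as scraped lost its indentation and some lines
    (a bare `return None` followed `pefile.PE(...)`, and the `for` loop had no
    body). The try/except, the `out.write` call and the placement of
    `IDX += 1` are reconstructed from the surrounding code -- confirm against
    the original gist.
    """
    global IDX
    block = 16  # AES block size; ECB decryption only accepts whole blocks

    # Fewer than one block left: nothing to test, and decrypt() would raise.
    if len(d) - off < block:
        return None
    if not decrypt(d[off:off + block]).startswith('MZ'):
        return None
    print('[%d][+] found encrypted MZ @ %X' % (IDX, off))

    # Decrypt up to 0x400 bytes of header, rounded down to a whole number of
    # blocks so that a short input does not make the cipher raise.
    hdr_len = min(0x400, len(d) - off)
    hdr_len -= hdr_len % block
    pe_hdr = decrypt(d[off:off + hdr_len])
    try:
        # Parsed only as a sanity check; the PE object itself is not used.
        pefile.PE(data=pe_hdr)
    except pefile.PEFormatError:
        return None
    print('[%d][+] OK its parsable, lets proceed' % IDX)

    out = StringIO()
    for c in chunks(d[off:], block):
        # A trailing partial block cannot be decrypted in ECB mode; it is
        # dropped rather than aborting the whole layer.
        if len(c) < block:
            break
        out.write(decrypt(c))
    IDX += 1
    return out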
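# Usage: <script> <packed_sample>
# Peels nested AES-ECB layers off the sample and writes the innermost result
# to <packed_sample>.dec.
if len(sys.argv) < 2:
    sys.exit('usage: %s <packed_sample>' % sys.argv[0])
path = sys.argv[1]
#off = int(sys.argv[2],16)
#size = int(sys.argv[3],16)
#cnt = 0

# Binary mode: in text mode on Windows, Python 2 translates line endings and
# stops reading at the first 0x1A byte, which corrupts the ciphertext.
with open(path, 'rb') as f:
    d = f.read()

# NOTE(review): ENC_HEADER is not defined anywhere in this listing as scraped.
# From its use it is the ciphertext marker of an encrypted 'MZ' header block;
# with a fixed key in ECB mode the same plaintext block always encrypts to the
# same bytes, which is what makes a plain substring search work. It must be
# defined before this point -- take the value from the original gist.
off = d.find(ENC_HEADER)
while off != -1:
    r = decrypt_payload(d, off)
    if r is None:
        print('[-] this is not a PE i was looking for...')
        # Without leaving the loop, r.getvalue() below would fail on None.
        # (The exit statement was lost in the scrape; `break` is assumed.)
        break
    # The decrypted layer becomes the input for the next round.
    d = r.getvalue()
    off = d.find(ENC_HEADER)

with open(path + '.dec', 'wb') as f:
    f.write(d)
print('[*] decrypted payload saved as %s' % (path + '.dec'))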