decode from mad protector
import sys | |
import pefile | |
from StringIO import StringIO | |
from Crypto.Cipher import AES | |
K =''.join((chr(x) for x in range(15,0x4f,2))) | |
ENC_HEADER="\x23\x59\x90\x70\xe9\xc1\xec\x82\xb4\x87\xb3\x4e\x03\x10\x6c\x2e" | |
decrypt = lambda d: AES.new(K,AES.MODE_ECB).decrypt(d) | |
chunks = lambda l, n: [l[x: x+n] for x in xrange(0, len(l), n)] | |
IDX = 0 | |
def decrypt_payload(d,off): | |
global IDX | |
out = StringIO() | |
if decrypt(d[off:off+16]).startswith('MZ'): | |
print '[%d][+] found encrypted MZ @ %X'% (IDX,off) | |
try: | |
pe_hdr = decrypt(d[off:off+0x400]) | |
pe = pefile.PE(data=pe_hdr) | |
except: | |
return None | |
print '[%d][+] OK its parsable, lets proceed' % IDX | |
for c in chunks(d[off:],16): | |
out.write(decrypt(c)) | |
IDX +=1 | |
return out | |
path = sys.argv[1] | |
#off = int(sys.argv[2],16) | |
#size = int(sys.argv[3],16) | |
#cnt = 0 | |
with open(path) as f: | |
d=f.read() | |
off =d.find(ENC_HEADER) | |
while off != -1: | |
r= decrypt_payload(d,off) | |
if not r: | |
print '[-] this is not a PE i was looking for...' | |
sys.exit(1) | |
d = r.getvalue() | |
off =d.find(ENC_HEADER) | |
with open(path+'.dec','wb') as f: | |
f.write(d) | |
print '[*] decrypted payload saved as',path+'.dec' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment