Decode (AES-ECB decrypt) the embedded PE payload from a "mad protector"-packed sample and write it out as `<sample>.dec`.
import sys
import pefile
from StringIO import StringIO
from Crypto.Cipher import AES
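# AES key: the 32 bytes 0x0f, 0x11, ..., 0x4d (every second value of
# range(15, 0x4f, 2)), i.e. a 256-bit key. Presumably the static key the
# protector embeds in every sample this script targets -- confirm against
# the sample before trusting a "not a PE" verdict.
K = ''.join(chr(x) for x in range(15, 0x4f, 2))


def decrypt(d):
    """Raw AES-256-ECB decrypt of ``d`` with the static key ``K``.

    ECB has no IV and no integrity check: a wrong key or a non-payload block
    decrypts to garbage instead of failing, so callers must validate the
    result themselves (this script looks for the 'MZ' magic).
    ``len(d)`` must be a multiple of 16 or the cipher raises ``ValueError``.
    """
    # The gist rendering dropped "AES.new(K" from this expression; K and
    # AES.MODE_ECB are the only inputs the original line references.
    return AES.new(K, AES.MODE_ECB).decrypt(d)


def chunks(l, n):
    """Split ``l`` into consecutive slices of length ``n``.

    The last slice is shorter than ``n`` when ``len(l)`` is not a multiple
    of ``n`` -- feeding such a tail to ``decrypt`` will fail.
    """
    return [l[x:x + n] for x in range(0, len(l), n)]


# Number of candidate payloads examined so far; decrypt_payload() bumps it
# and uses it as the log-line prefix.
IDX = 0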
def decrypt_payload(d,off):
# Try to decrypt the AES-ECB-encrypted PE that starts at byte offset `off`
# of the sample buffer `d`. Returns the decrypted bytes in a StringIO, or
# None when the data at `off` is not a parsable PE.
#
# NOTE(review): as rendered on the gist page this body has lost its
# indentation and at least a few statements (a try/except around
# pefile.PE, the write into `out` inside the chunk loop, and whatever
# happens when the first block is not 'MZ'). The comments below describe
# only the lines that are visible.
global IDX
out = StringIO()
# Cheap probe: decrypt a single AES block and look for the DOS magic.
# ECB gives no integrity check, so a wrong key just yields garbage here.
if decrypt(d[off:off+16]).startswith('MZ'):
print '[%d][+] found encrypted MZ @ %X'% (IDX,off)
# Decrypt the first 0x400 bytes and let pefile validate the headers.
# 0x400 is a multiple of 16, as the block cipher requires.
pe_hdr = decrypt(d[off:off+0x400])
pe = pefile.PE(data=pe_hdr)
# Presumably the except branch of a try around pefile.PE: a header pefile
# cannot parse means this is not the payload we want. TODO confirm.
return None
print '[%d][+] OK its parsable, lets proceed' % IDX
# Decrypt the remainder 16 bytes at a time. If len(d) - off is not a
# multiple of 16 the trailing chunk is short and decrypt() raises; the
# original likely bounded this by a size argument (see the commented-out
# argv parsing below) or relied on 16-byte-aligned input. TODO confirm.
for c in chunks(d[off:],16):
IDX +=1
return out
# Entry point: decrypt the packed sample given on the command line and save
# the result next to it as <path>.dec.
path = sys.argv[1]
#off = int(sys.argv[2],16)
#size = int(sys.argv[3],16)
#cnt = 0
# NOTE(review): text-mode open. On Windows the default mode translates
# line endings and stops at 0x1A, corrupting a binary sample; open with
# 'rb' (and the decrypt helpers expect raw str/bytes anyway).
with open(path) as f:
# NOTE(review): the statement that reads the sample into `d` (f.read())
# is missing from the rendered gist, as is the definition of ENC_HEADER --
# the byte pattern that marks the start of an encrypted payload. Neither
# can be reconstructed from this page.
off =d.find(ENC_HEADER)
# Peel layers: each decrypted payload is searched again for another marker,
# so nested protector layers are unwrapped until no marker remains.
while off != -1:
r= decrypt_payload(d,off)
if not r:
print '[-] this is not a PE i was looking for...'
# NOTE(review): with r None the next line raises AttributeError; a break
# (or resuming the search at off+1) presumably followed the print.
d = r.getvalue()
off =d.find(ENC_HEADER)
with open(path+'.dec','wb') as f:
# NOTE(review): the f.write(d) is missing from the rendering. The output is
# a live executable recovered from a malware sample -- run this only inside
# an isolated analysis VM and expect host AV to quarantine the .dec file.
print '[*] decrypted payload saved as',path+'.dec'