We get two PE files, evil.exe and mypacker.exe. Looking at evil.exe, we can follow the invoke_main() function up to `undefined8 FUN_1400117f0(void)`.
from unicorn import * | |
from unicorn.x86_const import * | |
from capstone import * | |
from pwn import * | |
import copy | |
from z3 import * | |
import sys | |
import time | |
# All-ones 64-bit value (2**64 - 1), i.e. 0xffffffffffffffff. Despite the
# C-style name this is the 64-bit limit, not C's 32-bit UINT_MAX, so do not
# assume a 32-bit width where it is used.
UINT_MAX = (1 << 64) - 1
from base64 import b64decode | |
from Crypto.Cipher import ARC4 | |
# Alternate blob the author left commented out; it appears to follow the same
# 12-character-key + base64(hex) layout as the active one below.
#s = "mpntingadxedMTBjMDc2NGZiNDNiOTYzMjk3NjhkZTRmM2ZlOWMyMGE5NDAwMGUwMzFmMmQ0ZGIxMDdlOGY3ODE4ZWJlMGVhNzlhNTQ="
# Embedded string blob (presumably lifted from evil.exe). Written as two
# adjacent literals so the 12-character RC4 key prefix is visually separate
# from the base64-encoded hex ciphertext that follows it (see decrypt_string);
# Python joins them into the single original string.
s = (
    "wfycyqhbrwfx"
    "MWFjMWYxOGM1MjljZDI1M2UxNjUzNDY2ZTRlNDYwNDk5MWUxYjc2OTVjODc2YWYxOTI0YTgxYzUwMWQ4NGUzZGIxZjYwMGVjZWViNDhkYTYyMTkyNjQ0MjllYzhhMDUyZjg2MGM3NGEyYjZkYmU="
)
def decrypt_string(s: str):
    """Prepare RC4 decryption of one embedded string blob.

    Layout of ``s`` as this routine reads it: the first 12 characters are the
    RC4 key (taken as their byte encoding), and everything after them is
    base64 whose decoded text is a hex string of the ciphertext.

    Because the key travels inside the blob itself, this scheme is string
    obfuscation rather than confidentiality: anyone holding the blob can
    recover the key and therefore the plaintext.

    Only the cipher setup is visible on this page -- the listing breaks off
    after ``ARC4.new``, so the decrypt call and the return value are not shown.
    """
    key = s[:12].encode()
    # base64 -> text -> hex digits -> raw ciphertext bytes
    data = bytes.fromhex(b64decode(s[12:]).decode())
    c = ARC4.new(key=key)
Useless code:
#include <stdio.h>
/* Do-nothing routine: emits a single `nop` instruction and returns.
 * Uses the __asm__ spelling, which GCC/Clang accept even in strict ISO mode
 * where the bare `asm` keyword is not available. */
void nop(void)
{
    __asm__("nop");
}