"""
Deobfuscates log messages present in EQGRP StraitBizarre samples.
To use this plugin, you must label the logging function (0x7fff2a3f8d10 in
f0285338e59322079bafe5780e1a26ef0d5d62cc0138b0725bd7a37084d03204) `sbz_log`.
Author: netadr
Date: 2024-06-30
"""
import binaryninja
from binaryninja.commonil import Call, Constant
from binaryninja.highlevelil import HighLevelILVar
from binaryninja.plugin import PluginCommand
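def strlen(view, addr, max_len=None):
    """Return the length of the NUL-terminated byte string at ``addr``.

    Bytes are fetched one at a time through ``view.read_int(addr, 1)`` until a
    zero byte is seen; the terminator itself is not counted.

    Args:
        view: Binary Ninja ``BinaryView`` (anything exposing ``read_int``).
        addr: Address of the first byte of the string.
        max_len: Optional upper bound on the scan. Without it an unterminated
            string keeps reading byte by byte until ``read_int`` fails or a
            zero is finally hit; with it the scan stops at ``max_len`` bytes.

    Returns:
        Number of bytes before the first NUL, or ``max_len`` when the bound is
        reached first.
    """
    pos = 0
    # ``max_len is None`` keeps the historical unbounded behaviour.
    while max_len is None or pos < max_len:
        if view.read_int(addr + pos, 1) == 0:
            break
        pos += 1
    return pos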
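def deobfuscate_message_helper(key, buf):
    """Multiply every byte of ``buf`` by ``key`` modulo 256, in place.

    Each byte is transformed independently: ``buf[i] = (buf[i] * key) & 0xFF``.
    An empty buffer is a no-op (no unconditional ``buf[0]`` access).

    Args:
        key: Integer multiplier; only its product modulo 256 matters.
        buf: Mutable byte sequence (``bytearray``) that is rewritten in place.

    Returns:
        None; ``buf`` is modified in place.
    """
    for index, value in enumerate(buf):
        buf[index] = (value * key) & 0xFF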
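def deobfuscate_message_impl(view, addr):
    """Decode the NUL-terminated obfuscated string at ``addr`` and return it as text.

    Two passes are applied to the raw bytes:

    1. A reverse-running XOR chain. Walking from the end of the string toward
       its start, each output byte is ``following ^ this`` where ``following``
       is the raw byte just after it; the chain is seeded with the index of
       the first NUL after position 0 (i.e. the string length for a
       ``strlen``-sized read). A zero XOR result is replaced by ``following``.
    2. Each resulting byte is multiplied by ``0x8B`` modulo 256
       (``deobfuscate_message_helper``).

    Args:
        view: Binary Ninja ``BinaryView`` the bytes are read from.
        addr: Address of the first obfuscated byte.

    Returns:
        The decoded message as ``str``; ``""`` when the byte at ``addr`` is
        already NUL or nothing could be read.

    Raises:
        UnicodeDecodeError: if the decoded bytes are not pure ASCII, which
            usually means ``addr`` is not an obfuscated message.
        ValueError: NOTE(review): a message of 256+ bytes seeds the chain with
            a value that does not fit in a byte, so the ``bytearray`` store
            raises; whether the original routine masks the seed is not known
            from this code.
    """
    size = strlen(view, addr)
    if size == 0:
        return ""
    buf = view.read(addr, size)
    if not buf:
        return ""
    length = len(buf)
    # Seed = first NUL index in [1, length), else length. For a strlen-sized
    # read there is no interior NUL, so the seed is simply the length.
    seed = next((i for i in range(1, length) if buf[i] == 0), length)
    result = bytearray(length)
    following = seed
    for index in range(seed - 1, -1, -1):
        current = buf[index]
        mixed = following ^ current
        # A zero result is replaced by the following raw byte.
        result[index] = mixed if mixed != 0 else following
        following = current
    deobfuscate_message_helper(0x8B, result)
    return result.decode("ascii")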
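def deobfuscate(view, ref, loc, xref):
    """Decode the obfuscated string at ``loc`` and record it at ``xref``.

    The clear text is printed (prefixed with the hex address) and attached as
    a comment at ``xref`` in ``ref.function``. A string that fails to decode
    is reported instead of propagating, so one bad call site does not abort
    the rest of the batch.

    Args:
        view: Binary Ninja ``BinaryView`` the string is read from.
        ref: Call-site reference; ``ref.function`` receives the comment.
        loc: Address of the obfuscated message bytes.
        xref: Address (call site or variable definition) the comment is set at.
    """
    try:
        clear = deobfuscate_message_impl(view, loc)
    except (ValueError, IndexError) as exc:
        # UnicodeDecodeError is a ValueError (non-ASCII output); IndexError
        # covers malformed/empty input. Report and continue with other sites.
        print(f"{xref:#x}: failed to deobfuscate string at {loc:#x}: {exc}")
        return
    print(f"{xref:#x}: {clear}")
    ref.function.set_comment_at(xref, clear)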
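def handle_variable_ref(view, ref, call):
    """Deobfuscate the message behind a variable passed as ``sbz_log``'s fourth argument.

    Looks up every HLIL definition of that variable in the calling function
    and deobfuscates the constant each definition assigns, placing the result
    as a comment at the definition's address. Definitions whose source is not
    a constant are skipped instead of failing on ``.constant``.

    Args:
        view: Binary Ninja ``BinaryView`` containing the strings.
        ref: Call-site reference whose ``function`` owns the variable.
        call: HLIL call instruction; ``call.params[3]`` must be an HLIL variable.
    """
    hlil_function = ref.function.hlil
    for definition in hlil_function.get_var_definitions(call.params[3].var):
        source = getattr(definition, "src", None)
        if not isinstance(source, Constant):
            # Only a direct constant assignment yields an address to decode.
            continue
        deobfuscate(view, ref, source.constant, definition.address)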
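def command_messages(view: binaryninja.BinaryView):
    """Deobfuscate every SBZ log message passed to ``sbz_log`` in ``view``.

    Walks all call sites of the function labelled ``sbz_log`` and, for HLIL
    calls with at least four arguments, decodes the fourth one: directly when
    it is a constant address, or through its HLIL definitions when it is a
    variable. Each decoded message is printed and attached as a comment.

    Args:
        view: The ``BinaryView`` to process. The logging function must have
            been named ``sbz_log`` beforehand (see the module docstring).
    """
    functions = view.get_functions_by_name("sbz_log")
    if not functions:
        # Without the label there is nothing to walk; say so rather than
        # finishing silently.
        print("No function named 'sbz_log' found; label the logging function first.")
        return
    for function in functions:
        for ref in function.caller_sites:
            call = ref.hlil
            if not isinstance(call, Call) or len(call.params) < 4:
                continue
            message_arg = call.params[3]
            if isinstance(message_arg, Constant):
                deobfuscate(view, ref, message_arg.constant, call.address)
            elif isinstance(message_arg, HighLevelILVar):
                handle_variable_ref(view, ref, call)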
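# Plugin registration. The backslash in the name is Binary Ninja's menu-path
# separator; it is written escaped because the bare "\D" form is an invalid
# escape sequence that Python warns about (the resulting string is identical).
PluginCommand.register(
    "SBZ\\Deobfuscate Log Messages",
    "Deobfuscate all SBZ log messages",
    command_messages,
)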