| class ZeusVMToC: | |
| def __init__(self, diasm_file, output_file=None): | |
| self.diasm_file = diasm_file | |
| self.output_file = output_file | |
| self.line_num = 0 | |
| self.data_ptr_mov = 0 | |
| def tokenize(self): | |
| with open(self.diasm_file, 'r') as f: |
| from enum import Enum | |
| class HandlerType(Enum): | |
| Zero = 0 | |
| Shuffle = 1 | |
| Rc4 = 2 | |
| Imm = 3 | |
| RegReg = 4 | |
| RegImm = 5 | |
| Reg = 6 |
This Python script is designed to handle JMP deobfuscation.
It will sqash unneeded unconditional jmps and create new blocks, relocates blocks of code, adjusts relative addresses, and aligns blocks with padding.
Inspired by http://hooked-on-mnemonics.blogspot.com/2012/10/simple-deobfuscation-of-code.html
| import time | |
| from typing import List | |
| import pefile | |
| from capstone import * | |
| from capstone.x86 import * | |
| import re | |
| import struct | |
| # SAMPLE_PATH = 'bin/enc_string_test.bin32' | |
| SAMPLE_PATH = 'bin/2cd2f077ca597ad0ef234a357ea71558d5e039da9df9958d0b8bd0efa92e74c9.bin32' |
| #pragma once | |
| #include <stdint.h> | |
| #include "win_helper.h" | |
| namespace poc_kit | |
| { | |
| namespace pattern | |
| { |
| int __stdcall sub_10001100(_DWORD *a1, unsigned int a2, unsigned int a3) | |
| { | |
| _DWORD *v3; // edi | |
| unsigned int v4; // ebx | |
| unsigned int v5; // esi | |
| int v6; // edx | |
| unsigned int v7; // eax | |
| int v8; // ecx | |
| unsigned int v9; // edx | |
| unsigned __int16 *v10; // edx |
| import idautils | |
| import idaapi | |
| import ida_bytes | |
| import ida_search | |
| import ida_segment | |
| import ida_nalt | |
| def find_function(pattern): | |
| text = ida_segment.get_segm_by_name('.text') | |
| return ida_search.find_binary(text.start_ea, text.end_ea, pattern, 16, ida_search.SEARCH_DOWN) |
| import struct | |
| def extract_stage3(stage3_buffer): | |
| # struct stage3_header | |
| # { | |
| # uint32_t magic; | |
| # uint16_t block_count; | |
| # uint16_t header_size; | |
| # uint32_t entry_offset; |