psrok1/malduck-isfb-jjparser.py

## malduck-isfb-jjparser.py
# pip install malduck
import malduck
import sys

p = malduck.procmem.from_file(sys.argv[1])

# Recover magic
p.patchp(0, b"MZ")
p.patchp(p.uint32p(0x3c), b"PE")

# Locate structs
ppe = malduck.procmempe.from_memory(p)
jj_struct_start = ppe.pe.sections[-1].get_file_offset() + 32

class JJStruct(malduck.Structure):
	_pack_ = 1
	_fields_ = [
		("Magic",  malduck.WORD),
		("Flags",  malduck.WORD),
		("XOR",    malduck.DWORD),
		("CRC32",  malduck.DWORD),
		("Offset", malduck.DWORD),
		("Size",   malduck.DWORD)
	]

# Extract
for jj_pos in ppe.findp(b"JJ", jj_struct_start, 128):
	# Get structure data
	jj_struct_data = p.readp(jj_pos, JJStruct.sizeof())
	# Parse structure
	jj_struct = JJStruct.parse(jj_struct_data)
	# Read blob
	blob = ppe.readp(jj_struct.Offset, jj_struct.Size)
	# Decompress aPLib and Print
	print("===")
	print(repr(malduck.aplib(blob)))
	# pip install malduck
	import malduck
	import sys

	p = malduck.procmem.from_file(sys.argv[1])

	# Recover magic
	p.patchp(0, b"MZ")
	p.patchp(p.uint32p(0x3c), b"PE")

	# Locate structs
	ppe = malduck.procmempe.from_memory(p)
	jj_struct_start = ppe.pe.sections[-1].get_file_offset() + 32

	class JJStruct(malduck.Structure):
	_pack_ = 1
	_fields_ = [
	("Magic", malduck.WORD),
	("Flags", malduck.WORD),
	("XOR", malduck.DWORD),
	("CRC32", malduck.DWORD),
	("Offset", malduck.DWORD),
	("Size", malduck.DWORD)
	]

	# Extract
	for jj_pos in ppe.findp(b"JJ", jj_struct_start, 128):
	# Get structure data
	jj_struct_data = p.readp(jj_pos, JJStruct.sizeof())
	# Parse structure
	jj_struct = JJStruct.parse(jj_struct_data)
	# Read blob
	blob = ppe.readp(jj_struct.Offset, jj_struct.Size)
	# Decompress aPLib and Print
	print("===")
	print(repr(malduck.aplib(blob)))