Decrypt Emotet String
from __future__ import print_function
import idc
import idaapi
import idautils
import flare_emu
import unicorn
# test sample https://www.virustotal.com/gui/file/c7a9609c212f275415e678ac7452f19aa9fbc39f9c1fd2708f43629edfd28a3e/detection
# Plaintext strings recovered by ins_hook, in the order the call sites were emulated.
decrypted_blocks = list()
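def ins_hook(unicornObject, address, instructionSize, userData, hook_addr=0x00401BF8):
    """flare_emu instruction hook: capture the decrypted string once the decryptor reaches *hook_addr*.

    At that instruction EAX holds the decrypted character count and EDI points
    at the decrypted UTF-16LE buffer in emulated memory (as observed in the
    test sample; pass a different hook_addr for other builds). The low byte of
    each UTF-16 code unit is appended as one string to the module-level
    ``decrypted_blocks`` list.

    Args:
        unicornObject: the unicorn engine instance driving the emulation.
        address: address of the instruction about to execute.
        instructionSize: size of that instruction (unused).
        userData: flare_emu user-data dict; ``userData["EmuHelper"]`` is used
            to read emulated memory.
        hook_addr: address at which to capture (defaults to the sample's 0x00401BF8).
    """
    global decrypted_blocks
    if address != hook_addr:
        return
    eh = userData["EmuHelper"]
    decrypted_len = unicornObject.reg_read(unicorn.x86_const.UC_X86_REG_EAX)
    print('string len:{}'.format(decrypted_len))
    decrypted_addr = unicornObject.reg_read(unicorn.x86_const.UC_X86_REG_EDI)
    print('#####################\n addr : {:08x}'.format(decrypted_addr))
    # Read one extra code unit (the terminator); only decrypted_len units are decoded below.
    buf = eh.getEmuBytes(decrypted_addr, (decrypted_len + 1) * 2)
    # bytearray() accepts both a Python 2 str and a Python 3 bytes object, so the
    # low byte of every UTF-16LE code unit is selected the same way on either
    # version (indexing a Py3 bytes object would yield ints, not characters).
    # Code points with a non-zero high byte are truncated to their low byte.
    low_bytes = bytearray(buf)[0:decrypted_len * 2:2]
    result = ''.join(chr(b) for b in low_bytes)
    decrypted_blocks.append(result)
    print('size:{} data:{}'.format(len(buf), result))
    print('#####################\n')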
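def iterateHook(eh, address, argv, userData):
    """flare_emu iterate callback: run once per cross-reference to the string decryptor.

    Reads the decryption key (ECX) and string length (EDX) as set up by the
    caller at *address*, then re-emulates the decrypt routine in a fresh
    EmuHelper with those registers and the first stack argument so that
    ``ins_hook`` can capture the plaintext into ``decrypted_blocks``.
    Nothing is returned.

    Args:
        eh: the flare_emu EmuHelper that reached the call site.
        address: address of the call instruction.
        argv: stack arguments recovered by flare_emu; argv[0] is passed through.
        userData: flare_emu user-data dict (unused).
    """
    decrypt_fun_name = 'DecryptString_401B60'
    print('\n0x{:08x}:call {}'.format(address, decrypt_fun_name))
    argv_hex = [hex(x) for x in argv]
    key = eh.getRegVal('ecx')
    len_ = eh.getRegVal('edx')
    print('-------------', hex(key), hex(len_), argv_hex)
    # A length this large means EDX was not resolved at this call site; skip it
    # rather than emulate a bogus read.
    if len_ > 1000:
        print('TOO LONG:{}'.format(len_))
        return
    if not argv:
        # flare_emu could not recover a stack argument for this call site.
        print('NO ARGS at 0x{:08x}'.format(address))
        return
    start = idc.get_name_ea_simple(decrypt_fun_name)
    if start == idc.BADADDR:
        print('decryptor {} not found in the IDB'.format(decrypt_fun_name))
        return
    myEH = flare_emu.EmuHelper()
    # stack[0] is the return-address slot, stack[1] the first argument.
    myEH.emulateRange(start,
                      registers={'ecx': key, 'edx': len_},
                      instructionHook=ins_hook, stack=[0, argv[0]])
    # Report the decryptor's return value (EAX) for correlation with ins_hook output.
    ret = myEH.getRegVal('eax')
    print('ret eax: 0x{:08x}'.format(ret))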
print(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>> start")
# Walk every cross-reference to the decryptor; iterateHook re-emulates each call site.
helper = flare_emu.EmuHelper()
decryptor = idc.get_name_ea_simple("DecryptString_401B60")
helper.iterate(decryptor, iterateHook)
# Second decryptor variant in the sample; enable to collect its strings as well.
# helper.iterate(idc.get_name_ea_simple("DecryptStirng_401AD0"), iterateHook)
print(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>> results")
print('\n'.join(decrypted_blocks))
print('end')