IDAPython encrypted string decoder for DROPSHOT - APT33
import ida_bytes
import idaapi
import idc
from idautils import *
decryptTable = 0x41BA3C
decryptTableEnd = 0x41BA77
decryptFunction = 0x4012A0
# Get the translation table
bytes = idaapi.get_many_bytes(decryptTable, decryptTable-decryptTableEnd)
# Find xrefs to this function
for ref in CodeRefsTo(decryptFunction, 1):
# Get the first parameter passed, which is a string to decrypt
enc = idc.prev_head(ref)
# Get the second parameter passed, which is the length of the string
len = idc.prev_head(enc)
encValue = DecodeInstruction(enc)
lenValue = DecodeInstruction(len)
s = ""
# Simply substitute from the decryptTable
for i in range(0,lenValue.Operands[0].value):
s += bytes[ida_bytes.get_word(encValue.Operands[0].value + (i * 2))]
print "Decrypted: " + s
MakeComm(ref, "Decrypted: " + s)