@xpn
Created September 20, 2017 22:30
IDAPython encrypted string decoder for DROPSHOT - APT33
import idc
import idaapi
import ida_bytes
from idautils import CodeRefsTo, DecodeInstruction

# Hard-coded addresses from the sample this script was written for
decryptTable = 0x41BA3C
decryptTableEnd = 0x41BA77
decryptFunction = 0x4012A0

# Get the translation table (length is end - start, not start - end)
table = bytearray(idaapi.get_many_bytes(decryptTable, decryptTableEnd - decryptTable))

# Find xrefs to the decrypt function
for ref in CodeRefsTo(decryptFunction, 1):
    # Get the first parameter passed, which is the string to decrypt
    enc = idc.prev_head(ref)
    # Get the second parameter passed, which is the length of the string
    lenAddr = idc.prev_head(enc)
    encValue = DecodeInstruction(enc)
    lenValue = DecodeInstruction(lenAddr)
    # Skip call sites where the argument instructions could not be decoded
    if encValue is None or lenValue is None:
        continue

    s = ""
    # Simply substitute from the translation table: each encrypted
    # character is a 16-bit index into the table
    for i in range(0, lenValue.Operands[0].value):
        s += chr(table[ida_bytes.get_word(encValue.Operands[0].value + (i * 2))])

    print("Decrypted: " + s)
    idc.MakeComm(ref, "Decrypted: " + s)