def get_string(addr, size):
    """Read ``size`` bytes from the IDA database, starting at ``addr``.

    Every address in ``[addr, addr + size)`` is fetched with IDA's ``Byte()``
    and turned into a one-character string with ``chr()``. A ``size`` of
    zero or less yields an empty string because the range is empty.

    Neither ``addr`` nor ``size`` is validated here. Both come from operands
    of the sample under analysis, so the caller should sanity-check them.
    """
    return "".join(chr(Byte(ea)) for ea in range(addr, addr + size))
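def decrypt(key, cipher, size):
    """XOR-decode the first ``size`` characters of ``cipher`` with ``key``.

    The key repeats: character ``i`` of the output is
    ``cipher[i] XOR key[i % len(key)]``.

    Args:
        key: Key characters; reused cyclically when shorter than ``size``.
        cipher: Obfuscated characters; must hold at least ``size`` of them.
        size: Number of characters to decode.

    Returns:
        The decoded string. The original built this string but never
        returned it, so every caller received ``None``.

    Raises:
        ZeroDivisionError: ``key`` is empty while ``size`` is positive.
        IndexError: ``cipher`` is shorter than ``size``.
    """
    key_len = len(key)
    decrypted_string = "".join(
        chr(ord(cipher[i]) ^ ord(key[i % key_len])) for i in range(size)
    )
    return decrypted_string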
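# IDAPython driver: annotate every reference to the sample's string-decoding
# routine with the decoded string.
#
# 0x10001210 is specific to the one sample this script was written for; on any
# other binary the address must be replaced. The script uses the legacy
# IDAPython names (PrevHead, GetOperandValue, MakeComm, Byte).
#
# All print calls use the function form with a single argument, so the same
# text is produced whether print is a statement or a function.
print("[*] Attempting to decrypt strings in malware... ")
# flags=0 asks for every cross-reference type, so references that are not
# calls are processed as well -- NOTE(review): confirm that is intended.
for x in XrefsTo(0x10001210, flags=0):
    # Operand 0 of the three instructions before the reference is taken, in
    # order walking backwards, as: ciphertext address, key address, length.
    # Presumably these are the argument setup for the call; nothing verifies
    # that the instructions actually have that shape.
    addr = idc.PrevHead(x.frm)
    obfuscated_string = GetOperandValue(addr, 0)
    addr = idc.PrevHead(addr)
    key = GetOperandValue(addr, 0)
    addr = idc.PrevHead(addr)
    size = GetOperandValue(addr, 0)
    print("Addr: 0x%x | Key: 0x%x | Cipher: 0x%x | Size: %d" % (x.frm, key, obfuscated_string, size))
    if size <= 0:
        # A non-positive length cannot describe a string; skip the site
        # rather than attach an empty comment to unrelated code.
        print("[!] Skipping 0x%x: size operand is not a positive length" % x.frm)
        continue
    # Both buffers are read with the same length, so the XOR result does not
    # depend on which one is passed as the key; pass them in the order the
    # parameters are named. If the real key is shorter than `size`, this
    # reads past it -- NOTE(review): confirm the key length for this sample.
    decrypted_string = decrypt(get_string(key, size), get_string(obfuscated_string, size), size)
    # The decoded text is sample-controlled and is shown unescaped.
    print("Decrypted: %s" % (decrypted_string))
    # The comment goes on the second instruction after the reference.
    MakeComm(idc.NextHead(idc.NextHead(x.frm)), "[*] " + decrypted_string)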