# this is a decryptor for the encrypted strings in the speedtest.sys sample
import idc, idaapi, idautils
import builtins
import ida_kernwin
# Switch IDA's encoding setting to UTF-16LE before any strings are decoded.
# NOTE(review): presumably so the decrypted wide strings render correctly
# in comments and the output window - confirm against the IDA version in use.
ida_kernwin.set_encoding("UTF-16LE")

# --- Decryptor 1 -----------------------------------------------------------
# Every address below is hard-coded for the author's database of the sample;
# a rebased image or a different build will need new values.
decryptor1_ea = 0x11432          # presumably the decryption routine itself
decryptor1_wrapper_ea = 0x11524  # wrapper whose callers trigger() enumerates
decryptor1_seed = 0x0AA107FB     # initial LCG state (decryptor1 hard-codes the same value)
decryptor1_xrefs = []            # 2nd and 5th calls: the string is 3 instructions above
string_arg = ""
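def decryptor1(string_arg, string_ea):
    """Decrypt one zero-terminated 16-bit string and annotate it in the IDB.

    Each 16-bit unit is XORed with the upper half of a 32-bit linear
    congruential generator (multiplier 0x19660D, increment 0x3C6EF35F, the
    constants of the Numerical Recipes LCG) with bit 15 of the key forced on.
    The generator is stepped once per unit, starting from 0x0AA107FB.

    Args:
        string_arg: address of the first encrypted 16-bit unit.
        string_ea: address of the instruction that references the string;
            it receives the same comment as the data.

    Returns:
        The decrypted text, or None when no zero terminator was found
        within the safety cap (nothing is written to the database then).
    """
    # Safety cap: without it, a missing terminator (wrong address, unmapped
    # bytes) would keep the loop running and hang the IDA session.
    max_units = 0x1000

    seed = 0x0AA107FB
    chars = []
    for index in range(max_units):
        # The generator advances before every read, terminator included.
        seed = (seed * 0x19660D + 0x3C6EF35F) & 0xFFFFFFFF
        unit = idc.get_wide_word(string_arg + 2 * index)
        if unit == 0:
            # The terminator is compared before decryption, i.e. it is stored
            # as a plain zero word.
            break
        # Forcing bit 15 presumably keeps ciphertext units non-zero so the
        # terminator stays unambiguous - TODO confirm against the routine.
        key = (seed >> 16) | 0x8000
        chars.append(chr((unit ^ key) & 0xFFFF))
    else:
        print("decryptor1: no terminator within %d units at %s, skipped"
              % (max_units, hex(string_arg)))
        return None

    result = "".join(chars)
    print(result)

    # Non-repeatable comments on both the data and the referencing
    # instruction. The None call is kept from the original; it presumably
    # clears a stale comment before the new one is written.
    for target in (string_arg, string_ea):
        idc.set_cmt(target, None, 0)
        idc.set_cmt(target, result, 0)
    return result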
def trigger():
    """Decrypt the string passed at every call site of the decryptor1 wrapper.

    For each code reference to ``decryptor1_wrapper_ea`` the instruction that
    loads the string pointer is located by walking backwards from the call:
    three instructions for the two listed call sites, two for all others.
    Operand 0 of that instruction is taken as the string address.

    NOTE(review): the walk-back distances and call-site addresses are
    hard-coded for one database, and neither the result of prev_head nor the
    operand value is validated before it is passed to decryptor1.
    """
    three_back_sites = (0x10b35, 0x11011)  # 3rd and 5th

    for call_ea in idautils.CodeRefsTo(decryptor1_wrapper_ea, 0):
        print(hex(call_ea))
        decryptor1_xrefs.append(call_ea)

        steps = 3 if call_ea in three_back_sites else 2
        load_ea = call_ea
        for _ in range(steps):
            load_ea = idc.prev_head(load_ea)

        encrypted_ea = idc.get_operand_value(load_ea, 0)
        print(hex(load_ea) + " " + hex(encrypted_ea))
        decryptor1(encrypted_ea, load_ea)
# --- Decryptor 2 -----------------------------------------------------------
# decryptor2 does the decoding and is called only from wrapper_aux.
# wrapper_aux has 3 xrefs; one of them is the decryptor2 wrapper, which
# itself has 6 xrefs.
decryptor2_ea = 0x11482
decryptor2_wrapper_aux_ea = 0x114CC  # to get the args; 0x00011598 is special
decryptor2_wrapper_ea = 0x11582
decryptor2_seed = 0x0AA107FB
# 0x111b3, 0x11cf2 and 0x11CFF need two steps to reach the string address;
# 0x11598 is the same as 0x111b3.
decryptor2_xrefs = []

# Collect the call sites of both wrappers as hex strings (trigger2 compares
# and parses them in that form), wrapper first, then wrapper_aux.
for wrapper_ea in (decryptor2_wrapper_ea, decryptor2_wrapper_aux_ea):
    for addr in idautils.CodeRefsTo(wrapper_ea, 0):
        decryptor2_xrefs.append(hex(addr))
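def decryptor2(string_arg, string_ea):
    """Decrypt one zero-terminated byte string, then comment and name it.

    Same keystream as decryptor1 (LCG with multiplier 0x19660D, increment
    0x3C6EF35F, initial state 0x0AA107FB, one step per unit), applied to
    single bytes: each byte is XORed with the upper half of the state with
    bit 7 forced on, and the result is truncated to 8 bits.

    Args:
        string_arg: address where the encrypted bytes are stored.
        string_ea: address of the referencing (call-side) instruction; it
            receives the same comment as the data.

    Returns:
        The decrypted text, or None when no zero terminator was found
        within the safety cap (nothing is written to the database then).
    """
    # Safety cap: without it, a missing terminator (wrong address, unmapped
    # bytes) would keep the loop running and hang the IDA session.
    max_units = 0x1000

    seed = 0x0AA107FB
    chars = []
    for index in range(max_units):
        # The generator advances before every read, terminator included.
        seed = (seed * 0x19660D + 0x3C6EF35F) & 0xFFFFFFFF
        unit = idc.get_wide_byte(string_arg + index)
        if unit == 0:
            break
        key = (seed >> 16) | 0x80
        chars.append(chr((unit ^ key) & 0xFF))
    else:
        print("decryptor2: no terminator within %d units at %s, skipped"
              % (max_units, hex(string_arg)))
        return None

    result = "".join(chars)
    print(result)

    idc.set_cmt(string_arg, None, 0)
    idc.set_cmt(string_arg, result, 0)
    # SN_CHECK is qualified with the module: the file imports idc as a module
    # only, so the bare name resolves just where the host namespace happens
    # to star-import idc. The return value is ignored, as in the original, so
    # a decrypted string that is not a valid IDA name is silently not applied.
    idc.set_name(string_arg, result, idc.SN_CHECK)
    idc.set_cmt(string_ea, None, 0)
    idc.set_cmt(string_ea, result, 0)
    return result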
def trigger2():
    """Decrypt the string passed at every collected decryptor2 call site.

    ``decryptor2_xrefs`` holds call-site addresses as hex strings. The entry
    for 0x11598 is skipped (it is the same as 0x111b3). For the three listed
    call sites the string-loading instruction is three instructions above
    the call; for all others it is two above. Operand 0 of that instruction
    is taken as the string address.

    NOTE(review): the addresses are hard-coded for one database, and neither
    the result of prev_head nor the operand value is validated before it is
    passed to decryptor2.
    """
    skipped_site = hex(0x11598)
    three_back_sites = (hex(0x111b3), hex(0x11CFF), hex(0x11cf2))

    for addr_text in decryptor2_xrefs:  # entries are hex strings
        print(addr_text)
        if addr_text == skipped_site:
            continue

        steps = 3 if addr_text in three_back_sites else 2
        load_ea = int(addr_text, 16)
        for _ in range(steps):
            load_ea = idc.prev_head(load_ea)

        encrypted_ea = idc.get_operand_value(load_ea, 0)
        print(hex(load_ea) + " " + hex(encrypted_ea))
        decryptor2(encrypted_ea, load_ea)
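# --- Decryptor 3: fixed-key XOR over zero-terminated 16-bit strings ---------
# Addresses are hard-coded for the author's database of the sample.
decryptor3_ea = 0x12330
Decryptor3_key = 0x77
encrypted_String3 = ""
encrypted_string3_ea = [0x12B80, 0x12B08, 0x12AA0, 0x12A40, 0x12BF8]
decrypted_string3 = ""

# Each 16-bit unit is XORed with the key byte repeated in both halves (0x7777).
_key16 = (Decryptor3_key << 8) | Decryptor3_key
# Safety cap: without it, a missing terminator would keep the read loop
# running and hang the IDA session.
_max_units = 0x1000

for ea in encrypted_string3_ea:
    chars = []
    for index in range(_max_units):
        val = idc.get_wide_word(ea + 2 * index)
        if val == 0:
            # The terminator is a plain zero word, checked before decryption.
            break
        chars.append(chr((val ^ _key16) & 0xFFFF))
    else:
        print("decryptor3: no terminator within %d units at %s, skipped"
              % (_max_units, hex(ea)))
        continue

    decrypted_string3 = "".join(chars)
    print(hex(ea))
    print(decrypted_string3)

    # Comment every referencing location (flags value 1 kept from the original).
    for xref in idautils.XrefsTo(ea, 1):
        idc.set_cmt(xref.frm, None, 0)
        idc.set_cmt(xref.frm, decrypted_string3, 0)

    # The original repeated these three calls once per data reference without
    # using the reference, so the net effect is "annotate the data if it has
    # at least one data xref".
    # NOTE(review): the page lost its indentation; this assumes all three
    # calls were the body of the DataRefsTo loop - confirm.
    if any(True for _ in idautils.DataRefsTo(ea)):
        idc.set_cmt(ea, None, 0)
        idc.set_cmt(ea, decrypted_string3, 0)
        # Qualified with the module because the file imports idc as a module
        # only. The return value is ignored, so a decrypted string that is
        # not a valid IDA name is silently not applied.
        idc.set_name(ea, decrypted_string3, idc.SN_CHECK)

# The original ended with a loop over encrypted_String3 that never ran (the
# string is empty) and could not have worked (it indexed a str with its own
# characters and assigned into a str); it has been dropped.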