Created
December 23, 2022 09:54
-
-
Save 0xca7/696e4e65f72c9aac442340c9d7ef9131 to your computer and use it in GitHub Desktop.
highlight and decrypt strings in recordbreaker malware
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //TODO recordbreaker string decryption via selection | |
| //Applied to sample: 746669c6be1807fdafbc7ee3f1e958e1b584fa31688742bcc044d269af94b0d8 (sha256) | |
| //@author 0xca7 | |
| //@category _NEW_ | |
| //@keybinding | |
| //@menupath | |
| //@toolbar | |
| import ghidra.app.script.GhidraScript; | |
| import ghidra.program.model.mem.*; | |
| import ghidra.program.model.lang.*; | |
| import ghidra.program.model.pcode.*; | |
| import ghidra.program.model.util.*; | |
| import ghidra.program.model.reloc.*; | |
| import ghidra.program.model.data.*; | |
| import ghidra.program.model.block.*; | |
| import ghidra.program.model.symbol.*; | |
| import ghidra.program.model.scalar.*; | |
| import ghidra.program.model.listing.*; | |
| import ghidra.program.model.address.*; | |
| public class recordbreakerbreaker extends GhidraScript { | |
| byte[] get_key(byte[] bytes) { | |
| int len = 0; | |
| while(bytes[len] != 0x00) { | |
| len++; | |
| } | |
| byte[] key = new byte[len]; | |
| for(int i = 0; i < len; i++) { | |
| key[i] = bytes[i]; | |
| } | |
| return key; | |
| } | |
| byte[] get_data(byte[] bytes) { | |
| int flag = 0; | |
| int len = 0; | |
| int start_data = 0; | |
| // get the beginning index of the data bytes | |
| for(int i = 0; i < bytes.length; i++) { | |
| if(bytes[i] == 0x00) { | |
| flag = 1; | |
| } | |
| if(flag == 1 && bytes[i] != 0x00) { | |
| start_data = i; | |
| break; | |
| } | |
| } | |
| while(bytes[start_data + len] != 0x00) { | |
| len++; | |
| } | |
| byte[] data = new byte[len]; | |
| for(int i = 0; i < len; i++) { | |
| data[i] = bytes[start_data + i]; | |
| } | |
| return data; | |
| } | |
| void decrypt(byte[] data, byte[] key) { | |
| byte[] result = new byte[data.length]; | |
| for(int i = 0; i < data.length; i++) { | |
| result[i] = (byte) (data[i] ^ key[i % key.length]); | |
| } | |
| String s = ""; | |
| for(int i = 0; i < data.length; i++) { | |
| s += (char)result[i]; | |
| } | |
| println("decrypted: " + s); | |
| } | |
| public void run() throws Exception { | |
| if(currentSelection != null) { | |
| Memory mem = currentProgram.getMemory(); | |
| Address min_addr = currentSelection.getMinAddress(); | |
| Address max_addr = currentSelection.getMaxAddress(); | |
| byte[] b = new byte[(int)max_addr.subtract(min_addr)]; | |
| mem.getBytes(min_addr, b); | |
| byte[] key = get_key(b); | |
| for(int i = 0; i < key.length; i++) { | |
| printf("%c", key[i]); | |
| } | |
| printf("\n"); | |
| byte[] data = get_data(b); | |
| for(int i = 0; i < data.length; i++) { | |
| printf("%02x", data[i]); | |
| } | |
| decrypt(data, key); | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment