alexander-hanel · February 28, 2023 19:31
diff --git a/rc4_bn.py b/rc4_bn.py
 from binaryninja import lowlevelil

 DEBUG = False 

 def get_rc4_xor_instru(instr):
    if not instr:
        return False
    if DEBUG:
        print(hex(instr.address), instr)
    for oper in instr.operands:
         if isinstance(oper, LowLevelILInstruction):
            if oper.operation == LowLevelILOperation.LLIL_XOR:
                if DEBUG:
                    print("LLIL_XOR", hex(oper.address), oper.left, oper.right, oper.right.value)  
                try:
                    if oper.right.src.name.endswith("sp") or oper.right.src.name.endswith("bp"):
                        continue 
                except:
                        pass
                # ignore XOR with constant value, 
                if oper.right.value.type == RegisterValueType.ConstantValue:
                        continue
                if oper.left != oper.right:
                    get_bytes(oper.address)
                    return True
    return False 

 def get_bytes(offset):
    output = ""
    output += bv.file.filename
    output += "\n"
    func = bv.get_functions_containing(offset)[0]
    output += "0x%x, %s\n" % (func.start, func.name)  
    bb = bv.get_basic_blocks_at(offset)[0]
    for x in bb.get_disassembly_text():
        output += "0x%x, %s\n" % (x.address, x)
    data = bv.read(bb.start, bb.end - bb.start)
    output += (",".join([hex(x) for x in data]))
    output += "\n"
    print(output)
    

 def check_for_xor(func):
    l_0xff = 0 # used to find the first two loops
    for instr in func.llil_instructions:
        if l_0xff != 2:
            if instr.operation == LowLevelILOperation.LLIL_IF: 
                try: 
                    if instr.operands[0].operands[1].value == 0x100:
                        l_0xff += 1 
                        if DEBUG:
                            print("LLIL_IF", instr, instr.operands[0].operands[1].value)
                except:
                    continue 
        if l_0xff == 2:
            if get_rc4_xor_instru(instr):
                return True 
    return False


 def run():
    for func in bv.functions:
        check_for_xor(func)


 def test(address):
    func =  bv.get_function_at(address)
    check_for_xor(func)

 # test(0x0040feb1)
 run()
	from binaryninja import lowlevelil

	DEBUG = False

	def get_rc4_xor_instru(instr):
	if not instr:
	return False
	if DEBUG:
	print(hex(instr.address), instr)
	for oper in instr.operands:
	if isinstance(oper, LowLevelILInstruction):
	if oper.operation == LowLevelILOperation.LLIL_XOR:
	if DEBUG:
	print("LLIL_XOR", hex(oper.address), oper.left, oper.right, oper.right.value)
	try:
	if oper.right.src.name.endswith("sp") or oper.right.src.name.endswith("bp"):
	continue
	except:
	pass
	# ignore XOR with constant value,
	if oper.right.value.type == RegisterValueType.ConstantValue:
	continue
	if oper.left != oper.right:
	get_bytes(oper.address)
	return True
	return False

	def get_bytes(offset):
	output = ""
	output += bv.file.filename
	output += "\n"
	func = bv.get_functions_containing(offset)[0]
	output += "0x%x, %s\n" % (func.start, func.name)
	bb = bv.get_basic_blocks_at(offset)[0]
	for x in bb.get_disassembly_text():
	output += "0x%x, %s\n" % (x.address, x)
	data = bv.read(bb.start, bb.end - bb.start)
	output += (",".join([hex(x) for x in data]))
	output += "\n"
	print(output)


	def check_for_xor(func):
	l_0xff = 0 # used to find the first two loops
	for instr in func.llil_instructions:
	if l_0xff != 2:
	if instr.operation == LowLevelILOperation.LLIL_IF:
	try:
	if instr.operands[0].operands[1].value == 0x100:
	l_0xff += 1
	if DEBUG:
	print("LLIL_IF", instr, instr.operands[0].operands[1].value)
	except:
	continue
	if l_0xff == 2:
	if get_rc4_xor_instru(instr):
	return True
	return False


	def run():
	for func in bv.functions:
	check_for_xor(func)


	def test(address):
	func = bv.get_function_at(address)
	check_for_xor(func)

	# test(0x0040feb1)
	run()