alexander-hanel · February 6, 2019 17:28
diff --git a/find_xor_funcs.py b/find_xor_funcs.py
 import idautils
 func_dict = {} 
 XOR_COUNT = 2
 FUNC_LEN = 35
 for func in idautils.Functions():
    flags = idc.get_func_attr(func, FUNCATTR_FLAGS) 
    if flags & FUNC_LIB or flags & FUNC_THUNK:
    	continue
    dism_addr = list(idautils.FuncItems(func)) 
    for line in dism_addr:
        m = idc.print_insn_mnem(line)
        if m == 'xor':
            if idc.get_operand_type(line, 0) != idc.get_operand_type(line, 1):
                if func in func_dict:
                    func_dict[func] += 1 
                else:
                    func_dict[func] = 1
                    
 for item in func_dict:
    if func_dict[item] >= XOR_COUNT:
        continue
    dism_addr = list(idautils.FuncItems(item))
    if len(dism_addr) >= FUNC_LEN:
        continue
    print "Potential XOR at 0x%x" % (item)
    for ea in dism_addr:
        line_size = get_item_size(ea)
        bytes = idc.get_bytes(ea, line_size)
        temp = bytes.encode("hex")
        print "0x%x %-*s %s" % (ea, 20, temp, idc.generate_disasm_line(ea, 0))
	import idautils
	func_dict = {}
	XOR_COUNT = 2
	FUNC_LEN = 35
	for func in idautils.Functions():
	flags = idc.get_func_attr(func, FUNCATTR_FLAGS)
	if flags & FUNC_LIB or flags & FUNC_THUNK:
	continue
	dism_addr = list(idautils.FuncItems(func))
	for line in dism_addr:
	m = idc.print_insn_mnem(line)
	if m == 'xor':
	if idc.get_operand_type(line, 0) != idc.get_operand_type(line, 1):
	if func in func_dict:
	func_dict[func] += 1
	else:
	func_dict[func] = 1

	for item in func_dict:
	if func_dict[item] >= XOR_COUNT:
	continue
	dism_addr = list(idautils.FuncItems(item))
	if len(dism_addr) >= FUNC_LEN:
	continue
	print "Potential XOR at 0x%x" % (item)
	for ea in dism_addr:
	line_size = get_item_size(ea)
	bytes = idc.get_bytes(ea, line_size)
	temp = bytes.encode("hex")
	print "0x%x %-*s %s" % (ea, 20, temp, idc.generate_disasm_line(ea, 0))