shifu trojan string decryptor

shifu_decryptor.py

# IDAPython script to decrypt the shifu banking trojan dropper strings
# find the function, EA should be at the entrypoint of the decryption function
# script finds all code X refs and parses the arguments to decrypt all strings with
# the XOR key supplied.
# glindor @_g3nuin3

import idaapi
import idc
import idautils

ea = here()
xrefs = CodeRefsTo(ea,0)

data = []
decrypted = []

def decrypt_string(string_offset, length, key):
    
    loc = string_offset
    res = ''
    for i in xrange(length):
        ch = idaapi.get_byte(loc)
        ch = ch ^ key
        res += chr(ch)
        loc = loc + 1

    return [string_offset, res, length]


for xref in xrefs:
    current_x = xref
    d = {}
    d['addr'] = hex(current_x)
    n_pushes = 0
    n_movedx = 0

    for i in xrange(6):
        if n_pushes == 2 and n_movedx == 1:
            break

        current_x = idc.PrevHead(current_x)
        instr = idautils.DecodeInstruction(current_x)
        if instr.itype == idaapi.NN_push:

            if n_pushes < 1:
                d['len'] = int(GetOperandValue(current_x, 0))

            if n_pushes == 1:
                d['key'] = int( hex(GetOperandValue(current_x, 0)), 16)

            n_pushes += 1

        if instr.itype == idaapi.NN_mov:
            if GetOpnd(current_x, 0) == 'edx':
                d['string_offset'] = GetOperandValue(current_x, 1)

    data.append(d)

for d in data:
    decrypted.append(decrypt_string(d['string_offset'], 
                                    d['len'],
                                    d['key'])
    )

for dec in decrypted:
    print "{}".format(dec)