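import re

import cutter

# Characters the r2 command parser treats specially: ';' separates commands,
# '`' runs a sub-command, '@' is a temporary seek, '|' pipes, '>' redirects,
# '~' greps, '!' shells out, '#'/'$' start comments/variables.  Any of them in
# a comment body would change the meaning of the `CCu ... @ addr` command.
_R2_UNSAFE = re.compile(r'[;`@|>~!#$\r\n]')


def _safe_comment(text):
    """Return *text* with r2 metacharacters and non-printable characters replaced by '_'.

    The decoded strings are read out of the analysed binary, i.e. they are
    untrusted input.  Interpolating them verbatim into an r2 command would let
    the sample inject further commands into the analyst's session, so they are
    neutralised before being used as comment text.
    """
    printable = ''.join(ch if ch.isprintable() else '_' for ch in text)
    return _R2_UNSAFE.sub('_', printable)


cutter.cmd('aa')
# Address of the string-decoding routine in the loaded sample; adjust per binary.
decode_func_addr = 0x00401210
cutter.cmd("s %d" % decode_func_addr)
func_info = cutter.cmdj("afij")
if not func_info:
    raise SystemExit("No function found at %s; check decode_func_addr or the analysis" % hex(decode_func_addr))
func_size = func_info[0]['size']
print("Function size %d" % func_size)

# Compiled once: the loop below applies them at every byte of the function.
store_re = re.compile(r'^mov dword \[(.*)\], eax$', re.IGNORECASE)
push_re = re.compile(r'^push (.*?)$', re.IGNORECASE)
call_re = re.compile(r"call *")

# Walk the function one byte at a time, looking for the pattern
#   push <encrypted string addr> ... mov dword [<decoded addr>], eax
for offset in range(func_size):
    addr = decode_func_addr + offset
    obj = cutter.cmdj("pdj 1 @ %s" % hex(addr))
    if not obj:
        continue
    store = store_re.search(obj[0]['opcode'])
    if not store:
        continue
    decoded_addr = store.group(1)

    # The first of the three instructions preceding the store is expected to be
    # the push of the encrypted string's address (the pattern the script matches on).
    prev = cutter.cmdj("pdj -3 @ %s" % hex(addr))
    if not prev:
        continue
    push = push_re.search(prev[0]['opcode'])
    if not push:
        continue
    str_addr = push.group(1)

    # Read the zero-terminated string stored at that address.
    str_obj = cutter.cmdj("pszj @ %s" % str_addr)
    if not str_obj or 'string' not in str_obj:
        continue
    decoded_str = str_obj['string']
    print("%s %s" % (decoded_addr, decoded_str))

    # Annotate every call site that references the decoded slot.  The sample's
    # string goes through _safe_comment so it cannot alter the r2 command.
    comment = _safe_comment(decoded_str)
    for xref in cutter.cmdj('axtj %s' % decoded_addr) or []:
        if call_re.match(xref['opcode']):
            cutter.cmd('CCu CALL %s @ %d' % (comment, xref['from']))

cutter.refresh()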