Cutter notebook example
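import cutter
import re

cutter.cmd('aa')

# sample 57752e9a9d3d2b54f68f015a0de589b4
# The string-deobfuscation routine lives at 0x10003630 and receives the
# address of the obfuscated string in ecx. For every xref to that routine,
# walk back from the call site to the `mov ecx, <addr>` that set up the
# argument, decode the zero-terminated string at <addr> (each byte + 3,
# mod 256) and attach the plaintext as a comment on the call.
decode_func_addr = 0x10003630

# Upper bound on how many instructions above the call site the `mov ecx`
# is searched for (1..9, the same range as the original `while idx < 10`).
max_iteration = 10

# Characters allowed into the r2 comment text. The decoded string comes
# straight out of the analysed sample, i.e. it is untrusted, and it is
# interpolated into an r2 command line below; anything outside this
# allowlist (r2 command syntax such as ';', '@', '|', '`', '!', newlines)
# is replaced with '?' so the sample cannot smuggle extra commands in.
_SAFE_COMMENT_CHARS = re.compile(r'[^A-Za-z0-9 ._:/-]')


def _decode_bytes(barr):
    """Return the deobfuscated bytes: every byte of *barr* plus 3, modulo 256."""
    return bytes((b + 0x3) % 256 for b in barr)


for xref in cutter.cmdj('axtj %s' % decode_func_addr):
    call_site = xref['from']
    print(hex(call_site))
    # Walk backwards one instruction at a time looking for the ecx load
    # (pointer to the encoded string).
    for idx in range(1, max_iteration):
        obj = cutter.cmdj("pdj -%d @ %d" % (idx, call_site))
        if not obj:
            # Nothing could be disassembled that far back; give up on this xref.
            break
        match_object = re.search(r'^mov ecx, (.*?)$', obj[0]['opcode'], flags=re.IGNORECASE)
        if not match_object:
            continue
        str_addr = match_object.group(1)
        # Zero-terminated string at that address.
        obj = cutter.cmdj("pszj @ %s" % str_addr)
        if not obj:
            break
        barr = obj['string'].encode()
        # The shifted bytes need not form valid UTF-8; never let one odd
        # string abort the whole pass.
        decoded = _decode_bytes(barr).decode(errors='replace')
        print(decoded)
        # Annotate the call site with the plaintext (sanitised, see above).
        comment_text = _SAFE_COMMENT_CHARS.sub('?', decoded)
        cutter.cmd('CCu CALL %s @ %d' % (comment_text, call_site))
        break
cutter.refresh()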
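# WinAPI resolving happens in fcn.10001190: edi points to GetProcAddress and
# each resolved export is stored into a global via `mov dword [0x....], eax`.
# For every such store, look back a few instructions for the `call` that
# produced eax and report it together with the global it is stored to, so
# those memory pointers can be given useful comments.
addr = 0x10001190
cutter.cmd("s %d" % addr)
func_info = cutter.cmdj("afij")
func_size = func_info[0]['size']
print("Function size %d" % func_size)

# Upper bound on how many instructions above the store the call is searched
# for (1..9, the same range as the original `while idx < 10`).
max_iteration = 10
# Compiled once: both patterns are applied repeatedly inside the loops.
STORE_RE = re.compile(r'^mov dword \[(0x.*?)\], eax$', flags=re.IGNORECASE)
CALL_RE = re.compile(r'^call (.*?)$', flags=re.IGNORECASE)

r = cutter.cmdj("pDj %d @ %d" % (func_size, addr))
for el in r:
    match_object = STORE_RE.search(el['disasm'])
    if not match_object:
        continue
    print(el['disasm'])
    # Global slot that receives the address of the exported function.
    mems_addr = match_object.group(1)
    print(hex(el['offset']))
    # Find the nearest preceding call and stop at the first one found.
    for idx in range(1, max_iteration):
        obj = cutter.cmdj("pdj -%d @ %d" % (idx, el['offset']))
        if not obj:
            # Nothing could be disassembled that far back; give up on this store.
            break
        if CALL_RE.search(obj[0]['opcode']):
            # Report the real distance (the original printed the literal 1)
            # and the global the result lands in.
            print("Call found %s %d instruction(s) above %s -> stored to %s"
                  % (obj[0]['opcode'], idx, hex(el['offset']), mems_addr))
            break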