herrcore · May 10, 2023 12:23
diff --git a/vawtrak_string_decoder.py b/vawtrak_string_decoder.py
 import idaapi, idc, idautils
 import re
 import struct
 import base64

 flag_arr=[]

 def decrypt_algo(key, data, data_len):
    out=""
    for i in range(0, data_len):
        key = (0x41C64E6D * key + 0x3039) & 0xffffffff
        key_byte = 0xff & key
        tmp = 0xff&(ord(data[i]) - key_byte)
        out += chr(tmp)
    return out

 def find_function_args(addr):
    addr = idc.PrevHead(addr)
    if GetMnem(addr) == "push":
        str_start = GetOperandValue(addr, 0)
    else:
        str_start = -1
    return str_start

 def get_string(start_addr, len):
    out = ""
    for i in range(0,len):
        out += chr(Byte(start_addr + i))
    return out


 def patch_string(start_addr, string_data):
    offset = 0
    for c in string_data:
        PatchByte(start_addr + offset, ord(c))
        offset += 1
    MakeStr(start_addr, BADADDR)


 def decrypt_call(fn_call):
    str_start = find_function_args(fn_call)
    if str_start == -1:
        return
    if str_start not in flag_arr:
        key_data = ida_bytes.get_32bit(str_start)
        len_data = ida_bytes.get_32bit(str_start+4)
        data_len = (key_data ^ len_data) >> 16
        data_start = str_start+8
        data = get_string(data_start, data_len)
        plaintxt_data = decrypt_algo(key_data, data, data_len)

        print "%s: %s" % (hex(str_start), plaintxt_data)
        patch_string(str_start, plaintxt_data)
        flag_arr.append(str_start)
            
 def single_decrypt(str_start):
    key_data = ida_bytes.get_32bit(str_start)
    len_data = ida_bytes.get_32bit(str_start+4)
    data_len = (key_data ^ len_data) >> 16
    data_start = str_start+8
    data = get_string(data_start, data_len)
    plaintxt_data = decrypt_algo(key_data, data, data_len)
    print "%s: %s" % (hex(str_start), plaintxt_data)
            
 def decrypt_all_strings(decrypt_function_address):
    for addr in XrefsTo(decrypt_function_address, flags=0):
        try:
            fn_call = addr.frm
            decrypt_call(fn_call)
        except:
            continue
	import idaapi, idc, idautils
	import re
	import struct
	import base64

	flag_arr=[]

	def decrypt_algo(key, data, data_len):
	out=""
	for i in range(0, data_len):
	key = (0x41C64E6D * key + 0x3039) & 0xffffffff
	key_byte = 0xff & key
	tmp = 0xff&(ord(data[i]) - key_byte)
	out += chr(tmp)
	return out

	def find_function_args(addr):
	addr = idc.PrevHead(addr)
	if GetMnem(addr) == "push":
	str_start = GetOperandValue(addr, 0)
	else:
	str_start = -1
	return str_start

	def get_string(start_addr, len):
	out = ""
	for i in range(0,len):
	out += chr(Byte(start_addr + i))
	return out


	def patch_string(start_addr, string_data):
	offset = 0
	for c in string_data:
	PatchByte(start_addr + offset, ord(c))
	offset += 1
	MakeStr(start_addr, BADADDR)


	def decrypt_call(fn_call):
	str_start = find_function_args(fn_call)
	if str_start == -1:
	return
	if str_start not in flag_arr:
	key_data = ida_bytes.get_32bit(str_start)
	len_data = ida_bytes.get_32bit(str_start+4)
	data_len = (key_data ^ len_data) >> 16
	data_start = str_start+8
	data = get_string(data_start, data_len)
	plaintxt_data = decrypt_algo(key_data, data, data_len)

	print "%s: %s" % (hex(str_start), plaintxt_data)
	patch_string(str_start, plaintxt_data)
	flag_arr.append(str_start)

	def single_decrypt(str_start):
	key_data = ida_bytes.get_32bit(str_start)
	len_data = ida_bytes.get_32bit(str_start+4)
	data_len = (key_data ^ len_data) >> 16
	data_start = str_start+8
	data = get_string(data_start, data_len)
	plaintxt_data = decrypt_algo(key_data, data, data_len)
	print "%s: %s" % (hex(str_start), plaintxt_data)

	def decrypt_all_strings(decrypt_function_address):
	for addr in XrefsTo(decrypt_function_address, flags=0):
	try:
	fn_call = addr.frm
	decrypt_call(fn_call)
	except:
	continue