| #include <windows.h> | |
| #include <stdio.h> | |
| #include <wchar.h> | |
| #include <Unknwn.h> | |
| typedef enum _TTD_LOG_LEVEL | |
| { | |
| TTD_LOG_LEVEL_ERROR = 1, | |
| TTD_LOG_LEVEL_WARNING, | |
| TTD_LOG_LEVEL_INFO, |
| #include <vector> | |
| #include <string_view> | |
| #include <cstdint> | |
| #include <cctype> | |
| #include <limits> | |
| #include <array> | |
| namespace util | |
| { | |
| namespace detail |
| #pragma once | |
| #include <memory> | |
| #include <string> | |
| #include <vector> | |
| #include <fmt/core.h> | |
| #include <stdexcept> | |
| #include <zasm/zasm.hpp> | |
| #include <windows.h> |
| class ZeusVMToC: | |
| def __init__(self, diasm_file, output_file=None): | |
| self.diasm_file = diasm_file | |
| self.output_file = output_file | |
| self.line_num = 0 | |
| self.data_ptr_mov = 0 | |
| def tokenize(self): | |
| with open(self.diasm_file, 'r') as f: |
| from enum import Enum | |
| class HandlerType(Enum): | |
| Zero = 0 | |
| Shuffle = 1 | |
| Rc4 = 2 | |
| Imm = 3 | |
| RegReg = 4 | |
| RegImm = 5 | |
| Reg = 6 |
This Python script is designed to handle JMP deobfuscation.
It will sqash unneeded unconditional jmps and create new blocks, relocates blocks of code, adjusts relative addresses, and aligns blocks with padding.
Inspired by http://hooked-on-mnemonics.blogspot.com/2012/10/simple-deobfuscation-of-code.html
| import time | |
| from typing import List | |
| import pefile | |
| from capstone import * | |
| from capstone.x86 import * | |
| import re | |
| import struct | |
| # SAMPLE_PATH = 'bin/enc_string_test.bin32' | |
| SAMPLE_PATH = 'bin/2cd2f077ca597ad0ef234a357ea71558d5e039da9df9958d0b8bd0efa92e74c9.bin32' |
| #pragma once | |
| #include <stdint.h> | |
| #include "win_helper.h" | |
| namespace poc_kit | |
| { | |
| namespace pattern | |
| { |