IDAPython encrypted string decoder for DROPSHOT - APT33
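import idc
import idaapi
import idautils
import ida_bytes

# Addresses are specific to the analysed DROPSHOT sample; adjust them for
# other builds of the dropper.
decryptTable = 0x41BA3C
decryptTableEnd = 0x41BA77
decryptFunction = 0x4012A0


def _read_table(start, end):
    """Return the substitution table in [start, end) as a bytearray.

    Raises ValueError if the range is empty or reversed and RuntimeError if
    IDA cannot read it (e.g. the address is wrong for this sample), so the
    script fails loudly instead of decoding against garbage.  The end
    address is treated as exclusive -- confirm against the sample if the
    last table byte turns out to be missing.
    """
    # Size of the range; note the operand order, the range is [start, end).
    size = end - start
    if size <= 0:
        raise ValueError("decryptTableEnd must be greater than decryptTable")
    raw = idaapi.get_many_bytes(start, size)
    if raw is None:
        raise RuntimeError("Could not read %d bytes at 0x%X" % (size, start))
    # bytearray indexing yields ints on both Python 2 and 3.
    return bytearray(raw)


def _immediate(ea):
    """Return the immediate value of the first operand at *ea*, or None.

    The expected call sites push the string pointer and the length as
    immediates; anything else (a register push, an undecodable instruction)
    means the call does not match the pattern and is skipped rather than
    decoded with a bogus address or length.
    """
    insn = idautils.DecodeInstruction(ea)
    if insn is None:
        return None
    op = insn.Operands[0]
    if op.type != idaapi.o_imm:
        return None
    return op.value


def _decrypt(table, enc_ea, length):
    """Decode *length* 16-bit words at *enc_ea* through *table*.

    Each word of the encrypted string is an index into the substitution
    table; the table byte at that index is the plaintext character.  An
    index outside the table is rendered as '?' so that a single bad word
    does not abort the whole run.
    """
    out = []
    for i in range(length):
        idx = ida_bytes.get_word(enc_ea + i * 2)
        out.append(chr(table[idx]) if idx < len(table) else "?")
    return "".join(out)


def decode_all():
    """Decode every string passed to decryptFunction and comment each call site."""
    table = _read_table(decryptTable, decryptTableEnd)
    for ref in idautils.CodeRefsTo(decryptFunction, 1):
        # Arguments are pushed right before the call: the string pointer
        # first (closest to the call), then the length one instruction up.
        enc_ea = idc.prev_head(ref)
        len_ea = idc.prev_head(enc_ea)
        enc = _immediate(enc_ea)
        length = _immediate(len_ea)
        if enc is None or length is None:
            print("Skipping 0x%X: arguments are not immediates" % ref)
            continue
        s = _decrypt(table, enc, length)
        print("Decrypted: " + s)
        idc.MakeComm(ref, "Decrypted: " + s)


decode_all()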