document.write('
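  // Search the .data segment of one specific analyzed malware sample for
  // encrypted strings and decrypt them in place (IDC script for IDA).
  // http://interestingmalware.blogspot.com
  // interestingmalware@gmail.com
  //
  // How it works: every head in .data whose name starts with "a" and whose
  // first byte is >= 0x7f is handed to the routine named "XORStringDecrypt"
  // through Appcall, then redefined as a string and logged.
  //
  // Analyst notes:
  //  - Appcall runs the named routine inside the debugged process, so this
  //    script executes code that belongs to the sample. Run it only with a
  //    debugger session attached, on an isolated analysis machine.
  //  - "XORStringDecrypt" is a name that has to exist in the database already;
  //    the script reports an error and decrypts nothing if it does not resolve.
  //  - The first-byte test is a heuristic: an encrypted string whose first
  //    byte is below 0x7f is skipped, and unrelated data with a high first
  //    byte is passed to the routine. Review the logged results.
  //  - NOTE(review): if the routine is a symmetric XOR, calling it on an
  //    already decrypted string would scramble it again; the first-byte test
  //    is presumably what keeps a second run from doing so - confirm.

  auto datastart, dataend;
  auto ea;

  // Linear start and end address of the .data segment.
  datastart = SegByBase(SegByName(".data"));
  dataend = SegEnd(datastart);

  Message("Start %x, end %x\\n", datastart, dataend);

  // Address of the decryption routine, looked up by its database name.
  auto xordecrypt = LocByName("XORStringDecrypt");

  if(xordecrypt == BADADDR) {
    // Without this guard the first Appcall would be issued against BADADDR.
    Message("XORStringDecrypt not found, nothing decrypted\\n");
  } else {
    // Walk every defined item (head) in .data; NextHead yields BADADDR once
    // no further head exists below dataend, which ends the loop.
    for(ea = datastart; ea != BADADDR; ea = NextHead(ea, dataend)) {
      auto name = Name(ea);
      // Only named items whose name begins with "a" are considered
      // (presumably the auto-generated names IDA gives to string items).
      if(name != 0 && IsString(name) && substr(name, 0, 1) == "a") {
        // A first byte outside printable ASCII marks the item as still encrypted.
        if(Byte(ea) >= 0x7f) {
          // debug trace: Message("fixing %x, %s\\n", ea, name);
          // Call the routine in the debuggee with the item address as its
          // only argument, using the prototype stored in the database.
          Appcall(xordecrypt, GetTinfo(xordecrypt), ea);
          // Redefine the item as a string; -1 lets IDA determine the length.
          MakeStr(ea, -1);
          Message("fixed %x: %s\\n", ea, GetString(ea, -1, ASCSTR_C));
        }
      }
    }
  }

  Message("done!");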
');