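// Search for encrypted strings in a specific piece of analyzed malware and decrypt them.
// http://interestingmalware.blogspot.com
// interestingmalware@gmail.com
//
// Walks every defined item (head) in the .data segment, picks the ones that
// look like still-encrypted string literals, and has the sample's own
// decryption routine decrypt them via Appcall.
//
// Preconditions:
//   - The decryption routine has been named "XORStringDecrypt" in this
//     database and has type information set; GetTinfo() supplies the
//     prototype Appcall uses to pass the argument.
//   - Appcall runs the routine inside the debugged process, so a debugger
//     session on the sample must be active. That means code from the sample
//     is really executed: do this only in an isolated analysis environment.
//   - NOTE(review): the decrypted bytes are written to debuggee memory;
//     whether they persist in the database after the session ends is not
//     shown here. Confirm before relying on the result.

auto datastart, dataend;
auto ea, name;
auto xordecrypt;

datastart = SegByBase(SegByName(".data"));
dataend = SegEnd(datastart);
Message("Start %x, end %x\n", datastart, dataend);

xordecrypt = LocByName("XORStringDecrypt");

if (datastart == BADADDR) {
    // No .data segment: the original loop would silently do nothing.
    Message("no .data segment found, nothing to do\n");
} else if (xordecrypt == BADADDR) {
    // Without this guard every Appcall below would target BADADDR.
    Message("XORStringDecrypt is not defined in this database, nothing decrypted\n");
} else {
    // NextHead() returns BADADDR once no head is left before dataend,
    // which ends the loop.
    for (ea = datastart; ea != BADADDR; ea = NextHead(ea, dataend)) {
        name = Name(ea);
        // Only items whose name starts with "a" are considered; that is the
        // prefix IDA gives auto-named string literals (presumably why it is
        // used as the filter here).
        if (name != 0 && IsString(name) && substr(name, 0, 1) == "a") {
            // Heuristic: a first byte of 0x7f or above is taken to mean
            // "still encrypted". Strings already decrypted are skipped, so
            // re-running the script does not decrypt them a second time.
            if (Byte(ea) >= 0x7f) {
                //Message("fixing %x, %s\n", ea, name);
                Appcall(xordecrypt, GetTinfo(xordecrypt), ea);
                // Re-create the string item so its length matches the
                // decrypted, NUL-terminated content.
                MakeStr(ea, -1);
                Message("fixed %x: %s\n", ea, GetString(ea, -1, ASCSTR_C));
            }
        }
    }
}
Message("done!");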