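// search for encrypted strings in a specific piece of analyzed malware and decrypt them
// http://interestingmalware.blogspot.com
// interestingmalware@gmail.com
//
// Walks every head item in the data segment whose name starts with "a" (the
// prefix IDA gives auto-named string items) and whose first byte is >= 0x7f,
// calls the sample's own XORStringDecrypt routine on that address through
// Appcall, re-creates the string item and prints the decrypted text.
//
// Appcall runs the debuggee's code: this script only works inside an active
// debugging session of the sample and belongs in an isolated analysis VM.
//
// Both lookups are verified before the loop so a missing segment or an
// unresolved decrypt routine is reported instead of every candidate being
// Appcall'ed at BADADDR. Segment and routine names are kept in variables so
// the script can be retargeted to another sample by editing one line each.
//
// NOTE(review): the doubled backslashes in the Message() format strings
// ("\\n") print a literal backslash-n in IDC rather than a newline; this
// looks like an escaping artifact of how the script was captured -- confirm
// against the original file before relying on the output layout.
auto segname = ".data";
auto decryptname = "XORStringDecrypt";
auto datastart, dataend;
auto ea;
auto xordecrypt;

datastart = SegByBase(SegByName(segname));   // BADADDR when the segment is absent
xordecrypt = LocByName(decryptname);         // BADADDR when the routine is not named
if(datastart == BADADDR) {
    Message("segment %s not found\\n", segname);
} else if(xordecrypt == BADADDR) {
    Message("decrypt routine %s not found\\n", decryptname);
} else {
    dataend = SegEnd(datastart);
    Message("Start %x, end %x\\n", datastart, dataend);
    for(ea = datastart; ea != BADADDR; ea = NextHead(ea, dataend)) {
        auto name = Name(ea);
        // Heuristic from the original: a string item whose first byte is
        // >= 0x7f is taken as still encrypted, so items that already decode
        // to a printable first character are skipped on a re-run.
        if(name != 0 && IsString(name) && substr(name, 0, 1) == "a" && Byte(ea) >= 0x7f) {
            //Message("fixing %x, %s\\n", ea, name);
            Appcall(xordecrypt, GetTinfo(xordecrypt), ea);   // decrypts in place in the debuggee
            MakeStr(ea, -1);                                  // re-create the string item over the plaintext
            Message("fixed %x: %s\\n", ea, GetString(ea, -1, ASCSTR_C));
        }
    }
    // terminated like the other messages so the next output does not run onto this line
    Message("done!\\n");
}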