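'''
0x16/7ton

IDAPython helper: rebuilds the sample's dword key table from a fixed seed
plus the "alf" key buffer, then walks the offset table at ``addr_crbl`` and
decrypts every referenced string in place inside the open database.

Offset-table entry layout as read by this script (stride 0x10):
    +0x0  hash dword (searched for in the image to annotate references)
    +0x4  address of the encrypted string
    +0xC  size of the encrypted string in bytes (0 terminates the table)

NOTE(review): the table layout (18 round keys followed by four 256-entry
boxes) and the 16-round swap network resemble Blowfish with non-standard
seed constants -- presumably a custom variant; confirm against the sample.

NOTE(review): the published paste lost its indentation; the nesting below
is the reading that is consistent with the data flow. Verify against an
original copy if one is available.

Caveats for the analyst:
  * The script patches the database in place. Re-running it on an already
    patched database applies the transform again to the patched bytes, so
    work on a copy or snapshot of the IDB.
  * Addresses and sizes are taken from the analysed sample and are used
    without validation; check ``addr_crbl`` and the printed entries before
    trusting the result.
'''

# ---- config -----------------------------------------------------------
# "alf" buffer: key material XOR-ed into the round keys.
buf_alf = "WyIDOSLQoTMMwRBdXFdhMMflIVncWuiouyjkOiWvhEsXvsiJwiIttNIe"
# Start address of the offset table.
addr_crbl = 0x101EEA8
# Address at which the search for hash references starts.
search_start = 0x01001000

# ---- key table layout ---------------------------------------------------
# The table is indexed by BYTE offset (one dword every 4 indices), which
# mirrors the offsets used by the original script.
MASK32 = 0xFFFFFFFF
TABLE_SIZE = 0x1414
ROUND_KEYS = 0x10      # 18 dwords: 0x10 .. 0x54
ROUND_KEYS_END = 0x58
BOX_BASES = (0x410, 0x810, 0xC10, 0x1010)
BOXES_END = 0x1410


def round_function(table, x):
    """Return the 32-bit mixing value for ``x`` from the four lookup boxes.

    ``x`` must already be reduced to 32 bits; each of its bytes selects one
    dword from a different box.
    """
    return MASK32 & (
        table[4 * (x & 0xFF) + 0x1010]
        + (table[4 * ((x >> 8) & 0xFF) + 0xC10]
           ^ (table[4 * ((x >> 16) & 0xFF) + 0x810]
              + table[4 * (x >> 0x18) + 0x410])))


def encrypt_block(table, left, right):
    """Run the 16 forward rounds used while generating the key table.

    Returns the pair the key schedule stores at ``table[i - 4]`` and
    ``table[i]`` and feeds into the next call.
    """
    for r in range(ROUND_KEYS, 0x50, 4):
        left = MASK32 & (table[r] ^ left)
        right ^= round_function(table, left)
        left, right = right, left
    # Final whitening with the last two round keys (undoes the last swap).
    return right ^ table[0x54], left ^ table[0x50]


def decrypt_block(table, first, second):
    """Decrypt one 8-byte block.

    ``first`` is the dword at offset +0 of the block and ``second`` the
    dword at +4; the return value is ``(new_first, new_second)`` in the same
    memory order. Round keys are applied from 0x54 down to 0x18.
    """
    for r in range(0x54, 0x14, -4):
        second = MASK32 & (table[r] ^ second)
        first ^= round_function(table, second)
        first, second = second, first
    return second ^ table[0x14], first ^ table[0x10]


def build_key_table(key):
    """Build the dword key table from the fixed seed values and ``key``.

    ``key`` is a text string; its characters are consumed cyclically. The
    original script wrapped at the hard-coded value 0x38, which is the
    length of ``buf_alf``; wrapping at ``len(key)`` gives the same result
    for that buffer.

    Raises:
        ValueError: if ``key`` is empty.
    """
    if not key:
        raise ValueError("key buffer must not be empty")

    table = [0] * TABLE_SIZE
    table[0x00] = 0x92B8374F
    table[0x04] = 0xA38C2612
    table[0x08] = 0x49847091
    table[0x0C] = 0x982D9283
    table[0x10] = 0x92B8374F
    table[0x410] = 0x49847091

    # 1. Round keys 0x14 .. 0x54: arithmetic progression seeded by table[0x4].
    for i in range(0x14, ROUND_KEYS_END, 4):
        table[i] = MASK32 & (table[0x4] + table[i - 4])

    # 2. The four boxes: each is a progression seeded by table[0xC]; the
    #    first entry of the next box is derived from the last entry of the
    #    current one.
    for box_no, base in enumerate(BOX_BASES):
        for i in range(base + 4, base + 0x400, 4):
            table[i] = MASK32 & (table[0xC] + table[i - 4])
        if box_no < 3:
            table[base + 0x400] = MASK32 & (
                table[0x8] ^ (table[0xC] & table[base + 0x3FC]))

    # 3. XOR the round keys with the key buffer, four bytes per dword,
    #    most significant byte first.
    key_len = len(key)
    pos = 0
    for r in range(ROUND_KEYS, ROUND_KEYS_END, 4):
        word = 0
        for _ in range(4):
            word = MASK32 & ((ord(key[pos]) & 0xFF) | (MASK32 & (word << 8)))
            pos = (pos + 1) % key_len
        table[r] ^= word

    # 4. Replace the round keys, then the boxes, with the output of the
    #    cipher applied repeatedly to its own previous output (starting
    #    from an all-zero block). The state carries over from the round
    #    keys into the boxes.
    left = 0
    right = 0
    for i in range(0x14, ROUND_KEYS_END + 4, 8):
        left, right = encrypt_block(table, left, right)
        table[i - 4] = left
        table[i] = right
    for i in range(0x414, BOXES_END + 4, 8):
        left, right = encrypt_block(table, left, right)
        table[i - 4] = left
        table[i] = right

    return table


def hash_to_pattern(value):
    """Return ``value`` as a little-endian, space-separated hex byte pattern.

    The original built this string with ``hex(...).lstrip("0x")``, which
    also strips leading zero digits: any hash with a zero high nibble
    produced a shorter or misaligned pattern and its references were
    annotated wrongly or not at all. All four bytes are always emitted here.
    """
    return ' '.join('%02x' % ((value >> shift) & 0xFF)
                    for shift in (0, 8, 16, 24))


def main():
    """Decrypt every string listed in the offset table and patch the IDB."""
    # Imported here so the key schedule and cipher above can be exercised
    # outside IDA. These are the pre-7.0 idc names the script was written
    # for; later IDAPython releases renamed them (get_wide_dword,
    # patch_dword, set_cmt, find_binary).
    import idaapi
    import idautils  # kept from the original script; not used directly
    import idc

    table_dword = build_key_table(buf_alf)

    entry = 0
    string_count = 0
    while True:
        hash_dword = idc.Dword(addr_crbl + entry)
        addr_encr_str = idc.Dword(addr_crbl + entry + 0x4)
        size_string = idc.Dword(addr_crbl + entry + 0xc)
        if size_string == 0:
            break  # a zero size marks the end of the offset table

        # Annotate every place the hash constant appears with the address
        # of the string it selects (comment goes 4 bytes after the match).
        pattern = hash_to_pattern(hash_dword)
        ea = search_start
        while True:
            ea = idc.FindBinary(ea, idc.SEARCH_DOWN, pattern)
            if ea == idaapi.BADADDR:
                break
            idc.MakeComm(ea + 4, "0x%x" % addr_encr_str)
            ea += 4

        print("string_%d hash_dword:0x%x size=%d addr_str=0x%x" % (string_count,hash_dword,size_string,addr_encr_str))

        # Number of 8-byte blocks: dwords rounded up to a whole pair.
        blocks = (((size_string >> 2) - 1) >> 1) + 1
        for c in range(blocks):
            block_ea = addr_encr_str + (c * 8)
            first, second = decrypt_block(
                table_dword, idc.Dword(block_ea), idc.Dword(block_ea + 4))
            idc.PatchDword(block_ea, first)
            idc.PatchDword(block_ea + 4, second)

        string_count += 1
        entry += 0x10  # next block in offset table


if __name__ == "__main__":
    main()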