RanByUs Decrypt script

'''
0x16/7ton

'''
import idaapi
import idautils
import idc


#config
#alf buffer
buf_alf= "WyIDOSLQoTMMwRBdXFdhMMflIVncWuiouyjkOiWvhEsXvsiJwiIttNIe"
#start address of offset table
addr_crbl=0x101EEA8
#Key Table Init size&value
table_dword = [None]*0x1414
memset_count=0
while (memset_count<0x1414):
    table_dword[memset_count]=0
    memset_count+=1

table_dword [0] = 0x92B8374F;
table_dword [0x4] = 0xA38C2612;
table_dword [0x8] = 0x49847091;
table_dword [0x0c] = 0x982D9283;
table_dword [0x10] = 0x92B8374F;
table_dword [0x410] = 0x49847091;
##Key table creating
round_count=0x0
count=0x11;
i = 0x14

###########1....

while (count):
    table_dword [i]= 0xffffffff &(table_dword [0x4] + table_dword [i- 4])
    i += 4
    count-=1
##########2....
i_start=0x414;
while(1):
    i =i_start
    count = 0xFF
    while ( count ):
        table_dword [i] = 0xffffffff &(table_dword [0xC] + table_dword [i- 4])
        i+= 4;
        count-=1;

    if (round_count==0):
        table_dword[0x810] = 0xffffffff &(table_dword[0x8]^(0xffffffff &(table_dword [0xC] & table_dword[0x80C])))
    if (round_count==1):
        table_dword[0xc10] = 0xffffffff &(table_dword[0x8]^(0xffffffff &(table_dword [0xC] & table_dword[0xC0C])))
    if (round_count==2):
        table_dword[0x1010] =0xffffffff &(table_dword[0x8]^(0xffffffff &(table_dword [0xC] & table_dword[0x100C])))
    if (round_count==3):
        break
    i_start+=0x400;
    round_count+=1;
#########3....
count2 = 0x12;
i=0;
r = 0x10;
magick_dword = 0;

while ( count2):
        magick_dword=0x0;
        count= 4;
        while ( count):
            magick_dword = 0xffffffff &((0x000000ff & ord(buf_alf[i]))| (0xffffffff &(magick_dword<< 8)))
            i+=1
            if ( i == 0x38):
                i = 0
            count-=1
        table_dword[r]^= 0xffffffff &(magick_dword);
        r += 4;
        count2-=1
#########4....
count2=9
magick_dword= 0x0
magick_dword2 = 0x0;
temp_1 = 0x0
temp_2 = 0x0
i=0x14;
while(count2):
    r=0x10;
    count =0x10;
    while ( count ):
        magick_dword= 0xffffffff&(table_dword[r]^ magick_dword)
        r+=4;
        magick_dword2 ^= 0xffffffff&(table_dword[0xffffffff &(4*(magick_dword & 0xFF) + 0x1010)]
                        +(table_dword[0xffffffff & (4*((magick_dword>>8) & 0xff)+0xc10)]
                        ^(table_dword[0xffffffff&(4*((magick_dword>>16) & 0xff)+0x810)]
                        +table_dword[0xffffffff & (4*(magick_dword>>0x18)+0x410)])))
        temp_1 = magick_dword
        magick_dword =magick_dword2
        magick_dword2=temp_1
        temp_2 = magick_dword
        count-=1
    magick_dword =temp_1 ^ table_dword[0x54];
    magick_dword2=temp_2 ^ table_dword[0x50];
    table_dword[i-4]=magick_dword
    table_dword[i]=magick_dword2
    i+=8
    count2-=1
i=0x414
count3=4
while(count3):
    count2=0x80
    while(count2):
        r=0x10;
        count =0x10;
        while ( count ):
            magick_dword= 0xffffffff&(table_dword[r]^ magick_dword)
            r+=4;
            magick_dword2 ^= 0xffffffff&(table_dword[0xffffffff &(4*(magick_dword & 0xFF) + 0x1010)]
                            +(table_dword[0xffffffff & (4*((magick_dword>>8) & 0xff)+0xc10)]
                            ^(table_dword[0xffffffff&(4*((magick_dword>>16) & 0xff)+0x810)]
                            +table_dword[0xffffffff & (4*(magick_dword>>0x18)+0x410)])))
            temp_1 = magick_dword
            magick_dword =magick_dword2
            magick_dword2=temp_1
            temp_2 = magick_dword
            count-=1
        magick_dword =temp_1 ^ table_dword[0x54];
        magick_dword2=temp_2 ^ table_dword[0x50];
        table_dword[i-4]=magick_dword
        table_dword[i]=magick_dword2

        i+=8
        count2-=1
    count3-=1
##############################
#Dword Key table generated
#now decrypt
i=0

size_string=0
string_count=0
addr_encr_str=0
encr_dword=0x0
encr_dword2=0x0
temp_dword=0x0
hash_dword=0x0
while(True):
    size_string=Dword(addr_crbl+i+0xc)
    addr_encr_str=Dword(addr_crbl+i+0x4)
    hash_dword=Dword(addr_crbl+i)

    if (size_string!=0):

        ea=0x01001000
        str_1=hex(hash_dword).rstrip("L").lstrip("0x")
        str_1=[''.join(x) for x in zip(*[list(str_1[z::2]) for z in range(2)])]
        str_1 = ' '.join(["%s" % x for x in str_1[::-1]])
        while True:
            ea = FindBinary(ea, SEARCH_DOWN,str_1 )
            if (ea==idaapi.BADADDR):
                break
            MakeComm(ea+4,"0x%x" % addr_encr_str)
            ea += 4

        print("string_%d hash_dword:0x%x size=%d addr_str=0x%x" % (string_count,hash_dword,size_string,addr_encr_str))
        ###encrypt cycle

        size_string=(((size_string>>2)-1)>>1)+1
        c=0
        while(size_string):

            count=0x10
            r = 0x54

            encr_dword=Dword(addr_encr_str+(c*8))
            encr_dword2=Dword(addr_encr_str+4+(c*8))
            while(count):

                encr_dword2=0xffffffff&(table_dword[r]^ encr_dword2)
                encr_dword ^= 0xffffffff&(table_dword[0xffffffff &(4*(encr_dword2  & 0xFF) + 0x1010)]
                              +(table_dword[0xffffffff & (4*((encr_dword2 >>8) & 0xff)+0xc10)]
                              ^(table_dword[0xffffffff&(4*((encr_dword2>>16) & 0xff)+0x810)]
                              +table_dword[0xffffffff & (4*(encr_dword2>>0x18)+0x410)])))
                temp_1=encr_dword2
                encr_dword2=encr_dword
                encr_dword=temp_1
                count-=1
                r-=4
            temp_dword=encr_dword2
            encr_dword2=temp_1
            encr_dword=temp_dword
            encr_dword=temp_dword^table_dword[0x14]
            encr_dword2^=table_dword[0x10]
            PatchDword(addr_encr_str+(c*8),encr_dword)
            PatchDword(addr_encr_str+4+(c*8),encr_dword2)
            c+=1
            size_string-=1
        string_count+=1
        i+=0x10 #next block in offset table
        ################
    else:
        break