
Zeus2 String Decryption IDC script

// IDA IDC script to decrypt encrypted strings in the Zeus/Zbot 2 malware.
// <interestingmalware@gmail.com>

#include "idc.idc"

  6. static main() {
  7.   auto table = LocByName("_encrypted_strings");
  8.   auto decrypta = LocByName("GetEncryptedStringA");
  9.   auto decryptw = LocByName("GetEncryptedStringW");
  10.  
  11.   Message("Decrypting string table\n");
  12.   fix_table(table);
  13.  
  14.   Message("Commenting calls to %s\n", NameEx(BADADDR, decrypta));
  15.   comment_calls(decrypta, table);
  16.  
  17.     Message("Commenting calls to %s\n", NameEx(BADADDR, decryptw));
  18.   comment_calls(decryptw, table);
  19. }
  20.  
  21. static fix_table(table) {
  22.   auto entry;
  23.   auto xorval, length, data;
  24.   auto index, i, s;
  25.  
  26.   entry = table;
  27.  
  28.   while(1) {
  29.     MakeWord(entry);
  30.     xorval = Word(entry);
  31.    
  32.     MakeWord(entry + 2);
  33.     length = Word(entry + 2);
  34.  
  35.     if(length == 0) return;
  36.  
  37.     data = Dword(entry + 4);
  38.  
  39.     s = strfill(0, length+1);
  40.     for(i=0; i<length; i++) {
  41.       s[i] =  (Byte(data + i) - length) ^ xorval;
  42.     }
  43.  
  44.     // fix up disassembly
  45.     MakeNameEx(data, sprintf("EncString_%.2X", index), SN_CHECK);
  46.     MakeComm(entry + 4, s);
  47.    
  48.     // do next entry
  49.     entry = entry + 8;
  50.     index = index + 1;
  51.   }
  52. }
  53.  
  54. static comment_calls(func, table) {
  55.   auto x, t;
  56.   auto prev;
  57.   auto op;
  58.   auto comm;
  59.  
  60.   // find all references to specified function
  61.   for(x=RfirstB(func); x != BADADDR; x = RnextB(func, x)) {
  62.     // check xref type to make sure it's a call
  63.     t = XrefType();
  64.     if(t == fl_CF || t == fl_CN) {
  65.       // check if previous instruction is 'pop eax'
  66.       prev = PrevHead(x, MinEA());
  67.       if(GetMnem(prev) == "pop" && GetOpnd(prev, 0) == "eax") {
  68.         // now look for the push
  69.         for(; prev != BADADDR; prev = PrevHead(prev, MinEA())) {
  70.           if(GetMnem(prev) == "push") {
  71.             // if we found a push, add a comment for the string
  72.             op = GetOperandValue(prev, 0);
  73.             comm = CommentEx(table + (op * 8) + 4, 0);
  74.            
  75.             // add comment to call
  76.             MakeComm(x, comm);
  77.             break;
  78.           }
  79.         }
  80.       }
  81.     }
  82.   }
  83. }