#!/usr/bin/python
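def decrypt(address, already_decrypted, view=None):
    """Decrypt one NUL-terminated, XOR-obfuscated string in place.

    Starting at ``address``, each byte is read from the binary view,
    XORed with ``0x22`` and written back to the same address, until a
    NUL byte is reached.  Every rewritten address is recorded in
    ``already_decrypted`` so that a string referenced from several call
    sites is not XORed a second time (which would re-encrypt it).

    Args:
        address: start address of the encrypted string inside the view.
        already_decrypted: set of addresses rewritten so far; updated in
            place.
        view: BinaryView to read from and write to.  Defaults to the
            script-console global ``bv`` so existing callers keep working.

    Returns:
        None.  Walking stops silently at a NUL byte, at an address that is
        already in ``already_decrypted``, or when the view has no byte at
        ``address`` (``read`` returns an empty result).
    """
    view = bv if view is None else view
    # walk over string bytes until termination
    while True:
        # skip strings (or tails of strings) we have already rewritten
        if address in already_decrypted:
            return
        # read a single byte from the database; read() yields b'' once the
        # address leaves the backing data, which the original indexed as [0]
        encrypted_byte = view.read(address, 1)
        if not encrypted_byte or encrypted_byte == b'\x00':
            return
        # write the decrypted value as a single raw byte; the original
        # produced a str via chr(), which must be re-encoded and does not
        # round-trip values >= 0x80 as one byte
        view.write(address, bytes([encrypted_byte[0] ^ 0x22]))
        # add to set of decrypted addresses
        already_decrypted.add(address)
        # increment address
        address += 1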
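# address of the sample's string-decryption routine; adjust per sample
TARGET_ADDRESS = 0x10778
# get function instance of target function
target_function = bv.get_function_at(TARGET_ADDRESS)
if target_function is None:
    raise ValueError(
        f"no function defined at {TARGET_ADDRESS:#x}; define it before running this script"
    )
# set of already decrypted byte addresses, shared across all call sites so a
# string referenced from several calls is not XORed back into its encrypted form
already_decrypted = set()
# 1: walk over all callers (set() drops functions that appear more than once)
for caller_function in set(target_function.callers):
    # 2: walk over high-level IL instructions
    for instruction in caller_function.hlil.instructions:
        # 3: keep only direct calls to the target function; an indirect call
        #    destination has no .constant, which made the original raise
        if instruction.operation != HighLevelILOperation.HLIL_CALL:
            continue
        if getattr(instruction.dest, 'constant', None) != target_function.start:
            continue
        # 4: fetch pointers to the encrypted strings (first two arguments)
        params = instruction.params
        if len(params) < 2:
            print(f"skipping call at {instruction.address:#x}: fewer than two arguments")
            continue
        # 5: decrypt strings; .value.value is the constant each argument
        #    resolves to — NOTE(review): for a non-constant argument this is
        #    presumably not an int, confirm before relying on it
        decrypt(params[0].value.value, already_decrypted)
        decrypt(params[1].value.value, already_decrypted)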