-
-
Save b00ls0ck3t/743c0f829c2fd72e2af3921d2462de9f to your computer and use it in GitHub Desktop.
Revisions
-
duzvik created this gist
Jan 29, 2020 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,36 @@ import cutter; import re; cutter.cmd('aa') decode_func_addr = 0x00401210 cutter.cmd("s %d" % decode_func_addr ) func_info = cutter.cmdj("afij") func_size = func_info[0]['size'] print("Function size %d" % func_size) line = decode_func_addr for i in range(func_size): obj = cutter.cmdj("pdj 1 @ %s" % hex(line)) opcode =obj[0]['opcode'] match_object = re.search(r'^mov dword \[(.*)\], eax$', opcode, flags=re.IGNORECASE) if match_object: decoded_addr = match_object.group(1) tmp = cutter.cmdj("pdj -3 @ %s" % hex(line)) match_object = re.search(r'^push (.*?)$', tmp[0]['opcode'], flags=re.IGNORECASE) if match_object: str_addr = match_object.group(1) #get zero terminated string at addr tmp = cutter.cmdj("pszj @ %s" % str_addr) decoded_str = tmp['string'] print("%s %s" % (decoded_addr, decoded_str)) #add comments to all references to decoded_addr for xref in cutter.cmdj('axtj %s' % decoded_addr): if re.match(r"call *", xref['opcode']): # Add comments to each call of the decryption function cutter.cmd('CCu CALL %s @ %d' % (decoded_str, xref['from'])) line = line + 0x1 cutter.refresh()