string_decrypt.py
import idaapi
import idautils
import idc
# Script for decrypting all normal strings in the Lockbit 3.0 binary
# Written by https://github.com/lldre together with Northwave
# This script finds all references to the string decrypt function and
# harvests the encrypted dwords that are pushed before it. It then decrypts
# them using the dword listed inside of the string decrypt function. You
# might have to change this value for each new binary. The key is the
# bitwise-NOT (inverted) version of the key in the actual binary.
# Address of the string-decrypt routine whose callers are enumerated below.
# Sample-specific: confirm it against the binary loaded in the database.
FUNC = 0x00401260
# 32-bit value XORed into every harvested dword by decrypt().
# Sample-specific: re-derive it for each new binary.
KEY = 0xBAF92035
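def harvest_dword_loads(addr):
    """Collect the immediate dwords loaded just before the instruction at addr.

    Walks backwards from ``addr`` one head at a time (at most 100 steps).
    Every ``mov`` whose second operand is an immediate contributes that
    immediate, truncated to 32 bits. Once at least one such ``mov`` has been
    seen, the first instruction that does not match ends the scan.

    Args:
        addr: Address to start scanning backwards from (the call site).

    Returns:
        A reverse iterator over the collected dwords, i.e. the values in
        ascending address order. It is empty when nothing matched.
    """
    ret = []
    # The file imports only idaapi, idautils and idc, so every IDA name is
    # reached through those modules instead of relying on names that the
    # hosting environment may or may not have placed in scope.
    insn = idaapi.insn_t()
    # max lookback of 100
    for _ in range(100):
        if addr == idaapi.BADADDR:
            # Ran off the start of the database; nothing more to inspect.
            break
        # decode_insn returns the instruction length, 0 when the bytes at
        # addr do not decode. A failed decode leaves insn holding the
        # previous instruction, so it must never be read as a fresh match.
        decoded_len = idaapi.decode_insn(insn, addr)
        is_imm_mov = (
            decoded_len > 0
            and insn.itype == idaapi.NN_mov
            and insn.Op2.type == idaapi.o_imm
        )
        if is_imm_mov:
            ret.append(insn.Op2.value & 0xFFFFFFFF)
        elif ret:
            # The contiguous run of immediate movs has ended.
            break
        addr = idc.prev_head(addr)
    return reversed(ret)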
def decrypt(lst):
    """XOR each dword with KEY and return the recovered bytes as a string.

    Every value in ``lst`` is XORed with the module-level ``KEY`` and split
    into four bytes, least significant byte first. Zero bytes are dropped
    wherever they occur; every other byte is mapped through ``chr()``, so
    values above 0x7F come out as the code point with the same number.

    Args:
        lst: Iterable of encrypted integer dwords, in string order.

    Returns:
        The concatenation of all non-zero decoded bytes as a ``str``.
    """
    pieces = []
    for encrypted in lst:
        plain = encrypted ^ KEY
        # Little-endian byte order: bits 0-7 first, bits 24-31 last.
        for shift in (0, 8, 16, 24):
            byte = (plain >> shift) & 0xFF
            if byte != 0:
                pieces.append(chr(byte))
    return "".join(pieces)
# Visit every code cross-reference to the decrypt routine (flow argument 0),
# recover the dwords loaded ahead of that reference and print the result.
# The printed text is derived from the analysed sample, so treat it as
# untrusted data when copying it elsewhere.
for ea in idautils.CodeRefsTo(FUNC, 0):
    encrypted_dwords = harvest_dword_loads(ea)
    plaintext = decrypt(encrypted_dwords)
    print("%X: %s" % (ea, plaintext))