decrypt_backspace.py
import re
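def decrypt_n_comment(func, func_name):
    """
    Decrypt every string handed to ``func_name`` and annotate the database.

    For each cross-reference to ``func_name`` the closest ``push`` found by
    ``search_inst`` is treated as the string argument. ``func`` is called on
    that buffer, the buffer is read back, and the result is stored as a
    comment at the call site, as patched bytes and as a sanitised name.

    func      -- callable taking (address, size). At the bottom of this file
                 an Appcall prototype is passed, so each call executes the
                 analysed binary's own routine inside the debugged process.
                 Use it only on a debuggee confined to an isolated analysis
                 machine.
    func_name -- name of the decryption routine whose callers are walked.

    Call sites that cannot be resolved or decrypted are skipped.
    """
    for xref in XrefsTo(LocByName(func_name)):
        # Argument lookup: operand 0 of the nearest "push" at or before the call.
        string_ea = search_inst(xref.frm, "push")
        if string_ea == idc.BADADDR:
            # Never hand an invalid address to the routine run in the debuggee.
            continue
        string_op = GetOperandValue(string_ea, 0)

        encrypted = GetString(string_op, -1, ASCSTR_C)
        if encrypted is None:
            # The operand is not a readable C string (for instance the push
            # was not an immediate pointer). Formatting None would yield the
            # text "None" and a bogus size, so skip this call site.
            continue
        # NOTE(review): the size is the C-string length, so a buffer holding
        # an embedded NUL byte would be measured short -- confirm per sample.
        size_op = len("{}".format(encrypted))

        # Run the routine on the buffer. Exception (not a bare except) keeps
        # KeyboardInterrupt/SystemExit able to stop the script.
        try:
            func(string_op, size_op)
        except Exception:
            continue

        # Refresh the debugger memory *before* reading the buffer back, so
        # GetString sees what the call wrote rather than cached bytes.
        idc.RefreshDebuggerMemory()
        decrypted = GetString(string_op, -1, ASCSTR_C)
        if decrypted is None:
            continue
        res = "{:s}".format(decrypted)

        try:
            # Comment at the call site.
            MakeComm(xref.frm, res)
            # Patch the string bytes and give the buffer a name. The text
            # comes from the analysed binary, so only word characters are
            # kept for the name.
            idaapi.put_many_bytes(string_op, res)
            name = re.sub(r'\W+', '', res)
            if name:
                # An empty name would not label the buffer; skip it instead.
                MakeName(string_op, name)
        except Exception:
            continue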
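def search_inst(ea, inst):
    """
    Return the address of the nearest instruction whose mnemonic is ``inst``.

    The scan starts at ``ea`` itself and then walks backwards head by head.
    It returns idc.BADADDR when the walk runs out of heads without a match,
    instead of looping forever; callers should check for that value.

    NOTE(review): the walk is not limited to the function containing ``ea``,
    so a match may belong to earlier, unrelated code -- verify the result
    before trusting it as the call's argument.
    """
    while ea != idc.BADADDR:
        if GetMnem(ea) == inst:
            return ea
        # PrevHead yields BADADDR once no earlier defined item exists.
        ea = PrevHead(ea)
    return idc.BADADDR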
# Initialization ------------------------------------------
# Name of the decryption routine. It is used both to find the call sites
# (XrefsTo/LocByName in decrypt_n_comment) and to build the prototype below.
FUNC_NAME = "get_string"
# C prototype given to Appcall: a pointer to the buffer and its size.
PROTO = "int __cdecl {:s}(PCHAR strings, DWORD size);".format(FUNC_NAME)
# Execution -----------------------------------------------
# Appcall.proto() returns a Python callable that runs FUNC_NAME inside the
# debugged process, so an active debugger session is needed and every call
# executes the analysed binary's own code. Keep the debuggee in an isolated
# analysis machine; decrypt_n_comment also patches bytes, comments and
# names, so work on a copy of the database.
decrypt_function = Appcall.proto(FUNC_NAME, PROTO)
decrypt_n_comment(decrypt_function, FUNC_NAME)