• hex-ray 주석

    2020. 8. 25.

    by. ugonfor

    와 한글문서로 쓰여있는게 하나도 없어서 고생했는데 한글로 써놓으신 분이 있다니 ㅠㅠ 압도적 감사

     

    디컴파일된 수도코드의 주석 가져오기

    # IDA에서 분석하고 달아놨던 주석을 모두 가져오기 위해 디스어셈블된 상태에서 가져오는 주석인 idc.GetCommentEx 함수를 사용했지만 디컴파일된 수도코드에서 달아놨던 주석은 못가져온다.. 방법

    suspected.tistory.com

    본인이 작성한 스크립트는 아래와 같다.

     

    스크립트1

    #취약점 분석 9기 유효곤
    
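    def find_function_arg(addr):
        """Walk backwards from *addr* and return the operand of the nearest `push`.

        Used to recover the pointer argument pushed immediately before a call
        to the string-decryption routine.

        Args:
            addr: address of the call instruction (the xref source).

        Returns:
            The immediate/operand value of the `push`, or "" when no `push`
            lies between the start of the enclosing function and *addr*.

        The original loop had no bound: a call site with no preceding `push`
        kept scanning indefinitely and the trailing `return ""` was unreachable.
        """
        # Limit the scan to the enclosing function; BADADDR when addr is not in one.
        func_start = idc.GetFunctionAttr(addr, idc.FUNCATTR_START)
        while True:
            addr = idc.PrevHead(addr)
            if addr == idc.BADADDR:
                return ""
            if func_start != idc.BADADDR and addr < func_start:
                return ""
            if GetMnem(addr) == "push":
                return GetOperandValue(addr, 0)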
    
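    def get_string(addr, max_len=4096):
        """Read a NUL-terminated byte string from the database starting at *addr*.

        Args:
            addr: address of the first byte.
            max_len: upper bound on the number of bytes read; a string with no
                terminator within this many bytes is returned truncated instead
                of scanning on until a 0 byte happens to appear.

        Returns:
            The bytes before the first 0 byte, as a str (one chr per byte).
        """
        chars = []
        for offset in range(max_len):
            # One database read per byte (the original fetched each byte twice).
            b = Byte(addr + offset)
            if b == 0:
                break
            chars.append(chr(b))
        return "".join(chars)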
    
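    def decrypt_str(obf_str):
        """Undo the malware's letter-swap obfuscation on *obf_str*.

        The scheme swaps two 8-letter ranges in each case: i..p <-> r..y and
        I..P <-> R..Y (a shift of 9 code points in either direction). Every
        other character - q/Q, digits, punctuation, whitespace - is copied
        through unchanged.

        Fix: the original tested the uppercase R..Y range with
        `each_str < ord("R") and each_str > ord("Y")`, which can never be true,
        so uppercase R..Y were left untouched while lowercase r..y were shifted.
        The four ranges are now handled symmetrically.

        Args:
            obf_str: the obfuscated string as read from the binary.

        Returns:
            The deobfuscated string, same length as the input ("" for "").
        """
        plain = []
        for ch in obf_str:
            code = ord(ch)
            if ord("i") <= code <= ord("p") or ord("I") <= code <= ord("P"):
                code += 9
            elif ord("r") <= code <= ord("y") or ord("R") <= code <= ord("Y"):
                code -= 9
            plain.append(chr(code))
        return "".join(plain)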
    
    
    print("[*] Attempting to decrypt strings in malware")
    # Every call site of the decryptor at 0x10003b00: recover the pushed
    # pointer, read and decode the string it points to, then annotate both
    # the call instruction and the string with the plaintext.
    for xref in XrefsTo(0x10003b00, flags=0):
        call_ea = xref.frm
        str_ea = find_function_arg(call_ea)
        obf = get_string(str_ea)
        plain = decrypt_str(obf)
        print('[STRING]:%s\n[Deobfuscated]:%s' % (obf, plain))
        MakeComm(call_ea, plain)
        MakeComm(str_ea, plain)

    스크립트2

    #취약점 분석 9기 유효곤
    
    def decrypt_str(src):
        """Undo the malware's string obfuscation: each character is shifted down by 4 code points.

        Args:
            src: the obfuscated string as read from the binary.

        Returns:
            The deobfuscated string, same length as *src*.
        """
        return "".join(chr(ord(ch) - 4) for ch in src)
    
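    def find_function_arg(addr):
        """Walk backwards from *addr* and return the source operand of the nearest `mov`.

        Used to recover the pointer loaded into a register immediately before
        the call to the string-decryption routine.

        Args:
            addr: address of the call instruction (the xref source).

        Returns:
            The second operand of the `mov`, or "" when no `mov` lies between
            the start of the enclosing function and *addr*.

        The original loop had no bound: a call site with no preceding `mov`
        kept scanning indefinitely and the trailing `return ""` was unreachable.
        """
        # Limit the scan to the enclosing function; BADADDR when addr is not in one.
        func_start = idc.get_func_attr(addr, idc.FUNCATTR_START)
        while True:
            addr = idc.prev_head(addr)
            if addr == idc.BADADDR:
                return ""
            if func_start != idc.BADADDR and addr < func_start:
                return ""
            # Prefix match, so movzx/movsx/movaps also qualify (as in the original).
            if print_insn_mnem(addr)[:3] == "mov":
                return get_operand_value(addr, 1)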
    
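    def get_string(addr, max_len=4096):
        """Read a NUL-terminated byte string from the database starting at *addr*.

        Args:
            addr: address of the first byte.
            max_len: upper bound on the number of bytes read; a string with no
                terminator within this many bytes is returned truncated instead
                of scanning on until a 0 byte happens to appear.

        Returns:
            The bytes before the first 0 byte, as a str (one chr per byte).
        """
        chars = []
        for offset in range(max_len):
            # One database read per byte (the original fetched each byte twice).
            b = get_wide_byte(addr + offset)
            if b == 0:
                break
            chars.append(chr(b))
        return "".join(chars)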
    
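    print("[*] Attempting to decrypt strings in malware")
    # For every call site of the decryptor at 0x10001DC0: recover the pointer
    # argument, read and decode the string, then annotate the call site, the
    # string itself and the decompiled pseudocode with the plaintext.
    for x in XrefsTo(0x10001DC0, flags=0):
        ref = find_function_arg(x.frm)
        if ref == "":
            # find_function_arg's not-found sentinel; reading from "" would raise.
            print("[!] no argument found for call at " + hex(x.frm))
            continue
        string = get_string(ref)
        deobf_string = decrypt_str(string)
        print('[STRING]:%s\n[Deobfuscated]:%s' % (string, deobf_string))
        # Non-repeatable (0) disassembly comments on the call and on the string.
        set_cmt(x.frm, deobf_string, 0)
        set_cmt(ref, deobf_string, 0)

        print("[ADDRESS] :" + hex(x.frm))
        # Hex-Rays raises DecompilationFailure when it cannot decompile the
        # function; skip that call site instead of aborting the whole sweep
        # (the disassembly comments above are already in place).
        try:
            ct = idaapi.decompile(x.frm)
        except idaapi.DecompilationFailure as err:
            print("[!] decompile failed at %s: %s" % (hex(x.frm), err))
            continue
        # Pseudocode comment anchored at the statement ending at x.frm
        # (ITP_SEMI = the semicolon position), then persisted to the IDB.
        tl = idaapi.treeloc_t()
        tl.ea = x.frm
        tl.itp = idaapi.ITP_SEMI
        ct.set_user_cmt(tl, deobf_string)
        ct.save_user_cmts()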
        

    스크립트3

    #취약점 분석 9기 유효곤
    
    import string
    # NOTE(review): the `string` module is never used in this script, and the
    # xref loop below rebinds the name `string` to a local str
    # (`string = get_string(ref)`), shadowing the module.
    # Sample obfuscated value; nothing below reads this global (decrypt_str's
    # parameter `s` shadows it).
    s = "krsG22DEWK+Nq5pjyJTPSj6u"
    
    
    
    
    
    def decrypt_str(s):
        """Decode *s* as a base64-style alphabet, then XOR it with an RC4-style keystream keyed by "ANONYBR".

        Args:
            s: the obfuscated string as read from the binary (a str, as returned
               by get_string below).

        Returns:
            A str of len(s) characters: the decoded bytes followed by chr(0)
            padding for every slot of `des` that was never written.

        This is a near-literal transcription of decompiler output; several
        NOTE(review) comments below flag places where the transcription looks
        lossy. Verify against the binary before relying on the output.
        """
        # Copy the input into a per-character list (the C code worked on a byte buffer).
        src = [0]*len(s)
        for i in range(len(s)):
            src[i] = s[i]
    
        # Output buffer; sized like the input, so it is over-allocated.
        des = [0] * len(src)
        cnt = 0
    
        word = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
        key = "ANONYBR"
        after = 0  # unused
        # word_num[c] = index of chr(c) in `word`. For a character that is not
        # in `word` the inner loop runs to completion, so the value is 64 - the
        # same index as '=' - and never -1; the `check >= 0` test below is
        # therefore always true.
        word_num = [0] * 256
        for i in range(256):
            ccccc = -1
            for j in range(len(word)):
                ccccc +=1
                if chr(i) == word[j]:
                    break
            word_num[i] = ccccc
            
        # Alphabet decode: 4 input symbols -> output bytes, selected by cnt_1 % 4.
        cnt_1 = 0
        for i in range(len(src)):
            if ( src[i] ):
                # NOTE(review): src[i] is a 1-char str (copied from s), so these
                # comparisons against ord('=') / ord(' ') can never be true; the
                # '=' terminator and ' '->'+' substitution are effectively disabled.
                if src[i] == ord('=') :
                    break
                if  src[i] == ord(' '):
                    src[i] = ord('+')
                check = word_num[ord(src[i])]
                if ( check >= 0 ):
                    switch = cnt_1 % 4 
                    if switch == 0:
                        des[cnt] = (4 * check)&0xff
                    elif switch == 1:
                        # NOTE(review): the `|=` result is immediately overwritten
                        # by the `=` on the next line (same for switch == 2), so the
                        # high bits of each symbol are dropped. This looks like a
                        # transcription of a `des[cnt++] |= ...; des[cnt] = ...`
                        # pair whose increment landed in the wrong place - confirm
                        # against the decompiled routine.
                        cnt +=1
                        des[cnt] |= (check >> 4)&0xff
                        des[cnt] = (16 * check)&0xff
                    
                    elif switch == 2:
                        cnt +=1
                        des[cnt] |= (check >> 2)&0xff
                        des[cnt] = (check << 6)&0xff
                    
                    elif switch == 3:
                        des[cnt] |= (check)&0xff
                        cnt += 1
                    
                    cnt_1 +=1
    
    
    
    
        # Number of bytes to run the keystream over. NOTE(review): this counts
        # non-zero slots rather than the decoded length, so a genuine 0x00 in the
        # decoded data shortens the XOR pass by one byte.
        size = 0
        for i in range(len(des)):
            if des[i] != 0:
                size += 1
    
        # Flat work buffer mirroring the C layout: buf[4..259] holds the key
        # repeated, buf[1028..1283] holds the 256-entry state table S.
        buf = [0] * 2053
    
        # Unrolled-by-4 initialisation: S[i] = i and buf[4 + i] = key[i % 7]
        # for i in 0..255 (cnt runs 2, 6, ..., 254 -> the loop stops at 258).
        cnt = 2
        cnt_1 = 0
        while(cnt < 258):
            buf[cnt_1 + 1028] = cnt - 2
            buf[cnt_1 + 1029] = cnt - 1
            buf[cnt_1 + 1030] = cnt
            cnt_1 += 4
            buf[cnt_1] = ord(key[(cnt - 2) % 7])
            buf[cnt_1 + 1] = ord(key[(cnt - 1) % 7])
            v4 = cnt % 7
            v5 = cnt + 1
            cnt += 4
            buf[cnt_1 + 1027] = v5
            buf[cnt_1 + 2] = ord(key[v4])
            buf[cnt_1 + 3] = ord(key[v5 % 7])
    
        # Key scheduling: j = (j + S[i] + key[i % 7]) & 0xff; swap S[i], S[j].
        v6 = 0
        for i in range(256):
            v8 = buf[i + 1028]
            t = ((buf[i + 4]))&0xff
            v6 = (v8 + t + v6)&0xff
            buf[i + 1028] = buf[v6 + 1028]
            buf[v6 + 1028] = v8
    
    
        # Keystream generation: i += 1; j += S[i]; swap S[i], S[j];
        # output S[(S[i] + S[j]) & 0xff], XORed into des[i].
        v10 = 0
        v11 = 0
        for i in range(size):
            v11 = 0xff&(v11 + 1)
            v13 = buf[v11 + 1028]
            v10 = (v13 + v10)&0xff
            buf[v11 + 1028] = buf[v10 + 1028]
            buf[v10 + 1028] = v13&0xff
            des[i] ^= 0xff&(buf[0xff&(v13 + 0xff&(buf[v11 + 1028])) + 1028])
    
        # Rebuild a str over the whole buffer; slots never written come out as chr(0).
        # (`re` here is a plain local and shadows the name of the stdlib module.)
        re = ""
        for i in range(len(des)):
            re += chr(des[i])
    
        return re
    
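    def find_function_arg(addr):
        """Walk backwards from *addr* and return the source operand of the nearest `mov`.

        Used to recover the pointer loaded into a register immediately before
        the call to the string-decryption routine.

        Args:
            addr: address of the call instruction (the xref source).

        Returns:
            The second operand of the `mov`, or "" when no `mov` lies between
            the start of the enclosing function and *addr*.

        The original loop had no bound: a call site with no preceding `mov`
        kept scanning indefinitely and the trailing `return ""` was unreachable.
        """
        # Limit the scan to the enclosing function; BADADDR when addr is not in one.
        func_start = idc.get_func_attr(addr, idc.FUNCATTR_START)
        while True:
            addr = idc.prev_head(addr)
            if addr == idc.BADADDR:
                return ""
            if func_start != idc.BADADDR and addr < func_start:
                return ""
            # Prefix match, so movzx/movsx/movaps also qualify (as in the original).
            if print_insn_mnem(addr)[:3] == "mov":
                return get_operand_value(addr, 1)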
    
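    def get_string(addr, max_len=4096):
        """Read a NUL-terminated byte string from the database starting at *addr*.

        Args:
            addr: address of the first byte.
            max_len: upper bound on the number of bytes read; a string with no
                terminator within this many bytes is returned truncated instead
                of scanning on until a 0 byte happens to appear.

        Returns:
            The bytes before the first 0 byte, as a str (one chr per byte).
        """
        chars = []
        for offset in range(max_len):
            # One database read per byte (the original fetched each byte twice).
            b = get_wide_byte(addr + offset)
            if b == 0:
                break
            chars.append(chr(b))
        return "".join(chars)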
    
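    print("[*] Attempting to decrypt strings in malware")
    # For every call site of the decryptor at 0x401AE0: recover the pointer
    # argument, read and decode the string, then annotate the call site, the
    # string itself and the decompiled pseudocode with the plaintext.
    for x in XrefsTo(0x401AE0, flags=0):
        ref = find_function_arg(x.frm)
        if ref == "":
            # find_function_arg's not-found sentinel; reading from "" would raise.
            print("[!] no argument found for call at " + hex(x.frm))
            continue
        string = get_string(ref)
        deobf_string = decrypt_str(string)
        print('[STRING]:%s\n[Deobfuscated]:%s' % (string, deobf_string))
        # Non-repeatable (0) disassembly comments on the call and on the string.
        set_cmt(x.frm, deobf_string, 0)
        set_cmt(ref, deobf_string, 0)

        print("[ADDRESS] :" + hex(x.frm))
        # Hex-Rays raises DecompilationFailure when it cannot decompile the
        # function; skip that call site instead of aborting the whole sweep
        # (the disassembly comments above are already in place).
        try:
            ct = idaapi.decompile(x.frm)
        except idaapi.DecompilationFailure as err:
            print("[!] decompile failed at %s: %s" % (hex(x.frm), err))
            continue
        # Pseudocode comment anchored at the statement ending at x.frm
        # (ITP_SEMI = the semicolon position), then persisted to the IDB.
        tl = idaapi.treeloc_t()
        tl.ea = x.frm
        tl.itp = idaapi.ITP_SEMI
        ct.set_user_cmt(tl, deobf_string)
        ct.save_user_cmts()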
        

     

    대충 보면... 어떻게 API 쓰는지 감 오실 듯... ㅎㅇㅌ
