-
와, 한글 문서로 쓰여 있는 게 하나도 없어서 고생했는데 한글로 써 놓으신 분이 있다니 ㅠㅠ 압도적 감사
본인이 작성한 스크립트는 아래와 같다.
스크립트1
# Author byline (original, Korean): 취약점 분석 9기 유효곤
#
# IDAPython script (IDA 6.x-era API, Python 2 print statements): for every
# cross-reference to the sample's string-decryption routine at 0x10003b00,
# recover the pushed string argument, decode it in Python and write the
# plaintext back into the IDB as comments.
def find_function_arg(addr):
    # Step backwards one instruction at a time from `addr` and return operand 0
    # of the first `push` met; the assumption is that the string pointer is the
    # last value pushed before the call.
    # NOTE(review): the return inside the loop is the only exit -- if no push
    # is found the walk has no stop condition (BADADDR / function start are not
    # checked) and the trailing `return ""` is unreachable. Confirm how
    # idc.PrevHead behaves past the segment start before relying on this.
    while True:
        addr = idc.PrevHead(addr)
        if GetMnem(addr) == "push":
            return GetOperandValue(addr, 0)
    return ""

def get_string(addr):
    # Read a NUL-terminated byte string starting at `addr`, one byte per
    # iteration. There is no length bound; the read stops only at the first
    # zero byte.
    out = ""
    while True:
        if Byte(addr) != 0:
            out += chr(Byte(addr))
        else:
            break
        addr += 1
    return out

def decrypt_str(obf_str):
    # Undo the sample's substitution: i..p is shifted up by 9 (into r..y),
    # r..y is shifted down by 9 (into i..p), I..P is shifted up by 9 (into
    # R..Y); everything else passes through unchanged. Each `if` below tests
    # "NOT in this range" and falls through to the next range check.
    deobf = list(obf_str)
    deobf_str = ""
    num = 0  # unused
    for i in deobf:
        each_str = ord(i)
        if each_str < ord("i") or each_str > ord("p"):
            if each_str < ord("r") or each_str > ord("y"):
                if each_str < ord("I") or each_str > ord("P"):
                    # NOTE(review): `< R and > Y` can never be true, so the
                    # -9 branch is dead and R..Y characters are left as-is.
                    # The three tests above use the `or` / "not in range"
                    # form; the symmetric counterpart here would be `or` with
                    # the two branch bodies swapped (R..Y -> I..P, everything
                    # else unchanged). Verify against the sample's output
                    # before changing it.
                    if each_str < ord("R") and each_str > ord("Y"):
                        each_str -= 9
                        deobf_str += chr(each_str)
                    else :
                        deobf_str += chr(each_str)
                else:
                    # I..P -> R..Y
                    each_str += 9
                    deobf_str += chr(each_str)
            else:
                # r..y -> i..p
                each_str -= 9
                deobf_str += chr(each_str)
        else:
            # i..p -> r..y
            each_str += 9
            deobf_str += chr(each_str)
    return deobf_str

# Walk every xref to the decryption routine and annotate both the call site
# and the encrypted string itself with the recovered plaintext.
print "[*] Attempting to decrypt strings in malware"
for x in XrefsTo(0x10003b00, flags=0):
    ref = find_function_arg(x.frm)   # address of the encrypted string
    string = get_string(ref)
    deobf_string = decrypt_str(string)
    print '[STRING]:%s\n[Deobfuscated]:%s' % (string,deobf_string)
    MakeComm(x.frm, deobf_string)    # comment at the call site
    MakeComm(ref, deobf_string)      # comment on the string data
스크립트2
# Author byline (original, Korean): 취약점 분석 9기 유효곤
#
# IDAPython script (IDA 7.x API, Python 3): for every cross-reference to the
# sample's string-decryption routine at 0x10001DC0, recover the string
# argument, decode it, and store the plaintext both as a disassembly comment
# and as a Hex-Rays pseudocode comment.
def decrypt_str(src):
    """Return `src` with every character shifted down by 4 code points.

    Like the byte-at-a-time original, `chr()` raises ValueError for a
    character whose ordinal is below 4.
    """
    return "".join(chr(ord(ch) - 4) for ch in src)


def find_function_arg(addr):
    """Walk backwards from `addr` and return operand 1 of the first `mov*`.

    Only the first three letters of the mnemonic are compared, so movzx,
    movsx, etc. match as well. The loop has no other exit: when no mov is
    found the walk keeps going and the trailing `return ""` is never reached.
    """
    cur = addr
    while True:
        cur = idc.prev_head(cur)
        mnem = print_insn_mnem(cur)
        if mnem[:3] == "mov":
            return get_operand_value(cur, 1)
    return ""


def get_string(addr):
    """Read a NUL-terminated byte string at `addr`; there is no length bound."""
    chars = []
    cur = addr
    while True:
        b = get_wide_byte(cur)
        if b == 0:
            break
        chars.append(chr(b))
        cur += 1
    return "".join(chars)


# Annotate every call site: disassembly comments at the call and at the
# string data (third argument 0 = regular, non-repeatable comment), then the
# same text anchored at the statement's semicolon in the decompiler view.
print("[*] Attempting to decrypt strings in malware")
for x in XrefsTo(0x10001DC0, flags=0):
    ref = find_function_arg(x.frm)
    string = get_string(ref)
    deobf_string = decrypt_str(string)
    print ('[STRING]:%s\n[Deobfuscated]:%s' % (string,deobf_string))
    set_cmt(x.frm, deobf_string,0)
    set_cmt(ref, deobf_string,0)
    print("[ADDRESS] :"+hex(x.frm))
    ct = idaapi.decompile(x.frm)
    tl = idaapi.treeloc_t()
    tl.ea = x.frm
    tl.itp = idaapi.ITP_SEMI
    ct.set_user_cmt(tl,deobf_string)
    ct.save_user_cmts()
스크립트3
#취약점 분석 9기 유효곤 import string s = "krsG22DEWK+Nq5pjyJTPSj6u" def decrypt_str(s): src = [0]*len(s) for i in range(len(s)): src[i] = s[i] des = [0] * len(src) cnt = 0 word = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" key = "ANONYBR" after = 0 word_num = [0] * 256 for i in range(256): ccccc = -1 for j in range(len(word)): ccccc +=1 if chr(i) == word[j]: break word_num[i] = ccccc cnt_1 = 0 for i in range(len(src)): if ( src[i] ): if src[i] == ord('=') : break if src[i] == ord(' '): src[i] = ord('+') check = word_num[ord(src[i])] if ( check >= 0 ): switch = cnt_1 % 4 if switch == 0: des[cnt] = (4 * check)&0xff elif switch == 1: cnt +=1 des[cnt] |= (check >> 4)&0xff des[cnt] = (16 * check)&0xff elif switch == 2: cnt +=1 des[cnt] |= (check >> 2)&0xff des[cnt] = (check << 6)&0xff elif switch == 3: des[cnt] |= (check)&0xff cnt += 1 cnt_1 +=1 size = 0 for i in range(len(des)): if des[i] != 0: size += 1 buf = [0] * 2053 cnt = 2 cnt_1 = 0 while(cnt < 258): buf[cnt_1 + 1028] = cnt - 2 buf[cnt_1 + 1029] = cnt - 1 buf[cnt_1 + 1030] = cnt cnt_1 += 4 buf[cnt_1] = ord(key[(cnt - 2) % 7]) buf[cnt_1 + 1] = ord(key[(cnt - 1) % 7]) v4 = cnt % 7 v5 = cnt + 1 cnt += 4 buf[cnt_1 + 1027] = v5 buf[cnt_1 + 2] = ord(key[v4]) buf[cnt_1 + 3] = ord(key[v5 % 7]) v6 = 0 for i in range(256): v8 = buf[i + 1028] t = ((buf[i + 4]))&0xff v6 = (v8 + t + v6)&0xff buf[i + 1028] = buf[v6 + 1028] buf[v6 + 1028] = v8 v10 = 0 v11 = 0 for i in range(size): v11 = 0xff&(v11 + 1) v13 = buf[v11 + 1028] v10 = (v13 + v10)&0xff buf[v11 + 1028] = buf[v10 + 1028] buf[v10 + 1028] = v13&0xff des[i] ^= 0xff&(buf[0xff&(v13 + 0xff&(buf[v11 + 1028])) + 1028]) re = "" for i in range(len(des)): re += chr(des[i]) return re def find_function_arg(addr): while True: addr = idc.prev_head(addr) if print_insn_mnem(addr)[:3] == "mov": return get_operand_value(addr, 1) return "" def get_string(addr): out = "" while True: if get_wide_byte(addr) != 0: out += chr(get_wide_byte(addr)) else: break addr += 1 return out 
# Drive the decoder over every xref to the sample's string-decryption routine
# at 0x401AE0: recover the string argument, decode it, and record the
# plaintext both as disassembly comments and as a Hex-Rays pseudocode comment.
print("[*] Attempting to decrypt strings in malware")
for x in XrefsTo(0x401AE0, flags=0):
    ref = find_function_arg(x.frm)   # address of the encoded string (source operand of the nearest preceding mov)
    string = get_string(ref)
    deobf_string = decrypt_str(string)
    print ('[STRING]:%s\n[Deobfuscated]:%s' % (string,deobf_string))
    set_cmt(x.frm, deobf_string,0)   # call-site comment (0 = regular, non-repeatable)
    set_cmt(ref, deobf_string,0)     # comment on the string data itself
    print("[ADDRESS] :"+hex(x.frm))
    # Mirror the comment into the decompiler view, anchored at the semicolon
    # of the statement at x.frm, and persist it in the IDB.
    # NOTE(review): idaapi.decompile needs the Hex-Rays decompiler and its
    # failure is not handled here -- presumably aborts the whole loop.
    ct = idaapi.decompile(x.frm)
    tl = idaapi.treeloc_t()
    tl.ea = x.frm
    tl.itp = idaapi.ITP_SEMI
    ct.set_user_cmt(tl,deobf_string)
    ct.save_user_cmts()
대충 보면.... 어떻게 API 쓰는지 감 오실 듯... ㅎㅇㅌ