The NSString portion is left undecrypted, but that does not hinder the analysis this script supports. Have fun, everyone.
import os.path
import idaapi
import idautils
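import idc


def xxxxxxxx():
    """Decrypt the obfuscated string table at the start of ``__data`` in place.

    Layout this script assumes at ``segm.start_ea`` (all little-endian u32):
      +0  initial key
      +4  total size of the table in bytes, header included
      +8  first ciphertext word, then one word per 4 bytes

    Each word is recovered as ``((cipher ^ 0xDEADBEAF) - key) & 0xFFFFFFFF``
    where ``key`` is the *previous ciphertext* word (a chained running key),
    seeded with the header key.  Every decrypted word is written back with
    ``idaapi.patch_dword``, so the IDB is modified -- take a database
    snapshot (File > Take database snapshot) before running.  NSString
    contents are not handled here.

    Returns:
        None.  Returns early without patching when there is no ``__data``
        segment or when the header length would run past the segment end.
    """
    segm = idaapi.get_segm_by_name("__data")
    if segm is None:
        print("[-] no __data segment found")
        return None

    hdr_key = idaapi.get_dword(segm.start_ea)
    total_size = idaapi.get_dword(segm.start_ea + 4)
    print(" - start address: 0x%x" % segm.start_ea)
    print(" - end address: 0x%x" % segm.end_ea)
    print(" - key: 0x%x" % hdr_key)
    print(" - len: 0x%x" % total_size)

    encrypt_key = hdr_key
    # Size is in bytes and counts the 8-byte header.  Floor division keeps
    # the count an int: '/' yields a float under Python 3 and '%x' below
    # would raise TypeError.
    encrypt_len = total_size // 4 - 2
    encrypt_dat = segm.start_ea + 8
    print(" - key: 0x%x" % encrypt_key)
    print(" - len: 0x%x" % encrypt_len)
    print(" - dat: 0x%x" % idaapi.get_dword(encrypt_dat))

    # A length that runs past the segment means the header was misread (or
    # this is not the expected binary); refuse to patch unrelated data.
    if encrypt_dat + encrypt_len * 4 > segm.end_ea:
        print("[-] table length 0x%x runs past end of __data, aborting" % encrypt_len)
        return None

    while encrypt_len > 0:
        cur_key = idaapi.get_dword(encrypt_dat)
        # XOR with the (deliberately non-standard) 0xDEADBEAF constant, then
        # subtract the running key.  Mask to 32 bits: Python ints do not
        # wrap, and patch_dword expects an unsigned dword, not a negative int.
        dec_data = ((cur_key ^ 0xDEADBEAF) - encrypt_key) & 0xFFFFFFFF
        print(" - dat1:%x" % dec_data)
        idaapi.patch_dword(encrypt_dat, dec_data)
        encrypt_dat += 4
        encrypt_len -= 1
        encrypt_key = cur_key  # running key: previous ciphertext word
    return None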
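# Run only when executed as a script (File > Script file or the IDA console);
# importing this module from another script then has no side effects on the IDB.
if __name__ == "__main__":
    xxxxxxxx()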