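def get_args(addr, max_steps=256):
    """Retrieve the arguments passed to the string-decryption function.

    Walks backwards from the call site one instruction head at a time and
    picks up the two argument set-ups the caller emits: the key loaded into
    ``r8d`` (``mov``) and the address of the encrypted byte array loaded into
    ``rdx`` (``lea``). For each register the match nearest to the call wins,
    since that is the value live when the call is made.

    Args:
        addr: (int) Address at which the decryption function was called.
        max_steps: (int) Upper bound on the number of instruction heads walked
            backwards before giving up. Bounds the search so a call site that
            does not follow the expected pattern cannot make the walk run
            off the start of the segment.

    Returns:
        key: (int) The 32-bit key used to decrypt the string.
        enc_str: (list) Byte array of the encrypted string, as returned by
            ``get_encoded_string``.
        ins_addr: (int) Address of the ``lea`` that references the byte array.

    Raises:
        ValueError: if both arguments were not located within ``max_steps``
            instruction heads, or the walk reached ``idc.BADADDR`` first.
    """
    call_addr = addr
    key = None
    enc_str = None
    ins_addr = None

    for _ in range(max_steps):
        addr = idc.PrevHead(addr)
        if addr == idc.BADADDR:
            # Ran off the start of the database; nothing more to scan.
            break

        mnem = idc.GetMnem(addr)
        if key is None and mnem == "mov" and "r8d" in idc.GetOpnd(addr, 0):
            # r8d is the low dword of r8; mask so a sign-extended operand
            # value cannot leak into the 32-bit key.
            # NOTE(review): the operand is assumed to be an immediate; a
            # register or memory source would yield a bogus key here.
            key = idc.GetOperandValue(addr, 1) & 0xffffffff
        elif ins_addr is None and mnem == "lea" and "rdx" in idc.GetOpnd(addr, 0):
            enc_str_addr = idc.GetOperandValue(addr, 1)
            enc_str = get_encoded_string(enc_str_addr)
            ins_addr = addr

        if key is not None and ins_addr is not None:
            return key, enc_str, ins_addr

    raise ValueError(
        "could not locate key (mov r8d) and string (lea rdx) within %d "
        "instructions before call at 0x%x" % (max_steps, call_addr)
    )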