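def find_oep(insBytes):
    """
    Find the original entry point (OEP) of a code object obfuscated by PjOrion.

    Two entry-point signatures are recognised:

    v1: ``SETUP_EXCEPT`` followed by an intentionally invalid opcode, so that
        executing the second instruction raises and control lands in the
        exception handler.  The handler opens with three ``POP_TOP``s; the OEP
        is the instruction right after them.
    v2: a bare ``JUMP_FORWARD`` / ``JUMP_ABSOLUTE`` as the first instruction;
        the OEP is the jump target.

    The signature checks are ordinary conditionals, not ``assert`` statements:
    under ``python -O`` asserts are stripped, which would make every code object
    "match" v1 and yield a bogus OEP.  Decoder failures while probing v1 (e.g.
    a handler offset taken from the bytecode that points past the end) are
    treated as "no match" rather than swallowed by a bare ``except``.

    :param insBytes: raw bytecode of the code object
    :type insBytes: bytearray
    :returns: the entry point offset, or 0 if no signature matched
    :rtype: int
    """
    dec = Decoder(insBytes)
    ins = dec.decode_at(0)

    oep = _match_pjorion_v1(dec, ins)
    if oep is not None:
        logger.debug('Code entrypoint matched PjOrion signature v1')
        return oep

    if ins.mnemonic == 'JUMP_FORWARD':
        # Relative jump: the argument is measured from the end of this instruction
        logger.debug('Code entrypoint matched PjOrion signature v2')
        return ins.arg + ins.size
    if ins.mnemonic == 'JUMP_ABSOLUTE':
        logger.debug('Code entrypoint matched PjOrion signature v2')
        return ins.arg

    logger.warning('Code entrypoint did not match PjOrion signature')
    return 0


def _match_pjorion_v1(dec, ins):
    """
    Probe the ``SETUP_EXCEPT`` + invalid-opcode + 3x``POP_TOP`` signature.

    :param dec: decoder over the code object's bytecode
    :param ins: the already-decoded instruction at offset 0
    :returns: the OEP offset if the signature matches, else None
    """
    if ins.mnemonic != 'SETUP_EXCEPT':
        return None
    # SETUP_EXCEPT's argument is relative to the instruction that follows it
    exc_handler = ins.arg + ins.size
    try:
        # The second instruction is intentionally invalid: executing it raises
        # and transfers control to the handler.  Its offset is the size of the
        # first instruction rather than a hard-coded 3, so a different argument
        # width still works.
        if dec.decode_at(ins.size).is_opcode_valid():
            return None
        # The handler starts by discarding the exception triple
        for k in range(3):
            if dec.decode_at(exc_handler + k).mnemonic != 'POP_TOP':
                return None
    except Exception as exc:
        # The decoder's error type is not known here, and the handler offset
        # comes straight from untrusted bytecode: an out-of-range or truncated
        # decode simply means the signature does not match.  Log it instead of
        # silently dropping it.
        logger.debug('PjOrion v1 signature probe failed: %s', exc)
        return None
    return exc_handler + 3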