I recently took over a sample that uses a large amount of XOR encryption. Because the sample itself is incomplete it cannot run (so my favourite approach, dynamic debugging, is out; the sample is quite interesting and I will do a full analysis when I have time), so this time I had to turn to IDAPython (IDC would work too). I ran into several problems along the way and record them here.
The sample's string encryption looks like this: very simple, push the arguments onto the stack and repeatedly call sub_1000204d to decrypt.
At this point I want to write a script, and I hope the script can be reasonably generic. Usually the encryption in a sample is implemented by one function, that function does the decryption itself, and its incoming parameters are typically the encrypted string and the key (there are certainly other patterns). Before writing a more generic script, several questions have to be answered:
- How to get the addresses of all calls to the decryption function
- How to get the string that needs to be decrypted
- What the decryption algorithm is
- What to do after decryption (at its simplest, adding comments)
First, the first question: how to get the addresses of the calls to the decryption function.
IDA already provides a function for this, XrefsTo, which returns all references to an address. It can be tested in IDA with a two-line script:
    for x in XrefsTo(0x1000204d, flags=0):
        print(hex(x.frm))
The test results are as follows:
The second question is how to get the encrypted string.
In this example, the function is called as follows.
At this point we need to use several functions.
The first function is PrevHead, which is used to walk the instructions in a region of code: ea is the starting point and minea is the lower bound. Note that this function searches in descending order, in plain words it looks backwards. With it we can get the instructions before the call to the decryption function, that is, the code region where the push offset xxxxx instructions are located.
    long PrevHead(long ea, long minea);
The second function is GetMnem, which is used to get the mnemonic of the instruction at address ea.
    string GetMnem(long ea);
The third function is GetOpnd, which is used to get the operand text of the instruction at address ea. Note that n here is the operand number, starting from 0; for the instruction push offset xxxxx, operand 0 is offset xxxxx.
    string GetOpnd(long ea, long n);
The fourth function is GetOperandValue, which is used to get the value of an operand of the instruction at address ea. Again n is the operand number, starting from 0; for the instruction push offset xxxxx, operand 0 gives the value xxxxx.
    long GetOperandValue(long ea, long n);
Using these functions we can get the encrypted string that the push instruction puts on the stack. The parameter-acquisition function is as follows.
The test results are as follows:
But this only gives us the address of the encrypted string; we still need to compute the end address of the encrypted string.
The third problem is decrypting the string.
Here it is simply XOR decryption, which is easy to implement; other encryption methods can of course be supported by adding further functions.
The fourth problem is adding comments.
This can be done with the function MakeComm(): ea is the address to annotate and comment is the comment text.
    success MakeComm(long ea, string comment);  // add a comment
Putting all of this together:
The result after the script is run.
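The same four steps assembled into one IDAPython script, as an added example that is not the post's own script. It assumes the layout the post describes: the key and then the string pointer are pushed immediately before each call to sub_1000204d, the key is a single byte, and the string ends at a 0 byte (all assumptions). The IDA API calls are passed in as parameters so the pure parts can be run and checked outside IDA.

```python
try:
    import idc, idautils                      # present only inside IDA
except ImportError:                           # pure helpers still run outside IDA
    idc = idautils = None

DECRYPT_FN = 0x1000204D                        # the sample's decrypt routine named in the post

def xor_decrypt(data, key):
    """Single-byte XOR as the post describes (one-byte key is an assumption)."""
    return bytes(b ^ (key & 0xFF) for b in data)

def read_c_string(read_byte, ea, limit=256):
    """Bytes from ea up to the 0 terminator; the string's end address is ea + len(result)."""
    out = bytearray()
    for off in range(limit):
        b = read_byte(ea + off)
        if b == 0:
            break
        out.append(b)
    return bytes(out)

def call_args(call_ea, prev_head, get_mnem, get_opval, count=2, max_steps=8):
    """Step back with PrevHead, collect the nearest `count` push values (nearest first)."""
    args, ea = [], call_ea
    for _ in range(max_steps):                 # bounded: never wander up the whole function
        prev = prev_head(ea, 0)
        if not 0 <= prev < ea:                 # BADADDR (or -1 from a stub) means nothing precedes
            break
        ea = prev
        if get_mnem(ea) == "push":
            args.append(get_opval(ea, 0))
            if len(args) == count:
                break
    return args

def decrypt_call(call_ea, prev_head, get_mnem, get_opval, read_byte):
    """Plaintext for one call site; None when both pushes are not found.
    Assumes the string pointer is pushed last and the key just before it."""
    args = call_args(call_ea, prev_head, get_mnem, get_opval)
    if len(args) != 2:
        return None
    str_ea, key = args
    return xor_decrypt(read_c_string(read_byte, str_ea), key)

def annotate_all():
    """Inside IDA: comment every call to DECRYPT_FN with its decrypted string (old API names
    as in the post; IDA >= 7: prev_head, print_insn_mnem, get_operand_value, get_wide_byte, set_cmt)."""
    for xref in idautils.XrefsTo(DECRYPT_FN, 0):
        plain = decrypt_call(xref.frm, idc.PrevHead, idc.GetMnem, idc.GetOperandValue, idc.Byte)
        if plain is not None:
            idc.MakeComm(xref.frm, plain.decode("latin-1"))
```

Run `annotate_all()` from the IDA script window; call sites whose two pushes cannot be found are skipped rather than mis-commented.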
Use of IDAPython in sample analysis: string decryption