forked from Th4nat0s/Chall_Tools
-
Notifications
You must be signed in to change notification settings - Fork 0
/
dcod_zeustr.py
executable file
·63 lines (52 loc) · 1.69 KB
/
dcod_zeustr.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
#!/usr/bin/python
import sys
# v 0.1
# Copyleft Thanat0s
# http://Thanat0s.trollprod.org
#
# Licence GNU GPL
"""
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 00020eb4 00401000 00401000 00000400 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .data 00000400 00422000 00422000 00021400 2**2
CONTENTS, ALLOC, LOAD, DATA
2 .reloc 00001692 00425000 00425000 00021800 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
"""
filename='facture.unpack.exe'
offset = 0x400
array = 0x00402C80
base = 0x00401000
file = open(filename, 'rb')
byteArr = bytearray(file.read())
file.close()
fileSize = len(byteArr)
index = 0
stringcount = 0
while True:
lena = byteArr[array - base + offset + index ]
lenb = byteArr[array - base + offset + 1 + index]
lenc = byteArr[array - base + offset + 2 + index]
lend = byteArr[array - base + offset + 3 + index]
offa = byteArr[array - base + offset + 4 + index]
offb = byteArr[array - base + offset + 5 + index]
offc = byteArr[array - base + offset + 6 + index]
offd = byteArr[array - base + offset + 7 + index]
if (offa+offb+offc+offd == 0):
break
print ('Str:%02x Len:%02x%02x Key:%02x%02x Off:%02x%02x%02x%02x') % (stringcount, lend,lenc,lenb,lena, offd,offc,offb,offa),
index = index + 8
stringcount = stringcount + 1
strlen = ( lend << 8 ) + lenc
key = lena
stringoff = ( offd << 24 ) + ( offc << 16) + ( offb << 8) + offa
decoded = ''
i = 0
j = 0
while (i < strlen):
decoded = decoded + chr(((byteArr[stringoff - base + offset + i ] ^ key) % 256) ^ j )
i = i + 1
j = (j+ 1 ) % 256
print decoded