最近分析一款病毒,輸入表是空的,並且搜字符串,搜不到函數名,函數名被加密了。
就寫了個腳本把函數名都解密起來,並加註釋,方便在IDA中查看。
完整腳本如下:
def get_string(addr):
out = ""
sourceString = "amNFHufoTRn0P3vI8xBS4t6jM9CqXeibUDEpQ1ZGYywJzAg7sk2lc5WLOrKdhV.?"
destString = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.?"
while True:
if Byte(addr) != 0:
idx=sourceString.find(GetString(addr, 1,ASCSTR_C))
if idx != -1:
out += destString[idx]
else:
break
addr += 1
return out
def get_string_addr(addr):
while True:
addr = PrevHead(addr)
if GetMnem(addr) == "mov" and "edx" == GetOpnd(addr,0):
return addr
return ""
def decrypt_function_name():
base_addr_arry = [0x404D44, 0x404488]
for base_addr in base_addr_arry:
cross_refs=CodeRefsTo(int(base_addr),0)
for code_addr in cross_refs:
stringStartAddr = DataRefsFrom(get_string_addr(code_addr))
for addr in stringStartAddr:
str = get_string(addr)
MakeComm(code_addr, str)
decrypt_function_name()
解密前
解密後
