Я любезно делюсь частью своей коллекции VAC reversing scripts.
Эти скрипты должны использоваться с IDA + IDAPython, то, что они делают, довольно самоочевидно.. Для тех, кто все еще не понимает, скрипты используются для помощи в реверсировании модулей VAC, точнее они: перестраивают/исправляют импорт VACs, расшифровывают зашифрованные таблицы строк VAC и строки.
DecryptStr.py
DecryptImportStringtable.py
FixMainImportTables.py
Эти скрипты должны использоваться с IDA + IDAPython, то, что они делают, довольно самоочевидно.. Для тех, кто все еще не понимает, скрипты используются для помощи в реверсировании модулей VAC, точнее они: перестраивают/исправляют импорт VACs, расшифровывают зашифрованные таблицы строк VAC и строки.
DecryptStr.py
C++:
# Name: DecryptStr.py
# Desc: Decrypt an encrypted VAC3 string at cursor and rename all the refs to it (point the cursor to the start of raw encrypted string data)
# Author: c5 (guidedhacking.com)
import idautils
import idaapi
xorKey = 0x55
# Get cursor address
ea = ScreenEA()
isValid = True
#verify if this could actually be a string
if Byte(ea) == xorKey :
Message("\nError, invalid string\n")
isValid = False
strLen = Byte(ea) ^ xorKey
if strLen > 48 or strLen <= 0 :
Message("\nError, invalid string\n")
isValid = False
if isValid == True :
print("string address: %X" % ea)
#decrypt string
strPlaintext = ""
for i in range(1, strLen + 1) :
strPlaintext += (chr(Byte(ea + i) ^ xorKey))
xorKey = Byte(ea + i)
print("string: %s" % strPlaintext)
#rename string
MakeName(ea, "_str_" + strPlaintext)
#find all refsto the string and rename them
refCount = 0
for xref in XrefsTo(ea, 0) :
refCount += 1
MakeName(xref.frm, "str_" + strPlaintext + str(refCount))DecryptImportStringtable.py
C++:
# Name: DecryptImportStringtable.py
# Desc: Decrypt all encrypted VAC3 strings in a table pointed to by cursor and rename references to them (point cursor at encrypted string table first element (table with array of pointers to raw encrpyted strings))
# Author: c5 (guidedhacking.com)
import idautils
import idaapi
mainXorKey = 0x55
def DecryptStrAndRenameRefs(stringStart) :
xorKey = mainXorKey
ea = stringStart
#verify if this could actually be a string
if Byte(ea) == xorKey :
return 0
strLen = Byte(ea) ^ xorKey
if strLen > 48 or strLen <= 0 :
return 0
#decrypt string
strPlaintext = ""
for i in range(1, strLen + 1) :
strPlaintext += (chr(Byte(ea + i) ^ xorKey))
xorKey = Byte(ea + i)
#rename string
MakeName(ea, "_str_" + strPlaintext)
#find all refsto the string and rename them
refCount = 0
for xref in XrefsTo(ea, 0) :
refCount += 1
MakeName(xref.frm, "str_" + strPlaintext + str(refCount))
return 1
# Get cursor address
tableStart = ScreenEA()
tableItemsCount = 0
currentTableItem = tableStart
while (tableItemsCount < 128) : #some sanity
if Dword(currentTableItem) == 0 :
break
if (DecryptStrAndRenameRefs(Dword(currentTableItem)) == 0) :
break
currentTableItem += 4
tableItemsCount += 1
print("\nTable renamed (%i strings)\n" % tableItemsCount)FixMainImportTables.py
C++:
# Name: FixMainImportTables.py
# Desc: Finds all main imported functions loaded during initialization and renames pointers to them. If a function is "ref'ed to", a __ endix is appended to the name (that usually means this function is directly called)
# Author: c5 (guidedhacking.com)
import idautils
import idaapi
start = 0x10001000
end = 0x10060000
mainXorKey = 0x55
loadModuleImportsPat1 = [0x56, 0x8B, 0x74, 0x24, 0x0C, 0x83, 0x3E, 0x00, 0x75, 0x04, 0x32, 0xC0, 0x5E, 0xC3]
loadModuleImportsMask1 = "xxxxxxxxx?xxxx"
loadModuleImportsPat2 = [0x55, 0x8B, 0xEC, 0x53, 0x8B, 0x5D, 0x0C, 0x8B, 0x03, 0x56, 0x33, 0xF6, 0x3B, 0xC6, 0x75, 0x04, 0x32, 0xC0]
loadModuleImportsMask2 = "xxxxxxxxxxxxxxx?xx"
def DecryptStr(stringStart) :
xorKey = mainXorKey
ea = stringStart
#verify if this could actually be a string
if Byte(ea) == xorKey :
return 0
strLen = Byte(ea) ^ xorKey
if strLen > 48 or strLen <= 0 :
return 0
#decrypt string
strPlaintext = ""
for i in range(1, strLen + 1) :
strPlaintext += (chr(Byte(ea + i) ^ xorKey))
xorKey = Byte(ea + i)
return strPlaintext
def findPattern(current, pat, mask) :
Index = 0
for x in pat :
if mask[Index] == "?" :
Index += 1
continue
if x != Byte(current + Index) :
return 0
else :
Index += 1
return current
# find LoadModuleImports
n = start
found = False
while n < end :
if findPattern(n, loadModuleImportsPat1, loadModuleImportsMask1) != 0 :
print("\nLoadModuleImports: 0x%x" % n)
found = True
break
n += 1
if (found == False) :
n = start
while n < end :
if findPattern(n, loadModuleImportsPat2, loadModuleImportsMask2) != 0 :
print("\nLoadModuleImports: 0x%x" % n)
found = True
break
n += 1
loadModImports = n
funcNamesPatched = 0
if found == True :
for ref in CodeRefsTo(loadModImports, False):
# 68 C8 EF 00 10 push offset str_ntdll_dll1
# 68 1C 45 41 10 push offset hNtdll
# E8 AE FC FF FF call LoadModuleImports
stringTableStart = Dword(ref - 9)
funcTableStart = Dword(ref - 4)
print("Module: %s " % DecryptStr(Dword(stringTableStart)))
print("Functions: %X " % funcTableStart)
# iterate current stringtable
currentItemCount = 0
currentStringTableItem = stringTableStart + 4 #first item is handle to module
while (currentItemCount < 128) :
if Dword(currentStringTableItem) == 0 :
break
decryptedFuncName = DecryptStr(Dword(currentStringTableItem))
if (decryptedFuncName == 0) :
break
# rename functable item
currentFuncPtrItem = funcTableStart + 4 + (4 * currentItemCount)
#print("%X " % currentFuncPtrItem)
#print("%s " % decryptedFuncName)
MakeDword(currentFuncPtrItem)
funcName = "pFn" + decryptedFuncName
refCount = 0
for xref in XrefsTo(currentFuncPtrItem, 0) :
refCount += 1
if refCount > 0 :
funcName += "__"
MakeName(currentFuncPtrItem, funcName)
# next iteration
currentStringTableItem += 4
currentItemCount += 1
funcNamesPatched += currentItemCount
print("%i function pointers renamed\n" % funcNamesPatched)
else :
print("Failed\n")
