import GdaImport
#gjden
# Example: decode obfuscated strings whose indexes are located by a bytecode fingerprint.
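def printStringHex(stri):
    """Return the characters of *stri* as space-separated two-digit hex codes.

    Every character contributes ``"%02x "`` of its ``ord`` value, so the
    result ends with a trailing space and is empty for empty input.  Despite
    the name, nothing is printed; the text is returned to the caller.

    Rendering a decoded string this way keeps control characters taken from
    an analysed sample out of a log or terminal.
    """
    # join() avoids the quadratic cost of repeated string concatenation.
    return ''.join("%02x " % ord(ch) for ch in stri)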
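def decodeString(gda, idx):
    """Decode the obfuscated string stored at string index *idx*.

    The string is fetched with ``gda.GetStringById(idx)`` and each character
    is XORed with an alternating key that is anchored at the END of the
    string: the last character uses 39, the one before it 101, then 39 again,
    and so on towards the front.

    Args:
        gda: object exposing ``GetStringById``.
        idx: integer string index to look up.

    Returns:
        The decoded text, or ``''`` when ``GetStringById`` returns ``None``.
    """
    rawstr = gda.GetStringById(idx)
    if rawstr is None:
        return ''
    keys = (39, 101)
    last = len(rawstr) - 1
    # The distance from the final character selects the key, so the result
    # does not depend on whether the length is odd or even.
    return ''.join(
        chr(ord(ch) ^ keys[(last - pos) % 2])
        for pos, ch in enumerate(rawstr)
    )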
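def GDA_MAIN(gda_obj):
    """Find and decode the obfuscated strings handed to decoder method 0x4fc9.

    For every method index in ``callorIdxList`` of the decoder method (index
    0x4fc9 in the first DEX), the caller's bytecode is dumped as hex text and
    searched for ``c94f``, the decoder's method index in little-endian byte
    order.  When the byte located two bytes before a match is ``71``
    (presumably the Dalvik ``invoke-static`` opcode -- confirm against the
    sample), the two bytes in front of it are read as a little-endian string
    index, that string is decoded with ``decodeString`` and a
    ``[string@IDX] text`` line is collected.  All collected lines are written
    with one ``gda.log`` call.

    Args:
        gda_obj: GDA scripting object; ``DexList``, ``DumpHexData`` and
            ``log`` are used here, and it is passed on to ``decodeString``.

    Returns:
        Always 0.
    """
    gda = gda_obj
    dex = gda.DexList[0]
    decoder_idx = 0x4fc9  # index of the decoding method in the DEX
    decoder = dex.MethodTable[str(decoder_idx)]

    seen_callers = set()
    seen_strings = set()
    lines = []
    for idx in decoder.callorIdxList:
        caller_key = str(idx)
        if caller_key in seen_callers:
            continue
        seen_callers.add(caller_key)
        caller = dex.MethodTable[caller_key]
        # Dump the caller's bytecode, skipping its first 0x10 bytes
        # (presumably the code-item header -- TODO confirm).
        code_hex = gda.DumpHexData(caller.offset + 0x10, caller.size - 0x10,
                                   caller.size - 0x10, 0)
        # Starting at 8 keeps the pos-8 slice below inside the dump.
        start = 8
        end = len(code_hex)
        while True:
            # 'c94f' is method index 0x4fc9 as it appears in the hex dump.
            pos = code_hex.find('c94f', start, end - 1)
            if pos < 0:
                break
            start = pos + 1
            # NOTE(review): this is a plain substring search, so it can also
            # hit at an odd hex offset or inside an unrelated operand, and
            # the instruction loading the string is not verified.  Treat the
            # listed indexes as candidates, not as proven call sites.
            if code_hex[pos - 4:pos - 2] != '71':
                continue
            # The two bytes before the opcode, swapped into big-endian order.
            str_idx = code_hex[pos - 6:pos - 4] + code_hex[pos - 8:pos - 6]
            if str_idx in seen_strings:
                continue  # already decoded
            seen_strings.add(str_idx)
            decoded = decodeString(gda, int(str_idx, 16))
            # NOTE(review): decoded text originates from the analysed sample
            # and is logged verbatim; embedded newlines or control characters
            # can imitate extra "[string@...]" lines.  Escape it (for example
            # with repr() or printStringHex) if the log is consumed by other
            # tooling.
            lines.append("[string@%s] %s\n" % (str_idx, decoded))
    gda.log(''.join(lines))
    return 0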