FinSpyDeob.py
import idaapi
import idc
# MD5 of the one input file this plugin is meant to patch; deobx86_t.init()
# compares it with idc.GetInputMD5() and skips loading on any other database,
# so the byte-patching hook is never installed on an unrelated binary.
input_md5 = '4A49135D2ECC07085A8B7C5925A36C0A'
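class deobX86Hook(idaapi.IDP_Hooks):
    """Processor hook that collapses paired opposite-condition jumps into one JMP.

    The obfuscation handled here emits two conditional jumps whose opcodes differ
    only in bit 0 (jcc followed by jncc) and that share the same target; taken
    together they are an unconditional jump. IDA calls ev_ana_insn when it is
    about to analyse the instruction at insn.ea, so the database bytes are
    rewritten before the instruction is decoded.

    NOTE(review): get_long/put_long are the older IDAPython names; newer
    releases spell them get_dword/put_dword - confirm against the IDA version
    this script targets.
    """

    # Short Jcc opcodes are 70..7F (rel8); near Jcc opcodes are 0F 80..0F 8F (rel32).
    _JCC_SHORT_LO, _JCC_SHORT_HI = 0x70, 0x7F
    _JCC_NEAR_LO, _JCC_NEAR_HI = 0x80, 0x8F

    def __init__(self):
        idaapi.IDP_Hooks.__init__(self)

    def ev_ana_insn(self, insn):
        """Patch a jcc/jncc pair starting at insn.ea into jmp plus NOP padding.

        Returns False in every case so IDA's own analyser still decodes the
        (possibly patched) bytes.
        """
        ea = insn.ea
        b1 = idaapi.get_byte(ea)
        if self._JCC_SHORT_LO <= b1 <= self._JCC_SHORT_HI:
            self._patch_short_pair(ea, b1)
        elif b1 == 0x0F:
            self._patch_near_pair(ea)
        return False

    @staticmethod
    def _patch_short_pair(ea, b1):
        """Rewrite 'jcc rel8; jncc rel8' (2 + 2 bytes) at ea as 'jmp rel8; nop; nop'."""
        d1 = idaapi.get_byte(ea + 1)
        b2 = idaapi.get_byte(ea + 2)
        d2 = idaapi.get_byte(ea + 3)
        # The second jump sits 2 bytes later, so the same target means d2 == d1 - 2.
        # d1 < 2 would make the pair jump into itself and is deliberately not matched.
        if b2 == b1 ^ 0x01 and d1 - 2 == d2:
            idaapi.put_byte(ea, 0xEB)          # jmp rel8, displacement d1 kept as is
            idaapi.put_word(ea + 2, 0x9090)    # second jcc -> nop; nop

    @classmethod
    def _patch_near_pair(cls, ea):
        """Rewrite '0F 8x rel32; 0F 8y rel32' (6 + 6 bytes) at ea as 'jmp rel32' + 7 NOPs."""
        b1_1 = idaapi.get_byte(ea + 1)
        # Only 0F 80..8F are Jcc; other 0F-prefixed instructions (movzx, imul, ...)
        # must never be rewritten even if their trailing bytes happen to line up.
        if not (cls._JCC_NEAR_LO <= b1_1 <= cls._JCC_NEAR_HI):
            return
        d1 = idaapi.get_long(ea + 2)
        b2 = idaapi.get_byte(ea + 6)
        b2_1 = idaapi.get_byte(ea + 7)
        d2 = idaapi.get_long(ea + 8)
        # Same-target condition for a second 6-byte jcc placed 6 bytes later.
        if b2 == 0x0F and b1_1 ^ 0x01 == b2_1 and d1 - 6 == d2:
            idaapi.put_byte(ea, 0xE9)                          # jmp rel32 (5 bytes)
            # jmp is one byte shorter than jcc near, so the displacement grows by 1;
            # mask to 32 bits so a wrapping rel32 never produces an out-of-range write.
            idaapi.put_long(ea + 1, (d1 + 1) & 0xFFFFFFFF)
            idaapi.put_byte(ea + 5, 0x90)                      # pad byte 6 of the first jcc
            idaapi.put_word(ea + 6, 0x9090)                    # second jcc -> nops
            idaapi.put_long(ea + 8, 0x90909090)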
class deobx86_t(idaapi.plugin_t):
    """IDA plugin wrapper that installs deobX86Hook for one specific input file.

    init() stays resident (PLUGIN_KEEP) only when the loaded binary's MD5 equals
    input_md5 and the processor module is x86 (PLFM_386); otherwise it answers
    PLUGIN_SKIP and the patching hook is never created.
    """

    flags = idaapi.PLUGIN_PROC | idaapi.PLUGIN_HIDE
    comment = "Deobfuscator"
    wanted_hotkey = ""
    help = "Runs transparently"
    wanted_name = "deobx86"
    hook = None

    def init(self):
        """Install the analysis hook when this database is the expected sample."""
        self.hook = None
        # The processor id is only queried once the MD5 has matched.
        is_target = (
            idc.GetInputMD5() == input_md5
            and idaapi.ph_get_id() == idaapi.PLFM_386
        )
        if not is_target:
            return idaapi.PLUGIN_SKIP
        self.hook = deobX86Hook()
        self.hook.hook()
        return idaapi.PLUGIN_KEEP

    def run(self, arg):
        """No interactive action; all work happens inside the hook."""
        return None

    def term(self):
        """Detach the hook if init() installed one."""
        if not self.hook:
            return
        self.hook.unhook()
def PLUGIN_ENTRY():
    """Entry point IDA looks up to instantiate the plugin."""
    plugin = deobx86_t()
    return plugin