rzpipe script to decrypt strings from Oski Stealer. Currently contains hardcoded addresses.
Blogpost: https://julian-wolf.eu/2022/06/17/oski-stealer-unpacking-and-string-decryption/
The script can be run standalone from the command line or from within Rizin/Cutter.
Standalone:
.\oski_string_decrypt.py file.exe
From within Rizin:
rizin.exe file.exe
. oski_string_decrypt.py
Comments are added at every call to the decryption function.
In Cutter, as in Rizin, open the console and run the script.