Alexander Hanel Extract Stack Strings + Simple deobfuscate

from unicorn import *
from unicorn.x86_const import *
from capstone import *
from capstone.x86_const import *

# Address where the selected bytes are written into the emulator (see setup()).
BASE_ADDRESS = 0x1000000
# Distance above BASE_ADDRESS at which ESP/EBP start; get_string() reads
# BASE_ADDRESS + STACK_OFFSET - offset, i.e. below the initial stack pointer.
STACK_OFFSET = 0x200000

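def setup(code_bin):
    """Create a 32-bit x86 Unicorn instance with *code_bin* loaded at BASE_ADDRESS.

    Maps an 8MB region at BASE_ADDRESS, writes the bytes there and points
    ESP/EBP at BASE_ADDRESS + STACK_OFFSET so the emulated stack frame lands
    inside the mapped region.  Returns the Uc instance, or None when the
    selection would overlap the stack window or Unicorn reports an error.
    """
    # The code is written upward from BASE_ADDRESS while the stack grows
    # downward from BASE_ADDRESS + STACK_OFFSET; a selection that large would
    # overlap the stack window that get_string() reads.
    if len(code_bin) >= STACK_OFFSET:
        print("ERROR SETUP: selection of 0x%x bytes overlaps the stack region" % len(code_bin))
        return None
    try:
        # Initialize emulator in X86-32bit mode
        mu = Uc(UC_ARCH_X86, UC_MODE_32)

        # map 8MB of memory for this emulation (code region + stack)
        mu.mem_map(BASE_ADDRESS, 8 * 1024 * 1024)

        # write the selected bytes to memory
        mu.mem_write(BASE_ADDRESS, code_bin)

        # initialize the stack registers
        mu.reg_write(UC_X86_REG_ESP, BASE_ADDRESS + STACK_OFFSET)
        mu.reg_write(UC_X86_REG_EBP, BASE_ADDRESS + STACK_OFFSET)
    except UcError as e:
        print("ERROR SETUP:%s" % e)
        return None
    return mu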

# TODO: calculate the string size instead of reading a fixed window
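def get_string(offset, size=0x20):
    """Read a NUL-terminated string from the emulated stack at ``ebp - offset``.

    Example: for ``lea ecx, [ebp+var_44]`` pass ``0x44``.  ``size`` bytes are
    read from BASE_ADDRESS + STACK_OFFSET - offset; the read is cut at the
    first double NUL (if any) and interleaved NULs are then stripped so that
    wide-character stack strings come out as plain text.  Requires the
    module-level ``emu`` instance created by setup().
    """
    # Unicorn returns a bytearray; str() yields the raw bytes under Python 2,
    # which is what the rest of this script (print statement) targets.
    read_str = str(emu.mem_read(BASE_ADDRESS + STACK_OFFSET - offset, size))
    end = read_str.find("\x00\x00")
    # The original sliced with find()'s -1 on a miss, silently dropping the
    # last byte; only truncate when a terminator was actually found.
    if end != -1:
        read_str = read_str[:end]
    return read_str.replace("\x00", "")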

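def get_code():
    """Return ``(start, end, bytes)`` for the current IDA selection, or ``(0, 0, 0)``.

    ``start``/``end`` come from SelStart()/SelEnd() and the bytes from
    GetManyBytes().  ``(0, 0, 0)`` is returned when the selection is empty,
    the bytes cannot be read, or the IDA API raises.
    """
    try:
        start = SelStart()
        end = SelEnd()
        length = end - start
        # No selection (or BADADDR arithmetic) gives a non-positive length.
        if length <= 0:
            return (0, 0, 0)
        data = GetManyBytes(start, length)
        # GetManyBytes is documented to return None when the range cannot be read.
        if data is None:
            return (0, 0, 0)
        return (start, end, data)
    except Exception as e:
        print("ERROR GET_CODE: %s" % e)
        return (0, 0, 0)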

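# Emulate the selected bytes, then read the stack string at the offset the
# user supplies and attach it as a comment on the last selected instruction.
start, end, data = get_code()
if start:
    emu = setup(data)

    if emu:
        try:
            # Bound the run so a looping selection cannot hang IDA;
            # Unicorn's timeout argument is in microseconds.
            emu.emu_start(BASE_ADDRESS, BASE_ADDRESS + len(data), timeout=5 * 1000000)
        except UcError as e:
            print("ERROR START: %s" % e)
        offset = AskLong(0, "Please enter stack offset")
        # AskLong reports a cancelled dialog with -1 (None on some builds);
        # without this check get_string() would read above the initial ESP.
        if offset is None or offset < 0:
            print("no stack offset entered, nothing commented")
        else:
            comment = get_string(offset)
            print("0x%x, %s" % (PrevHead(end), comment))
            MakeComm(PrevHead(end), comment)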


  1. Linda Melson***2&url=[93]+[right_bottom_bottom_1_180]+%D0%BF%D0%B8%D0%B2%D0%BE+%D1%81%D0%BE%D1%87%D0%B8+2017&goto=[44]+[left2]+%D0%97%D0%B0%D0%BF%D0%BB%D1%8B%D0%B2+%D1%87%D0%B5%D1%80%D0%B5%D0%B7+%D0%91%D0%BE%D1%81%D1%84%D0%BE%D1%80&goto=[4]+[sidebar2]+L+radio&goto=!&url=|1|basketstatus=yes&redirect=

  2. Linda Melson

    PROFİL BACKLİNK LİST BACKLİNK LİST 2 BACKLİNK LİST 3 zafer2 blog okey zafer2;URL=^E4X&URL=¤t=,TFvar,00319d4f-d81c-4818-81b1-a8413dc614e6,TFvar,GYDH-Y363-YCFJ-DFGH-5R6H,TFvar, http://www.мфц{0}&sno={1}&link=;redirect=

  3. Linda Melson!hfkaj`&encoded=1&redirect=;redirect=[seite]=