Windows Python / Runtime Function Decryption

Author: irfan_eternal
Platform: Windows
Language: Python
Technique: Runtime Function Decryption

Description:

This Ghidra Python (Jython) script decrypts an XOR-encoded shellcode blob in place: given a size, a single-byte XOR key and the blob's RVA, it reads the bytes at the corresponding virtual address, XORs each byte with the key, and writes the decrypted bytes back into the program's memory so the region can be re-disassembled.

Code

# Ghidra Python (Jython) script; run from the Script Manager with a program open.
# toAddr/getBytes/setByte/clearListing come from Ghidra's FlatProgramAPI and are
# available as globals in a Ghidra Python script.

def decryptShellcode(size, xor_key, rva, image_base=0x400000):
    # Convert the RVA to a virtual address. The original script assumes the
    # default PE image base 0x400000; pass currentProgram.getImageBase().getOffset()
    # for a binary loaded elsewhere.
    addr = toAddr(image_base + rva)

    # Remove existing instructions/data over the whole range so the decrypted
    # bytes can be disassembled cleanly afterwards.
    clearListing(addr, addr.add(size - 1))

    # getBytes() returns a Java byte[] with signed elements (-128..127);
    # mask to 0..255 before XORing.
    enc = [b & 0xFF for b in getBytes(addr, size)]

    for i in range(size):
        dec = enc[i] ^ (xor_key & 0xFF)
        # setByte() takes a Java byte, so convert back into the signed range.
        if dec > 127:
            dec -= 256
        setByte(addr.add(i), dec)
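The following is an added example, not part of the author's script: a stand-alone Python model of the same XOR round trip that runs outside Ghidra. It reproduces the one contract the script has to respect, namely that `getBytes()` hands a Jython script a Java `byte[]` with signed elements and `setByte()` expects a Java byte in that same range. The helper names (`rva_to_va`, `xor_bytes`, `java_bytes`), the sample buffer and the key 0x5A are constructed for this example; no Ghidra API is used.

```python
"""Pure-Python model of the Ghidra XOR decryption script (added example).

Ghidra's getBytes() returns a Java byte[] whose elements are signed
(-128..127) and setByte() takes a Java byte in that range, so a Jython
script must normalise to 0..255 before XORing and back afterwards.
This module mirrors that contract so the logic can be tested offline.
"""

DEFAULT_IMAGE_BASE = 0x400000  # default PE image base assumed by the script


def rva_to_va(rva, image_base=DEFAULT_IMAGE_BASE):
    """Relative virtual address -> virtual address, as toAddr() would receive it."""
    return image_base + rva


def to_unsigned(b):
    """Java signed byte (-128..127) -> 0..255."""
    return b & 0xFF


def to_signed(b):
    """0..255 -> Java signed byte (-128..127), the range setByte() accepts."""
    b &= 0xFF
    return b - 256 if b > 127 else b


def xor_bytes(signed_bytes, key):
    """XOR every byte with a single-byte key.

    Input and output are lists of signed Java-style bytes, mirroring what
    getBytes() returns and what setByte() consumes. XOR is its own inverse,
    so the same function encrypts and decrypts.
    """
    key &= 0xFF
    return [to_signed(to_unsigned(b) ^ key) for b in signed_bytes]


def java_bytes(data):
    """Python bytes -> list of signed ints, as a Java byte[] appears in Jython."""
    return [to_signed(b) for b in data]


def python_bytes(signed_bytes):
    """List of signed Java-style bytes -> Python bytes."""
    return bytes(to_unsigned(b) for b in signed_bytes)


# Constructed sample: a 16-byte plaintext spanning 0x00..0xFF is XOR-encoded
# with key 0x5A to stand in for the encrypted region a script would read
# out of a program.
SAMPLE_PLAINTEXT = bytes(range(0x00, 0x100, 0x11))  # 0x00, 0x11, ..., 0xFF
SAMPLE_KEY = 0x5A
SAMPLE_ENCRYPTED = java_bytes(bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAINTEXT))


def decrypt_sample():
    """Decrypt the constructed sample and return the recovered plaintext."""
    return python_bytes(xor_bytes(SAMPLE_ENCRYPTED, SAMPLE_KEY))


if __name__ == "__main__":
    print("VA for RVA 0x1000:", hex(rva_to_va(0x1000)))
    print("encrypted (Java-signed):", SAMPLE_ENCRYPTED)
    print("decrypted:", decrypt_sample().hex())
```

The conversions are the whole point: a value such as 0xFF coming out of `getBytes()` appears as -1, and a decrypted 0x80 must be handed to `setByte()` as -128, otherwise Jython raises an overflow error when coercing to a Java byte.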

Created

March 22, 2024

Last Revised

April 22, 2024