(Python) Runtime Function Decryption by irfan_eternal

Created the Friday 22 March 2024. Updated 5 months, 3 weeks ago.

Description:

This Ghidra script decrypts shellcode by XORing each byte with a given key and writes the decrypted bytes back to a specified address in the program.

Code

            def decryptShellcode(size, xor_key, rva):
    va = rva + 0x400000
    va = hex(va)[2:]
    addr = toAddr(va)
    addr2 = addr
    enc = get_bytes(toAddr(va), size)
    for i in range(size):
            clearListing(addr2)
            addr2 = addr2.add(1)
    size2 = size
    for i in range(0,size):
        enc[i] = enc[i]^xor_key
        
            
    for i in enc:
       i = i & 0xFF
       setByte(addr, i)
       addr = addr.add(1)