(Python) Runtime Function Decryption by irfan_eternal
Created the Friday 22 March 2024. Updated 5 months, 3 weeks ago.
Description:
This Ghidra script decrypts shellcode by XORing each byte with a given key and writes the decrypted bytes back to a specified address in the program.
Code
def decryptShellcode(size, xor_key, rva):
va = rva + 0x400000
va = hex(va)[2:]
addr = toAddr(va)
addr2 = addr
enc = get_bytes(toAddr(va), size)
for i in range(size):
clearListing(addr2)
addr2 = addr2.add(1)
size2 = size
for i in range(0,size):
enc[i] = enc[i]^xor_key
for i in enc:
i = i & 0xFF
setByte(addr, i)
addr = addr.add(1)