add win x86 supports.

2023-07-10 13:41:20 +08:00 · 2022-04-04 14:55:19 +08:00
parent 3643ec2de3
commit ff414f6d79
3 changed files with 74 additions and 31 deletions
--- a/auto-analysis/win/x64/analysis.py
+++ b/auto-analysis/win/x64/analysis.py
@@ -9,29 +9,30 @@ import struct
 import r2pipe


+def regex_key_iv(asm_obj):
+    asm_regex = []
+    for body in asm_obj:
+        if "=[4]" in body["esil"] and body['type'] == 'mov':
+            opcode, value = body["disasm"].split(", ")
+            if "0x" in value:
+                asm_regex.append({"opcode": opcode, "value": value})
+    return asm_regex
+
+
 def get_aes_key_and_iv(file_path):
    r = r2pipe.open(file_path)
-    # auto analysis
    r.cmd("aaa")
-    # string "base64" x-cross reference
    regex = r.cmdj("axtj @@ str.base64")
    assert len(regex) == 1

    func = regex[0]["fcn_name"]
-    # disasm func
    r.cmd(f"s {func}")
    asm = r.cmdj("pdfj")['ops']
    assert len(asm) != 0

-    asm_regex = []
-    for body in asm:
-        if "=[4]" in body["esil"] and body['type'] == 'mov':
-            opcode, value = body["disasm"].split(", ")
-            asm_regex.append({"opcode": opcode, "value": value})
-
+    asm_regex = regex_key_iv(asm)
    assert len(asm_regex) == 12

    iv = struct.pack("<4L", *[int(asm_regex[i]['value'], 16) for i in range(4)])
    key = struct.pack("<8L", *[int(asm_regex[i]['value'], 16) for i in range(4, 12)])
-    # print(key, iv)
    return key, iv
--- a/auto-analysis/win/x86/analysis.py
+++ b/auto-analysis/win/x86/analysis.py
@@ -0,0 +1,45 @@
+# -*- coding:utf-8 -*-
+"""
+@Author: Mas0n
+@Name: typora_win_x86_analysis
+@Time: 2022/4/3 18:36
+@Desc: It's all about getting better.
+"""
+import struct
+import r2pipe
+
+
+def regex_key_iv(asm_obj):
+    asm_regex = []
+    for body in asm_obj:
+        if "=[4]" in body["esil"] and body['type'] == 'mov':
+            opcode, value = body["disasm"].split(", ")
+            if "0x" in value:
+                asm_regex.append({"opcode": opcode, "value": value})
+    return asm_regex
+
+
+def get_aes_key_and_iv(file_path):
+    r = r2pipe.open(file_path)
+    r.cmd("aaa")
+    regex = r.cmdj("axtj @@ str.base64")
+    assert len(regex) == 1
+
+    func = regex[0]["fcn_name"]
+    r.cmd(f"s {func}")
+    asm = r.cmdj("pdfj")['ops']
+    assert len(asm) != 0
+
+    asm_regex = regex_key_iv(asm)
+
+    iv = struct.pack("<4L", *[int(asm_regex[i]['value'], 16) for i in range(4)])
+
+    # find the set key func
+    call_regex = [i for i in asm if i['size'] == 5 and i['type'] == 'call']
+    r.cmd(f"s {call_regex[1]['jump']}")
+    asm = r.cmdj("pdfj")["ops"]
+    asm_regex = regex_key_iv(asm)
+    assert len(asm_regex) == 8
+
+    key = struct.pack("<8L", *[int(asm_regex[i]['value'], 16) for i in range(8)])
+    return key, iv