Ida pr0 l33b c0den.
from idaapi import stroffflag, offflag
import idaapi
import idc

# Repeating XOR key for the obfuscated strings.
key = [69, 50, 78, 99, 85, 107, 71, 50]

# Start at the cursor and undefine the item there.
ea = idaapi.get_screen_ea()
print ea
MakeUnkn(ea, DOUNK_SIMPLE)

# The obfuscated string runs up to the first NUL byte.
startEA = ea
while (Byte(ea) != 0):
    ea = ea + 1
endEA = ea
size = (endEA - startEA)
print "Size = ", size

bytes = map(ord, GetManyBytes(startEA, size))
print "Obfuscated bytes: ", bytes

# magic.
decryptedData = ''.join([chr((bytes[i])^int(key[i%len(key)])) for i in xrange(len(bytes))])
print "Done: ", decryptedData

# Patch the decoded bytes back into the database and define the string.
i = 0
for ea in range(startEA, endEA):
    PatchByte(ea, ord(decryptedData[i]))
    i = i + 1
MakeStr(startEA, endEA)
It is hard to find the strings directly from xrefs to your 'decryption'
function. Like I said -- there is no reason to obfuscate code.
On Thu, Apr 12, 2012 at 12:53 PM, Stefan Giroux <[email protected]> wrote:
> There is no need to obfuscate your strings. From what it looks like, this
> program downloads code from
> http://tftrue.redline-utilities.net/TriggerBotDetector.dll
> At least make it clear that your plugin goes out to the web to download
> code if it does. If it doesn't, there is no need for curl.
>
>
> On Thu, Apr 12, 2012 at 9:40 AM, Crazed Gunman <[email protected]> wrote:
>
>> I don't think he's given anyone a reason not to trust him. I'd give it a
>> shot on his word.
>>
>> On 4/11/2012 5:17 PM, Asher Baker wrote:
>>
>>> On Wed, Apr 11, 2012 at 7:06 PM, Andrew DeMerse<[email protected]>
>>> wrote:
>>>
>>>> Sure, it's use at your own risk, but so is Sourcemod, Mani, etc.
>>>> Names 2 things that are fully open source.
>>>>
>>> But, joking aside, AnAkIn is pretty trustworthy.
>>>
>>> On Wed, Apr 11, 2012 at 7:06 PM, Andrew DeMerse<[email protected]>
>>> wrote:
>>>
>>>> Anakin has been around on the list for a very long time, and has
>>>> provided
>>>> nothing but good advice, fixes, and insight. If his plugin is anything
>>>> malicious, which I doubt, I have full backups, and it's easy enough to
>>>> fix.
>>>>
>>>> Sure, it's use at your own risk, but so is Sourcemod, Mani, etc.
>>>>
>>>>
>>>> On Wed, Apr 11, 2012 at 1:58 PM, Sebastian Iskra<[email protected]>
>>>> wrote:
>>>>
>>>>> At least I made a valid point Mr. Marbury.
>>>>>
>>>>> On Wed, Apr 11, 2012 at 12:55 PM, John Marbury<[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Said the random sea-bass.
>>>>>>
>>>>>> _______________________________________________
>>>>>> To unsubscribe, edit your list preferences, or view the list archives,
>>>>>> please visit:
>>>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds