
Creating helper scripts for r2

Currently I am playing around with Duqu. Therefore I created a little script for decrypting the strings it uses. I simply wrote a class that automatically registers all of its methods as alias commands in r2. To see the registered commands type:

[0x10001ae9]> $
$decrypt

To decrypt a string at the given address:

[0x10001ae9]> $decrypt 0x10032134
avp.exe

That's the current version of the script:

import array
import os
import struct
import sys

import r2pipe


def int_to_bytes(val, num_bytes):
    """Return the low ``num_bytes`` bytes of ``val`` as a little-endian list of ints.

    Byte 0 of the result is the least significant byte; bytes above
    ``num_bytes`` are discarded.
    """
    shifts = [8 * index for index in range(num_bytes)]
    return [(val >> shift) & 0xff for shift in shifts]


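class r2:
    """Helper around an r2pipe session whose methods become ``$`` aliases in r2.

    Every public method except ``register_commands`` is registered as a
    ``$name`` alias that re-runs this script through ``#!pipe`` with the
    method name as its first argument (see ``main``).
    """

    # XOR key applied to each 32-bit word of an encrypted string in the
    # analysed sample.
    STRING_KEY = 0x86f186f1
    # Upper bound on additional dwords read per string, so a missing
    # terminator cannot turn into an endless walk through memory.
    MAX_DWORDS = 100

    def __init__(self):
        self.r2 = r2pipe.open()
        self.own_file = os.path.realpath(__file__)
        # Section list from "iSj"; kept for command methods to use, not read
        # by the methods defined here.
        self.sections = self.r2.cmdj("iSj")
        # Command methods: every callable attribute whose name is public.
        # Single-underscore helpers are excluded so they never become aliases.
        self.method_list = [name for name in dir(self)
                            if callable(getattr(self, name))
                            and not name.startswith("_")
                            and name != "register_commands"]
        self.register_commands()

    def register_commands(self):
        """Register each command method as an r2 ``$`` alias unless it exists.

        The alias listing returned by ``$`` is compared name by name (one
        alias per line; anything after ``=`` is ignored), not by substring,
        so an existing ``$decrypt2`` no longer hides a missing ``$decrypt``.
        """
        existing = set()
        for line in self.r2.cmd("$").splitlines():
            existing.add(line.strip().split("=", 1)[0])
        for method in self.method_list:
            if "$" + method not in existing:
                # The alias re-invokes this script via #!pipe. own_file is
                # inserted unquoted, so a script path containing spaces
                # would yield a broken alias.
                self.r2.cmd("$%s=#!pipe %s %s"
                            % (method, self.own_file, method))

    def _decrypt_dword(self, addr):
        """Read the dword at ``addr`` via ``pvj``, XOR it with ``STRING_KEY``
        and return its four bytes in little-endian order."""
        raw = self.r2.cmdj("pvj @ 0x%x" % addr)['value']
        return struct.pack("<I", (raw ^ self.STRING_KEY) & 0xffffffff)

    def decrypt(self, addr):
        """Decrypt and print the XOR-obfuscated string stored at ``addr``.

        ``addr`` is a hexadecimal string, with or without ``0x``, as passed
        from the r2 command line. Dwords are read and XORed with
        ``STRING_KEY`` until the second-to-last decoded byte is zero.
        NOTE(review): that check reads like the low byte of a 16-bit unit,
        i.e. the strings are presumably UTF-16LE and the printed bytes carry
        embedded NULs that a terminal does not show - confirm on the sample.

        Returns the decoded bytes, or ``None`` when no terminator was found
        within ``MAX_DWORDS`` further reads (a warning is written to stderr).
        """
        addr = int(addr, 16)
        decoded = bytearray(self._decrypt_dword(addr))
        offset = 0
        count = 0
        while decoded[-2] != 0:
            offset += 4
            decoded.extend(self._decrypt_dword(addr + offset))
            if count > self.MAX_DWORDS:
                sys.stderr.write("decrypt: no terminator within %d dwords of 0x%x\n"
                                 % (self.MAX_DWORDS, addr))
                return None
            count += 1
        result = bytes(decoded)
        # print() with a single argument behaves the same on Python 2 and 3;
        # on Python 3 the bytes repr (b'...') is shown rather than raw bytes.
        print(result)
        return result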

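def main(argv):
    """Dispatch an r2 alias invocation: ``argv[0]`` names the command method,
    ``argv[1]`` (if present) is passed as its single argument.

    Only names in ``tool.method_list`` are dispatched, so the ``#!pipe``
    argument cannot reach arbitrary attributes such as the r2pipe session.
    Unknown names are reported on stderr instead of raising AttributeError
    (the original ``is not None`` check never fired, because ``getattr``
    without a default raises rather than returning ``None``).
    """
    tool = r2()
    if not argv:
        return
    name = argv[0]
    if name not in tool.method_list:
        sys.stderr.write("unknown command: %s\n" % name)
        return
    method = getattr(tool, name)
    # Extra arguments beyond the first are ignored, as before.
    if len(argv) >= 2:
        method(argv[1])
    else:
        method()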

# Entry point used by the "$name=#!pipe <script> name" aliases r2 registers.
if __name__ == "__main__":
    main(sys.argv[1:])

