from __main__ import *
def find_calc_api_hash_func():
    """Locate the routine assumed to compute the API-name hash.

    The search is a Ghidra ``findBytes`` regex over raw program bytes
    matching the core of the hash loop seen in the analysed sample:

    00402b5c 8b 55 fc MOV EDX,dword ptr [EBP + local_8]
    00402b5f 0f be 03 MOVSX EAX,byte ptr [EBX]
    00402b62 89 45 fc MOV dword ptr [EBP + local_8],EAX
    00402b65 01 75 fc ADD dword ptr [EBP + local_8],ESI
    00402b68 d3 e2 SHL EDX,param_1
    00402b6a 01 55 fc ADD dword ptr [EBP + local_8],EDX
    00402b6d 29 7d fc SUB dword ptr [EBP + local_8],EDI

    Returns the function containing the first match, or None when the
    pattern is absent (or ``getFunctionContaining`` yields nothing).
    """
    # Opcode bytes are fixed; ModRM/displacement bytes are wildcarded so
    # the match survives register or stack-slot re-encoding between builds.
    # NOTE(review): this is a bytes literal whereas the lib pattern is a
    # plain str; under Jython 2 both are the same type -- confirm behaviour
    # if run under a Python 3 based Ghidra.
    pattern = b'\\x8b.{2,3}\\x0f.{2,3}\\x89.{2,3}\\x01.{2,4}\\xd3\\xe2\\x01.{2,3}\\x29.{2,3}'
    # start=None: presumably searches from the beginning of program memory.
    matches = findBytes(None, pattern, -1)
    if not matches:
        return None
    return getFunctionContaining(matches[0])
def find_calc_lib_hash_func():
    """Locate the routine assumed to compute the library-name hash.

    The search is a Ghidra ``findBytes`` regex over raw program bytes
    matching the case-folding step of the loop seen in the analysed sample
    (bytes in 'A'..'Z' get 0x20 added, i.e. are lower-cased):

    00402c29 d3 e7 SHL EDI,libname
    00402c2b 83 f8 41 CMP char_hex,0x41
    00402c2e 72 08 JC LAB_00402c38
    00402c30 83 f8 5a CMP char_hex,0x5a
    00402c33 77 03 JA LAB_00402c38
    00402c35 83 c0 20 ADD char_hex,0x20

    Returns the function containing the first match, or None when the
    pattern is absent (or ``getFunctionContaining`` yields nothing).
    """
    # Only the ModRM byte of each CMP/ADD is wildcarded; the immediates
    # 0x41 / 0x5a / 0x20 and the branch encodings are matched exactly.
    pattern = '\\xd3\\xe7\\x83.{1}\\x41\\x72\\x08\\x83.{1}\\x5a\\x77\\x03\\x83.{1}\\x20'
    # start=None: presumably searches from the beginning of program memory.
    matches = findBytes(None, pattern, -1)
    if not matches:
        return None
    return getFunctionContaining(matches[0])
def get_xor_key(calc_hash_func):
    """Return the XOR constant applied right after a call to *calc_hash_func*.

    Every reference to the function's entry point is treated as a call
    site and the instruction following it is inspected; the expected shape is

        CALL calc_hash
        XOR EAX,0x<XOR-KEY>

    Returns the immediate operand object of the first matching XOR, or None
    when no call site is followed by such an instruction.
    """
    entry = calc_hash_func.getEntryPoint()
    for ref in getReferencesTo(entry):
        call_site = ref.getFromAddress()
        following = getInstructionAfter(call_site)
        # Match on the disassembly text; only an immediate XOR against EAX
        # is taken as the key application. If no instruction follows,
        # str(None) simply fails the prefix test.
        if not str(following).startswith('XOR EAX,0x'):
            continue
        return following.getOpObjects(1)[0]
    return None
def get_api_xor_key():
    """Return the API-hash XOR key, or None if the hash routine is not found."""
    hash_func = find_calc_api_hash_func()
    return get_xor_key(hash_func) if hash_func else None
def get_lib_xor_key():
    """Return the library-hash XOR key, or None if the hash routine is not found."""
    hash_func = find_calc_lib_hash_func()
    return get_xor_key(hash_func) if hash_func else None
def main():
    """Print the Lib key first, then the API key, reporting absence explicitly."""
    lib_key = get_lib_xor_key()
    lib_line = ('[*] XOR key for Lib: {}'.format(lib_key)
                if lib_key else '[*] XOR key for Lib was not found')
    print(lib_line)

    api_key = get_api_xor_key()
    api_line = ('[*] XOR key for API: {}'.format(api_key)
                if api_key else '[*] XOR key for API was not found')
    print(api_line)
if __name__ == '__main__':
    # Script entry point; relies on the Ghidra flat API names pulled in
    # via `from __main__ import *` above.
    main()