NexusFuzzy / vidar_decrypt_strings

Ghidra Python script to decrypt strings in Vidar samples

vidar_decrypt_strings

If you want to try it out, you can grab the sample used here from Tria.ge: https://tria.ge/230302-sq9zysda8v

How to find the function which starts the decryption for all strings

  • In Ghidra, open Window -> Defined Strings.
  • Scroll through the list of strings and you'll notice a lot of strings of the same (encrypted) kind.
  • Right-click one of those strings in the Listing window and choose "References" > "Show References to Address".
  • Double-click the reference and you land in the function we need.
  • Take note of the name of the function that is called repeatedly (in this case func_decrypt_string).
  • Open the Script Manager via "Window" > "Script Manager".
  • Click "New Script".
  • Choose Python.
  • Paste in the contents of main.py from this repository.
  • Replace "func_decrypt_string" with the actual name of the decrypt function you noted earlier.
  • Run the script; the Listing is populated with comments containing the decrypted strings.
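The script below is an added example in the shape the steps above describe; it is not the repository's main.py (whose contents are not shown on this page). It assumes a 32-bit x86 sample in which the pointer to the encrypted string is passed with a `PUSH imm32` shortly before the `CALL` to the decrypt function, and it uses only Ghidra's FlatProgramAPI globals (`getGlobalFunctions`, `getReferencesTo`, `getInstructionAt`, `getInstructionBefore`, `getByte`, `toAddr`, `setEOLComment`), so it runs under Ghidra's Jython. The page does not describe the decryption routine itself, so `decrypt_string_stand_in` is a placeholder single-byte XOR (an assumption, not Vidar's algorithm) that you replace with a reimplementation of the routine recovered from `func_decrypt_string`; the function name and the `STAND_IN_XOR_KEY` constant are likewise assumptions to adjust per sample.

```python
# Added example of a Ghidra Jython string-annotation script (not the
# repository's main.py).  Assumptions: x86-32 target, encrypted-string
# pointer passed via PUSH imm32 before the CALL, and a placeholder
# decryption transform that must be replaced with the sample's routine.

DECRYPT_FUNC_NAME = "func_decrypt_string"  # rename to the function noted in the Listing
MAX_BACKTRACK = 6                           # instructions to walk back from each CALL
MAX_STRING_LEN = 256                        # upper bound when reading a NUL-terminated blob
STAND_IN_XOR_KEY = 0x4F                     # placeholder key; NOT recovered from Vidar


def decrypt_string_stand_in(data, key=STAND_IN_XOR_KEY):
    """Placeholder transform (assumption, not Vidar's routine): XOR every
    byte with `key`.  Replace the body with the algorithm recovered from
    the sample's decrypt function."""
    return "".join(chr((b ^ key) & 0xFF) for b in bytearray(data))


def recover_push_argument(instrs):
    """Return the immediate of the nearest PUSH <imm> in `instrs`, a list of
    (mnemonic, scalar) pairs ordered newest first (the instruction right
    before the CALL comes first).  Stops at an earlier CALL, because a PUSH
    before that CALL belongs to it, not to the decrypt call."""
    for mnem, scalar in instrs:
        mnem = mnem.upper()
        if mnem == "CALL":
            return None
        if mnem == "PUSH" and scalar is not None:
            return scalar
    return None


def backtrack_instructions(call_instr, limit):
    """Ghidra-only: collect (mnemonic, scalar) for up to `limit` instructions
    preceding `call_instr`, newest first.  getScalar(0) is None for
    register or memory operands, which recover_push_argument skips."""
    out = []
    ins = getInstructionBefore(call_instr)
    while ins is not None and len(out) < limit:
        scalar = ins.getScalar(0)
        value = scalar.getUnsignedValue() if scalar is not None else None
        out.append((ins.getMnemonicString(), value))
        ins = getInstructionBefore(ins)
    return out


def read_c_string(addr, limit=MAX_STRING_LEN):
    """Ghidra-only: read bytes at `addr` up to a NUL byte or `limit`."""
    buf = bytearray()
    while len(buf) < limit:
        b = getByte(addr) & 0xFF          # Java bytes are signed; mask to 0..255
        if b == 0:
            break
        buf.append(b)
        addr = addr.add(1)
    return bytes(buf)


def annotate_decrypt_calls(func_name=DECRYPT_FUNC_NAME):
    """Ghidra-only: for every CALL to `func_name`, recover the pushed string
    pointer, decrypt the blob and drop the result as an EOL comment on the
    call site.  Returns the number of call sites annotated."""
    funcs = getGlobalFunctions(func_name)
    if not funcs:
        print("decrypt function %s not found; check its name in the Listing" % func_name)
        return 0
    entry = funcs[0].getEntryPoint()
    count = 0
    for ref in getReferencesTo(entry):
        if not ref.getReferenceType().isCall():
            continue                        # skip data references and jumps
        call_site = ref.getFromAddress()
        call_instr = getInstructionAt(call_site)
        if call_instr is None:
            continue
        arg = recover_push_argument(backtrack_instructions(call_instr, MAX_BACKTRACK))
        if arg is None:
            continue                        # argument not a PUSH imm32: handle manually
        plain = decrypt_string_stand_in(read_c_string(toAddr(arg)))
        setEOLComment(call_site, "decrypted: %r" % plain)
        count += 1
    return count


if "currentProgram" in globals():           # true only inside Ghidra's script runner
    print("annotated %d call sites" % annotate_decrypt_calls())
```

The argument recovery deliberately stops at a preceding `CALL`: a `PUSH` before that call is its argument, so walking past it would annotate the wrong string. If the sample passes the pointer in a register instead (for example a `MOV ecx, imm32` fastcall pattern), extend `recover_push_argument` to match that mnemonic; the skipped call sites are easy to spot because they receive no comment.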

Languages

Language:Python 100.0%