Ghidra Python script to decrypt strings in Vidar samples
If you want to try it out you can grab the used sample from Tria.ge here: https://tria.ge/230302-sq9zysda8v
- In Ghidra, click on Window -> Defined Strings
- Scroll through the list of strings and you'll notice A LOT of strings of this kind (encrypted, non-meaningful text).
- Right click on one of those strings in the Listing window and choose "References" > "Show references to Address"
- Double click on the reference and you will get to the function we need.
- Take note of the function name that is called repeatedly (in this case func_decrypt_string).
- Open the script manager through "Window" > "Script Manager"
- Click on "New Script"
- Choose Python
- Paste in the content of main.py from this repository
- Replace "func_decrypt_string" with the actual name of the decrypt function you took note of earlier
- Run the script and you will see that the Listing gets populated with comments containing the decrypted strings.
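As an added illustration of what such a script has to do (this is not main.py from the repository), the Ghidra Jython script below finds every call to the decrypt function, reads the string pointer PUSHed just before the CALL, decrypts it and writes the result as an end-of-line comment. It assumes a 32-bit x86 sample where the string argument is pushed as an immediate, and uses a constructed single-byte XOR as a stand-in for the real routine, which you must reimplement from what func_decrypt_string actually does in your sample.

```python
DECRYPT_FUNC = "func_decrypt_string"   # name noted from the Listing in the steps above
XOR_KEY = 0x5A                          # constructed placeholder key, not taken from Vidar

def xor_decrypt(ciphertext, key=XOR_KEY):
    """Stand-in decryption; replace with the sample's real algorithm."""
    return "".join(chr((ord(c) ^ key) & 0xff) for c in ciphertext)

def read_cstring(addr, max_len=512):
    """Read a NUL-terminated string from program memory (Ghidra flat API)."""
    out = []
    for i in range(max_len):
        b = getByte(addr.add(i)) & 0xff
        if b == 0:
            break
        out.append(chr(b))
    return "".join(out)

def find_pushed_string(call_insn, max_back=8):
    """Walk back from a CALL to the nearest PUSH imm that points at defined data."""
    insn = call_insn
    for _ in range(max_back):
        insn = getInstructionBefore(insn)
        if insn is None:
            return None
        if insn.getMnemonicString() != "PUSH":
            continue
        for op in insn.getOpObjects(0):
            if hasattr(op, "getUnsignedValue"):       # a Scalar immediate operand
                target = toAddr(op.getUnsignedValue())
                if getDataAt(target) is not None:     # address of a defined string
                    return read_cstring(target)
    return None

def annotate_calls(func_name=DECRYPT_FUNC, decrypt=xor_decrypt):
    """Comment every call site of func_name with its decrypted argument; returns count."""
    funcs = getGlobalFunctions(func_name)
    if not funcs:
        return 0
    done = 0
    for ref in getReferencesTo(funcs[0].getEntryPoint()):
        if not ref.getReferenceType().isCall():
            continue
        call_insn = getInstructionAt(ref.getFromAddress())
        enc = find_pushed_string(call_insn) if call_insn else None
        if enc is None:
            continue
        setEOLComment(ref.getFromAddress(), "decrypted: %s" % decrypt(enc))
        done += 1
    return done

if "currentProgram" in globals():      # true only when run from Ghidra's Script Manager
    print("annotated %d call sites" % annotate_calls())
```

If the argument is passed in a register instead of being pushed (64-bit builds or a different compiler), extend find_pushed_string to look for the corresponding MOV/LEA instead of PUSH.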