psrok1 · December 18, 2019 19:26
diff --git a/icedid-strings.py b/icedid-strings.py
 """
 IDAPython (py2), tested on IDA 7.3.
 malduck.idamem is pretty beta thing, but should work in most cases.
 """

 import string
 from malduck import idamem, utf16z


 def decrypt_strings(addr):
    ida = idamem()
    while addr + 4 < SegEnd(addr):
        length = (ida.uint32v(addr) ^ ida.uint16v(addr + 4)) & 0xffff
        if length < 3 or length > 0x100:
            addr += 1
            continue
        out = ''
        key = ida.uint32v(addr, fixed=True)
        for i in range(length):
            key = key.ror(3) + i
            out += chr((ida.uint32v(addr + 6 + i) ^ key) & 0xff)
        if out.endswith("\x00") and all(map(lambda c: c in string.printable + "\x00", out)):
            yield addr, repr(out[:-1]) if out[1] != '\x00' else repr(utf16z(out))
            addr += length
        else:
            addr += 1

 for va, decrypted_string in decrypt_strings(list(Segments())[2]):
    print(hex(va), decrypted_string)
	"""
	IDAPython (py2), tested on IDA 7.3.
	malduck.idamem is pretty beta thing, but should work in most cases.
	"""

	import string
	from malduck import idamem, utf16z


	def decrypt_strings(addr):
	ida = idamem()
	while addr + 4 < SegEnd(addr):
	length = (ida.uint32v(addr) ^ ida.uint16v(addr + 4)) & 0xffff
	if length < 3 or length > 0x100:
	addr += 1
	continue
	out = ''
	key = ida.uint32v(addr, fixed=True)
	for i in range(length):
	key = key.ror(3) + i
	out += chr((ida.uint32v(addr + 6 + i) ^ key) & 0xff)
	if out.endswith("\x00") and all(map(lambda c: c in string.printable + "\x00", out)):
	yield addr, repr(out[:-1]) if out[1] != '\x00' else repr(utf16z(out))
	addr += length
	else:
	addr += 1

	for va, decrypted_string in decrypt_strings(list(Segments())[2]):
	print(hex(va), decrypted_string)