Decode xor data in IDA

Reverse Engineering Asked by park joh on September 30, 2021

I have code that looks like this:

byte_100031BA4 = v41;
byte_100031BA5 ^= 0x3Eu;
byte_100031BA6 ^= 0x47u;
LOBYTE(a1) = -9;
byte_100031BA7 ^= 0xF7u;
byte_100031BA8 ^= 0xA9u;
byte_100031BA9 ^= 0xE8u;
byte_100031BAA ^= 0x5Eu;
byte_100031BAB ^= 0x7Fu;
byte_100031BAC ^= 0x33u;
LOBYTE(a2) = 116;
byte_100031BAD ^= 0x74u;
byte_100031BAE ^= 0x78u;
byte_100031BAF ^= 0xFAu;
xmmword_100031B80 = (__int128)_mm_xor_ps((__m128)xmmword_100031B80, (__m128)xmmword_10002E1C0);
byte_100031B90 ^= 0x8Bu;
byte_100031B92 ^= 0xD5u;
byte_100031B93 ^= 0x53u;
byte_100031B94 ^= 0x9Bu;
byte_100031B95 ^= 0x16u;
byte_100031B96 ^= 0x18u;

I want to use IDA Python to run on each line of code and, if it starts with ‘byte_’ and has ‘^=’ in it, do the xor for me and show the ‘decrypted value’ in a comment.

How can I do this?

2 Answers

A decompiler plugin can be made to apply xor operations automatically. Please check this blog post for more info and sample code.

Answered by Igor Skochinsky on September 30, 2021

The output you posted doesn't seem to be disassembly but pseudocode.
I am not sure if you want your pseudocode commented or the disassembly commented.
Below is an approach to comment the disassembly using the built-in IDC on IDA Free 7.

IIRC you can run IDC from Python (IDA Free doesn't support either pseudocode or Python, so I can't be sure).

The disassembly looks like this prior to using the script:

.data:0000000140023898 byte_140023898  db 0
.data:0000000140023899 byte_140023899  db 0
.data:000000014002389A byte_14002389A  db 0

The script is along these lines, entered and executed using Shift+F2 or File -> Script Command:

auto addr,byteat,xorred;
// ask for the address of the byte to decode
addr = ask_addr(0,"enter an Address");
Message("you entered %x\n",addr);
// read the stored byte from the database
byteat = get_db_byte(addr);
Message("byte at Address is %x\n",byteat);
Message("xorring byte with 0x3E\n");
xorred = byteat ^ 0x3e;
Message("result of xor = %x\n" , xorred);
Message("Setting Comment\n");
// attach the result as a regular (non-repeatable) comment
set_cmt(addr,sprintf("xorred result is %x\n",xorred),0);

After execution these messages will be seen in the Output window:

you entered 140023898
byte at Address is 0
xorring byte with 0x3E
result of xor = 3e
Setting Comment

and the commented disassembly will look like:

.data:0000000140023898 byte_140023898  db 0                    ; xorred result is 3e
.data:0000000140023898                                         ;
.data:0000000140023899 byte_140023899  db 0
.data:000000014002389A byte_14002389A  db 0

Answered by blabb on September 30, 2021
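
As an added example (not part of either answer above, and not code from IDA or Hex-Rays), the following Python code does what the question asks on pseudocode supplied as text: it picks out the `byte_ADDR ^= KEY;` lines, xors each stored byte with its key, and builds the comment text. The function names, the `read_byte` callback and the stored byte values are assumptions made for this example; the pseudocode lines are copied from the question.

```python
import re

# Matches Hex-Rays lines such as "byte_100031BA5 ^= 0x3Eu;" (hex or decimal key).
XOR_LINE = re.compile(r"^\s*byte_([0-9A-Fa-f]+)\s*\^=\s*(0x[0-9A-Fa-f]+|\d+)u?\s*;")

def parse_xor_lines(pseudocode):
    """Return [(address, key), ...] for each 'byte_ADDR ^= KEY;' line, in order."""
    ops = []
    for line in pseudocode.splitlines():
        m = XOR_LINE.match(line)
        if m:  # plain assignments, LOBYTE() and _mm_xor_ps lines are skipped
            tok = m.group(2)
            key = int(tok, 16) if tok.lower().startswith("0x") else int(tok)
            ops.append((int(m.group(1), 16), key & 0xFF))
    return ops

def decode(ops, read_byte):
    """Xor each stored byte with its key; repeated xors on one address accumulate."""
    decoded = {}
    for ea, key in ops:
        current = decoded[ea] if ea in decoded else read_byte(ea)
        decoded[ea] = current ^ key
    return decoded

def make_comments(ops, read_byte):
    """Return {address: comment text} giving the decoded value of each byte."""
    out = {}
    for ea, val in decode(ops, read_byte).items():
        ch = chr(val) if 0x20 <= val < 0x7F else "."
        out[ea] = "decoded: 0x%02X '%s'" % (val, ch)
    return out

# Lines copied from the question; the stored bytes below are constructed.
SAMPLE = """byte_100031BA4 = v41;
byte_100031BA5 ^= 0x3Eu;
byte_100031BA6 ^= 0x47u;
LOBYTE(a1) = -9;
byte_100031BA7 ^= 0xF7u;
byte_100031BA8 ^= 0xA9u;
byte_100031BA9 ^= 0xE8u;
"""
STORED = {0x100031BA5: 0x56, 0x100031BA6: 0x22, 0x100031BA7: 0x9B,
          0x100031BA8: 0xC5, 0x100031BA9: 0x87}

if __name__ == "__main__":
    # Assumption: inside IDA, pass ida_bytes.get_byte as read_byte and call
    # idc.set_cmt(ea, text, 0) for each entry instead of printing.
    result = make_comments(parse_xor_lines(SAMPLE), STORED.__getitem__)
    for ea in sorted(result):
        print("%X  ; %s" % (ea, result[ea]))
```

Only single-byte `^=` lines are handled; the `_mm_xor_ps` line in the question xors 16 bytes with a second 16-byte constant and would need both operands read from the database.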
