Thursday, December 24, 2009

OpenRG Deobfuscate in C

http://www.zibri.org/ Did this in a java script. I ported it to C. Have fun deobfuscating during the holidays!

#include
#include

char szDeobfuscated[4096];
int key[] = {86, -12, -17, 80, 52, 169,
-17, 107, 85, 75, 3, 60, 154, 1,
120, 179,-3, 177, 61, 211, 155, 210,
203, 159, 6, 209, 209, 101, -24, 189,
45, 159, 177, -17, 141,216, -12, -4, 187,
195, 184, 161, 11, 174, 61, 193, 46, 174,
-29,84, 7, -15, 10, 90, 208, 138, 120,
4, 6, 50, 134, 44, 172, -14};

void DeobfuscateString(char *enc)
{
int code = 0;
int z = 0;
int cDeobChar = 0;
char tempnum[5]; //e.g. 0xAB
int i = 0;
char *tmpstr = szDeobfuscated;
char a = 0;
char b = 0;
int length = 0;

if(NULL==enc)
return;

length = strlen(enc);

if(length> sizeof(szDeobfuscated)-1)
return;

printf("Decoding %s of length %d\n", enc, length);


for (i = 0; i < length; i++)
{
//check for ampersand '&'
if (enc[i] != 38)
{
code = enc[i];
}
else
{
//if it's an ampersand
i++; //skip over it
//take the next two characters and make a hex value out of it e.g.
//&ad would become 0xAD
memset(tempnum,0,5);
a = enc[i++];
b = enc[i++];
sprintf_s(tempnum,5,"0x%c%c\0",a,b);
sscanf_s(tempnum,"%x",&code);

}

cDeobChar = code - key[z];

if (cDeobChar < 0)
{
cDeobChar = cDeobChar + 255;
}

*tmpstr++ = (char)cDeobChar;
z++;
}
printf("\n\t%s\n",szDeobfuscated);
return;
}

int main(void)
{
memset(szDeobfuscated,0,4096);
DeobfuscateString("&ad;Y&5b;&b3;&a3;&17;T&8b;&c4;&b9;#&96;&04;c&ea;&1d;$%&5d;&16;&08;B3&c0;");
memset(szDeobfuscated,0,4096);
DeobfuscateString("&97;50&91;u&ea;0∾&86;|4m&cb;2&a9;&e4;");
return 0;
}