From c50c573fb68261be8ffc16df4f71cef5454a0225 Mon Sep 17 00:00:00 2001
From: *cr0x6fw <115905615+d0x65viant@users.noreply.github.com>
Date: Mon, 21 Aug 2023 18:38:19 +0300
Subject: [PATCH 1/3] Update findcrypt3.py

Update yarasearch for yara-python > 4.2.3
---
 findcrypt3.py | 42 ++++++++++++++++++++++--------------------
 1 file changed, 22 insertions(+), 20 deletions(-)

diff --git a/findcrypt3.py b/findcrypt3.py
index fbae388..4687d77 100644
--- a/findcrypt3.py
+++ b/findcrypt3.py
@@ -185,26 +185,28 @@ def yarasearch(self, memory, offsets, rules):
 print(">>> start yara search")
 values = list()
 matches = rules.match(data=memory)
- for match in matches:
- for string in match.strings:
- name = match.rule
- if name.endswith("_API"):
- try:
- name = name + "_" + idc.GetString(self.toVirtualAddress(string[0], offsets))
- except:
- pass
- value = [
- self.toVirtualAddress(string[0], offsets),
- match.namespace,
- name + "_" + hex(self.toVirtualAddress(string[0], offsets)).lstrip("0x").rstrip("L").upper(),
- string[1],
- repr(string[2]),
- ]
- idaapi.set_name(value[0], name
- + "_"
- + hex(self.toVirtualAddress(string[0], offsets)).lstrip("0x").rstrip("L").upper()
- , 0)
- values.append(value)
+ for MatchObj in matches:
+ for StringMatch in MatchObj.strings:
+ name = MatchObj.rule
+ for StringMatchInstance in StringMatch.instances:
+ if name.endswith("_API"):
+ try:
+ name = name + "_" + idc.GetString(self.toVirtualAddress(StringMatchInstance.offset, offsets))
+ except:
+ pass
+ value = [
+ self.toVirtualAddress(StringMatchInstance.offset, offsets),
+ MatchObj.namespace,
+ name + "_" + hex(self.toVirtualAddress(StringMatchInstance.offset, offsets)).lstrip("0x").rstrip("L").upper(),
+ StringMatch.identifier,
+ repr(StringMatchInstance.matched_data)
+ ]
+
+ idaapi.set_name(value[0], name
+ + "_"
+ + hex(self.toVirtualAddress(StringMatchInstance.offset, offsets)).lstrip("0x").rstrip("L").upper()
+ , 0)
+ values.append(value)
 print("<<< end yara search")
 return values
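Review bot: In the added loop, `name = MatchObj.rule` is set once per StringMatch, but the `_API` branch reassigns `name` inside the per-instance loop, so for a `_API` rule that hits at several offsets the string read at the first instance is carried into every later instance's name, and because the carried name no longer ends with `_API` those later instances are never resolved against their own offset; the removed code reset `name` for every hit because each hit was one element of `match.strings`. Moving the assignment one level down, `for StringMatchInstance in StringMatch.instances:` followed by `name = MatchObj.rule`, restores the per-hit behaviour; the rename in the second patch keeps the same structure and needs the same move. The bare `except: pass` around `idc.GetString` also hides an `AttributeError` or `TypeError` if that API is unavailable or returns bytes on the IDA/Python version in use, so the rename silently degrades to the plain rule name — narrowing the except, or at least logging there, would make that visible. The `def yarasearch` line itself sits outside the hunk (it appears only in the hunk header).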
From 108d21ee87f74ebd84d608463fe7875732583d5b Mon Sep 17 00:00:00 2001
From: *cr0x6fw <115905615+d0x65viant@users.noreply.github.com>
Date: Mon, 21 Aug 2023 19:15:34 +0300
Subject: [PATCH 2/3] Update findcrypt3.py

---
 findcrypt3.py | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/findcrypt3.py b/findcrypt3.py
index 4687d77..d35e637 100644
--- a/findcrypt3.py
+++ b/findcrypt3.py
@@ -185,26 +185,26 @@ def yarasearch(self, memory, offsets, rules):
 print(">>> start yara search")
 values = list()
 matches = rules.match(data=memory)
- for MatchObj in matches:
- for StringMatch in MatchObj.strings:
- name = MatchObj.rule
- for StringMatchInstance in StringMatch.instances:
+ for matchobj in matches:
+ for strn_matchobj in matchobj.strings:
+ name = matchobj.rule
+ for strn_matchobj_inst in strn_matchobj.instances:
 if name.endswith("_API"):
 try:
- name = name + "_" + idc.GetString(self.toVirtualAddress(StringMatchInstance.offset, offsets))
+ name = name + "_" + idc.GetString(self.toVirtualAddress(strn_matchobj_inst.offset, offsets))
 except:
 pass
 value = [
- self.toVirtualAddress(StringMatchInstance.offset, offsets),
- MatchObj.namespace,
- name + "_" + hex(self.toVirtualAddress(StringMatchInstance.offset, offsets)).lstrip("0x").rstrip("L").upper(),
- StringMatch.identifier,
- repr(StringMatchInstance.matched_data)
+ self.toVirtualAddress(strn_matchobj_inst.offset, offsets),
+ matchobj.namespace,
+ name + "_" + hex(self.toVirtualAddress(strn_matchobj_inst.offset, offsets)).lstrip("0x").rstrip("L").upper(),
+ strn_matchobj.identifier,
+ repr(strn_matchobj_inst.matched_data)
 ]

 idaapi.set_name(value[0], name
 + "_"
- + hex(self.toVirtualAddress(StringMatchInstance.offset, offsets)).lstrip("0x").rstrip("L").upper()
+ + hex(self.toVirtualAddress(strn_matchobj_inst.offset, offsets)).lstrip("0x").rstrip("L").upper()
 , 0)
 values.append(value)
 print("<<< end yara search")

From 0df08d13be4bfcb5778a40c62db13dd056c68919 Mon Sep 17 00:00:00 2001
From: *cr0x6fw <115905615+d0x65viant@users.noreply.github.com>
Date: Mon, 21 Aug 2023 19:53:46 +0300
Subject: [PATCH 3/3] Update README.md

---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index db52465..fe7e171 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,10 @@
-# findcrypt-yara
+# [findcrypt3](https://github.com/polymorf/findcrypt-yara/tree/master).
+## Updated fork, findcrypt3 for [yara-python](https://yara.readthedocs.io/en/latest/yarapython.html#yara.StringMatchInstance) > 4.2.3
+
 IDA pro plugin to find crypto constants (and more)
+### Before using findcrypt3, do not forget to throw findcrypt3.rules into the local folder with IDA plugins (IDA\plugins).
+
 ![bot](https://github.com/polymorf/findcrypt-yara/raw/master/screen.png)
 ## Installation Notes