The code is:
Is it possible to deobfuscate the strings protected with STRINGDEC?
The function STRINGDEC isn't a built-in AutoIt function. It was implemented by the programmer to create some sort of substitution cipher.
You can see the source code of the function at the bottom of the script:
FUNC STRINGDEC($STRING,$PARAM)
    $STRING=STRINGTOASCIIARRAY($STRING)
    $PARAM=STRINGSPLIT($PARAM,",",2)
    $COUNT=0
    $RETURN=""
    FOR $I=0 TO UBOUND($PARAM)-1
        $CHAR=$PARAM[$I]
        $COMPARE=$STRING[$COUNT]
        $RETURN&=CHRW($CHAR+$COMPARE)
        IF $COUNT=UBOUND($STRING)-1 THEN
            $COUNT=0
        ELSE
            $COUNT=$COUNT+1
        ENDIF
    NEXT
    RETURN $RETURN
ENDFUNC
You can easily implement it yourself in Python, which is a common language for this kind of task:
def stringdec(encoded_string, shifts):
    # One shift value per output character
    shift_array = shifts.split(',')
    count = 0
    decoded_string = ""
    for i in range(len(shift_array)):
        key = shift_array[i]
        encoded_char = encoded_string[count]
        decoded_string += chr(ord(encoded_char) + int(key))
        # Wrap to the start of the encoded string, as the AutoIt code does
        if count == len(encoded_string) - 1:
            count = 0
        else:
            count += 1
    return decoded_string
Now just execute the function to reveal the decrypted strings:
>>> stringdec("cafcpiykeudtenowwkcwacdibognfe","0,7,-5,15,-80,-28,-24,-4,4,-18,-9,-66,-8,-51")
'char Magic[2];'
>>> stringdec("ubkwizcimjccdlngsyozqnmibctpmy","2,13,7,-19,-73,-56,22,11,-8,9,-20,11,-24,-11,5,13,-35,-24,-8,-21,-54")
'word BytesOnLastPage;'
>>> stringdec("jkmnqgfdegisgbolkjuviexnjchhmj","13,4,5,-10,-81,-23,-5,3,0,12,-46")
'word Pages;'
>>> stringdec("juwfbhmxssmocpwtpbcobugkqfdcsx","13,-6,-5,-2,-66,-22,-8,-12,-4,-16,-12,5,6,-1,-9,-1,-53")
'word Relocations;'
Check this pastebin page for a full list of the decrypted strings.
You need to reimplement the following function:
FUNC STRINGDEC($STRING,$PARAM)
    $STRING=STRINGTOASCIIARRAY($STRING)
    $PARAM=STRINGSPLIT($PARAM,",",2)
    $COUNT=0
    $RETURN=""
    FOR $I=0 TO UBOUND($PARAM)-1
        $CHAR=$PARAM[$I]
        $COMPARE=$STRING[$COUNT]
        $RETURN&=CHRW($CHAR+$COMPARE)
        IF $COUNT=UBOUND($STRING)-1 THEN
            $COUNT=0
        ELSE
            $COUNT=$COUNT+1
        ENDIF
    NEXT
    RETURN $RETURN
ENDFUNC
This function is at the end of your script at pastebin.
On the basis of some examples taken from your pastebin, and if I'm not mistaken, in Python it should look like:
def STRINGDEC(thestring, thekey):
    res = ""
    # The shift list may contain stray spaces; strip them before splitting
    thekey = thekey.replace(" ", "")
    splittedkey = thekey.split(",")
    string_length = len(thestring)
    for i in range(len(splittedkey)):
        # Wrap around the string like the AutoIt $COUNT reset does
        res += chr(ord(thestring[i % string_length]) + int(splittedkey[i]))
    return res

print(STRINGDEC("retwkmufmhmqqqdufngfgdcsnpuhur"," 5 ,10,-2,-19,-75,-32,-20,-3,-5,1,1,-12,-54"))
print(STRINGDEC("jkyhbzkqgtbnrbyvhdlfukgrzrptzq"," 13,4 ,-7,-4 ,-66,-44,10,-4,-5,-15,16,-31,-12,-15,-20,-19,12,5,3,8,-2,-48"))
print(STRINGDEC("fgdaygtgtzkeiogftjplkmhulfitfm"," -2 ,16,11,17,-21,-71,-32,2,-7,-21,-39,-4,11,-10,-20,14,-19,3,0,-49"))
print(STRINGDEC("zopsbydhesjliykcpzsrvtfauhflxz"," -22,8,-1,-1,2,-89,-20,7,4,-5,10,-7,9,-37,4,-16,9,-13,-17,-3,-10,-32,-5,1,-9,-3,-43"))
print(STRINGDEC("flefcfumutnglnuaesxlfacuwsbvwu"," -2 ,11,10,12,1,-70,-39,8,-8,-18,-9,11,-29,-8,-34,24,8,-17,-9,0,13,-38"))
print(STRINGDEC("sirkouutovjrulplwkbwilyyfdsrvn"," 4 ,6,0,-7,-79,-34,-12,6,-10,-39,-4,-35,-5,8,-7,3,-9,-10,10,-47,-4,-11,-21,-20,12,-41"))
and it gives the following result:
word Machine;
word NumberOfSections;
dword TimeDateStamp;
dword PointerToSymbolTable;
dword NumberOfSymbols;
word SizeOfOptionalHeader;
Searching for the deobfuscating function always helps, and sometimes the function is very easy to find.
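Both answers above decode one call at a time. As an added example (not code from either answer), the sketch below applies the same routine to every STRINGDEC("...","...") call in a script and substitutes the plaintext literal, so the whole file can be read at once. The sample script lines and variable names are constructed, and it assumes both arguments are double-quoted literals as in the calls shown above.

```python
import re

# Matches STRINGDEC("<cipher>","<shift list>"); the FUNC definition has no
# quoted arguments, so it is left alone.
CALL_RE = re.compile(r'STRINGDEC\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)', re.IGNORECASE)

def stringdec(cipher, shifts):
    """One output character per shift; the cipher text wraps, as in the AutoIt code."""
    values = [int(s) for s in shifts.replace(" ", "").split(",")]
    return "".join(chr(ord(cipher[i % len(cipher)]) + v) for i, v in enumerate(values))

def deobfuscate(source):
    """Return (rewritten source, decoded strings, calls that could not be decoded)."""
    decoded, failed = [], []

    def repl(match):
        try:
            plain = stringdec(match.group(1), match.group(2))
        except (ValueError, ZeroDivisionError):
            # Non-numeric shift, code point out of range, or empty cipher text:
            # keep the call untouched so it can be reviewed by hand.
            failed.append(match.group(0))
            return match.group(0)
        decoded.append(plain)
        # AutoIt escapes a double quote inside a "..." literal by doubling it.
        return '"' + plain.replace('"', '""') + '"'

    return CALL_RE.sub(repl, source), decoded, failed

# Constructed sample: the variable names are made up, the first two calls use
# argument pairs shown above, the third is deliberately malformed.
SAMPLE = '''\
$A = STRINGDEC("cafcpiykeudtenowwkcwacdibognfe","0,7,-5,15,-80,-28,-24,-4,4,-18,-9,-66,-8,-51")
$B = STRINGDEC("jkmnqgfdegisgbolkjuviexnjchhmj","13,4,5,-10,-81,-23,-5,3,0,12,-46")
$C = STRINGDEC("abc","1,x")
'''

if __name__ == "__main__":
    rewritten, decoded, failed = deobfuscate(SAMPLE)
    print(rewritten)
    print("decoded:", decoded)
    print("needs manual review:", failed)
```

Because the decoder only does arithmetic on the two string arguments, the script under analysis never has to be executed to recover its strings.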