This is a script used to unpack a hidden area of the bootsector after a TDL4 infection. This is classic code but still useful if anyone needs it. Written by your humble admin many years ago.
import idaapi
# Simulate C-style for() loop.
def cfor(first, test, update):
    """Yield values like a C ``for (x = first; test(x); x = update(x))`` loop.

    Args:
        first: the initial loop value.
        test: predicate evaluated before every iteration; the generator
            stops as soon as it returns a falsy value.
        update: callable producing the next value from the current one.

    Yields:
        Each value for which ``test`` held, in order.
    """
    current = first
    while True:
        if not test(current):
            return
        yield current
        current = update(current)
# Bit-shifting operations.
#def ROR(x, n, bits = 32):
# mask = (2L**n) - 1
# mask_bits = x & mask
# return (x >> n) | (mask_bits << (bits - n))
#def ROL(x, n, bits = 32):
# return ROR(x, bits - n, bits)
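def ROR(byte, count):
    """Rotate an 8-bit value right by ``count`` bit positions.

    Args:
        byte: the value to rotate. Only its low 8 bits take part; higher
            bits are masked off, which matches the ``& 0xFF`` the former
            one-bit-per-step loop applied on every iteration.
        count: number of single-bit right rotations. A value of 0 or less
            returns ``byte`` untouched (as the old loop did); larger values
            are reduced modulo 8, because rotating an 8-bit value 8 times
            is the identity. The caller passes counts up to 311, so this
            turns an O(count) loop into a single closed-form rotate.

    Returns:
        The rotated value in the range 0..255.
    """
    if count <= 0:
        # Keep the old loop's behaviour: no iterations, value returned as-is.
        return byte
    byte &= 0xFF
    count %= 8
    # Closed-form 8-bit rotate; equivalent to ``count`` single-bit steps.
    return ((byte >> count) | (byte << (8 - count))) & 0xFF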
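if __name__ == "__main__":
    # Entry point when run inside IDA: walks the hidden 311-byte region and
    # patches each byte back in place after rotating it right.
    print("TDL4 Decrypt")
    print("A script to unpack the contents hidden on the bootsector of a TDL4 infected host")
    print("")
    rorCount = 311  # 0x137 (CX)
    count = 0
    # NOTE(review): the original comment said the target starts at 0x62A in
    # memory, but the loop started at 0x2A -- confirm which offset is intended.
    start = 0x2A
    end = start + 311
    # The loop bound is now the real stopping condition; the old test
    # ``i < (311 + i)`` was always true and relied on a ``break`` on count.
    for i in cfor(start, lambda i: i < end, lambda i: i + 1):
        cryptedByte = idaapi.get_byte(i)
        print("Byte[" + hex(i) + "]: " + hex(cryptedByte))
        # Rotation count decreases from 311 down to 1 across the region.
        idaapi.patch_byte(i, ROR(cryptedByte, rorCount - count))
        count += 1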