in nightMARE/src/nightmare/malware/blister/configuration.py [0:0]
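def decrypt_core(pe: lief.PE.Binary, data: bytes, rsrc_data: bytes) -> BlisterHelper:
    """
    Decrypts the Blister's core using provided data and returns a BlisterHelper instance.

    The XOR key and the tag are each read as a 4-length value from ``data`` at
    the offsets reported by the two YARA rules. The tag is then searched for in
    ``rsrc_data``; everything after it is XOR-decrypted with the key.

    :param pe: The PE binary. Not referenced by this function's body.
    :param data: The PE content.
    :param rsrc_data: Resource data of the PE binary.
    :return: A BlisterHelper instance after decrypting the Blister's core using provided data.
    :raises SignatureNotFoundException: If either YARA rule does not match ``data``,
        or if the extracted tag does not occur in ``rsrc_data``.
    """
    # The scans run in this order and stop at the first miss, so the tag rule
    # is never evaluated when the key rule already failed.
    core_key_offset = utils.yara_scan(data=data, compiled_rule=CORE_KEY_RULE)
    if core_key_offset is None:
        raise SignatureNotFoundException("")

    core_tag_offset = utils.yara_scan(data=data, compiled_rule=CORE_TAG_RULE)
    if core_tag_offset is None:
        raise SignatureNotFoundException("")

    core_key = utils.get_data(data, core_key_offset + CORE_KEY_YARA_OFFSET, 4)
    core_tag = utils.get_data(data, core_tag_offset + CORE_TAG_YARA_OFFSET, 4)

    # bytes.find() returns -1 on a miss. Adding 4 to that would yield offset 3
    # and the function would "decrypt" unrelated resource bytes, handing the
    # analyst a plausible-looking but meaningless blob. Fail loudly instead.
    tag_position = rsrc_data.find(core_tag)
    if tag_position == -1:
        raise SignatureNotFoundException(
            "core tag not found in resource data"
        )

    # The encrypted payload starts immediately after the 4-length tag marker.
    encrypted_memory_offset = tag_position + 4
    decrypted_memory = bits.xor(rsrc_data[encrypted_memory_offset:], core_key)

    return BlisterHelper(
        core_key_offset,
        core_tag_offset,
        core_key,
        core_tag,
        encrypted_memory_offset,
        decrypted_memory,
    )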