import logging

from malduck.extractor import Extractor
from malduck.procmem import ProcessMemory
from malduck.yara import YaraRuleMatch

from ..utils import Config, get_rule_metadata

logger = logging.getLogger(__name__)


class Phoreal(Extractor):
    family = "phoreal"
    yara_rules = ("phoreal",)
    overrides = []

    @Extractor.rule
    def phoreal(self, p: ProcessMemory, match: YaraRuleMatch) -> Config | bool:
        _info: Config = get_rule_metadata(match)
        return _info

    @Extractor.extractor("rcdata")
    def PHOREAL_RC4_key(self, p: ProcessMemory, addr: int):
        from malduck import rc4

        key_size = 17  # apparently hardcoded in phoreal
        key_addr = addr + 6  # offset from start of string
        ct_addr = key_addr + 17
        max_size = 200

        key = bytearray()
        ct = bytearray()

        logger.info("[+] Found RC4 passphrase @ %X" % key_addr)

        for offset in range(0, key_size):
            o = p.uint8v(key_addr + offset)
            if o:
                key.append(o)

        logger.info("[+] RC4 passphrase: " + key.hex())

        nc = 0  # null counter
        for offset in range(0, max_size):
            o = p.uint8v(ct_addr + offset)
            if o:
                ct.append(o)

            if o == 0:
                nc += 1
            else:
                nc = 0
            if nc == 2:
                break

        logger.info("[+] RC4 cyphertext: " + ct.hex())

        rc4_decode = rc4(key, ct)

        logger.info("[+] RC4 decrypted plaintext: %s" % str(rc4_decode))

        domains = str(rc4_decode).split(";")
        domains[0] = domains[0].split("'")[1]
        del domains[-1]

        conf = {
            "rc4_key": key.hex(),
            self.family: {"plaintext": str(rc4_decode), "domains": domains},
        }
        return conf