Translate.py is a Python script to perform bitwise operations on files (like XOR, ROL/ROR, …). You specify the bitwise operation to perform as a Python expression, and pass it as a command-line argument.
translate.py malware malware.decoded 'byte ^ 0x10'
This will read file malware, perform XOR 0x10 on each byte (expressed in Python as byte ^ 0x10), and write the result to file malware.decoded.
byte is a variable containing the current byte from the input file. Your expression has to evaluate to the modified byte. For complex manipulation, you can define your own functions in a script file and load this with translate.py, like this:
translate.py malware malware.decoded 'process(byte)' process.py
process.py must contain the definition of function process. Function process must return the modified byte.
Another variable is also available: position. This variable contains the position of the current byte in the input file, starting from 0.
If only part of the file has to be manipulated, while leaving the rest unchanged, you can do it like this:
def process(byte):
    # position is provided by translate.py: the offset of the current byte, starting from 0
    if position >= 0x10 and position < 0x20:
        return byte ^ 0x10
    else:
        return byte
This example will perform an XOR 0x10 operation from the 17th byte till the 32nd byte included. All other bytes remain unchanged.
Because Python has built-in shift operators (<< and >>) but no rotate operators, I've defined 2 rotate functions that operate on a byte: rol (rotate left) and ror (rotate right). They accept 2 arguments: the byte to rotate and the number of bit positions to rotate. For example, rol(0x01, 2) gives 0x04.
translate.py malware malware.decoded 'rol(byte, 2)'
Another function I defined is IFF (the IF Function): IFF(expression, valueTrue, valueFalse). This function allows you to write conditional code without an if statement. When expression evaluates to True, IFF returns valueTrue, otherwise it returns valueFalse.
translate.py malware -o malware.decoded "IFF(position >= 0x10 and position < 0x20, byte ^ 0x10, byte)"
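To make the behaviour of the byte and position variables, the process.py script and the IFF/rol/ror helpers concrete, here is an added example that re-implements those semantics in plain Python; it is not translate.py's own code. It assumes the expression is evaluated once per byte with byte and position in scope, that a loaded script shares that namespace (so its functions see position), and that rol/ror work on 8-bit values.

```python
# Added example, not translate.py's own code: a minimal re-implementation of the
# semantics described in the post, so expressions and scripts can be tried offline.
# Assumed: expression evaluated per byte with `byte`/`position` in scope, user script
# executed in the same namespace, rol/ror on 8-bit values.

def rol(byte, count):
    """Rotate an 8-bit value left by count bit positions; rol(0x01, 2) == 0x04."""
    count %= 8
    return ((byte << count) | (byte >> (8 - count))) & 0xFF

def ror(byte, count):
    """Rotate an 8-bit value right by count bit positions."""
    count %= 8
    return ((byte >> count) | (byte << (8 - count))) & 0xFF

def IFF(expression, valueTrue, valueFalse):
    """The IF Function: valueTrue when expression is truthy, else valueFalse."""
    return valueTrue if expression else valueFalse

def translate(data, expression, script=None):
    """Apply expression to every byte of data; script is optional Python source (e.g. process.py)."""
    namespace = {'rol': rol, 'ror': ror, 'IFF': IFF}
    if script is not None:
        exec(script, namespace)  # functions defined here see `position` as a global
    code = compile(expression, '<expression>', 'eval')
    out = bytearray()
    for position, byte in enumerate(data):
        namespace['byte'] = byte
        namespace['position'] = position
        result = eval(code, namespace)
        if not 0 <= result <= 0xFF:  # the expression must evaluate to a byte
            raise ValueError('expression returned %r at position %d' % (result, position))
        out.append(result)
    return bytes(out)

# Constructed sample input: the byte values 0x00..0x2F.
SAMPLE = bytes(range(0x30))

# The process.py from the post, which only touches bytes 0x10..0x1F.
PROCESS_SCRIPT = '''
def process(byte):
    if position >= 0x10 and position < 0x20:
        return byte ^ 0x10
    else:
        return byte
'''

if __name__ == '__main__':
    print(translate(SAMPLE, 'process(byte)', PROCESS_SCRIPT).hex())
    print(translate(SAMPLE, 'IFF(position >= 0x10 and position < 0x20, byte ^ 0x10, byte)').hex())
```

The script form and the IFF form produce identical output; the range check on result catches expressions that return something other than a byte instead of silently writing a wrong value.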