Fix issue with hardcoded seek offset for decrypted modules

meck-gd · meck-gd · commit 28c492ef8706 · 2025-06-18T15:15:16.000+02:00
diff --git a/analyze_crypted_code.py b/analyze_crypted_code.py
@@ -118,7 +118,8 @@ def process_code_object(code_obj, filedata: bytes, crypted_regions: list[dict])
 
 def main(filename: str) -> None:
     with open(filename, "rb") as fp:
-        fp.seek(0x20)
+        skip = int.from_bytes(fp.read(4), 'little') + int.from_bytes(fp.read(4), 'little')
+        fp.seek(skip)
         data = fp.read()
 
     obj = marshal.load(BytesIO(data))
diff --git a/bcc_info.py b/bcc_info.py
@@ -141,7 +141,8 @@ def parse_custom_elf(elf: bytes) -> list[tuple[int, str]]:
 
 # Unmarshal Python module containing the calls to BCC.
 with open(sys.argv[1], "rb") as fp:
-    fp.seek(0x20)
+    skip = int.from_bytes(fp.read(4), 'little') + int.from_bytes(fp.read(4), 'little')
+    fp.seek(skip)
     data = fp.read()
 
 obj = marshal.load(BytesIO(data))
diff --git a/disassemble.py b/disassemble.py
@@ -10,7 +10,8 @@
 
 
 with open(sys.argv[1], "rb") as fp:
-    fp.seek(0x20)
+    skip = int.from_bytes(fp.read(4), 'little') + int.from_bytes(fp.read(4), 'little')
+    fp.seek(skip)
     data = fp.read()
 
 obj = marshal.load(BytesIO(data))
