Pasted as Python by m ( 14 years ago )
import idaapi, idautils, idc
from Crypto.Cipher import AES
# (address, size) pairs of the encrypted blobs that dump() reads from the
# database and feeds to the AES-CBC decryptor.
cmds = [
    (0x149b8, 32),
]
def MutatedTrippleXor(key, keymask1, keymask2, iv, ivmask1, ivmask2):
    """Unmask an AES key and IV by repeated mirrored XOR passes.

    All six arguments are mutable sequences of integers and are modified
    in place: the three key buffers are indexed 0..31, the three IV
    buffers 0..15.  Each pass XORs every position with the element at the
    mirrored index of a neighbouring buffer, so entries in the second
    half of a pass read values already rewritten in the first half.  The
    statement order inside each loop is therefore significant.

    NOTE(review): the paste lost its indentation; both inner loops are
    assumed to sit inside the round loop -- confirm against the original.

    Returns the tuple (key, iv), i.e. the same list objects passed in.
    """
    rounds = 0x12 + 1
    key_len = 32
    iv_len = 16

    for _ in range(rounds):
        # Key material: key <- keymask2, keymask1 <- key, keymask2 <- keymask1.
        for pos in range(key_len):
            mirror = (key_len - 1) - pos
            key[pos] ^= keymask2[mirror]
            keymask1[pos] ^= key[mirror]
            keymask2[pos] ^= keymask1[mirror]

        # IV material uses the same scheme, but ivmask1 is updated first.
        for pos in range(iv_len):
            mirror = (iv_len - 1) - pos
            ivmask1[pos] ^= iv[mirror]
            iv[pos] ^= ivmask2[mirror]
            ivmask2[pos] ^= ivmask1[mirror]

    return (key, iv)
def makebytes(address, leng):
    """Return `leng` bytes read at `address` via idaapi as a list of ints."""
    raw = idaapi.get_many_bytes(address, leng)
    values = []
    for ch in raw:
        values.append(ord(ch))
    return values
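def dump():
    """Recover the AES key and IV from the database and decrypt `cmds`.

    Reads three 32-byte key buffers and three 16-byte IV buffers from
    fixed addresses, unmasks them with MutatedTrippleXor, prints the key
    and IV as ``\\xNN`` escapes and as raw bytes, then prints each blob
    listed in `cmds` after AES-CBC decryption.

    Everything the decryption needs is read from constants stored in the
    analysed image, so the XOR masking only obscures the key; it does not
    keep it secret from anyone who can read the binary.

    Written for Python 2 IDAPython: `chr`/`ord` are used on byte strings.
    """
    # The trailing register names are the original author's annotations.
    keymask1 = makebytes(0x11118, 32)  # r4
    keymask2 = makebytes(0x11178, 32)  # r5
    key = makebytes(0x11148, 32)  # r6
    ivmask1 = makebytes(0x11108, 16)  # r10
    ivmask2 = makebytes(0x11168, 16)  # r7
    iv = makebytes(0x11138, 16)  # r8

    # MutatedTrippleXor works in place and hands back the same key/iv lists.
    keyf, ivf = MutatedTrippleXor(key, keymask1, keymask2, iv, ivmask1, ivmask2)
    keyf = "".join([chr(x) for x in keyf])
    ivf = "".join([chr(x) for x in ivf])

    # %02x zero-pads every byte: the unpadded %x emitted "\x2" for 0x02,
    # which is not a usable escape when the dump is pasted into other code.
    print("Key:%s" % ("".join(["\\x%02x" % ord(x) for x in keyf])))
    print("IV:%s" % ("".join(["\\x%02x" % ord(x) for x in ivf])))
    print(keyf)
    print(ivf)

    cipher = AES.new(keyf, AES.MODE_CBC, ivf)
    # NOTE(review): one CBC object is reused for every entry, so a second
    # blob would be decrypted with chaining state left over from the first.
    # With the single entry in `cmds` this makes no difference -- confirm
    # how the blobs were encrypted before adding more.
    for (cmd, sz) in cmds:
        data = "".join([chr(x) for x in makebytes(cmd, sz)])
        print(cipher.decrypt(data))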
# Run the extraction as soon as the script is executed.
dump()
Key:\xf4\xb2\xd3\x8c\xf5\x75\x1b\x9b\xf6\xf1\x5b\x76\xa7\x95\x57\xaa\xd8\x48\x74\x88\x9c\x2\x2\xf3\xf8\xd1\x2a\xe1\x15\xce\xff\x9c
IV:\x29\xae\x80\x79\xa9\x6a\xd8\xa2\xeb\xc8\x48\x5\xfe\x65\x6e\xeb
?????u???[v??W??Ht?????*????
)??y?j????H?en?
rm -rf /tmp/*.sam
:-d