@0xToxin
Created August 6, 2023 08:26
Extraction of DarkGate final payload from AutoIT script
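from base64 import b64decode

AUTO_IT_PATH = ''  # Change to the AutoIT script path.
FINAL_PAYLOAD_PATH = ''  # Change to the output path.

# The script is split on '|': field 1 supplies the key material, field 2 the base64 blob.
with open(AUTO_IT_PATH, 'rb') as f:
    fileData = f.read().decode(errors='ignore')
stringsArray = fileData.split('|')

# Key string: 'a' followed by characters 1..8 of field 1.
modifiedXorKey = 'a' + stringsArray[1][1:9]
decodedData = b64decode(stringsArray[2])

# Fold the key string into a single value: start from its length and XOR in each character.
key = len(modifiedXorKey)
for char in modifiedXorKey:
    key ^= ord(char)

# Each decoded byte is XORed with the key, then bitwise-inverted and masked to 8 bits.
finalPayload = bytes(~(byte ^ key) & 0xFF for byte in decodedData)

with open(FINAL_PAYLOAD_PATH, 'wb') as f:
    f.write(finalPayload)
print('[+] Final Payload Was Created!')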