Created
August 6, 2023 18:05
-
-
Save 0xToxin/64c007101f4ec3efc2f9b2e37b449899 to your computer and use it in GitHub Desktop.
A script that can be used to decrypt DarkGate network traffic, requires the list used for the config decoding process
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| LIST = '' # Replace list used for config decoding | |
| DATA = '' # Replace with the encrypted data from the network traffic | |
| ID = '' # Replace with the ID from the network traffic | |
| def decShiftFunc(arg1, arg2, arg3, arg4): | |
| final = '' | |
| tmp = (arg1 & 0x3F) * 4 | |
| final += chr(((arg2 & 0x30) >> 4) + tmp) | |
| tmp = (arg2 & 0xF) * 16 | |
| final += chr(((arg3 & 0x3C) >> 2) + tmp) | |
| final += chr((arg4 & 0x3F) + ((arg3 & 0x03) << 6)) | |
| return final.replace('\0','') | |
| hexList = [] | |
| for x in DATA: | |
| hexList.append(LIST.index(x)) | |
| subLists = [hexList[i:i+4] for i in range(0, len(hexList), 4)] | |
| if len(subLists[-1]) < 4: | |
| subLists[-1].extend([0x00] * (4 - len(subLists[-1]))) | |
| finalString = '' | |
| for subList in subLists: | |
| finalString += decShiftFunc(subList[0],subList[1],subList[2],subList[3]) | |
| key = len(ID) | |
| for x in ID: | |
| key ^= ord(x) | |
| plainData = '' | |
| for x in finalString: | |
| plainData += chr(~(ord(x) ^ key)& 0xFF) | |
| print(f'[+] Output: {plainData}') |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment