Created
September 13, 2023 08:50
Can be used to decode payloads retrieved from DarkGate C2 servers.
# 64-symbol substitution alphabet (the "replace list" used for config decoding).
# A symbol's index in this string is its 6-bit value, so '+' and '=' are
# ordinary data symbols here (indices 62 and 63), not padding.
LIST = 'zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+='

# Replace with the encrypted data from the network traffic.
DATA = ''

# Replace with the ID from the network traffic; the XOR key is derived from it.
ID = ''
def decShiftFunc(arg1, arg2, arg3, arg4):
    """Repack four 6-bit values into the three bytes they encode.

    Only the low six bits of each argument are used; higher bits are masked
    off. The 24 bits are laid out most-significant first:

        byte 0 = arg1[5:0]        + arg2[5:4]
        byte 1 = arg2[3:0]        + arg3[5:2]
        byte 2 = arg3[1:0]        + arg4[5:0]

    Returns a ``bytes`` object of length 3.
    """
    # The two fields of each byte never overlap, so OR-ing them gives the same
    # result as adding them.
    first = ((arg1 & 0x3F) << 2) | ((arg2 & 0x30) >> 4)
    second = ((arg2 & 0x0F) << 4) | ((arg3 & 0x3C) >> 2)
    third = ((arg3 & 0x03) << 6) | (arg4 & 0x3F)
    return bytes((first, second, third))
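# Decode pipeline: DATA symbols -> 6-bit values -> packed bytes -> XOR/NOT with
# the ID-derived key -> payload.bin.

if not DATA:
    # Without this guard an unfilled DATA placeholder fails further down with
    # an opaque IndexError on subLists[-1].
    raise SystemExit('[-] DATA is empty: paste the encoded data from the network traffic first')

# Symbol -> 6-bit value. setdefault keeps the FIRST position of a symbol, which
# is what LIST.index() returns, in case a replacement LIST repeats a character.
symbolValues = {}
for value, symbol in enumerate(LIST):
    symbolValues.setdefault(symbol, value)

hexList = []
for position, x in enumerate(DATA):
    if x not in symbolValues:
        # Still a ValueError, as LIST.index() raised, but it names the culprit
        # (typically whitespace or a line break picked up when copying DATA).
        raise ValueError('DATA[%d] = %r is not a symbol of LIST' % (position, x))
    hexList.append(symbolValues[x])

# Four 6-bit values decode to three bytes.
subLists = [hexList[i:i + 4] for i in range(0, len(hexList), 4)]
if len(subLists[-1]) < 4:
    # A short final group is zero-filled, and decShiftFunc always returns three
    # bytes, so the output then ends with one or two bytes that come from the
    # filler rather than from DATA.
    # NOTE(review): whether those trailing bytes should be dropped depends on
    # how the sender terminates its encoding; confirm against a known sample.
    subLists[-1].extend([0x00] * (4 - len(subLists[-1])))

finalString = b''.join(decShiftFunc(*subList) for subList in subLists)

# Single-byte key: len(ID) XOR-folded with the code point of every ID character.
key = len(ID)
for x in ID:
    key ^= ord(x)

# Each byte is XORed with the key and then bitwise-inverted; the & 0xFF keeps
# the result in byte range (and discards any key bits above the low eight).
plainData = bytes(~(x ^ key) & 0xFF for x in finalString)

# The decoded bytes are only written out, never parsed or executed here.
# payload.bin lands in the current working directory and replaces any existing
# file of that name; the context manager guarantees the handle is flushed and
# closed before the success message is printed.
with open('payload.bin', 'wb') as payloadFile:
    payloadFile.write(plainData)
print('[+] Final Payload Was Created!')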