
@0xToxin
Created September 13, 2023 08:47
Extraction of DarkGate final payload from AutoIT script Version 4.14
# Input: path of the AutoIT script to decode; edit before running.
AUTO_IT_PATH = "pay.au3"
# Output: path that receives the decoded final payload; edit before running.
FINAL_PAYLOAD_PATH = "final2.bin"
def decShiftFunc(arg1, arg2, arg3, arg4):
    """Pack four 6-bit table indices into three bytes.

    This is the bit layout of one base64 quantum. Every argument is masked
    before use, so bits outside the selected ones are discarded.

    Returns:
        A ``bytes`` object of length 3.
    """
    # Byte 0: the six bits of arg1 followed by bits 5..4 of arg2.
    first = ((arg1 & 0x3F) << 2) + ((arg2 & 0x30) >> 4)
    # Byte 1: the low four bits of arg2 followed by bits 5..2 of arg3.
    second = ((arg2 & 0x0F) << 4) + ((arg3 & 0x3C) >> 2)
    # Byte 2: the low two bits of arg3 followed by the six bits of arg4.
    third = ((arg3 & 0x03) << 6) + (arg4 & 0x3F)
    return bytes((first, second, third))
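# Extraction driver.
#
# Layout this script relies on (per the indexing below): the AutoIT file is
# split on '|', field 1 is the custom base64 alphabet and field 2 is the
# encoded payload. The input is attacker-authored, so the structure is checked
# before it is indexed instead of failing with a bare IndexError.
with open(AUTO_IT_PATH, 'rb') as scriptFile:
    # Bytes that are not valid text are dropped; the alphabet and the encoded
    # data are expected to be printable characters.
    fileData = scriptFile.read().decode(errors='ignore')

stringsArray = fileData.split('|')
if len(stringsArray) < 3:
    raise ValueError(
        "expected at least three '|'-separated fields in %r, found %d"
        % (AUTO_IT_PATH, len(stringsArray))
    )

b64CustomTable = stringsArray[1]
encodedData = stringsArray[2]
if not encodedData:
    raise ValueError("encoded payload field in %r is empty" % AUTO_IT_PATH)

# One-time lookup table instead of a linear str.index() per character.
# setdefault keeps the first position of a repeated character, which is what
# str.index() returned.
tableIndex = {}
for position, symbol in enumerate(b64CustomTable):
    tableIndex.setdefault(symbol, position)

hexList = []
for offset, x in enumerate(encodedData):
    if x not in tableIndex:
        # Same exception type str.index() raised, with the location added so
        # a wrong field split or a different script layout is easy to spot.
        raise ValueError(
            "character %r at offset %d of the encoded data is not in the "
            "custom table" % (x, offset)
        )
    hexList.append(tableIndex[x])

# Zero-fill a short final group so that every group has four indices. The
# output can therefore end with bytes that come from the fill, not from the
# encoded data; keep that in mind when comparing sizes or hashes.
hexList.extend([0x00] * (-len(hexList) % 4))

# Decode group by group and join once (repeated bytes += is quadratic).
finalPayload = b''.join(
    decShiftFunc(*hexList[i:i + 4]) for i in range(0, len(hexList), 4)
)

# The bytes are written unmodified: the output file is the live sample, not a
# defanged copy.
with open(FINAL_PAYLOAD_PATH, 'wb') as payloadFile:
    payloadFile.write(finalPayload)
print('[+] Final Payload Was Created!')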