BobuSumisu/bozok_v1

## bozok_v1
#!/usr/bin/env python2
# Simple config extractor for Bozok v1.4.3

import sys
import pefile
import json
import re

def extract_conf(filename):
  data = open(filename, 'rb').read()

  # the version is hardcoded as a unicode string
  if not re.search(r'1\x00.\x004\x00.\x003\x00\x00\x00', data):
    print('Warning: version string (1.4.3) not found in data.')
    print('This is probably not going to work...')

  try:
    pe = pefile.PE(data=data)
  except:
    print('Input file ({}) is not a valid PE file.'.format(filename))
    exit(1)

  # loop over resources, looking for a RCDATA entry with name "CFG"
  for resource in pe.DIRECTORY_ENTRY_RESOURCE.entries:
    if resource.id == pefile.RESOURCE_TYPE['RT_RCDATA']:
      for entry in resource.directory.entries:
        if entry.name.string == 'CFG':

          # found the correct resource (probably), extract it
          offset = entry.directory.entries[0].data.struct.OffsetToData
          size = entry.directory.entries[0].data.struct.Size
          data = pe.get_memory_mapped_image()[offset:offset+size]

          # config is saved with "interloping" null-bytes, remove every other char
          # the different fields in the config are separated with a pipe
          data = data.replace('\x00', '').split('|')
          if len(data) != 15:
            print('Error extracting config: expected 15 values, found {}.'.format(len(data)))
            return None

          # domains are saved with a trailing asterisk, cut it off
          data[12] = data[12][:-1]

          return {
            'version': '1.4.3',
            'unknown1': data[0],
            'mutex': data[1],
            'exename': data[2],
            'regname': data[3],
            'extfile?': data[4],
            'password': data[5],
            'flag_exe': data[6],
            'flag_reg': data[7],
            'flag_thread': data[8],
            'flag4': data[9],
            'flag5': data[10],
            'port': data[11],
            'domain': data[12],
            'flag6': data[13]
          }

  return None

if __name__ == '__main__':
  if len(sys.argv) < 2:
    print('Usage: python ' + sys.argv[0] + ' FILENAME')
    exit()

  config = extract_conf(sys.argv[1])
  if config == None:
    print('Config extraction failed.')
  else:
    print(json.dumps(config, indent=2))
	#!/usr/bin/env python2
	# Simple config extractor for Bozok v1.4.3

	import sys
	import pefile
	import json
	import re

	def extract_conf(filename):
	data = open(filename, 'rb').read()

	# the version is hardcoded as a unicode string
	if not re.search(r'1\x00.\x004\x00.\x003\x00\x00\x00', data):
	print('Warning: version string (1.4.3) not found in data.')
	print('This is probably not going to work...')

	try:
	pe = pefile.PE(data=data)
	except:
	print('Input file ({}) is not a valid PE file.'.format(filename))
	exit(1)

	# loop over resources, looking for a RCDATA entry with name "CFG"
	for resource in pe.DIRECTORY_ENTRY_RESOURCE.entries:
	if resource.id == pefile.RESOURCE_TYPE['RT_RCDATA']:
	for entry in resource.directory.entries:
	if entry.name.string == 'CFG':

	# found the correct resource (probably), extract it
	offset = entry.directory.entries[0].data.struct.OffsetToData
	size = entry.directory.entries[0].data.struct.Size
	data = pe.get_memory_mapped_image()[offset:offset+size]

	# config is saved with "interloping" null-bytes, remove every other char
	# the different fields in the config are separated with a pipe
	data = data.replace('\x00', '').split('\|')
	if len(data) != 15:
	print('Error extracting config: expected 15 values, found {}.'.format(len(data)))
	return None

	# domains are saved with a trailing asterisk, cut it off
	data[12] = data[12][:-1]

	return {
	'version': '1.4.3',
	'unknown1': data[0],
	'mutex': data[1],
	'exename': data[2],
	'regname': data[3],
	'extfile?': data[4],
	'password': data[5],
	'flag_exe': data[6],
	'flag_reg': data[7],
	'flag_thread': data[8],
	'flag4': data[9],
	'flag5': data[10],
	'port': data[11],
	'domain': data[12],
	'flag6': data[13]
	}

	return None

	if __name__ == '__main__':
	if len(sys.argv) < 2:
	print('Usage: python ' + sys.argv[0] + ' FILENAME')
	exit()

	config = extract_conf(sys.argv[1])
	if config == None:
	print('Config extraction failed.')
	else:
	print(json.dumps(config, indent=2))