
@ColinKeigher / Secret
Last active Oct 21, 2015

Decodes malicious payloads that typically get decoded in a VBScript
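```python
import os
from sys import argv, stdout


def dexor(filedata, filekey):
    """XOR every byte of filedata with the repeating key filekey.

    Both arguments are bytes; the key wraps around when it is
    shorter than the data.
    """
    if not filekey:
        raise ValueError('key must not be empty')
    decoded = bytearray()
    for x in range(len(filedata)):
        # Pick the key byte for this position, cycling through the key.
        decoded.append(filedata[x] ^ filekey[x % len(filekey)])
    return bytes(decoded)


if __name__ == '__main__':
    filename = argv[1]
    # Recover the raw bytes of the key as passed on the command line.
    malwarekey = os.fsencode(argv[2])
    with open(filename, 'rb') as f:
        data = f.read()
    # Write raw bytes: the decoded payload is not guaranteed to be text.
    stdout.buffer.write(dexor(filedata=data, filekey=malwarekey))
```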