ajdumanhug/dec.py

## dec.py
#!/usr/bin/env python3
import base64
import struct
import argparse

KEY = bytes([8, 1, 2, 5, 2, 1, 7, 0, 1, 1, 0, 5, 0, 7, 0, 8])
RC4_KEY = b"D2F7DN23VW"
SECONDARY_XOR_KEY = 123

def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]

    i = 0
    j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) % 256]
        out.append(byte ^ k)
    return bytes(out)

def decode_outbound_content(content_b64: str) -> str:
    raw = base64.b64decode(content_b64)
    after_rc4 = rc4(RC4_KEY, raw)
    plain_utf16 = xor_bytes(after_rc4, KEY)
    return plain_utf16.decode("utf-16le", errors="replace")

def decode_inbound_response(response_b64: str) -> dict:
    raw = base64.b64decode(response_b64)
    plain = xor_bytes(raw, KEY)

    if len(plain) < 8:
        raise ValueError("Response too short")

    cmd_id = struct.unpack("<i", plain[0:4])[0]
    data_len = struct.unpack("<i", plain[4:8])[0]

    payload_enc = plain[8:8 + data_len]
    payload = xor_single_byte(payload_enc, SECONDARY_XOR_KEY)

    return {
        "cmd_id": cmd_id,
        "data_len": data_len,
        "payload_text": payload.decode("utf-8", errors="replace"),
    }

def main():
    parser = argparse.ArgumentParser(
        description="Decode outbound and inbound data from the sample malware."
    )

    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument(
        "--outbound",
        help="Base64 value from content="
    )
    group.add_argument(
        "--inbound",
        help="Base64 server response"
    )

    args = parser.parse_args()

    if args.outbound:
        print("[Decoded Outbound Content]")
        print(decode_outbound_content(args.outbound))

    elif args.inbound:
        result = decode_inbound_response(args.inbound)
        print("[CMD ID]", result["cmd_id"])
        print("[Data Length]", result["data_len"])
        print("[Payload]")
        print(result["payload_text"])

if __name__ == "__main__":
    main()
	#!/usr/bin/env python3
	import base64
	import struct
	import argparse

	KEY = bytes([8, 1, 2, 5, 2, 1, 7, 0, 1, 1, 0, 5, 0, 7, 0, 8])
	RC4_KEY = b"D2F7DN23VW"
	SECONDARY_XOR_KEY = 123

	def xor_bytes(data: bytes, key: bytes) -> bytes:
	return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

	def xor_single_byte(data: bytes, key: int) -> bytes:
	return bytes(b ^ key for b in data)

	def rc4(key: bytes, data: bytes) -> bytes:
	S = list(range(256))
	j = 0
	for i in range(256):
	j = (j + S[i] + key[i % len(key)]) % 256
	S[i], S[j] = S[j], S[i]

	i = 0
	j = 0
	out = bytearray()
	for byte in data:
	i = (i + 1) % 256
	j = (j + S[i]) % 256
	S[i], S[j] = S[j], S[i]
	k = S[(S[i] + S[j]) % 256]
	out.append(byte ^ k)
	return bytes(out)

	def decode_outbound_content(content_b64: str) -> str:
	raw = base64.b64decode(content_b64)
	after_rc4 = rc4(RC4_KEY, raw)
	plain_utf16 = xor_bytes(after_rc4, KEY)
	return plain_utf16.decode("utf-16le", errors="replace")

	def decode_inbound_response(response_b64: str) -> dict:
	raw = base64.b64decode(response_b64)
	plain = xor_bytes(raw, KEY)

	if len(plain) < 8:
	raise ValueError("Response too short")

	cmd_id = struct.unpack("<i", plain[0:4])[0]
	data_len = struct.unpack("<i", plain[4:8])[0]

	payload_enc = plain[8:8 + data_len]
	payload = xor_single_byte(payload_enc, SECONDARY_XOR_KEY)

	return {
	"cmd_id": cmd_id,
	"data_len": data_len,
	"payload_text": payload.decode("utf-8", errors="replace"),
	}

	def main():
	parser = argparse.ArgumentParser(
	description="Decode outbound and inbound data from the sample malware."
	)

	group = parser.add_mutually_exclusive_group(required=True)
	group.add_argument(
	"--outbound",
	help="Base64 value from content="
	)
	group.add_argument(
	"--inbound",
	help="Base64 server response"
	)

	args = parser.parse_args()

	if args.outbound:
	print("[Decoded Outbound Content]")
	print(decode_outbound_content(args.outbound))

	elif args.inbound:
	result = decode_inbound_response(args.inbound)
	print("[CMD ID]", result["cmd_id"])
	print("[Data Length]", result["data_len"])
	print("[Payload]")
	print(result["payload_text"])

	if __name__ == "__main__":
	main()
No results found