@christophetd
Last active January 5, 2024 17:13
Tool to decrypt configuration values and network communications of malware of the XOR DDoS family

import binascii
import itertools

# XORs two byte sequences together (zip stops at the shorter one).
# unhexlify() returns bytes in Python 3, whose elements are already ints, so no ord() is needed here.
def xor_bytes(bytes1, bytes2):
    return [ chr(a ^ b) for (a, b) in zip(bytes1, bytes2) ]

# XORs a ciphertext with the malware's hardcoded key, repeating the key until it is long enough to match the ciphertext length.
# The key is used as its ASCII characters, not decoded from hex.
def decrypt(cipher, key_hex = 'BB2FA36AAA9541F0'):
    key_bytes = [ ord(a) for a in key_hex ]
    plaintext = xor_bytes(cipher, itertools.cycle(key_bytes))
    return ''.join(plaintext)

# Encrypted configuration values of the malware (hex-encoded)
encrypted_config = [
    '6D3741346E515F2F6E41',
    '6D205B286E33',
    '6D365F366E33',
    '6D3453346E41432F6E265A561A412F5442',
    '6D2E5B246E5F5F2334255C431A422930',
    '6D2E5B246E33',
    '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',
    '6D3453346E41432F6E41',
    '6D3741346E515F2F6E41'
]

for config_value in encrypted_config:
    print(decrypt(binascii.unhexlify(config_value)))
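The same decryption in Python 3, as an added example rather than code from the gist: it XORs bytes directly (avoiding the ord() error reported in the comments below), strips the NUL terminator that the decrypted C strings carry, and adds a known-plaintext key recovery check for a sample whose hardcoded key differs. The hex values are the ones listed above; the function names and the 16-byte key length are this example's own assumptions.

```python
import binascii
import itertools

# XOR DDoS uses the ASCII bytes of this string as the key (it is not hex-decoded).
XORDDOS_KEY = b"BB2FA36AAA9541F0"

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Symmetric: the same call encrypts and
    decrypts, so it serves for config values and captured network payloads."""
    return bytes(d ^ k for d, k in zip(data, itertools.cycle(key)))

def decrypt_config(hex_value: str, key: bytes = XORDDOS_KEY) -> str:
    """Decrypt one hex-encoded config value; the plaintexts are C strings,
    so everything from the first NUL byte onwards is dropped."""
    plain = xor_repeating(binascii.unhexlify(hex_value), key)
    return plain.split(b"\x00", 1)[0].decode("latin-1")

def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int = 16) -> bytes:
    """Known-plaintext key recovery (useful for a sample with a changed key):
    ciphertext XOR plaintext is the key stream; its first key_len bytes are
    the key, and the rest must repeat them or the guess is wrong."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    candidate = stream[:key_len]
    if any(b != candidate[i % key_len] for i, b in enumerate(stream)):
        raise ValueError("plaintext does not fit a %d-byte repeating key" % key_len)
    return candidate

# The distinct encrypted config values listed in the gist (hex).
ENCRYPTED_CONFIG = [
    "6D3741346E515F2F6E41",
    "6D205B286E33",
    "6D365F366E33",
    "6D3453346E41432F6E265A561A412F5442",
    "6D2E5B246E5F5F2334255C431A422930",
    "6D2E5B246E33",
    "6D3453346E41432F6E41",
]

def decrypt_all(values=ENCRYPTED_CONFIG, key: bytes = XORDDOS_KEY) -> list:
    return [decrypt_config(v, key) for v in values]

if __name__ == "__main__":
    for value, plain in zip(ENCRYPTED_CONFIG, decrypt_all()):
        print(value, "->", plain)
    # The 17-byte "/var/run/gcc.pid\0" value covers a full 16-byte key cycle plus one byte.
    ct = binascii.unhexlify(ENCRYPTED_CONFIG[3])
    print("recovered key:", recover_key(ct, b"/var/run/gcc.pid\x00"))
```

The decrypted values are file-system paths the sample uses, each NUL-terminated in the binary; the recovery step is only meaningful when at least one full key length of plaintext is known.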

ch40s commented Feb 27, 2019

I get the following error for line 6:

return [chr(ord(a) ^ b) for (a, b) in zip(bytes1, bytes2)]
TypeError: ord() expected string of length 1, but int found

@christophetd: any idea why that happens?


xtaran commented Jan 5, 2024

I get the following error for line 6:

return [chr(ord(a) ^ b) for (a, b) in zip(bytes1, bytes2)]
TypeError: ord() expected string of length 1, but int found

There's an ord(…) too many in the code. Update that line to look like this:

return [chr(a ^ b) for (a, b) in zip(bytes1, bytes2)]
