
import idc
def decrypt_n_comment(func, func_name):
"""
Decrypt and comment Shamoon2's strings
"""
data = {}
for xref in XrefsTo(LocByName(func_name)):
# init
def decrypt(func):
"""
Decryption of zeus strings
"""
ZBOT_INDEX_MIN = 0x0
ZBOT_INDEX_MAX = 0xe7
data = {}
for i in range(ZBOT_INDEX_MIN, ZBOT_INDEX_MAX):
#!/usr/bin/env python3
import re
import argparse
from colorama import init, Fore, Style
from terminaltables import DoubleTable
def main():
    # The listing preview ends after this line, so the rest of main() is not shown.
    # usage() is defined outside this preview; given the argparse import above it
    # presumably builds and parses the command line -- confirm against the full script.
    args = usage()

Spora bitcoin addresses


| first date | last date | bitcoin address |
|---|---|---|
| 01/18/2017 (first transaction) | 02/28/2017 (last transaction) | 137zbLqMQjc96kYcEyPonpT442eWuuvKYK |
| 15/03/2017 (official date on Spora store) | 14/04/2017 (in theory, 30 days validity) | 1EW2dYKBNNfjyabNrqMB4bE7jT5e9bZAU2 |
| 21/03/2017 (official date on Spora store) | 20/04/2017 (in theory, 30 days validity) | 1N5i6frmoCNKr9X8Nski3fWgYkavhR6Y3N |

Note: the first row's dates are written month/day/year, while the other two rows use day/month/year.
def decrypt_n_comment(func, func_name):
    """
    Decryption of cerber string

    Visits every cross-reference to the routine named ``func_name`` and, for
    each one, looks up two ``push`` instructions and reads their first operand.
    Only this argument-recovery step is visible in the preview; the decryption
    and commenting steps, and any use of ``func``, are not shown here.
    """
    # LocByName / GetOperandValue / PrevHead are the pre-7.0 IDAPython names;
    # newer IDA releases expose them under renamed functions.
    for xref in XrefsTo(LocByName(func_name)):
        # init retrieve arguments
        # search_inst is defined outside this preview; presumably it scans
        # backwards from the given address for the named mnemonic -- confirm.
        string_ea = search_inst(xref.frm, "push")
        # First operand of that push; by its name, the encrypted string's address.
        string_op = GetOperandValue(string_ea,0)
        # Restart the search one instruction before the push just found.
        size_ea = search_inst(PrevHead(string_ea), "push")
        # NOTE(review): this is only meaningful if the operand is an immediate;
        # for a register operand IDA returns the register number, not its value.
        size_op = GetOperandValue(size_ea,0)
def decrypt_n_comment(func, func_name):
    """
    Decryption of Satan string

    Visits every cross-reference to the routine named ``func_name``, reads the
    first operand of a ``push`` instruction located from the reference address,
    and allocates an Appcall buffer. The preview stops there; the decryption
    call, the commenting step and any use of ``func`` are not shown here.
    """
    # LocByName / GetOperandValue are the pre-7.0 IDAPython names.
    for xref in XrefsTo(LocByName(func_name)):
        # init retrieve arguments
        # search_inst is defined outside this preview; presumably it scans
        # backwards from the given address for the named mnemonic -- confirm.
        index_ea = search_inst(xref.frm, "push")
        # By its name, the index of the string to decrypt. An immediate operand
        # is assumed; a register operand would yield the register number instead.
        index_op = GetOperandValue(index_ea, 0)
        # 512-byte zero-filled buffer, presumably the output argument of the
        # decryption routine -- confirm against the full script.
        # NOTE(review): Appcall invokes functions inside the debugged process, so
        # if the hidden remainder calls the routine this way the sample's own code
        # runs; that belongs in an isolated analysis VM.
        buf = Appcall.buffer("\x00" * 512)

Keybase proof

I hereby claim:

  • I am coldshell on github.
  • I am coldshell (https://keybase.io/coldshell) on keybase.
  • I have a public key ASDZXlbZhQYNgDhmihPYdIFOKn5-PcSgK0DCyT5FGJmMUgo

To claim this, I am signing this object: