first date | last date | bitcoin address |
---|---|---|
01/18/2017 (first transaction) | 02/28/2017 (last transaction) | 137zbLqMQjc96kYcEyPonpT442eWuuvKYK |
15/03/2017 (official date on Spora store) | 14/04/2017 (in theory, 30 days validity) | 1EW2dYKBNNfjyabNrqMB4bE7jT5e9bZAU2 |
21/03/2017 (official date on Spora store) | 20/04/2017 (in theory, 30 days validity) | 1N5i6frmoCNKr9X8Nski3fWgYkavhR6Y3N |
```python
import idc

def decrypt_n_comment(func, func_name):
    """
    Decrypt and comment Shamoon2's strings
    """
    data = {}
    for xref in XrefsTo(LocByName(func_name)):
        # init
```
```python
def decrypt(func):
    """
    Decryption of zeus strings
    """
    ZBOT_INDEX_MIN = 0x0
    ZBOT_INDEX_MAX = 0xe7
    data = {}
    for i in range(ZBOT_INDEX_MIN, ZBOT_INDEX_MAX):
```
```python
#!/usr/bin/env python3
import re
import argparse
from colorama import init, Fore, Style
from terminaltables import DoubleTable

def main():
    args = usage()
```
```python
def decrypt_n_comment(func, func_name):
    """
    Decryption of cerber string
    """
    for xref in XrefsTo(LocByName(func_name)):
        # init retrieve arguments
        string_ea = search_inst(xref.frm, "push")
        string_op = GetOperandValue(string_ea, 0)
        size_ea = search_inst(PrevHead(string_ea), "push")
        size_op = GetOperandValue(size_ea, 0)
```
```python
def decrypt_n_comment(func, func_name):
    """
    Decryption of Satan string
    """
    for xref in XrefsTo(LocByName(func_name)):
        # init retrieve arguments
        index_ea = search_inst(xref.frm, "push")
        index_op = GetOperandValue(index_ea, 0)
        buf = Appcall.buffer("\x00" * 512)
```
I hereby claim:
- I am coldshell on github.
- I am coldshell (https://keybase.io/coldshell) on keybase.
- I have a public key ASDZXlbZhQYNgDhmihPYdIFOKn5-PcSgK0DCyT5FGJmMUgo
To claim this, I am signing this object: