I hereby claim:
- I am coldshell on github.
- I am coldshell (https://keybase.io/coldshell) on keybase.
- I have a public key ASDZXlbZhQYNgDhmihPYdIFOKn5-PcSgK0DCyT5FGJmMUgo
To claim this, I am signing this object:
I hereby claim:
To claim this, I am signing this object:
def decrypt(func): | |
""" | |
Decryption of zeus strings | |
""" | |
ZBOT_INDEX_MIN = 0x0 | |
ZBOT_INDEX_MAX = 0xe7 | |
data = {} | |
for i in range(ZBOT_INDEX_MIN, ZBOT_INDEX_MAX): | |
#!/usr/bin/env python3 | |
import re | |
import argparse | |
from colorama import init, Fore, Style | |
from terminaltables import DoubleTable | |
def main(): | |
args = usage() |
def decrypt_n_comment(func, func_name): | |
""" | |
Decryption of Satan string | |
""" | |
for xref in XrefsTo(LocByName(func_name)): | |
# init retrieve arguments | |
index_ea = search_inst(xref.frm, "push") | |
index_op = GetOperandValue(index_ea, 0) | |
buf = Appcall.buffer("\x00" * 512) |
import idc | |
def decrypt_n_comment(func, func_name): | |
""" | |
Decrypt and comment Shamoon2's strings | |
""" | |
data = {} | |
for xref in XrefsTo(LocByName(func_name)): | |
# init |
def decrypt_n_comment(func, func_name): | |
""" | |
Decryption of cerber string | |
""" | |
for xref in XrefsTo(LocByName(func_name)): | |
# init retrieve arguments | |
string_ea = search_inst(xref.frm, "push") | |
string_op = GetOperandValue(string_ea,0) | |
size_ea = search_inst(PrevHead(string_ea), "push") | |
size_op = GetOperandValue(size_ea,0) |
first date (row 1: MM/DD/YYYY; rows 2–3: DD/MM/YYYY) | last date (same format as the row's first date) | bitcoin address |
---|---|---|
01/18/2017 (first transaction) | 02/28/2017 (last transaction) | 137zbLqMQjc96kYcEyPonpT442eWuuvKYK |
15/03/2017 (official date on Spora store) | 14/04/2017 (in theory, 30 days validity) | 1EW2dYKBNNfjyabNrqMB4bE7jT5e9bZAU2 |
21/03/2017 (official date on Spora store) | 20/04/2017 (in theory, 30 days validity) | 1N5i6frmoCNKr9X8Nski3fWgYkavhR6Y3N |