drakonia dr4k0nia

## DuckTail_Unpacker_ADAPTER.cs
using System;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Threading;

public class Program
{
	private void Main()

## HInvokeHashGen.cs
using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;
using System.Reflection;
using System.Text;

GetMethodHash("System.Reflection.Assembly", "Load");

## readme.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              1 star
            
          
                dr4k0nia
                / readme.md
            
            
              Created
              February 24, 2023 13:32
            
              
                Decrypting XorStringsNET the easy way
              
          
    Unpacking XorStringsNET

Since AgentTesla started using my XorStringsNET obfuscator to encrypt strings in their malware I decided to write a quick guide
on how to decrypt the strings again.
Observed in unpacked child SHA256: d56f2852762f7f9fcb07eaf018e143ab1e4ad46e1f2e943faf13618388ef21a2
Original sample SHA256: e66ffcfe9fb0d0cd80d96dcfd96e4941d3c2389d227f2655391cfdbc3bcd637c
Using de4dot


## Program.cs
// Deobfuscator for a3x file of sample SHA256: db8eb8347ed084c3ee3707ad032743e350157abcaf2817e5f15777b20c554b7f
using System.Text;
using System.Text.RegularExpressions;

internal class Program
{
    private static void Main(string[] args)
    {
        var strings = new StringBuilder();
        string pattern = @"DoctrineDrama\(""(\w+)"",\s*(\d+)\)";

## Decryption.linq
void Main()
{
	Decrypt("bISU^wHNIS").Dump();
	Decrypt("fTTBJEK^").Dump();
	Decrypt("kHFC").Dump();

	var file = File.ReadAllBytes("ThomasEdinson.bin");

	var result = file.Select(new Func<byte, int, byte>(stageDecryption)).ToArray<byte>();


## HInvoke.cs
using System.Linq;
using System.Reflection;

namespace HashInvoke;

public class HInvoke
{
    public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null)
    {
        // Get the System assembly and go trough all its types hash their name

## D2_ReactionFarmer.js
// ==UserScript==
// @name         D2 Reaction Farmer
// @namespace    https://github.com/dr4k0nia
// @version      1.0
// @description  Auto click reaction for Destiny 2 Twitch Extension
// @author       drakonia
// @match        https://63i11l5ul8pm3buvheb3j2oyflbhtw.ext-twitch.tv/63i11l5ul8pm3buvheb3j2oyflbhtw/1.61/a2539f7f48a126bb354318161238275c/video_overlay.html*
// @run-at       document-end
// @icon         https://raw.githubusercontent.com/justrealmilk/destiny-icons/8b697d4529262a850d0c987ca78db86d3989850b/factions/faction_osiris.svg
// @grant        none

## crackme.cs
// Simple crackme example by drakonia

Console.WriteLine("Enter the correct password:");
string? solution = null;
while (solution == null)
{
    string? input = Console.ReadLine();
    solution = Verify(input);
}

## Suscall.cs
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace Code_Projects
{
    public unsafe class Suscall
    {
        [DllImport("kernel32", SetLastError = true)]

## DynamicInvokeExample.cs
using System.Diagnostics;
using System.Text;
using System;
using System.Runtime.InteropServices;

namespace Code_Projects
{
    public static class DynamicInvokeExample
    {
	using System;
	using System.Diagnostics;
	using System.IO;
	using System.Linq;
	using System.Reflection;
	using System.Threading;

	public class Program
	{
	private void Main()
	using System;
	using System.Collections;
	using System.Collections.Generic;
	using System.Linq;
	using System.Linq.Expressions;
	using System.Reflection;
	using System.Text;

	GetMethodHash("System.Reflection.Assembly", "Load");
	// Deobfuscator for a3x file of sample SHA256: db8eb8347ed084c3ee3707ad032743e350157abcaf2817e5f15777b20c554b7f
	using System.Text;
	using System.Text.RegularExpressions;

	internal class Program
	{
	private static void Main(string[] args)
	{
	var strings = new StringBuilder();
	string pattern = @"DoctrineDrama\(""(\w+)"",\s*(\d+)\)";
	void Main()
	{
	Decrypt("bISU^wHNIS").Dump();
	Decrypt("fTTBJEK^").Dump();
	Decrypt("kHFC").Dump();

	var file = File.ReadAllBytes("ThomasEdinson.bin");

	var result = file.Select(new Func<byte, int, byte>(stageDecryption)).ToArray<byte>();
	using System.Linq;
	using System.Reflection;

	namespace HashInvoke;

	public class HInvoke
	{
	public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null)
	{
	// Get the System assembly and go trough all its types hash their name
	// ==UserScript==
	// @name D2 Reaction Farmer
	// @namespace https://github.com/dr4k0nia
	// @version 1.0
	// @description Auto click reaction for Destiny 2 Twitch Extension
	// @author drakonia
	// @match https://63i11l5ul8pm3buvheb3j2oyflbhtw.ext-twitch.tv/63i11l5ul8pm3buvheb3j2oyflbhtw/1.61/a2539f7f48a126bb354318161238275c/video_overlay.html*
	// @run-at document-end
	// @icon https://raw.githubusercontent.com/justrealmilk/destiny-icons/8b697d4529262a850d0c987ca78db86d3989850b/factions/faction_osiris.svg
	// @grant none
	// Simple crackme example by drakonia

	Console.WriteLine("Enter the correct password:");
	string? solution = null;
	while (solution == null)
	{
	string? input = Console.ReadLine();
	solution = Verify(input);
	}
	using System;
	using System.ComponentModel;
	using System.Diagnostics;
	using System.Runtime.InteropServices;

	namespace Code_Projects
	{
	public unsafe class Suscall
	{
	[DllImport("kernel32", SetLastError = true)]