Since AgentTesla started using my XorStringsNET obfuscator to encrypt strings in their malware I decided to write a quick guide on how to decrypt the strings again.
Observed in unpacked child SHA256: d56f2852762f7f9fcb07eaf018e143ab1e4ad46e1f2e943faf13618388ef21a2
Original sample SHA256: e66ffcfe9fb0d0cd80d96dcfd96e4941d3c2389d227f2655391cfdbc3bcd637c
| using System; | |
| using System.Collections; | |
| using System.Collections.Generic; | |
| using System.Linq; | |
| using System.Linq.Expressions; | |
| using System.Reflection; | |
| using System.Text; | |
| GetMethodHash("System.Reflection.Assembly", "Load"); |
| using System.Linq; | |
| using System.Reflection; | |
| namespace HashInvoke; | |
| public class HInvoke | |
| { | |
| public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null) | |
| { | |
| // Get the System assembly and go trough all its types hash their name |
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Linq; | |
| using System.Reflection; | |
| using System.Threading; | |
| public class Program | |
| { | |
| private void Main() |
| // Deobfuscator for a3x file of sample SHA256: db8eb8347ed084c3ee3707ad032743e350157abcaf2817e5f15777b20c554b7f | |
| using System.Text; | |
| using System.Text.RegularExpressions; | |
| internal class Program | |
| { | |
| private static void Main(string[] args) | |
| { | |
| var strings = new StringBuilder(); | |
| string pattern = @"DoctrineDrama\(""(\w+)"",\s*(\d+)\)"; |
A while ago I watched a very interesting DEF CON talk called "Repsych: Psychological Warfare in Reverse Engineering" by Chris Domas. In his talk Chris talked about how one could fool and or piss off reverse engineers with some little tricks. This got me thinking what can I do in .net to piss off and or fool reverse engineers. After reading about homoglyphs I had a fun little idea.
Homoglyphs are characters that look the same but are actually from different alphabets. For our obfuscation concept, we will abuse the fact that there are unicode characters that look just like normal latin letters.
So since the homoglyph characters look just like latin characters, we can use them to have to identical looking names that are actually different. For example we could replace the character M in the name <Module> with an M from a different alphabet.
| void Main() | |
| { | |
| Decrypt("bISU^wHNIS").Dump(); | |
| Decrypt("fTTBJEK^").Dump(); | |
| Decrypt("kHFC").Dump(); | |
| var file = File.ReadAllBytes("ThomasEdinson.bin"); | |
| var result = file.Select(new Func<byte, int, byte>(stageDecryption)).ToArray<byte>(); | |
| using System; | |
| using System.ComponentModel; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace Code_Projects | |
| { | |
| public unsafe class Suscall | |
| { | |
| [DllImport("kernel32", SetLastError = true)] |
| // ==UserScript== | |
| // @name D2 Reaction Farmer | |
| // @namespace https://github.com/dr4k0nia | |
| // @version 1.0 | |
| // @description Auto click reaction for Destiny 2 Twitch Extension | |
| // @author drakonia | |
| // @match https://63i11l5ul8pm3buvheb3j2oyflbhtw.ext-twitch.tv/63i11l5ul8pm3buvheb3j2oyflbhtw/1.61/a2539f7f48a126bb354318161238275c/video_overlay.html* | |
| // @run-at document-end | |
| // @icon https://raw.githubusercontent.com/justrealmilk/destiny-icons/8b697d4529262a850d0c987ca78db86d3989850b/factions/faction_osiris.svg | |
| // @grant none |
| // Simple crackme example by drakonia | |
| Console.WriteLine("Enter the correct password:"); | |
| string? solution = null; | |
| while (solution == null) | |
| { | |
| string? input = Console.ReadLine(); | |
| solution = Verify(input); | |
| } |
