Last active
June 2, 2016 07:38
-
-
Save hasherezade/d3d8c2d243505101554f to your computer and use it in GitHub Desktop.
Dyreza resources decoders (as input use dumped resource files)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
"Decodes dyreza resources from the original Exe" | |
__AUTHOR__ = 'hasherezade' | |
import argparse | |
def decode(data, key_data): | |
decoded = bytearray() | |
i = 0 | |
for i in range(0, len(data)): | |
val_index = data[i] | |
if val_index >= len(key_data): | |
print "Invalid key data!" | |
return "" | |
decoded.append(key_data[val_index]) | |
return decoded | |
def find_dll(data): | |
while len(data): | |
mz_start = data.find('MZ') | |
if mz_start == -1: | |
return None | |
data = data[mz_start:] | |
pe = data.find('PE') | |
if pe != -1: | |
return data | |
return None | |
def dump_to_file(filename, data): | |
with open(filename, 'w') as f: | |
f.write(data) | |
def main(): | |
parser = argparse.ArgumentParser(description="Dyreza payload decoder") | |
parser.add_argument('--datafile',dest="datafile",default=None,help="File with data", required=True) | |
parser.add_argument('--keyfile',dest="keyfile",default=None, help="File with key", required=True) | |
parser.add_argument('--dllname',dest="dllname",default=None, help="Where to dump the DLL", required=False) | |
parser.add_argument('--outfile',dest="outfile",default=None, help="Where to dump the output", required=True) | |
args = parser.parse_args() | |
data = bytearray(open(args.datafile, 'rb').read()) | |
key_data = bytearray(open(args.keyfile, 'rb').read()) | |
decoded = decode(data, key_data) | |
dump_to_file(args.outfile, decoded) | |
print "Dumped decoded to: %s" % (args.outfile) | |
dll_data = find_dll(decoded) | |
if dll_data is None: | |
return | |
dllname = "DyrezaInner.dll" | |
if args.dllname is not None: | |
dllname = args.dllname | |
dump_to_file(dllname, dll_data) | |
print "Extracted DLL to: %s" % (dllname) | |
if __name__ == '__main__': | |
main() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
"Decodes dyreza resources from the DLL" | |
__AUTHOR__ = 'hasherezade' | |
#using elements from: http://lokalhost.pl/x/dyre.py by @maciekkotowicz | |
import argparse | |
import hashlib | |
from Crypto.Cipher import AES | |
BS = 16 | |
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS) | |
unpad = lambda s : s[:-ord(s[len(s)-1:])] | |
def aes_decrypt(enc, iv, key): | |
cipher = AES.new(key, AES.MODE_CBC, iv ) | |
return unpad(cipher.decrypt(enc)) | |
### | |
# author: @maciekkotowicz | |
def hash_round(d,rounds): | |
x = hashlib.sha256(d).digest() | |
r = x | |
for i in range(rounds): | |
r += ''.join(map(lambda x: chr((ord(x)+1)&0xff),r[:16])) | |
x = hashlib.sha256(r).digest() | |
r = x | |
return x | |
def hash_resource(d): | |
x = hash_round(d[:0x20],0x40+0x40) | |
y = hash_round(d[0x20:0x30],0x40)[:0x10] | |
return y,x | |
def decrypt(d): | |
iv,key = hash_resource(d) | |
return aes_decrypt(d[0x30:],iv,key) | |
def xor(x,y): | |
if len(x)>len(y): | |
y = y * (len(x)/len(y)) | |
return ''.join(map(lambda x: chr(ord(x[0])^ord(x[1])),zip(x,y))) | |
### | |
# | |
def dump_bytes(bytes_arr, delim=" ", prompt_by_delim=False): | |
if not bytes_arr: | |
return "" | |
str = delim.join("%02x" % b for b in bytes_arr) | |
if (prompt_by_delim): | |
str = delim + str | |
return str | |
def dump_to_file(filename, data): | |
with open(filename, 'wb') as f: | |
f.write(data) | |
def main(): | |
parser = argparse.ArgumentParser(description="Dyreza payload decoder") | |
parser.add_argument('--datafile',dest="datafile",default=None,help="File with data", required=True) | |
parser.add_argument('--keyfile',dest="keyfile",default=None,help="File with xor keys", required=False) | |
parser.add_argument('--outfile',dest="outfile",default="out.bin", help="Where to dump the output", required=False) | |
args = parser.parse_args() | |
data = open(args.datafile, 'rb').read() | |
data_len = len(data) | |
xorkeys = None | |
if args.keyfile is not None: | |
xorkeys = open(args.keyfile, 'rb').read() | |
#print dump_bytes(bytearray(xorkeys)) | |
if len(data) == 0x30: #file with XOR keys | |
print "This is the file with XOR keys. Use it as: --keyfile" | |
return | |
if len(data) % 0x10 == 0: #AES encrypted data | |
print "AES encrypted data!" | |
data = pad(data) | |
output = decrypt(data) | |
print len(output) | |
else: | |
if xorkeys is None: | |
print "Supply the keyfile!" | |
return | |
output = xor(data, xorkeys) | |
header = output[:2] | |
if header == "\x00\x5b": | |
print "xor decoding ok!" | |
#output = decompress(output) | |
else: | |
print "xor decoding failed" | |
if output is None: | |
print "Output is empty" | |
return | |
if args.outfile is not None: | |
dump_to_file(args.outfile, output) | |
print "Dumped decoded to: %s" % (args.outfile) | |
return | |
print output | |
if __name__ == '__main__': | |
main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment