I hereby claim:
- I am herrcore on github.
- I am herrcore (https://keybase.io/herrcore) on keybase.
- I have a public key whose fingerprint is 8E47 AB41 31AE D120 0655 3C4D 4339 149B F8AF 2E6A
To claim this, I am signing this object:
#!/usr/bin/env python | |
__AUTHOR__ = '@herrcore' | |
############################################################################################### | |
## | |
## Script to reproduce the domain generation algorithm (DGA) of the Dromedan dropper | |
## Sample SHA256: f88bc84fea3695cd1da1a315eb09c65f21cfc6b764defc3c8efd94d6c6396e0c | |
## | |
## Another @herrcore production | |
## | |
## And so me put in work work work work work work! |
https://analyst.koodous.com/apks/52c073ef52312049182773b3c4f3d275b2f3419e8d16d3dbdb5ed3446c09b439 | |
https://analyst.koodous.com/apks/323d0c5ab28124361c96f2d337b2576216e076ab0e7cbc8cf981acae15916ee2 | |
https://analyst.koodous.com/apks/dc6d831b8bd96623aef593b255a47fdc97460d7417b90478a55ea6a952b33344 | |
https://analyst.koodous.com/apks/d337438242724d59183f769845733fc9d514b17512970c87a6a9f45547a00ee6 | |
https://analyst.koodous.com/apks/b86c18b8c948c92966a998ede389c78c99c8f5e69779d2184fdce2a7974615b8 | |
https://analyst.koodous.com/apks/a922f8990952c9635fb649dd735056999b0d1374f50ade15e2408d2be8a20057 | |
https://analyst.koodous.com/apks/32a25f2f339b70601a33d5577a65424eca25e526222067699702f406be9aa027 | |
https://analyst.koodous.com/apks/98a01bd62210bf1c818ecf64acb55fd3758a892310beaf4df28565f7df063d83 | |
https://analyst.koodous.com/apks/cc294653372db1df592b597e4d88bdc8eb834edad9833637cff3be676f18efff | |
https://analyst.koodous.com/apks/cb04a042013c72cebdce3dedc0c3b69ac32adb0415dd17474a4f5d05069e704a |
#!/usr/bin/env python | |
####################################################################### | |
## | |
## Extract the disk serial number from the Windows registry SOFTWARE hive | |
## | |
####################################################################### | |
__AUTHOR__ = '@herrcore' | |
import datetime |
<# | |
.SYNOPSIS | |
Generate asprox ID and ID_Key. | |
.DESCRIPTION | |
Use host-specific attributes to derive an Asprox ID and ID_Key that are unique to the host. | |
.NOTES | |
File Name : asprox_id.ps1 | |
Author : @herrcore | |
Prerequisite : PowerShell 2.0 or later on Windows Vista or later. | |
#> |
import idaapi, idc, idautils | |
import re | |
import struct | |
# Address range of the table walked by the loop that follows (it steps in
# 8-byte entries). These addresses are presumably specific to the analysed
# sample's IDB — confirm before reusing the script on another binary.
start, end = 0x0041A558, 0x0041B1E8
for ptr in range(start,end,8): | |
key = Byte(ptr) |
#!~/.wine/drive_c/Python25/python.exe | |
# -*- coding: utf-8 -*- | |
# Copyright (c) 2009-2014, Mario Vilas | |
# All rights reserved. | |
# | |
# Redistribution and use in source and binary forms, with or without | |
# modification, are permitted provided that the following conditions are met: | |
# | |
# * Redistributions of source code must retain the above copyright notice, |
# Copyright (c) 2014 The MITRE Corporation. All rights reserved. | |
# | |
# Redistribution and use in source and binary forms, with or without | |
# modification, are permitted provided that the following conditions | |
# are met: | |
# 1. Redistributions of source code must retain the above copyright | |
# notice, this list of conditions and the following disclaimer. | |
# 2. Redistributions in binary form must reproduce the above copyright | |
# notice, this list of conditions and the following disclaimer in the | |
# documentation and/or other materials provided with the distribution. |
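try:
    import lznt1
except ImportError:
    # Only a missing module is expected here. A bare `except:` would also
    # swallow KeyboardInterrupt/SystemExit and mask genuine errors raised
    # while importing lznt1, printing a misleading "cannot import" hint.
    # print() with a single argument behaves the same on Python 2 and 3.
    print("Cannot import lznt1, try this lib: https://gist.github.com/herrcore/344ba2ea540f622b52efba858050539f")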
import struct | |
def decrypt(data): | |
key = data[:8] | |
data = data[8:] |
def decrypt_string(ctxt): | |
tbl = 'UmlXZEyNki880daneIlvAipdZ5Kz45FucTmGiIhYdbFHromzJjbisCtBCm' | |
ctxt_bin = '' | |
for i in re.findall('..',ctxt): | |
ctxt_bin += chr(int(i,16)) | |
ptxt = '' | |
for i in range(0,len(ctxt_bin) - 1): | |
mut_chr = ord(ctxt_bin[i]) | |
tmp_chr = ord(ctxt_bin[i+1]) ^ ord(tbl[i]) | |
if mut_chr > tmp_chr: |