import re
import struct
import sys

import capstone  # capstone-engine
import lznt1  # lznt1
import pefile  # pefile
def DWORD(i):
    """Truncate *i* to an unsigned 32-bit value (negatives wrap as two's complement)."""
    return i % (1 << 32)
def LOBYTE(i):
    """Return the least-significant byte of *i* as an int in 0..255."""
    return i % 256
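def dec(key, in_data):
    """XOR-transform *in_data* with a key stream derived from the 32-bit seed *key*.

    Four 32-bit lanes (k1..k4) all start at *key* and are advanced once per
    input byte with independent shift/add constants; the low byte of their sum
    is the key-stream byte XORed into the data.  The lanes never read the
    input, so the key stream depends only on *key* and the byte position, and
    the same call encrypts as well as decrypts.

    Args:
        key: integer seed; values wider than 32 bits are truncated by DWORD on
            the first lane update.
        in_data: bytes-like object to transform.

    Returns:
        The transformed data as ``bytes`` (``b""`` for empty input).
    """
    k1 = k2 = k3 = k4 = key
    # Collect into a bytearray: ``bytes += bytes`` re-copies the whole buffer on
    # every byte, which is quadratic on the multi-megabyte blobs this handles.
    out = bytearray()
    for x in in_data:
        k1 = DWORD(k1 + (k1 >> 3) - 0x56565656)
        k2 = DWORD(k2 + (k2 >> 5) - 0x36363636)
        k3 = DWORD(k3 - (k3 << 7) + 0x57575757)
        k4 = DWORD(k4 - (k4 << 9) - 0x76767677)
        out.append(x ^ LOBYTE(k1 + k2 + k3 + k4))
    return bytes(out)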
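def decrypt(data, start_addr, size):
    """Decrypt the blob at ``data[start_addr:start_addr + size]`` and classify it.

    The first four bytes of the blob are the little-endian seed for :func:`dec`
    (the whole blob, seed bytes included, is fed through ``dec``).  If the
    decrypted bytes look like a PE image (contain both ``MZ`` and ``PE``), the
    bytes after the 16-byte header are LZNT1-decompressed.

    Args:
        data: the whole input file.
        start_addr: offset of the blob inside *data*.
        size: length of the blob in bytes.

    Returns:
        ``(payload, data_flag)`` where ``data_flag`` is 1 for a decompressed PE
        image and 0 for a plain decrypted blob.

    Raises:
        ValueError: if fewer than four bytes are available at *start_addr*.
    """
    blob = data[start_addr:start_addr + size]
    if len(blob) < 4:
        raise ValueError(f"blob at {hex(start_addr)} is too short for a 4-byte key")
    (key,) = struct.unpack("<I", blob[:4])
    res = dec(key, blob)
    data_flag = 0
    # Heuristic PE detection: a plain blob that happens to contain both
    # substrings is handed to the decompressor as well, so a false positive
    # surfaces as a decompression error rather than here.  The output size of
    # lznt1.decompress on crafted input is not bounded by this script.
    if b"MZ" in res and b"PE" in res:
        res = lznt1.decompress(res[16:])
        data_flag = 1
    return (res, data_flag)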
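def _imm_operand(op_str):
    """Parse a hexadecimal immediate operand such as ``0x1234``.

    Returns:
        The operand's integer value, or ``None`` when *op_str* is not a plain
        immediate (a register, or a memory operand like ``dword ptr [0x...]``).
    """
    try:
        return int(op_str, 16)
    except ValueError:
        return None


def disasm_obfus_call(data, start_addr, print_code=False):
    """Locate the ``push <size>; call <next>`` stub in the code at ``data[start_addr:]``.

    Linear-sweeps 32-bit x86 code from *start_addr* until it finds an
    immediate ``push`` followed by an immediate ``call`` whose address is
    exactly 5 bytes past the push (the length of a ``push imm32``), or hits a
    ``ret``, or runs out of decodable instructions.

    Args:
        data: the whole input file.
        start_addr: offset in *data* where disassembly starts; the
            disassembler numbers instructions from 0 relative to it.
        print_code: when true, echo each decoded instruction to stdout.

    Returns:
        ``(data_addr, push_val, call_sub)``: the offset just past the matched
        ``call`` (where the pushed-size blob begins), the pushed immediate, and
        the call target relative to *start_addr*.  When no matching pair is
        found — a ``ret`` is reached, or the stream ends first — the result is
        ``(start_addr + 5, 0, 0)`` so callers can stop on the two zeros.
    """
    push_addr = 0
    push_val = 0
    call_addr = 0
    call_sub = 0
    # Keep the disassembler local instead of storing it on the capstone module.
    md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
    if print_code:
        print()
    for insn in md.disasm(data[start_addr:], 0):
        if print_code:
            print("0x%x:\t%s\t%s" %
                  (insn.address + start_addr, insn.mnemonic, insn.op_str))
        if insn.mnemonic == "ret":
            break
        if insn.mnemonic == "push" and "0x" in insn.op_str:
            imm = _imm_operand(insn.op_str)
            if imm is not None:
                push_addr = insn.address
                push_val = imm
        if insn.mnemonic == "call" and insn.address == push_addr + 5 and push_val != 0:
            # A register/memory call operand is not the stub we want; keep scanning.
            target = _imm_operand(insn.op_str)
            if target is not None:
                call_addr = insn.address
                call_sub = target
                break
    if call_addr == 0:
        # ret reached, or the stream ended after a push with no usable call:
        # report "nothing found" so the caller does not loop on a stale push.
        push_val = 0
        call_sub = 0
    if print_code:
        print()
    return (call_addr + start_addr + 5, push_val, call_sub)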
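def show_data_info(data_addr, data_decrypt, data_flag):
    """Print a human-readable summary of a decrypted blob.

    For a plain blob (``data_flag == 0``) this lists runs of four or more bytes
    in the 0x1F..0x7E range, first as found in the raw bytes, then after
    decoding the blob as UTF-16 and re-encoding it as UTF-8.  For a PE image
    (``data_flag == 1``) only a one-line notice is printed.

    Args:
        data_addr: offset of the blob in the input file (shown in hex).
        data_decrypt: the decrypted bytes.
        data_flag: 0 for a plain blob, 1 for a PE image; other values print
            nothing.
    """
    if data_flag == 0:
        print("Data at address %s contain: " % hex(data_addr))
        # NOTE(review): the class starts at 0x1F (unit separator), one below the
        # first printable ASCII byte; kept as the author wrote it.
        printable = re.compile(b"[\x1f-\x7e]{4,}")
        string_ascii = printable.findall(data_decrypt)
        print(" Ascii string:\n +", "\n + ".join([i.decode() for i in string_ascii]))
        # The blob is attacker-controlled: an odd length or a lone surrogate must
        # not abort the run, so undecodable units are dropped.  Without a BOM
        # the 'utf-16' codec assumes the host byte order.
        as_utf16 = data_decrypt.decode("utf-16", errors="ignore").encode()
        string_utf16 = printable.findall(as_utf16)
        print(" UTF-16 string:\n +", "\n + ".join([i.decode() for i in string_utf16]))
    if data_flag == 1:  # PE file
        print("Data at address %s is a PE file" % hex(data_addr))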
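def decrypt_cfg(file_name):
    """Decrypt a whole config file and write the result as ``<file_name>.dec``.

    The entire file is treated as one encrypted blob (offset 0, full length);
    a summary of printable strings is printed through show_data_info.

    Args:
        file_name: path of the encrypted config file.
    """
    # ``with`` closes the handle even if read() raises.
    with open(str(file_name), "rb") as f:
        data = f.read()
    print(f"[ # ] Start decrypt {file_name}")
    data_addr = 0
    data_decrypt, data_flag = decrypt(data, data_addr, len(data))
    show_data_info(data_addr, data_decrypt, data_flag)
    with open(f"{file_name}.dec", "wb") as f:
        f.write(data_decrypt)
    print(f"[ + ] Decrypted successfuly {file_name}")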
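def decrypt_dat(file_name):
    """Walk the ``push size; call next`` stubs in a .dat file and decrypt each blob.

    The shellcode is taken to start right after the first NUL byte of the file
    (offset 0 if there is none).  Each stub found by disasm_obfus_call yields a
    blob located immediately after its ``call``; the blob is decrypted with
    decrypt, written to ``<file_name>._decompressed.dll`` (PE) or
    ``<file_name>._decrypted.bin`` (other), summarised on stdout, and the scan
    resumes at the call target.  Later blobs overwrite earlier ones that get
    the same suffix.

    Args:
        file_name: path of the .dat file.
    """
    with open(str(file_name), "rb") as f:
        data = f.read()
    print(f"[ # ] Start decrypt {file_name}")
    # bytes.find returns -1 when there is no NUL, which gives 0 here — the
    # same fallback as the original index loop.
    idx = data.find(b"\x00") + 1
    print("Shell code start at %s" % hex(idx))
    while True:
        data_addr, data_size, next_ptr_shellcode = disasm_obfus_call(data, idx)
        # A zero call target would rescan the same offset forever, so stop on it
        # as well as on the "nothing found" (0, 0) pair.
        if data_size == 0 or next_ptr_shellcode == 0:
            break
        data_decrypt, data_flag = decrypt(data, data_addr, data_size)
        if data_flag == 1:
            sub_file_name = "._decompressed.dll"
        elif data_flag == 0:
            sub_file_name = "._decrypted.bin"
        else:
            # decrypt() only returns 0 or 1 today; kept as a guard.
            print(f"[ - ] Decrypt fail {file_name}")
            sys.exit(1)
        with open(f"{file_name}{sub_file_name}", "wb") as f:
            f.write(data_decrypt)
        show_data_info(data_addr, data_decrypt, data_flag)
        idx += next_ptr_shellcode
    print(f"[ + ] Decrypted successfuly {file_name}")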
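if __name__ == "__main__":
    # Sample inputs from the gist; guarded so importing the module for its
    # helpers (dec, decrypt, ...) does not start decrypting files.
    decrypt_cfg("std.cfg")
    decrypt_dat("aross.dat")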