import re
import struct
import sys

import capstone  # capstone-engine
import lznt1  # lznt1
import pefile  # pefile
def DWORD(i):
    """Reduce ``i`` to an unsigned 32-bit value (emulates C ``DWORD`` wraparound).

    Negative inputs wrap the same way a two's-complement register would.
    """
    return i % 0x100000000
def LOBYTE(i):
    """Return the least-significant byte of ``i`` (emulates the C ``LOBYTE`` macro)."""
    return i % 0x100
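def dec(key, in_data):
    """XOR ``in_data`` with a four-counter keystream seeded from ``key``.

    XOR is symmetric, so the same call both decrypts and encrypts.  Four
    32-bit counters all start at ``key`` and are stepped once per input
    byte with independent add/shift/constant updates; the low byte of
    their sum is the keystream byte.  Every step is reduced modulo 2**32
    (the ``& 0xFFFFFFFF`` masks, equivalent to the file's ``DWORD`` helper)
    to mirror the 32-bit C routine being emulated.

    Args:
        key: integer seed; in this file it is the first little-endian
            DWORD of the blob (see ``decrypt``).  It is deliberately not
            masked before the first step, matching the original.
        in_data: bytes-like input.

    Returns:
        ``bytes`` of the same length as ``in_data`` (``b""`` for empty input).
    """
    mask32 = 0xFFFFFFFF
    k1 = k2 = k3 = k4 = key
    # bytearray instead of ``bytes +=``: the latter copies the whole
    # buffer on every byte, which is quadratic on large blobs
    out = bytearray()
    for x in in_data:
        k1 = (k1 + (k1 >> 3) - 0x56565656) & mask32
        k2 = (k2 + (k2 >> 5) - 0x36363636) & mask32
        k3 = (k3 - (k3 << 7) + 0x57575757) & mask32
        k4 = (k4 - (k4 << 9) - 0x76767677) & mask32
        # low byte of the counter sum is the keystream byte (LOBYTE in the original)
        out.append((x ^ (k1 + k2 + k3 + k4)) & 0xFF)
    return bytes(out)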
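def decrypt(data, start_addr, size):
    """Decrypt the blob at ``data[start_addr:start_addr + size]`` and classify it.

    The blob carries its key in-band: its first little-endian DWORD seeds
    ``dec`` and the whole blob (key bytes included) is run through it.
    If the result looks like a PE image the first 16 bytes are skipped and
    the remainder is LZNT1-decompressed.

    Args:
        data: complete input file contents.
        start_addr: offset of the blob inside ``data``.
        size: blob length in bytes.

    Returns:
        ``(payload, flag)``: ``flag`` is 1 when ``payload`` is a decompressed
        PE image, 0 when it is the raw decrypted bytes.

    Raises:
        ValueError: fewer than 4 bytes are available at ``start_addr`` (the
            original died with an opaque ``struct.error`` here).
        Anything ``lznt1.decompress`` raises on a corrupt or truncated stream
            is propagated unchanged.
    """
    blob = data[start_addr:start_addr + size]
    if len(blob) < 4:
        raise ValueError(
            f"need at least 4 bytes at {start_addr:#x} to read the key, got {len(blob)}"
        )
    key = struct.unpack_from("<I", blob)[0]
    plain = dec(key, blob)
    # Heuristic only: "MZ" and "PE" may occur anywhere in the output, so a
    # plain string blob containing both would be misclassified and fed to
    # lznt1 (which then fails on it).  Tighten if that shows up in practice.
    if b"MZ" in plain and b"PE" in plain:
        # NOTE(review): the 16-byte skip presumably covers a small header in
        # front of the LZNT1 stream; its layout is not visible in this file.
        return lznt1.decompress(plain[16:]), 1
    return plain, 0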
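def _hex_immediate(op_str):
    """Parse a bare capstone immediate operand (``0x..`` / ``-0x..``); else ``None``.

    Memory operands such as ``dword ptr [0x401000]`` also contain ``0x`` but
    are not immediates; ``int()`` on them raised ``ValueError`` in the original.
    """
    try:
        return int(op_str, 16)
    except ValueError:
        return None


def disasm_obfus_call(data, start_addr, print_code=False):
    """Find the next ``push imm32; call rel32`` pair in the loader shellcode.

    Disassembles ``data[start_addr:]`` as 32-bit x86 with the slice based at
    address 0, so every address and call target is relative to ``start_addr``.

    Args:
        data: complete input file contents.
        start_addr: offset to start disassembling at.
        print_code: when True, echo each instruction (file offset, mnemonic,
            operands) to stdout, bracketed by blank lines.

    Returns:
        ``(data_addr, data_size, call_target)``:

        * ``data_addr`` -- file offset just past the matched ``call``
          (``call_addr + start_addr + 5``); the caller treats this as the
          start of the encrypted blob.
        * ``data_size`` -- the pushed immediate.
        * ``call_target`` -- call destination relative to ``start_addr``.

        When a ``ret`` is reached, the buffer ends, or capstone stops on an
        undecodable byte, ``data_size`` and ``call_target`` are 0 and
        ``data_addr`` is ``start_addr + 5``; callers test the two zeros.
    """
    # Local instance: the original stored it as ``capstone.md``, mutating the
    # imported module as a side effect.
    md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
    push_addr = push_val = call_addr = call_sub = 0
    if print_code:
        print()
    for insn in md.disasm(data[start_addr:], 0):
        if print_code:
            print("0x%x:\t%s\t%s" % (insn.address + start_addr, insn.mnemonic, insn.op_str))
        if insn.mnemonic == "ret":
            push_addr = push_val = call_addr = call_sub = 0
            break
        if insn.mnemonic == "push" and "0x" in insn.op_str:
            imm = _hex_immediate(insn.op_str)
            if imm is not None:
                push_addr = insn.address
                push_val = imm
        # ``push imm32`` is 5 bytes, so the matching call must sit exactly 5 bytes later
        elif insn.mnemonic == "call" and insn.address == push_addr + 5 and push_val != 0:
            target = _hex_immediate(insn.op_str)
            if target is not None:  # an indirect call here is not the pattern we want
                call_addr = insn.address
                call_sub = target
                break
    if print_code:
        print()
    return (call_addr + start_addr + 5, push_val, call_sub)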
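def show_data_info(data_addr, data_decrypt, data_flag):
    """Print a short summary of one decrypted blob to stdout.

    For raw data (``data_flag == 0``) lists runs of 4+ printable characters
    found as ASCII and, after a UTF-16 decode, as UTF-16.  For a PE image
    (``data_flag == 1``) only reports that fact.  Any other flag prints nothing.

    Args:
        data_addr: file offset of the blob (printed in hex).
        data_decrypt: decrypted bytes.
        data_flag: 0 = raw bytes, 1 = PE image.
    """
    if data_flag == 1:  # PE file
        print("Data at address %s is a PE file" % hex(data_addr))
        return
    if data_flag != 0:
        return
    print("Data at address %s contain: " % hex(data_addr))
    printable_run = re.compile(b"[\x1f-\x7e]{4,}")
    ascii_strings = printable_run.findall(data_decrypt)
    print(" Ascii string:\n +", "\n + ".join(s.decode() for s in ascii_strings))
    # Decode the blob as UTF-16, re-encode as UTF-8 and reuse the ASCII scan.
    # ``errors="ignore"`` keeps an odd-length or partially garbled blob from
    # aborting the whole report with UnicodeDecodeError (the original crashed).
    utf16_text = data_decrypt.decode("utf-16", errors="ignore").encode()
    utf16_strings = printable_run.findall(utf16_text)
    print(" UTF-16 string:\n +", "\n + ".join(s.decode() for s in utf16_strings))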
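def decrypt_cfg(file_name):
    """Decrypt a whole config file as one blob and write ``<file_name>.dec``.

    The entire file is passed to ``decrypt`` (key in its first DWORD) and a
    string summary is printed via ``show_data_info``.

    Args:
        file_name: path of the encrypted config (e.g. ``std.cfg``).
    """
    # ``with`` closes the handle even if read() raises; the original relied on GC
    with open(file_name, "rb") as f:
        data = f.read()
    print(f"[ # ] Start decrypt {file_name}")
    data_addr = 0
    data_decrypt, data_flag = decrypt(data, data_addr, len(data))
    show_data_info(data_addr, data_decrypt, data_flag)
    # Output lands next to the input.  If it decrypted to a PE image it is a
    # malware payload: keep it inside the analysis environment, never run it.
    with open(f"{file_name}.dec", "wb") as out:
        out.write(data_decrypt)
    print(f"[ + ] Decrypted successfuly {file_name}")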
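def decrypt_dat(file_name):
    """Walk the loader shellcode in ``file_name`` and dump every embedded blob.

    Layout as this parser reads it: a NUL-terminated prefix, then 32-bit x86
    shellcode made of ``push <size>; call <next stub>`` pairs, each followed
    by ``<size>`` bytes of encrypted data.  Each blob is decrypted with
    ``decrypt`` and written next to the input as
    ``<file_name>.<offset>._decompressed.dll`` (PE image) or
    ``<file_name>.<offset>._decrypted.bin`` (raw bytes).  The hex offset is
    part of the name because the original reused one name per type, so
    every blob after the first silently overwrote the previous dump.

    Args:
        file_name: path of the ``.dat`` loader file.

    Raises:
        RuntimeError: the shellcode chain revisits an offset it already
            processed (a zero or backward call target); the original looped
            forever in that case.
    """
    with open(file_name, "rb") as f:
        data = f.read()
    print(f"[ # ] Start decrypt {file_name}")
    # shellcode starts right after the first NUL; 0 if there is none (as before)
    nul = data.find(b"\x00")
    idx = nul + 1 if nul != -1 else 0
    print("Shell code start at %s" % hex(idx))
    visited = set()
    while True:
        if idx in visited:
            raise RuntimeError(f"[ - ] shellcode chain loops back to {idx:#x} in {file_name}")
        visited.add(idx)
        data_addr, data_size, next_stub = disasm_obfus_call(data, idx)
        if data_size == 0 and next_stub == 0:
            break  # ret / end of buffer: no more blobs
        data_decrypt, data_flag = decrypt(data, data_addr, data_size)
        # ``decrypt`` only ever returns flag 0 or 1, so no failure branch is needed
        suffix = "._decompressed.dll" if data_flag == 1 else "._decrypted.bin"
        # Dumped blobs may be executable malware payloads: analysis-sandbox only.
        with open(f"{file_name}.{data_addr:08x}{suffix}", "wb") as out:
            out.write(data_decrypt)
        show_data_info(data_addr, data_decrypt, data_flag)
        idx += next_stub  # call target is relative to the current stub
    print(f"[ + ] Decrypted successfuly {file_name}")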
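if __name__ == "__main__":
    # Entry point guard so importing the module (e.g. to reuse ``dec``) does
    # not start decrypting files.  Defaults are the two artefacts this script
    # was written for; ``script.py CFG DAT`` overrides them.
    if len(sys.argv) >= 3:
        cfg_path, dat_path = sys.argv[1], sys.argv[2]
    else:
        cfg_path, dat_path = "std.cfg", "aross.dat"
    decrypt_cfg(cfg_path)
    decrypt_dat(dat_path)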