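import sys
import re

# Usage: pass the path of the obfuscated batch script as the first argument.
if len(sys.argv) <= 1:
    sys.exit()

scriptpath = sys.argv[1]
with open(scriptpath, 'r') as scriptfile:
    # Strip cmd.exe caret (^) escape characters.
    script = scriptfile.read().replace('^', '')

# The "alphabet" is the value assigned by the first "(set VAR=value&&".
p = re.compile(r'\([Ss][Ee][Tt][^=]+=([^&]+)&&')
s = p.search(script)
if s is not None:
    alphabet = s.group(1)
    # Drop the , + and ; characters before looking for the index list.
    script = re.sub(r'[,\+;]', '', script)
    # The indices are the first parenthesised run of digits and spaces.
    p = re.compile(r'\(([0-9 ]+)\)')
    s = p.search(script)
    if s is not None:
        indices = s.group(1).split()
        # Print the alphabet character at each index, skipping out-of-range ones.
        for i in indices:
            idx = int(i)
            if idx < len(alphabet):
                sys.stdout.write(alphabet[idx])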
@strictlymike

commented Nov 28, 2018

Oh, my... I just found this today while looking for my own script by the same name. Here is my dynamic take on de-DOSfuscation, if you're interested :)

https://github.com/fireeye/flare-qdb/blob/master/flareqdb/scripts/deDOSfuscator.py
https://www.fireeye.com/blog/threat-research/2018/11/cmd-and-conquer-de-dosfuscation-with-flare-qdb.html
