@kernelm0de
Created March 24, 2022 09:54
Colibri Loader Strings
check
ping
32bit
update
%s\SysWOW64\regsrv32.exe
%s\System32\regsrv32.exe
/vpnchecker.php
cmd.exe
powershell.exe -windowstyle hidden
runas
securetunnel.co
%s|%s|%s|%s|%s|%s|%s
/delete /tn COMSurrogate /f
%s\schtasks.exe
Content-Type: application/x-www-form-urlencoded
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
/c %s%s%s %s
/create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr
Software\Microsoft\Windows NT\CurrentVersion
tiktokconnection.com
xlsm
open
HTTP/1.1
ProductName
/c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A %s%s%s
\Microsoft\WindowsApps
1.2.0
n5oluRfrXrvIqMuPrSM8
POST
Get-Variable.exe
dllhost.exe
%08lX%04lX%lu
64bit
%s /s
\WindowsPowerShell
%s\%s
%s:Zone.Identifier
%s?type=%s&uid=%s
%s%s
Unknown
n5nzckfMDTIIs06MPXgWQvXl4RbcXOAW
hkFTxY1TjbpAehkj95fEcCd8CAEfMPBz
%s\rundll32.exe %s,%s
GET
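# IDAPython: decrypt the XOR-encoded string table of the Colibri Loader sample
from ida_bytes import get_dword, get_word

# Address range of the string table in the analyzed sample
config_start = 0x401000
config_end = 0x4012c0

# Each 16-byte entry holds four DWORDs:
# string pointer, string length, key pointer, key length
iterator = config_start
while iterator < config_end:
    result = ""
    string = get_dword(iterator)
    length = get_dword(iterator + 4)
    key = get_dword(iterator + 8)
    key_len = get_dword(iterator + 12)
    i = 0
    while i < length:
        # XOR each 16-bit character with the repeating 16-bit key
        c = get_word(string + i * 2) ^ get_word(key + 2 * (i % key_len))
        result += chr(c & 0xff)  # keep only the low byte of the result
        i += 1
    print(result)
    iterator += 16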