lillypad/stuxnet_stage_1_decryptor.c

## stuxnet_stage_1_decryptor.c
/* Stuxnet First Stage Decryptor (in progress) */

#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

#define PAYLOAD_SIZE 0x79a00

bool unpack_stage_1(char *payload, int payload_size){
  /*
    :TODO: Stuxnet Stage 1 Decryptor
    :payload: pointer to payload
    :payload_size: sizeof(payload) = 0x79a00
  */
  int iter = 0x3cd00;
  for (int i = 0; i < iter; i--){
    for (int j = 0; j < payload_size; j++){
      /*
        ;; this first xor decryptor can be done with bit masking as well
        mov al, %i        ;; store i in last byte of eax
        mov bl, 96        ;; store 0x96 in last byte of ebx
        imul bl           ;; calculated xor key (iterator * 96)
        xor [payload], al ;; xor payload with calculated key
        ;; if we use masking we can get the last byte of the eax value or al
        ;; first xor key = ([0x0-0x79a00] & 0xff) * 0x96
      */
      payload[j] = payload[j] ^ ((j & 0xFF) * 0x96);
    }
    if (i == 0){
      break;
    }
    /*
      lea edx, dword ptr ds:[edi+1]   ;; load size of payload + 1 into edx
      shr edx, 1                      ;; shift the value of edx to the right by one bit
                                      ;; edx is the new offset inside of the .stub
      lea esi, dword ptr ds:[edx+ecx] ;; load the address of .stub + new offset in edx
      mov dl, byte ptr ds:[esi+eax]   ;; move the first byte of the new offset in stub into dl
      xor byte ptr ds:[eax+ecx], dl   ;; xor the byte at stub offset + new offset + iter
      inc eax                         ;; increment iterable
      cmp eax, dword ptr ss:[ebp-4]   ;; check if iterable is equal to outer iter value
      ;; this stage of the decryptor xors part of the payload with itself
      ;; pretty cool shit
    */
    int offset = ((payload_size + 1) >> 1);
    for (int j = 0; j < iter; j++){
      payload[j] = payload[j] ^ payload[offset + j];
    }
    if (i == 0){
      break;
    }
    //decryptor stage 3
  }
  return true;
}
	/* Stuxnet First Stage Decryptor (in progress) */

	#include <stdio.h>
	#include <stdlib.h>
	#include <stdbool.h>

	#define PAYLOAD_SIZE 0x79a00

	bool unpack_stage_1(char *payload, int payload_size){
	/*
	:TODO: Stuxnet Stage 1 Decryptor
	:payload: pointer to payload
	:payload_size: sizeof(payload) = 0x79a00
	*/
	int iter = 0x3cd00;
	for (int i = 0; i < iter; i--){
	for (int j = 0; j < payload_size; j++){
	/*
	;; this first xor decryptor can be done with bit masking as well
	mov al, %i ;; store i in last byte of eax
	mov bl, 96 ;; store 0x96 in last byte of ebx
	imul bl ;; calculated xor key (iterator * 96)
	xor [payload], al ;; xor payload with calculated key
	;; if we use masking we can get the last byte of the eax value or al
	;; first xor key = ([0x0-0x79a00] & 0xff) * 0x96
	*/
	payload[j] = payload[j] ^ ((j & 0xFF) * 0x96);
	}
	if (i == 0){
	break;
	}
	/*
	lea edx, dword ptr ds:[edi+1] ;; load size of payload + 1 into edx
	shr edx, 1 ;; shift the value of edx to the right by one bit
	;; edx is the new offset inside of the .stub
	lea esi, dword ptr ds:[edx+ecx] ;; load the address of .stub + new offset in edx
	mov dl, byte ptr ds:[esi+eax] ;; move the first byte of the new offset in stub into dl
	xor byte ptr ds:[eax+ecx], dl ;; xor the byte at stub offset + new offset + iter
	inc eax ;; increment iterable
	cmp eax, dword ptr ss:[ebp-4] ;; check if iterable is equal to outer iter value
	;; this stage of the decryptor xors part of the payload with itself
	;; pretty cool shit
	*/
	int offset = ((payload_size + 1) >> 1);
	for (int j = 0; j < iter; j++){
	payload[j] = payload[j] ^ payload[offset + j];
	}
	if (i == 0){
	break;
	}
	//decryptor stage 3
	}
	return true;
	}