jz loc_4381B4 | |
xchg eac, [ebp-0Ch] | |
push 053h | |
call sub_408D02 | |
push 050h | |
call sub_408D02 | |
push edx | |
push 8AB4BF9EH | |
push 754A35C1H | |
call sub_41CF77 |
jmp 0x42424242 |
jz loc_4381B4 | |
xchg eac, [ebp-0Ch] | |
push 053h | |
call push_cpu_register ; push ebx | |
push 050h | |
call push_cpu_register ; push eax | |
push edx | |
push 8AB4BF9Eh | |
push 754A35C1h | |
call detour_1 ; call f(8AB4BF9Eh, 754A35C1h) |
void encrypted_memcpy(char *to, char *from, int len) { | |
if (is_in_encrypted_section(to)) { | |
if (is_in_encrypted_section(from)) { | |
memcpy(to, from, len); | |
} else { | |
memcpy_and_encrypt(to, from, len); | |
} | |
} else { | |
if (is_in_encrypted_section(from)) { | |
memcpy_and_decrypt(to, from, len); |
def nymaim_decrypt(self, raw, from_raw, length):
    """Decrypt a region of the sample's encrypted section (key-derivation prologue).

    Only the start of the routine is shown: the caller's raw file offset is
    rebased to a virtual address, and the rolling key is advanced once for
    every 4-byte step between ``self.off`` and that address. The loop that
    actually decrypts ``raw`` (and presumably fills ``r``) follows in the
    original source and is not part of this snippet.

    Args:
        raw: sample bytes; presumably consumed by the code after this snippet.
        from_raw: raw file offset at which decryption starts.
        length: byte count to decrypt; presumably consumed after this snippet.

    Raises:
        RuntimeError: when the rebased start lies before ``self.off``.
    """
    # self.off is a VA (the error text subtracts image_base to report it as a
    # raw offset), so rebase from_raw before comparing.
    from_va = from_raw + self.image_base
    xsize = from_va - self.off
    cur_key = self.key
    if xsize < 0:
        raise RuntimeError("raw too small - min is " + hex(self.off - self.image_base))
    # Appears to target Python 2: under Python 3 ``xsize / 4`` is a float and
    # range() raises TypeError (use ``//`` when porting). The loop is a closed
    # form, (self.key + self.xstep * (xsize // 4)) & 0xffffffff.
    for _ in range(xsize / 4):
        cur_key = (cur_key + self.xstep) & 0xffffffff
    # Accumulator for the decrypted output; unused within the visible lines.
    r = ''
/*
 * Pseudo-C layout of one configuration chunk. Illustrative only: it does
 * not compile because chunk_length is not a constant -- chunks are
 * variable-sized, with data[] running for `length` bytes.
 *
 * NOTE(review): a parser that reads this layout from an untrusted blob must
 * check `length` against the bytes remaining before touching data[].
 */
struct chunk {
    uint32_t type;            /* chunk identifier (presumably the hashed config key) */
    uint32_t length;          /* byte size of data[] */
    char data[chunk_length];  /* payload; presumably chunk_length == length */
}
# Dispatch on the hashed config-field identifier; each trailing comment
# records the value the class constant holds. (``hash`` shadows the
# builtin here -- it is the field id, not a call to hash().)
if hash == self.CFG_URL: # '48c2026b':
    # ';'-separated list; drop empty entries, normalise each to a URL.
    parsed['urls'] += [{'url': append_http(x)} for x in filter(None, map(get_domainc, raw.split(';')))]
elif hash == self.CFG_DGA_HASH: # 'd9aea02a':
    # Raw field is an array of 4-byte values, decoded with uint32().
    parsed['dga_hash'] = [uint32(h) for h in chunks(raw, 4)]
elif hash == self.CFG_DOMAINS: # '095d4b1d':
    # Same split as CFG_URL, but each entry is stored under the 'cnc' key.
    parsed['domains'] += map(lambda x: {'cnc': x}, filter(None, map(get_domainc, raw.split(';'))))
elif hash == self.CFG_ENC_KEY: # '510be622':
    # Stored verbatim; no decoding applied.
    parsed['encryption_key'] = raw
...
╰─$ strings decrypted_nymaim | grep -E "PortMap|upnp" | |
DeletePortMapping | |
urn:schemas-upnp-org:service:WANPPPConnection:1 | |
urn:schemas-upnp-org:device:InternetGatewayDevice:1 | |
GetSpecificPortMappingEntry | |
upnp:rootdevice | |
AddPortMapping | |
AddAnyPortMapping | |
urn:schemas-upnp-org:service:WANIPConnection:1 | |
NewPortMappingDescription |
╰─$ strings decrypted_nymaim | grep -E "nginx" -B 4 | |
HTTP/1.1 200 OK | |
Connection: close | |
Content-Length: %u | |
Content-Type: application/octet-stream | |
Server: nginx/1.9.4 | |
def inner_decrypt(raw, rsa_key):
    """Peel the outer layer of an encrypted blob.

    The trailing 0x40 bytes of ``raw`` are an RSA-encrypted header carrying
    the MD5 of the plaintext, the symmetric key blob and the plaintext
    length; everything before them is the encrypted body. The body is
    decrypted with ``crypto.s_decrypt``, truncated to the declared length
    and checked against the MD5. The snippet ends at the check; the original
    presumably returns the verified plaintext afterwards.

    Args:
        raw: body followed by the 0x40-byte encrypted header.
        rsa_key: key passed to ``rsa_decrypt`` for the header.

    Raises:
        AssertionError: when the MD5 does not match the decrypted body.

    NOTE(review): the integrity check is an ``assert`` and is stripped when
    Python runs with ``-O``; an explicit ``if ... raise`` would survive that.
    """
    header_len = 0x40
    body = raw[:-header_len]
    header = raw[-header_len:]
    plain_header = rsa_decrypt(header, rsa_key)
    # Header layout: 16-byte MD5, 16-byte key blob, 4-byte length.
    md5 = plain_header[:16]
    key_blob = plain_header[16:32]
    declared_len = from_uint32(plain_header[32:36])
    serpent_decrypted = crypto.s_decrypt(body, key_blob)[:declared_len]
    assert md5 == hashlib.md5(serpent_decrypted).digest()