
msm-code / paper.asm.9319e5977756b9581c4ce3f8b6c7c31c
Created October 21, 2016 09:35
paper.asm.9319e5977756b9581c4ce3f8b6c7c31c
; Obfuscated fragment as seen in the disassembler. The same instruction
; sequence appears again on this page with the helper calls resolved:
; there sub_408D02 is labelled push_cpu_register and sub_41CF77 detour_1,
; i.e. the helpers stand in for a plain register push and a call.
jz loc_4381B4
xchg eac, [ebp-0Ch]        ; "eac" is reproduced from the listing (sic)
push 053h                  ; selector consumed by the helper below
call sub_408D02            ; resolved elsewhere on this page as push_cpu_register (push ebx)
push 050h
call sub_408D02            ; same helper, second selector (push eax)
push edx
push 8AB4BF9EH             ; two immediates ...
push 754A35C1H
call sub_41CF77            ; ... passed through a detour to the real callee
msm-code / paper.asm.d8e2b049f81c1c7c57f717b042db6bed
Created October 21, 2016 09:35
paper.asm.d8e2b049f81c1c7c57f717b042db6bed
jmp 0x42424242             ; unconditional jump to a hard-coded absolute target
msm-code / paper.asm.9f309c5f45c3c13cc5004490647f08fd
Created October 21, 2016 09:35
paper.asm.9f309c5f45c3c13cc5004490647f08fd
; Deobfuscated reading of the fragment: each helper call is annotated with
; the single instruction it performs, so the block reduces to
;   push ebx / push eax / push edx, then f(8AB4BF9Eh, 754A35C1h).
jz loc_4381B4
xchg eac, [ebp-0Ch]        ; "eac" is reproduced from the listing (sic)
push 053h                  ; selector for push_cpu_register
call push_cpu_register ; push ebx
push 050h
call push_cpu_register ; push eax
push edx
push 8AB4BF9Eh
push 754A35C1h
call detour_1 ; call f(8AB4BF9Eh, 754A35C1h)
msm-code / paper.cpp.9fe969957d8333124adfd59d98c59b29
Created October 21, 2016 09:35
paper.cpp.9fe969957d8333124adfd59d98c59b29
/*
 * Copy `len` bytes from `from` to `to`, transparently encrypting or
 * decrypting when exactly one end lies inside the encrypted section:
 *   - both ends in the section:        plain memcpy (bytes stay encrypted)
 *   - destination in, source out:      memcpy_and_encrypt
 *   - destination out, source in:      memcpy_and_decrypt
 * Only the start addresses are classified; a range that straddles the
 * section boundary is not split here. The listing is cut off before the
 * final else-branch closes.
 * NOTE(review): `len` is a signed int handed to memcpy; a negative value
 * would be converted to a huge size_t — presumably callers are trusted.
 */
void encrypted_memcpy(char *to, char *from, int len) {
    if (is_in_encrypted_section(to)) {
        if (is_in_encrypted_section(from)) {
            memcpy(to, from, len);              /* both encrypted: no transform */
        } else {
            memcpy_and_encrypt(to, from, len);  /* plaintext -> encrypted section */
        }
    } else {
        if (is_in_encrypted_section(from)) {
            memcpy_and_decrypt(to, from, len);  /* encrypted section -> plaintext */
msm-code / paper.python.3c816792f60044320ba90ebb036db304
Created October 21, 2016 09:35
paper.python.3c816792f60044320ba90ebb036db304
def nymaim_decrypt(self, raw, from_raw, length):
    """Decrypt `length` bytes of `raw` starting at raw offset `from_raw`.

    The rolling key starts at self.key and is advanced by self.xstep once per
    32-bit word between the key-stream origin self.off and the requested
    virtual address. The listing is cut off after `r = ''`, so the actual
    decryption loop (and the use of `length`) is not shown here.
    """
    # raw file offset -> virtual address
    from_va = from_raw + self.image_base
    # byte distance from the key-stream origin
    xsize = from_va - self.off
    cur_key = self.key
    if xsize < 0:
        raise RuntimeError("raw too small - min is " + hex(self.off - self.image_base))
    # Fast-forward the key one step per 32-bit word; a remainder of xsize
    # mod 4 is dropped. Python 2 integer division — under Python 3 this
    # must be `xsize // 4`, otherwise range() raises TypeError.
    for _ in range(xsize / 4):
        cur_key = (cur_key + self.xstep) & 0xffffffff
    r = ''
msm-code / paper.cpp.9649ca87fd3cc81af5e9d904e348f143
Created October 21, 2016 09:35
paper.cpp.9649ca87fd3cc81af5e9d904e348f143
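/*
 * Layout of one chunk: a 4-byte type tag, a 4-byte payload length, then
 * `length` bytes of payload. The payload is declared as a flexible array
 * member (the original sketch wrote `char data[chunk_length]`, which is not
 * valid C for a non-constant size); sizeof(struct chunk) is therefore the
 * 8-byte header and `data` begins at offset 8. When parsing, `length` is
 * read from the data itself and must be checked against the bytes remaining
 * in the buffer before `data` is dereferenced.
 */
struct chunk {
    uint32_t type;    /* chunk type tag */
    uint32_t length;  /* byte length of data[] */
    char data[];      /* `length` bytes of payload */
};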
msm-code / paper.python.de82eb5882f08c4bdbd882bd1eac058f
Created October 21, 2016 09:35
paper.python.de82eb5882f08c4bdbd882bd1eac058f
# Dispatch on `hash` (the trailing comments give the 32-bit literal each
# CFG_* constant stands for). `raw` is the chunk payload taken from the
# decrypted sample, so every field is attacker-controlled input; empty
# entries are dropped by filter(None, ...) and get_domainc is presumably
# the normaliser — confirm. Note that `hash` shadows the builtin.
if hash == self.CFG_URL: # '48c2026b':
    # ';'-separated list -> one {'url': ...} entry per non-empty item
    parsed['urls'] += [{'url': append_http(x)} for x in filter(None, map(get_domainc, raw.split(';')))]
elif hash == self.CFG_DGA_HASH: # 'd9aea02a':
    # payload is a packed array of uint32 values, 4 bytes each
    parsed['dga_hash'] = [uint32(h) for h in chunks(raw, 4)]
elif hash == self.CFG_DOMAINS: # '095d4b1d':
    # same split as CFG_URL, stored as {'cnc': ...} entries without append_http
    parsed['domains'] += map(lambda x: {'cnc': x}, filter(None, map(get_domainc, raw.split(';'))))
elif hash == self.CFG_ENC_KEY: # '510be622':
    parsed['encryption_key'] = raw  # stored verbatim
...
msm-code / paper.unk.36ceda36e9be4e2c33450c45cca7dd3e
Created October 21, 2016 09:35
paper.unk.36ceda36e9be4e2c33450c45cca7dd3e
╰─$ strings decrypted_nymaim | grep -E "PortMap|upnp"
DeletePortMapping
urn:schemas-upnp-org:service:WANPPPConnection:1
urn:schemas-upnp-org:device:InternetGatewayDevice:1
GetSpecificPortMappingEntry
upnp:rootdevice
AddPortMapping
AddAnyPortMapping
urn:schemas-upnp-org:service:WANIPConnection:1
NewPortMappingDescription
msm-code / paper.unk.b15cdefe7c7ddf047ea537cc68fd66a5
Created October 21, 2016 09:35
paper.unk.b15cdefe7c7ddf047ea537cc68fd66a5
╰─$ strings decrypted_nymaim | grep -E "nginx" -B 4
HTTP/1.1 200 OK
Connection: close
Content-Length: %u
Content-Type: application/octet-stream
Server: nginx/1.9.4
msm-code / paper.python.fd38e71c7996d21488ca07737dd4dc15
Created October 21, 2016 09:35
paper.python.fd38e71c7996d21488ca07737dd4dc15
def inner_decrypt(raw, rsa_key):
    """Decrypt one blob whose last 0x40 bytes are an RSA-encrypted header.

    The decrypted header carries the MD5 of the plaintext, a 16-byte key
    blob for crypto.s_decrypt (Serpent, going by the variable names) and the
    plaintext length; everything before the header is the encrypted body.
    The listing is cut off after the integrity check, so the return value
    is not shown here.
    """
    # trailer = RSA-encrypted header, everything before it = encrypted body
    encrypted_header, encrypted_data = raw[-0x40:], raw[:-0x40]
    decrypted_data = rsa_decrypt(encrypted_header, rsa_key)
    md5 = decrypted_data[0:16]                    # expected digest of the plaintext
    blob = decrypted_data[16:32]                  # key material for s_decrypt
    length = from_uint32(decrypted_data[32:36])   # plaintext length; output is cut to it
    serpent_decrypted = crypto.s_decrypt(encrypted_data, blob)[:length]
    # NOTE(review): the integrity check is an `assert`, which is stripped
    # when Python runs with -O; raising explicitly would keep it in place.
    assert md5 == hashlib.md5(serpent_decrypted).digest()