Skip to content

Instantly share code, notes, and snippets.

@nurpabuccu
Created June 4, 2021 14:44
Show Gist options
  • Save nurpabuccu/ac3fe35720d13890c0cc5317acf12a82 to your computer and use it in GitHub Desktop.
Save nurpabuccu/ac3fe35720d13890c0cc5317acf12a82 to your computer and use it in GitHub Desktop.
Cerberus payload base64+rc4 decrypt
# This script can be used for malware samples that used Base64+RC4.
# python3 rc4_decrypt.py <key> <base64-ciphertext>
import codecs
import base64
import sys
key = sys.argv[1]
c = base64.b64decode(sys.argv[2])
def KSA(key):
S = list(range(256))
j = 0
for i in range(256):
j = (j + S[i] + key[i % len(key)]) % 256
S[i], S[j] = S[j], S[i] # swap values
return S
def PRGA(S):
i = 0
j = 0
while True:
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i], S[j] = S[j], S[i]
K = S[(S[i] + S[j]) % 256]
yield K
def encrypt_logic(key, text):
key = [ord(c) for c in key]
keystream = PRGA(KSA(key))
res = []
for c in text:
val = ("%02x" % (c ^ next(keystream))) # XOR and taking hex
res.append(val)
return ''.join(res)
def encrypt(key, plaintext):
plaintext = [ord(c) for c in plaintext]
return encrypt_logic(key, plaintext)
def decrypt(key, ciphertext):
ciphertext = codecs.decode(ciphertext, 'hex_codec')
res = encrypt_logic(key, ciphertext)
return codecs.decode(res, 'hex_codec').decode('utf-8')
decrypted = decrypt(key, c)
print(decrypted)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment