Created
January 12, 2024 10:16
Coper Malware Family String Decryption
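class StringDecryptor:
    """Decrypt hex-encoded strings with the RC4 stream cipher.

    ``initialize_sbox`` is the standard RC4 key schedule (KSA) and
    ``process_decryption`` is the standard RC4 keystream generator (PRGA)
    XORed over the input. The page presents this as the string decryption
    used by the Coper malware family.

    The cipher state is kept on the instance, so consecutive
    ``decrypt_string`` calls continue the same keystream. Call ``reset()``
    to return to the state that follows key setup.
    """

    def __init__(self, key):
        """Store *key* as bytes (one byte per character) and set up the cipher.

        ``bytearray.extend`` rejects values above 255, so a key with
        characters outside that range raises ``ValueError``.
        """
        self.key_bytes = bytearray()
        self.key_bytes.extend(map(ord, key))
        self.reset()

    def initialize_sbox(self, key_bytes):
        """Return a fresh 256-entry permutation derived from *key_bytes*.

        Raises:
            ValueError: if *key_bytes* is empty; the schedule indexes the key
                modulo its length, which would otherwise divide by zero.
        """
        if not key_bytes:
            raise ValueError("RC4 key must not be empty")
        sbox = list(range(256))
        key_length = len(key_bytes)
        j = 0
        for i in range(256):
            j = (j + sbox[i] + key_bytes[i % key_length]) % 256
            self.swap_values(i, j, sbox)
        return sbox

    def swap_values(self, i, j, sbox):
        """Exchange entries *i* and *j* of *sbox* in place."""
        sbox[i], sbox[j] = sbox[j], sbox[i]

    def decrypt_string(self, encrypted_string):
        """Decrypt a hex string and return the plaintext as a ``bytearray``.

        Raises:
            ValueError: if *encrypted_string* has an odd number of characters
                or contains a character that is not a hexadecimal digit.
        """
        return self.process_decryption(self.convert_to_bytes(encrypted_string))

    def process_decryption(self, byte_array):
        """XOR *byte_array* with the next ``len(byte_array)`` keystream bytes.

        Advances ``current_index`` and ``sbox1`` and permutes ``sbox2``, so
        the result depends on how many bytes were processed since the last
        ``reset()``.
        """
        state = self.sbox2
        output = bytearray(len(byte_array))
        for position, cipher_byte in enumerate(byte_array):
            # RC4 PRGA step: i = i + 1, j = j + S[i], swap S[i] and S[j].
            self.current_index = (self.current_index + 1) % 256
            self.sbox1 = (self.sbox1 + state[self.current_index]) % 256
            self.swap_values(self.current_index, self.sbox1, state)
            keystream_byte = state[
                (state[self.current_index] + state[self.sbox1]) % 256
            ]
            output[position] = keystream_byte ^ cipher_byte
        return output

    def convert_to_bytes(self, input_string):
        """Decode a string of hex digit pairs into a ``bytearray``.

        Raises:
            ValueError: on odd length (the final digit would have no partner)
                or on a non-hexadecimal character.
        """
        length = len(input_string)
        if length % 2:
            raise ValueError(
                f"hex string must have an even number of digits, got {length}"
            )
        return bytearray(
            (int(input_string[i], 16) << 4) + int(input_string[i + 1], 16)
            for i in range(0, length, 2)
        )

    def reset(self):
        """Rebuild the cipher state from the stored key."""
        # Despite its name, sbox2 is the RC4 permutation table ...
        self.sbox2 = self.initialize_sbox(self.key_bytes)
        # ... current_index is the PRGA counter i ...
        self.current_index = 0
        # ... and sbox1 is the PRGA index j (an int, not a table).
        self.sbox1 = 0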
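# Interactive driver: read one hex-encoded ciphertext per line and print the
# decrypted text. The key is the hard-coded one this script was written for.
decryptor = StringDecryptor("b0q1yASlv3LfRmNHA4IZpPvLhuwo")

# NOTE(review): the keystream position carries over from one input to the
# next because reset() is never called here. If the sample encrypts each
# string from a fresh cipher state, every input after the first will decrypt
# to garbage; call decryptor.reset() before each decrypt_string in that case.
# Confirm against the sample.
# NOTE(review): decrypted text originates from the analysed sample and is
# written to the terminal unmodified; consider printing repr() of it if the
# output may contain terminal control sequences.
try:
    while True:
        hex_text = input('> ').strip()
        try:
            plain = decryptor.decrypt_string(hex_text)
        except ValueError as err:
            # Malformed hex is rejected before any keystream is consumed, so
            # the cipher state is unchanged and the prompt can continue.
            print(f"invalid hex input: {err}")
            continue
        try:
            print(plain.decode('utf-8'))
        except UnicodeDecodeError:
            # Wrong key, wrong keystream position or binary data: show the raw
            # bytes instead of aborting the session.
            print(f"not valid UTF-8, raw bytes: {plain.hex()}")
except (KeyboardInterrupt, EOFError):
    # Ctrl-C or end of input ends the session with a success status.
    raise SystemExit(0)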