qbot sxor_3 double decode
# stager 1 versions (sxor_3)
def decode_data4(data):
    """Decode a stager-1 (sxor_3) blob.

    The outer layer is RC4 with a key derived as the SHA-1 digest of a fixed
    string. The first 20 bytes of the RC4 plaintext are dropped and the
    remainder is handed to qbot_helpers.qbot_decode for the inner
    (old-school) decode.

    Args:
        data: the raw stager blob (bytes).

    Returns:
        Whatever qbot_helpers.qbot_decode returns for the inner blob.
    """
    key_material = b'bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN'
    cipher = ARC4.new(hashlib.sha1(key_material).digest())
    outer_plain = cipher.decrypt(data)
    # 20 is the SHA-1 digest size; the skipped prefix is presumably a digest
    # of the payload — not verified here (TODO confirm against samples).
    return qbot_helpers.qbot_decode(outer_plain[20:])
# qbot_decode is just the old-school Qakbot decode:
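def qbot_decode(data):
    """Decode a classic ("old-school") Qakbot blob.

    Layout as implemented here: the first 20 bytes of ``data`` are the RC4
    key and the rest is RC4 ciphertext. After decryption the first 20 bytes
    of the plaintext are skipped; the remainder is returned as-is unless it
    contains the ``qbot_hdr`` marker, in which case it is passed through
    ``qbot_decompress`` first.

    Args:
        data: the raw blob (bytes), at least 40 bytes long.

    Returns:
        The decrypted (and, when marked, decompressed) payload.

    Raises:
        ValueError: if ``data`` is too short to hold the RC4 key plus the
            20-byte plaintext prefix. The original silently returned an empty
            payload for such truncated input, which hid corrupt samples.
    """
    if len(data) < 40:
        raise ValueError(
            "qbot_decode: blob too short ({} bytes, need at least 40)".format(len(data))
        )
    rc4_key = data[:20]
    plaintext = ARC4.new(rc4_key).decrypt(data[20:])
    # 20 is the SHA-1 digest size; the skipped prefix is presumably a digest
    # of the payload. Checking it would be a cheap integrity test for
    # mis-keyed or corrupted samples — confirm against samples before enforcing.
    payload = plaintext[20:]
    if qbot_hdr in payload:
        return qbot_decompress(payload)
    return payload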
# The C2 list now also carries an extra flag byte after each C2 node, instead of just the preceding type value
def parse_c2(data):
    """Render a decoded C2 table as a comma-separated string.

    The record size is inferred from the total length: a length divisible by
    7 is read as ``type | a.b.c.d:port`` records (``>BBBBBH``); otherwise a
    length divisible by 8 is read as the newer ``type | a.b.c.d:port | flag``
    records (``>BBBBBHB``). Any other length yields an empty string.

    Note that the 7-byte layout takes precedence, so a table whose length is
    divisible by both (a multiple of 56 bytes) is always parsed as 7-byte
    records — callers that know the sample's format should check that case.

    Args:
        data: the decoded C2 table (bytes).

    Returns:
        One rendered record per entry, joined with ','; "" when the length
        matches neither layout or ``data`` is empty.
    """
    total = len(data)
    if total % 7 == 0:
        entries = [
            "{} | {}.{}.{}.{}:{}".format(*rec)
            for rec in struct.iter_unpack('>BBBBBH', data)
        ]
    elif total % 8 == 0:
        entries = [
            "{} | {}.{}.{}.{}:{} | {}".format(*rec)
            for rec in struct.iter_unpack('>BBBBBHB', data)
        ]
    else:
        entries = []
    return ','.join(entries)