usualsuspect/parse_instructions.py

## parse_instructions.py
#!/usr/bin/env python3
# Cobalt Strike Malleable C2 instruction parser
import struct
import sys

def read_int(f):
    data = f.read(4)
    if not data:
        return None
    return struct.unpack(">I",data)[0]

def parse(ins_item):
    f = open(ins_item,"rb")

    while True:
        op = read_int(f)
        if not op:
            break

        if op <= 8:
            if op == 1:
                l = read_int(f)
                print("Remove %d chars at the end" % l)
            elif op == 2:
                l = read_int(f)
                print("Remove %d chars from the beginning" % l)
            elif op == 3:
                print("Base64 decode")
            else:
                continue
        elif op == 13:
            print("Base64 URL-safe decode")
        elif op == 8:
            print("NetBIOS Encode 'a'")
        elif op == 11:
            print("NetBIOS Encode 'A'")
        elif op == 15:
            print("XOR mask w/ random key")

parse(sys.argv[1])
	#!/usr/bin/env python3
	# Cobalt Strike Malleable C2 instruction parser
	import struct
	import sys

	def read_int(f):
	data = f.read(4)
	if not data:
	return None
	return struct.unpack(">I",data)[0]

	def parse(ins_item):
	f = open(ins_item,"rb")

	while True:
	op = read_int(f)
	if not op:
	break

	if op <= 8:
	if op == 1:
	l = read_int(f)
	print("Remove %d chars at the end" % l)
	elif op == 2:
	l = read_int(f)
	print("Remove %d chars from the beginning" % l)
	elif op == 3:
	print("Base64 decode")
	else:
	continue
	elif op == 13:
	print("Base64 URL-safe decode")
	elif op == 8:
	print("NetBIOS Encode 'a'")
	elif op == 11:
	print("NetBIOS Encode 'A'")
	elif op == 15:
	print("XOR mask w/ random key")

	parse(sys.argv[1])