

xorhex / theme.css
Created December 17, 2022 17:16
IDA - UI Candy
/* Credit for this template goes to Hex-Rays support:
   https://hex-rays.com/products/ida/news/8_2/
   Replace /path/to/picture.png with an absolute path to a local image before
   loading the theme. Note that `background-repeat: none` is not a value Qt
   style sheets accept; use `no-repeat` if the image should not tile. */
CustomIDAMemo
{
qproperty-line-bg-default: rgba(0, 0, 0, 0.0);
background: white url(/path/to/picture.png);
background-attachment: fixed;
background-repeat: none;
background-position: bottom right;
xorhex / go_macho.yar
Created October 15, 2022 02:47
Look for Go build ID in Macho X86_64 Files
import "macho"
rule is_go_macho {
strings:
$go = { ff 20 47 6f 20 62 75 69 6c 64 20 49 44 3a 20 22 } // \xff Go build ID: \"
condition:
macho.cputype == macho.CPU_TYPE_X86_64
and
for any s in macho.segments : (
rule CallOverString
{
strings:
$imp_1 = "LoadLibraryA"
$imp_2 = "WinHttpOpen"
condition:
for any of ($imp_*) : (
// The byte 5 before the match should be 0xE8, the opcode of a 5-byte `call rel32`:
// the string sits directly after a call instruction (the "call over string" trick,
// which typically leaves the string's address on the stack as the return address).
xorhex / Dockerfile
Last active December 6, 2021 00:10
YARA Console Branch - Docker
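# Build/test environment for YARA (the clone and build steps are not part of
# this excerpt).  Everything after the setup below runs as the unprivileged
# `yara` user, so rules and the samples under /home/yara/malware are never
# handled as root.
FROM debian:bookworm-slim

# apt-get rather than apt (apt warns that its CLI is not stable for scripts),
# no recommended packages, and the package lists removed so they are not
# baked into the image layer.
RUN apt-get update \
 && apt-get -y upgrade \
 && apt-get install -y --no-install-recommends \
        git automake libtool make gcc pkg-config \
        libssl-dev libjansson-dev libmagic-dev bash \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*

# Fixed uid/gid so bind-mounted rule and sample directories get predictable
# ownership.  Steps are chained with && (not ;) so a failed group/user
# creation fails the build instead of leaving USER below pointing at a
# missing account.  --uid is the documented long option (the original used
# the single-dash form, which adduser happens to accept).
RUN addgroup --gid 1835 yara \
 && adduser --system --uid 1835 --gid 1835 --home /home/yara --shell /bin/bash yara

# app = checkout/build tree, rules = YARA rules, malware = samples to scan.
# mkdir -p does not depend on adduser having created /home/yara.
RUN mkdir -p /home/yara/app /home/yara/rules /home/yara/malware \
 && chown -R yara:yara /home/yara

# Drop privileges for every later instruction and for the running container.
USER yara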
ups0:004011B0
ups0:004011B0 ; =============== S U B R O U T I N E =======================================
ups0:004011B0
ups0:004011B0 ; Attributes: bp-based frame
ups0:004011B0
ups0:004011B0 ; int __cdecl sub_4011B0(char *Str)
ups0:004011B0 sub_4011B0 proc near ; CODE XREF: _main+3Bp
ups0:004011B0
ups0:004011B0 var_38 = dword ptr -38h
ups0:004011B0 counter = dword ptr -34h
$python keyfinder.py
key: 0x8c var_38: 0x0
Found answer for: 0x8c : P
key: 0xf1 var_38: 0x8c
Found answer for: 0xf1 : A
key: 0x53 var_38: 0x17d
Found answer for: 0x53 : N
key: 0xa3 var_38: 0x1d0
Found answer for: 0xa3 : {
key: 0x8 var_38: 0x273
#!/usr/bin/env python
import string
# Recovered characters are appended here by the search loop.
secret = []

# Key bytes read out of the target's comparison table, kept as '0x..' strings
# because that is the form the rest of the script consumes.  hex() produces
# the same short lowercase spelling the original literal list used
# (e.g. '0x8', '0xc'), so nothing downstream changes.
keys = [hex(b) for b in (
    0x8C, 0xF1, 0x53, 0xA3, 0x08, 0xD7, 0xDC, 0x48,
    0xDB, 0x0C, 0x3A, 0xEE, 0x15, 0x22, 0xC4, 0xE5,
    0xC9, 0xA0, 0xA5, 0x0C, 0xD3, 0xDC, 0x51, 0xC7,
    0x39, 0xFD, 0xD0, 0xF8, 0x3B, 0xE8, 0xCC, 0x03,
    0x06, 0x43, 0xF7, 0xDA, 0x7E, 0x65, 0xAE, 0x80,
)]
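def hash(var_38, test_char):
    """Recompute the per-character check value the target compares against a key byte.

    The disassembled routine (presumably sub_4011B0 from the listing) mixes each
    input character with a running accumulator ``var_38`` and compares the
    result with the next key byte; this re-implements that transform so each key
    byte can be brute-forced back to the character that produced it.  From the
    recorded run, ``var_38`` is the running sum of the key bytes consumed so far
    (0x8c, 0x17d, 0x1d0, ...); only its low byte takes part here.

    Args:
        var_38: running accumulator; may be passed unmasked, the low byte is used.
        test_char: candidate character, either a one-character ``str`` or an
            int code point (0-255).

    Returns:
        int in 0..255: ``(var_38 ^ f(test_char)) & 0xFF`` where ``f`` applies
        ``^ 0x33``, ``+ 0x44``, ``^ 0x55``, ``- 0x66`` with byte wrap-around at
        each step.

    Note:
        The name shadows the builtin ``hash``; it is kept because the search
        loop in this script calls it by this name.
    """
    c = test_char if isinstance(test_char, int) else ord(test_char)
    t = (c ^ 0x33) & 0xFF
    t = (t + 0x44) & 0xFF
    t = (t ^ 0x55) & 0xFF
    # The subtraction can go negative for small t; masking wraps it to a byte,
    # matching the 8-bit arithmetic in the target.
    t = (t - 0x66) & 0xFF
    return ((var_38 & 0xFF) ^ t) & 0xFF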
keys = ['0x8c', '0xf1', '0x53', '0xa3', '0x8', '0xd7', '0xdc', '0x48', '0xdb', '0xc', '0x3a', '0xee', '0x15', '0x22', '0xc4', '0xe5', '0xc9', '0xa0', '0xa5', '0xc', '0xd3', '0xdc', '0x51', '0xc7', '0x39', '0xfd', '0xd0', '0xf8', '0x3b', '0xe8', '0xcc', '0x3', '0x6', '0x43', '0xf7', '0xda', '0x7e', '0x65', '0xae', '0x80']
def hash(var_38, test_char):
return ((var_38 & 0xff) ^ (((((((ord(test_char) ^ 0x33) & 0xFF) + 0x44) & 0xFF) ^ 0x55) & 0xFF) - 0x66) & 0xFF) & 0xF
/* Import-by-name entry referenced from a PE import lookup / address table
 * (winnt.h layout).  Per the PE format, Hint is the exporter's suggested
 * index into its export name table and Name is a NUL-terminated ASCII import
 * name.  Name[1] is the pre-C99 flexible-array idiom: the string continues
 * past the end of the struct, so sizeof(IMAGE_IMPORT_BY_NAME) does NOT bound
 * it.  When walking an untrusted PE, limit the name read to the enclosing
 * section/file size instead of trusting a terminator to be present. */
typedef struct _IMAGE_IMPORT_BY_NAME {
WORD Hint; /* export name table index hint (lookup falls back to a name search) */
BYTE Name[1]; /* first byte of the variable-length, NUL-terminated import name */
} IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME;