├── README.md ├── LICENSE └── azok.go /README.md: -------------------------------------------------------------------------------- 1 | # Azorult Key Finder 2 | Brute-force script for finding azorult XOR key. 3 | 4 | ## Usage 5 | ``` 6 | go build azok.go 7 | ./azok -t 100 -f malware_request.txt 8 | ``` -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Ege Balcı 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
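// Command azok recovers the 3-byte XOR key used to encode an Azorult request
// capture: it tries the known default key first, then brute-forces the whole
// 256^3 keyspace, stopping at the first candidate whose decryption contains
// one of the marker strings in knownStrings.
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"flag"
	"fmt"
	"io/ioutil"
	"log"
	"os"
	"runtime"
	"strings"
	"sync"

	"github.com/fatih/color"
	pb "gopkg.in/cheggaaa/pb.v1"
)

const (
	// keyLen is the XOR key width in bytes; every candidate is keyLen bytes.
	keyLen = 3
	// keySpace is the number of distinct keyLen-byte keys (256^keyLen).
	// The previous loop stopped at 255^3 = 16581375 and silently skipped the
	// keys 0xFD0300..0xFFFFFF; the full range is covered now.
	keySpace = 1 << (8 * keyLen)
	// sampleLen bounds how much of the input is decrypted per candidate;
	// XOR-ing the whole file 16M times would be needlessly slow.
	sampleLen = 3000
)

// defaultKey is the key tried before brute-forcing.
var defaultKey = []byte{0x03, 0x55, 0xae}

// knownStrings are substrings expected in a correctly decrypted request. The
// two GUID-like values look like fixed Azorult identifiers; the remaining
// words are generic and can also match unrelated plaintext, so a reported
// key is worth confirming with -d. Package-level so the ~16M check calls do
// not rebuild the slice.
var knownStrings = []string{
	"353E77DF-928B-4941-A631-512662F0785A3061-4E40-BBC2-3A27F641D32B-54FF-44D7-85F3-D950F519F12F",
	"DV8CF101-053A-4498-98VA-EAB3719A088W-VF9A8B7AD-0FA0-4899-B4RD-D8006738DQCD",
	"Windows",
	"Microsoft",
	"System",
	"MachineID",
	"Computer",
}

// knownMarkers is knownStrings as byte slices, built once so the hot loop
// does not convert each marker on every candidate key.
var knownMarkers = func() [][]byte {
	out := make([][]byte, len(knownStrings))
	for i, s := range knownStrings {
		out[i] = []byte(s)
	}
	return out
}()

func main() {
	runtime.GOMAXPROCS(runtime.NumCPU())
	banner()

	fileName := flag.String("f", "", "Azorult request file")
	threads := flag.Int("t", 10, "Number of threads")
	dump := flag.Bool("d", false, "Dump the request content once decrypted")
	flag.Parse()

	// -f is mandatory; the old len(os.Args) check let "-t 5" through and then
	// died inside ReadFile("").
	if *fileName == "" {
		flag.PrintDefaults()
		os.Exit(1)
	}
	if *threads < 1 {
		*threads = 1 // zero or negative workers would never cover the keyspace
	}

	rawFile, err := ioutil.ReadFile(*fileName)
	if err != nil {
		log.Fatalf("Error while opening file: %s", err)
	}
	if len(rawFile) == 0 {
		log.Fatalf("Error: %s is empty, nothing to decrypt", *fileName)
	}

	// Only the first sampleLen bytes are decrypted per candidate. The file
	// should hold just the encoded request body: XOR with key 0x000000 is the
	// identity, so any plaintext marker (e.g. "Windows" in an HTTP header)
	// would make the very first candidate look like a hit.
	sample := rawFile
	if len(sample) > sampleLen {
		sample = sample[:sampleLen]
	}

	print("First trying default key...", "*")
	if data := xor(sample, defaultKey); check(string(data)) {
		report(defaultKey, data, *dump)
		os.Exit(0)
	}

	fmt.Println("")
	progressBar := pb.New(keySpace)
	progressBar.SetWidth(80)
	progressBar.Start()

	// Each worker takes every stride-th key starting at its own offset, which
	// splits the keyspace without the 66 MB buffered channel the previous
	// version filled serially before any work started.
	stride := *threads
	var wg sync.WaitGroup
	for w := 0; w < stride; w++ {
		wg.Add(1)
		go func(first int) {
			defer wg.Done()
			k := make([]byte, 4)             // big-endian counter; k[1:] is the 3-byte candidate
			buf := make([]byte, len(sample)) // reused across keys: no 3000-byte alloc per candidate
			for key := first; key < keySpace; key += stride {
				binary.BigEndian.PutUint32(k, uint32(key))
				xorInto(buf, sample, k[1:])
				if containsMarker(buf) {
					progressBar.Finish()
					fmt.Println("")
					report(k[1:], buf, *dump)
					os.Exit(0) // first hit wins; the other workers die with the process
				}
				progressBar.Increment()
			}
		}(w)
	}
	wg.Wait()
	progressBar.Finish()
	fmt.Println("")
	print("End of keyspace :( ", "-")
}

// report prints a recovered key and, when dump is set, the decrypted sample
// that matched.
func report(key, data []byte, dump bool) {
	print("Key Found !", "+")
	print(xxd(key)+"\n", "+")
	if dump {
		fmt.Println("\n\n" + string(data))
	}
}

// check reports whether data contains any of knownStrings. Kept for callers
// holding a string; the brute-force loop uses containsMarker on raw bytes.
func check(data string) bool {
	return containsMarker([]byte(data))
}

// containsMarker reports whether data holds any of knownMarkers. It works on
// bytes so the hot loop never converts the decrypted sample to a string.
func containsMarker(data []byte) bool {
	for _, m := range knownMarkers {
		if bytes.Contains(data, m) {
			return true
		}
	}
	return false
}

// print writes str to stdout behind a colored status tag. status selects the
// tag: "*" info, "+" success, "-" failure, "!" warning; "**" is the info tag
// without a trailing newline (for an inline follow-up). Any other status
// prints nothing. The name shadows the builtin print and is kept for
// compatibility with the rest of the file.
func print(str string, status string) {
	red := color.New(color.FgRed).Add(color.Bold)
	yellow := color.New(color.FgYellow).Add(color.Bold)
	green := color.New(color.FgGreen).Add(color.Bold)

	switch status {
	case "*":
		yellow.Print("[*] ")
		fmt.Println(str)
	case "+":
		green.Print("[+] ")
		fmt.Println(str)
	case "-":
		red.Print("[-] ")
		fmt.Println(str)
	case "!":
		red.Print("[!] ")
		fmt.Println(str)
	case "**":
		yellow.Print("[*] ")
		fmt.Print(str)
	}
}

// xxd renders data as a comma-separated list of 0x-prefixed bytes, twelve per
// line. The original wrote `i+1%12`, which is i+(1%12) and never zero, so the
// line break was never emitted; the intended (i+1)%12 is used here.
func xxd(data []byte) string {
	var b strings.Builder
	for i, v := range data {
		fmt.Fprintf(&b, "0x%02X", v)
		if i != len(data)-1 {
			b.WriteString(", ")
		}
		if (i+1)%12 == 0 {
			b.WriteByte('\n')
		}
	}
	return b.String()
}

// xor returns data XOR-ed with key repeated cyclically. An empty key leaves
// the data unchanged instead of panicking on the modulo.
func xor(data []byte, key []byte) []byte {
	out := make([]byte, len(data))
	xorInto(out, data, key)
	return out
}

// xorInto writes data XOR-ed with the cyclic key into dst, which must be at
// least len(data) bytes. An empty key copies data through unchanged.
func xorInto(dst, data, key []byte) {
	if len(key) == 0 {
		copy(dst, data)
		return
	}
	for i, b := range data {
		dst[i] = b ^ key[i%len(key)]
	}
}

// banner prints the ASCII-art header and author line.
func banner() {
	red := color.New(color.FgRed).Add(color.Bold)
	blue := color.New(color.FgBlue).Add(color.Bold)
	green := color.New(color.FgGreen).Add(color.Bold)
	// The input is a compile-time constant that is valid base64, so the decode
	// error cannot occur and is deliberately ignored.
	banner, _ := base64.StdEncoding.DecodeString("CiAgICAgX19fXyAgX19fXyAgX19fXyAgXyAgX18KICAgIC8gIF8gXC9fICAgXC8gIF8gXC8gfC8gLwogICAgfCAvIFx8IC8gICAvfCAvIFx8fCAgIC8gCiAgICB8IHwtfHwvICAgL198IFxfL3x8ICAgXCAKICAgIFxfLyBcfFxfX19fL1xfX19fL1xffFxfXAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PSAgICAgICAgICAgICAgICAgICAgICAgIAoK")
	red.Print(string(banner))
	blue.Print("# Author: ")
	green.Println("Ege Balcı")
	fmt.Println("") // Line feed
}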