├── Andromeda └── Andromeda Removal.py ├── AterAgenMSI └── MSI config.py ├── Baber_Malware └── Baber Malware Decryptor.py ├── Domino-BackDoor └── C2 Decryptor.py ├── Emotet └── Emotet C2 Extractor.py ├── ICEDID └── Decryptor.py ├── NoEscape Ransomware └── NoEscape Decryptor.py ├── Qbot ├── Config Extractor.py ├── Decrypt_Rename_API.py ├── Full Config and Commentor in IDA.py ├── Hooked_APIS By Qbot .py ├── Qbot Second Config_Extractor.py └── lol ├── Qbot_Dec_2023 ├── Config_Extractor.py ├── Decrypter.ipynb └── README.md ├── README.md ├── Smoke Loader ├── 3 Stage Config Extractor.py ├── README.md └── Smoke Loader Deobfuscator.py └── Stealc Stealer ├── Config Decryptor.py ├── Rename and Comment in IDA.py └── pass and decrypt.py /Andromeda/Andromeda Removal.py: -------------------------------------------------------------------------------- 1 | import os 2 | import winreg 3 | #for key, value in os.environ.items(): 4 | #print(f"{key} = {value}") 5 | registry_key_1 = winreg.HKEY_LOCAL_MACHINE 6 | registry_key_2 = winreg.HKEY_CURRENT_USER 7 | keys = [r"SOFTWARE\MICROSOFT" ,r"SOFTWARE\MICROSOFT\WINDOWS NT\CURRENT VERSION\WINDOWS"] 8 | value_name="load" 9 | for key_path in keys: 10 | try: 11 | key=winreg.OpenKey(registry_key_2,key_path,0,winreg.KEY_READ | winreg.KEY_WRITE) 12 | 13 | try: 14 | value , data_type = winreg.QueryValueEx(key,value_name) 15 | print(f"{value_name} exists and its value is {value}") 16 | winreg.DeleteValue(key,value_name) 17 | print(f"{value_name} has been deleted.") 18 | 19 | except FileNotFoundError: 20 | print(f"{value_name} does not exist in the registry.") 21 | except FileNotFoundError: 22 | print(f"The specified key was not found.") 23 | except Exception as e: 24 | print(f" Error:{e}") 25 | 26 | for key_path in keys: 27 | try: 28 | key=winreg.OpenKey(registry_key_1,key_path,0,winreg.KEY_READ | winreg.KEY_WRITE) 29 | 30 | try: 31 | value , data_type = winreg.QueryValueEx(key,value_name) 32 | print(f"{value_name} exists and its value is {value}") 33 | winreg.DeleteValue(key,value_name) 34 | print(f"{value_name} has been deleted.") 35 | 36 | except FileNotFoundError: 37 | print(f"{value_name} does not exist in the registry.") 38 | except FileNotFoundError: 39 | print(f"The specified key was not found.") 40 | except Exception as e: 41 | print(f" Error:{e}") 42 | 43 | 44 | variable_name="SRC" 45 | variable_value=os.environ.get(variable_name) 46 | print(variable_value) 47 | if variable_value is not None: 48 | if os.path.isfile(variable_value): 49 | try: 50 | os.remove(variable_value) 51 | print(f"File {variable_value} has been removed") 52 | except Exception as e: 53 | print(F"Error Deleting the File :{e}") 54 | 55 | else: 56 | print(f"{variable_value} is not a valid file path.") 57 | else: 58 | print(f"{variable_name} is not defined in the environment.") 59 | -------------------------------------------------------------------------------- /AterAgenMSI/MSI config.py: -------------------------------------------------------------------------------- 1 | import msilib 2 | import json 3 | 4 | def extract_table_to_json(msi_path, table_name): 5 | db = msilib.OpenDatabase(msi_path, msilib.MSIDBOPEN_READONLY) 6 | view = db.OpenView(f"SELECT * FROM `{table_name}`") 7 | view.Execute(None) 8 | 9 | # Fetch column names 10 | columns_view = db.OpenView(f"SELECT * FROM `_Columns` WHERE `Table`='{table_name}'") 11 | columns_view.Execute(None) 12 | columns = [] 13 | record = columns_view.Fetch() 14 | while record: 15 | columns.append(record.GetString(2)) 16 | record = columns_view.Fetch() 17 | 18 | # Create a list of dictionaries to store table data 19 | data = [] 20 | record = view.Fetch() 21 | while record: 22 | row = {columns[i]: record.GetString(i + 1) for i in range(len(columns))} 23 | data.append(row) 24 | record = view.Fetch() 25 | 26 | return data 27 | 28 | def extract_custom_actions(msi_path): 29 | db = msilib.OpenDatabase(msi_path, msilib.MSIDBOPEN_READONLY) 30 | view = db.OpenView("SELECT * FROM `CustomAction`") 31 | view.Execute(None) 32 | 33 | custom_actions = [] 34 | record = view.Fetch() 35 | while record: 36 | action_type = record.GetString(1) 37 | if action_type == "install" or action_type == "DeleteTaskScheduler": 38 | custom_action = { 39 | "Action": action_type, 40 | #"Type": record.GetString(2), 41 | "Source": record.GetString(3), 42 | "Target": record.GetString(4), 43 | # Add more columns as needed 44 | } 45 | custom_actions.append(custom_action) 46 | record = view.Fetch() 47 | 48 | return custom_actions 49 | 50 | 51 | def main(): 52 | msi_path = 'A2.msi' 53 | 54 | # Extract Property table data 55 | property_data = extract_table_to_json(msi_path, "Property") 56 | 57 | # Extract CustomAction data 58 | custom_actions_data = extract_custom_actions(msi_path) 59 | 60 | # Combine data into a single dictionary 61 | combined_data = { 62 | "Property": property_data, 63 | "CustomActions": custom_actions_data 64 | } 65 | 66 | json_data = json.dumps(combined_data, indent=4) 67 | print(json_data) 68 | 69 | if __name__ == "__main__": 70 | main() 71 | -------------------------------------------------------------------------------- /Baber_Malware/Baber Malware Decryptor.py: -------------------------------------------------------------------------------- 1 | import base64 2 | import pefile 3 | #58BC 4 | def Get_data_and_Key(FilePath): 5 | pe = pefile.PE(FilePath) 6 | for section in pe.sections: 7 | if b'.rdata' in section.Name: 8 | return section.get_data()[0x2964:0x2964 + 0x4B4] ,section.get_data()[0x3ABC : 0x3ABC + 0x7C4],section.get_data()[0x58BC : 0x58BC + 0x408] 9 | 10 | filepath = r"" 11 | data1,data2,data3 = Get_data_and_Key(filepath) 12 | splitted_data = data1.split(b"\x00\x00\x00\x00") 13 | data2=data2.split(b"\x00\x00\x00\x00") 14 | data3=data3.split(b"\x00\x00\x00\x00") 15 | 16 | #print(data2) 17 | splitted_data.extend(data2) 18 | splitted_data.extend(data3) 19 | print(len(splitted_data)) 20 | 21 | result_list = [] 22 | key = b"1234niwef\x00" 23 | 24 | for str_data in splitted_data: 25 | # Add padding if necessary for base64 decoding 26 | missing_padding = len(str_data) % 4 27 | if missing_padding: 28 | str_data += b'=' * (4 - missing_padding) 29 | 30 | try: 31 | basic_operation = base64.b64decode(str_data) 32 | decrypted = "" 33 | for i in range(len(basic_operation)): 34 | x = chr(basic_operation[i] ^ key[i % len(key)]) 35 | decrypted += x 36 | result_list.append(decrypted) 37 | except Exception as e: 38 | #print(f"Error decoding: {e}") 39 | result_list.append(None) 40 | 41 | print(result_list) 42 | 43 | #for str in splitted_data: 44 | # temp=base64.b64decode(str) 45 | # 46 | # for i in range(0,x): 47 | # decrypted.join(chr(temp[i] ^ key[i%len(key)])) 48 | # 49 | #print(decrypted) 50 | -------------------------------------------------------------------------------- /Domino-BackDoor/C2 Decryptor.py: -------------------------------------------------------------------------------- 1 | output = "" 2 | key = "039b547217d35ee6e0e9efe0df360d79" 3 | size = 128 4 | key_by = bytes.fromhex(key) 5 | 6 | Data = "3ba37a4326ea70d7d7dcc1d1ed02714037b565472ffd6cd2d7c7d8d2df58e3e0342a79f6f25e3496c1d73ac1f3f73acc1c2c5d818cd99918b3dbcc8a5386435b6227217df515756aa081ffceda7f61af7c944cf1929949ad943026602a08c919a40e05e92611e831730d74b0f7b91cdc11fb9d57fcc59368b6774126a96c85aa369bee6cbd9b786000" 7 | Data_by = bytes.fromhex(Data) 8 | 9 | for i in range(size): 10 | output += chr(Data_by[i] ^ key_by[i % 16]) 11 | 12 | print(output.encode('utf-8', 'ignore')) 13 | 14 | """ 15 | output = 119.175.124|94.158.247.72 16 | """ 17 | -------------------------------------------------------------------------------- /Emotet/Emotet C2 Extractor.py: -------------------------------------------------------------------------------- 1 | import pefile 2 | import struct 3 | import binascii 4 | import socket 5 | 6 | # this function applies the decryption algorithm which i had reversed form binary 7 | def decrypter(data,key,length): 8 | decode=[] 9 | for i in range(length): 10 | decode.append(data[i] ^ key[i % len(key)]) 11 | return decode 12 | 13 | # this function retrive encrypted data which reside at the start of '.data' section 14 | def Get_PE_Data(filename): 15 | pe=pefile.PE(filename) 16 | # the next loop itrate over all sections of the pefile untill it hit data section 17 | for section in pe.sections: 18 | if b'.data' in section.Name: 19 | # the next line just return the data untill the end of the setion with SizeOfRawData as Size 20 | return section.get_data(section.VirtualAddress,section.SizeOfRawData) 21 | 22 | # the next function is the base function which applies some math changes on the data to prepare it for decryption routine 23 | def data_decrypter(): 24 | filename = r'put here your file name' 25 | # the next line retrive the data using function of Get_PE_Data 26 | extracted_data = Get_PE_Data(filename) 27 | # the next 2 lines are one of the important beacous the data block retrived is so big and all of it is not used in decryption method so 28 | # after some reversing i got that i can used null trmintor of thad encrypted blob as a end of the decryption routine 29 | # so i tried to get the index where the encrypted data ends using index function with helping of b"\x00\x00' as trminator 30 | data_end = extracted_data.index(b'\x00\x00') 31 | encrypted_config = extracted_data[:data_end] 32 | # so in the next lines which is my reversing result, the key is 4th bytes of the blob and the length is the result of XORing with second 4 bytes and the reminder is the encrypted config 33 | xor_key = encrypted_config[:4] 34 | xor_key_unpacked = struct.unpack('= len_of_decrypted: 56 | print("we will have a break bro -_- ") 57 | break 58 | data_decrypter() 59 | -------------------------------------------------------------------------------- /ICEDID/Decryptor.py: -------------------------------------------------------------------------------- 1 | from arc4 import ARC4 2 | import binascii 3 | import pefile 4 | 5 | def config_extract(filename): #this function parse pe file and extract the data from '.data' section 6 | pe = pefile.PE(filename) 7 | for section in pe.sections: 8 | if b".data" in section.Name : 9 | return section.get_data() 10 | 11 | 12 | 13 | def rc4_decrypt(key, data): # RC4 Decryption 14 | cipher = ARC4(key) 15 | decrypted = cipher.decrypt(data) 16 | return decrypted 17 | 18 | def main(): 19 | # print(input("Enter File Name")) 20 | data = config_extract('File name path ') # like C:\\Users\\ICEDID.bin 21 | 22 | # data = binascii.unhexlify(data) 23 | key = data[:8] #key is the first 8 bytes of the Blob 24 | data = data[8:592] 25 | decrypted_data = rc4_decrypt(key, data) 26 | # DA = decrypted_data.replace(b'\x00', b'').split(b'\x00') 27 | print(decrypted_data.decode('latin-1')) 28 | 29 | main() 30 | -------------------------------------------------------------------------------- /NoEscape Ransomware/NoEscape Decryptor.py: -------------------------------------------------------------------------------- 1 | import base64 2 | import pefile 3 | 4 | def Get_data_and_Key(FilePath): 5 | pe = pefile.PE(FilePath) 6 | for section in pe.sections: 7 | if b'rdata' in section.Name: 8 | key = section.get_data() [0xBAF8:0xBAF8 + 0x10] 9 | data = section.get_data() [0xBB10:0xBB10 + 0x23A0] 10 | key2 = section.get_data() [0xB8AC:0xB8AC + 0x10] 11 | data2 = section.get_data() [0xFA94:0xFA94 + 0x940] 12 | return key,data,key2,data2 13 | 14 | def rc4_decrypt(ciphertext, key): 15 | # Initialization 16 | S = list(range(256)) 17 | j = 0 18 | key_length = len(key) 19 | plaintext = bytearray(len(ciphertext)) 20 | # Key-scheduling algorithm (KSA) 21 | for i in range(256): 22 | j = (j + S[i] + key[i % key_length]) % 256 23 | S[i], S[j] = S[j], S[i] 24 | # Pseudo-random generation algorithm (PRGA) and decryption 25 | i = j = 0 26 | for idx, byte in enumerate(ciphertext): 27 | i = (i + 1) % 256 28 | j = (j + S[i]) % 256 29 | S[i], S[j] = S[j], S[i] 30 | keystream_byte = S[(S[i] + S[j]) % 256] 31 | if byte == 0x00 : 32 | continue 33 | else : 34 | plaintext[idx] = byte ^ keystream_byte 35 | return bytes(plaintext) 36 | 37 | key,data,key2,data2 = Get_data_and_Key(r"File Path") 38 | part1_decoded = base64.b64decode(data) 39 | part1_decrypted_stream = rc4_decrypt(part1_decoded,key) 40 | part2_streams_list =data2.split(b'\x00\x00\x00\x00') 41 | part2_decrypted_streams=[] 42 | for stream in part2_streams_list : 43 | if stream: 44 | b64decoded=base64.b64decode(stream) 45 | rc4_decrypted = rc4_decrypt(b64decoded,key2) 46 | part2_decrypted_streams.append(rc4_decrypted) 47 | print(part1_decrypted_stream.decode('utf-8')) 48 | for decrypted_stream in part2_decrypted_streams : 49 | print(decrypted_stream.decode('utf-8')) 50 | 51 | -------------------------------------------------------------------------------- /Qbot/Config Extractor.py: -------------------------------------------------------------------------------- 1 | import binascii 2 | import pefile 3 | 4 | 5 | def decrypter(data_string,data_key): 6 | # convert Data from Hexa to binary represtation for XOR ing Operation 7 | 8 | data_bytes =bytes.fromhex(data_string) 9 | _key = bytes.fromhex(data_key) 10 | decode = [] 11 | #The Below Loop for xoring key with index % 90 or len(_key)___________ 90 --> size of the decryption key 12 | for i in range(0,len(data_bytes)): 13 | decode.append(data_bytes[i] ^ _key[i % 90]) # you can replace 90 with len(_key) 14 | 15 | data = Make_String_table(decode) 16 | return data 17 | # this function dumps the decrypted strings into a list 18 | def Make_String_table(string_bytes): 19 | # the below line convert data from int to bytes 20 | string_bytes = bytes(string_bytes) 21 | # the below line decode the converted bytes into and readable representation 'ascii' or 'utf' 22 | string = string_bytes.decode('utf-8') 23 | # to seperate between strings we need to split the string based on Null terminator '0x00' 24 | str_table = string.split('\x00') 25 | return str_table 26 | 27 | 28 | Data ='but your hexa encrypted Data Here ' 29 | Key ='but your hexa decryption key herer ' 30 | 31 | x = decrypter(data,key) 32 | 33 | for i in x : 34 | print(i) 35 | -------------------------------------------------------------------------------- /Qbot/Decrypt_Rename_API.py: -------------------------------------------------------------------------------- 1 | 2 | import pefile 3 | import idautils 4 | import binascii 5 | import struct 6 | import ida_idaapi, ida_kernwin, ida_bytes, ida_name 7 | 8 | filename = 'FilePath' 9 | #def fix_operand(address_to_patch,string_to_paste): 10 | # address = address_to_patch 11 | # string_bytes = bytes(string_to_paste,'utf-8')+b'\x00' 12 | # for x in string_bytes: 13 | # patch_byte(address,x) 14 | # address+=1 15 | # create_strlit(prov_addr,idc.BADADDR) 16 | def rename_operand(address,string): 17 | #print(type(string)) 18 | ida_name.set_name(int(address,16), string, ida_name.SN_CHECK) 19 | def get_data_key(): 20 | pe = pefile.PE(filename) 21 | for section in pe.sections: 22 | if b'.data' in section.Name: 23 | key = section.get_data()[1216:1283] 24 | if b'.rdata' in section.Name: 25 | data = section.get_data()[32048:46118] 26 | 27 | return data,key 28 | def get_data(file_name): 29 | pe = pefile.PE(file_name) 30 | for section in pe.sections: 31 | if b'.data' in section.Name: 32 | return section.get_data()[int(b'E4',16):] 33 | def decrypt_str(hex_size): 34 | data,key = get_data_key() 35 | max_size = b'36F4' 36 | ref_need =int(hex_size,16) 37 | ref_max = int(max_size,16) 38 | 39 | flag = False 40 | decrypted ='' 41 | if ref_need < ref_max : 42 | while key[ref_need & int(b'3f',16)] != data[ref_need]: 43 | and_operation = ref_need & int(b'3f',16) 44 | decrypted +=chr((data[ref_need] ^ key[and_operation])) 45 | ref_need +=1 46 | if ref_need >= ref_max : 47 | flag = True 48 | print("i hit break ") 49 | break 50 | if not flag : 51 | chunk = ref_need - int(hex_size,16) 52 | #print(decrypted) 53 | return decrypted 54 | API_Encrypted_Chunk =0x1000800C 55 | data=get_data(r'Filepath') 56 | the_end = data.index(b'\x00\x00\x00\x00\x00\x00') 57 | print(hex(the_end)) 58 | 59 | API_encrypted = data[:the_end] 60 | print(binascii.hexlify(API_encrypted)) 61 | 62 | lol = 0 63 | jump_of_encrypted = 4 64 | while lol < len(API_encrypted): 65 | val = API_encrypted[lol:lol+4] 66 | val_to_decrypt = binascii.hexlify(API_encrypted[lol + 4 : lol + 6]) # get bytes of api to decrypt 67 | data = val_to_decrypt[2:] + val_to_decrypt[:2] # Swap the order of hexadecimal digits 68 | hex_addr = "0x" + "".join(format(byte, "02x") for byte in val[::-1]) #convert the address to effective address where the API address will reside 69 | print(hex_addr) 70 | decrypted_str = decrypt_str(data) 71 | print(decrypted_str) 72 | print("__________________________") 73 | rename_operand(hex_addr,decrypted_str) 74 | lol +=12 75 | -------------------------------------------------------------------------------- /Qbot/Full Config and Commentor in IDA.py: -------------------------------------------------------------------------------- 1 | import binascii 2 | import pefile 3 | import idaapi 4 | import idautils 5 | 6 | #the Below Function is FOR XOR Operation 7 | 8 | def decrypter(Data,key) 9 | decrypted = '' 10 | for i in range(0,len(Data)) 11 | decrypted +=chr(Data[i] ^ key[i % len(key)]) 12 | return decrypted 13 | 14 | 15 | #the Below Function is FOR Strings's Table Creation 16 | 17 | def string_table(data) 18 | str_table=[] 19 | for k in data.splitit('x00') 20 | str_table.append(k) 21 | return str_table 22 | # the Below Function of String Printing 23 | def print_str_table(str_table) 24 | for i in str_table 25 | print(i) 26 | 27 | # the Below Function searchs for a string in a string table 28 | 29 | def string_decrypt_search(arg_string, arg_key, str_addr) 30 | local_table = [] 31 | for i in range (0,len(arg_string)) 32 | local_table.append(arg_string[i] ^ (arg_key[i%len(arg_key)])) 33 | converted_table =bytes(local_table)[str_addr].decode('latin').split('x00')[0] 34 | return (str_addr,converted_table) 35 | 36 | #the Below Funtion Extracts Data from '.data' Section 37 | 38 | def extract_data(filename) 39 | pe=pefile.PE(filename) 40 | for section in pe.sections 41 | if '.data' in section.Name.decode(encoding = 'utf-8').rstrip('x00') 42 | return (section.get_data(section.VirtualAddress,section.SizeOfRawData)) 43 | 44 | # The Function Below calculates the offset between the current address of the targeted data and the start address of the .data section 45 | 46 | def calc_offsets(x_seg_start,x_start) 47 | data_offset = hex(int(x_start,16) - int (x_seg_start,16)) 48 | return data_offset 49 | 50 | 51 | ###### 52 | # data_seg_start -- start address of the provided '.data' segment 53 | # encrypted_string_addr -- start address of the encrypted strings 54 | # key_data_addr -- start address of the key strings which is used to decrypt Strings 55 | 56 | def string_decrypter(arg_encrypted_string_addr,arg_key_data_addr,str_offset) 57 | 58 | data_1 =b'' 59 | data_2 =b'' 60 | 61 | #convert arguments to the appropriated format and notation . 62 | 63 | encrypted_string_addr = hex(int(arg_encrypted_string_addr)) 64 | key_data_addr = hex(int(arg_key_data_addr)) 65 | 66 | 67 | #find the start address of the '.data' segment 68 | for segment in idautils.Segments() 69 | if'.data' == idc.get_segm_name(segment) 70 | data_seg_start = hex(int(idc.get_segm_start(segment))) 71 | 72 | 73 | #next 2 lines calcs the offset between data blogbs and start of the '.data' segment. 74 | 75 | encrypted_string_addr_rel = calc_offsets(data_seg_start,encrypted_string_addr) 76 | key_data_addr_rel = calc_offsets(data_seg_start,key_data_addr) 77 | 78 | 79 | #Next Three Lines extract '.data' section information 80 | filename=r'CUsersHackDesktopQBotrundll32_00CC0000NT_res.bin' 81 | data_encoded_extracted_1 = extract_data(filename) 82 | data_encoded_extracted_2 = extract_data(filename) 83 | 84 | # Next Six Lines Calcs the size of the encrypted string table and the XOR key ,pay attention that 85 | # I have an approach of searching up to tow end of String Maker is found 86 | d1_off = 0x00 87 | d2_off = 0x00 88 | if (b'x00x00' in data_encoded_extracted_1[int(encrypted_string_addr_rel,16)]) 89 | d1_off = (data_encoded_extracted_1[int(encrypted_string_addr_rel,16)]).index(b'x00x00') 90 | if (b'x00x00' in data_encoded_extracted_1[int(key_data_addr_rel,16)]) 91 | d2_off = (data_encoded_extracted_1[int(key_data_addr_rel,16)]).index(b'x00x00') 92 | 93 | 94 | # Next Tow Lines the Meaingful information (encrypted string and XOR Key ) are isolated . 95 | data_1 = data_encoded_extracted_1[int(encrypted_string_addr_rel,16) int(encrypted_string_addr_rel,16) + d1_off] 96 | data_2 = data_encoded_extracted_2[int(key_data_addr_rel,16) int(key_data_addr_rel,16) + d2_off] 97 | 98 | 99 | #Finally the string table is decrypted 100 | decoded_data = decrypter(data_1,data_2) 101 | item, result = string_decrypt_search(data_1,data_2,str_offset) 102 | return (string [%d] %s % (item,result)) 103 | 104 | 105 | def comment_string_offset(arg_encrypted_string_addr,arg_key_data_addr,arg_str_offset) 106 | str_function = idc.get_name_ea_simple(arg_str_offset) 107 | print(nn) 108 | for k in idautils.CodeRefsTo(str_function,0) 109 | p = idc.prev_head(k) 110 | my = idc.print_insn_mnem(p) 111 | if my in('mov','push') 112 | if my == mov 113 | if idc.get_operand_type(p,1) == 5 114 | str_off_1 = int(idc.print_operand(p,1)[-1],16) 115 | local_result_1 = string_decrypter(arg_encrypted_string_addr , arg_key_data_addr ,str_off_1) 116 | final_result_1 = (local_result_1[local_result_1.find(' ')]).strip() 117 | idc.set_cmt(k,final_result_1,0) 118 | 119 | if my == push 120 | if idc.get_operand_type(p,1) == 5 121 | str_off_1 = int(idc.print_operand(p,0)[-1],16) 122 | local_result_1 = string_decrypter(arg_encrypted_string_addr , arg_key_data_addr ,str_off_1) 123 | final_result_1 = (local_result_1[local_result_1.find(' ')]).strip() 124 | idc.set_cmt(k,final_result_1,0) 125 | 126 | else 127 | j = idc.prev_head(p) 128 | my2 = idc.print_insn_mnem(j) 129 | if my2 in ('mov','push') 130 | if my2 == 'mov' 131 | if idc.get_operand_type(j,1) == 5 132 | str_off_2 = int(idc.print_operand(j,1)[-1],16) 133 | local_result_2 = string_decrypter(arg_encrypted_string_addr , arg_key_data_addr ,str_off_2) 134 | final_result_2 = (local_result_2[local_result_2.find(' ')]).strip() 135 | idc.set_cmt(k,final_result_2,0) 136 | if my2 == 'push' 137 | if idc.get_operand_type(j,0) == 5 138 | str_off_2 = int(idc.print_operand(j,0)[-1],16) 139 | local_result_2 = string_decrypter(arg_encrypted_string_addr , arg_key_data_addr ,str_off_2) 140 | final_result_2 = (local_result_2[local_result_2.find(' ')]).strip() 141 | idc.set_cmt(k,final_result_2,0) 142 | 143 | 144 | string_slot = string_decrypter(0x1001D5A8,0x1001E3F8,1486) 145 | string_slot = string_decrypter(0x1001D0B0,0x1001D050,708) 146 | print(n+ string_slot) 147 | 148 | comment_string_offset(0x1001D5A8,0x1001E3F8,az_w_decrypt_string) # replace with your decryption Function Name 149 | comment_string_offset(0x1001D5A8,0x1001E3F8,az_w_decrypt_string_1) # replace with your decryption Function Name 150 | comment_string_offset(0x1001D0B0,0x1001D050,az_w_decrypt_string_2) # replace with your decryption Function Name 151 | 152 | -------------------------------------------------------------------------------- /Qbot/Hooked_APIS By Qbot .py: -------------------------------------------------------------------------------- 1 | import binascii 2 | import sys 3 | import struct 4 | import pefile 5 | filename = sys.argv[1] 6 | def get_data_key(): 7 | # val = input("Enter Hex Val passed to Decryption Function") 8 | pe = pefile.PE(filename) 9 | for section in pe.sections: 10 | if b'.data' in section.Name: 11 | key = section.get_data()[1216:1283] 12 | if b'.rdata' in section.Name: 13 | data = section.get_data()[32048:46118] 14 | 15 | return data,key 16 | def decrypt_str(hex_size): 17 | data,key = get_data_key() 18 | max_size = b'36F4' 19 | ref_need =int(hex_size,16) 20 | ref_max = int(max_size,16) 21 | 22 | flag = False 23 | decrypted ='' 24 | if ref_need < ref_max : 25 | while key[ref_need & int(b'3f',16)] != data[ref_need]: 26 | and_operation = ref_need & int(b'3f',16) 27 | decrypted +=chr((data[ref_need] ^ key[and_operation])) 28 | ref_need +=1 29 | if ref_need >= ref_max : 30 | flag = True 31 | print("i hit break ") 32 | break 33 | if not flag : 34 | chunk = ref_need - int(hex_size,16) 35 | return decrypted 36 | 37 | def parse_struct(struct_data): 38 | dll = struct_data[:2] 39 | API = struct_data[4:6] 40 | dll = binascii.hexlify(dll[::-1]) 41 | API = binascii.hexlify(API[::-1]) 42 | print("Dll : {0} API : {1} ".format(decrypt_str(dll),decrypt_str(API))) 43 | 44 | 45 | def get_all_struct(struct_off , len_hooks): 46 | ptr_data = 0 47 | for i in range(0,len_hooks): 48 | data = struct_off[ptr_data:ptr_data + 21] 49 | parse_struct(data) 50 | ptr_data +=21 51 | 52 | print("-----------------------------------------------") 53 | 54 | def main(): 55 | data = open(filename,'rb').read() 56 | get_all_struct(data[0x23d20:],10) 57 | get_all_struct(data[0x23bd4:],1) 58 | get_all_struct(data[0x23bf0:],10) 59 | get_all_struct(data[0x23df8:],8) 60 | 61 | 62 | 63 | main() 64 | -------------------------------------------------------------------------------- /Qbot/Qbot Second Config_Extractor.py: -------------------------------------------------------------------------------- 1 | import pefile # hash of loader 7FC3F5E06BBAAD459AF71D3C0D28C51B7802546984F886F14A1B12A779FFF6F8 2 | # hash of 32-bit dll(Qbot) 4229F9F1C316C207783F484BA2BC518074180F87DDB01E47328A4F6F23F97089 3 | 4 | filename = 'file path' # enter file path here 5 | max_size = b'36F4' # Max size granted from the sample 6 | 7 | def enter_hex_val(): # this function parse data and keys from file using PEFILE module 8 | val = input("Enter Hex Val passed to Decryption Function") # this input is used to control what digits to decrypt cause if the value was wrong it will result no correct strings 9 | pe = pefile.PE(filename) 10 | for section in pe.sections: 11 | if b'.data' in section.Name: 12 | key = section.get_data()[1216:1283] # the key blob reside at offset (0x04C0 to 0x0503 RVA 13 | if b'.rdata' in section.Name: 14 | data = section.get_data()[32048:46118] # the data blob resides at offset (0x7D30 to 0xB426 RVA 15 | 16 | return data,key,val 17 | 18 | data,key,needed_size = enter_hex_val() # need_size --> this var contain a hexa value the determine which chunk to decrypt and 19 | # this value is passed to the decryption function 20 | 21 | ref_need =int(needed_size,16) # creating INT refernces to use them inside loop 22 | ref_max = int(max_size,16) 23 | 24 | flag = False 25 | decrypted ='' 26 | 27 | if ref_need < ref_max : # the algorithem is that it do "and operation" between the passed hex value and byte '3f' 28 | # then it XOR the result of this operation with data of address [passed hexa value] 29 | while key[ref_need & int(b'3f',16)] != data[ref_need]: 30 | and_operation = ref_need & int(b'3f',16) 31 | decrypted +=chr((data[ref_need] ^ key[and_operation])) 32 | ref_need +=1 33 | if ref_need >= ref_max : 34 | flag = True # this part to alter if there is any mistake in passed hexa value 35 | print("i hit break and value is bigger then blob size ") 36 | break 37 | if not flag : 38 | chunk = ref_need - int(needed_size,16) 39 | print(decrypted) 40 | 41 | -------------------------------------------------------------------------------- /Qbot/lol: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Qbot_Dec_2023/Config_Extractor.py: -------------------------------------------------------------------------------- 1 | from Crypto.Cipher import AES 2 | import hashlib 3 | import binascii 4 | import pefile 5 | path=r"file path" 6 | 7 | # this function retrieve the AES Key,AES encrypted data, and The Encrypted coonfig 8 | def get_data(): 9 | pe=pefile.PE(path) 10 | key_val=b'' 11 | AES_encrypted=b'' 12 | blob_data=b'' 13 | key_val_length=0xA7 14 | AES_encrypted_len=0xC0 15 | blob_data_len=0x165D 16 | 17 | for section in pe.sections : 18 | if b".data" in section.Name: 19 | key_val=section.get_data()[157696:157696 + key_val_length] # key to be hashed and used as AES decryption Key 20 | AES_encrypted=section.get_data()[157488 :157488 + AES_encrypted_len] # AES Encrpyted Data to be decrypted and used to decrypted the encrypted config 21 | blob_data= section.get_data()[157872 : 157872 + blob_data_len] # Encrypted Config 22 | return AES_encrypted,blob_data,key_val 23 | 24 | 25 | 26 | # this function retrieve the AES Key,AES encrypted data, and The Encrypted config 27 | 28 | def get_data_2(): 29 | pe=pefile.PE(path) 30 | key_val_2 = b'' 31 | AES_encrypted_2 = b'' 32 | blob_data_2 =b'' 33 | key_val_2_len = 0x47 34 | AES_encrypted_2_len = 0x90 35 | blob_data_2_len =0x5AD 36 | for section in pe.sections : 37 | if b".data" in section.Name: 38 | key_val_2 = section.get_data()[151888 : 151888 + key_val_2_len] # key to be hashed and used as AES decryption Key 39 | AES_encrypted_2 = section.get_data()[151968 : 151968 + AES_encrypted_2_len] # AES Encrypted Data to be decrypted and used to decrypt the encrypted config 40 | blob_data_2 = section.get_data()[152128 : 152128 + blob_data_2_len] # Encrypted Config 41 | return AES_encrypted_2,blob_data_2,key_val_2 42 | 43 | # this function retrieve the AES Key,AES encrypted data, and The Encrypted config 44 | def get_data_3(): 45 | pe=pefile.PE(path) 46 | key_val_3 = b'' 47 | AES_encrypted_3 = b'' 48 | blob_data_3 =b'' 49 | key_val_3_len = 0x58 50 | AES_encrypted_3_len = 0x100 51 | blob_data_3_len =0x17 52 | 53 | for section in pe.sections : 54 | if b".data" in section.Name: 55 | key_val_3=section.get_data()[156416 : 156416 + key_val_3_len] # key to be hashed and used as AES decryption Key 56 | AES_encrypted_3=section.get_data()[156512 : 156512 + AES_encrypted_3_len] # AES Encrypted Data to be decrypted and used to decrypt the encrypted config 57 | blob_data_3=section.get_data()[156392 : 156392 + blob_data_3_len] # Encrypted Config 58 | return AES_encrypted_3,blob_data_3,key_val_3 59 | 60 | # This function gets the length of the AES decrypted data 61 | def get_original_length(unpadded_data): # unpadded_data is the AES decrypted data 62 | padding_length = unpadded_data[-1] 63 | 64 | original_length = len(unpadded_data) - padding_length 65 | return original_length 66 | 67 | #this function uses AES crypto to decrypt the data that will be used as a key to decrypt the original config 68 | def decrypt_data_using_AES(encrypted_data, session_key): 69 | iv = encrypted_data[:16] 70 | cipher = AES.new(session_key, AES.MODE_CBC, iv) 71 | encrypted_data=encrypted_data[16:] 72 | decrypted_data = cipher.decrypt(encrypted_data) 73 | original_length = get_original_length(decrypted_data) 74 | return decrypted_data,original_length 75 | 76 | 77 | # This function uses the AES-decrypted data to decrypt the config 78 | def mw_decryypt(decrypted_AES_Data,AES_d_length,encrypted_blob_,index_val,max_index_): 79 | flag = 1 80 | ref_index_val=index_val 81 | X=0 82 | decrypted_string="" 83 | while encrypted_blob_[ref_index_val] != decrypted_AES_Data[ref_index_val%AES_d_length]: # This loop iterates until it hits a matching in the char between the AES-Encrypted data and the encrypted config 84 | # to get the length of the required chunk to be decrypted 85 | ref_index_val+=1 86 | if ref_index_val >= max_index_: 87 | flag=0 88 | break 89 | if flag: 90 | X = ref_index_val - index_val # X is the length 91 | 92 | for i in range(0,X): # Decryption block 93 | xor_val =encrypted_blob_[index_val + i] ^ decrypted_AES_Data[(index_val +i) % AES_d_length] 94 | decrypted_string+=chr(xor_val) 95 | return str(decrypted_string) 96 | 97 | def decrypt_1(): # This function decrypts the first blob of configuration 98 | encrypted_data,encrypted_blob,key_to_be_hashed = get_data() 99 | session_key = derive_session_key(key_to_be_hashed) 100 | 101 | 102 | decrypted_data,orginal_len = decrypt_data_using_AES(encrypted_data, session_key) 103 | decrypted_data=list(decrypted_data) 104 | decrypted_data[orginal_len]=0x00 105 | decrypted_data=decrypted_data[:orginal_len + 1] 106 | max_index = 0x165b 107 | idx=0 108 | while idx {dec_str}") 111 | idx +=len(dec_str)+1 112 | print("_______________________________________________________") 113 | 114 | 115 | def decrypt_2(): # this function decrypts the second blob of configuration 116 | encrypted_data,encrypted_blob,key_to_be_hashed = get_data_2() 117 | session_key = derive_session_key(key_to_be_hashed) 118 | 119 | 120 | decrypted_data,orginal_len = decrypt_data_using_AES(encrypted_data, session_key) 121 | decrypted_data=list(decrypted_data) 122 | decrypted_data[orginal_len]=0x00 123 | decrypted_data=decrypted_data[:orginal_len + 1] 124 | max_index=0x5AB 125 | idx=0 126 | while idx {dec_str}") 130 | idx +=len(dec_str)+1 131 | print("_______________________________________________________") 132 | 133 | def decrypt_3(): # This function decrypts the third blob of configuration 134 | encrypted_data,encrypted_blob,key_to_be_hashed = get_data_3() 135 | session_key = derive_session_key(key_to_be_hashed) 136 | decrypted_data,orginal_len = decrypt_data_using_AES(encrypted_data, session_key) 137 | decrypted_data=list(decrypted_data) 138 | decrypted_data[orginal_len]=0x00 139 | decrypted_data=decrypted_data[:orginal_len + 1] 140 | max_index= 0x9 141 | idx = 0x00 142 | dec_str=mw_decryypt(decrypted_data,orginal_len,encrypted_blob,idx,max_index) 143 | print(dec_str) 144 | print("_______________________________________________________") 145 | -------------------------------------------------------------------------------- /Qbot_Dec_2023/Decrypter.ipynb: -------------------------------------------------------------------------------- 1 | { 2 | "cells": [ 3 | { 4 | "cell_type": "code", 5 | "execution_count": 90, 6 | "id": "846f2ea9-dc75-4f01-8776-985f098865f2", 7 | "metadata": {}, 8 | "outputs": [], 9 | "source": [ 10 | "from Crypto.Cipher import AES\n", 11 | "import hashlib\n", 12 | "import binascii\n", 13 | "import pefile\n", 14 | "path=r\"C:\\Users\\REM\\Desktop\\Mal DB\\Mal DB\\Qbot Latest\\Dll\\qbot__payload.bin\"\n", 15 | "#from Header_file import encrypted_blob,encrypted_data,input_data" 16 | ] 17 | }, 18 | { 19 | "cell_type": "code", 20 | "execution_count": 40, 21 | "id": "290beae7-3a5a-46f4-a12f-e8795642caef", 22 | "metadata": {}, 23 | "outputs": [], 24 | "source": [ 25 | "def get_data():\n", 26 | " pe=pefile.PE(path)\n", 27 | " key_val=b''\n", 28 | " AES_encrypted=b''\n", 29 | " blob_data=b''\n", 30 | " key_val_length=0xA7\n", 31 | " AES_encrypted_len=0xC0\n", 32 | " blob_data_len=0x165D\n", 33 | " \n", 34 | " for section in pe.sections :\n", 35 | " if b\".data\" in section.Name:\n", 36 | " key_val=section.get_data()[157696:157696 + key_val_length]\n", 37 | " AES_encrypted=section.get_data()[157488 :157488 + AES_encrypted_len]\n", 38 | " blob_data= section.get_data()[157872 : 157872 + blob_data_len]\n", 39 | " #print(\"we got it\")\n", 40 | " return AES_encrypted,blob_data,key_val" 41 | ] 42 | }, 43 | { 44 | "cell_type": "code", 45 | "execution_count": 68, 46 | "id": "14d7fa0d-0ab1-47c7-b7ea-3507d8d2a830", 47 | "metadata": {}, 48 | "outputs": [], 49 | "source": [ 50 | "def get_data_2():\n", 51 | " pe=pefile.PE(path)\n", 52 | " key_val_2 = b''\n", 53 | " AES_encrypted_2 = b''\n", 54 | " blob_data_2 =b''\n", 55 | " key_val_2_len = 0x47\n", 56 | " AES_encrypted_2_len = 0x90\n", 57 | " blob_data_2_len =0x5AD\n", 58 | " for section in pe.sections :\n", 59 | " if b\".data\" in section.Name:\n", 60 | " key_val_2 = section.get_data()[151888 : 151888 + key_val_2_len]\n", 61 | " AES_encrypted_2 = section.get_data()[151968 : 151968 + AES_encrypted_2_len]\n", 62 | " blob_data_2 = section.get_data()[152128 : 152128 + blob_data_2_len]\n", 63 | " return AES_encrypted_2,blob_data_2,key_val_2 " 64 | ] 65 | }, 66 | { 67 | "cell_type": "code", 68 | "execution_count": 93, 69 | "id": "3ee3e6a4-dcd8-44ef-85bf-eac2e1bad6ff", 70 | "metadata": {}, 71 | "outputs": [], 72 | "source": [ 73 | "def get_data_3():\n", 74 | " pe=pefile.PE(path)\n", 75 | " key_val_3 = b''\n", 76 | " AES_encrypted_3 = b''\n", 77 | " blob_data_3 =b''\n", 78 | " key_val_3_len = 0x58\n", 79 | " AES_encrypted_3_len = 0x100\n", 80 | " blob_data_3_len =0x17\n", 81 | " \n", 82 | " for section in pe.sections :\n", 83 | " if b\".data\" in section.Name: \n", 84 | " key_val_3=section.get_data()[156416 : 156416 + key_val_3_len]\n", 85 | " AES_encrypted_3=section.get_data()[156512 : 156512 + AES_encrypted_3_len]\n", 86 | " blob_data_3=section.get_data()[156392 : 156392 + blob_data_3_len]\n", 87 | " #print(section.get_data().find(pattern))\n", 88 | " #print(AES_encrypted_3)\n", 89 | " return AES_encrypted_3,blob_data_3,key_val_3 " 90 | ] 91 | }, 92 | { 93 | "cell_type": "code", 94 | "execution_count": 29, 95 | "id": "50810129-e6f2-4f1c-a420-2b58a011e753", 96 | "metadata": {}, 97 | "outputs": [], 98 | "source": [ 99 | "def get_original_length(unpadded_data):\n", 100 | " # The last byte of PKCS7-padded data indicates the padding length\n", 101 | " padding_length = unpadded_data[-1]\n", 102 | " \n", 103 | " # The original length is the total length minus the padding length\n", 104 | " original_length = len(unpadded_data) - padding_length\n", 105 | " return original_length" 106 | ] 107 | }, 108 | { 109 | "cell_type": "code", 110 | "execution_count": 30, 111 | "id": "65968def-c3ee-43c4-a57a-e600aa555b5f", 112 | "metadata": {}, 113 | "outputs": [], 114 | "source": [ 115 | "def derive_session_key(data):\n", 116 | " # Use SHA-256 to hash the input data\n", 117 | " hashed_data = hashlib.sha256(data).digest()\n", 118 | " return hashed_data" 119 | ] 120 | }, 121 | { 122 | "cell_type": "code", 123 | "execution_count": 31, 124 | "id": "46962771-4a47-43ae-b250-6743f2a19017", 125 | "metadata": {}, 126 | "outputs": [], 127 | "source": [ 128 | "def decrypt_data_using_AES(encrypted_data, session_key):\n", 129 | " # The first 16 bytes of the encrypted data are used as the IV\n", 130 | " iv = encrypted_data[:16]\n", 131 | " # Create an AES cipher object in CBC mode with the derived \n", 132 | " # key and IV\n", 133 | " cipher = AES.new(session_key, AES.MODE_CBC, iv)\n", 134 | " encrypted_data=encrypted_data[16:]\n", 135 | " # Decrypt the remaining bytes of the encrypted data\n", 136 | " decrypted_data = cipher.decrypt(encrypted_data)\n", 137 | " original_length = get_original_length(decrypted_data)\n", 138 | " return decrypted_data,original_length" 139 | ] 140 | }, 141 | { 142 | "cell_type": "code", 143 | "execution_count": 116, 144 | "id": "e8d6a5f9-050e-4357-9f7b-7260dcff0248", 145 | "metadata": {}, 146 | "outputs": [], 147 | "source": [ 148 | "def mw_decryypt(decrypted_AES_Data,AES_d_length,encrypted_blob_,index_val,max_index_):\n", 149 | " flag = 1\n", 150 | " ref_index_val=index_val\n", 151 | " X=0\n", 152 | " decrypted_string=\"\"\n", 153 | " while encrypted_blob_[ref_index_val] != decrypted_AES_Data[ref_index_val%AES_d_length]:\n", 154 | " ref_index_val+=1\n", 155 | " if ref_index_val >= max_index_:\n", 156 | " flag=0\n", 157 | " break\n", 158 | " if flag:\n", 159 | " X = ref_index_val - index_val\n", 160 | "\n", 161 | " for i in range(0,X):\n", 162 | " xor_val =encrypted_blob_[index_val + i] ^ decrypted_AES_Data[(index_val +i) % AES_d_length]\n", 163 | " decrypted_string+=chr(xor_val)\n", 164 | " return str(decrypted_string)" 165 | ] 166 | }, 167 | { 168 | "cell_type": "code", 169 | "execution_count": 127, 170 | "id": "ec894a04-40ec-4998-a986-fa2d55ffe202", 171 | "metadata": {}, 172 | "outputs": [], 173 | "source": [ 174 | "# Example usage:\n", 175 | "#input_data = b'This is the data for session key derivation.'\n", 176 | "def decrypt_1():\n", 177 | " encrypted_data,encrypted_blob,key_to_be_hashed = get_data()\n", 178 | " session_key = derive_session_key(key_to_be_hashed)\n", 179 | " \n", 180 | " \n", 181 | " decrypted_data,orginal_len = decrypt_data_using_AES(encrypted_data, session_key)\n", 182 | " decrypted_data=list(decrypted_data)\n", 183 | " decrypted_data[orginal_len]=0x00\n", 184 | " decrypted_data=decrypted_data[:orginal_len + 1]\n", 185 | " max_index = 0x165b\n", 186 | " idx=0\n", 187 | " while idx {dec_str}\")\n", 190 | " idx +=len(dec_str)+1\n", 191 | " print(\"_______________________________________________________\")\n", 192 | " \n", 193 | " \n", 194 | "def decrypt_2():\n", 195 | " encrypted_data,encrypted_blob,key_to_be_hashed = get_data_2()\n", 196 | " session_key = derive_session_key(key_to_be_hashed)\n", 197 | " \n", 198 | " \n", 199 | " decrypted_data,orginal_len = decrypt_data_using_AES(encrypted_data, session_key)\n", 200 | " decrypted_data=list(decrypted_data)\n", 201 | " decrypted_data[orginal_len]=0x00\n", 202 | " decrypted_data=decrypted_data[:orginal_len + 1]\n", 203 | " max_index=0x5AB\n", 204 | " idx=0\n", 205 | " while idx {dec_str}\")\n", 209 | " idx +=len(dec_str)+1\n", 210 | " print(\"_______________________________________________________\")\n", 211 | "\n", 212 | "def decrypt_3():\n", 213 | " encrypted_data,encrypted_blob,key_to_be_hashed = get_data_3()\n", 214 | " session_key = derive_session_key(key_to_be_hashed)\n", 215 | " decrypted_data,orginal_len = decrypt_data_using_AES(encrypted_data, session_key)\n", 216 | " decrypted_data=list(decrypted_data)\n", 217 | " decrypted_data[orginal_len]=0x00\n", 218 | " decrypted_data=decrypted_data[:orginal_len + 1]\n", 219 | " max_index= 0x9\n", 220 | " idx = 0x00\n", 221 | " dec_str=mw_decryypt(decrypted_data,orginal_len,encrypted_blob,idx,max_index)\n", 222 | " print(dec_str)\n" 223 | ] 224 | }, 225 | { 226 | "cell_type": "code", 227 | "execution_count": 129, 228 | "id": "08fad3ae-f494-4b21-b46e-f6668d97ab12", 229 | "metadata": {}, 230 | "outputs": [ 231 | { 232 | "name": "stdout", 233 | "output_type": "stream", 234 | "text": [ 235 | "0x0 --> powershell.exe -encodedCommand \n", 236 | "_______________________________________________________\n", 237 | "0x20 --> SoNuce]ugdiB3c[doMuce2s81*uXmcvP\n", 238 | "_______________________________________________________\n", 239 | "0x41 --> %s \"$%s = \\\"%s\\\"; & $%s\"\n", 240 | "_______________________________________________________\n", 241 | "0x5a --> net view\n", 242 | "_______________________________________________________\n", 243 | "0x63 --> Start screenshot\n", 244 | "_______________________________________________________\n", 245 | "0x74 --> /c ping.exe -n 6 127.0.0.1 & type \"%s\\System32\\calc.exe\" > \"%s\"\n", 246 | "_______________________________________________________\n", 247 | "0xb6 --> %s.%u\n", 248 | "_______________________________________________________\n", 249 | "0xbc --> whoami /all\n", 250 | "_______________________________________________________\n", 251 | "0xc8 --> Self test OK.\n", 252 | "_______________________________________________________\n", 253 | "0xd6 --> qwinsta\n", 254 | "_______________________________________________________\n", 255 | "0xde --> cmd\n", 256 | "_______________________________________________________\n", 257 | "0xe2 --> SELF_TEST_1\n", 258 | "_______________________________________________________\n", 259 | "0xee --> adrclient.dll\n", 260 | "_______________________________________________________\n", 261 | "0xfc --> %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d\n", 262 | "_______________________________________________________\n", 263 | "0x155 --> ewW300ns6&6HyygkKzfVVCJHq210vQLq7*uCNorQns\n", 264 | "_______________________________________________________\n", 265 | "0x180 --> nltest /domain_trusts /all_trusts\n", 266 | "_______________________________________________________\n", 267 | "0x1a2 --> %s \\\"$%s = \\\\\\\"%s\\\\\\\\; & $%s\\\"\n", 268 | "_______________________________________________________\n", 269 | "0x1c1 --> ProgramData\n", 270 | "_______________________________________________________\n", 271 | "0x1cd --> nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s\n", 272 | "_______________________________________________________\n", 273 | "0x209 --> runas\n", 274 | "_______________________________________________________\n", 275 | "0x20f --> powershell.exe -encodedCommand %S\n", 276 | "_______________________________________________________\n", 277 | "0x231 --> ipconfig /all\n", 278 | "_______________________________________________________\n", 279 | "0x23f --> %u;%u;%u;\n", 280 | "_______________________________________________________\n", 281 | "0x249 --> route print\n", 282 | "_______________________________________________________\n", 283 | "0x255 --> schtasks.exe /Delete /F /TN %u\n", 284 | "_______________________________________________________\n", 285 | "0x274 --> schtasks.exe /Create /RU \"NT AUTHORITY\\SYSTEM\" /SC ONSTART /TN %u /TR \"%s\" /NP /F\n", 286 | "_______________________________________________________\n", 287 | "0x2c6 --> error res='%s' err=%d len=%u\n", 288 | "_______________________________________________________\n", 289 | "0x2e3 --> c:\\ProgramData\n", 290 | "_______________________________________________________\n", 291 | "0x2f2 --> Component_08\n", 292 | "_______________________________________________________\n", 293 | "0x2ff --> netstat -nao\n", 294 | "_______________________________________________________\n", 295 | "0x30c --> Self check\n", 296 | "_______________________________________________________\n", 297 | "0x317 --> at.exe %u:%u \"%s\" /I\n", 298 | "_______________________________________________________\n", 299 | "0x32c --> /teorema505\n", 300 | "_______________________________________________________\n", 301 | "0x338 --> Microsoft\n", 302 | "_______________________________________________________\n", 303 | "0x342 --> Component_07\n", 304 | "_______________________________________________________\n", 305 | "0x34f --> microsoft.com,google.com,kernel.org,www.wikipedia.org,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com\n", 306 | "_______________________________________________________\n", 307 | "0x3d5 --> p%08x\n", 308 | "_______________________________________________________\n", 309 | "0x3db --> SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\n", 310 | "_______________________________________________________\n", 311 | "0x414 --> powershell.exe\n", 312 | "_______________________________________________________\n", 313 | "0x423 --> \"%s\\system32\\schtasks.exe\" /Create /ST %02u:%02u /RU \"NT AUTHORITY\\SYSTEM\" /SC ONCE /tr \"%s\" /Z /ET %02u:%02u /tn %s\n", 314 | "_______________________________________________________\n", 315 | "0x498 --> arp -a\n", 316 | "_______________________________________________________\n", 317 | "0x49f --> .lnk\n", 318 | "_______________________________________________________\n", 319 | "0x4a4 --> ERROR: GetModuleFileNameW() failed with error: %u\n", 320 | "_______________________________________________________\n", 321 | "0x4d6 --> net localgroup\n", 322 | "_______________________________________________________\n", 323 | "0x4e5 --> cmd.exe /c set\n", 324 | "_______________________________________________________\n", 325 | "0x4f4 --> ProfileImagePath\n", 326 | "_______________________________________________________\n", 327 | "0x505 --> \\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n", 328 | "_______________________________________________________\n", 329 | "0x535 --> Self test FAILED!!!\n", 330 | "_______________________________________________________\n", 331 | "0x549 --> net share\n", 332 | "_______________________________________________________\n", 333 | "0x553 --> Self check ok!\n", 334 | "_______________________________________________________\n", 335 | "0x562 --> ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER\n", 336 | "_______________________________________________________\n" 337 | ] 338 | } 339 | ], 340 | "source": [ 341 | "#decrypt_1()\n", 342 | "decrypt_2()\n", 343 | "#decrypt_3()" 344 | ] 345 | }, 346 | { 347 | "cell_type": "code", 348 | "execution_count": null, 349 | "id": "cd3b11ab-1afe-4bfe-9652-62d766bad844", 350 | "metadata": {}, 351 | "outputs": [], 352 | "source": [] 353 | }, 354 | { 355 | "cell_type": "code", 356 | "execution_count": null, 357 | "id": "5dfbe40f-42c7-4513-94b4-374335da9940", 358 | "metadata": {}, 359 | "outputs": [], 360 | "source": [] 361 | } 362 | ], 363 | "metadata": { 364 | "kernelspec": { 365 | "display_name": "Python 3 (ipykernel)", 366 | "language": "python", 367 | "name": "python3" 368 | }, 369 | "language_info": { 370 | "codemirror_mode": { 371 | "name": "ipython", 372 | "version": 3 373 | }, 374 | "file_extension": ".py", 375 | "mimetype": "text/x-python", 376 | "name": "python", 377 | "nbconvert_exporter": "python", 378 | "pygments_lexer": "ipython3", 379 | "version": "3.9.9" 380 | } 381 | }, 382 | "nbformat": 4, 383 | "nbformat_minor": 5 384 | } 385 | -------------------------------------------------------------------------------- /Qbot_Dec_2023/README.md: -------------------------------------------------------------------------------- 1 | Blob 1 #0x0 --> displayName 2 | _______________________________________________________ 3 | Blob 1 #0xc --> ws2_32.dll 4 | _______________________________________________________ 5 | Blob 1 #0x17 --> image/jpeg 6 | _______________________________________________________ 7 | Blob 1 #0x22 --> aswhooka.dll 8 | _______________________________________________________ 9 | Blob 1 #0x2f --> cmd.exe 10 | _______________________________________________________ 11 | Blob 1 #0x37 --> LOCALAPPDATA 12 | _______________________________________________________ 13 | Blob 1 #0x44 --> gdi32.dll 14 | _______________________________________________________ 15 | Blob 1 #0x4e --> egui.exe;ekrn.exe 16 | _______________________________________________________ 17 | Blob 1 #0x60 --> System32 18 | _______________________________________________________ 19 | Blob 1 #0x69 --> hvsi 20 | _______________________________________________________ 21 | Blob 1 #0x6e --> %SystemRoot%\System32\wextract.exe 22 | _______________________________________________________ 23 | Blob 1 #0x91 --> netapi32.dll 24 | _______________________________________________________ 25 | Blob 1 #0x9e --> FALSE 26 | _______________________________________________________ 27 | Blob 1 #0xa4 --> ByteFence.exe 28 | _______________________________________________________ 29 | Blob 1 #0xb2 --> Win32_PhysicalMemory 30 | _______________________________________________________ 31 | Blob 1 #0xc7 --> %SystemRoot%\explorer.exe 32 | _______________________________________________________ 33 | Blob 1 #0xe1 --> 1234567890 34 | _______________________________________________________ 35 | Blob 1 #0xec --> SonicWallClientProtectionService.exe;SWDash.exe 36 | _______________________________________________________ 37 | Blob 1 #0x11c --> open 38 | _______________________________________________________ 39 | Blob 1 #0x121 --> shlwapi.dll 40 | _______________________________________________________ 41 | Blob 1 #0x12d --> %SystemRoot%\System32\wermgr.exe 42 | _______________________________________________________ 43 | Blob 1 #0x14e --> urlmon.dll 44 | _______________________________________________________ 45 | Blob 1 #0x159 --> winsta0\default 46 | _______________________________________________________ 47 | Blob 1 #0x169 --> frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe 48 | _______________________________________________________ 49 | Blob 1 #0x3ff --> %SystemRoot%\System32\SearchIndexer.exe 50 | _______________________________________________________ 51 | Blob 1 #0x427 --> Win32_Product 52 | _______________________________________________________ 53 | Blob 1 #0x435 --> pstorec.dll 54 | _______________________________________________________ 55 | Blob 1 #0x441 --> csc_ui.exe 56 | _______________________________________________________ 57 | Blob 1 #0x44c --> */* 58 | _______________________________________________________ 59 | Blob 1 #0x450 --> shell32.dll 60 | _______________________________________________________ 61 | Blob 1 #0x45c --> Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe 62 | _______________________________________________________ 63 | Blob 1 #0x49a --> %SystemRoot%\System32\Utilman.exe 64 | _______________________________________________________ 65 | Blob 1 #0x4bc --> MsMpEng.exe 66 | _______________________________________________________ 67 | Blob 1 #0x4c8 --> SOFTWARE\Microsoft\Windows Defender\SpyNet 68 | _______________________________________________________ 69 | Blob 1 #0x4f3 --> coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe 70 | _______________________________________________________ 71 | Blob 1 #0x522 --> snxhk_border_mywnd 72 | _______________________________________________________ 73 | Blob 1 #0x535 --> Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") 74 | Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") 75 | For Each objFile in colFiles 76 | objFile.Copy("%s") 77 | Next 78 | _______________________________________________________ 79 | Blob 1 #0x621 --> user32.dll 80 | _______________________________________________________ 81 | Blob 1 #0x62c --> application/x-shockwave-flash 82 | _______________________________________________________ 83 | Blob 1 #0x64a --> kernelbase.dll 84 | _______________________________________________________ 85 | Blob 1 #0x659 --> bdagent.exe;vsserv.exe;vsservppl.exe 86 | _______________________________________________________ 87 | Blob 1 #0x67e --> %SystemRoot%\SysWOW64\wermgr.exe 88 | _______________________________________________________ 89 | Blob 1 #0x69f --> root\SecurityCenter2 90 | _______________________________________________________ 91 | Blob 1 #0x6b4 --> %s\%08X.dll 92 | _______________________________________________________ 93 | Blob 1 #0x6c0 --> Packages 94 | _______________________________________________________ 95 | Blob 1 #0x6c9 --> SubmitSamplesConsent 96 | _______________________________________________________ 97 | Blob 1 #0x6de --> %S.%06d 98 | _______________________________________________________ 99 | Blob 1 #0x6e6 --> WRSA.exe 100 | _______________________________________________________ 101 | Blob 1 #0x6ef --> Create 102 | _______________________________________________________ 103 | Blob 1 #0x6f6 --> Win32_DiskDrive 104 | _______________________________________________________ 105 | Blob 1 #0x706 --> ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe 106 | _______________________________________________________ 107 | Blob 1 #0x733 --> Content-Type: application/x-www-form-urlencoded 108 | _______________________________________________________ 109 | Blob 1 #0x763 --> MBAMService.exe;mbamgui.exe 110 | _______________________________________________________ 111 | Blob 1 #0x77f --> kernel32.dll 112 | _______________________________________________________ 113 | Blob 1 #0x78c --> .cfg 114 | _______________________________________________________ 115 | Blob 1 #0x791 --> abcdefghijklmnopqrstuvwxyz 116 | _______________________________________________________ 117 | Blob 1 #0x7ac --> regsvr32.exe 118 | _______________________________________________________ 119 | Blob 1 #0x7ba --> mcshield.exe 120 | _______________________________________________________ 121 | Blob 1 #0x7c7 --> t=%s time=[%02d:%02d:%02d-%02d/%02d/%d] 122 | _______________________________________________________ 123 | Blob 1 #0x7ef --> %s\system32\ 124 | _______________________________________________________ 125 | Blob 1 #0x7fc --> %SystemRoot%\System32\backgroundTaskHost.exe 126 | _______________________________________________________ 127 | Blob 1 #0x829 --> aswhookx.dll 128 | _______________________________________________________ 129 | Blob 1 #0x836 --> %SystemRoot%\SysWOW64\CertEnrollCtrl.exe 130 | _______________________________________________________ 131 | Blob 1 #0x85f --> APPDATA 132 | _______________________________________________________ 133 | Blob 1 #0x867 --> SELECT * FROM AntiVirusProduct 134 | _______________________________________________________ 135 | Blob 1 #0x886 --> fmon.exe 136 | _______________________________________________________ 137 | Blob 1 #0x88f --> WQL 138 | _______________________________________________________ 139 | Blob 1 #0x893 --> \sf2.dll 140 | _______________________________________________________ 141 | Blob 1 #0x89c --> %SystemRoot%\SysWOW64\mspaint.exe 142 | _______________________________________________________ 143 | Blob 1 #0x8be --> NTUSER.DAT 144 | _______________________________________________________ 145 | Blob 1 #0x8c9 --> Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName 146 | _______________________________________________________ 147 | Blob 1 #0x912 --> https 148 | _______________________________________________________ 149 | Blob 1 #0x918 --> %SystemRoot%\explorer.exe 150 | _______________________________________________________ 151 | Blob 1 #0x932 --> %SystemRoot%\SysWOW64\WerFault.exe 152 | _______________________________________________________ 153 | Blob 1 #0x955 --> Win32_PnPEntity 154 | _______________________________________________________ 155 | Blob 1 #0x965 --> SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet 156 | _______________________________________________________ 157 | Blob 1 #0x995 --> image/gif 158 | _______________________________________________________ 159 | Blob 1 #0x99f --> iphlpapi.dll 160 | _______________________________________________________ 161 | Blob 1 #0x9ac --> ntdll.dll 162 | _______________________________________________________ 163 | Blob 1 #0x9b6 --> \\.\pipe\ 164 | _______________________________________________________ 165 | Blob 1 #0x9c0 --> Caption 166 | _______________________________________________________ 167 | Blob 1 #0x9c8 --> CommandLine 168 | _______________________________________________________ 169 | Blob 1 #0x9d4 --> wpcap.dll 170 | _______________________________________________________ 171 | Blob 1 #0x9de --> userenv.dll 172 | _______________________________________________________ 173 | Blob 1 #0x9ea --> Win32_Bios 174 | _______________________________________________________ 175 | Blob 1 #0x9f5 --> %SystemRoot%\SysWOW64\wextract.exe 176 | _______________________________________________________ 177 | Blob 1 #0xa18 --> %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe 178 | _______________________________________________________ 179 | Blob 1 #0xa4e --> WScript.Sleep %u 180 | Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") 181 | Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") 182 | errReturn = objProcess.Create("%s", null, nul, nul) 183 | WSCript.Sleep 2000 184 | Set fso = CreateObject("Scripting.FileSystemObject") 185 | fso.DeleteFile("%s") 186 | _______________________________________________________ 187 | Blob 1 #0xb90 --> vkise.exe;isesrv.exe;cmdagent.exe 188 | _______________________________________________________ 189 | Blob 1 #0xbb2 --> %SystemRoot%\SysWOW64\sethc.exe 190 | _______________________________________________________ 191 | Blob 1 #0xbd2 --> %SystemRoot%\System32\WerFault.exe 192 | _______________________________________________________ 193 | Blob 1 #0xbf5 --> mpr.dll 194 | _______________________________________________________ 195 | Blob 1 #0xbfd --> %SystemRoot%\System32\dxdiag.exe 196 | _______________________________________________________ 197 | Blob 1 #0xc1e --> %SystemRoot%\System32\mspaint.exe 198 | _______________________________________________________ 199 | Blob 1 #0xc40 --> Win32_ComputerSystem 200 | _______________________________________________________ 201 | Blob 1 #0xc55 --> avp.exe;kavtray.exe 202 | _______________________________________________________ 203 | Blob 1 #0xc69 --> vbs 204 | _______________________________________________________ 205 | Blob 1 #0xc6d --> Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0 206 | _______________________________________________________ 207 | Blob 1 #0xcaf --> SysWOW64 208 | _______________________________________________________ 209 | Blob 1 #0xcb8 --> from 210 | _______________________________________________________ 211 | Blob 1 #0xcbf --> %ProgramFiles(x86)%\Internet Explorer\iexplore.exe 212 | _______________________________________________________ 213 | Blob 1 #0xcf2 --> SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet 214 | _______________________________________________________ 215 | Blob 1 #0xd29 --> c:\\ 216 | _______________________________________________________ 217 | Blob 1 #0xd2e --> S:(ML;;NW;;;LW) 218 | _______________________________________________________ 219 | Blob 1 #0xd3e --> %ProgramFiles%\Internet Explorer\iexplore.exe 220 | _______________________________________________________ 221 | Blob 1 #0xd6c --> CSFalconService.exe;CSFalconContainer.exe 222 | _______________________________________________________ 223 | Blob 1 #0xd96 --> %SystemRoot%\SysWOW64\SearchIndexer.exe 224 | _______________________________________________________ 225 | Blob 1 #0xdbe --> Software\Classes 226 | _______________________________________________________ 227 | Blob 1 #0xdcf --> Winsta0 228 | _______________________________________________________ 229 | Blob 1 #0xdd7 --> %SystemRoot%\System32\CertEnrollCtrl.exe 230 | _______________________________________________________ 231 | Blob 1 #0xe00 --> SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet 232 | _______________________________________________________ 233 | Blob 1 #0xe32 --> aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz 234 | _______________________________________________________ 235 | Blob 1 #0xe59 --> %SystemRoot%\SysWOW64\explorer.exe 236 | _______________________________________________________ 237 | Blob 1 #0xe7c --> SELECT * FROM Win32_Processor 238 | _______________________________________________________ 239 | Blob 1 #0xe9a --> CynetEPS.exe;CynetMS.exe;CynetConsole.exe 240 | _______________________________________________________ 241 | Blob 1 #0xec4 --> %SystemRoot%\SysWOW64\AtBroker.exe 242 | _______________________________________________________ 243 | Blob 1 #0xee7 --> LocalLow 244 | _______________________________________________________ 245 | Blob 1 #0xef0 --> Name 246 | _______________________________________________________ 247 | Blob 1 #0xef5 --> TRUE 248 | _______________________________________________________ 249 | Blob 1 #0xefa --> aabcdeefghiijklmnoopqrstuuvwxyyz 250 | _______________________________________________________ 251 | Blob 1 #0xf1b --> reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s" 252 | _______________________________________________________ 253 | Blob 1 #0xf4a --> type=0x%04X 254 | _______________________________________________________ 255 | Blob 1 #0xf56 --> SELECT * FROM Win32_OperatingSystem 256 | _______________________________________________________ 257 | Blob 1 #0xf7a --> Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") 258 | Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") 259 | errReturn = objProcess.Create("%s", null, nul, nul) 260 | _______________________________________________________ 261 | Blob 1 #0x104e --> %SystemRoot%\SysWOW64\Utilman.exe 262 | _______________________________________________________ 263 | Blob 1 #0x1070 --> fshoster32.exe 264 | _______________________________________________________ 265 | Blob 1 #0x107f --> %SystemRoot%\SysWOW64\xwizard.exe 266 | _______________________________________________________ 267 | Blob 1 #0x10a1 --> wbj.go 268 | _______________________________________________________ 269 | Blob 1 #0x10a8 --> %u.%u.%u.%u.%u.%u.%04x 270 | _______________________________________________________ 271 | Blob 1 #0x10bf --> .exe 272 | _______________________________________________________ 273 | Blob 1 #0x10c4 --> %SystemRoot%\System32\mobsync.exe 274 | _______________________________________________________ 275 | Blob 1 #0x10e6 --> SpyNetReporting 276 | _______________________________________________________ 277 | Blob 1 #0x10f6 --> %SystemRoot%\SysWOW64\explorer.exe 278 | _______________________________________________________ 279 | Blob 1 #0x1119 --> WBJ_IGNORE 280 | _______________________________________________________ 281 | Blob 1 #0x1124 --> wininet.dll 282 | _______________________________________________________ 283 | Blob 1 #0x1130 --> RepUx.exe 284 | _______________________________________________________ 285 | Blob 1 #0x113a --> C:\INTERNAL\__empty 286 | _______________________________________________________ 287 | Blob 1 #0x114e --> cscript.exe 288 | _______________________________________________________ 289 | Blob 1 #0x115a --> .dll 290 | _______________________________________________________ 291 | Blob 1 #0x115f --> CrAmTray.exe 292 | _______________________________________________________ 293 | Blob 1 #0x116c --> %SystemRoot%\System32\sethc.exe 294 | _______________________________________________________ 295 | Blob 1 #0x118c --> %SystemRoot%\System32\grpconv.exe 296 | _______________________________________________________ 297 | Blob 1 #0x11ae --> %SystemRoot%\SysWOW64\dxdiag.exe 298 | _______________________________________________________ 299 | Blob 1 #0x11cf --> ALLUSERSPROFILE 300 | _______________________________________________________ 301 | Blob 1 #0x11df --> avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe 302 | _______________________________________________________ 303 | Blob 1 #0x1205 --> wtsapi32.dll 304 | _______________________________________________________ 305 | Blob 1 #0x1212 --> %SystemRoot%\System32\AtBroker.exe 306 | _______________________________________________________ 307 | Blob 1 #0x1235 --> crypt32.dll 308 | _______________________________________________________ 309 | Blob 1 #0x1241 --> Win32_Process 310 | _______________________________________________________ 311 | Blob 1 #0x124f --> AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe 312 | _______________________________________________________ 313 | Blob 1 #0x12a2 --> c:\hiberfil.sysss 314 | _______________________________________________________ 315 | Blob 1 #0x12b4 --> %SystemRoot%\System32\SndVol.exe 316 | _______________________________________________________ 317 | Blob 1 #0x12d5 --> SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths 318 | _______________________________________________________ 319 | Blob 1 #0x130f --> xagtnotif.exe;AppUIMonitor.exe 320 | _______________________________________________________ 321 | Blob 1 #0x132e --> {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X} 322 | _______________________________________________________ 323 | Blob 1 #0x1375 --> bcrypt.dll 324 | _______________________________________________________ 325 | Blob 1 #0x1380 --> image/pjpeg 326 | _______________________________________________________ 327 | Blob 1 #0x138c --> wmic process call create 'expand "%S" "%S"' 328 | 329 | _______________________________________________________ 330 | Blob 1 #0x13b9 --> select 331 | _______________________________________________________ 332 | Blob 1 #0x13c1 --> %SystemRoot%\SysWOW64\grpconv.exe 333 | _______________________________________________________ 334 | Blob 1 #0x13e3 --> LastBootUpTime 335 | _______________________________________________________ 336 | Blob 1 #0x13f2 --> dwengine.exe;dwarkdaemon.exe;dwwatcher.exe 337 | _______________________________________________________ 338 | Blob 1 #0x141d --> %SystemRoot%\SysWOW64\mobsync.exe 339 | _______________________________________________________ 340 | Blob 1 #0x143f --> %SystemRoot%\SysWOW64\backgroundTaskHost.exe 341 | _______________________________________________________ 342 | Blob 1 #0x146c --> %SystemRoot%\SysWOW64\SndVol.exe 343 | _______________________________________________________ 344 | Blob 1 #0x148d --> SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths 345 | _______________________________________________________ 346 | Blob 1 #0x14c2 --> .dat 347 | _______________________________________________________ 348 | Blob 1 #0x14c7 --> rundll32.exe 349 | _______________________________________________________ 350 | Blob 1 #0x14d5 --> SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe 351 | _______________________________________________________ 352 | Blob 1 #0x1547 --> Initializing database... 353 | _______________________________________________________ 354 | Blob 1 #0x1560 --> advapi32.dll 355 | _______________________________________________________ 356 | Blob 1 #0x156d --> %ProgramFiles%\Windows Media Player\wmplayer.exe 357 | _______________________________________________________ 358 | Blob 1 #0x159e --> ROOT\CIMV2 359 | _______________________________________________________ 360 | Blob 1 #0x15a9 --> setupapi.dll 361 | _______________________________________________________ 362 | Blob 1 #0x15b6 --> %SystemRoot%\System32\xwizard.exe 363 | _______________________________________________________ 364 | Blob 1 #0x15d8 --> Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status 365 | _______________________________________________________ 366 | Blob 1 #0x1622 --> SystemRoot 367 | _______________________________________________________ 368 | Blob 1 #0x162d --> SOFTWARE\Microsoft\Windows\CurrentVersion\Run 369 | _______________________________________________________ 370 | Blob 2 #0x0 --> powershell.exe -encodedCommand 371 | _______________________________________________________ 372 | Blob 2 #0x20 --> SoNuce]ugdiB3c[doMuce2s81*uXmcvP 373 | _______________________________________________________ 374 | Blob 2 #0x41 --> %s "$%s = \"%s\"; & $%s" 375 | _______________________________________________________ 376 | Blob 2 #0x5a --> net view 377 | _______________________________________________________ 378 | Blob 2 #0x63 --> Start screenshot 379 | _______________________________________________________ 380 | Blob 2 #0x74 --> /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s" 381 | _______________________________________________________ 382 | Blob 2 #0xb6 --> %s.%u 383 | _______________________________________________________ 384 | Blob 2 #0xbc --> whoami /all 385 | _______________________________________________________ 386 | Blob 2 #0xc8 --> Self test OK. 387 | _______________________________________________________ 388 | Blob 2 #0xd6 --> qwinsta 389 | _______________________________________________________ 390 | Blob 2 #0xde --> cmd 391 | _______________________________________________________ 392 | Blob 2 #0xe2 --> SELF_TEST_1 393 | _______________________________________________________ 394 | Blob 2 #0xee --> adrclient.dll 395 | _______________________________________________________ 396 | Blob 2 #0xfc --> %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d 397 | _______________________________________________________ 398 | Blob 2 #0x155 --> ewW300ns6&6HyygkKzfVVCJHq210vQLq7*uCNorQns 399 | _______________________________________________________ 400 | Blob 2 #0x180 --> nltest /domain_trusts /all_trusts 401 | _______________________________________________________ 402 | Blob 2 #0x1a2 --> %s \"$%s = \\\"%s\\\\; & $%s\" 403 | _______________________________________________________ 404 | Blob 2 #0x1c1 --> ProgramData 405 | _______________________________________________________ 406 | Blob 2 #0x1cd --> nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s 407 | _______________________________________________________ 408 | Blob 2 #0x209 --> runas 409 | _______________________________________________________ 410 | Blob 2 #0x20f --> powershell.exe -encodedCommand %S 411 | _______________________________________________________ 412 | Blob 2 #0x231 --> ipconfig /all 413 | _______________________________________________________ 414 | Blob 2 #0x23f --> %u;%u;%u; 415 | _______________________________________________________ 416 | Blob 2 #0x249 --> route print 417 | _______________________________________________________ 418 | Blob 2 #0x255 --> schtasks.exe /Delete /F /TN %u 419 | _______________________________________________________ 420 | Blob 2 #0x274 --> schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F 421 | _______________________________________________________ 422 | Blob 2 #0x2c6 --> error res='%s' err=%d len=%u 423 | _______________________________________________________ 424 | Blob 2 #0x2e3 --> c:\ProgramData 425 | _______________________________________________________ 426 | Blob 2 #0x2f2 --> Component_08 427 | _______________________________________________________ 428 | Blob 2 #0x2ff --> netstat -nao 429 | _______________________________________________________ 430 | Blob 2 #0x30c --> Self check 431 | _______________________________________________________ 432 | Blob 2 #0x317 --> at.exe %u:%u "%s" /I 433 | _______________________________________________________ 434 | Blob 2 #0x32c --> /teorema505 435 | _______________________________________________________ 436 | Blob 2 #0x338 --> Microsoft 437 | _______________________________________________________ 438 | Blob 2 #0x342 --> Component_07 439 | _______________________________________________________ 440 | Blob 2 #0x34f --> microsoft.com,google.com,kernel.org,www.wikipedia.org,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com 441 | _______________________________________________________ 442 | Blob 2 #0x3d5 --> p%08x 443 | _______________________________________________________ 444 | Blob 2 #0x3db --> SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList 445 | _______________________________________________________ 446 | Blob 2 #0x414 --> powershell.exe 447 | _______________________________________________________ 448 | Blob 2 #0x423 --> "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s 449 | _______________________________________________________ 450 | Blob 2 #0x498 --> arp -a 451 | _______________________________________________________ 452 | Blob 2 #0x49f --> .lnk 453 | _______________________________________________________ 454 | Blob 2 #0x4a4 --> ERROR: GetModuleFileNameW() failed with error: %u 455 | _______________________________________________________ 456 | Blob 2 #0x4d6 --> net localgroup 457 | _______________________________________________________ 458 | Blob 2 #0x4e5 --> cmd.exe /c set 459 | _______________________________________________________ 460 | Blob 2 #0x4f4 --> ProfileImagePath 461 | _______________________________________________________ 462 | Blob 2 #0x505 --> \System32\WindowsPowerShell\v1.0\powershell.exe 463 | _______________________________________________________ 464 | Blob 2 #0x535 --> Self test FAILED!!! 465 | _______________________________________________________ 466 | Blob 2 #0x549 --> net share 467 | _______________________________________________________ 468 | Blob 2 #0x553 --> Self check ok! 469 | _______________________________________________________ 470 | Blob 2 #0x562 --> ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER 471 | _______________________________________________________ 472 | %u&%s&%u 473 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Malwares Decryptors 2 | -------------------------------------------------------------------------------- /Smoke Loader/3 Stage Config Extractor.py: -------------------------------------------------------------------------------- 1 | from Crypto.Cipher import ARC4 2 | 3 | ipher = ARC4.new(key) 4 | 5 | dump = b'2d0c9bbe0672b7a2519cf8d4899033124f008c6bb854825507baab3d076ae7276985fcd584200e4df89c8467de25243780ac0276ecff1ba4dbcec485330e470a9d18835f855f19a2ab76494ef2323887e7d3840c058bbc1771e4be4cd6f2cbcb092880a91775e4e210c20b1483bf1168e3d20d91ecc206119caf0432bf08058bbc1771e4be4c06119da61b6ee3050b83af4533071386a41e75f9fd06139cf82932bf060081b91771e4071787af1a6dbebf071787a60160fde40a1799a92064fffe1797f807328ab80568e2e3044a8da30204419c8c300441dff80e0a419cef4639d5a84ec0ce0c41efb9765d8da87e9096d4a70841efb976248dfe7e1c16efaf76668dfe7e8e96d5a7c45c4f284ce96bca42f11a6be9ce71691241ef8b76518ddd7ebc96e6a7a35c3c2849e90c41ef9e76448dc07ea89682a7084aefaf76798de87e084aefae766d8de17e084aefa876608df97e205eef90766e8de37e9d9689a7be5c192809e92aca45f1536baace6b696e8a30540834ef8576528dd97e5e27efa5766f8df97e9d96c9a7835c502838e93dca41f15f6bf6ce22696a8a32549895daf6267d419e89aa70b12180ec1110e5b4528b785e1366c5dd547530a8d4f647d1ab1d6d6af25586f5ca7bfb7ddf1250858716b75b46ac95d0bc915b080befba76648de37e102cefa576728df97ec29687a7d25c0e280a34ef9e76308dbd7eb5962655eff376388db47ed59696a7c65c50285fe974ca65f10a6bfcce38693b8a7254d29586f67f7d4222efa376738de87e9e96c8a78f5c5d2828e921ca57f15b6bb9ce6e697f8a6254aa95c4f6207d559e9baa61b13a80a3113fe5fc5296781d1365c58a542730edd4e3474425efa976628de87e8896d3a7cd5c5d2846e96bca1bf1376bc6ce50696e8a24548d95c4f62a7d509ed2aa24b12080f7110ae5eb52c9785c133ec58f545130a0d4e34791ab4625efa976628de87e8896d3a7cd5c5d2846e96bca1bf1376bc6ce50696e8a24548d95c4f62a7d509ed2aa24b12080f7110ae5eb52807849133ec585542730d6d4b547cdab406d084aefa9766e8de07e084aefa576738dea7e084aefa476648df97e1801efb276718de17e9796d5a7925c0f2842e921ca49f15f6b' 6 | dump= binascii.unhexlify(dump) 7 | index = 0 8 | key =0x246FC425 9 | while index < len(dump): 10 | enc_length = str_data[index] #inspired from HerraCore @oalabs 11 | x = rc4crypt(dump[index+1:index+1+enc_length], struct.pack(' [Aziz Farghly](https://farghlymal.github.io/SmokeLoader-Analysis/) 5 | 6 | # Hashes 7 | C6BA6E91D40AA1507775077F9662ECB25C9F0943\ 8 | B450EB89D7EA250547333228E6820A52F22BABB2 9 | 10 | # Extracted C2 11 | hxxp://185.215.113.68/fks/index.php 12 | # Decrypted Config 13 | 14 | b'https://dns.google/resolve?name=microsoft.com' 15 | 16 | b'Software\\Microsoft\\Internet Explorer' 17 | 18 | b'advapi32.dll' 19 | 20 | b'Location:' 21 | 22 | b'plugin_size' 23 | 24 | b'user32' 25 | 26 | b'advapi32' 27 | 28 | b'urlmon' 29 | 30 | b'ole32' 31 | 32 | b'winhttp' 33 | 34 | b'ws2_32' 35 | 36 | b'dnsapi' 37 | 38 | b'shell32' 39 | 40 | b'shlwapi' 41 | 42 | b'svcVersion' 43 | 44 | b'Version' 45 | 46 | b'.bit' 47 | 48 | b'%sFF' 49 | 50 | b'%02x' 51 | 52 | b'%s%08X%08X' 53 | 54 | b'%s\\%hs' 55 | 56 | b'%s%s' 57 | 58 | b'regsvr32 /s %s' 59 | 60 | b'%APPDATA%' 61 | 62 | b'%TEMP%' 63 | 64 | b'.exe' 65 | 66 | b'.dll' 67 | 68 | b'.bat' 69 | 70 | b':Zone.Identifier' 71 | 72 | b'POST' 73 | 74 | b'Content-Type: application/x-www-form-urlencoded' 75 | 76 | b'open' 77 | 78 | b'Host: %s' 79 | 80 | b'PT10M' 81 | 82 | b'1999-11-30T00:00:00' 83 | 84 | b'Firefox Default Browser Agent %hs' 85 | 86 | b'Accept: */*\r\nReferer: http://%S%s/' 87 | 88 | b'Accept: */*\r\nReferer: https://%S%s/' 89 | b'.com' 90 | b'.org' 91 | b'.net' 92 | b'explorer.exe' 93 | -------------------------------------------------------------------------------- /Smoke Loader/Smoke Loader Deobfuscator.py: -------------------------------------------------------------------------------- 1 | # ref "https://docs.google.com/document/d/10vH-viRghPPg-TD1K2mvOfYktkUS7oGBDVRis--Fp4M/edit?usp=drive_link" @FarghlyMal 2 | # ref "https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/" @_n1ghtw0lf 3 | # ref "https://research.openanalysis.net/smoke/smokeloader/loader/config/yara/triage/2022/08/25/smokeloader.html" @herrcore 4 | # ref "https://github.com/anthonyprintup" @anthonyprintup 5 | 6 | # this script will help you to fix and decrypt the encrypted function which makes our analysis harder. 7 | 8 | import pefile 9 | import binascii 10 | import struct 11 | filepath=r"Malware Path" 12 | decrypted_file =r"path of the file to write the compressed payload after decryption" 13 | x_64_size =0x2E46 # x64 payload size 14 | x_86_size=0x22F8 # x86 payload size 15 | 16 | def get_encrypted_s3(): # this function retrive the encrypted payload of the next stage to decrypt it using another function 17 | pe=pefile.PE(filepath) 18 | for section in pe.sections: 19 | if b'text' in section.Name: 20 | return (section.get_data()[0x463a:0x463a+x_64_size],section.get_data()[0x2342:0x2342+ x_86_size]) 21 | 22 | 23 | def xor_chunk(offset, n,key): # this function decrypts the code of the next function to be executed 24 | ea = 0x400000 + offset 25 | for i in range(n): 26 | byte = ord(idc.get_bytes(ea+4, 1)) 27 | bytekey0x50 28 | idc.patch_byte(a+i, byte) 29 | 30 | 31 | xor_chunk(0x3292,0x2C,0x41) # arguments 1- offset of the function that will be decrypted 2- number of bytes of the function 3-Key for this function 32 | 33 | def xor_chunk_API(offset, n, key, is_big_endian=False): # This function decrypts API Hashes before translating these hashes to API addresses 34 | ea = 0x400000 + offset 35 | for i in range(0, (n//4)*4, 4): 36 | # Get a chunk of 4 bytes 37 | chunk = idc.get_bytes(ea + i, 4) 38 | 39 | # Reverse byte order if using big-endian 40 | if is_big_endian: 41 | chunk = chunk[::-1] 42 | # Convert the bytes to an integer 43 | value = int.from_bytes(chunk, byteorder='little') 44 | # XOR the integer with the key 45 | xor_result = value ^ key 46 | # Convert the result back to bytes 47 | xor_bytes = xor_result.to_bytes(4, byteorder='little') 48 | # Patch the original bytes with the XOR result 49 | idc.patch_bytes(ea + i, xor_bytes) 50 | 51 | 52 | def xor_chunk_s3( data, dword_key, b_key): # this function the third stage 53 | decrypted=b'' 54 | #print(data) 55 | for i in range(0,(len(data)//4)*4,4): # u can replace "(len(data)//4)*4" with size of the stream %4 but you will miss one byte may be 56 | _4_bytes= struct.unpack(" 0: # because the stream may not accept division by 4,so we need to handle the last (1,2,3) bytes 62 | last_decrypted=[] # with one byte as XOR Key. 63 | for byte in data[-last_bytes_len:]: 64 | last_decrypted.append(byte ^ b_key) 65 | print(last_decrypted) 66 | decrypted+=bytes(last_decrypted) 67 | return decrypted 68 | 69 | decrypted_86 = xor_chunk_s3(data_86,0x880BD3F6,0xF6) 70 | size_86=hex(struct.unpack("> 4 )&0xFF) | ((data[b_data[count]] * 4)&0xFF)) 44 | mapped_data.append(((data[b_data[count + 1]] * 16)&0xFF) | ((data[b_data[count + 2 ]] >> 2)&0xFF)) 45 | mapped_data.append((data[b_data[count+3]]) | ((data[b_data[count + 2]] << 6) & 0xFF)) 46 | count+=4 47 | if count >= len(b_data): 48 | break 49 | if (b_data[-1]==0x3d): 50 | mapped_data[-1] = 0 51 | if (b_data[-2]==0x3d): 52 | mapped_data[-2] = 0 53 | byte_array=bytes(mapped_data) 54 | print(rc4_decrypt(byte_array,RC4_Key).decode("utf-8")) 55 | 56 | def extract_and_decrypt(): 57 | pe = pefile.PE(file) 58 | for section in pe.sections: 59 | if b'.rdata' in section.Name : 60 | encrypted_block = section.get_data()[3080:11844] 61 | usefull_chunks=[] 62 | current_chunk=bytearray() 63 | for byte in encrypted_block: 64 | if byte != 0x00: 65 | current_chunk.append(byte) 66 | else: 67 | if current_chunk: 68 | usefull_chunks.append(bytes(current_chunk)) 69 | current_chunk=bytearray() 70 | if current_chunk: 71 | usefull_chunks.append(bytes(current_chunk)) 72 | x=0 73 | for chunk in usefull_chunks: 74 | map_base64_to_enc(chunk,len(chunk)) 75 | x+=1 76 | print(x) 77 | extract_and_decrypt() 78 | -------------------------------------------------------------------------------- /Stealc Stealer/Rename and Comment in IDA.py: -------------------------------------------------------------------------------- 1 | import pefile 2 | import idautils 3 | import idc 4 | import ida_idaapi, ida_kernwin, ida_bytes, ida_name 5 | file = r"file path" 6 | 7 | def rc4_decrypt(ciphertext, key): 8 | # Initialization 9 | S = list(range(256)) 10 | j = 0 11 | key_length = len(key) 12 | plaintext = bytearray(len(ciphertext)) 13 | 14 | for i in range(256): 15 | j = (j + S[i] + key[i % key_length]) % 256 16 | S[i], S[j] = S[j], S[i] 17 | 18 | 19 | i = j = 0 20 | for idx, byte in enumerate(ciphertext): 21 | i = (i + 1) % 256 22 | j = (j + S[i]) % 256 23 | S[i], S[j] = S[j], S[i] 24 | keystream_byte = S[(S[i] + S[j]) % 256] 25 | if byte == 0x00 : #this the modified part of RC4 to ignore null bytes form decryption 26 | continue 27 | else : 28 | plaintext[idx] = byte ^ keystream_byte 29 | 30 | return bytes(plaintext) 31 | 32 | def get_PE_Data(file_name): 33 | pe=pefile.PE(file_name) 34 | for section in pe.sections: 35 | if b'.rdata' in section.Name: 36 | Key = section.get_data()[3056:3076] 37 | encryption_block = section.get_data()[2056:3032] 38 | return Key,encryption_block 39 | 40 | def map_base64_to_enc(b_data,len_of_base): 41 | RC4_Key,data = get_PE_Data(file) 42 | count = 0 43 | mapped_data=[] 44 | for i in range(0,len(b_data),3): 45 | mapped_data.append(((data[b_data[count + 1]] >> 4 )&0xFF) | ((data[b_data[count]] * 4)&0xFF)) 46 | 47 | mapped_data.append(((data[b_data[count + 1]] * 16)&0xFF) | ((data[b_data[count + 2 ]] >> 2)&0xFF)) 48 | 49 | mapped_data.append((data[b_data[count+3]]) | ((data[b_data[count + 2]] << 6) & 0xFF)) 50 | 51 | count+=4 52 | 53 | if count >= len(b_data): 54 | break 55 | if (b_data[-1]==0x3d): 56 | 57 | mapped_data[-1] = 0 58 | if (b_data[-2]==0x3d): 59 | 60 | mapped_data[-2] = 0 61 | 62 | byte_array=bytes(mapped_data) 63 | 64 | return (rc4_decrypt(byte_array,RC4_Key).decode('utf-8',errors='ignore')) 65 | 66 | def Modify_Xrefs(Decryption_routin): 67 | Xrefs = idautils.CodeRefsTo(Decryption_routin,0) 68 | 69 | count=0 70 | for x in Xrefs: 71 | ea = idc.prev_head(x) 72 | inst_type = ida_ua.ua_mnem(ea) 73 | type = idc.get_operand_type(ea,1) 74 | operand_address = idc.get_operand_value(ea,1) 75 | size = 200 76 | data__ = idaapi.get_bytes(operand_address,size) 77 | if operand_address != -1 : 78 | index=data__.index(b'\x00\x00') 79 | count +=1 80 | data__=data__[:index] 81 | decrypted_str = map_base64_to_enc(data__,len(data__)) 82 | idc.set_cmt(x,decrypted_str,0) 83 | print(decrypted_str) 84 | dword_address = idc.next_head(x) 85 | dword_value = idc.get_operand_value(dword_address,0) 86 | rename_operand(dword_value,decrypted_str) 87 | else: 88 | continue 89 | def rename_operand(address,string): 90 | ida_name.set_name(address, string, ida_name.SN_CHECK) 91 | Decryption_fun_address = 0x00403047 92 | Modify_Xrefs(Decryption_fun_address) 93 | -------------------------------------------------------------------------------- /Stealc Stealer/pass and decrypt.py: -------------------------------------------------------------------------------- 1 | # this file contain how the real code looks like , here i am talking about debuggging and testing your code several times so it does not come from the first time :) 2 | import pefile 3 | #import idautils 4 | #import idc 5 | file = r"C:\Users\REM\Desktop\Mal DB\Stealc Stealer\Stealc" 6 | def rc4_decrypt(ciphertext, key): 7 | # Initialization 8 | S = list(range(256)) 9 | j = 0 10 | key_length = len(key) 11 | plaintext = bytearray(len(ciphertext)) 12 | 13 | # Key-scheduling algorithm (KSA) 14 | for i in range(256): 15 | j = (j + S[i] + key[i % key_length]) % 256 16 | S[i], S[j] = S[j], S[i] 17 | 18 | # Pseudo-random generation algorithm (PRGA) and decryption 19 | i = j = 0 20 | for idx, byte in enumerate(ciphertext): 21 | i = (i + 1) % 256 22 | j = (j + S[i]) % 256 23 | S[i], S[j] = S[j], S[i] 24 | keystream_byte = S[(S[i] + S[j]) % 256] 25 | if byte == 0x00 : 26 | continue 27 | else : 28 | plaintext[idx] = byte ^ keystream_byte 29 | 30 | return bytes(plaintext) 31 | 32 | 33 | def get_PE_Data(file_name): 34 | pe=pefile.PE(file_name) 35 | for section in pe.sections: 36 | if b'.rdata' in section.Name: 37 | Key = section.get_data()[3056:3076] 38 | encryption_block = section.get_data()[2056:3032] 39 | return Key,data 40 | 41 | def map_base64_to_enc(b_data,len_of_base): # u can decode it using base64.decode() function but i do it for fun and practice :( 42 | RC4_Key,data = get_PE_Data(file) 43 | count = 0 44 | mapped_data=[] 45 | for i in range(0,len(b_data),3): 46 | mapped_data.append(((data[b_data[count + 1]] >> 4 )&0xFF) | ((data[b_data[count]] * 4)&0xFF)) 47 | # print(f"operation {i}") 48 | mapped_data.append(((data[b_data[count + 1]] * 16)&0xFF) | ((data[b_data[count + 2 ]] >> 2)&0xFF)) 49 | # print(f"operation {i+1}") 50 | mapped_data.append((data[b_data[count+3]]) | ((data[b_data[count + 2]] << 6) & 0xFF)) 51 | # print(f"operation {i+2}") 52 | count+=4 53 | if count >= len(b_data): 54 | break 55 | if (b_data[-1]==0x3d): 56 | # print("we got = sign") 57 | mapped_data[-1] = 0 58 | if (b_data[-2]==0x3d): 59 | # print("we got = sign") 60 | mapped_data[-2] = 0 61 | # print(mapped_data) 62 | byte_array=bytes(mapped_data) 63 | # print(byte_array) 64 | # print(RC4_Key) 65 | print(rc4_decrypt(byte_array,RC4_Key).decode("utf-8")) 66 | 67 | 68 | base_64_str=input("Enter Base64 value : \n ").encode('utf-8') 69 | len_base_str =len(base_64_str) 70 | map_base64_to_enc(base_64_str,len_base_str) 71 | 72 | # if (len_base_str % 3): 73 | # len_base_str=len_base_str - (len_base_str % 3) + 3 74 | # len_base_str = int(8 * (len_base_str / 6 ) + 1) 75 | --------------------------------------------------------------------------------