├── C
    ├── PoSeidon
    │   ├── decryptPoseidonCfg.c
    │   └── decryptPoseidonCfg.exe
    └── queryWorkingSet.c
├── IDA
    ├── Blog_Posts
    │   └── AnalyzingPDFMalware
    │   │   └── xord.idb
    └── Flame_sKyWIper
    │   └── advnetcfg_string_deobfuscate.py
├── LICENSE
├── Python
    ├── Alina
    │   └── alinaTrafficDecode.py
    ├── AutoIT
    │   └── autoit_conv_strings.py
    ├── CherryPicker
    │   └── cherryConfig.py
    └── Framework
    │   └── decode_framework.py
├── README
├── Ruby
    ├── .placeholder
    ├── Alina
    │   ├── .gitignore
    │   ├── alina.rb
    │   └── spark.rb
    ├── Dexter
    │   └── dexter_decode.rb
    ├── FinSpy
    │   ├── README
    │   ├── extractConfig.rb
    │   ├── parseConfig.rb
    │   └── writeConfig.rb
    └── Punkey
    │   └── decPunkey.rb
└── Yara
    ├── Apache_Injection_Module
        └── apacheInjection.yara
    ├── CherryPicker
        └── cherryPicker.yar
    └── Punkey
        └── punkey.yar


/C/PoSeidon/decryptPoseidonCfg.c:
--------------------------------------------------------------------------------
  1 | /*
  2 | # Copyright
  3 | # =========
  4 | # Copyright (C) 2016 Trustwave Holdings, Inc.
  5 | #
  6 | # This program is free software: you can redistribute it and/or modify
  7 | # it under the terms of the GNU General Public License as published by
  8 | # the Free Software Foundation, either version 3 of the License, or
  9 | # (at your option) any later version.
 10 | #
 11 | # This program is distributed in the hope that it will be useful,
 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 14 | # GNU General Public License for more details.
 15 | #
 16 | # You should have received a copy of the GNU General Public License
 17 | # along with this program. If not, see <http://www.gnu.org/licenses/>
 18 | #
 19 | #
 20 | # Usage: decryptPoseidonCfg.exe </path/to/enctrypted/file.exe> <password> </path/to/output/file.txt>
 21 | # Author: Eric Merritt
 22 | # Date: 2016-01-21
 23 | #WinHost.exe.cfg jfnwn02cybn83duf37fj decrypted.txt
 24 | # =Synopsis
 25 | #
 26 | # This is a decryptor program to decrypt configuration files that are downloaded
 27 | # in association of a poseidon infection.  The configuration files contain additional
 28 | # C&C domains that are used by the malware.
 29 | #
 30 | # IMPORTANT!!!!
 31 | # This file MUST be ran on the system that encrypted it for the decryption to work.
 32 | # The APIs (CryptUnprotectData, CryptProtectData) perform encryption that can only be
 33 | # encrypted/decrypted on the system it originally was used on.
 34 | #
 35 | # Input: encrypted file, password, and output file
 36 | # Output: prints decrypted text to screen and writes output to given output file
 37 | #
 38 | # Example:  decryptPoseidonCfg.exe WinHost.exe.cfg jfnwn02cybn83duf37fj decrypted.txt
 39 | #
 40 | #
 41 | # Output: decrypted.txt (containing decrypted file contents)
 42 | */
 43 | 
 44 | #include <stdio.h>
 45 | #include "Windows.h"
 46 | #include <wincrypt.h>
 47 | #include <stdlib.h>
 48 | 
 49 | #pragma comment(lib, "Crypt32")
 50 | 
 51 | 
 52 | int main(int argc, char* argv[])
 53 | {
 54 | 	DATA_BLOB entropy;
 55 | 	DATA_BLOB DataOut;
 56 | 	DATA_BLOB DataVerify;
 57 | 	HANDLE hSourceFile = INVALID_HANDLE_VALUE;
 58 | 	HANDLE hDestinationFile = INVALID_HANDLE_VALUE;
 59 | 	PBYTE pbBuffer = NULL;
 60 | 	DWORD dwBufferLen, dwCount;
 61 | 	char *password = NULL;
 62 | 	char *encryptedFile = NULL;
 63 | 	char *outputFile = NULL;
 64 | 
 65 | 	if (argc < 4)
 66 | 	{
 67 | 		printf("%s <encrypted file> <password> <output file>", argv[0]);
 68 | 		printf("\n Press any key to exit");
 69 | 		_getch();
 70 | 		return 1;
 71 | 	}
 72 | 
 73 | 	encryptedFile = (char *)malloc(strlen(argv[1]) + 1);
 74 | 	password = (char *)malloc(strlen(argv[2]) + 1);
 75 | 	outputFile = (char *)malloc(strlen(argv[3]) + 1);
 76 | 	if (!encryptedFile || !password || !outputFile)
 77 | 	{
 78 | 		printf("Failed to allocate space for variables");
 79 | 		return -1;
 80 | 	}
 81 | 	strncpy(encryptedFile, argv[1], strlen(argv[1]) + 1);
 82 | 	strncpy(password, argv[2], strlen(argv[2]) + 1);
 83 | 	strncpy(outputFile, argv[3], strlen(argv[3]) + 1);
 84 | 
 85 | 	// Setup entropy data_blob
 86 | 	entropy.pbData = (BYTE *)password;
 87 | 	entropy.cbData = strlen(password) + 1;
 88 | 
 89 | 	// Read in the encrypted source file
 90 | 	hSourceFile = CreateFileA(
 91 | 		encryptedFile,
 92 | 		FILE_READ_DATA,
 93 | 		FILE_SHARE_READ,
 94 | 		NULL,
 95 | 		OPEN_EXISTING,
 96 | 		FILE_ATTRIBUTE_NORMAL,
 97 | 		NULL);
 98 | 	if(hSourceFile == -1 || hSourceFile == NULL)
 99 | 	{
100 | 		printf("Failed to read in encrypted file\n");
101 | 		return -1;
102 | 	}
103 | 
104 | 	// Find out the file size and allocate a buffer
105 | 	dwBufferLen = GetFileSize(hSourceFile, NULL);
106 | 	pbBuffer = (PBYTE)malloc(dwBufferLen);
107 | 	if (!pbBuffer)
108 | 	{
109 | 		printf("Failed to allocate space for encrypted buffer");
110 | 		return -1;
111 | 	}
112 | 
113 | 	if (!ReadFile(
114 | 		hSourceFile,
115 | 		pbBuffer,
116 | 		dwBufferLen,
117 | 		&dwCount,
118 | 		NULL))
119 | 	{
120 | 		CloseHandle(hSourceFile);
121 | 		printf("Error reading from source file!\n");
122 | 		return -1;
123 | 	}
124 | 
125 | 	CloseHandle(hSourceFile);
126 | 
127 | 	// Setup the encrypted data_blob
128 | 	DataOut.cbData = dwCount;
129 | 	DataOut.pbData = pbBuffer;
130 | 
131 | 	// Decrypt the file
132 | 	if (CryptUnprotectData(
133 | 		&DataOut,
134 | 		NULL,
135 | 		&entropy,                 // Optional entropy
136 | 		NULL,                 // Reserved
137 | 		NULL,                 // Here, the optional
138 | 							  // prompt structure is not
139 | 							  // used.
140 | 		CRYPTPROTECT_LOCAL_MACHINE,
141 | 		&DataVerify))
142 | 	{
143 | 		printf("The decrypted data is: %s\n", DataVerify.pbData);
144 | 
145 | 		hDestinationFile = CreateFileA(
146 | 			outputFile,
147 | 			FILE_WRITE_DATA,
148 | 			FILE_SHARE_READ,
149 | 			NULL,
150 | 			OPEN_ALWAYS,
151 | 			FILE_ATTRIBUTE_NORMAL,
152 | 			NULL);
153 | 		if (hDestinationFile == -1 || hDestinationFile == NULL)
154 | 		{
155 | 			printf("Failed to open output file for writing\n");
156 | 			return -1;
157 | 		}
158 | 
159 | 		// Write out the decrypted data to the specified file and
160 | 		WriteFile(hDestinationFile, DataVerify.pbData, strlen((char *)DataVerify.pbData), &dwCount, NULL);
161 | 		CloseHandle(hDestinationFile);
162 | 	}
163 | 	else
164 | 	{
165 | 		printf("Decryption error!");
166 | 	}
167 | }


--------------------------------------------------------------------------------
/C/PoSeidon/decryptPoseidonCfg.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SpiderLabs/malware-analysis/d5ac6334ef9721ad8e6c51a0db4fc1871e507799/C/PoSeidon/decryptPoseidonCfg.exe


--------------------------------------------------------------------------------
/C/queryWorkingSet.c:
--------------------------------------------------------------------------------
  1 | /**********************************************************************
  2 | # Copyright
  3 | # =========
  4 | # Copyright(C) 2015 Trustwave Holdings, Inc.
  5 | #
  6 | # This program is free software : you can redistribute it and / or modify
  7 | # it under the terms of the GNU General Public License as published by
  8 | # the Free Software Foundation, either version 3 of the License, or
  9 | # (at your option) any later version.
 10 | #
 11 | # This program is distributed in the hope that it will be useful,
 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
 14 | # GNU General Public License for more details.
 15 | #
 16 | # You should have received a copy of the GNU General Public License
 17 | # along with this program.If not, see <http://www.gnu.org/licenses/>
 18 | #
 19 | #
 20 | # Author: Eric Merritt
 21 | # Date: 11/05/15
 22 | #
 23 | # Description:
 24 | # This is a proof of concept application demonstrating a new technique
 25 | # scanning memory discovered in version 3 of Cherry Picker malware
 26 | #
 27 | # Usage: Usage: queryworkingset.exe [-v | -q] [PID | ProcessName]
 28 | #
 29 | *************************************************************************/
 30 | 
 31 | #define WINDOWS_LEAN_AND_MEAN
 32 | 
 33 | #include <Windows.h>
 34 | #include <Psapi.h>
 35 | #include <stdio.h>
 36 | #include <tlhelp32.h>
 37 | #include <Shlwapi.h>
 38 | 
 39 | #pragma comment ( lib, "psapi.lib" )
 40 | #pragma comment( lib, "Shlwapi.lib" )
 41 | 
 42 | BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
 43 | {
 44 |   TOKEN_PRIVILEGES tp;
 45 |   LUID luid;
 46 | 
 47 |   if (!LookupPrivilegeValue(
 48 |     NULL,            // lookup privilege on local system
 49 |     lpszPrivilege,   // privilege to lookup
 50 |     &luid))        // receives LUID of privilege
 51 |   {
 52 |     printf("LookupPrivilegeValue error: %u\n", GetLastError());
 53 |     return FALSE;
 54 |   }
 55 | 
 56 |   tp.PrivilegeCount = 1;
 57 |   tp.Privileges[0].Luid = luid;
 58 |   if (bEnablePrivilege)
 59 |     tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
 60 |   else
 61 |     tp.Privileges[0].Attributes = 0;
 62 | 
 63 |   // Enable the privilege or disable all privileges.
 64 | 
 65 |   if (!AdjustTokenPrivileges(
 66 |     hToken,
 67 |     FALSE,
 68 |     &tp,
 69 |     sizeof(TOKEN_PRIVILEGES),
 70 |     (PTOKEN_PRIVILEGES)NULL,
 71 |     (PDWORD)NULL))
 72 |   {
 73 |     printf("AdjustTokenPrivileges error: %u\n", GetLastError());
 74 |     return FALSE;
 75 |   }
 76 | 
 77 |   if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
 78 | 
 79 |   {
 80 |     printf("The token does not have the specified privilege. \n");
 81 |     return FALSE;
 82 |   }
 83 | 
 84 |   return TRUE;
 85 | }
 86 | 
 87 | 
 88 | BOOL getTargetProcess(HANDLE *hProcess, DWORD *pid, TCHAR *process)
 89 | {
 90 |   HANDLE hProcessSnap;
 91 |   PROCESSENTRY32 pe32;
 92 | 
 93 |   hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 94 |   if (hProcessSnap == INVALID_HANDLE_VALUE)
 95 |     return 0;
 96 | 
 97 |   pe32.dwSize = sizeof(PROCESSENTRY32);
 98 |   if (!Process32First(hProcessSnap, &pe32))
 99 |   {
100 |     CloseHandle(hProcessSnap);          // clean the snapshot object
101 |     return 0;
102 |   }
103 |   do
104 |   {
105 |     if (_wcsicmp(pe32.szExeFile, process) == 0)
106 |     {
107 |       *hProcess = OpenProcess(
108 |         PROCESS_QUERY_INFORMATION | // Required by Alpha
109 |         PROCESS_CREATE_THREAD | // For CreateRemoteThread
110 |         PROCESS_VM_OPERATION |  // For VirtualAllocEx/VirtualFreeEx
111 |         PROCESS_VM_WRITE |  // For WriteProcessMemory
112 |         PROCESS_VM_READ |
113 |         SYNCHRONIZE |
114 |         PROCESS_DUP_HANDLE,
115 |         FALSE,
116 |         pe32.th32ProcessID);
117 |       if (hProcess == NULL)
118 |         return 0;
119 |       else
120 |       {
121 |         *pid = pe32.th32ProcessID;
122 |         CloseHandle(hProcessSnap);
123 |         return 1;
124 |       }
125 |     }
126 |   } while (Process32Next(hProcessSnap, &pe32));
127 | 
128 |   CloseHandle(hProcessSnap);
129 |   return 0;
130 | }
131 | 
132 | int main(int argc, char *argv[])
133 | {
134 |   // Need the page size information for the QueryWorkingSet memory scraping
135 |   SYSTEM_INFO info;
136 |   GetSystemInfo(&info);
137 | 
138 |   // For the PoC check and see if they want the to use VirtualQuery or QueryWorkingSet
139 |   // Also get the PID or process name to scrape cards
140 |   if (argc != 3){
141 |     printf("Usage: %s [-v | -q] [PID | ProcessName]", argv[0]);
142 |     return 0;
143 |   }
144 | 
145 |   char *queryType = (char *)malloc(strlen(argv[1] + 1));
146 |   if (!queryType)
147 |   {
148 |     printf("Failed to allocate memory\n");
149 |     return -1;
150 |   }
151 |   memcpy(queryType, argv[1], strlen(argv[1]));
152 |   queryType[strlen(argv[1])] = '\0';
153 | 
154 |   //get debug privs for the application
155 |   printf("[+] Ensuring we have the proper privs....");
156 |   HANDLE hToken;
157 |   HANDLE self = OpenProcess(
158 |     PROCESS_QUERY_INFORMATION | // Required by Alpha
159 |     PROCESS_CREATE_THREAD | // For CreateRemoteThread
160 |     PROCESS_VM_OPERATION |  // For VirtualAllocEx/VirtualFreeEx
161 |     PROCESS_VM_WRITE |  // For WriteProcessMemory
162 |     PROCESS_VM_READ,
163 |     FALSE,
164 |     GetCurrentProcessId());
165 | 
166 |   // Elevate the privs of our process
167 |   OpenProcessToken(self, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
168 |   if (!SetPrivilege(hToken, SE_DEBUG_NAME, TRUE))
169 |   {
170 |     printf(" failed\n");
171 |     return 0;
172 |   }
173 |   printf(" success\n");
174 | 
175 |   // Open target Process
176 |   printf("[+] Opening target process ");
177 |   HANDLE pos;
178 |   DWORD pid;
179 | 
180 |   // Open the process by PID or by process name
181 |   pid = atoi(argv[2]);
182 | 
183 |   // atoi fails with 0 if it isn't a number and PIDs shouldn't be 0
184 |   // You aren't finding any cc data in the System Idle Process
185 |   if (pid == 0)
186 |   {
187 |     printf("%s ", argv[2]);
188 |     wchar_t  ws[100];
189 |     swprintf(ws, 100, L"%hs", argv[2]);
190 |     if (!getTargetProcess(&pos, &pid, ws))
191 |     {
192 |       printf("failed\n");
193 |       return -1;
194 |     }
195 |     printf("[%d]... ", pid);
196 |   }
197 |   else
198 |   {
199 |     pos = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
200 |     if (!pos)
201 |     {
202 |       printf("failed\n");
203 |       return -1;
204 |     }
205 |     else
206 |     {
207 |       // Print out the name of the process for display purposes
208 |       TCHAR Buffer[MAX_PATH];
209 |       TCHAR* filename;
210 |       if (GetModuleFileNameEx(pos, 0, Buffer, MAX_PATH))
211 |       {
212 |         filename = PathFindFileName(Buffer);
213 |         printf("%S [%d]... ", filename, pid);
214 |       }
215 |     }
216 |   }
217 |   printf("success\n");
218 | 
219 |   // Virtual Query Section
220 |   if (strcmp(queryType, "-v") == 0)
221 |   {
222 |     printf("[+] Using VirtualQueryEx to scrape memory\n\n");
223 |     SIZE_T v2;
224 |     struct _MEMORY_BASIC_INFORMATION Buffer;
225 |     char *BaseAddress;
226 | 
227 |     while (1)
228 |     {
229 |       BaseAddress = (char *)0x10000;
230 |       do
231 |       {
232 |         VirtualQueryEx(pos, BaseAddress, &Buffer, 0x1Cu);
233 |         if (Buffer.State == 0x1000 && Buffer.Protect & 4 && !(Buffer.Protect & 0x100))
234 |           printf("Memory Page at Virtual Address 0x%08x", BaseAddress);
235 |         v2 = Buffer.RegionSize;
236 |         if (Buffer.RegionSize < 0x1000)
237 |         {
238 |           v2 = 0x1000;
239 |           Buffer.RegionSize = 0x1000;
240 |         }
241 |         BaseAddress = (char *)Buffer.BaseAddress + v2;
242 |       } while ((unsigned int)BaseAddress < 0x6FF00000);
243 |     }
244 | 
245 |   }
246 |   else if (strcmp(queryType, "-q") == 0)
247 |   {
248 |     printf("[+] Using QueryWorkingSet to scrape memory\n\n");
249 |     DWORD wsi_size;
250 |     PSAPI_WORKING_SET_INFORMATION wsi_1, *wsi;
251 |     wsi_1.NumberOfEntries = 0;
252 | 
253 |     while (1)
254 |     {
255 |       // Get the actual number of pages: This call will fail because we "don't have enough space"
256 |       QueryWorkingSet(pos, (LPVOID)&wsi_1, sizeof(wsi));
257 | 
258 |       // Get enough space for the page information
259 |       wsi_size = sizeof(PSAPI_WORKING_SET_INFORMATION) + sizeof(PSAPI_WORKING_SET_BLOCK) * wsi_1.NumberOfEntries;
260 |       wsi = (PSAPI_WORKING_SET_INFORMATION*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, wsi_size);
261 | 
262 |       // Now populate the working set information
263 |       if (!QueryWorkingSet(pos, (LPVOID)wsi, wsi_size))
264 |       {
265 |         printf("[-] Second QueryWorkingSet failed: %lu\n", GetLastError());
266 |         return 1;
267 |       }
268 | 
269 |       // Scan through the pages and scan the Read/Write pages for CC data
270 |       for (DWORD i = 0; i < wsi->NumberOfEntries; i++)
271 |       {
272 |         DWORD dwDumpAddress = wsi->WorkingSetInfo[i].VirtualPage << 12;
273 |         DWORD protection = (DWORD)wsi->WorkingSetInfo[i].Protection;
274 |         // We only want READ/WRITE non-shared pages with a valid address space
275 |         if (protection & 4 && !(protection & 0x100) && (dwDumpAddress >> 12 != 0xC))
276 |           printf("Memory Page at Virtual Address 0x%08x", dwDumpAddress);
277 |       }
278 |     }
279 |   }
280 |   return 0;
281 | }
282 | 


--------------------------------------------------------------------------------
/IDA/Blog_Posts/AnalyzingPDFMalware/xord.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SpiderLabs/malware-analysis/d5ac6334ef9721ad8e6c51a0db4fc1871e507799/IDA/Blog_Posts/AnalyzingPDFMalware/xord.idb


--------------------------------------------------------------------------------
/IDA/Flame_sKyWIper/advnetcfg_string_deobfuscate.py:
--------------------------------------------------------------------------------
 1 | # Copyright
 2 | # =========
 3 | # Copyright (C) 2012 Trustwave Holdings, Inc.
 4 | #
 5 | # This program is free software: you can redistribute it and/or modify
 6 | # it under the terms of the GNU General Public License as published by
 7 | # the Free Software Foundation, either version 3 of the License, or
 8 | # (at your option) any later version.
 9 | #
10 | # This program is distributed in the hope that it will be useful,
11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | # GNU General Public License for more details.
14 | # 
15 | # You should have received a copy of the GNU General Public License
16 | # along with this program. If not, see <http://www.gnu.org/licenses/>
17 | #
18 | #
19 | # advnetcfg_string_deobfuscate.py by Josh Grunzweig 5-31-2012
20 | #
21 | # =Synopsis
22 | #
23 | # This is an idapython script designed to deobfuscate strings in the 
24 | # advnetcfg.ocx malware sample (bb5441af1e1741fca600e9c433cb1550). In this 
25 | # particular sample, the decrypt function was identified at 0x1000BE16, which
26 | # is set accordingly below. If it is discovered that the decrypt function has
27 | # been changed to a different location, please update the base_value variable
28 | # below to the appropriate value. 
29 | #
30 | # An example of the decrypt function being called can be seen below:
31 | #
32 | # .text:10003A0F                 push    edi
33 | # .text:10003A10                 mov     [ebp+var_10], esp
34 | # .text:10003A13                 and     [ebp+var_4], 0
35 | # .text:10003A17                 push    offset unk_1008FBB8
36 | # .text:10003A1C                 call    sub_1000BE16
37 | # .text:10003A21                 pop     ecx
38 | # .text:10003A22                 push    eax             ; Src
39 | # .text:10003A23                 lea     eax, [ebp+var_1C]
40 | #
41 | # In the above example, unk_1008FBB8 is set to the following:
42 | #
43 | # 90 11 80 5C B6 F8 26 DA  D1 3E C7 2C D4 87 D5 0B
44 | # C0 E3 30 00 A7 A2 23 E8  62 37 BA 8D 0E EB 72 52
45 | # C9 BC 47 37 B5 B1 40 3C  CC C2 3A 59 1A FF AF A6
46 | # 62 49 1D 0C CF CA 99 81  1A 5C FC 27 BF 06 D4 FC
47 | # D7 D3 C2 DA 00 00 9B 3C  E4 89 5C 43 40 DE 53 5F
48 | # 7D 7F 29 BE DD 8B 00 00  00 00 00 00 00 00 00 00
49 | # 
50 | # 
51 | # This script will automatically discover all XREFs to the deobfuscate function,
52 | # and will then proceed to comment each unk that is supplied to that function.
53 | # 
54 | # In addition, a number of debugging message will be displayed, to provide the
55 | # user with both the location of the unk, as well as the decoded string.
56 | #
57 | 
58 | import sys
59 | import binascii
60 | import re
61 | 
62 | base_value = 0x1000BE16
63 | 
64 | def decrypt(num):
65 |     val = ((num+5) * (num+26) ^ (((num+5) * (num+26) >> 8) ^ (((num+5) * (num+26) ^ (((num+5) * (num+26)) >> 8)) >> 16)))
66 |     return ("%2X" % val)[-2:]
67 | 
68 | def initial_decrypt(string):
69 |     string = binascii.unhexlify(string)
70 |     return_list = []
71 |     if string[16] != "\x00":
72 |         count = 0
73 |         for value in str(string[20:]):
74 |             dec_value = int(decrypt(count),16)
75 |             value_to_set = (int(binascii.hexlify(value),16) - dec_value)
76 |             if value_to_set < 0:
77 |                 dec_value = ((dec_value ^ 255)+1)*-1
78 |                 value_to_set = (int(binascii.hexlify(value),16) - dec_value)
79 |             if value_to_set != 0:
80 |                 return_list.append(chr(value_to_set))
81 |             count+=1
82 |     return ''.join(return_list)
83 | 
84 | 
85 | for ref in CodeRefsTo(base_value, 1):
86 |     new_ref = Dword(int(ref)-4)
87 |     bool_var = Byte(new_ref+16)
88 |     size = Byte(new_ref+18)+20
89 |     manybytes = GetManyBytes(new_ref, (size))
90 |     decoded_string = initial_decrypt(binascii.hexlify(manybytes))
91 |     idc.MakeRptCmt(new_ref, decoded_string)
92 |     idc.MakeName(new_ref, (re.sub('[\W_]', '_', decoded_string)+"_"+hex(new_ref)))
93 |     print("[+] Adding comment "+str(hex(new_ref))+" : \""+decoded_string+"\"")
94 |     
95 | 
96 | 
97 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                     GNU GENERAL PUBLIC LICENSE
  2 |                        Version 3, 29 June 2007
  3 | 
  4 |  Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
  5 |  Everyone is permitted to copy and distribute verbatim copies
  6 |  of this license document, but changing it is not allowed.
  7 | 
  8 |                             Preamble
  9 | 
 10 |   The GNU General Public License is a free, copyleft license for
 11 | software and other kinds of works.
 12 | 
 13 |   The licenses for most software and other practical works are designed
 14 | to take away your freedom to share and change the works.  By contrast,
 15 | the GNU General Public License is intended to guarantee your freedom to
 16 | share and change all versions of a program--to make sure it remains free
 17 | software for all its users.  We, the Free Software Foundation, use the
 18 | GNU General Public License for most of our software; it applies also to
 19 | any other work released this way by its authors.  You can apply it to
 20 | your programs, too.
 21 | 
 22 |   When we speak of free software, we are referring to freedom, not
 23 | price.  Our General Public Licenses are designed to make sure that you
 24 | have the freedom to distribute copies of free software (and charge for
 25 | them if you wish), that you receive source code or can get it if you
 26 | want it, that you can change the software or use pieces of it in new
 27 | free programs, and that you know you can do these things.
 28 | 
 29 |   To protect your rights, we need to prevent others from denying you
 30 | these rights or asking you to surrender the rights.  Therefore, you have
 31 | certain responsibilities if you distribute copies of the software, or if
 32 | you modify it: responsibilities to respect the freedom of others.
 33 | 
 34 |   For example, if you distribute copies of such a program, whether
 35 | gratis or for a fee, you must pass on to the recipients the same
 36 | freedoms that you received.  You must make sure that they, too, receive
 37 | or can get the source code.  And you must show them these terms so they
 38 | know their rights.
 39 | 
 40 |   Developers that use the GNU GPL protect your rights with two steps:
 41 | (1) assert copyright on the software, and (2) offer you this License
 42 | giving you legal permission to copy, distribute and/or modify it.
 43 | 
 44 |   For the developers' and authors' protection, the GPL clearly explains
 45 | that there is no warranty for this free software.  For both users' and
 46 | authors' sake, the GPL requires that modified versions be marked as
 47 | changed, so that their problems will not be attributed erroneously to
 48 | authors of previous versions.
 49 | 
 50 |   Some devices are designed to deny users access to install or run
 51 | modified versions of the software inside them, although the manufacturer
 52 | can do so.  This is fundamentally incompatible with the aim of
 53 | protecting users' freedom to change the software.  The systematic
 54 | pattern of such abuse occurs in the area of products for individuals to
 55 | use, which is precisely where it is most unacceptable.  Therefore, we
 56 | have designed this version of the GPL to prohibit the practice for those
 57 | products.  If such problems arise substantially in other domains, we
 58 | stand ready to extend this provision to those domains in future versions
 59 | of the GPL, as needed to protect the freedom of users.
 60 | 
 61 |   Finally, every program is threatened constantly by software patents.
 62 | States should not allow patents to restrict development and use of
 63 | software on general-purpose computers, but in those that do, we wish to
 64 | avoid the special danger that patents applied to a free program could
 65 | make it effectively proprietary.  To prevent this, the GPL assures that
 66 | patents cannot be used to render the program non-free.
 67 | 
 68 |   The precise terms and conditions for copying, distribution and
 69 | modification follow.
 70 | 
 71 |                        TERMS AND CONDITIONS
 72 | 
 73 |   0. Definitions.
 74 | 
 75 |   "This License" refers to version 3 of the GNU General Public License.
 76 | 
 77 |   "Copyright" also means copyright-like laws that apply to other kinds of
 78 | works, such as semiconductor masks.
 79 | 
 80 |   "The Program" refers to any copyrightable work licensed under this
 81 | License.  Each licensee is addressed as "you".  "Licensees" and
 82 | "recipients" may be individuals or organizations.
 83 | 
 84 |   To "modify" a work means to copy from or adapt all or part of the work
 85 | in a fashion requiring copyright permission, other than the making of an
 86 | exact copy.  The resulting work is called a "modified version" of the
 87 | earlier work or a work "based on" the earlier work.
 88 | 
 89 |   A "covered work" means either the unmodified Program or a work based
 90 | on the Program.
 91 | 
 92 |   To "propagate" a work means to do anything with it that, without
 93 | permission, would make you directly or secondarily liable for
 94 | infringement under applicable copyright law, except executing it on a
 95 | computer or modifying a private copy.  Propagation includes copying,
 96 | distribution (with or without modification), making available to the
 97 | public, and in some countries other activities as well.
 98 | 
 99 |   To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies.  Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 | 
103 |   An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License.  If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 | 
112 |   1. Source Code.
113 | 
114 |   The "source code" for a work means the preferred form of the work
115 | for making modifications to it.  "Object code" means any non-source
116 | form of a work.
117 | 
118 |   A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 | 
123 |   The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form.  A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 | 
134 |   The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities.  However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work.  For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 | 
147 |   The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 | 
151 |   The Corresponding Source for a work in source code form is that
152 | same work.
153 | 
154 |   2. Basic Permissions.
155 | 
156 |   All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met.  This License explicitly affirms your unlimited
159 | permission to run the unmodified Program.  The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work.  This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 | 
164 |   You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force.  You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright.  Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 | 
175 |   Conveying under any other circumstances is permitted solely under
176 | the conditions stated below.  Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 | 
179 |   3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 | 
181 |   No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 | 
187 |   When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 | 
195 |   4. Conveying Verbatim Copies.
196 | 
197 |   You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 | 
205 |   You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 | 
208 |   5. Conveying Modified Source Versions.
209 | 
210 |   You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 | 
214 |     a) The work must carry prominent notices stating that you modified
215 |     it, and giving a relevant date.
216 | 
217 |     b) The work must carry prominent notices stating that it is
218 |     released under this License and any conditions added under section
219 |     7.  This requirement modifies the requirement in section 4 to
220 |     "keep intact all notices".
221 | 
222 |     c) You must license the entire work, as a whole, under this
223 |     License to anyone who comes into possession of a copy.  This
224 |     License will therefore apply, along with any applicable section 7
225 |     additional terms, to the whole of the work, and all its parts,
226 |     regardless of how they are packaged.  This License gives no
227 |     permission to license the work in any other way, but it does not
228 |     invalidate such permission if you have separately received it.
229 | 
230 |     d) If the work has interactive user interfaces, each must display
231 |     Appropriate Legal Notices; however, if the Program has interactive
232 |     interfaces that do not display Appropriate Legal Notices, your
233 |     work need not make them do so.
234 | 
235 |   A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit.  Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 | 
245 |   6. Conveying Non-Source Forms.
246 | 
247 |   You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 | 
252 |     a) Convey the object code in, or embodied in, a physical product
253 |     (including a physical distribution medium), accompanied by the
254 |     Corresponding Source fixed on a durable physical medium
255 |     customarily used for software interchange.
256 | 
257 |     b) Convey the object code in, or embodied in, a physical product
258 |     (including a physical distribution medium), accompanied by a
259 |     written offer, valid for at least three years and valid for as
260 |     long as you offer spare parts or customer support for that product
261 |     model, to give anyone who possesses the object code either (1) a
262 |     copy of the Corresponding Source for all the software in the
263 |     product that is covered by this License, on a durable physical
264 |     medium customarily used for software interchange, for a price no
265 |     more than your reasonable cost of physically performing this
266 |     conveying of source, or (2) access to copy the
267 |     Corresponding Source from a network server at no charge.
268 | 
269 |     c) Convey individual copies of the object code with a copy of the
270 |     written offer to provide the Corresponding Source.  This
271 |     alternative is allowed only occasionally and noncommercially, and
272 |     only if you received the object code with such an offer, in accord
273 |     with subsection 6b.
274 | 
275 |     d) Convey the object code by offering access from a designated
276 |     place (gratis or for a charge), and offer equivalent access to the
277 |     Corresponding Source in the same way through the same place at no
278 |     further charge.  You need not require recipients to copy the
279 |     Corresponding Source along with the object code.  If the place to
280 |     copy the object code is a network server, the Corresponding Source
281 |     may be on a different server (operated by you or a third party)
282 |     that supports equivalent copying facilities, provided you maintain
283 |     clear directions next to the object code saying where to find the
284 |     Corresponding Source.  Regardless of what server hosts the
285 |     Corresponding Source, you remain obligated to ensure that it is
286 |     available for as long as needed to satisfy these requirements.
287 | 
288 |     e) Convey the object code using peer-to-peer transmission, provided
289 |     you inform other peers where the object code and Corresponding
290 |     Source of the work are being offered to the general public at no
291 |     charge under subsection 6d.
292 | 
293 |   A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 | 
297 |   A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling.  In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage.  For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product.  A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 | 
310 |   "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source.  The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 | 
318 |   If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information.  But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 | 
329 |   The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed.  Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 | 
337 |   Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 | 
343 |   7. Additional Terms.
344 | 
345 |   "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law.  If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 | 
354 |   When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it.  (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.)  You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 | 
361 |   Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 | 
365 |     a) Disclaiming warranty or limiting liability differently from the
366 |     terms of sections 15 and 16 of this License; or
367 | 
368 |     b) Requiring preservation of specified reasonable legal notices or
369 |     author attributions in that material or in the Appropriate Legal
370 |     Notices displayed by works containing it; or
371 | 
372 |     c) Prohibiting misrepresentation of the origin of that material, or
373 |     requiring that modified versions of such material be marked in
374 |     reasonable ways as different from the original version; or
375 | 
376 |     d) Limiting the use for publicity purposes of names of licensors or
377 |     authors of the material; or
378 | 
379 |     e) Declining to grant rights under trademark law for use of some
380 |     trade names, trademarks, or service marks; or
381 | 
382 |     f) Requiring indemnification of licensors and authors of that
383 |     material by anyone who conveys the material (or modified versions of
384 |     it) with contractual assumptions of liability to the recipient, for
385 |     any liability that these contractual assumptions directly impose on
386 |     those licensors and authors.
387 | 
388 |   All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10.  If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term.  If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 | 
398 |   If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 | 
403 |   Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 | 
407 |   8. Termination.
408 | 
409 |   You may not propagate or modify a covered work except as expressly
410 | provided under this License.  Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 | 
415 |   However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 | 
422 |   Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 | 
429 |   Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License.  If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 | 
435 |   9. Acceptance Not Required for Having Copies.
436 | 
437 |   You are not required to accept this License in order to receive or
438 | run a copy of the Program.  Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance.  However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work.  These actions infringe copyright if you do
443 | not accept this License.  Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 | 
446 |   10. Automatic Licensing of Downstream Recipients.
447 | 
448 |   Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License.  You are not responsible
451 | for enforcing compliance by third parties with this License.
452 | 
453 |   An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations.  If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 | 
463 |   You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License.  For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 | 
471 |   11. Patents.
472 | 
473 |   A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based.  The
475 | work thus licensed is called the contributor's "contributor version".
476 | 
477 |   A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version.  For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 | 
487 |   Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 | 
492 |   In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement).  To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 | 
499 |   If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients.  "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 | 
513 |   If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 | 
521 |   A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License.  You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 | 
536 |   Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 | 
540 |   12. No Surrender of Others' Freedom.
541 | 
542 |   If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License.  If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all.  For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 | 
552 |   13. Use with the GNU Affero General Public License.
553 | 
554 |   Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work.  The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 | 
563 |   14. Revised Versions of this License.
564 | 
565 |   The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time.  Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 | 
570 |   Each version is given a distinguishing version number.  If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation.  If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 | 
579 |   If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 | 
584 |   Later license versions may give you additional or different
585 | permissions.  However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 | 
589 |   15. Disclaimer of Warranty.
590 | 
591 |   THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 | 
600 |   16. Limitation of Liability.
601 | 
602 |   IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 | 
612 |   17. Interpretation of Sections 15 and 16.
613 | 
614 |   If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 | 
621 |                      END OF TERMS AND CONDITIONS
622 | 
623 |             How to Apply These Terms to Your New Programs
624 | 
625 |   If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 | 
629 |   To do so, attach the following notices to the program.  It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 | 
634 |     <one line to give the program's name and a brief idea of what it does.>
635 |     Copyright (C) <year>  <name of author>
636 | 
637 |     This program is free software: you can redistribute it and/or modify
638 |     it under the terms of the GNU General Public License as published by
639 |     the Free Software Foundation, either version 3 of the License, or
640 |     (at your option) any later version.
641 | 
642 |     This program is distributed in the hope that it will be useful,
643 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
644 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
645 |     GNU General Public License for more details.
646 | 
647 |     You should have received a copy of the GNU General Public License
648 |     along with this program.  If not, see <http://www.gnu.org/licenses/>.
649 | 
650 | Also add information on how to contact you by electronic and paper mail.
651 | 
652 |   If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 | 
655 |     <program>  Copyright (C) <year>  <name of author>
656 |     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 |     This is free software, and you are welcome to redistribute it
658 |     under certain conditions; type `show c' for details.
659 | 
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License.  Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 | 
664 |   You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | <http://www.gnu.org/licenses/>.
668 | 
669 |   The GNU General Public License does not permit incorporating your program
670 | into proprietary programs.  If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library.  If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License.  But first, please read
674 | <http://www.gnu.org/philosophy/why-not-lgpl.html>.
675 | 
676 | 


--------------------------------------------------------------------------------
/Python/Alina/alinaTrafficDecode.py:
--------------------------------------------------------------------------------
  1 | import sys
  2 | import struct
  3 | import urllib
  4 | 
  5 | # Copyright
  6 | # =========
  7 | # Copyright (C) 2016 Trustwave Holdings, Inc.
  8 | #
  9 | # This program is free software: you can redistribute it and/or modify
 10 | # it under the terms of the GNU General Public License as published by
 11 | # the Free Software Foundation, either version 3 of the License, or
 12 | # (at your option) any later version.
 13 | #
 14 | # This program is distributed in the hope that it will be useful,
 15 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 16 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 17 | # GNU General Public License for more details.
 18 | #
 19 | # You should have received a copy of the GNU General Public License
 20 | # along with this program. If not, see <http://www.gnu.org/licenses/>
 21 | #
 22 | #
 23 | # python alinaTrafficDecode.py [filename] by Eric Merritt 2016-03-17
 24 | #
 25 | # =Synopsis
 26 | #
 27 | # This script decodes traffic generated by several families of malware related
 28 | # to Alina.  It has been tested with the Eagle, Joker, and Spark variants.  It
 29 | # XORs the traffic with 0xAA, grab the new XOR key (bytes 18-36), parse the
 30 | # header information, decode the body, and parse the body information. The
 31 | # result is displayed to the screen.
 32 | #
 33 | # Input: Encoded traffic file
 34 | #
 35 | # Example: python alinaTrafficDecode.py encodedTraffic.txt
 36 | #
 37 | 
 38 | 
 39 | def processBody(body):
 40 |     alina = []
 41 |     alina.append('terminate ')
 42 |     alina.append('forcing ')
 43 |     alina.append('Executing ')
 44 |     alina.append('failed ')
 45 |     alina.append('success ')
 46 |     alina.append('Exception ')
 47 |     alina.append('at ')
 48 |     alina.append('Imagebase ')
 49 |     alina.append('pid ')
 50 |     alina.append('to ')
 51 |     alina.append('InternetOpen ')
 52 |     alina.append('InternetConnect ')
 53 |     alina.append('HttpOpenRequest ')
 54 |     alina.append('HttpSendRequest ')
 55 |     alina.append('HttpQueryInfo ')
 56 |     alina.append('new ')
 57 |     alina.append('logging ')
 58 |     alina.append('on ')
 59 |     alina.append('off ')
 60 |     alina.append('delete ')
 61 |     alina.append('file ')
 62 |     alina.append('Download & Execute ')
 63 |     alina.append('no ')
 64 |     alina.append('last request ')
 65 |     alina.append('seconds ago ')
 66 |     alina.append('command ')
 67 |     alina.append('get and call ')
 68 |     alina.append('called pipe and encountered version ')
 69 |     alina.append('i am ')
 70 |     alina.append('pipe ')
 71 |     alina.append('thread ')
 72 |     alina.append('restarting ')
 73 |     alina.append('httpRequest ')
 74 |     alina.append('length ')
 75 |     alina.append('checksum ')
 76 |     alina.append('fallback ')
 77 |     alina.append('verification ')
 78 |     alina.append('should be ')
 79 |     alina.append('is ')
 80 |     alina.append('CreateFileA ')
 81 |     alina.append('WriteFile ')
 82 |     alina.append('wrote ')
 83 |     alina.append('UrlDownloadToFileA ')
 84 |     alina.append('open ')
 85 |     alina.append('read ')
 86 |     alina.append('process ')
 87 | 
 88 |     for line in body.split('\n'):
 89 |         for i in range(46):
 90 |             joker = '~j~' + str(i + 1) + '~k~'
 91 |             eagle = '{[!' + str(i + 1) + '!]}'
 92 | 
 93 |             line = line.replace(joker, alina[i])
 94 |             line = line.replace(eagle, alina[i])
 95 |         print line
 96 | 
 97 | 
 98 | def decodeTraffic(traffic):
 99 |     HEADER_SIZE = 76
100 | 
101 |     if len(traffic) < HEADER_SIZE:
102 |         print "[-] Traffic is less than header size"
103 |         return
104 | 
105 |     new_traffic = ''
106 | 
107 |     for byte in traffic:
108 |         new_traffic += struct.pack('B', ord(byte) ^ 0xaa)
109 | 
110 |     key = traffic[18:36]
111 | 
112 |     # Headers
113 |     v, sv, hwid, nonce, act, pcn = struct.unpack(
114 |         "H16s8s2s8s32s", new_traffic[:68])
115 |     size = struct.unpack('<L', new_traffic[68:72])[0] - 123
116 | 
117 |     print "Header Information\n" + "=" * 30
118 |     print "[+] Version: 0x%04x" % v
119 |     print "[+] Name: %s" % sv
120 |     print "[+] Hardware ID: %s" % hwid
121 |     print "[+] Action: %s" % act
122 |     print "[+] Computer Name: %s" % pcn
123 |     print "[+] Data Length: %d\n" % size
124 | 
125 |     # Body
126 |     if (HEADER_SIZE + size + 123) != len(new_traffic):
127 |         body = cxor(new_traffic, HEADER_SIZE, size, key, 18)
128 |         handleBody(body)
129 |     else:
130 |         print "[-] Exiting... Size mismatch"
131 | 
132 | 
133 | def handleBody(body):
134 |     parameters = body.split('&')
135 |     if len(parameters) > 0:
136 |         for p in parameters:
137 |             if len(p) > 0:
138 |                 v = p.split('=')
139 |                 if len(v) > 0:
140 |                     processBody(urllib.unquote(v[1]).decode('utf8'))
141 | 
142 | 
143 | def cxor(data, offset, length, key, klen):
144 |     ret = ''
145 |     for i in range(length):
146 |         ret += chr(ord(data[offset + i]) ^ ord(key[i % klen]))
147 |     return ret
148 | 
149 | 
150 | def printUsage():
151 |     print "[-] Usage: %s file_path" % sys.argv[0]
152 | 
153 | 
154 | # Main ########################
155 | if len(sys.argv) == 2:
156 |     exfil_file = sys.argv[1]
157 |     try:
158 |         f = open(exfil_file, "rb")
159 |         traffic = f.read()
160 |         f.close()
161 |         decodeTraffic(traffic)
162 |     except IOError as e:
163 |         print e
164 |         sys.exit(1)
165 | else:
166 |     printUsage()
167 | 


--------------------------------------------------------------------------------
/Python/AutoIT/autoit_conv_strings.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | import sys
 3 | 
 4 | # Copyright
 5 | # =========
 6 | # Copyright (C) 2016 Trustwave Holdings, Inc.
 7 | #
 8 | # This program is free software: you can redistribute it and/or modify
 9 | # it under the terms of the GNU General Public License as published by
10 | # the Free Software Foundation, either version 3 of the License, or
11 | # (at your option) any later version.
12 | #
13 | # This program is distributed in the hope that it will be useful,
14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 | # GNU General Public License for more details.
17 | #
18 | # You should have received a copy of the GNU General Public License
19 | # along with this program. If not, see <http://www.gnu.org/licenses/>
20 | #
21 | #
22 | # python autoit_conv_strings.py [filename] [output] by Eric Merritt 2016-07-29
23 | #
24 | # =Synopsis
25 | #
26 | # This script decodes strings in an AutoIT script that uses character by character
27 | # string obfuscation.  This code attempts to clean up the code and make it more
28 | # readable.  
29 | #
30 | # WARNING: The output of this script will not execute
31 | #
32 | # Input: .au3 file with encoded strings
33 | #
34 | # Example: python autoit_conv_strings.py malware.au3 output.txt
35 | #
36 | 
37 | 
38 | if len(sys.argv) == 2:
39 |     output = 'output.au3'
40 |     f_input = sys.argv[1]
41 | elif len(sys.argv) == 3:
42 |     output = sys.argv[2]
43 |     f_input = sys.argv[1]
44 | else:
45 |     print 'usage: %s Input_file [output_file]' % sys.argv[0]
46 |     sys.exit(1)
47 | 
48 | searchStr = 'Chr\(_2pdqycz2\(\d{1,3}\)\)[^\S\r\n]?\&*[^\S\r\n]?'
49 | 
50 | o = open(output, 'w')
51 | f = open(f_input, 'r')
52 | 
53 | 
54 | for line in f.readlines():
55 |     matches = re.findall(searchStr, line)
56 | 
57 |     if len(matches) > 0:
58 |         for match in matches:
59 |             newChar = chr(int(re.search(r'\d{2,3}', match).group()) - 2)
60 | 
61 |             line = line.replace(match, newChar)
62 | 
63 |     o.write(line)
64 | o.close()
65 | 


--------------------------------------------------------------------------------
/Python/CherryPicker/cherryConfig.py:
--------------------------------------------------------------------------------
  1 | import sys
  2 | import re
  3 | 
  4 | # Copyright
  5 | # =========
  6 | # Copyright (C) 2015 Trustwave Holdings, Inc.
  7 | #
  8 | # This program is free software: you can redistribute it and/or modify
  9 | # it under the terms of the GNU General Public License as published by
 10 | # the Free Software Foundation, either version 3 of the License, or
 11 | # (at your option) any later version.
 12 | #
 13 | # This program is distributed in the hope that it will be useful,
 14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 16 | # GNU General Public License for more details.
 17 | #
 18 | # You should have received a copy of the GNU General Public License
 19 | # along with this program. If not, see <http://www.gnu.org/licenses/>
 20 | #
 21 | #
 22 | # python cherryPicker.py [filename] by Eric Merritt 2015-04-09
 23 | #
 24 | # =Synopsis
 25 | #
 26 | # This is a simple python script that decrypts the encoded config files
 27 | # for Cherry Picker malware.  It is encoded with a XOR string
 28 | #
 29 | # Input: filename or none to use the default kb852310.dll filename
 30 | #
 31 | # Example: python cherryPicker.py
 32 | #
 33 | # Example: python cherryPicker.py filename.dll
 34 | #
 35 | # Output: config.bin (decrypted config file)
 36 | 
 37 | 
 38 | xor_key = ['0xE6', '0x96', '0x03', '0x00', '0x84', '0x03', '0x01',
 39 |            '0x32', '0x4D', '0x36', '0xD0', '0x35', '0x5F', '0x62', '0x65',
 40 |            '0x01']
 41 | 
 42 | 
 43 | def _ror(val, bits, bit_size):
 44 |     return ((val & (2 ** bit_size - 1)) >> bits % bit_size) | \
 45 |            (val << (bit_size - (bits % bit_size)) & (2 ** bit_size - 1))
 46 | 
 47 | __ROR4__ = lambda val, bits: _ror(val, bits, 32)
 48 | 
 49 | 
 50 | def DWORD(list, start):
 51 |     i = 0
 52 |     result = '0x'
 53 |     while i < 4:
 54 |         if type(list[start + 3]) == int:
 55 |             result = result + format(list[start + 3], '02x')
 56 |         else:
 57 |             result = result + list[start + 3][2:]
 58 |         i = i + 1
 59 |         start = start - 1
 60 |     return result
 61 | 
 62 | 
 63 | def replace_bytes(buffer, start, value):
 64 |     i = 4
 65 |     indx = 0
 66 |     value = re.findall('..', value.split('0x')[1])
 67 |     while i > 0:
 68 |         buffer[start + indx] = int(value[i-1], 16)
 69 |         i = i - 1
 70 |         indx = indx + 1
 71 | 
 72 | 
 73 | def round_dword(value):
 74 |     number = value.split('0x')[1]
 75 |     if len(number) > 8:
 76 |         number = number[len(number) - 8:len(number)]
 77 |     elif len(number) < 8:
 78 |         for i in range(0, 8-len(number)):
 79 |             number = '0' + number
 80 |     return '0x' + number
 81 | 
 82 | 
 83 | def decrypt_config(buffer):
 84 |     counter = 2208
 85 | 
 86 |     while(counter >= 0):
 87 |         v2 = 48
 88 |         while v2:
 89 |             v4 = (v2 & 3) * 4
 90 |             xor = int(DWORD(xor_key, v4), 16)
 91 |             op1 = int(DWORD(buffer, counter + 4 * ((v2 - 1) & 3)), 16)
 92 |             op1 = round_dword(hex(op1 * 2))
 93 |             op2 = DWORD(buffer, counter + 4 * ((v2 + 1) & 3))
 94 |             newval = int(op1, 16) ^ int(op2, 16)
 95 |             value = v2 ^ xor ^ newval
 96 |             result = __ROR4__(value,  8)
 97 |             v2 = v2 - 1
 98 |             result = round_dword(
 99 |                 hex((result * 9) ^ int(DWORD(buffer, counter + v4), 16)))
100 |             result = round_dword(hex(xor ^ int(result, 16)))
101 | 
102 |             # Replace the buffer with the new value
103 |             replace_bytes(buffer, counter + v4, result)
104 | 
105 |         counter = counter - 1
106 |     return buffer
107 | 
108 | try:
109 |     if len(sys.argv) != 1:
110 |         f = open(sys.argv[1], 'rb')
111 |     else:
112 |         f = open('kb852310.dll', 'rb')
113 | except IOError as e:
114 |     print e
115 |     sys.exit(1)
116 | 
117 | buff = [ord(i) for i in f.read()]
118 | 
119 | decrypt_config(buff)
120 | 
121 | g = open('config.bin', 'wb')
122 | g.write(bytearray(buff))
123 | f.close()
124 | g.close()
125 | 


--------------------------------------------------------------------------------
/Python/Framework/decode_framework.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | 
 3 | # Copyright
 4 | # =========
 5 | # Copyright (C) 2015 Trustwave Holdings, Inc.
 6 | #
 7 | # This program is free software: you can redistribute it and/or modify
 8 | # it under the terms of the GNU General Public License as published by
 9 | # the Free Software Foundation, either version 3 of the License, or
10 | # (at your option) any later version.
11 | #
12 | # This program is distributed in the hope that it will be useful,
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 | # GNU General Public License for more details.
16 | #
17 | # You should have received a copy of the GNU General Public License
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>
19 | #
20 | #
21 | # Author: Eric Merritt
22 | # Date: 2015-30-11
23 | #
24 | # =Synopsis
25 | #
26 | # This is a python script to decrypt exfiltration dump files from a
27 | # FrameworkPoS variant
28 | #
29 | # Input: string or file
30 | #
31 | # Example: python decode_framework.py -f Perflib_Perfdata_f44.dat
32 | #
33 | # Example: python decode_framework.py cde8fee9cdd0dee9cdcdfce9cdfed2.c39992fd9e87ceebebf29dfe99fcd8.tt2.c8dcc4fecddec4d2c8c4dcc8c8cdd2fe.e6d2e8d2fecdd2cdcde8c4d2cdd2defcfce9e9d2cde8c4d2cdd2d2d2d2d2
34 | #
35 | # Output: stdout decoded lines
36 | 
37 | 
38 | def decode_string(line):
39 |     sub1 = "ILMxgTnvbzVtBiry3=X^KWQAG847oYdFZlR1NPe5j/mS0hODs.aU2qkCJ6H;wcu9fpE"
40 |     sub2 = "^=/0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklm;no.pqrstuvwxyz"
41 | 
42 |     data = line.split('.')
43 |     line = ''
44 | 
45 |     for hex_string in data:
46 |         if hex_string == 'tt2' or hex_string == 'tt1' or hex_string == 'notice':
47 |             line += hex_string + " "
48 |             continue
49 | 
50 |         try:
51 |             byte_array = bytearray(hex_string.decode('hex'))
52 |         except TypeError:
53 |             continue
54 |         for byte in byte_array:
55 |             try:
56 |                 line += str(sub2[sub1.index(chr(byte ^ 0xAA))])
57 |             except ValueError:
58 |                 continue
59 |         line += " "
60 |     print line
61 | # endef ############################
62 | 
63 | ###### Main ########################
64 | if '-f' in sys.argv:
65 |     exfil_file = sys.argv[2]
66 |     try:
67 |         lines = open(exfil_file).read().splitlines()
68 |     except IOError as e:
69 |         print e
70 |         sys.exit(1)
71 |     print "[+] Reading in FrameworkPoS Exfil file: %s\n" % sys.argv[2] + \
72 |         "=" * 90
73 |     for line in lines:
74 |         decode_string(line)
75 | elif len(sys.argv) == 2:
76 |     data = sys.argv[1]
77 |     print "[+] Decoding command line exfil"
78 |     decode_string(data)
79 | else:
80 |     print "[-] Usage: %s [-f file_name | encoded_line]" % sys.argv[0]
81 | 


--------------------------------------------------------------------------------
/README:
--------------------------------------------------------------------------------
1 | This repository was created as a way to provide the Information Security
2 | community with any tools or files related to malware analysis. 
3 | 
4 | Please note that no malicious files are being stored in the repository.
5 | 


--------------------------------------------------------------------------------
/Ruby/.placeholder:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SpiderLabs/malware-analysis/d5ac6334ef9721ad8e6c51a0db4fc1871e507799/Ruby/.placeholder


--------------------------------------------------------------------------------
/Ruby/Alina/.gitignore:
--------------------------------------------------------------------------------
 1 | # Compiled source #
 2 | ###################
 3 | *.com
 4 | *.class
 5 | *.dll
 6 | *.exe
 7 | *.o
 8 | *.so
 9 | 
10 | # Packages #
11 | ############
12 | *.7z
13 | *.dmg
14 | *.gz
15 | *.iso
16 | *.jar
17 | *.rar
18 | *.tar
19 | *.zip
20 | *.war
21 | *.ear
22 | 
23 | # Logs and databases #
24 | ######################
25 | *.log
26 | *.sql
27 | *.sqlite
28 | 
29 | # OS generated files #
30 | ######################
31 | .DS_Store?
32 | ehthumbs.db
33 | Icon?
34 | Thumbs.db
35 | *.DS_Store
36 | 
37 | # Xcode
38 | *.pbxuser
39 | *.mode1v3
40 | *.mode2v3
41 | *.perspectivev3
42 | *.xcuserstate
43 | project.xcworkspace/
44 | xcuserdata/
45 | 
46 | #Eclipse
47 | .classpath
48 | .project
49 | .settings
50 | 
51 | # Generated files
52 | /web-app/WEB-INF
53 | build/
54 | *.[oa]
55 | *.pyc
56 | 
57 | # Other source repository archive directories (protects when importing)
58 | .hg
59 | .svn
60 | CVS
61 | 
62 | # env files
63 | env/
64 | 
65 | # config folder
66 | config/
67 | 
68 | # automatic backup files
69 | *~.nib
70 | *.swp
71 | *~
72 | *(Autosaved).rtfd/
73 | Backup[ ]of[ ]*.pages/
74 | Backup[ ]of[ ]*.key/
75 | Backup[ ]of[ ]*.numbers/
76 | 


--------------------------------------------------------------------------------
/Ruby/Alina/alina.rb:
--------------------------------------------------------------------------------
  1 | # Copyright
  2 | # =========
  3 | # Copyright (C) 2013 Trustwave Holdings, Inc.
  4 | #
  5 | # This program is free software: you can redistribute it and/or modify
  6 | # it under the terms of the GNU General Public License as published by
  7 | # the Free Software Foundation, either version 3 of the License, or
  8 | # (at your option) any later version.
  9 | #
 10 | # This program is distributed in the hope that it will be useful,
 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 13 | # GNU General Public License for more details.
 14 | # 
 15 | # You should have received a copy of the GNU General Public License
 16 | # along with this program. If not, see <http://www.gnu.org/licenses/>
 17 | #
 18 | #
 19 | # alina.rb by Josh Grunzweig 10-04-2013
 20 | #
 21 | # =Synopsis
 22 | #
 23 | # This is a simple Ruby script that is designed to decode the network 
 24 | # traffic sent by the Alina POS malware. This script is designed to work on
 25 | # versions 5.2-6.0. It may work on newer versions as well, however, it has
 26 | # not been tested against these. 
 27 | #
 28 | # Example: ruby alina.rb -f file_containing_traffic.txt
 29 | #
 30 | # Example: ruby alina.rb -d "traffic_in_hex"
 31 | #
 32 | # Full Example:
 33 | # JGrunzweig> ruby alina.rb -d a9afebc6c3c4cb8adc9f8499aaaaaaaaaaaacf929b92939c989b8389dfdacecbdecfaaaaeeefe6e6f2feaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa78aaaaaac601038d0151505f041307530c1014555759515638255708140b5a1304040c1544555704515064255708140f5b1307530c1144555753515639255709140d5d1305550c1417555103515731255609140a081307550c141155540052
 34 | # Header Information
 35 | # ------------------
 36 | # Static Value: "\x03\x05"
 37 | # Alina Version: "Alina v5.3"
 38 | # Volume Serial: "e818962"
 39 | # Random Bytes: "1)"
 40 | # Command: "#update"
 41 | # Hostname: "DELLXT"
 42 | # Unknown: "\xD2\x00\x00\x00"
 43 | # Unknown: "l\xAB\xA9'"
 44 | # 
 45 | # Payload Decoded
 46 | # ---------------
 47 | # diag=[:88 <ea>] {[!29!]}{[!1!]}
 48 | # &
 49 | #
 50 | 
 51 | # Extend functions taken from Eric Monti's rbkb
 52 | # https://github.com/emonti/rbkb
 53 | class String
 54 | 	def unhexify(d=/\s*/)
 55 | 		self.strip.gsub(/([A-Fa-f0-9]{1,2})#{d}?/) { $1.hex.chr }
 56 | 	end
 57 | 
 58 | 	def xor(k)
 59 | 		i=0
 60 | 		self.bytes.map do |b|
 61 | 	  		x = k.getbyte(i) || k.getbyte(i=0)
 62 | 	  		i+=1
 63 | 			(b ^ x).chr
 64 | 		end.join
 65 | 	end
 66 | end
 67 | 
 68 | def usage
 69 | 	puts "Usage: ruby #{__FILE__} (-f|-d) (file|hex)"
 70 | 	exit 1
 71 | end
 72 | 
 73 | def decrypt(data)
 74 | 	decoded = data.xor("\xAA")
 75 | 	start = data[76..-1]
 76 | 	puts "Header Information"
 77 | 	puts "------------------"
 78 | 	puts "Static Value: #{decoded[0..1].inspect}"
 79 | 	puts "Alina Version: #{decoded[2..16].gsub("\x00",'').inspect}"
 80 | 	puts "Volume Serial: #{decoded[17..24].gsub("\x00",'').inspect}"
 81 | 	puts "Random Bytes: #{decoded[25..26].inspect}"
 82 | 	puts "Command: #{decoded[27..35].gsub("\x00",'').inspect}"
 83 | 	puts "Hostname: #{decoded[36..67].gsub("\x00",'').inspect}"
 84 | 	puts "Unknown: #{decoded[68..71].inspect}"
 85 | 	puts "Unknown: #{decoded[72..75].inspect}"
 86 | 	puts
 87 | 
 88 | 	c = 0
 89 | 	dataStr = ""
 90 | 	start.each_char do |x| 
 91 | 		dataStr << x.xor(decoded[(c % 18)+18])
 92 | 		c = c+1
 93 | 	end
 94 | 	puts "Payload Decoded"
 95 | 	puts "---------------"
 96 | 	puts dataStr.gsub(/\%([0-9a-f]{2})/){ $1.unhexify }
 97 | end
 98 | 
 99 | usage unless (opt = ARGV.shift)
100 | usage unless (opt.downcase=='-f' or opt.downcase=='-d')
101 | 	
102 | if (opt == '-f')
103 | 	usage unless (file = ARGV.shift)
104 | 	f = File.read(file)
105 | 	decrypt(f)
106 | elsif (opt == '-d')
107 | 	usage unless (data = ARGV.shift)
108 | 	decrypt(data.unhexify)
109 | end
110 | 


--------------------------------------------------------------------------------
/Ruby/Alina/spark.rb:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env ruby
  2 | #
  3 | # Copyright
  4 | # =========
  5 | # Copyright 2014 - Trustwave Holdings, All rights reserved
  6 | #
  7 | # This program is free software: you can redistribute it and/or modify
  8 | # it under the terms of the GNU General Public License as published by
  9 | # the Free Software Foundation, either version 3 of the License, or
 10 | # (at your option) any later version.
 11 | #
 12 | # This program is distributed in the hope that it will be useful,
 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 15 | # GNU General Public License for more details.
 16 | # 
 17 | # You should have received a copy of the GNU General Public License
 18 | # along with this program. If not, see <http://www.gnu.org/licenses/>
 19 | #
 20 | #
 21 | # spark.rb by Eric Merritt 12-08-2014
 22 | #
 23 | #
 24 | # == Requirement
 25 | # Utilizes ruby black bag gem by Eric Monti
 26 | # 
 27 | # https://github.com/emonti/rbkb
 28 | #
 29 | # == Description
 30 | # 	
 31 | # This is a simple Ruby script that is designed to decode the network
 32 | # traffic sent by Alina POS malware.  This script is designed to work
 33 | # on the Spark v1.1 variant
 34 | #
 35 | # Example: ruby spark.rb "traffic_in_hex
 36 | #
 37 | 
 38 | require "rbkb"
 39 | 
 40 | 
 41 | def parseFile(arr)
 42 | 
 43 | 	out = File.open("output.txt", "w")
 44 | 
 45 | 	#malware versioning info
 46 | 	printf "Malware ver: \tSpark v%d.%d\n", arr[0], arr[1]
 47 | 	out << "Malware ver:\tSpark v" << arr[0].to_i(16).to_s << "." << arr[1].to_i(16).to_s << "\n"
 48 | 
 49 | 	#user agent used
 50 | 	index = arr.index("20")
 51 | 	uagent = arr[0x2..index].join
 52 | 	printf "User Agent: \t%s\n", uagent.gsub(/../) { |pair| pair.hex.chr }
 53 | 	out << "User Agent: \t" << uagent.gsub(/../) { |pair| pair.hex.chr } << "\n"
 54 | 
 55 | 	#a unique identifier for the infected system
 56 | 	code = arr[index+2..index+12].join
 57 | 	index += 15
 58 | 	printf "Unique Code: \t%s\n", code.gsub(/../) { |pair| pair.hex.chr }
 59 | 	out << "Unique Code: \t" <<  code.gsub(/../) { |pair| pair.hex.chr } << "\n"
 60 | 
 61 | 	#types are cards and update
 62 | 	index2 = index + 6
 63 | 	fileType = arr[index..index2].join
 64 | 	printf "Filetype: \t%s\n", fileType.gsub(/../) { |pair| pair.hex.chr }
 65 | 	out << "Filetype: \t" << fileType.gsub(/../) { |pair| pair.hex.chr } << "\n"
 66 | 	
 67 | 	#hostname of the victim machine
 68 | 	index = index2 + 2
 69 | 	index2 = arr[index..arr.length].index("00") + index
 70 | 	hostname = arr[index..index2].join
 71 | 	printf "Vic Hostname: \t%s\n", hostname.gsub(/../) { |pair| pair.hex.chr }
 72 | 	out << "Vic Hostname: \t" << hostname.gsub(/../) { |pair| pair.hex.chr } << "\n"
 73 | 	
 74 | 	#card or diag(diagnostic?) data
 75 | 	index = 76
 76 | 	#should be card or diag
 77 | 	while not index == arr.length
 78 | 		index2 = arr[index..arr.length].index("3d") + index
 79 | 		comType = arr[index..index2-1].join
 80 | 		printf "command: \t%s => ", comType.gsub(/../) { |pair| pair.hex.chr }
 81 | 		out << "command: \t=> " << comType.gsub(/../) { |pair| pair.hex.chr } 
 82 | 
 83 | 		index = index2 + 1
 84 | 		index2 = arr[index..arr.length].index("26") + index
 85 | 		com = arr[index..index2-1]
 86 | 		com = com.join.gsub(/../) { |pair| pair.hex.chr }
 87 | 		printf "%s\n", com.urldec
 88 | 		out << com.urldec << "\n"
 89 | 
 90 | 		index = index2 + 1
 91 | 	end
 92 | 	out.close()
 93 | end
 94 | 
 95 | ###############################################
 96 | # 					Main					  #
 97 | ###############################################
 98 | 
 99 | if ARGV.include?("-h") or ARGV.include?("-?")
100 |   STDERR.puts "usage: #{File.basename($0)}  [filename]"
101 |   exit 1
102 | elsif fname = ARGV.shift
103 |   dat = File.open(fname, 'rb')
104 | else
105 |   STDERR.puts "usage: #{File.basename($0)}  [filename]"
106 |   exit 1
107 | end
108 | 
109 | line = Array.new
110 | newLine = Array.new
111 | out = File.open("output.raw", 'wb')
112 | 
113 | dat.each_char { |i|
114 | 	line.push(i.unpack("H2")[0])
115 | }
116 | 
117 | #Get the key out of the encoded bytes
118 | xorKey = line[0x12..0x23]
119 | 
120 | #xor the whole thing by 0xAA
121 | line.each_with_index{ |i, index|
122 | 	newLine.push(i.unhexify.xor("\xAA").chr.hexify)
123 | }
124 | 
125 | #running XOR key over the remaining bytes
126 | counter = 0
127 | 
128 | #decode the other half of the POST
129 | newLine.each_with_index { |val, index|
130 | 	#First 76 bytes are header information and are decoded by the above 0xAA XOR key
131 | 	if(index > 75)
132 | 		newLine[index] = val.unhexify.xor(xorKey[counter % 18].unhexify).chr.hexify
133 | 		counter += 1
134 | 	end	
135 | }
136 | 
137 | #write to output.raw
138 | newLine.each{ |i|
139 | 	out.write(i.unhexify)
140 | }
141 | out.close
142 | 
143 | #parse the input 
144 | parseFile(newLine)
145 | 
146 | puts "\n\nRaw text:\toutput.raw\nFormatted text:\toutput.txt"
147 | 


--------------------------------------------------------------------------------
/Ruby/Dexter/dexter_decode.rb:
--------------------------------------------------------------------------------
 1 | # Copyright
 2 | # =========
 3 | # Copyright (C) 2012 Trustwave Holdings, Inc.
 4 | #
 5 | # This program is free software: you can redistribute it and/or modify
 6 | # it under the terms of the GNU General Public License as published by
 7 | # the Free Software Foundation, either version 3 of the License, or
 8 | # (at your option) any later version.
 9 | #
10 | # This program is distributed in the hope that it will be useful,
11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | # GNU General Public License for more details.
14 | # 
15 | # You should have received a copy of the GNU General Public License
16 | # along with this program. If not, see <http://www.gnu.org/licenses/>
17 | #
18 | #
19 | # dexter_decode.rb by Josh Grunzweig 12-27-2012
20 | #
21 | # =Synopsis
22 | #
23 | # This is a simple Ruby script that is designed to take the POST data sent by
24 | # the Dexter malware, and decode the data present using the Base64 encoded
25 | # key that is supplied. More information about how this data is decoded, and
26 | # what values are present can be found here: 
27 | # http://blog.spiderlabs.com/2012/12/the-dexter-malware-getting-your-hands-dirty.html
28 | #
29 | # This script was tested against cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785,
30 | # however, it may work against other variants as well. 
31 | #
32 | # Example: ruby dexter_decode.rb 'page=AwICB1VWVwRMUVVYVUxVUwAHTABWAFZMUVJTUlECWAVVVlVU&val=ZnJ0a2o='
33 | # KEY: frtkj
34 | # ["page", "bccf476e-0494-42af-a7a7-03230c9d4745"]
35 | #
36 | 
37 | 
38 | require 'base64'
39 | 
40 | class String
41 |   # Taken from Eric Monti's excellent Ruby Black Bag Ruby gem. More information
42 |   # about this gem can be found here: https://github.com/emonti/rbkb
43 |   #
44 |   # xor against a key. key will be repeated or truncated to self.size.
45 |   def xor(k)
46 |     i=0
47 |     self.bytes.map do |b|
48 |       x = k.getbyte(i) || k.getbyte(i=0)
49 |       i+=1 
50 |       (b ^ x).chr
51 |     end.join
52 |   end
53 | end
54 | 
55 | string = ARGV.shift
56 | unless string
57 |   puts "Usage: ruby dexter_decode.rb <POST_DATA>"
58 |   exit
59 | end
60 | 
61 | key = ""
62 | params = string.split("&")
63 | params.each do |param|
64 |   param.scan(/^(\w+)=(\S+)$/) do |name, str|
65 |     if name == "val"
66 |       key = Base64.decode64(str)
67 |     end
68 |   end
69 | end
70 | 
71 | puts "KEY: #{key}"
72 | 
73 | params = string.split("&")
74 | params.each do |param|
75 |   param.scan(/^(\w+)=(\S+)$/) do |name, str|
76 |     b64_decoded = Base64.decode64(str)
77 |     res_var = ""
78 |     b64_decoded.each_char do |char|
79 |       var = char
80 |       key.each_char do |key_char|
81 |         var = var.xor(key_char)
82 |       end
83 |       res_var << var
84 |     end
85 |     p [name, res_var] unless name == "val"
86 |   end
87 | end
88 | 
89 | 


--------------------------------------------------------------------------------
/Ruby/FinSpy/README:
--------------------------------------------------------------------------------
 1 | FinSpy Helper Scripts
 2 | =====================
 3 | 
 4 | The following three scripts are contained in this folder which may be used to
 5 | assist the aspiring reverse engineer who wishes to investigate Android samples
 6 | which belong to the FinSpy family.
 7 | 
 8 | * extractConfig.rb: Extract the raw configuration from a FinSpy APK
 9 | * parseConfig.rb: Take the previously extracted config and parse it
10 | * writeConfig.rb: Overwrite a FinSpy APK configuration with one of your choosing
11 | 


--------------------------------------------------------------------------------
/Ruby/FinSpy/extractConfig.rb:
--------------------------------------------------------------------------------
 1 | # Copyright
 2 | # =========
 3 | # Copyright (C) 2012 Trustwave Holdings, Inc.
 4 | #
 5 | # This program is free software: you can redistribute it and/or modify
 6 | # it under the terms of the GNU General Public License as published by
 7 | # the Free Software Foundation, either version 3 of the License, or
 8 | # (at your option) any later version.
 9 | #
10 | # This program is distributed in the hope that it will be useful,
11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | # GNU General Public License for more details.
14 | # 
15 | # You should have received a copy of the GNU General Public License
16 | # along with this program. If not, see <http://www.gnu.org/licenses/>
17 | #
18 | #
19 | # extractConfig.rb by Josh Grunzweig 9-30-2012
20 | #
21 | # =Synopsis
22 | #
23 | # This is a simple Ruby script that is designed to pull out, or extract, the 
24 | # configuration from an Android FinSpy sample.
25 | #
26 | # The configuration file is piped to STDOUT, but it is of course trivial to 
27 | # have it sent to a file instead.
28 | #
29 | # Example: ruby extractConfig.rb finSpy.apk > config.dat
30 | #
31 | # Once the configuration has been extracted, it can be manipulated in a hex
32 | # editor, or parsed using the accompanying parseConfig.rb Ruby script.
33 | #
34 | 
35 | require 'base64'
36 | 
37 | file = ARGV.shift
38 | unless file
39 |   puts "Usage: extractConfig.rb <finspy_sample>"
40 |   exit
41 | end
42 | 
43 | f = File.new(file, 'rb')
44 | fd = f.read
45 | str = fd.scan(/PK\x01\x02.{32}(.{6})(.{4}assets\/Configurations\/dumms\d+\.dat)/m).collect{|x| x[0].to_s}.join
46 | str.gsub!("\u0000",'')
47 | puts Base64.decode64(str)
48 | f.close
49 | 


--------------------------------------------------------------------------------
/Ruby/FinSpy/parseConfig.rb:
--------------------------------------------------------------------------------
  1 | # Copyright
  2 | # =========
  3 | # Copyright (C) 2012 Trustwave Holdings, Inc.
  4 | #
  5 | # This program is free software: you can redistribute it and/or modify
  6 | # it under the terms of the GNU General Public License as published by
  7 | # the Free Software Foundation, either version 3 of the License, or
  8 | # (at your option) any later version.
  9 | #
 10 | # This program is distributed in the hope that it will be useful,
 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 13 | # GNU General Public License for more details.
 14 | # 
 15 | # You should have received a copy of the GNU General Public License
 16 | # along with this program. If not, see <http://www.gnu.org/licenses/>
 17 | #
 18 | #
 19 | # parseConfig.rb by Josh Grunzweig 9-30-2012
 20 | #
 21 | # =Synopsis
 22 | #
 23 | # This is a simple Ruby script that is designed to parse the configuration from 
 24 | # an Android FinSpy sample. A lookup table is utilized to determine types of 
 25 | # data within the configuration file, and all results are put into STDOUT.
 26 | #
 27 | # The script makes use of two functions from Eric Monti's rbkb library (credited
 28 | # below).
 29 | #
 30 | 
 31 | file = ARGV.shift
 32 | 
 33 | unless file
 34 |   puts "Usage: ruby parseConfig.rb <config_file>"
 35 |   exit
 36 | end
 37 | 
 38 | hFile = File.open(file, "rb")
 39 | fileData = hFile.read
 40 | 
 41 | @nHash = {4522400=>"TlvTypeMobileTrackingStartRequest",
 42 |  4522656=>"TlvTypeMobileTrackingStopRequest",
 43 |  4523376=>"TlvTypeMobileTrackingDataV10",
 44 |  4535200=>"TlvTypeMobileTrackingConfig",
 45 |  4535440=>"TlvTypeMobileTrackingConfigRaw",
 46 |  4538432=>"TlvTypeMobileTrackingTimeInterval",
 47 |  4538688=>"TlvTypeMobileTrackingDistance",
 48 |  4538928=>"TlvTypeMobileTrackingSendOnAnyChannel",
 49 |  6291872=>"TlvTypeMobileLoggingMetaInfo",
 50 |  6292096=>"TlvTypeMobileLoggingData",
 51 |  4456864=>"TlvTypeMobileBlackberryMessengerMetaInfo",
 52 |  4457088=>"TlvTypeMobileBlackberryMessengerData",
 53 |  4457328=>"TlvTypeMobileBlackberryMsChatID",
 54 |  4457600=>"TlvTypeMobileBlackberryMsConversationPartners",
 55 |  4587936=>"TlvTypeMobilePhoneCallLogsMetaInfo",
 56 |  4588192=>"TlvTypeMobilePhoneCallLogsData",
 57 |  4588400=>"TlvTypeMobilePhoneCallLogsType",
 58 |  4588672=>"TlvTypeMobilePhoneCallAdditionalInformation",
 59 |  4588912=>"TlvTypeMobilePhoneCallLogsCallerNumber",
 60 |  4589168=>"TlvTypeMobilePhoneCallLogsCalleeNumber",
 61 |  4589440=>"TlvTypeMobilePhoneCallLogsCallerName",
 62 |  4589696=>"TlvTypeMobilePhoneCallLogsCalleeName",
 63 |  4591680=>"TlvTypeMobilePhoneCallLogLastEntryEndtime",
 64 |  4325792=>"TlvTypeMobileSMSMetaInfo",
 65 |  4326016=>"TlvTypeMobileSMSData",
 66 |  4326256=>"TlvTypeSMSSenderNumber",
 67 |  4326512=>"TlvTypeSMSRecipientNumber",
 68 |  4326768=>"TlvTypeSMSDirection",
 69 |  4326528=>"TlvTypeSMSInformation",
 70 |  4391328=>"TlvTypeMobileAddressBookMetaInfo",
 71 |  4391552=>"TlvTypeMobileAddressBookData",
 72 |  4407360=>"TlvTypeMobileAddressBookChecksum",
 73 |  8978752=>"TlvTypeMobileProxyMasterCommSig",
 74 |  8979104=>"TlvTypeMobileProxyMasterComm",
 75 |  8979360=>"TlvTypeMobileMasterProxyComm",
 76 |  8979616=>"TlvTypeProxyMasterMobileHeartBeatAnswer",
 77 |  8979872=>"TlvTypeMobileMasterProxyCommNotification",
 78 |  8782176=>"TlvTypeProxyMobileTargetCommSig",
 79 |  8782496=>"TlvTypeProxyMobileTargetComm",
 80 |  8782752=>"TlvTypeProxyMasterMobileTargetComm",
 81 |  1507744=>"TlvTypeAccessedFileMetaInfo",
 82 |  1507968=>"TlvTypeAccessedFileAccessTime",
 83 |  1508224=>"TlvTypeAccessedFileAccessEvent",
 84 |  1508496=>"TlvTypeAccessedFileRecording",
 85 |  1508736=>"TlvTypeAccessedApplicationName",
 86 |  1508912=>"TlvTypeConfigRecordImagesFromExplorer",
 87 |  1519776=>"TlvTypeGetAccessedConfigRequest",
 88 |  1520032=>"TlvTypeAccessedConfigReply",
 89 |  1520288=>"TlvTypeSetAccessedConfigRequest",
 90 |  1520448=>"TlvTypeConfigAccessedEvents",
 91 |  2240672=>"TlvTypeGetMouseClicksConfigRequest",
 92 |  2240928=>"TlvTypeMouseClicksConfigReply",
 93 |  2241184=>"TlvTypeSetMouseClicksConfigRequest",
 94 |  2228640=>"TlvTypeMouseClicksMetaInfo",
 95 |  2228896=>"TlvTypeMouseClicksFrame",
 96 |  2232448=>"TlvTypeMouseClicksEncodingType",
 97 |  2232896=>"TlvTypeConfigMouseClicksRectangle",
 98 |  2233152=>"TlvTypeConfigMouseClicksSensitivity",
 99 |  2233408=>"TlvTypeConfigMouseClicksType",
100 |  2175136=>"TlvTypeGetVoIPConfigRequest",
101 |  2175392=>"TlvTypeVoIPConfigReply",
102 |  2175648=>"TlvTypeSetVoIPConfigRequest",
103 |  2163104=>"TlvTypeVoIPMetaInfo",
104 |  2166912=>"TlvTypeVoIPEncodingType",
105 |  2167168=>"TlvTypeVoIPSessionType",
106 |  2167424=>"TlvTypeVoIPApplicationName",
107 |  2167696=>"TlvTypeVoIPAppScreenshot",
108 |  2167952=>"TlvTypeVoIPAudioRecording",
109 |  2168112=>"TlvTypeConfigVoIPScreenshotEnabled",
110 |  2109600=>"TlvTypeGetForensicsConfigRequest",
111 |  2109856=>"TlvTypeForensicsConfigReply",
112 |  2110112=>"TlvTypeSetForensicsConfigRequest",
113 |  2097568=>"TlvTypeUploadForensicsApplicationRequest",
114 |  2097824=>"TlvTypeUploadForensicsApplicationReply",
115 |  2098080=>"TlvTypeUploadForensicsApplicationChunk",
116 |  2098336=>"TlvTypeUploadForensicsApplicationDoneRequest",
117 |  2098592=>"TlvTypeUploadForensicsApplicationDoneReply",
118 |  2101664=>"TlvTypeRemoveForensicsApplicationRequest",
119 |  2101920=>"TlvTypeRemoveForensicsApplicationReply",
120 |  2105760=>"TlvTypeForensicsAppExecuteRequest",
121 |  2106016=>"TlvTypeForensicsAppExecuteReply",
122 |  2106272=>"TlvTypeForensicsAppExecuteResult",
123 |  2106528=>"TlvTypeForensicsAppExecuteResultChunk",
124 |  2106784=>"TlvTypeForensicsAppExecuteResultDone",
125 |  2107040=>"TlvTypeForensicsCancelAppExecuteRequest",
126 |  2107296=>"TlvTypeForensicsCancelAppExecuteReply",
127 |  2113680=>"TlvTypeConfigForensicsApplicationInfoGeneric",
128 |  2113952=>"TlvTypeConfigForensicsApplicationInfo",
129 |  2117760=>"TlvTypeConfigForensicsApplicationName",
130 |  2117952=>"TlvTypeConfigForensicsApplicationSize",
131 |  2118208=>"TlvTypeConfigForensicsApplicationID",
132 |  2118528=>"TlvTypeConfigForensicsApplicationCmdline",
133 |  2118784=>"TlvTypeConfigForensicsApplicationOutput",
134 |  2118976=>"TlvTypeConfigForensicsApplicationTimeout",
135 |  2119232=>"TlvTypeConfigForensicsApplicationVersion",
136 |  2119552=>"TlvTypeForensicsFriendlyName",
137 |  2119808=>"TlvTypeConfigForensicsApplicationOutputPrepend",
138 |  2120064=>"TlvTypeConfigForensicsApplicationOutputContentType",
139 |  1638816=>"TlvTypeDeletedFileMetaInfo",
140 |  1639296=>"TlvTypeDeletedFileDeletionTime",
141 |  1639552=>"TlvTypeDeletedFileRecycleBin",
142 |  1639808=>"TlvTypeDeletedMethod",
143 |  1640064=>"TlvTypeDeletedApplicationName",
144 |  1640336=>"TlvTypeDeletedFileRecording",
145 |  1650848=>"TlvTypeGetDeletedConfigRequest",
146 |  1651104=>"TlvTypeDeletedConfigReply",
147 |  1651360=>"TlvTypeSetDeletedConfigRequest",
148 |  1573280=>"TlvTypePrintFileMetaInfo",
149 |  1573520=>"TlvTypePrintFrame",
150 |  1581184=>"TlvTypePrintApplicationName",
151 |  1581440=>"TlvTypePrintFilename",
152 |  1581696=>"TlvTypePrintEncodingType",
153 |  1585312=>"TlvTypeGetPrintConfigRequest",
154 |  1585568=>"TlvTypePrintConfigReply",
155 |  1585824=>"TlvTypeSetPrintConfigRequest",
156 |  1442208=>"TlvTypeChangedFileMetaInfo",
157 |  1442432=>"TlvTypeChangedFileChangeTime",
158 |  1442688=>"TlvTypeChangedFileChangeEvent",
159 |  1442960=>"TlvTypeChangedFileRecording",
160 |  1454240=>"TlvTypeGetChangedConfigRequest",
161 |  1454496=>"TlvTypeChangedConfigReply",
162 |  1454752=>"TlvTypeSetChangedConfigRequest",
163 |  1454912=>"TlvTypeConfigChangedEvents",
164 |  1311136=>"TlvTypeSkypeAudioMetaInfo",
165 |  1311376=>"TlvTypeSkypeAudioRecording",
166 |  1311648=>"TlvTypeSkypeTextRecording",
167 |  1311904=>"TlvTypeSkypeFileMetaInfo",
168 |  1312144=>"TlvTypeSkypeFileRecording",
169 |  1312416=>"TlvTypeSkypeContactsRecording",
170 |  1312640=>"TlvTypeSkypeContactsUserData",
171 |  1323168=>"TlvTypeGetSkypeConfigRequest",
172 |  1323424=>"TlvTypeSkypeConfigReply",
173 |  1323680=>"TlvTypeSetSkypeConfigRequest",
174 |  1324336=>"TlvTypeConfigSkypeAudioEnable",
175 |  1324592=>"TlvTypeConfigSkypeTextEnable",
176 |  1324848=>"TlvTypeConfigSkypeFileEnable",
177 |  1325104=>"TlvTypeConfigSkypeContactsListEnable",
178 |  1327232=>"TlvTypeSkypeAudioEncodingType",
179 |  1327488=>"TlvTypeSkypeLoggedInUserAccountName",
180 |  1327744=>"TlvTypeSkypeConversationPartnerAccountName",
181 |  1328000=>"TlvTypeSkypeConversationPartnerDisplayName",
182 |  1328256=>"TlvTypeSkypeChatMembers",
183 |  1328512=>"TlvTypeSkypeTextMessage",
184 |  1328768=>"TlvTypeSkypeChatID",
185 |  1329024=>"TlvTypeSkypeSenderAccountName",
186 |  1329280=>"TlvTypeSkypeSenderDisplayName",
187 |  1329536=>"TlvTypeSkypeIncoming",
188 |  1329792=>"TlvTypeSkypeSessionType",
189 |  1192096=>"TlvTypeGetKeyloggerConfigRequest",
190 |  1192352=>"TlvTypeKeyloggerConfigReply",
191 |  1192608=>"TlvTypeSetKeyloggerConfigRequest",
192 |  1180064=>"TlvTypeStartKeyLoggingRequest",
193 |  1180320=>"TlvTypeStartKeyLoggingReply",
194 |  1180576=>"TlvTypeKeyLoggingFrame",
195 |  1180832=>"TlvTypeStopKeyLoggingRequest",
196 |  1181088=>"TlvTypeKeyLoggingStoppedReply",
197 |  1196416=>"TlvTypeKLFrameData",
198 |  1126560=>"TlvTypeGetVideoConfigRequest",
199 |  1126816=>"TlvTypeVideoConfigReply",
200 |  1127072=>"TlvTypeSetVideoConfigRequest",
201 |  1114528=>"TlvTypeStartScreenRequest",
202 |  1114784=>"TlvTypeStartScreenReply",
203 |  1115040=>"TlvTypeScreenFrame",
204 |  1115296=>"TlvTypeStopScreenRequest",
205 |  1115552=>"TlvTypeScreenStoppedReply",
206 |  1115808=>"TlvTypeStartScreenRecording",
207 |  1122720=>"TlvTypeStartWebCamRequest",
208 |  1122976=>"TlvTypeStartWebCamReply",
209 |  1123232=>"TlvTypeWebCamFrame",
210 |  1123488=>"TlvTypeStopWebCamRequest",
211 |  1123744=>"TlvTypeWebCamStoppedReply",
212 |  1124000=>"TlvTypeStartWebCamRecording",
213 |  1130560=>"TlvTypeVDFrameID",
214 |  1130896=>"TlvTypeVDFrameData",
215 |  1131136=>"TlvTypeOriginalVideoResolution",
216 |  1131392=>"TlvTypeVideoResolution",
217 |  1066112=>"TlvTypeVideoSessionType",
218 |  1066368=>"TlvTypeVideoEncodingType",
219 |  1132160=>"TlvTypeAutomaticRecordingUID",
220 |  1061024=>"TlvTypeGetAudioConfigRequest",
221 |  1061280=>"TlvTypeAudioConfigReply",
222 |  1061536=>"TlvTypeSetAudioConfigRequest",
223 |  1048992=>"TlvTypeStartMicrophoneRequest",
224 |  1049248=>"TlvTypeStartMicrophoneReply",
225 |  1049504=>"TlvTypeMicrophoneFrame",
226 |  1049760=>"TlvTypeStopMicrophoneRequest",
227 |  1050016=>"TlvTypeMicrophoneStoppedReply",
228 |  1050272=>"TlvTypeStartMicrophoneRecording",
229 |  1052736=>"TlvTypeMICFrameID",
230 |  1053072=>"TlvTypeMICFrameData",
231 |  1053312=>"TlvTypeAudioSessionType",
232 |  1053568=>"TlvTypeAudioEncodingType",
233 |  328096=>"TlvTypeGetSchedulerConfigRequest",
234 |  328352=>"TlvTypeSchedulerConfigReply",
235 |  328608=>"TlvTypeSetSchedulerConfigRequest",
236 |  331920=>"TlvTypeSchedulerTask",
237 |  332192=>"TlvTypeSchedulerTaskRecordByTime",
238 |  332448=>"TlvTypeSchedulerTaskRecordScreenWhenAppRuns",
239 |  332704=>"TlvTypeSchedulerTaskRecordMicWhenAppUsesIt",
240 |  332960=>"TlvTypeSchedulerTaskRecordWebCamWhenAppUsesIt",
241 |  360592=>"TlvTypeSCHTaskConfiguration",
242 |  360752=>"TlvTypeSCHTaskEnabled",
243 |  361344=>"TlvTypeSCHTaskStartDateTime",
244 |  361600=>"TlvTypeSCHTaskStopDateTime",
245 |  362112=>"TlvTypeSCHApplicationName",
246 |  362288=>"TlvTypeSCHApplicationWindowOnly",
247 |  299168=>"TlvTypeGetCmdLineConfigRequest",
248 |  299424=>"TlvTypeCmdLineConfigReply",
249 |  299680=>"TlvTypeSetCmdLineConfigRequest",
250 |  262560=>"TlvTypeStartCmdLineSessionRequest",
251 |  262816=>"TlvTypeStartCmdLineSessionReply",
252 |  263072=>"TlvTypeStopCmdLineSessionRequest",
253 |  263328=>"TlvTypeCmdLineSessionStoppedReply",
254 |  263584=>"TlvTypeCmdLineExecute",
255 |  263840=>"TlvTypeCmdLineExecutionResult",
256 |  266352=>"TlvTypeCmdLineExecuteCommand",
257 |  266560=>"TlvTypeCmdLineExecuteAnswerID",
258 |  266864=>"TlvTypeCmdLineExecuteAnswerData",
259 |  168096=>"TlvTypeGetFileSystemConfigRequest",
260 |  168352=>"TlvTypeFileSystemConfigReply",
261 |  168608=>"TlvTypeSetFileSystemConfigRequest",
262 |  131488=>"TlvTypeGetAllDrivesRequest",
263 |  131744=>"TlvTypeGetAllDrivesReply",
264 |  135328=>"TlvTypeGetFolderContentsRequest",
265 |  135584=>"TlvTypeGetFolderContentsReply",
266 |  135840=>"TlvTypeGetFolderContentsNext",
267 |  136096=>"TlvTypeGetFolderContentsEnd",
268 |  139424=>"TlvTypeDownloadFileRequest",
269 |  139680=>"TlvTypeCancelDownloadFileRequest",
270 |  139936=>"TlvTypeDownloadFileReply",
271 |  140192=>"TlvTypeDownloadFileNext",
272 |  140448=>"TlvTypeDownloadFileEnd",
273 |  140704=>"TlvTypeCancelDownloadFileReply",
274 |  143520=>"TlvTypeUploadFileRequest",
275 |  143776=>"TlvTypeCancelUploadFileRequest",
276 |  144032=>"TlvTypeUploadFileReply",
277 |  144288=>"TlvTypeUploadFileNext",
278 |  144544=>"TlvTypeUploadFileEnd",
279 |  144800=>"TlvTypeUploadFileCompleted",
280 |  145056=>"TlvTypeCancelUploadFileReply",
281 |  147616=>"TlvTypeDeleteFileRequest",
282 |  147872=>"TlvTypeDeleteFileReply",
283 |  151968=>"TlvTypeSearchFileRequest",
284 |  152224=>"TlvTypeSearchFileReply",
285 |  152480=>"TlvTypeSearchFileNext",
286 |  152736=>"TlvTypeSearchFileEnd",
287 |  152992=>"TlvTypeCancelSearchFileRequest",
288 |  153248=>"TlvTypeCancelSearchFileReply",
289 |  159888=>"TlvTypeFSFileDataChunk",
290 |  160128=>"TlvTypeFSDiskDrive",
291 |  160384=>"TlvTypeFSFullPath",
292 |  160640=>"TlvTypeFSFilename",
293 |  160896=>"TlvTypeFSFileExtension",
294 |  161088=>"TlvTypeFSDiskDriveType",
295 |  161408=>"TlvTypeFSFileSize",
296 |  161584=>"TlvTypeFSIsFolder",
297 |  161840=>"TlvTypeFSReadOnly",
298 |  162096=>"TlvTypeFSHidden",
299 |  162352=>"TlvTypeFSSystem",
300 |  162688=>"TlvTypeFSFileCreationTime",
301 |  162944=>"TlvTypeFSFileLastAccessTime",
302 |  163200=>"TlvTypeFSFileLastWriteTime",
303 |  163472=>"TlvTypeFSFullPathM",
304 |  8978848=>"TlvTypeMasterMobileTargetConn",
305 |  7471520=>"TlvTypeMasterTargetConn",
306 |  7405984=>"TlvTypeMasterAgentLogin",
307 |  7406240=>"TlvTypeMasterAgentLoginAnswer",
308 |  7406752=>"TlvTypeMasterAgentTargetList",
309 |  7407008=>"TlvTypeMasterAgentTargetOnlineList",
310 |  7407264=>"TlvTypeMasterAgentTargetInfoReply",
311 |  7407520=>"TlvTypeMasterAgentUserList",
312 |  7407776=>"TlvTypeMasterAgentUserListReply",
313 |  7408032=>"TlvTypeMasterAgentTargetArchivedList",
314 |  7408288=>"TlvTypeMasterAgentTargetListEx",
315 |  7408544=>"TlvTypeMasterAgentTargetOnlineListEx",
316 |  7408800=>"TlvTypeMasterAgentMobileTargetArchivedList",
317 |  7409056=>"TlvTypeMasterAgentMobileTargetList",
318 |  7409312=>"TlvTypeMasterAgentMobileTargetOnlineList",
319 |  7409824=>"TlvTypeMasterAgentQueryFirst",
320 |  7410080=>"TlvTypeMasterAgentQueryNext",
321 |  7410336=>"TlvTypeMasterAgentQueryLast",
322 |  7410592=>"TlvTypeMasterAgentQueryAnswer",
323 |  7410848=>"TlvTypeMasterAgentRemoveRecord",
324 |  7411104=>"TlvTypeMasterAgentTargetInfoExReply",
325 |  7411344=>"TlvTypeTargetInfoExProperty",
326 |  7411616=>"TlvTypeTargetInfoExPropertyValue",
327 |  7411840=>"TlvTypeTargetInfoExPropertyValueName",
328 |  7411968=>"TlvTypeTargetInfoExPropertyValueData",
329 |  7412384=>"TlvTypeMasterAgentAlarm",
330 |  7413920=>"TlvTypeMasterAgentRetrieveData",
331 |  7414176=>"TlvTypeMasterAgentRetrieveDataAnswer",
332 |  7414432=>"TlvTypeMasterAgentRemoveUser",
333 |  7414688=>"TlvTypeMasterAgentRemoveTarget",
334 |  7414944=>"TlvTypeMasterAgentRetrieveDataComments",
335 |  7415200=>"TlvTypeMasterAgentUpdateDataComments",
336 |  7415712=>"TlvTypeMasterAgentRetrieveActivityLogging",
337 |  7415968=>"TlvTypeMasterAgentRetrieveMasterLogging",
338 |  7416224=>"TlvTypeMasterAgentRetrieveAgentActivityLogging",
339 |  7417248=>"TlvTypeMasterAgentSendUserGUIConfig",
340 |  7417504=>"TlvTypeMasterAgentGetUserGUIConfigRequest",
341 |  7417760=>"TlvTypeMasterAgentGetUserGUIConfigReply",
342 |  7418016=>"TlvTypeMasterAgentProxyList",
343 |  7418272=>"TlvTypeMasterAgentProxyInfoReply",
344 |  7419040=>"TlvTypeMasterAgentNameValuePacket",
345 |  7419248=>"TlvTypeMasterAgentValueName",
346 |  7419392=>"TlvTypeMasterAgentValueData",
347 |  7419808=>"TlvTypeMasterAgentRetrieveTargetHistory",
348 |  7421088=>"TlvTypeMasterAgentInstallMasterLicense",
349 |  7421344=>"TlvTypeMasterAgentInstallSoftwareUpdate",
350 |  7421600=>"TlvTypeMasterAgentInstallSoftwareUpdateChunk",
351 |  7421856=>"TlvTypeMasterAgentInstallSoftwareUpdateDone",
352 |  7422112=>"TlvTypeMasterAgentSoftwareUpdateInfo",
353 |  7422368=>"TlvTypeMasterAgentSoftwareUpdateInfoReply",
354 |  7422624=>"TlvTypeMasterAgentSoftwareUpdate",
355 |  7422880=>"TlvTypeMasterAgentSoftwareUpdateReply",
356 |  7423136=>"TlvTypeMasterAgentSoftwareUpdateNext",
357 |  7423392=>"TlvTypeMasterAgentAddTimeSchedule",
358 |  7423648=>"TlvTypeMasterAgentAddScreenSchedule",
359 |  7423904=>"TlvTypeMasterAgentAddLockedSchedule",
360 |  7424160=>"TlvTypeMasterAgentRemoveSchedule",
361 |  7424416=>"TlvTypeMasterAgentGetSchedulerList",
362 |  7424672=>"TlvTypeMasterAgentSchedulerTimeAction",
363 |  7424928=>"TlvTypeMasterAgentSchedulerScreenAction",
364 |  7425184=>"TlvTypeMasterAgentSchedulerLockedAction",
365 |  7425440=>"TlvTypeMasterAgentProjectSoftwareUpdateInfo",
366 |  7425696=>"TlvTypeMasterAgentProjectSoftwareUpdateInfoReply",
367 |  7425952=>"TlvTypeMasterAgentProjectSoftwareUpdate",
368 |  7426112=>"TlvTypeMasterAgentSchedulerID",
369 |  7426368=>"TlvTypeMasterAgentSchedulerStartTime",
370 |  7426624=>"TlvTypeMasterAgentSchedulerStopTime",
371 |  7427488=>"TlvTypeMasterAgentAddRecordedDataAvailableSchedule",
372 |  7427744=>"TlvTypeMasterAgentSchedulerRecordedDataAvailableAction",
373 |  7428256=>"TlvTypeMasterAgentRetrieveRemoteMasterData",
374 |  7428512=>"TlvTypeMasterAgentRetrieveRemoteMasterDataReply",
375 |  7428768=>"TlvTypeMasterAgentDeleteRemoteMasterData",
376 |  7429024=>"TlvTypeMasterAgentRetrieveOfflineMasterData",
377 |  7429280=>"TlvTypeMasterAgentRetrieveOfflineMasterDataReply",
378 |  7429536=>"TlvTypeMasterAgentDeleteOfflineMasterData",
379 |  7430304=>"TlvTypeMasterAgentQueryFirstEx",
380 |  7430560=>"TlvTypeMasterAgentQueryNextEx",
381 |  7430816=>"TlvTypeMasterAgentQueryLastEx",
382 |  7431072=>"TlvTypeMasterAgentQueryAnswerEx",
383 |  7431328=>"TlvTypeMasterAgentSendUserPreferences",
384 |  7431584=>"TlvTypeMasterAgentGetUserPreferencesRequest",
385 |  7431840=>"TlvTypeMasterAgentGetUserPreferencesReply",
386 |  7432096=>"TlvTypeMasterAgentListMCFilesRequest",
387 |  8415392=>"TlvTypeMasterAgentListMCFilesReply",
388 |  7432608=>"TlvTypeMasterAgentDeleteMCFiles",
389 |  7432864=>"TlvTypeMasterAgentSendMCFiles",
390 |  7433120=>"TlvTypeMasterAgentMCStatisticsRequest",
391 |  7433376=>"TlvTypeMasterAgentMCStatisticsReply",
392 |  7433616=>"TlvTypeMasterAgentMCStatisticsValues",
393 |  7434400=>"TlvTypeMasterAgentTrojanKeyRequest",
394 |  7434656=>"TlvTypeMasterAgentTrojanKeyReply",
395 |  7434912=>"TlvTypeMasterAgentEvProtectionX509Request",
396 |  7435168=>"TlvTypeMasterAgentEvProtectionX509Reply",
397 |  7435424=>"TlvTypeMasterAgentEvProtectionImportCert",
398 |  7435680=>"TlvTypeMasterAgentEvProtectionImportCertCompleted",
399 |  7435936=>"TlvTypeMasterAgentConfigurationRequest",
400 |  7436192=>"TlvTypeMasterAgentConfigurationReply",
401 |  7436448=>"TlvTypeMasterAgentConfigurationUpdateRequest",
402 |  7436704=>"TlvTypeMasterAgentConfigurationUpdateRequestCompleted",
403 |  7436944=>"TlvTypeMasterAgentConfiguration",
404 |  7437216=>"TlvTypeMasterAgentConfigurationValue",
405 |  7437424=>"TlvTypeMasterAgentConfigurationValueName",
406 |  7437568=>"TlvTypeMasterAgentConfigurationValueData",
407 |  7437984=>"TlvTypeMasterAgentConfigurationTransferDone",
408 |  7438496=>"TlvTypeMasterAgentRetrieveTargetFile",
409 |  7438752=>"TlvTypeMasterAgentRetrieveTargetFileAnswer",
410 |  7438912=>"TlvTypeMasterAgentAlarmEntryID",
411 |  7439168=>"TlvTypeMasterAgentAlarmEntryVersion",
412 |  7439424=>"TlvTypeMasterAgentAlarmTriggerFlags",
413 |  7439776=>"TlvTypeMasterAgentGetAlarmList",
414 |  7440032=>"TlvTypeMasterAgentAddAlarmEntry",
415 |  7440288=>"TlvTypeMasterAgentRemoveAlarmEntry",
416 |  7440544=>"TlvTypeMasterAgentAlarmEntry",
417 |  7440800=>"TlvTypeMasterAgentSystemStatus",
418 |  7441056=>"TlvTypeMasterAgentSystemStatusRequest",
419 |  7441312=>"TlvTypeMasterAgentSystemStatusReply",
420 |  7441552=>"TlvTypeMasterAgentLicenseValues",
421 |  7441824=>"TlvTypeMasterAgentLicenseValuesRequest",
422 |  7442080=>"TlvTypeMasterAgentLicenseValuesReply",
423 |  7442592=>"TlvTypeMasterAgentGetNetworkConfigurationRequest",
424 |  7442848=>"TlvTypeMasterAgentSetNetworkConfigurationRequest",
425 |  7443104=>"TlvTypeMasterAgentSetNetworkConfigurationReply",
426 |  7443360=>"TlvTypeMasterAgentRetrieveAllowedModulesList",
427 |  7443616=>"TlvTypeMasterAgentRetrieveAllowedModulesListAnswer",
428 |  7446688=>"TlvTypeMasterAgentRemoveAllTargetData",
429 |  7446944=>"TlvTypeMasterAgentForceDownloadRecordedData",
430 |  7447200=>"TlvTypeMasterAgentTargetCreateNotification",
431 |  7447456=>"TlvTypeMasterAgentMobileTargetInfoReply",
432 |  7447696=>"TlvTypeMasterAgentMobileTargetInfoValues",
433 |  7450784=>"TlvTypeMasterAgentAlert",
434 |  7454880=>"TlvTypeMasterAgentAddUser",
435 |  7455392=>"TlvTypeMasterAgentAddUserReply",
436 |  7455648=>"TlvTypeMasterAgentModifyUser",
437 |  7455904=>"TlvTypeMasterAgentSetUserPermission",
438 |  7456160=>"TlvTypeMasterAgentSetTargetPermission",
439 |  7456400=>"TlvTypeMasterAgentUserPermission",
440 |  7456656=>"TlvTypeMasterAgentTargetPermission",
441 |  7456928=>"TlvTypeMasterAgentUserPermissionValuePacket",
442 |  7457184=>"TlvTypeMasterAgentTargetPermissionValuePacket",
443 |  7457344=>"TlvTypeMasterAgentUserPermissionValueName",
444 |  7457600=>"TlvTypeMasterAgentTargetPermissionValueName",
445 |  7457856=>"TlvTypeMasterAgentUserPermissionValueData",
446 |  7458112=>"TlvTypeMasterAgentTargetPermissionValueData",
447 |  7458464=>"TlvTypeMasterAgentModifyPassword",
448 |  7458656=>"TlvTypeMasterAgentMobileTargetPermissionValueName",
449 |  7458976=>"TlvTypeMasterAgentUploadFile",
450 |  7459232=>"TlvTypeMasterAgentUploadFileChunk",
451 |  7459488=>"TlvTypeMasterAgentUploadFileDone",
452 |  7459744=>"TlvTypeMasterAgentUploadFilesTransferDone",
453 |  7460000=>"TlvTypeMasterAgentGetTargetModuleConfigRequest",
454 |  7460256=>"TlvTypeMasterAgentRemoveFile",
455 |  7460512=>"TlvTypeMasterAgentMobileProxyList",
456 |  7460768=>"TlvTypeMasterAgentSMSProxyList",
457 |  7461024=>"TlvTypeMasterAgentSMSProxyInfoReply",
458 |  7461280=>"TlvTypeMasterAgentCallPhoneNumberList",
459 |  7461536=>"TlvTypeMasterAgentCallPhoneNumberInfoReply",
460 |  7461792=>"TlvTypeMasterAgentGetMobileTargetModuleConfigRequest",
461 |  7462048=>"TlvTypeMasterAgentSendSMS",
462 |  7469984=>"TlvTypeMasterAgentEncryptionRequired",
463 |  7470752=>"TlvTypeAgentMasterComm",
464 |  7470240=>"TlvTypeMasterAgentFileCompleted",
465 |  7470496=>"TlvTypeMasterAgentRequestCompleted",
466 |  7471008=>"TlvTypeMasterAgentRequestStatus",
467 |  7733664=>"TlvTypeRelayProxyComm",
468 |  8454800=>"TlvTypeRelayData",
469 |  7734176=>"TlvTypeRelayDummyHeartbeat",
470 |  7668128=>"TlvTypeMasterTargetComm",
471 |  7668384=>"TlvTypeTargetCloseAllLiveStreaming",
472 |  7471424=>"TlvTypeProxyMasterCommSig",
473 |  7471776=>"TlvTypeProxyMasterComm",
474 |  7472032=>"TlvTypeMasterProxyComm",
475 |  7472288=>"TlvTypeProxyMasterHeartBeatAnswer",
476 |  7472544=>"TlvTypeProxyMasterDisconnect",
477 |  7472704=>"TlvTypeProxyMasterNotification",
478 |  7473056=>"TlvTypeProxyMasterRequest",
479 |  7473312=>"TlvTypeMasterProxyCommNotification",
480 |  7473568=>"TlvTypeMasterCheckTargetDisconnect",
481 |  7536960=>"TlvTypeProxyTargetCommSig",
482 |  7537312=>"TlvTypeProxyTargetComm",
483 |  7537568=>"TlvTypeProxyMasterTargetComm",
484 |  7537728=>"TlvTypeProxyTargetRequestCrypto",
485 |  7538064=>"TlvTypeProxyTargetAnswerCrypto",
486 |  8454544=>"TlvTypeProxyData",
487 |  8458400=>"TlvTypeProxyTargetDisconnect",
488 |  8458656=>"TlvTypeProxyMobileTargetDisconnect",
489 |  8458912=>"TlvTypeProxyDummyHeartbeat",
490 |  8459168=>"TlvTypeProxyMobileDummyHeartbeat",
491 |  8585616=>"TlvTypeAgentData",
492 |  8585808=>"TlvTypeAgentQueryID",
493 |  8586048=>"TlvTypeAgentQueryModSubmodID",
494 |  8586304=>"TlvTypeAgentQueryFromDate",
495 |  8586560=>"TlvTypeAgentQueryToDate",
496 |  8586816=>"TlvTypeAgentQuerySortOrder",
497 |  8587136=>"TlvTypeAgentQueryValueFilter",
498 |  8587328=>"TlvTypeAgentUID",
499 |  8520080=>"TlvTypeMasterData",
500 |  8520768=>"TlvTypeMasterMode",
501 |  8521024=>"TlvTypeMasterToken",
502 |  8521344=>"TlvTypeMasterQueryResult",
503 |  8522368=>"TlvTypeMasterAlarmString",
504 |  8651152=>"TlvTypeMobileTargetData",
505 |  8651376=>"TlvTypeMobileTargetHeartBeatV10",
506 |  8651632=>"TlvTypeMobileTargetExtendedHeartBeatV10",
507 |  8651888=>"TlvTypeMobileHeartBeatReplyV10",
508 |  8653472=>"TlvTypeMobileInstalledModulesReply",
509 |  8656032=>"TlvTypeMobileTargetUploadModuleRequest",
510 |  8656288=>"TlvTypeMobileTargetUploadModuleReply",
511 |  8656544=>"TlvTypeMobileTargetUploadModuleChunk",
512 |  8656800=>"TlvTypeMobileTargetUploadModuleDoneRequest",
513 |  8657056=>"TlvTypeMobileTargetUploadModuleDoneReply",
514 |  8657312=>"TlvTypeMobileTargetRemoveModuleRequest",
515 |  8657568=>"TlvTypeMobileTargetRemoveModuleReply",
516 |  8655008=>"TlvTypeMobileTargetOfflineUploadModuleRequest",
517 |  8657824=>"TlvTypeMobileTargetOfflineUploadModuleReply",
518 |  8658080=>"TlvTypeMobileTargetOfflineUploadModuleChunk",
519 |  8658336=>"TlvTypeMobileTargetOfflineUploadModuleDoneRequest",
520 |  8658592=>"TlvTypeMobileTargetOfflineUploadModuleDoneReply",
521 |  8658848=>"TlvTypeMobileTargetOfflineError",
522 |  8659104=>"TlvTypeMobileTargetError",
523 |  8659360=>"TlvTypeMobileTargetGetRecordedFilesRequest",
524 |  8659616=>"TlvTypeMobileTargetRecordedFilesReply",
525 |  8659872=>"TlvTypeMobileTargetRecordedFileDownloadRequest",
526 |  8660128=>"TlvTypeMobileTargetRecordedFileDownloadReply",
527 |  8660384=>"TlvTypeMobileTargetRecordedFileDownloadChunk",
528 |  8660640=>"TlvTypeMobileTargetRecordedFileDownloadCompleted",
529 |  8660896=>"TlvTypeMobileTargetRecordedFileDeleteRequest",
530 |  8661152=>"TlvTypeMobileTargetRecordedFileDeleteReply",
531 |  8663968=>"TlvTypeMobileTargetOfflineConfig",
532 |  8664224=>"TlvTypeMobileTargetEmergencyConfigAsTLV",
533 |  8664432=>"TlvTypeMobileTargetEmergencyConfig",
534 |  8671392=>"TlvTypeMobileTargetLoadModuleRequest",
535 |  8671648=>"TlvTypeMobileTargetLoadModuleReply",
536 |  8671904=>"TlvTypeMobileTargetUnLoadModuleRequest",
537 |  8672160=>"TlvTypeMobileTargetUnLoadModuleReply",
538 |  8675472=>"TlvTypeMobileTargetHeartbeatEvents",
539 |  8675648=>"TlvTypeMobileTargetHeartbeatInterval",
540 |  8675984=>"TlvTypeMobileTargetHeartbeatRestrictions",
541 |  8676208=>"TlvTypeConfigSMSPhoneNumber",
542 |  8676496=>"TlvTypeMobileTargetPositioning",
543 |  8676672=>"TlvTypeMobileTrojanUID",
544 |  8676976=>"TlvTypeMobileTrojanID",
545 |  8677296=>"TlvTypeMobileTargetLocationChangedRange",
546 |  8677440=>"TlvTypeConfigMobileAutoRemovalDateTime",
547 |  8677808=>"TlvTypeConfigOverwriteProxyAndPhones",
548 |  8678000=>"TlvTypeConfigCallPhoneNumber",
549 |  8679488=>"TlvTypeLocationAreaCode",
550 |  8679744=>"TlvTypeCellID",
551 |  8680048=>"TlvTypeMobileCountryCode",
552 |  8680304=>"TlvTypeMobileNetworkCode",
553 |  8680560=>"TlvTypeIMSI",
554 |  8680816=>"TlvTypeIMEI",
555 |  8681072=>"TlvTypeGPSLatitude",
556 |  8681328=>"TlvTypeGPSLongitude",
557 |  8681520=>"TlvTypeFirstHeartbeat",
558 |  8681872=>"TlvTypeInstalledModules",
559 |  8683568=>"TlvTypeValidGPSValues",
560 |  8389008=>"TlvTypeTargetData",
561 |  8389280=>"TlvTypeTargetHeartBeat",
562 |  8389680=>"TlvTypeTargetKeepSessionAlive",
563 |  8390000=>"TlvTypeTargetLocalIP",
564 |  8390256=>"TlvTypeTargetGlobalIP",
565 |  8390448=>"TlvTypeTargetState",
566 |  8390784=>"TlvTypeTargetID",
567 |  8391072=>"TlvTypeGetInstalledModulesRequest",
568 |  8391328=>"TlvTypeInstalledModulesReply",
569 |  8391488=>"TlvTypeTrojanUID",
570 |  8391808=>"TlvTypeTrojanID",
571 |  8392000=>"TlvTypeTrojanMaxInfections",
572 |  8392240=>"TlvTypeScreenSaverOn",
573 |  8392496=>"TlvTypeScreenLocked",
574 |  8392752=>"TlvTypeRecordedDataAvailable",
575 |  8393024=>"TlvTypeDownloadedRecordedDataTimeStamp",
576 |  8393280=>"TlvTypeInstallationMode",
577 |  8393552=>"TlvTypeTargetRemoveNotification",
578 |  8393792=>"TlvTypeTargetPlatformBits",
579 |  8394032=>"TlvTypeRemoveItselfMaxInfectionReached",
580 |  8394288=>"TlvTypeRemoveItselfAtMasterRequest",
581 |  8394544=>"TlvTypeRemoveItselfAtAgentRequest",
582 |  8394912=>"TlvTypeRemoveItselfAtAgentReqRequest",
583 |  8395072=>"TlvTypeRecordedFilesDownloadTotal",
584 |  8395328=>"TlvTypeRecordedFilesDownloadProgress",
585 |  8395632=>"TlvTypeTargetLicenseInfo",
586 |  8395840=>"TlvTypeRemoveTargetLicenseInfo",
587 |  8396176=>"TlvTypeTargetAllConfigurations",
588 |  8396960=>"TlvTypeTargetError",
589 |  8401056=>"TlvTypeGetTargetConfigRequest",
590 |  8401312=>"TlvTypeTargetConfigReply",
591 |  8401568=>"TlvTypeSetTargetConfigRequest",
592 |  8402304=>"TlvTypeConfigTargetID",
593 |  8402496=>"TlvTypeConfigTargetHeartbeatInterval",
594 |  8402800=>"TlvTypeConfigTargetProxy",
595 |  8403008=>"TlvTypeConfigTargetPort",
596 |  8403584=>"TlvTypeConfigAutoRemovalDateTime",
597 |  8403776=>"TlvTypeConfigAutoRemovalIfNoProxy",
598 |  8404032=>"TlvTypeInternalAutoRemovalElapsedTime",
599 |  8405040=>"TlvTypeConfigActiveHiding",
600 |  8409248=>"TlvTypeTargetLoadModuleRequest",
601 |  8409504=>"TlvTypeTargetLoadModuleReply",
602 |  8409760=>"TlvTypeTargetUnLoadModuleRequest",
603 |  8410016=>"TlvTypeTargetUnLoadModuleReply",
604 |  8410272=>"TlvTypeTargetUploadModuleRequest",
605 |  8410528=>"TlvTypeTargetUploadModuleReply",
606 |  8410784=>"TlvTypeTargetUploadModuleChunk",
607 |  8411040=>"TlvTypeTargetUploadModuleDoneRequest",
608 |  8411296=>"TlvTypeTargetUploadModuleDoneReply",
609 |  8411552=>"TlvTypeTargetRemoveModuleRequest",
610 |  8411808=>"TlvTypeTargetRemoveModuleReply",
611 |  8412064=>"TlvTypeTargetOfflineUploadModuleRequest",
612 |  8412320=>"TlvTypeTargetOfflineUploadModuleReply",
613 |  8412576=>"TlvTypeTargetOfflineUploadModuleChunk",
614 |  8412832=>"TlvTypeTargetOfflineUploadModuleDoneRequest",
615 |  8413088=>"TlvTypeTargetOfflineUploadModuleDoneReply",
616 |  8413344=>"TlvTypeTargetOfflineError",
617 |  8413600=>"TlvTypeTargetUploadError",
618 |  8417440=>"TlvTypeTargetGetRecordedFilesRequest",
619 |  8417696=>"TlvTypeTargetRecordedFilesReply",
620 |  8417952=>"TlvTypeTargetRecordedFileDownloadRequest",
621 |  8418208=>"TlvTypeTargetRecordedFileDownloadReply",
622 |  8418464=>"TlvTypeTargetRecordedFileDownloadChunk",
623 |  8418720=>"TlvTypeTargetRecordedFileDownloadCompleted",
624 |  8418976=>"TlvTypeTargetRecordedFileDeleteRequest",
625 |  8419232=>"TlvTypeTargetRecordedFileDeleteReply",
626 |  8419488=>"TlvTypeTargetGetRecordedFilesRequestEx",
627 |  8419744=>"TlvTypeTargetRecordedFilesReplyEx",
628 |  8420000=>"TlvTypeTargetRecordedFileDeleteRequestEx",
629 |  8420256=>"TlvTypeTargetRecordedFilesDownloadRequestEx",
630 |  16744768=>"TlvTypeProxyConnectionBroken",
631 |  16712000=>"TlvTypeTargetConnectionBroken",
632 |  16712256=>"TlvTypeAgentConnectionBroken",
633 |  16712512=>"TlvTypeTargetOffline",
634 |  16646544=>"TlvTypePlaintext",
635 |  16646800=>"TlvTypeCompression",
636 |  16647056=>"TlvTypeEncryption",
637 |  16647232=>"TlvTypeTargetUID",
638 |  16647536=>"TlvTypeIPAddress",
639 |  16647808=>"TlvTypeUserName",
640 |  16648064=>"TlvTypeComputerName",
641 |  16648304=>"TlvTypeLoginName",
642 |  16648560=>"TlvTypePassphrase",
643 |  16648832=>"TlvTypeRecordID",
644 |  16649088=>"TlvTypeOwner",
645 |  16649344=>"TlvTypeMetaData",
646 |  16649536=>"TlvTypeModuleID",
647 |  16649856=>"TlvTypeOSName",
648 |  16650048=>"TlvTypeModuleSubID",
649 |  16650320=>"TlvTypeErrorCode",
650 |  16650560=>"TlvTypeOffset",
651 |  16650816=>"TlvTypeLength",
652 |  16651088=>"TlvTypeRequestID",
653 |  16651328=>"TlvTypeRequestType",
654 |  16651584=>"TlvTypeVersion",
655 |  16651840=>"TlvTypeMachineID",
656 |  16652096=>"TlvTypeMajorNumber",
657 |  16652352=>"TlvTypeMinorNumber",
658 |  16652656=>"TlvTypeGlobalIPAddress",
659 |  16652912=>"TlvTypeASCII_Filename",
660 |  16653120=>"TlvTypeFilesize",
661 |  16653392=>"TlvTypeFilecount",
662 |  16653712=>"TlvTypeFiledata",
663 |  16653968=>"TlvTypeMD5Sum",
664 |  16654144=>"TlvTypeProxyPort",
665 |  16654400=>"TlvTypeStatus",
666 |  16654656=>"TlvTypeUserID",
667 |  16654912=>"TlvTypeGroupID",
668 |  16655168=>"TlvTypePermissions",
669 |  16655424=>"TlvTypeRequestCode",
670 |  16655680=>"TlvTypeDataSize",
671 |  16655936=>"TlvTypeKeyType",
672 |  16656240=>"TlvTypeEmail",
673 |  16656432=>"TlvTypeEnabled",
674 |  16656688=>"TlvTypeLicensed",
675 |  16656960=>"TlvTypeAudioFrequency",
676 |  16657216=>"TlvTypeAudioBitsPerSample",
677 |  16657472=>"TlvTypeAudioChannels",
678 |  16657728=>"TlvTypeStartTime",
679 |  16657984=>"TlvTypeStopTime",
680 |  16658240=>"TlvTypeBitMask",
681 |  16658560=>"TlvTypeTimeZone",
682 |  16658816=>"TlvTypeDateTime",
683 |  16659072=>"TlvTypeStartSessionDateTime",
684 |  16659328=>"TlvTypeStopSessionDateTime",
685 |  16659520=>"TlvTypeDateTimeRef",
686 |  16659776=>"TlvTypeScheduleRepeat",
687 |  16660032=>"TlvTypeUnixMasterDateTime",
688 |  16660288=>"TlvTypeUnixUTCDateTime",
689 |  16660544=>"TlvTypeDurationInSeconds",
690 |  16660864=>"TlvTypeMasterRefTime",
691 |  16661120=>"TlvTypeMasterRefTimeStart",
692 |  16661376=>"TlvTypeMasterRefTimeEnd",
693 |  16661568=>"TlvTypeCounter",
694 |  16661888=>"TlvTypeWhiteListEntry",
695 |  16662144=>"TlvTypeBlackListEntry",
696 |  16662336=>"TlvTypeBlackWhiteListingMode",
697 |  16662576=>"TlvTypeConfigEnabled",
698 |  16662848=>"TlvTypeConfigMaxRecordingSize",
699 |  16663104=>"TlvTypeConfigAudioQuality",
700 |  16663344=>"TlvTypeConfigVideoBlackAndWhite",
701 |  16663616=>"TlvTypeConfigVideoResolution",
702 |  16663872=>"TlvTypeConfigCaptureFrequency",
703 |  16664128=>"TlvTypeConfigVideoQuality",
704 |  16664384=>"TlvTypeConfigFilesStandardFilter",
705 |  16664704=>"TlvTypeConfigFilesCustomFilter",
706 |  16664896=>"TlvTypeConfigStandardLocation",
707 |  16665216=>"TlvTypeConfigCustomLocation",
708 |  16665408=>"TlvTypeConfigFileChunkSize",
709 |  16665664=>"TlvTypeConfigFileTransferSpeed",
710 |  16665904=>"TlvTypeConfigUploadFileOverwrite",
711 |  16666160=>"TlvTypeConfigDeleteOverReboot",
712 |  16666496=>"TlvTypeConfigCustomLocationException",
713 |  16666752=>"TlvTypeExtraData",
714 |  16667008=>"TlvTypeSignature",
715 |  16667264=>"TlvTypeComments",
716 |  16667520=>"TlvTypeDescription",
717 |  16667776=>"TlvTypeFilenameExtension",
718 |  16668032=>"TlvTypeSessionType",
719 |  16668224=>"TlvTypePeriod",
720 |  16668512=>"TlvTypeMobileTargetUID",
721 |  16668784=>"TlvTypeMobileTargetID",
722 |  16669072=>"TlvTypeMobilePlaintext",
723 |  16669328=>"TlvTypeMobileCompression",
724 |  16669584=>"TlvTypeMobileEncryption",
725 |  16669824=>"TlvTypeEncodingType",
726 |  16670576=>"TlvTypePhoneNumber",
727 |  16670784=>"TlvTypeConfigCustomLocationMode",
728 |  16674928=>"TlvTypeNetworkInterface",
729 |  16675136=>"TlvTypeNetworkInterfaceMode",
730 |  16675440=>"TlvTypeNetworkInterfaceAddress",
731 |  16675696=>"TlvTypeNetworkInterfaceNetmask",
732 |  16675952=>"TlvTypeNetworkInterfaceGateway",
733 |  16676208=>"TlvTypeNetworkInterfaceDNS_1",
734 |  16676464=>"TlvTypeNetworkInterfaceDNS_2",
735 |  16677440=>"TlvTypeLoginTime",
736 |  16677696=>"TlvTypeLogoffTime",
737 |  16678720=>"TlvTypeGeneric_Type",
738 |  16678976=>"TlvTypeChecksum",
739 |  16679280=>"TlvTypeCity",
740 |  16679536=>"TlvTypeCountry",
741 |  16679792=>"TlvTypeCountryCode",
742 |  16683072=>"TlvTypeTargetType",
743 |  16683392=>"TlvTypeDurationString",
744 |  8257792=>"TlvTypeTestMetaTypeInvalid",
745 |  8258608=>"TlvTypeTestMetaTypeBool",
746 |  8258880=>"TlvTypeTestMetaTypeUInt",
747 |  8259152=>"TlvTypeTestMetaTypeInt",
748 |  8259440=>"TlvTypeTestMetaTypeString",
749 |  8259712=>"TlvTypeTestMetaTypeUnicode",
750 |  8259984=>"TlvTypeTestMetaTypeRaw",
751 |  8260256=>"TlvTypeTestMetaTypeGroup",
752 |  8260416=>"TlvTypeTestMemberIdentifier",
753 |  8260736=>"TlvTypeTestMemberName"}
754 | 
755 | 
756 | 
757 | # Taken from Eric Monti's awesome Ruby Blackbag toolkit. He's an awesome guy 
758 | # and I'm sure he won't mind. That being said, everyone should check out his 
759 | # stuff at https://github.com/emonti/rbkb/
760 | # 
761 | module Rbkb
762 |   HEXCHARS = [("0".."9").to_a, ("a".."f").to_a].flatten
763 | end
764 | 
765 | class String
766 |   # Convert a string to ASCII hex string. Supports a few options for format:
767 |   #
768 |   #   :delim - delimter between each hex byte
769 |   #   :prefix - prefix before each hex byte
770 |   #   :suffix - suffix after each hex byte
771 |   # 
772 |   def hexify(opts={})
773 |     delim = opts[:delim]
774 |     pre = (opts[:prefix] || "")
775 |     suf = (opts[:suffix] || "")
776 |     if (rx=opts[:rx]) and not rx.kind_of? Regexp
777 |       raise "rx must be a regular expression for a character class"
778 |     end
779 |     hx=Rbkb::HEXCHARS
780 |     out=Array.new
781 |     self.each_byte do |c| 
782 |       hc = if (rx and not rx.match c.chr)
783 |              c.chr 
784 |            else
785 |              pre + (hx[(c >> 4)] + hx[(c & 0xf )]) + suf
786 |            end
787 |       out << (hc)
788 |     end
789 |     out.join(delim)
790 |   end
791 | 
792 |   # Convert ASCII hex string to raw. 
793 |   #
794 |   # Parameters:
795 |   #
796 |   #   d = optional 'delimiter' between hex bytes (zero+ spaces by default)
797 |   def unhexify(d=/\s*/)
798 |     self.strip.gsub(/([A-Fa-f0-9]{1,2})#{d}?/) { $1.hex.chr }
799 |   end
800 | end
801 | 
802 | 
803 | def formatType(num)
804 |   num.to_s(16).rjust(8, "0").unhexify.reverse
805 | end
806 | 
807 | def revEndian(str)
808 |   if str.length == 1
809 |     str.unpack("C*").first
810 |   elsif str.length == 2
811 |     str.unpack("S*").first
812 |   elsif str.length == 4
813 |     str.unpack("L*").first
814 |   elsif str.length == 8
815 |     str.unpack("Q*").first
816 |   end
817 | end
818 | 
819 | def parseTLV(str, t)
820 |   tlvSize = revEndian(str[0..3])
821 |   tlvType = revEndian(str[4..7])
822 |   tlvData = str[8..tlvSize-1]
823 |   if @nHash.has_key?(tlvType)
824 |     tabs = "\t"*t
825 |     puts
826 |     
827 |     data = nil
828 |     case @nHash[tlvType]
829 |   
830 |     when "TlvTypeMobileTargetUID"
831 |       data = revEndian(tlvData).to_s.rjust(15, '0')
832 |     when "TlvTypeMobileTrackingSendOnAnyChannel", "TlvTypeMobileTrackingTimeInterval", "TlvTypeMobileTrackingDistance", "TlvTypeMobileTargetHeartbeatEvents", "TlvTypeMobileTargetLocationChangedRange", "TlvTypeTrojanMaxInfections", "TlvTypeUserID", "TlvTypeConfigTargetPort", "TlvTypeMobileTargetHeartbeatInterval", "TlvTypeConfigAutoRemovalIfNoProxy"
833 |       data = revEndian(tlvData)
834 |     when "TlvTypeMobileTrojanUID"
835 |       data = tlvData.force_encoding("BINARY").scan(/./).reverse.join.hexify.upcase.rjust(8, '0')
836 |     when "TlvTypeVersion", "TlvTypeRequestID"
837 |       data = revEndian(tlvData).to_s.rjust(8, '0')
838 |     when "TlvTypeMobileTargetHeartBeatV10"
839 |       parseHB(tlvData, t)
840 |     when "TlvTypeConfigMobileAutoRemovalDateTime"
841 |       data = Time.at(revEndian(tlvData))
842 |     when "TlvTypeInstalledModules"
843 |       parsed = tlvData.scan(/./)
844 |       data = ""
845 |       data << "%s %s  |" % ["Logging:", parsed[68]=="\x01" ? "On" : "Off"]
846 |       data << "  %s %s  |" % ["Spy Call:", parsed[64]=="\x01" ? "On" : "Off"]
847 |       data << "  %s %s  |" % ["Call Interception:", parsed[65]=="\x01" ? "On" : "Off"]
848 |       data << "  %s %s  |" % ["SMS:", parsed[66]=="\x01" ? "On" : "Off"]
849 |       data << "  %s %s  |" % ["Address Book:", parsed[67]=="\x01" ? "On" : "Off"]
850 |       data << "  %s %s  |" % ["Tracking:", parsed[69]=="\x01" ? "On" : "Off"]
851 |       data << "  %s %s" % ["Phone Logs:", parsed[70]=="\x01" ? "On" : "Off"]
852 |     else
853 |       data = tlvData
854 |     end
855 | 
856 |     if data
857 |       printf("%sSection Size: %s\n%sSection Type: %s\n%sSection Data: ",tabs, tlvSize, tabs, @nHash[tlvType], tabs)
858 |       p data.to_s
859 |     end
860 | 
861 |     if tlvData[4..7]
862 |       if @nHash.has_key?(revEndian(tlvData[4..7]))
863 |         parseTLV(tlvData, t+1)
864 |       end
865 |     end
866 | 
867 |     if str.size > tlvSize
868 |       parseTLV(str[tlvSize..str.size-1], t)
869 |     end
870 | 
871 |   end
872 | end
873 | 
874 | 
875 | # Stripping out the last byte of the configuration. Unsure why it is there. 
876 | # Believe it might be an end marker, as I saw the same last byte in 3-4 config
877 | # files. 
878 | parseTLV(fileData[0..fileData.size-2], 0)
879 | 
880 | 
881 | 
882 | 
883 | 


--------------------------------------------------------------------------------
/Ruby/FinSpy/writeConfig.rb:
--------------------------------------------------------------------------------
 1 | # Copyright
 2 | # =========
 3 | # Copyright (C) 2012 Trustwave Holdings, Inc.
 4 | #
 5 | # This program is free software: you can redistribute it and/or modify
 6 | # it under the terms of the GNU General Public License as published by
 7 | # the Free Software Foundation, either version 3 of the License, or
 8 | # (at your option) any later version.
 9 | #
10 | # This program is distributed in the hope that it will be useful,
11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | # GNU General Public License for more details.
14 | # 
15 | # You should have received a copy of the GNU General Public License
16 | # along with this program. If not, see <http://www.gnu.org/licenses/>
17 | #
18 | #
19 | # writeConfig.rb by Josh Grunzweig 9-30-2012
20 | #
21 | # =Synopsis
22 | #
23 | # This is a simple Ruby script that is designed to write a new APK file based 
24 | # on the configuration supplied. Must supply a valid FinSpy Android sample as
25 | # the first argument.
26 | #
27 | # The new file is written as <supplied_file>_new. This of course can be changed
28 | # in the subsequent code. Simply modify the 'new_file' variable.
29 | #
30 | # Example: ruby writeConfig.rb finSpy.apk config.dat
31 | #
32 | # Produces finSpy.apk_new in the same directory as finSpy.apk
33 | #
34 | # Side Note: Not the cleanest code, I admit. However, it reliably works and 
35 | # does the job.
36 | 
37 | require 'base64'
38 | 
39 | file = ARGV.shift
40 | config = ARGV.shift
41 | 
42 | unless file && config
43 |   puts "Usage: writeConfig.rb <finspy_sample> <config>"
44 |   exit
45 | end
46 | 
47 | new_file = file.chomp+"_new"
48 | 
49 | fil = File.open(file, "rb")
50 | f = fil.read
51 | f2 = f.dup
52 | 
53 | conf = File.open(config, "rb")
54 | c = conf.read
55 | 
56 | nfile = File.open(new_file, "wb")
57 | orig_config = ""
58 | 
59 | f.scan(/PK\x01\x02.{32}(.{6})(.{4}assets\/Configurations\/dumms\d+\.dat)/m).each do |x| 
60 |   orig_config << x[0].to_s
61 | end
62 | 
63 | orig_config.gsub!("\u0000",'')
64 | 
65 | new_config = Base64.encode64(c.chomp)
66 | new_chomped = new_config.scan(/..?.?.?.?.?/m)
67 | 
68 | count = 0
69 | f.scan(/PK\x01\x02.{32}((.{6})(.{4}assets\/Configurations\/dumms\d+\.dat))/m) do |x| 
70 |   offset = Regexp.last_match.offset(0)[0]
71 |   range = new_chomped[count]
72 |   if !range.nil?
73 |     if range.size < 6
74 |       range = range + ("\x00"*(6-range.size))
75 |     end
76 |     f2[offset+36..offset+41] = range
77 |   end
78 |   count+=1
79 | end
80 | 
81 | nfile.write(f2)
82 | [nfile, fil, conf].each{|x| x.close}
83 | puts "Done. #{new_file} written."
84 | 
85 | 


--------------------------------------------------------------------------------
/Ruby/Punkey/decPunkey.rb:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env ruby
 2 | require 'openssl'
 3 | require 'base64'
 4 | 
 5 | # Copyright
 6 | # =========
 7 | # Copyright (C) 2015 Trustwave Holdings, Inc.
 8 | #
 9 | # This program is free software: you can redistribute it and/or modify
10 | # it under the terms of the GNU General Public License as published by
11 | # the Free Software Foundation, either version 3 of the License, or
12 | # (at your option) any later version.
13 | #
14 | # This program is distributed in the hope that it will be useful,
15 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 | # GNU General Public License for more details.
18 | #
19 | # You should have received a copy of the GNU General Public License
20 | # along with this program. If not, see <http://www.gnu.org/licenses/>
21 | #
22 | #
23 | # decPunkey.rb by Eric Merritt 2015-04-09
24 | #
25 | # =Synopsis
26 | #
27 | # This is a simple Ruby script that decrypts traffic encrypted
28 | # by Punkey.  The encryption is AES-128-cbc and used embedded
29 | # keys to encrypt exfiltration traffic.  Both keylogger and
30 | # card holder data are encrypted by this method.
31 | #
32 | # Input: Base64 encoded string
33 | #
34 | # Note: be sure it is URL decoded
35 | #
36 | # Example: ruby decPunkey.rb -f file_containing_base64_string(s).txt
37 | #
38 | # Example: ruby decPunkey.rb -b "base64 encoded string"
39 | #
40 | 
41 | # Extend functions taken from Eric Monti's rbkb
42 | # https://github.com/emonti/rbkb
43 | class String
44 |   def unhexify(d=/\s*/)
45 |     self.strip.gsub(/([A-Fa-f0-9]{1,2})#{d}?/) { $1.hex.chr }
46 |   end
47 | end
48 | 
49 | def decrypt_data(encrypted_data, key, iv, cipher_type)
50 |   aes = OpenSSL::Cipher::Cipher.new(cipher_type)
51 |   aes.decrypt
52 |   aes.key = key
53 |   aes.iv = iv if iv != nil
54 |   aes.update(encrypted_data) + aes.final
55 | end
56 | 
57 | def usage
58 |   puts "Usage: ruby #{__FILE__} (-f|-b) (file|base64)"
59 |   exit 1
60 | end
61 | 
62 | key = 'f4150d4a1ac5708c29e437749045a39a'.unhexify()
63 | iv = '86afc43868fea6abd40fbf6d5ed50905'.unhexify()
64 | mode = 'aes-128-cbc'
65 | 
66 | usage unless (opt = ARGV.shift)
67 | usage unless (opt.downcase=='-f' or opt.downcase=='-b')
68 | 
69 | if (opt == '-f')
70 |   usage unless (file = ARGV.shift)
71 |   f = File.read(file)
72 |   puts decrypt_data(Base64.decode64(f), key, iv, mode)
73 | elsif (opt == '-b')
74 |   usage unless (data = ARGV.shift)
75 |   puts decrypt_data(Base64.decode64(data), key, iv, mode)
76 | end
77 | 


--------------------------------------------------------------------------------
/Yara/Apache_Injection_Module/apacheInjection.yara:
--------------------------------------------------------------------------------
 1 | /*
 2 | 
 3 |   Copyright
 4 |   =========
 5 |   Copyright (C) 2013 Trustwave Holdings, Inc.
 6 |  
 7 |   This program is free software: you can redistribute it and/or modify
 8 |   it under the terms of the GNU General Public License as published by
 9 |   the Free Software Foundation, either version 3 of the License, or
10 |   (at your option) any later version.
11 |  
12 |   This program is distributed in the hope that it will be useful,
13 |   but WITHOUT ANY WARRANTY; without even the implied warranty of
14 |   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 |   GNU General Public License for more details.
16 |  
17 |   You should have received a copy of the GNU General Public License
18 |   along with this program. If not, see <http://www.gnu.org/licenses/>
19 | 
20 |   ---------
21 | 
22 |   This YARA signature will attempt to detect instances of the newly discovered
23 |   Apache iFrame injection module. Please take a minute to look at the references
24 |   contained in the metadata section of the rule for further information.
25 | 
26 |   This signature attempts to identify the unique XTEA function used for config
27 |   decryption. Additionally, it will attempt to identify the XTEA keys discovered
28 |   in the samples already encountered by SpiderLabs.
29 | 
30 | */
31 | 
32 | 
33 | rule apacheInjectionXtea {
34 |   meta:
35 |     description = "Detection for new Apache injection module spotted in wild."
36 |     in_the_wild = true
37 |     reference1 = "http://blog.sucuri.net/2013/06/new-apache-module-injection.html"
38 |     reference2 = "TBD"
39 | 
40 |   strings:
41 |     $xteaFunction = { 8B 0F 8B 57 04 B8 F3 3A 62 CC 41 89 C0 41 89 C9 41 89 CA 41 C1 E8 0B 41 C1 E2 04 41 C1 E9 05 41 83 E0 03 45 31 D1 46 8B 04 86 41 01 C9 41 01 C0 05 47 86 C8 61 45 31 C8 44 29 C2 49 89 C0 41 83 E0 03 41 89 D1 41 89 D2 46 8B 04 86 41 C1 E9 05 41 C1 E2 04 45 31 D1 41 01 D1 41 01 C0 45 31 C8 44 29 C1 85 C0 75 A3 89 0F 89 57 04 C3 }
42 |     $xteaKey1 = { 4A F5 5E 5E B9 8A E1 63 30 16 B6 15 23 51 66 03 }
43 |     $xteaKey2 = { 68 2C 16 4A 30 A8 14 1F 1E AD 0D 24 E1 0E 10 01 }
44 | 
45 |   condition:
46 |     $xteaFunction or any of ($xteaKey*)
47 | }
48 | 


--------------------------------------------------------------------------------
/Yara/CherryPicker/cherryPicker.yar:
--------------------------------------------------------------------------------
 1 | rule cherryPicker
 2 | {
 3 |     meta:
 4 |         author = "Trustwave SpiderLabs"
 5 |         date = "2015-11-17"
 6 |         description = "Used to detect Cherry Picker malware.  Blog: https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/?page=1&year=0&month=0"
 7 |     strings:
 8 |         $string1 = "srch1mutex" nocase
 9 |         $string2 = "SYNC32TOOLBOX" nocase
10 |         $string3 = "kb852310.dll"
11 |         $config1 = "[config]" nocase
12 |         $config2 = "timeout"
13 |         $config3 = "r_cnt"
14 |         $config4 = "f_passive"
15 |         $config5 = "prlog"
16 |     condition:
17 |         any of ($string*) or all of ($config*)
18 | 
19 | }
20 | 
21 | rule cherryInstaller
22 | {
23 |     strings:
24 |         $string1 = "(inject base: %08x)"
25 |         $string2 = "injected ok"
26 |         $string3 = "inject failed"
27 |         $string4 = "-i name.dll - install path dll"
28 |         $string5 = "-s name.dll procname|PID - inject dll into processes or PID"
29 |         $fileinfect1 = "\\ServicePackFiles\\i386\\user32.dll"
30 |         $fileinfect2 = "\\dllcache\\user32.dll"
31 |         $fileinfect3 = "\\user32.tmp"
32 | 
33 |     condition:
34 |         all of ($string*) or all of ($fileinfect*)
35 | }
36 | 


--------------------------------------------------------------------------------
/Yara/Punkey/punkey.yar:
--------------------------------------------------------------------------------
 1 | rule Punkey
 2 | {
 3 |   meta:
 4 |     author = "Trustwave SpiderLabs"
 5 |     date = "2015-04-09"
 6 |     description = "Used to detect Punkey malware.  Blog: https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/"
 7 |   strings:
 8 |     $pdb1 = "C:\\Documents and Settings\\Administrator\\Desktop\\Verios\\jusched\\jusched32.pdb" nocase
 9 |     $pdb2 = "C:\\Documents and Settings\\Administrator\\Desktop\\Verios\\jusched\\troi.pdb" nocase
10 |     $pdb3 = "D:\\freelancer\\gale.kreeb\\jusched10-19\\jusched32.pdb" nocase
11 |     $pdb4 = "D:\\freelancer\\gale.kreeb\\jusched10-19\\troi.pdb" nocase
12 |     $pdb5 = "C:\\Users\\iptables\\Desktop\\x86\\jusched32.pdb" nocase
13 |     $pdb6 = "C:\\Users\\iptables\\Desktop\\x86\\troi.pdb"
14 |     $pdb7 = "C:\\Users\\iptables\\Desktop\\27 Octomber\\jusched10-27\\troi.pdb" nocase
15 |     $pdb8 = "D:\\work\\visualstudio\\jusched\\dllx64.pdb" nocase
16 |     $string0 = "explorer.exe" nocase
17 |     $string1 = "jusched.exe" nocase
18 |     $string2 = "dllx64.dll" nocase
19 |     $string3 = "exportDataApi" nocase
20 |     $memory1 = "troi.exe"
21 |     $memory2 = "unkey="
22 |     $memory3 = "key="
23 |     $memory4 = "UPDATE"
24 |     $memory5 = "RUN"
25 |     $memory6 = "SCANNING"
26 |     $memory7 = "86afc43868fea6abd40fbf6d5ed50905"
27 |     $memory8 = "f4150d4a1ac5708c29e437749045a39a"
28 | 
29 |   condition:
30 |     (any of ($pdb*)) or (all of ($str*)) or (all of ($mem*))
31 | }
32 | 


--------------------------------------------------------------------------------