├── README.md ├── unicorn_string_deobfuscator.xcodeproj └── project.pbxproj └── unicorn_string_deobfuscator └── main.c /README.md: -------------------------------------------------------------------------------- 1 | Unicorn String Deobfuscator 2 | 3 | A Unicorn based emulator to deobfuscate Equation Group string XOR obfuscation used in many samples. 4 | 5 | Instead of reversing the algo just ripped off the function and emulated it on Unicorn. 6 | 7 | Just a simple demo on how to use Unicorn to easily emulate functions you don't want to reverse because you are too lazy or they are too annoying and you just want to execute them. 8 | 9 | Requires Unicorn Engine (http://unicorn-engine.org). 10 | 11 | Have fun, 12 | fG! -------------------------------------------------------------------------------- /unicorn_string_deobfuscator.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- 1 | // !$*UTF8*$! 2 | { 3 | archiveVersion = 1; 4 | classes = { 5 | }; 6 | objectVersion = 46; 7 | objects = { 8 | 9 | /* Begin PBXBuildFile section */ 10 | 7B3D14DB1E9FA7BE00C2E6E9 /* main.c in Sources */ = {isa = PBXBuildFile; fileRef = 7B3D14DA1E9FA7BE00C2E6E9 /* main.c */; }; 11 | 7B3D14E31E9FA92000C2E6E9 /* libunicorn.1.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 7B3D14E21E9FA92000C2E6E9 /* libunicorn.1.dylib */; }; 12 | /* End PBXBuildFile section */ 13 | 14 | /* Begin PBXCopyFilesBuildPhase section */ 15 | 7B3D14D51E9FA7BE00C2E6E9 /* CopyFiles */ = { 16 | isa = PBXCopyFilesBuildPhase; 17 | buildActionMask = 2147483647; 18 | dstPath = /usr/share/man/man1/; 19 | dstSubfolderSpec = 0; 20 | files = ( 21 | ); 22 | runOnlyForDeploymentPostprocessing = 1; 23 | }; 24 | /* End PBXCopyFilesBuildPhase section */ 25 | 26 | /* Begin PBXFileReference section */ 27 | 7B3D14D71E9FA7BE00C2E6E9 /* unicorn_string_deobfuscator */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = 
unicorn_string_deobfuscator; sourceTree = BUILT_PRODUCTS_DIR; }; 28 | 7B3D14DA1E9FA7BE00C2E6E9 /* main.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = main.c; sourceTree = ""; }; 29 | 7B3D14E21E9FA92000C2E6E9 /* libunicorn.1.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libunicorn.1.dylib; path = ../../../../usr/local/lib/libunicorn.1.dylib; sourceTree = ""; }; 30 | /* End PBXFileReference section */ 31 | 32 | /* Begin PBXFrameworksBuildPhase section */ 33 | 7B3D14D41E9FA7BE00C2E6E9 /* Frameworks */ = { 34 | isa = PBXFrameworksBuildPhase; 35 | buildActionMask = 2147483647; 36 | files = ( 37 | 7B3D14E31E9FA92000C2E6E9 /* libunicorn.1.dylib in Frameworks */, 38 | ); 39 | runOnlyForDeploymentPostprocessing = 0; 40 | }; 41 | /* End PBXFrameworksBuildPhase section */ 42 | 43 | /* Begin PBXGroup section */ 44 | 7B3D14CE1E9FA7BE00C2E6E9 = { 45 | isa = PBXGroup; 46 | children = ( 47 | 7B3D14D91E9FA7BE00C2E6E9 /* unicorn_string_deobfuscator */, 48 | 7B3D14D81E9FA7BE00C2E6E9 /* Products */, 49 | 7B3D14E11E9FA92000C2E6E9 /* Frameworks */, 50 | ); 51 | sourceTree = ""; 52 | }; 53 | 7B3D14D81E9FA7BE00C2E6E9 /* Products */ = { 54 | isa = PBXGroup; 55 | children = ( 56 | 7B3D14D71E9FA7BE00C2E6E9 /* unicorn_string_deobfuscator */, 57 | ); 58 | name = Products; 59 | sourceTree = ""; 60 | }; 61 | 7B3D14D91E9FA7BE00C2E6E9 /* unicorn_string_deobfuscator */ = { 62 | isa = PBXGroup; 63 | children = ( 64 | 7B3D14DA1E9FA7BE00C2E6E9 /* main.c */, 65 | ); 66 | path = unicorn_string_deobfuscator; 67 | sourceTree = ""; 68 | }; 69 | 7B3D14E11E9FA92000C2E6E9 /* Frameworks */ = { 70 | isa = PBXGroup; 71 | children = ( 72 | 7B3D14E21E9FA92000C2E6E9 /* libunicorn.1.dylib */, 73 | ); 74 | name = Frameworks; 75 | sourceTree = ""; 76 | }; 77 | /* End PBXGroup section */ 78 | 79 | /* Begin PBXNativeTarget section */ 80 | 7B3D14D61E9FA7BE00C2E6E9 /* unicorn_string_deobfuscator */ = { 81 | isa = PBXNativeTarget; 82 | 
buildConfigurationList = 7B3D14DE1E9FA7BE00C2E6E9 /* Build configuration list for PBXNativeTarget "unicorn_string_deobfuscator" */; 83 | buildPhases = ( 84 | 7B3D14D31E9FA7BE00C2E6E9 /* Sources */, 85 | 7B3D14D41E9FA7BE00C2E6E9 /* Frameworks */, 86 | 7B3D14D51E9FA7BE00C2E6E9 /* CopyFiles */, 87 | ); 88 | buildRules = ( 89 | ); 90 | dependencies = ( 91 | ); 92 | name = unicorn_string_deobfuscator; 93 | productName = unicorn_string_deobfuscator; 94 | productReference = 7B3D14D71E9FA7BE00C2E6E9 /* unicorn_string_deobfuscator */; 95 | productType = "com.apple.product-type.tool"; 96 | }; 97 | /* End PBXNativeTarget section */ 98 | 99 | /* Begin PBXProject section */ 100 | 7B3D14CF1E9FA7BE00C2E6E9 /* Project object */ = { 101 | isa = PBXProject; 102 | attributes = { 103 | LastUpgradeCheck = 0820; 104 | ORGANIZATIONNAME = Put.as; 105 | TargetAttributes = { 106 | 7B3D14D61E9FA7BE00C2E6E9 = { 107 | CreatedOnToolsVersion = 8.2; 108 | ProvisioningStyle = Manual; 109 | }; 110 | }; 111 | }; 112 | buildConfigurationList = 7B3D14D21E9FA7BE00C2E6E9 /* Build configuration list for PBXProject "unicorn_string_deobfuscator" */; 113 | compatibilityVersion = "Xcode 3.2"; 114 | developmentRegion = English; 115 | hasScannedForEncodings = 0; 116 | knownRegions = ( 117 | en, 118 | ); 119 | mainGroup = 7B3D14CE1E9FA7BE00C2E6E9; 120 | productRefGroup = 7B3D14D81E9FA7BE00C2E6E9 /* Products */; 121 | projectDirPath = ""; 122 | projectRoot = ""; 123 | targets = ( 124 | 7B3D14D61E9FA7BE00C2E6E9 /* unicorn_string_deobfuscator */, 125 | ); 126 | }; 127 | /* End PBXProject section */ 128 | 129 | /* Begin PBXSourcesBuildPhase section */ 130 | 7B3D14D31E9FA7BE00C2E6E9 /* Sources */ = { 131 | isa = PBXSourcesBuildPhase; 132 | buildActionMask = 2147483647; 133 | files = ( 134 | 7B3D14DB1E9FA7BE00C2E6E9 /* main.c in Sources */, 135 | ); 136 | runOnlyForDeploymentPostprocessing = 0; 137 | }; 138 | /* End PBXSourcesBuildPhase section */ 139 | 140 | /* Begin XCBuildConfiguration section */ 141 | 
7B3D14DC1E9FA7BE00C2E6E9 /* Debug */ = { 142 | isa = XCBuildConfiguration; 143 | buildSettings = { 144 | ALWAYS_SEARCH_USER_PATHS = NO; 145 | CLANG_ANALYZER_NONNULL = YES; 146 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; 147 | CLANG_CXX_LIBRARY = "libc++"; 148 | CLANG_ENABLE_MODULES = YES; 149 | CLANG_ENABLE_OBJC_ARC = YES; 150 | CLANG_WARN_BOOL_CONVERSION = YES; 151 | CLANG_WARN_CONSTANT_CONVERSION = YES; 152 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 153 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 154 | CLANG_WARN_EMPTY_BODY = YES; 155 | CLANG_WARN_ENUM_CONVERSION = YES; 156 | CLANG_WARN_INFINITE_RECURSION = YES; 157 | CLANG_WARN_INT_CONVERSION = YES; 158 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 159 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 160 | CLANG_WARN_UNREACHABLE_CODE = YES; 161 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 162 | CODE_SIGN_IDENTITY = "-"; 163 | COPY_PHASE_STRIP = NO; 164 | DEBUG_INFORMATION_FORMAT = dwarf; 165 | ENABLE_STRICT_OBJC_MSGSEND = YES; 166 | ENABLE_TESTABILITY = YES; 167 | GCC_C_LANGUAGE_STANDARD = gnu99; 168 | GCC_DYNAMIC_NO_PIC = NO; 169 | GCC_NO_COMMON_BLOCKS = YES; 170 | GCC_OPTIMIZATION_LEVEL = 0; 171 | GCC_PREPROCESSOR_DEFINITIONS = ( 172 | "DEBUG=1", 173 | "$(inherited)", 174 | ); 175 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 176 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 177 | GCC_WARN_UNDECLARED_SELECTOR = YES; 178 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 179 | GCC_WARN_UNUSED_FUNCTION = YES; 180 | GCC_WARN_UNUSED_VARIABLE = YES; 181 | MACOSX_DEPLOYMENT_TARGET = 10.11; 182 | MTL_ENABLE_DEBUG_INFO = YES; 183 | ONLY_ACTIVE_ARCH = YES; 184 | SDKROOT = macosx; 185 | }; 186 | name = Debug; 187 | }; 188 | 7B3D14DD1E9FA7BE00C2E6E9 /* Release */ = { 189 | isa = XCBuildConfiguration; 190 | buildSettings = { 191 | ALWAYS_SEARCH_USER_PATHS = NO; 192 | CLANG_ANALYZER_NONNULL = YES; 193 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; 194 | CLANG_CXX_LIBRARY = "libc++"; 195 | CLANG_ENABLE_MODULES = YES; 196 | CLANG_ENABLE_OBJC_ARC = YES; 
197 | CLANG_WARN_BOOL_CONVERSION = YES; 198 | CLANG_WARN_CONSTANT_CONVERSION = YES; 199 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 200 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 201 | CLANG_WARN_EMPTY_BODY = YES; 202 | CLANG_WARN_ENUM_CONVERSION = YES; 203 | CLANG_WARN_INFINITE_RECURSION = YES; 204 | CLANG_WARN_INT_CONVERSION = YES; 205 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 206 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 207 | CLANG_WARN_UNREACHABLE_CODE = YES; 208 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 209 | CODE_SIGN_IDENTITY = "-"; 210 | COPY_PHASE_STRIP = NO; 211 | DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; 212 | ENABLE_NS_ASSERTIONS = NO; 213 | ENABLE_STRICT_OBJC_MSGSEND = YES; 214 | GCC_C_LANGUAGE_STANDARD = gnu99; 215 | GCC_NO_COMMON_BLOCKS = YES; 216 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 217 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 218 | GCC_WARN_UNDECLARED_SELECTOR = YES; 219 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 220 | GCC_WARN_UNUSED_FUNCTION = YES; 221 | GCC_WARN_UNUSED_VARIABLE = YES; 222 | MACOSX_DEPLOYMENT_TARGET = 10.11; 223 | MTL_ENABLE_DEBUG_INFO = NO; 224 | SDKROOT = macosx; 225 | }; 226 | name = Release; 227 | }; 228 | 7B3D14DF1E9FA7BE00C2E6E9 /* Debug */ = { 229 | isa = XCBuildConfiguration; 230 | buildSettings = { 231 | CODE_SIGN_IDENTITY = ""; 232 | DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; 233 | DEVELOPMENT_TEAM = ""; 234 | HEADER_SEARCH_PATHS = /usr/local/include; 235 | LIBRARY_SEARCH_PATHS = /usr/local/lib; 236 | PRODUCT_NAME = "$(TARGET_NAME)"; 237 | PROVISIONING_PROFILE_SPECIFIER = ""; 238 | }; 239 | name = Debug; 240 | }; 241 | 7B3D14E01E9FA7BE00C2E6E9 /* Release */ = { 242 | isa = XCBuildConfiguration; 243 | buildSettings = { 244 | CODE_SIGN_IDENTITY = ""; 245 | DEVELOPMENT_TEAM = ""; 246 | HEADER_SEARCH_PATHS = /usr/local/include; 247 | LIBRARY_SEARCH_PATHS = /usr/local/lib; 248 | PRODUCT_NAME = "$(TARGET_NAME)"; 249 | PROVISIONING_PROFILE_SPECIFIER = ""; 250 | }; 251 | name = Release; 252 | }; 253 | /* End 
XCBuildConfiguration section */ 254 | 255 | /* Begin XCConfigurationList section */ 256 | 7B3D14D21E9FA7BE00C2E6E9 /* Build configuration list for PBXProject "unicorn_string_deobfuscator" */ = { 257 | isa = XCConfigurationList; 258 | buildConfigurations = ( 259 | 7B3D14DC1E9FA7BE00C2E6E9 /* Debug */, 260 | 7B3D14DD1E9FA7BE00C2E6E9 /* Release */, 261 | ); 262 | defaultConfigurationIsVisible = 0; 263 | defaultConfigurationName = Release; 264 | }; 265 | 7B3D14DE1E9FA7BE00C2E6E9 /* Build configuration list for PBXNativeTarget "unicorn_string_deobfuscator" */ = { 266 | isa = XCConfigurationList; 267 | buildConfigurations = ( 268 | 7B3D14DF1E9FA7BE00C2E6E9 /* Debug */, 269 | 7B3D14E01E9FA7BE00C2E6E9 /* Release */, 270 | ); 271 | defaultConfigurationIsVisible = 0; 272 | defaultConfigurationName = Release; 273 | }; 274 | /* End XCConfigurationList section */ 275 | }; 276 | rootObject = 7B3D14CF1E9FA7BE00C2E6E9 /* Project object */; 277 | } 278 | -------------------------------------------------------------------------------- /unicorn_string_deobfuscator/main.c: -------------------------------------------------------------------------------- 1 | /* 2 | * ____ ___ .__ 3 | * | | \____ |__| ____ ___________ ____ 4 | * | | / \| |/ ___\/ _ \_ __ \/ \ 5 | * | | / | \ \ \__( <_> ) | \/ | \ 6 | * |______/|___| /__|\___ >____/|__| |___| / 7 | * \/ \/ \/ 8 | * _________ __ .__ 9 | * / _____// |________|__| ____ ____ 10 | * \_____ \\ __\_ __ \ |/ \ / ___\ 11 | * / \| | | | \/ | | \/ /_/ > 12 | * /_______ /|__| |__| |__|___| /\___ / 13 | * \/ \//_____/ 14 | * ________ ___. 
_____ __ 15 | * \______ \ ____ ____\_ |___/ ____\_ __ ______ ____ _____ _/ |_ ___________ 16 | * | | \_/ __ \/ _ \| __ \ __\ | \/ ___// ___\\__ \\ __\/ _ \_ __ \ 17 | * | ` \ ___( <_> ) \_\ \ | | | /\___ \\ \___ / __ \| | ( <_> ) | \/ 18 | * /_______ /\___ >____/|___ /__| |____//____ >\___ >____ /__| \____/|__| 19 | * \/ \/ \/ \/ \/ \/ 20 | * 21 | * unicorn_string_deobfuscator 22 | * 23 | * A Unicorn Emulator to deobfuscate Equation Group string XOR obfuscation 24 | * Instead of reversing the algo just ripped off the function and emulated it on Unicorn 25 | * 26 | * Created by reverser on 13/04/17. 27 | * (c) fG!, 2017 - reverser@put.as - https://reverse.put.as 28 | * 29 | * Public domain code, no warranties, no responsibilities, it is your problem. 30 | * Just give credits if you use any of this. 31 | * 32 | */ 33 | 34 | #include 35 | #include 36 | #include 37 | #include 38 | 39 | #define ERROR_MSG(fmt, ...) fprintf(stderr, "[ERROR] " fmt " \n", ## __VA_ARGS__) 40 | #define WARNING_MSG(fmt, ...) fprintf(stderr, "[WARNING] " fmt " \n", ## __VA_ARGS__) 41 | #define OUTPUT_MSG(fmt, ...) fprintf(stdout, fmt " \n", ## __VA_ARGS__) 42 | #define DEBUG_MSG(fmt, ...) 
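fprintf(stdout, "[DEBUG] " fmt "\n", ## __VA_ARGS__)

/*
 * Guest addresses where the code and the stack are mapped. The ripped function
 * is position independent (every reference is RIP/register relative), so any
 * page-aligned address works; uc_mem_map() rejects sizes and addresses that
 * are not 4 KiB multiples, which 8 MiB satisfies. The sizes are parenthesised
 * so they stay correct inside larger expressions such as STACK_SIZE / 2.
 */
#define CODE_ADDRESS  0x10000000
#define CODE_SIZE     (8 * 1024 * 1024)
#define STACK_ADDRESS 0x20000000
#define STACK_SIZE    (8 * 1024 * 1024)

/* element count of a real array (never use on a pointer or a decayed parameter) */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/*
 * Guest layout inside the stack mapping, both below the initial RSP:
 *   STACK_ADDRESS                  encoded input string
 *   STACK_ADDRESS + OUTPUT_OFFSET  decoded output buffer
 * An input longer than OUTPUT_OFFSET bytes would overlap its own output; the
 * CLEAN_STRING_SIZE host buffer is the tighter of the two limits and is what
 * deobfuscate_one() checks against.
 */
enum { OUTPUT_OFFSET = 4096, CLEAN_STRING_SIZE = 256 };

/*
 * from dewdrop__v__3_3_2_2_x86_64-darwin @ 0x1000046E0
 *
 * Calling convention as used by the sample: rdi = output buffer,
 * rsi = encoded bytes, rdx = length. The only memory the code writes is
 * through rdi (mov [rdi+rcx-1], r9b), so the code page can stay read+exec.
 * Being a string literal, sizeof() counts the trailing NUL, i.e. code bytes + 1.
 */
static const uint8_t deobfuscate_function_shellcode[] =
    "\x55"                             // push rbp
    "\x48\x89\xE5"                     // mov rbp, rsp
    "\x48\x8D\x42\x01"                 // lea rax, [rdx+1]
    "\x48\x83\xF8\x02"                 // cmp rax, 2
    "\x72\x39"                         // jb short loc_100004727
    "\x48\xF7\xDA"                     // neg rdx
    "\x8A\x06"                         // mov al, [rsi]
    "\xB9\x01\x00\x00\x00"             // mov ecx, 1
    "\x0F\x1F\x84\x00\x00\x00\x00\x00" // nop dword ptr [rax+rax+00000000h]
    "\x44\x8A\x04\x0E"                 // mov r8b, [rsi+rcx]
    "\x41\x88\xC9"                     // mov r9b, cl
    "\x41\x30\xC1"                     // xor r9b, al
    "\x45\x30\xC1"                     // xor r9b, r8b
    "\x41\x80\xF1\x47"                 // xor r9b, 47h
    "\x44\x88\x4C\x0F\xFF"             // mov [rdi+rcx-1], r9b
    "\x44\x00\xC0"                     // add al, r8b
    "\x4C\x8D\x44\x0A\x01"             // lea r8, [rdx+rcx+1]
    "\x48\xFF\xC1"                     // inc rcx
    "\x49\x83\xF8\x01"                 // cmp r8, 1
    "\x75\xD9"                         // jnz short loc_100004700
    "\x48\x89\xF8"                     // mov rax, rdi
    "\x50"                             // pop rbp
    "\xc3";                            // retn

/*
we could have just pressed F5 on IDA and cleanup the code but what is the fun on that? Lazy but not that much!

__int64 __fastcall deobfuscate_string(__int64 a1, char *a2, __int64 a3)
{
    __int64 v3; // rdx
    char v4; // al
    signed __int64 v5; // rcx
    char v6; // r8
    signed __int64 v7; // r8

    if ( (unsigned __int64)(a3 + 1) >= 2 )
    {
        v3 = -a3;
        v4 = *a2;
        v5 = 1LL;
        do
        {
            v6 = a2[v5];
            *(_BYTE *)(a1 + v5 - 1) = v6 ^ v4 ^ v5 ^ 0x47;
            v4 += v6;
            v7 = v3 + v5++ + 1;
        }
        while ( v7 != 1 );
    }
    return a1;
}
*/

/*
 * from dewdrop__v__3_3_2_2_x86_64-darwin and other samples in Shadow Brokers dump
 * NULL terminated; every entry is a NUL terminated byte string taken from a sample,
 * so its bytes are untrusted data and are never interpreted on the host beyond
 * strlen() and hex dumping.
 */
static const char *const obfuscated_strings[] = {
    "\xB8\xD1\xA8\x10\x74\xD8\xA2\x1A\x6A\x91\x09\x00",
    "\xAA\xC3\x4A\x9A\x7C\xA0\x4E\x9A\x69\x98\x1B\x00",
    "\xA6\xCD\x1B\xBA\x64\x9D\x61\x92\x73\x00",
    "\xB0\xDD\xA7\x70\x00",
    "\xD5\xBE\xB5\x0C\x00",
    "\x9D\xAF\x7B\xF6\x9B\x1A\x00",
    "\x80\xE9\x4E\x9A\x7C\xA0\x5F\xE4\xFF\x00",
    "\x0F\x01\x1C\x3B\x70\xD3\xA2\x40\x86\x61\x11\xAC\x1E\x72\xA6\x40\x84\x10\x03\x69\x00",
    "\x85\xEC\x50\xE0\x94\x58\xCC\x00",
    "\xFA\xCC\xF7\x80\x26\x79\x9D\x00",
    "\x12\x24\x02\x0E\x76\xAE\x7A\xF6\xC6\xEE\x00",
    "\x4D\x58\x8B\x1D\x7E\xF9\xEC\x9E\x66\xDA\xA6\x16\x77\xE2\x98\x1C\x6E\xFE\xF3\x8C\x65\xD5\x49\xE0\x97\x12\x3D\xF9\xF1\x25\xC3\x00",
    "\xF6\x9F\xB4\x68\x84\x58\xBE\x6A\x94\x63\x8E\x1B\x1E\x00",
    "\x92\xFB\xAC\x18\x64\xD8\xB9\x74\x94\x6E\x95\x72\xE5\xE2\x00",
    "\x23\x16\x19\x78\xED\x98\x6F\x97\x76\xA5\x3D\x00",
    "\xA8\x86\x02\x07\x00",
    "\x1A\x62\x8A\x72\x00",
    "\x8A\x98\x22\x52\x98\x51\x48\xF3\xC4\x00",
    "\x9D\xB7\x62\xD2\xE6\x40\xCF\x18\xA9\x70\x00", // slyheretic checkpersist strings
    "\x82\xE4\x0E\x0E\xE1\x21\x00",
    "\x76\x10\xE1\x06\x5D\xAA\x3F\xF3\x00",
    "\x6C\x05\x56\xEA\x9C\x0F\x00",
    "\xA9\xC0\x5F\xEE\x9C\x7E\x91\x00",
    "\x9F\xF6\xA5\x0D\x76\xD0\xAE\x12\x6C\xF7\x00",
    "\x56\x3F\xA5\x0D\x76\xD0\xBF\x6E\x9C\x76\x81\x00",
    "\x0F\x66\x45\x8D\x76\xD0\xA0\x02\x03\x1D\x6E\xDE\xB2\x6E\x9C\x1F\x00",
    "\x1D\x74\xA1\x05\x06\x50\xA0\x02\x03\x1D\x6E\xDE\xA3\x16\x74\xEE\xE1\x00",
    "\x7B\x12\xBD\x7D\xF6\xD0\xA0\x04\x1C\x66\x86\x10\x61\xE0\x00",
    "\xBF\xD6\x83\x25\x0D\x7C\xE2\x85\x4D\x78\xD6\xE6\x97\x6E\x88\x0A\x3D\x97\x23\x1A\x60\xB7\x59\xE4\x83\x1A\x79\xF9\x91\x3F\xD0\x00",
    "\x8C\xBA\x7A\xF0\x9B\x66\x9E\x0F\x00",
    "\x11\x27\x18\x66\x99\x0D\x00",
    "\x67\x43\x8E\x0F\x6C\xF1\x00",
    "\x03\x36\x14\x09\x00",
    "\x79\x5C\xE3\x94\x0F\x00",
    "\x89\xA4\x1B\x64\xEF\x00",
    "\xC8\xED\x84\x14\x7E\xED\xF9\x00",
    "\x48\x6F\x91\x78\xEA\x9E\x60\x9C\x72\x95\x69\x96\x68\x8C\x18\x6C\xF1\xE5\x00",
    "\x64\x49\x8D\x06\x77\x91\x09\x00",
    "\x2C\x19\x65\x8D\x01\x08\x68\x9C\x72\x9C\x1F\x00",
    "\x50\x78\xF9\xF5\x91\x05\x00",
    "\xCD\xEE\x93\x65\x9E\x77\x89\x00",
    "\xFD\xD3\xFC\xEC\x9F\x15\x00",
    "\x31\x14\x6F\x82\x10\x77\x99\x64\x83\x1A\x79\xF9\xF1\x94\x07\x00",
    "\x48\x6F\x91\x78\xEA\x9E\x60\x9C\x72\x95\x69\x96\x68\x8C\x18\x6C\xF1\xE5\x00", // slyheretic checkprocess
    "\x64\x49\x8D\x06\x77\x91\x09\x00",
    "\x2C\x19\x65\x8D\x01\x08\x68\x9C\x72\x9C\x1F\x00",
    "\x50\x78\xF9\xF5\x91\x05\x00",
    "\xCD\xEE\x93\x65\x9E\x77\x89\x00",
    "\xFD\xD3\xFC\xEC\x9F\x15\x00",
    "\x31\x14\x6F\x82\x10\x77\x99\x64\x83\x1A\x79\xF9\xF1\x94\x07\x00",
    "\x6C\x05\x56\xEA\x9C\x0F\x00", // slyheretic uninstaller
    "\xA9\xC0\x5F\xEE\x9C\x7E\x91\x00",
    "\x9F\xF6\xA5\x0D\x76\xD0\xAE\x12\x6C\xF7\x00",
    "\x56\x3F\xA5\x0D\x76\xD0\xBF\x6E\x9C\x76\x81\x00",
    "\x0F\x66\x45\x8D\x76\xD0\xA0\x02\x03\x1D\x6E\xDE\xB2\x6E\x9C\x1F\x00",
    "\x1D\x74\xA1\x05\x06\x50\xA0\x02\x03\x1D\x6E\xDE\xA3\x16\x74\xEE\xE1\x00",
    "\x7B\x12\xBD\x7D\xF6\xD0\xA0\x04\x1C\x66\x86\x10\x61\xE0\x00",
    "\xBF\xD6\x83\x25\x0D\x7C\xE2\x85\x4D\x78\xD6\xE6\x97\x6E\x88\x0A\x3D\x97\x23\x1A\x60\xB7\x59\xE4\x83\x1A\x79\xF9\x91\x3F\xD0\x00",
    "\x8C\xBA\x7A\xF0\x9B\x66\x9E\x0F\x00",
    "\x11\x27\x18\x66\x99\x0D\x00",
    "\x67\x43\x8E\x0F\x6C\xF1\x00",
    "\x03\x36\x14\x09\x00",
    "\x79\x5C\xE3\x94\x0F\x00",
    "\x89\xA4\x1B\x64\xEF\x00",
    "\xC8\xED\x84\x14\x7E\xED\xF9\x00",
    "\x48\x6F\x91\x78\xEA\x9E\x60\x9C\x72\x95\x69\x96\x68\x8C\x18\x6C\xF1\xE5\x00",
    "\x64\x49\x8D\x06\x77\x91\x09\x00",
    "\x2C\x19\x65\x8D\x01\x08\x68\x9C\x72\x9C\x1F\x00",
    "\x50\x78\xF9\xF5\x91\x05\x00",
    "\xCD\xEE\x93\x65\x9E\x77\x89\x00",
    "\xFD\xD3\xFC\xEC\x9F\x15\x00",
    "\x31\x14\x6F\x82\x10\x77\x99\x64\x83\x1A\x79\xF9\xF1\x94\x07\x00",
    "\x91\xA7\x0E\x22\x06\x6D\xBA\xF8\xAD\x54\xB6\x7B\x91\x68\xDD\xAD\x7C\x8C\x33\x59\xF5\xF0\x8E\x35\x42\xEE\x86\x44\x50\xE6\x9E\x79\xC7\xC6\x43\x85\x00",
    "\x76\x65\xCE\xCD\x35\x00", // noserver
    "\x84\x80\x13\x1C\x31\x62\xC4\x8B\x09\x04\x4F\x3D\x00",
    "\xB2\xB0\x62\xC2\x90\x13\x48\x31\x00",
    "\x7A\x70\xE0\xC1\x98\x23\x46\x8F\x1F\x54\xC3\x00",
    "\x8E\x98\x2C\x5F\xBC\x7B\xE6\xDE\xAC\x5F\xB4\x73\xB5\xD9\x00",
    "\xD8\xCC\xB4\x52\xA7\x5A\xA4\x48\xF8\xC1\x00",
    "\x8C\x84\x1A\x2F\x48\xB3\x35\xC9\x00",
    "\x4D\x4A\x9E\x3D\x7C\xF9\xEA\xC5\x90\x48\x23\x00",
    "\xD5\xDE\xA3\x5E\xA3\x5C\xB1\x65\xD5\x84\x4F\x3D\x00",
    "\xFA\xB6\x90\x70\x9B\x6C\x84\x5B\xFC\xEC\x01\x4B\xBB\xEA\x16\xFF\xAB\x43\x02\x10\xE5\x43\xC7\x06\x16\xE3\x57\xAF\x06\x14\xF9\xAB\x6B\xE2\xD6\x0F\x73\xB3\xEF\x00",
    "\x9E\xD2\x10\xB7\x4E\xE7\x0D\x5F\xFB\xFC\xE5\x8B\x49\xC2\x00",
    "\x01\x67\x40\x98\x76\xD4\xEE\x5C\x9B\x00",
    "\xAB\xE7\xBE\x7A\xEC\x80\x57\xE8\x49\xD0\xC3\x00",
    "\xFC\xD8\xE3\x9C\x71\xE2\x84\x0B\x09\x04\x2F\x18\xB1\x50\xC3\x00",
    "\x5F\x77\xF6\xFC\xE6\x8D\x09\x6F\xDC\xE4\x4D\xAC\x27\x00",
    "\xB8\xF4\x80\x06\x14\x70\xC1\x17\xE4\x4F\x8C\x00",
    "\xB2\xDB\xED\x5A\xB7\xC9\x00",
    "\xC2\xA1\x55\xD3\xED\x49\x80\x00",
    "\xDD\xBE\xAD\x23\x0D\x49\x80\x00",
    "\x96\xF5\xAC\x53\xEC\x51\xA6\x08\x72\x93\x12\x8D\x72\xE4\x7F\xA6\x00",
    "\x4F\x2C\x5C\xB3\xEC\x51\xA6\x08\x72\x93\x12\x8D\x72\xE4\x7F\xA6\x00",
    "\x0E\x6D\x5C\xB3\xEC\x51\xA6\x08\x72\x93\x12\x8D\x72\xE4\x7F\xA6\x00",
    "\x25\x64\x00",
    "\x4B\x07\x47\xAF\x62\x85\x0F\x0C\x7C\xA8\x70\xF7\xEC\xFD\x92\x6A\xD7\xE7\x08\xA7\x57\x09\xBE\x60\xF0\xCB\x00",
    "\x48\x5D\x85\x0D\x1B\x7E\xF5\xE4\x94\x0A\x2A\x6E\xF1\xE8\x87\x12\x74\xA9\x1B\xF8\xA1\x53\x01\x4E\xEE\xE6\xC5\x00",
    "\x62\x2E\xA7\x16\x7D\xE7\x9C\x7B\xE2\x96\x2D\x44\x88\x01\x1C\x6C\xB5\x47\x84\x64\xD5\x41\x82\x1D\x70\xB5\xF8\x57\xAE\x07\xF8\x57\xBE\xF7\x00",
    "\xB3\xFF\x9E\x7A\xFF\xEA\x9E\x78\xE2\xC5\x74\xF8\xB7\xB8\x66\x9D\x6B\x8A\x65\x8F\x5E\xE7\x08\xA7\x4E\x27\x00",
    "\xF7\xF0\xC6\x8D\x0B\x62\x95\x0F\x3E\xE7\x18\xB7\x7E\xF7\x00",
    "\x8E\xC2\x67\x96\x7D\xE7\x9C\x7B\xE2\x96\x2D\x44\x88\x01\x1C\x6C\xB5\x47\x84\x64\xD5\x41\x82\x1D\x70\xB5\xF8\x57\xAE\x07\xF8\x57\xBE\xF7\x00",
    "\x4D\x01\x43\xBA\x7B\xF0\x99\x6E\x9F\x77\xA4\x1B\xFC\xB7\x06\x03\x00",
    "\x7E\x32\x9C\x66\x87\x1A\x7E\xF8\xE2\xC5\x74\xF8\xB7\xB8\x66\x9D\x6B\x8A\x65\x8F\x5E\xE7\x08\xA7\x4E\x27\x00",
    "\x6D\x6A\xF6\xED\x8B\x62\x95\x0F\x3E\xE7\x18\xB7\x7E\xF7\x00",
    "\x82\x85\x2E\x05\x1C\x66\x93\x6E\x86\x68\xC6\x5C\xE2\x81\x0B\x16\x75\xE3\xC6\x1B\xFC\xA7\x76\xF3\x00",
    "\x6D\x75\x00",
    "\x1E\x3D\x66\xF5\xF5\x00",
    "\xFA\xDF\xF0\xE4\xEE\x00",
    "\x74\x41\x86\x0D\x0B\x00",
    "\x3B\x3B\x00",
    "\x1F\x01\x36\x12\x00",
    "\x46\x73\x94\x09\x00",
    "\x09\x3C\x68\xE9\x00",
    "\x50\x39\xAE\x1A\x7C\xA0\x5F\xE4\xFF\x00",
    "\x0A\x5B\x00",
    "\x5D\x0A\x00",
    "\x71\x04\x1E\xE4\x1A\xE1\x1D\xFC\xC4\x00",
    "\x25\x73\x00",
    "\xAE\xDB\xFE\xF4\x0D\xFE\xC7\x00",
    "\x4D\x6F\x9A\x28\x51\xB7\x8B\x6B\x40\x87\x67\xAF\x41\xEA\x8E\x60\x71\x8F\x77\x87\x51\xA9\x54\xEE\x00",
    "\x58\x0A\x00",
    "\x64\x07\x46\x80\x72\x00",
    "\x4B\x5D\xAC\x44\x93\x69\x00",
    "\x01\x68\x48\x90\x74\xD8\xA2\x1A\x6A\x91\x09\x00",
    "\x73\x68\x00",
    "\x58\x53\x00",
    "\xE4\x8D\x56\xEA\x9C\x20\x5F\xE4\xFF\x00",
    "\x25\x75\x3A\x25\x75\x00",
    "\x6C\x05\x50\xE0\x94\x58\xE9\x45\xF4\x00",
    "\x40\x23\x4B\xC5\x15\xAE\x58\xEB\x4F\xA6\x06\x6C\xAB\x00",
    "\xBF\xD6\xB4\x68\x84\x58\xE9\x45\xF4\x00",
    "\xE4\x87\x43\xC5\x15\xAE\x58\xEB\x4F\xA6\x06\x6C\xAB\x00",
    "\x0E\x67\x54\xE8\x84\x58\xBE\x6A\x94\x63\x8E\x1B\x1E\x00",
    "\x99\xF0\xA8\x10\x74\xD8\xB9\x74\x94\x6E\x95\x72\xE5\xE2\x00",
    "\xD2\xBB\xB8\x73\x94\x6D\xD7\xF5\xAE\x52\xAE\x16\x6E\x98\x06\x00",
    "\x25\x73\x25\x75\x00",
    "\x95\xFC\xA4\x03\x14\x6D\xF8\x00",
    "\x4B\x28\x45\xD3\xED\x0A\xF6\x5C\x9B\x00",
    "\x0C\x0C\x2F\x6C\x9D\x32\xC3\x00",
    "\xA5\xC3\x67\xCA\x94\x4F\x3D\x00",
    "\x6B\x0D\x7B\xF2\xE4\xAB\x35\x00",
    "\x30\x56\x8E\x11\x34\x3B\xD5\x00",
    "\x0C\x6A\x72\xFC\xF5\xBB\xD5\x00",
    "\x8B\xED\x70\xED\xCF\xC6\x2B\x00",
    "\x6B\x0D\x77\xFE\xE0\xAF\x3D\x00",
    "\xAD\xCB\x77\xFE\xE2\xAD\x3D\x00",
    "\x2B\x4D\x7C\xE5\xDD\xD4\xCB\x00",
    "\x9E\xF8\x80\x17\x3E\x09\x35\x00",
    "\x38\x5E\x9C\x35\x70\xB5\xCD\x00",
    "\x0D\x6B\x73\xE0\xDE\xCB\x35\x00",
    "\x31\x57\x89\x10\x21\x20\x23\x00",
    "\x11\x09\x1B\x10\x72\x90\x3C\xE3\x07\x09\x13\x8F\x32\x6E\xD1\xBD\x57\xAE\x7C\xB3\x55\xD0\xAF\x6C\xC5\x5D\xC0\xB0\x65\xCB\x59\xC0\x93\x37\x1A\x61\xF3\xDA\xA8\x0F\x4D\x8F\x22\x5C\xF3\xBD\x40\xB5\x4D\xFC\xAF\x72\xD1\x9A\x63\x99\x1E\x51\x94\x6D\x99\x03\x2C\x68\xE9\xCD\xC5\x28\x11\xA9\x2A\x00",
    "\xF4\xEC\xE3\xF5\x94\x63\xD4\xE3\x29\x00",
    "\xA5\x8D\x16\x61\x8F\x47\x10\xE5\x1E\xAF\x0C\x00",
    "\x7E\x56\xF0\xED\x97\x37\x3E\x00",
    "\x88\x80\x0C\x1D\x37\x17\x3E\x00",
    "\xB8\xD1\xBA\x66\x98\x2C\x58\xE8\x92\x5E\xD0\x00", // stoic sturgeon vezarat.dolat.ir
    "\x5A\x33\xA4\x1C\x6C\xD4\xCC\x00",
    "\x3C\x55\xB0\x60\x94\x58\xCC\x00",
    "\x8C\xE5\x51\xF2\x94\x25\x2C\x00",
    "\x1E\x77\xD0\x00",
    "\x09\x6A\x45\xD2\xEC\x04\x0A\xF2\x55\xE9\x81\x79\x00",
    "\x25\x4D\x37\x00",
    "\x96\xFE\xFF\xD7\x00",
    "\x85\xE6\x5D\xA3\x0D\x49\x80\x00",
    "\xFD\x94\xA2\x16\x78\xAC\x58\xE8\x92\x5E\xD0\x00", // stoic surgeon regular
    "\xE2\x8B\x44\x9C\x6C\xD4\xCC\x00",
    "\xD0\xB9\xA8\x10\x74\xD8\xCC\x00",
    "\x43\x2A\x4D\x8A\x64\xC5\x2C\x00",
    "\xCC\xA5\x34\x00",
    "\x80\xE3\x55\xD2\xEC\x04\x0A\xF2\x55\xE9\x81\x79\x00",
    "\x2B\x43\x2B\x00",
    "\x38\x50\xE3\x2F\x00",
    "\x41\x22\x55\xD3\xED\x49\x80\x00",
    "\xC1\xA8\x48\x90\x74\xD8\xBE\x6A\x94\x63\x8E\x1B\x1E\x00",
    "\x4F\x26\x54\xE8\x84\x58\xB9\x74\x94\x6E\x95\x72\xE5\xE2\x00",
    NULL };

/*
 * Map the emulated stack, zero it, put every general purpose register into a
 * known (zero) state and point RSP/RBP at the middle of the stack area.
 *
 * uc      an open Unicorn instance. The caller keeps ownership and must call
 *         uc_close() on every path; this helper never closes it, so a failure
 *         here cannot lead to a double close in the caller.
 * Returns 0 on success, -1 on failure (an ERROR_MSG has already been printed).
 */
int
map_stack_and_initial_registers(uc_engine *uc)
{
    /* nothing ever executes from the stack, so do not map it executable */
    uc_err err = uc_mem_map(uc, STACK_ADDRESS, STACK_SIZE, UC_PROT_READ | UC_PROT_WRITE);
    if (err != UC_ERR_OK)
    {
        ERROR_MSG("Failed to allocate Unicorn stack memory area: %s.", uc_strerror(err));
        return -1;
    }

    /*
     * Zero the whole stack area explicitly. The decoded string is read back
     * from this area and relies on the bytes after it being zero, so do not
     * depend on whatever the freshly mapped pages happen to contain.
     */
    unsigned char *zero = calloc(1, STACK_SIZE);
    if (zero == NULL)
    {
        ERROR_MSG("Failed to allocate %d bytes to zero the stack.", STACK_SIZE);
        return -1;
    }
    err = uc_mem_write(uc, STACK_ADDRESS, zero, STACK_SIZE);
    free(zero);
    if (err != UC_ERR_OK)
    {
        ERROR_MSG("Failed to zero stack memory: %s.", uc_strerror(err));
        return -1;
    }

    int x86_64_regs[] = {
        UC_X86_REG_RIP,
        UC_X86_REG_RAX, UC_X86_REG_RBX, UC_X86_REG_RBP,
        UC_X86_REG_RDI, UC_X86_REG_RSI, UC_X86_REG_RDX, UC_X86_REG_RCX,
        UC_X86_REG_R8, UC_X86_REG_R9, UC_X86_REG_R10,
        UC_X86_REG_R11, UC_X86_REG_R12, UC_X86_REG_R13, UC_X86_REG_R14,
        UC_X86_REG_R15, UC_X86_REG_CS, UC_X86_REG_FS, UC_X86_REG_GS, UC_X86_REG_EFLAGS
    };
    /*
     * One zero value per register. ARRAY_SIZE() is the element count;
     * sizeof(x86_64_regs) is the byte size (four times larger), and using it
     * as the count made uc_reg_write_batch() read register ids past the end
     * of the table.
     */
    uint64_t vals[ARRAY_SIZE(x86_64_regs)] = {0};
    void *ptrs[ARRAY_SIZE(x86_64_regs)] = {0};
    for (size_t i = 0; i < ARRAY_SIZE(x86_64_regs); i++)
    {
        ptrs[i] = &vals[i];
    }

    err = uc_reg_write_batch(uc, x86_64_regs, ptrs, (int)ARRAY_SIZE(x86_64_regs));
    if (err != UC_ERR_OK)
    {
        ERROR_MSG("Failed to initialize all registers: %s.", uc_strerror(err));
        return -1;
    }

    /* RIP is not set here: uc_emu_start() takes the entry address explicitly */

    /* middle of the stack area: the input and output buffers live below it */
    uint64_t r_rsp = STACK_ADDRESS + STACK_SIZE / 2;
    err = uc_reg_write(uc, UC_X86_REG_RSP, &r_rsp);
    if (err != UC_ERR_OK)
    {
        ERROR_MSG("Failed to write initial RSP register: %s.", uc_strerror(err));
        return -1;
    }
    err = uc_reg_write(uc, UC_X86_REG_RBP, &r_rsp);
    if (err != UC_ERR_OK)
    {
        ERROR_MSG("Failed to write initial RBP register: %s.", uc_strerror(err));
        return -1;
    }

    return 0;
}

/*
 * Map a code area at CODE_ADDRESS and copy the given bytes into it.
 *
 * uc              an open Unicorn instance; ownership stays with the caller,
 *                 which closes it on failure (this helper never does).
 * shellcode       bytes to execute, at most CODE_SIZE of them.
 * shellcode_size  their length.
 * Returns 0 on success, -1 on failure (an ERROR_MSG has already been printed).
 */
int
map_shellcode(uc_engine *uc, const void *shellcode, size_t shellcode_size)
{
    if (shellcode == NULL || shellcode_size == 0 || shellcode_size > (size_t)CODE_SIZE)
    {
        ERROR_MSG("Invalid shellcode: %zu bytes do not fit the %d byte code area.",
                  shellcode_size, CODE_SIZE);
        return -1;
    }

    /*
     * Read+exec only. The ripped function writes only through RDI (into the
     * stack area), so it has no reason to modify its own page; the host side
     * uc_mem_write() below is not subject to guest permissions.
     */
    uc_err err = uc_mem_map(uc, CODE_ADDRESS, CODE_SIZE, UC_PROT_READ | UC_PROT_EXEC);
    if (err != UC_ERR_OK)
    {
        ERROR_MSG("Failed to allocate Unicorn code memory area: %s.", uc_strerror(err));
        return -1;
    }
    err = uc_mem_write(uc, CODE_ADDRESS, shellcode, shellcode_size);
    if (err != UC_ERR_OK)
    {
        ERROR_MSG("Failed to write shellcode to Unicorn memory: %s", uc_strerror(err));
        return -1;
    }
    return 0;
}

/*
 * Print a decoded string for a human, escaping anything outside printable
 * ASCII as \xNN. The bytes come straight out of a malware sample, so raw
 * control characters must not reach the terminal unfiltered.
 */
static void
print_clean_string(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p != '\0'; p++)
    {
        if (*p >= 0x20 && *p < 0x7f)
        {
            putchar(*p);
        }
        else
        {
            printf("\\x%02x", *p);
        }
    }
}

/*
 * Emulate the ripped function over one encoded string and print the result.
 *
 * obfuscated  NUL terminated encoded bytes.
 * Returns 0 when the string was decoded and printed, 1 when it was skipped
 * because it does not fit the fixed output buffer, -1 on a Unicorn failure.
 * The Unicorn instance is created and closed here, on every path.
 */
static int
deobfuscate_one(const char *obfuscated)
{
    int rc = -1;
    uc_engine *uc = NULL;
    char clean_string[CLEAN_STRING_SIZE] = {0};

    /* strlen()+1: the length register receives the encoded bytes plus their terminator */
    size_t obfuscated_size = strlen(obfuscated) + 1;

    /*
     * uc_mem_read() copies obfuscated_size bytes into clean_string; a longer
     * entry would overflow the host buffer (and, past OUTPUT_OFFSET, overlap
     * the guest output buffer). Refuse instead of trusting the table.
     */
    if (obfuscated_size >= sizeof clean_string)
    {
        ERROR_MSG("Skipping %zu byte string: larger than the %zu byte output buffer.",
                  obfuscated_size, sizeof clean_string);
        return 1;
    }

    uc_err err = uc_open(UC_ARCH_X86, UC_MODE_64, &uc);
    if (err != UC_ERR_OK)
    {
        ERROR_MSG("Failed to open Unicorn: %s.", uc_strerror(err));
        return -1;
    }

    if (map_stack_and_initial_registers(uc) != 0)
    {
        ERROR_MSG("Failed to map initial stack and registers.");
        goto out;
    }

    if (map_shellcode(uc, deobfuscate_function_shellcode, sizeof deobfuscate_function_shellcode) != 0)
    {
        ERROR_MSG("Failed to map shellcode.");
        goto out;
    }

    /* the guest sees: function(output_buf, obfuscated_string, strlen(obfuscated_string) + 1) */
    err = uc_mem_write(uc, STACK_ADDRESS, obfuscated, obfuscated_size);
    if (err != UC_ERR_OK)
    {
        ERROR_MSG("Failed to write obfuscated string to Unicorn memory: %s.", uc_strerror(err));
        goto out;
    }

    uint64_t reg_rdi = STACK_ADDRESS + OUTPUT_OFFSET; /* output buffer, after the input, below RSP */
    uint64_t reg_rsi = STACK_ADDRESS;                 /* encoded input */
    uint64_t reg_rdx = obfuscated_size;
    if (uc_reg_write(uc, UC_X86_REG_RDI, &reg_rdi) != UC_ERR_OK ||
        uc_reg_write(uc, UC_X86_REG_RSI, &reg_rsi) != UC_ERR_OK ||
        uc_reg_write(uc, UC_X86_REG_RDX, &reg_rdx) != UC_ERR_OK)
    {
        ERROR_MSG("Failed to set argument registers.");
        goto out;
    }

    /*
     * sizeof counts the literal's trailing NUL, so "- 2" is the offset of the
     * final ret: pop rbp still runs, the ret does not. Returning would pop a
     * zero return address from the zeroed stack and fault on an unmapped fetch.
     */
    uint64_t stop_address = CODE_ADDRESS + sizeof deobfuscate_function_shellcode - 2;
    err = uc_emu_start(uc, CODE_ADDRESS, stop_address, 0, 0);
    if (err != UC_ERR_OK)
    {
        ERROR_MSG("Emulation failed: %s.", uc_strerror(err));
        goto out;
    }

    /* the decoded bytes are now at the guest buffer RDI pointed to */
    err = uc_mem_read(uc, reg_rdi, clean_string, obfuscated_size);
    if (err != UC_ERR_OK)
    {
        ERROR_MSG("Failed to read deobfuscated string from Unicorn memory: %s.", uc_strerror(err));
        goto out;
    }
    /* obfuscated_size < sizeof clean_string, so this byte was never written; make termination explicit anyway */
    clean_string[sizeof clean_string - 1] = '\0';

    printf("Obfuscated string: ");
    for (size_t i = 0; i < obfuscated_size; i++)
    {
        printf("%02x ", (unsigned char)obfuscated[i]);
    }
    fputs("-> ", stdout);
    print_clean_string(clean_string);
    fputs(" \n", stdout);
    rc = 0;

out:
    uc_close(uc);
    return rc;
}

/*
 * Decode and print every entry of obfuscated_strings.
 *
 * A fresh Unicorn instance is created for each string - we could load all the
 * strings at once and add a stub to call the function, but why bother:
 * computers are fast and this is just peanuts code.
 *
 * Returns 0 when every string was decoded, 1 when the run finished but some
 * strings were skipped (reported on stderr), -1 on the first Unicorn failure.
 */
int
deobfuscate_dewdrop(void)
{
    int rc = 0;

    for (const char *const *n = obfuscated_strings; *n != NULL; n++)
    {
        int one = deobfuscate_one(*n);
        if (one < 0)
        {
            return -1;
        }
        if (one > 0)
        {
            rc = 1;
        }
    }

    return rc;
}

/* banner printed before the results, one OUTPUT_MSG line each */
void
header(void)
{
    static const char *const banner[] = {
        "_______________________",
        "< Equation Group Rules! >",
        "-----------------------",
        " \\ ^__^",
        " \\ (@@)\\_______",
        " (__)\\ )\\/\\",
        " ||----w |",
        " || ||",
    };
    for (size_t i = 0; i < ARRAY_SIZE(banner); i++)
    {
        OUTPUT_MSG("%s", banner[i]);
    }
}

/*
 * Print the banner, credits and usage.
 *
 * name  program name as invoked (argv[0]); a NULL or empty name falls back
 *       to the tool's own name, since argv[0] is not guaranteed to be set.
 */
void
help(const char *name)
{
    const char *prog = (name != NULL && *name != '\0') ? name : "unicorn_string_deobfuscator";
    printf(
        "_______________________\n"
        "< Equation Group Rules! >\n"
        "-----------------------\n"
        " \\ ^__^\n"
        " \\ (@@)\\_______\n"
        " (__)\\ )\\/\\\n"
        " ||----w |\n"
        " || ||\n"
        " (c) fG!, 2017, 2018, All rights reserved.\n"
        " reverser@put.as - https://reverse.put.as\n"
        "---[ Usage: ]---\n"
        "%s [-h] [-v]\n"
        "  -h, --help     print this help and exit\n"
        "  -v, --verbose  accepted for compatibility, currently has no effect\n",
        prog);
}

/*
 * Entry point: parse the command line, print the banner and decode the table.
 * Exit status is EXIT_SUCCESS only when every string was decoded; an unknown
 * option prints the usage and exits EXIT_FAILURE instead of being ignored.
 */
int
main(int argc, const char * argv[])
{
    /* long options; "verbose" takes no argument, matching the "hv" short spec */
    static const struct option long_options[] = {
        { "verbose", no_argument, NULL, 'v' },
        { "help",    no_argument, NULL, 'h' },
        { NULL, 0, NULL, 0 }
    };
    int option_index = 0;
    int c = 0;

    while ((c = getopt_long(argc, (char * const*)argv, "hv", long_options, &option_index)) != -1)
    {
        switch (c)
        {
            case 'h':
                help(argv[0]);
                return EXIT_SUCCESS;
            case 'v':
                /* accepted so existing invocations keep working; nothing is gated on it */
                break;
            default:
                /* getopt_long() has already reported the bad option on stderr */
                help(argv[0]);
                return EXIT_FAILURE;
        }
    }

    header();
    return deobfuscate_dewdrop() == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}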