- #!/usr/bin/python
- #-*- coding: utf-8 -*-
- # DaRK DDoSer >= 5.1 (and maybe under :>) config extractor, written in Python 2
- # Made by a T4pZ for T4pZ, released under BeerWare licence.
- # by aaSSfxxx :þ - thx j0rn for his magic oneliner of xorstr :þ
# This extractor uses the python pefile library, now maintained at
# https://github.com/erocarrera/pefile (also on PyPI as "pefile", or in your
# distribution's repository). The sample is hostile input: this script only
# parses it, but run it in an isolated analysis environment anyway.
- import pefile
- import sys
- # ============ Crypto routines ===============
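def xorstr(s):
    """Undo the constant 0xbc XOR DaRK DDoSer applies to its strings.

    Args:
        s: a str (each element a one-character string) or, on Python 3, a
           bytes object (each element an int).

    Returns:
        A str of the same length with every byte XORed with 0xbc. The
        transform is its own inverse, so ``xorstr(xorstr(x)) == x``.
    """
    # Accept both str and bytes so the same code runs under Python 2 and 3;
    # the original ``'%c' % chr(...)`` wrapper was a no-op and is dropped.
    return ''.join(chr((b if isinstance(b, int) else ord(b)) ^ 0xbc) for b in s)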
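def crypto(key, data):
    """Decrypt one DaRK DDoSer config field and return it as a str.

    The bot's scheme is a keyed running XOR followed by a constant XOR: for
    every byte of ``data`` each byte of ``key`` is folded into an accumulator
    as ``acc = (acc + k) ^ 9``; bits 3..10 of the accumulator
    (``(acc >> 3) & 0xff``) are the key byte for that position; finally every
    output byte is XORed with 0xbc (the same transform ``xorstr`` applies,
    inlined here). The accumulator is never reset between bytes, so the key
    stream depends on the byte's position as well as on ``key``.

    Args:
        key: the bot's string key (a str, or bytes on Python 3).
        data: the encrypted field (a str, or bytes on Python 3).

    Returns:
        The decrypted field as a str of the same length as ``data``. An empty
        ``key`` degenerates to a plain 0xbc XOR of ``data``.
    """
    # Normalise once instead of calling ord() for every (byte, key) pair.
    key_bytes = [k if isinstance(k, int) else ord(k) for k in key]
    acc = 0
    out = []
    for c in data:
        for k in key_bytes:
            acc = (acc + k) ^ 9
        # acc is left unbounded on purpose: only bits 3..10 are ever read, and
        # the low bits of a sum depend only on the low bits of its operands,
        # so a 32-bit wrap in the bot's native code would not change them.
        key_byte = (acc >> 3) & 0xff
        byte = c if isinstance(c, int) else ord(c)
        out.append(chr(byte ^ key_byte ^ 0xbc))
    return ''.join(out)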
# =========== Resource extraction ============
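KEY = "darkddoser"


def main(argv=None):
    """Extract and print the DaRK DDoSer configuration embedded in a PE file.

    The bot stores its config as an RT_RCDATA resource named "BUBZ": ten
    fields joined by the literal separator "[{#}]", each encrypted with
    ``crypto`` under the key "darkddoser" (the mutex, field 4, only gets the
    0xbc XOR of ``xorstr``).

    The sample is hostile input. This function only parses it with pefile and
    never executes it, but the parser itself walks attacker-controlled
    structures, so run the extractor in an isolated analysis environment.

    Args:
        argv: command line (defaults to ``sys.argv``); ``argv[1]`` is the
              path of the sample.

    Returns:
        0 when at least one "BUBZ" resource was found and decoded, 1 on a
        usage error, an unparsable PE, or when no such resource exists.
    """
    if argv is None:
        argv = sys.argv
    if len(argv) != 2:
        sys.stderr.write("usage: %s <sample.exe>\n" % argv[0])
        return 1

    try:
        pe = pefile.PE(argv[1])
    except pefile.PEFormatError as err:
        sys.stderr.write("[-] not a valid PE file: %s\n" % err)
        return 1

    # Packed or truncated samples may carry no resource directory at all;
    # the original attribute access would raise AttributeError here.
    if not hasattr(pe, "DIRECTORY_ENTRY_RESOURCE"):
        sys.stderr.write("[-] no resource directory in this PE\n")
        return 1

    rcdata_type = pefile.RESOURCE_TYPE["RT_RCDATA"]
    rcdata_dirs = [e for e in pe.DIRECTORY_ENTRY_RESOURCE.entries if e.id == rcdata_type]
    if not rcdata_dirs:
        sys.stderr.write("[-] no RT_RCDATA resources in this PE\n")
        return 1

    def decrypt(token):
        return crypto(KEY, token)

    # (label, decoder) per config field, in the order the bot stores them.
    fields = [
        ("Hostname: ", decrypt),
        ("Port: ", decrypt),
        ("Bot name: ", decrypt),
        ("Connect interval to the server: ", decrypt),
        ("Mutex: ", xorstr),  # the mutex is only XOR-obfuscated, not keyed
        ("Registry persistance: ", decrypt),
        ("Startup key (if enabled): ", decrypt),
        ("Startup value: ", decrypt),
        ("Version: ", decrypt),
        ("Use persistance: ", decrypt),
    ]

    found = False
    for rcdata in rcdata_dirs:
        for entry in rcdata.directory.entries:
            if str(entry.name) != "BUBZ":
                continue
            print("[+] DaRK DDoSer resources found")
            found = True
            leaf = entry.directory.entries[0].data.struct
            # OffsetToData/Size come from the sample; Python slicing is
            # bounds-safe, so a lying header yields a short blob, not a crash.
            image = pe.get_memory_mapped_image()
            data = image[leaf.OffsetToData:leaf.OffsetToData + leaf.Size]
            # bytes literal so the split works on both Python 2 (str) and 3.
            tokens = data.split(b"[{#}]")
            if len(tokens) < len(fields):
                sys.stderr.write("[!] expected %d config fields, got %d; "
                                 "printing what is there\n" % (len(fields), len(tokens)))
            # zip() stops at the shorter list, so a truncated config no longer
            # raises IndexError and extra trailing tokens are ignored.
            for (label, decode), token in zip(fields, tokens):
                print(label + decode(token))

    if not found:
        sys.stderr.write("[-] no \"BUBZ\" resource found; not DaRK DDoSer >= 5.1?\n")
    return 0 if found else 1


if __name__ == "__main__":
    sys.exit(main())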