#!/usr/bin/python
import binascii
import sys
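# Length in bytes of the per-sample RC4 key that sits between the end of
# the encrypted payload and the closing marker (see unpack_file).
rc4keysize = 0x14

# Marker table, one row per known packer variant:
#   mk[i][0] - 4-byte marker that delimits the embedded blob on both sides
#   mk[i][1] - key used to unwrap the trailing per-sample RC4 key
# The row is chosen by whichever marker closes the blob.  binascii.unhexlify
# replaces str.decode('hex') so the table builds on Python 2 and 3 alike.
mk = [
    [binascii.unhexlify(b"4A6522D5"), binascii.unhexlify(b"6B7719733F")],
    [binascii.unhexlify(b"14D61BCE"), binascii.unhexlify(b"1B3527AE8D")],
]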
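def rc4crypt(data, key):
    """Encrypt or decrypt *data* with the packer's modified RC4.

    The key schedule (KSA) is textbook RC4.  The output stage (PRGA) is
    not: ``y`` starts at the final value of ``x`` from the key schedule
    instead of 0, so the keystream differs from standard RC4 and an
    off-the-shelf RC4 routine will not reproduce it.  Because the stream
    is XORed in, applying the function twice with the same key returns
    the original input.

    Args:
        data: bytes-like input (``str`` on Python 2; ``bytes``/``bytearray``
            on either version).
        key: non-empty bytes-like key.

    Returns:
        ``bytes`` (``str`` on Python 2) of the same length as *data*.

    Raises:
        ValueError: if *key* is empty.
    """
    if not key:
        raise ValueError("rc4crypt: key must not be empty")
    # bytearray yields ints on both Python 2 and 3, which removes the
    # ord()/chr() round trips and lets bytes, bytearray and str all work.
    key = bytearray(key)
    keylen = len(key)
    box = list(range(256))
    x = 0
    for i in range(256):
        x = (x + box[i] + key[i % keylen]) % 256
        box[i], box[x] = box[x], box[i]
    # Packer quirk: standard RC4 sets y = 0 here; this variant carries over
    # the last x of the key schedule.
    y = x
    x = 0
    out = bytearray()
    for byte in bytearray(data):
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(byte ^ box[(box[x] + box[y]) % 256])
    return bytes(out)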
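def _locate_blob(fdata):
    """Find the marker-delimited blob inside *fdata*.

    Looks for the first occurrence of any marker in ``mk`` (the blob start)
    and then for the next occurrence of any marker after it (the blob end).
    Markers of different rows may open and close the blob; the closing
    marker decides which row's key unwraps the RC4 key.  This mirrors the
    original byte-by-byte scan, only without reading past the end of
    *fdata* on a partial match near the last bytes.

    Returns:
        ``(offset_begin, offset_end, mki)`` where *offset_begin* is the
        first byte after the opening marker, *offset_end* the offset of
        the closing marker and *mki* the row index of ``mk`` that closed
        the blob, or ``None`` if either marker is missing.
    """
    def first_hit(start):
        hits = [(fdata.find(row[0], start), i) for i, row in enumerate(mk)]
        hits = [h for h in hits if h[0] != -1]
        return min(hits) if hits else None

    begin = first_hit(0)
    if begin is None:
        return None
    offset_begin = begin[0] + len(mk[begin[1]][0])
    end = first_hit(offset_begin)
    if end is None:
        return None
    return offset_begin, end[0], end[1]


def unpack_file(filein, fileout):
    """Extract and decrypt the packed payload of *filein* into *fileout*.

    Expected layout inside the 'MZ' file:
    ``<marker> <encrypted payload> <rc4keysize-byte wrapped key> <marker>``.
    The wrapped key is decrypted with ``mk[mki][1]`` and the result is the
    RC4 key for the payload.  Progress and failures are reported on stdout;
    the function returns None either way.  The decrypted bytes are written
    verbatim: nothing on this page states the payload's format, so no
    validation of the output is attempted here.

    Args:
        filein: path of the packed file.
        fileout: path the decrypted payload is written to (overwritten).
    """
    with open(filein, 'rb') as fh:
        fdata = fh.read()
    if fdata[:2] != b'MZ':
        print('[!] Invalid PE file')
        return
    located = _locate_blob(fdata)
    if located is None:
        print('[!] Failed to locate a data marker')
        return
    offset_begin, offset_end, mki = located
    size = (offset_end - offset_begin) - rc4keysize
    if size < 0:
        # The region between the markers cannot even hold the wrapped key;
        # slicing on would silently yield an empty payload and a short key.
        print('[!] Data region too small to hold the RC4 key')
        return
    encdata = fdata[offset_begin:offset_begin + size]
    # offset_begin + size + rc4keysize == offset_end by construction.
    keydata = fdata[offset_begin + size:offset_end]
    rc4key = rc4crypt(keydata, mk[mki][1])
    decdata = rc4crypt(encdata, rc4key)
    with open(fileout, 'wb') as fh:
        fh.write(decdata)
    print('[+] Size: %s' % hex(size))
    print('[+] DataBegin: %s' % hex(offset_begin))
    print('[+] DataEnd: %s' % hex(offset_end))
    print('[+] RC4 Key: %s' % binascii.hexlify(rc4key).decode('ascii'))
    print('[+] File successfully unpacked and saved')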
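if __name__ == '__main__':
    # Entry point: exactly two positional arguments, input and output path.
    if len(sys.argv) != 3:
        # The usage string had a bare '%s' with nothing bound to it; bind
        # the script name so the message reads as intended.
        print('Usage: %s <infile> <outfile>' % sys.argv[0])
        sys.exit(1)
    unpack_file(sys.argv[1], sys.argv[2])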