
Jimmy RC4 extraction

import binascii
import os
import re
import struct
import sys

import pefile
  5.  
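def _first_match(patterns, data):
    """Return the first successful ``search`` of *patterns* against *data*.

    Patterns are tried in list order; ``None`` is returned when none of
    them matches.
    """
    for pattern in patterns:
        hit = pattern.search(data)
        if hit:
            return hit
    return None


def main():
    """Recover the XOR-obfuscated RC4 key embedded in a Jimmy sample.

    Usage: ``<script> <pe_file>``

    Two byte signatures taken from the sample's disassembly locate the key:

    * the ``push <len>; push <addr>; call copyString`` prologue that copies
      the encrypted key, yielding its length (imm8) and virtual address
      (imm32);
    * the ``xor eax, imm8`` inside the decode loop, yielding the one-byte
      XOR key.

    The encrypted bytes are read out of the PE image with ``pefile`` and
    printed next to the decoded key. Exits with status 1 when no file is
    given; returns without output on stdout when a signature is not found
    (a different build of the sample, most likely).
    """
    if len(sys.argv) < 2:
        sys.stderr.write("usage: %s <pe_file>\n" % os.path.basename(sys.argv[0]))
        sys.exit(1)

    # `with` so the handle is closed even if parsing below raises.
    with open(sys.argv[1], "rb") as fh:
        data = fh.read()

    enc_key_patterns = [
        # .text:100059C1 000 55 push ebp
        # .text:100059C2 004 8B EC mov ebp, esp
        # .text:100059C4 004 83 EC 2C sub esp, 2Ch
        # .text:100059C7 030 C6 45 F7 00 mov [ebp+var_9], 0
        # .text:100059CB 030 6A 20 push 20h
        # .text:100059CD 034 68 58 4B 01 10 push offset unk_10014B58
        # .text:100059D2 038 E8 4D 37 00 00 call copyString
        # .text:100059D7 038 59 pop ecx
        # .text:100059D8 034 59 pop ecx
        #
        # Only opcode bytes are pinned; operands are wildcarded. DOTALL is
        # required so that `.` also matches 0x0A, which may appear in code.
        re.compile(
            b"\x55"         # push ebp
            b"\x8B."        # mov ebp, esp
            b"\x83.."       # sub esp, imm8
            b"\xC6..."      # mov [ebp+disp8], imm8
            b"\x6A(.)"      # push imm8          -> group(1): key length
            b"\x68(....)"   # push imm32         -> group(2): key VA (LE)
            b"\xE8...."     # call rel32
            b"\x59"         # pop ecx
            b"\x59",        # pop ecx
            re.DOTALL,
        ),
    ]

    enc_key_info = _first_match(enc_key_patterns, data)
    if not enc_key_info:
        sys.stderr.write("encrypted-key signature not found\n")
        return

    key_len = ord(enc_key_info.group(1))
    rc4_key_address = struct.unpack("<I", enc_key_info.group(2))[0]

    pe = pefile.PE(data=data)
    # The push operand is a virtual address; pefile addresses by RVA.
    # A signature hit in unrelated code gives a bogus address and makes
    # pefile raise here; the traceback is left to the analyst.
    enc_string = pe.get_data(rc4_key_address - pe.OPTIONAL_HEADER.ImageBase, key_len)

    xor_keys_patterns = [
        # .text:100059E9 030 83 7D E8 20 cmp [ebp+var_18], 20h
        # .text:100059ED 030 73 16 jnb short loc_10005A05
        # .text:100059EF 030 8B 45 EC mov eax, [ebp+var_14]
        # .text:100059F2 030 03 45 E8 add eax, [ebp+var_18]
        # .text:100059F5 030 0F BE 00 movsx eax, byte ptr [eax]
        # .text:100059F8 030 83 F0 0D xor eax, 0Dh
        re.compile(
            b"\x83..."      # cmp [ebp+disp8], imm8
            b"\x73."        # jnb rel8
            b"\x8B.."       # mov eax, [ebp+disp8]
            b"\x03.."       # add eax, [ebp+disp8]
            b"\x0F.."       # movsx eax, byte ptr [eax]
            b"\x83.(.)",    # xor eax, imm8      -> group(1): XOR key
            re.DOTALL,
        ),
    ]

    # Unlike the original, a miss here is handled instead of raising
    # AttributeError on None.
    xkey_info = _first_match(xor_keys_patterns, data)
    if not xkey_info:
        sys.stderr.write("xor-key signature not found\n")
        return

    xkey = ord(xkey_info.group(1))

    # bytearray yields ints under both Python 2 and 3.
    decrypted = "".join(chr(b ^ xkey) for b in bytearray(enc_string))

    print("XOR key : %s" % hex(xkey))
    print("Encrypted RC4 key : %s" % binascii.hexlify(enc_string).decode("ascii"))
    print("Decrypted RC4 key : %s" % decrypted)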
  79.  
# Script entry point: `python <script> <pe_file>`; all work happens in main().
if __name__ == '__main__':
    main()