elvanderb

PHDays Quals 2014: myfavmalware

Jan 27th, 2014
  1. # compute the RC4 key used to decrypt the last DLL. It simulates the discussion between the different IPs.
from binascii import unhexlify
from hashlib import md5
from struct import pack
  4. # from https://github.com/bozhu/RC4-Python/blob/master/rc4.py
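def KSA(key):
    """Key-scheduling algorithm of RC4: build the initial 256-entry permutation.

    Args:
        key: non-empty sequence of key bytes given as ints (the caller builds
            it with ord(); on Python 3 a bytes object also works, since
            indexing bytes yields ints).

    Returns:
        A list of 256 ints that is a permutation of range(256), ready to be
        handed to PRGA().

    Raises:
        ValueError: if key is empty (the unguarded modulo below would
            otherwise raise ZeroDivisionError).
    """
    keylength = len(key)
    if keylength == 0:
        raise ValueError("RC4 key must not be empty")

    # list(...) so the in-place swaps also work on Python 3, where range() is
    # a lazy object; on Python 2 range() already returns a list, so behaviour
    # is unchanged.
    S = list(range(256))

    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % keylength]) % 256
        S[i], S[j] = S[j], S[i]  # swap

    return S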
  16.  
  17.  
def PRGA(S):
    """Pseudo-random generation algorithm of RC4.

    Infinite generator yielding keystream values (ints 0..255) from the
    permutation returned by KSA(). S is permuted in place while the
    generator runs, so it must not be reused for a second stream.
    """
    a = b = 0
    while True:
        a = (a + 1) % 256
        b = (b + S[a]) % 256
        S[a], S[b] = S[b], S[a]  # swap
        yield S[(S[a] + S[b]) % 256]
  28.  
  29.  
def RC4(key):
    """Return an RC4 keystream generator for *key*: KSA() followed by PRGA()."""
    return PRGA(KSA(key))
  33. #end
  34.  
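# Addresses of the seven hosts, as little-endian dwords.
IPs = [0x0A003C71, 0x0A006983, 0x0A005877, 0x0A00494C, 0x0A001D2B, 0x0A005029, 0x0A000650]
# Each host is referred to by the MD5 of its packed address (same order as IPs).
MD5IPs = [md5(pack("<I", ip)).digest() for ip in IPs]

# Seven 16-byte per-host secrets, one per IP, in the same order as IPs.
_SECRETS_HEX = "850fcd3857dadb7266bfe468aedde5aa837601e6b76ee5bf9ee81768f34eaa470bd97985bac43103cd75159ec7ae9b309fd3561b7a7468d53fd5a1490c75cf9a45bf3ccfdded23ca9b350ef5e8ae14788d44b1cf4cfa89ca8f8e9ef9c81c9a90e91fec446961c58e1e79dad61b4c4c26"
# unhexlify() returns the same str as .decode("hex") on Python 2 and, unlike the
# "hex" codec, also exists on Python 3.
# NOTE: the name shadows the stdlib `secrets` module (3.6+); kept because hop() uses it.
secrets = [unhexlify(_SECRETS_HEX)[i * 0x10:(i + 1) * 0x10] for i in range(7)]


def xor(a, b):
    """XOR two byte strings; the result is as long as the shorter one (zip truncates)."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


# Leading bytes of the encrypted payload; hop() checks that decrypting them
# yields the "MZ" header and then reads the dword at offset 0x3c.
enc = unhexlify("00 12 FF AA 7F 95 BE F9 5D 49 B9 93 34 83 A6 E1 1B 54 B5 7B 77 55 8B 64 FF 0E DA C7 41 A5 27 6D 81 CD 6E 43 E1 A8 3F 08 CD 8F 6F 82 A8 59 0C 23 3A 8A 97 66 5E 69 68 1F 76 A5 42 5E EE BB C8 78 85 E2 C0 14 91 45 0F B8 DB 82 40 FB D3 D2 0E A5 45 E8 CA 4F 17 35 11 FB 89 68 EC D7 13 1C B6 80 FC EA AC 58 60 E3 08 08".replace(" ", ""))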
  41.  
def hop(ip, msg):
    """Follow one candidate route through the seven hosts and test the resulting key.

    Starting at host index *ip*, every hop increments the first byte of *msg*
    (a hop counter), appends the host's MD5IPs digest and replaces everything
    after the first 4 bytes with the MD5 of that buffer; the route then moves
    on to host (ip + 3) % 7.  Once the counter reaches 0x07 the current
    host's secret XORed with the digest is tried as an RC4 key: if the first
    two decrypted bytes of enc are "MZ", the key is printed in hex followed
    by the 4 bytes at offset 0x3c of the decrypted 0x40-byte header.

    Python 2 str-based code (chr/ord on 1-character strings, "hex" codec).
    """
    node = ip
    while True:
        bumped = chr(ord(msg[0]) + 1) + msg[1:] + MD5IPs[node]
        msg = bumped[:4] + md5(bumped).digest()
        if msg[0] == '\x07':
            break
        node = (node + 3) % 7

    key = [ord(c) for c in xor(secrets[node], msg[4:])]
    probe = "".join(chr(byte) for byte, _ in zip(RC4(key), xrange(2)))
    if xor(enc, probe) == "MZ":
        print("".join("%02X" % byte for byte in key))
        header = "".join(chr(byte) for byte, _ in zip(RC4(key), xrange(0x40)))
        print(xor(enc, header)[0x3c:].encode("hex"))
  52.  
# Try every start host and every first hop: 7 x 7 candidate routes.
for start_digest in MD5IPs:
    seed = "\x00" * 4 + start_digest
    for first_hop in xrange(7):
        hop(first_hop, seed)