S-ed

Dexter Decode PHP Script

Jan 5th, 2013
  1. <?php
  2. /*
  3. ** deDexterPHP (06.01.2013)
  4. ** by Alexey Mak (S-ed)
  5. ** This is a simple PHP script designed to decode data encoded by the Dexter malware
  6. ** Based on the original Ruby script by Josh Grunzweig
  7. ** https://github.com/SpiderLabs/Malware_Analysis/blob/master/Ruby/Dexter/dexter_decode.rb
  8. **
  9. ** This program is free software: you can redistribute it and/or modify
  10. ** it under the terms of the GNU General Public License as published by
  11. ** the Free Software Foundation, either version 3 of the License, or
  12. ** (at your option) any later version.
  13. **
  14. ** This program is distributed in the hope that it will be useful,
  15. ** but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. ** GNU General Public License for more details.
  18. **
  19. ** You should have received a copy of the GNU General Public License
  20. ** along with this program. If not, see <http://www.gnu.org/licenses/>
  21. **
  22. ** Copyright (C) 2012 Alexey Mak
  23. */
  24.  
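  /**
   * Decode one Dexter-encoded field value.
   *
   * The value is base64-decoded, then every byte is XOR-ed with each byte of
   * $key in turn. XOR is associative, so this equals XOR-ing every byte with
   * a single mask: the XOR of all key bytes. The mask is computed once, which
   * makes the work O(data + key) instead of O(data * key).
   *
   * Note for analysts: whatever the key length, the effective key is one
   * byte, and a key whose bytes cancel out (mask 0) leaves the data as it was
   * after base64 decoding.
   *
   * @param string $text base64 text of the encoded value
   * @param string $key  raw key bytes (see searchKey()); an empty key performs no XOR
   * @return string decoded bytes. They originate from malware traffic, so
   *                escape them before showing them in a terminal or in HTML.
   */
  function xor_decode($text, $key) {
      // Fold the whole key into a single mask byte.
      $mask = 0;
      $key_length = strlen($key);
      for ($j = 0; $j < $key_length; $j++) {
          $mask ^= ord($key[$j]);
      }

      // Non-strict base64_decode() silently skips characters outside the
      // base64 alphabet; the cast keeps the result a string in every case.
      $encoded_data = (string) base64_decode($text);
      if ($mask === 0 || $encoded_data === "") {
          return $encoded_data;
      }

      // PHP's ^ applied to two strings XORs them byte by byte.
      return $encoded_data ^ str_repeat(chr($mask), strlen($encoded_data));
  }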
  41.  
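  /**
   * Find the XOR key carried in a Dexter parameter string.
   *
   * $data is split on "&" into name=value pairs; the value of the first
   * parameter named exactly "val" is base64-decoded and returned as the key.
   * A bare "val" with no "=" carries no key and is skipped, instead of
   * reading a missing array element.
   *
   * @param string $data parameter string of the form name=value&name=value...
   * @return string|false the decoded key bytes, or false when no "val"
   *                      parameter with a value is present
   */
  function searchKey($data){
      foreach (explode("&", $data) as $param) {
          // Limit 2: the base64 value may itself end in "=" padding.
          $param_arr = explode("=", $param, 2);
          if (count($param_arr) < 2 || $param_arr[0] !== "val") {
              continue;
          }
          return base64_decode($param_arr[1]);
      }
      return false;
  }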
  51.  
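  /**
   * Decode every field of a Dexter parameter string except the key itself.
   *
   * $data is split on "&" into name=value pairs. Each value is passed through
   * xor_decode() with $key and emitted as "name=decoded\n"; the "val"
   * parameter (the key) is left out. Empty segments (empty input, a trailing
   * "&") are skipped, and a parameter without "=" is treated as having an
   * empty value rather than reading a missing array element.
   *
   * NOTE(review): no URL-decoding is done here. If $data was copied from a
   * raw HTTP request body the values may still be percent-encoded; confirm
   * how the input was captured.
   *
   * @param string $data parameter string of the form name=value&name=value...
   * @param string $key  raw key bytes, normally the result of searchKey()
   * @return string one "name=value" line per decoded field. Names and values
   *                come from malware traffic and may hold whatever the malware
   *                collected: treat the output as sensitive, and escape it
   *                before showing it in a terminal or in HTML.
   */
  function deDexter($data, $key){
      $decoded_data = "";
      foreach (explode("&", $data) as $param) {
          if ($param === "") {
              continue;
          }
          // Limit 2: the base64 value may itself end in "=" padding.
          $param_arr = explode("=", $param, 2);
          if ($param_arr[0] === "val") {
              continue;
          }
          $value = isset($param_arr[1]) ? $param_arr[1] : "";
          $decoded_data .= $param_arr[0]."=".xor_decode($value, $key)."\n";
      }
      return $decoded_data;
  }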
  62.  
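  // Example: replace the placeholder with a captured parameter string of the
  // form name=value&...&val=<base64 key>.
  $data = "Some Your Encrypted data";

  // The key is looked up once, separately from decoding, so that the same key
  // can be reused across several deDexter() calls.
  $key = searchKey($data);
  if ($key === false || $key === "") {
      // Without a key deDexter() would only base64-decode the fields and
      // return bytes that look like output but are still XOR-encoded.
      trigger_error("No usable 'val' key found in input; data left undecoded", E_USER_WARNING);
  } else {
      $data = deDexter($data, $key);
  }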
  68. ?>