daily pastebin goal
22%
SHARE
TWEET

Untitled

a guest Jan 17th, 2019 67 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #include <windows.h>
  2. #include <stdio.h>
  3.  
  4. /**
  5. *  by aaSSfxxx
  6. *  Usage: pwnz-istealer.exe c:\path\to\executable
  7. *  Works with Windows, Linux & MacOS under Wine
  8. **/
  9.  
  10. //Prototypes
  11. void unxor(char* chr);
  12. char* locate_str(char *data);
  13.  
  14. int main(int argc, char** argv)
  15. {
  16.     int exe_ptr = 0;
  17.     char *cfg;
  18.    
  19.     printf("iStealer extractor by aaSSfxxx\r\n");
  20.     printf("This tool is provided to detect and get data from an iStealer spywares.\r\n");
  21.     printf("This program is under BeerWare licence.\r\n");
  22.     //If no executable, exiting.
  23.     if(argc == 1)
  24.     {
  25.         printf(" Executable path needed ! Exiting.\r\n");
  26.         return 0;
  27.     }
  28.    
  29.     //Loads executable in memory
  30.     printf(" [+] Loading executable\r\n");
  31.     exe_ptr = (int)LoadLibrary(argv[1]);
  32.     if(exe_ptr == 0) {
  33.         printf(" [-] Load failed, aborting.\r\n");
  34.         return 0;
  35.     }
  36.    
  37.     //Check if executable is istealer (weak checking)
  38.     printf(" [+] Checking if executable is a iStealer stub... \r\n");
  39.     if(memchr((void*)exe_ptr, 0x454d5201, 0x40000) == NULL) {
  40.         printf (" [-] Not an iStealer program (maybe encrypted?)\r\n");
  41.         return 0;
  42.     }
  43.    
  44.     //Okay, do it!
  45.     //Extracting resources
  46.     int hRes = (int)FindResource((HMODULE)exe_ptr, "#1", RT_RCDATA);
  47.     if (hRes == 0)
  48.     {
  49.         printf(" [-] Unable to extract resource!\r\n");
  50.         return 0;
  51.     }
  52.     cfg = (char*)LoadResource((HMODULE)exe_ptr, (HANDLE)hRes);
  53.     printf(" [+] Encrypted host is %s \r\n",locate_str(cfg));
  54.    
  55.     unxor(locate_str(cfg));
  56.     printf(" [+] Decrypted host is %s \r\n",locate_str(cfg));
  57. }
  58.  
  59. char* locate_str(char *data)
  60. {
  61.     int i;
  62.     for(i=0;i<40;i++)
  63.     {
  64.         if(data[i] != 0 && data[i]!=1)
  65.             return data + i;
  66.     }
  67.     return data;
  68. }
  69.  
  70. void unxor(char* chr)
  71. {
  72.     unsigned long i;
  73.     for (i=0; i<strlen(chr); i++)
  74.         chr[i] ^= (char)((i % 5) + 1);
  75. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top