waliedassar

MagedDecrypter

May 3rd, 2015
# This script decrypts .NET executables encrypted by Maged Encrypter.
# Decoder for some obfuscated njRAT versions.
# Link:
  4. import os,sys,time,hashlib,base64
  5. from Crypto.Cipher import DES3
  6. import base64
  7.  
  8.  
  9.    
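def XXcipherDecode3DESXX(encFile, outFile):
    """Decrypt a Base64-wrapped 3DES-ECB blob and write the raw plaintext.

    The key scheme mirrors what the header comments attribute to Maged
    Encrypter: a fixed passphrase is hashed with MD5 and the 16-byte digest
    is used directly as the 3DES key. MD5 and ECB are kept because they are
    the packer's scheme, which the decoder has to reproduce.

    Args:
        encFile: Path to a file holding the Base64 text of the ciphertext.
        outFile: Path that receives the decrypted bytes.

    Returns:
        0 on success. Errors from file access, Base64 decoding or the cipher
        (e.g. ciphertext that is not a whole number of 8-byte blocks)
        propagate as exceptions.

    Note:
        The plaintext is written exactly as decrypted: block-cipher padding
        is not stripped and the result is not validated in any way. Per the
        header comments the output is a packed njRAT payload, so it belongs
        in an isolated analysis environment.
    """
    # Passphrase embedded in the packer, stored as UTF-16 little-endian code
    # units (ASCII mixed with Arabic letters). Because it is a constant, the
    # derived key is the same for every sample this decoder applies to.
    fKeyText = b"\x35\x00\x35\x00\x36\x00\x20\x00\x4d\x00\x41\x00\x47\x00\x45\x00\x44\x00\x4b\x00\x48\x00\x4f\x00\x41\x00\x47\x06\x2e\x06\x2b\x06\x35\x06\x2a\x06\x42\x06\x2b\x06\x35\x06\x47\x06\x4a\x00\x41\x00\x21\x00\x40\x00\x23\x00\x24\x00\x25\x00\x5e\x00\x33\x06\x4a\x06\x28\x06\x47\x06\x33\x06\x4a\x06\x2a\x06\x35\x06\x2b\x06\x26\x00"

    # The literal carries no BOM, so plain 'utf-16' would fall back to the
    # host's native byte order; naming little-endian keeps the key identical
    # on every platform.
    keyChars = fKeyText.decode('utf-16-le').encode("utf-8")

    # digest() yields the same 16 raw bytes as hexdigest() followed by a hex
    # decode, and works unchanged on Python 2 and 3.
    key_hex = hashlib.md5(keyChars).digest()

    cipher = DES3.new(key_hex, DES3.MODE_ECB)

    # Context managers close the handles even when decoding or decryption
    # raises part-way through.
    with open(encFile, "rb") as fIn:
        contextX_b64 = base64.b64decode(fIn.read())

    decryptedX = cipher.decrypt(contextX_b64)

    with open(outFile, "wb") as fOut:
        fOut.write(decryptedX)
    return 0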
  32.  
  33.  
  34.  
def main():
    """Command-line entry point.

    Expects exactly two arguments, the Base64 input file and the output
    path. Prints a usage line and exits with -1 otherwise; on a valid call
    it exits with the status returned by XXcipherDecode3DESXX.
    """
    # Guard clause: reject anything but <script> <input> <output>.
    if len(sys.argv) != 3:
        print("Usage: Decode_njRat_3Des.py input_with_base64_text.txt outputfile.exe")
        sys.exit(-1)

    encPath, outPath = sys.argv[1], sys.argv[2]
    sys.exit(XXcipherDecode3DESXX(encPath, outPath))


# Run the decoder only when executed as a script, not when imported.
if __name__ == "__main__":
    main()