from __future__ import print_function

import binascii
import os
import re
import struct
import sys

import pefile
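def _first_match(patterns, data):
    """Return the first match of any compiled pattern in *patterns* against *data*.

    Patterns are tried in list order; the first one that matches wins.
    Returns None when none of them matches, so callers must check before
    using the match object.
    """
    for pattern in patterns:
        match = pattern.search(data)
        if match:
            return match
    return None


# Call site that copies the encrypted RC4 key into a working buffer.
# Group 1 is the pushed imm8 key length, group 2 the pushed imm32 virtual
# address of the key bytes (little-endian).
#
#   .text:100059C1 000 55                push ebp
#   .text:100059C2 004 8B EC             mov ebp, esp
#   .text:100059C4 004 83 EC 2C          sub esp, 2Ch
#   .text:100059C7 030 C6 45 F7 00       mov [ebp+var_9], 0
#   .text:100059CB 030 6A 20             push 20h
#   .text:100059CD 034 68 58 4B 01 10    push offset unk_10014B58
#   .text:100059D2 038 E8 4D 37 00 00    call copyString
#   .text:100059D7 038 59                pop ecx
#   .text:100059D8 034 59                pop ecx
ENC_KEY_PATTERNS = [
    re.compile(
        b"\x55"
        b"\x8B."
        b"\x83.."
        b"\xC6..."
        b"\x6A(.)"
        b"\x68(....)"
        b"\xE8...."
        b"\x59"
        b"\x59",
        re.DOTALL,
    ),
]

# Decryption loop that XORs every key byte with a single imm8 constant.
# Group 1 is that constant.
#
#   .text:100059E9 030 83 7D E8 20       cmp [ebp+var_18], 20h
#   .text:100059ED 030 73 16             jnb short loc_10005A05
#   .text:100059EF 030 8B 45 EC          mov eax, [ebp+var_14]
#   .text:100059F2 030 03 45 E8          add eax, [ebp+var_18]
#   .text:100059F5 030 0F BE 00          movsx eax, byte ptr [eax]
#   .text:100059F8 030 83 F0 0D          xor eax, 0Dh
XOR_KEY_PATTERNS = [
    re.compile(
        b"\x83..."
        b"\x73."
        b"\x8B.."
        b"\x03.."
        b"\x0F.."
        b"\x83.(.)",
        re.DOTALL,
    ),
]


def main():
    """Recover the XOR-obfuscated RC4 key from the PE file named on the command line.

    Reads ``sys.argv[1]`` as raw bytes, locates the key-copy call site
    (length + virtual address of the encrypted key), reads those bytes out
    of the image with pefile, locates the single-byte XOR constant in the
    decryption loop and prints the XOR key, the encrypted key (hex) and the
    decrypted key.  Returns None; every failure is reported on stdout and
    ends the run early instead of raising.

    The input is an untrusted binary, so a malformed PE or a key address
    that the image does not back is handled rather than allowed to crash
    the script.
    """
    if len(sys.argv) < 2:
        print("usage: %s <pe-file>" % sys.argv[0])
        return

    # Read the whole sample once; the regexes run over the raw file bytes.
    with open(sys.argv[1], "rb") as fh:
        data = fh.read()

    enc_key_info = _first_match(ENC_KEY_PATTERNS, data)
    if not enc_key_info:
        print("Encrypted RC4 key pattern not found")
        return
    key_len = ord(enc_key_info.group(1))
    rc4_key_address = struct.unpack("<I", enc_key_info.group(2))[0]

    # Unlike the original, a missing XOR pattern is reported, not an
    # AttributeError on a None match.
    xkey_info = _first_match(XOR_KEY_PATTERNS, data)
    if not xkey_info:
        print("XOR key pattern not found")
        return
    xkey = ord(xkey_info.group(1))

    try:
        pe = pefile.PE(data=data)
        image_base = pe.OPTIONAL_HEADER.ImageBase
        # The pushed operand is a virtual address; pefile wants an RVA.
        # A match on unrelated bytes can yield an address below ImageBase,
        # which would otherwise turn into a negative RVA.
        if rc4_key_address < image_base:
            print("RC4 key address 0x%x is below ImageBase 0x%x"
                  % (rc4_key_address, image_base))
            return
        enc_string = pe.get_data(rc4_key_address - image_base, key_len)
    except pefile.PEFormatError as exc:
        # Malformed headers are reported this way; an RVA no section backs
        # appears to be reported the same way by get_data -- confirm against
        # the installed pefile version.
        print("PE parsing failed:", exc)
        return

    # bytearray keeps the XOR loop identical on Python 2 and 3.
    decrypted = bytes(bytearray(b ^ xkey for b in bytearray(enc_string)))
    print("XOR key :", hex(xkey))
    print("Encrypted RC4 key :", binascii.hexlify(enc_string).decode("ascii"))
    print("Decrypted RC4 key :", decrypted)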
if __name__ == "__main__":
    # Script entry point; main() takes the sample path from sys.argv.
    main()