#include <windows.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/**
 * by aaSSfxxx
 * Usage: pwnz-istealer.exe c:\path\to\executable
 * Works with Windows, Linux & MacOS under Wine
 */
- //Prototypes
- void unxor(char* chr);
- char* locate_str(char *data);
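/* Upper bound on the number of leading file bytes scanned for the marker;
 * 0x40000 is the range the original signature check covered. */
enum { SIG_SCAN_LIMIT = 0x40000 };

/* locate_str() unconditionally reads this many bytes from its argument, so
 * any buffer handed to it must be at least this large. */
enum { LOCATE_SCAN_LEN = 40 };

/* Marker that identifies an iStealer stub, compared as a 4-byte value in host
 * (little-endian) byte order. NOTE(review): the original passed this constant
 * to memchr(), which compares only its low byte (0x01), so the intended byte
 * order of the full marker cannot be confirmed from this file. */
static const uint32_t STUB_SIGNATURE = 0x454d5201u;

/* Looks for STUB_SIGNATURE in the first SIG_SCAN_LIMIT bytes of the file at
 * `path`. The file is read from disk with plain stdio, so no code from the
 * sample runs during the check. Returns 1 when the marker is found, 0
 * otherwise (including when the file cannot be opened or read). */
static int has_stub_signature(const char *path)
{
    int found = 0;
    FILE *f = fopen(path, "rb");
    if (f == NULL) {
        return 0;
    }
    unsigned char *buf = malloc(SIG_SCAN_LIMIT);
    if (buf == NULL) {
        fclose(f);
        return 0;
    }
    size_t got = fread(buf, 1, SIG_SCAN_LIMIT, f);
    fclose(f);
    for (size_t i = 0; i + sizeof STUB_SIGNATURE <= got; i++) {
        uint32_t v;
        memcpy(&v, buf + i, sizeof v); /* unaligned-safe 4-byte read */
        if (v == STUB_SIGNATURE) {
            found = 1;
            break;
        }
    }
    free(buf);
    return found;
}

/* Entry point: argv[1] is the path of a suspected iStealer stub.
 * Checks the file for the stub marker, maps it as a data file, pulls RCDATA
 * resource #1 and prints the host string before and after unxor().
 * Returns EXIT_SUCCESS when the host was printed, EXIT_FAILURE on any error
 * (missing argument, unreadable file, no marker, no resource, no memory). */
int main(int argc, char** argv)
{
    int rc = EXIT_FAILURE;
    HMODULE mod = NULL;
    char *cfg = NULL;

    printf("iStealer extractor by aaSSfxxx\r\n");
    printf("This tool is provided to detect and get data from an iStealer spywares.\r\n");
    printf("This program is under BeerWare licence.\r\n");

    /* No executable path given: nothing to do. */
    if (argc < 2) {
        printf(" Executable path needed ! Exiting.\r\n");
        return EXIT_FAILURE;
    }

    /* Weak check, done on the raw file before anything is mapped. */
    printf(" [+] Checking if executable is a iStealer stub... \r\n");
    if (!has_stub_signature(argv[1])) {
        printf (" [-] Not an iStealer program (maybe encrypted?)\r\n");
        return EXIT_FAILURE;
    }

    /* LOAD_LIBRARY_AS_DATAFILE maps the file as data only: its entry point is
     * not executed, which matters because the input is a malware sample. The
     * returned handle is still accepted by FindResource()/LoadResource(). */
    printf(" [+] Loading executable\r\n");
    mod = LoadLibraryEx(argv[1], NULL, LOAD_LIBRARY_AS_DATAFILE);
    if (mod == NULL) {
        printf(" [-] Load failed, aborting.\r\n");
        return EXIT_FAILURE;
    }

    /* The configuration lives in RCDATA resource #1. */
    HRSRC hRes = FindResource(mod, "#1", RT_RCDATA);
    if (hRes == NULL) {
        printf(" [-] Unable to extract resource!\r\n");
        goto out_free_lib;
    }
    DWORD size = SizeofResource(mod, hRes);
    HGLOBAL hData = LoadResource(mod, hRes);
    const void *res = (hData != NULL) ? LockResource(hData) : NULL;
    if (res == NULL || size == 0) {
        printf(" [-] Unable to extract resource!\r\n");
        goto out_free_lib;
    }

    /* Copy the resource into a zeroed, NUL-terminated buffer that is at least
     * LOCATE_SCAN_LEN bytes long, so neither locate_str()'s fixed scan nor
     * unxor()'s strlen() can run past the resource data. */
    size_t cap = ((size_t)size > LOCATE_SCAN_LEN) ? (size_t)size + 1
                                                  : LOCATE_SCAN_LEN + 1;
    cfg = calloc(cap, 1);
    if (cfg == NULL) {
        printf(" [-] Out of memory!\r\n");
        goto out_free_lib;
    }
    memcpy(cfg, res, (size_t)size);

    printf(" [+] Encrypted host is %s \r\n", locate_str(cfg));
    unxor(locate_str(cfg));
    printf(" [+] Decrypted host is %s \r\n", locate_str(cfg));
    rc = EXIT_SUCCESS;

    free(cfg);
out_free_lib:
    FreeLibrary(mod);
    return rc;
}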
/* Returns a pointer to the first byte among the leading 40 bytes of `data`
 * that is neither 0 nor 1 (the padding bytes seen in the resource); when
 * every one of those bytes is 0 or 1, returns `data` itself.
 * Reads exactly up to 40 bytes, so `data` must have at least that many. */
char* locate_str(char *data)
{
    enum { SCAN_LEN = 40 };
    char *cur = data;
    const char *end = data + SCAN_LEN;
    while (cur != end) {
        if (*cur != 0 && *cur != 1) {
            return cur;
        }
        cur++;
    }
    return data;
}
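/* Decodes an iStealer configuration string in place.
 * Byte i is XORed with the repeating key (i % 5) + 1, i.e. 1,2,3,4,5,1,...
 * XOR is its own inverse, so calling unxor() twice restores the input.
 * `chr` must be NUL-terminated. The length is taken once before the loop:
 * this avoids re-scanning the string on every iteration, and a byte that
 * decodes to NUL (only possible when the input byte equals its key) no
 * longer cuts the loop short. */
void unxor(char* chr)
{
    size_t len = strlen(chr);
    for (size_t i = 0; i < len; i++) {
        chr[i] ^= (char)((i % 5) + 1);
    }
}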