  1. #!/usr/bin/python
  2. import sys
  3.  
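# Number of bytes (0x14 = 20) holding the encrypted per-file RC4 key; these
# bytes are the tail of the region found between two data markers.
rc4keysize = 0x14

# Table of [4-byte data marker, 5-byte master key] pairs. The marker delimits
# the packed region inside the PE file and the master key decrypts the stored
# per-file RC4 key. Written as byte literals because the str 'hex' codec that
# the original used exists only on Python 2.
# NOTE(review): presumably one entry per packer variant -- confirm against samples.
mk = [
    [b"\x4a\x65\x22\xd5", b"\x6b\x77\x19\x73\x3f"],  # 4A6522D5 / 6B7719733F
    [b"\x14\xd6\x1b\xce", b"\x1b\x35\x27\xae\x8d"],  # 14D61BCE / 1B3527AE8D
]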
  6.  
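def rc4crypt(data, key):
    """Encrypt or decrypt *data* with the modified RC4 used by this unpacker.

    The key schedule is standard RC4. The keystream generator differs in one
    place: its second index starts from the value the key schedule ended on,
    whereas standard RC4 resets both indices to 0. Output from a stock RC4
    implementation will therefore not match.

    The operation is an XOR with the keystream, so applying it twice with the
    same key returns the original data.

    Args:
        data: byte string to transform (``str`` on Python 2, ``bytes`` on 3).
        key: non-empty byte string used to seed the state table.

    Returns:
        A byte string of the same length as *data*.

    Raises:
        ValueError: if *key* is empty (the original failed with a
            ZeroDivisionError from the modulo by the key length).
    """
    key_bytes = bytearray(key)
    if not key_bytes:
        raise ValueError('rc4crypt: key must not be empty')
    key_len = len(key_bytes)

    # Key scheduling: permute the 256-entry state table under the key.
    # list(range(...)) keeps the table mutable on Python 3 as well.
    sbox = list(range(256))
    j = 0
    for i in range(256):
        j = (j + sbox[i] + key_bytes[i % key_len]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]

    # Deviation from standard RC4: j keeps its final key-schedule value
    # instead of being reset to 0; only i restarts.
    i = 0
    out = bytearray()
    for byte in bytearray(data):
        i = (i + 1) % 256
        j = (j + sbox[i]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
        out.append(byte ^ sbox[(sbox[i] + sbox[j]) % 256])
    return bytes(out)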
  24.  
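def unpack_file(filein, fileout):
    """Extract and decrypt the blob embedded between two data markers in a PE.

    Layout of the marked region, as read by this function::

        [4-byte marker][encrypted data][rc4keysize bytes of encrypted key][4-byte marker]

    The trailing ``rc4keysize`` bytes are decrypted with the master key paired
    with the closing marker in ``mk``, which yields the per-file RC4 key. That
    key then decrypts the data. The result is written to *fileout* unchanged;
    it is never parsed or executed here.

    Args:
        filein: path of the packed file; must start with the ``MZ`` magic.
        fileout: path the decrypted blob is written to (overwritten if present).

    Returns:
        None. Progress and failures are reported on stdout.
    """
    with open(filein, 'rb') as src:
        fdata = src.read()

    if fdata[:2] != b'MZ':
        print('[!] Invalid PE file')
        return

    def next_marker(start):
        """Return (position, mk index) of the earliest marker at or after start."""
        found_at, found_idx = -1, None
        for idx, pair in enumerate(mk):
            # find() compares whole 4-byte markers and cannot index past the
            # end of the buffer, which the original byte-by-byte scan could do.
            pos = fdata.find(pair[0], start)
            if pos != -1 and (found_at == -1 or pos < found_at):
                found_at, found_idx = pos, idx
        return found_at, found_idx

    offset_begin = 0
    offset_end = 0
    mki = None
    open_pos, _ = next_marker(0)
    if open_pos != -1:
        offset_begin = open_pos + 4
        # Resume one byte after the opening marker, as the original scan did.
        # NOTE(review): the opening and closing markers need not be the same
        # kind; the closing one selects the master key -- confirm on samples.
        close_pos, close_idx = next_marker(open_pos + 1)
        if close_pos != -1:
            offset_end = close_pos
            mki = close_idx

    if mki is None:
        print('[!] Failed to locate a data marker')
        return

    size = (offset_end - offset_begin) - rc4keysize
    if size < 0:
        # A negative size would turn the slices below into from-the-end
        # slices and silently produce garbage output.
        print('[!] Marked region is too small to hold the RC4 key')
        return

    encdata = fdata[offset_begin:offset_begin + size]
    keydata = fdata[offset_begin + size:offset_begin + size + rc4keysize]
    rc4key = rc4crypt(keydata, mk[mki][1])
    decdata = rc4crypt(encdata, rc4key)

    with open(fileout, 'wb') as dst:
        dst.write(decdata)

    # Same lowercase hex rendering as str.encode('hex'), without the
    # Python 2-only codec.
    rc4key_hex = ''.join('%02x' % b for b in bytearray(rc4key))
    print('[+] Size: %s' % (hex(size)))
    print('[+] DataBegin: %s' % (hex(offset_begin)))
    print('[+] DataEnd: %s' % (hex(offset_end)))
    print('[+] RC4 Key: %s' % (rc4key_hex))
    print('[+] File successfully unpacked and saved')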
  62.  
  63.        
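if __name__ == '__main__':
    # Expect exactly two arguments: the packed PE and the output path.
    if len(sys.argv) != 3:
        # The original printed the literal '%s'; fill in the script name and
        # exit non-zero so callers can tell a usage error from success.
        print('Usage: %s <infile> <outfile>' % sys.argv[0])
        sys.exit(1)
    unpack_file(sys.argv[1], sys.argv[2])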