Exemplo n.º 1
0
def formbook_patch_encrypted_bytecode():
    text_segm = ida_segment.get_segm_by_name('.text')
    if not text_segm:
        return idaapi.BADADDR

    seg_start = text_segm.startEA
    seg_end = text_segm.endEA
    fb_decrypt = FormBookDecryption()
    rc4_key = "faddefad156c45629c95d5f429363b0653ad5c1d".decode('hex')  # same as rc4_final from formbook_decrypt_hashes_and_strings()

    for i in [(0x40, 0x48), (0x41, 0x49), (0x42, 0x4a), (0x43, 0x4b), (0x44, 0x4c)]:
        egg_pattern = ''.join('{:02x} '.format(x) for x in [i[0], 0x90, 0x90, 0x90, i[1]])
        encrypted_start = idaapi.find_binary(seg_start, seg_end, egg_pattern, 16, idaapi.SEARCH_DOWN)
        if encrypted_start != idaapi.BADADDR:
            encrypted_end = idaapi.find_binary(encrypted_start + 5, seg_end, "90 90 90 90", 16, idaapi.SEARCH_DOWN)
            if encrypted_end != idaapi.BADADDR:
                encrypted_start += 5
                patch_length = encrypted_end - encrypted_start
                if idaapi.visit_patched_bytes(encrypted_start, encrypted_end, callback_on_patched_bytes) == 0:
                    encrypted_buff = idaapi.get_bytes(encrypted_start, patch_length)
                    decrypted_buff = fb_decrypt.decrypt_func2(encrypted_buff, rc4_key)
                    print('Patching encrypted bytecode at 0x{:x} ({:d} bytes)'.format(encrypted_start, patch_length))
                    idaapi.patch_many_bytes(encrypted_start, decrypted_buff)
                else:
                    print('Encrypted bytecode at 0x{:x} ({:d} bytes) is already patched'.format(encrypted_start, patch_length))
Exemplo n.º 2
0
    def decrypt_c2c_uri(self):
        import json
        import r2pipe
        import validators
        sys.path.append(os.path.abspath('external/tildedennis/formbook/'))
        from formbook_decryption import FormBookDecryption

        fb_decrypt = FormBookDecryption()

        encbuf6_addr = '0x{0:08X}'.format(self.enc_buffers[2]['addr'] + 7)
        encbuf7_addr = '0x{0:08X}'.format(self.enc_buffers[5]['addr'] + 7)
        encbuf8_addr = '0x{0:08X}'.format(self.enc_buffers[0]['addr'] + 7)
        encbuf9_addr = '0x{0:08X}'.format(self.enc_buffers[3]['addr'] + 7)

        self.r2.cmd('s %s' % encbuf6_addr)
        encbuf6_s0 = self.r2.cmd(
            'p8 %s' % str(self.enc_buffers[2]['size'] * 2)).decode("hex")
        self.r2.cmd('s %s' % encbuf7_addr)
        encbuf7_s0 = self.r2.cmd(
            'p8 %s' % str(self.enc_buffers[5]['size'] * 2)).decode("hex")
        self.r2.cmd('s %s' % encbuf8_addr)
        encbuf8_s0 = self.r2.cmd(
            'p8 %s' % str(self.enc_buffers[0]['size'] * 2)).decode("hex")
        self.r2.cmd('s %s' % encbuf9_addr)
        encbuf9_s0 = self.r2.cmd(
            'p8 %s' % str(self.enc_buffers[3]['size'] * 2)).decode("hex")

        rc4_key_two = fb_decrypt.decrypt_func1(encbuf6_s0,
                                               self.enc_buffers[2]['size'])
        rc4_key_one = fb_decrypt.decrypt_func1(encbuf7_s0,
                                               self.enc_buffers[5]['size'])
        encbuf8_s1 = fb_decrypt.decrypt_func1(encbuf8_s0,
                                              self.enc_buffers[0]['size'])
        encbuf9_s1 = fb_decrypt.decrypt_func1(encbuf9_s0,
                                              self.enc_buffers[3]['size'])

        rc4_key = FormBook.sha1(encbuf9_s1)
        encbuf8_s2 = fb_decrypt.decrypt_func2(encbuf8_s1, rc4_key)

        self.r2.cmd('s 0x%08x' % json.loads(
            self.r2.cmd("axtj %s" % '0x{0:08X}'.format(
                self.enc_buffers[0]['addr'])))[0]['from'])

        while json.loads(self.r2.cmd('pdj 1'))[0]['type'] != 'push':
            self.r2.cmd('so 1')

        c2_size = json.loads(self.r2.cmd('pdj 1'))[0]['val']
        found = False
        for i, c in enumerate(encbuf8_s2):
            encrypted_c2c_uri = encbuf8_s2[i:i + c2_size]
            encrypted_c2c_uri = fb_decrypt.decrypt_func2(
                encrypted_c2c_uri, rc4_key_two)
            c2c_uri = fb_decrypt.decrypt_func2(encrypted_c2c_uri, rc4_key_one)
            if validators.url('http://' +
                              '{:s}'.format(c2c_uri).replace('\x00', '')):
                print '[+] C&C URI found: hxxp://{:s}'.format(c2c_uri)
Exemplo n.º 3
0
def formbook_decrypt_hashes_and_strings():
    fb_decrypt = FormBookDecryption()

    # PE base address: 0x00400000
    encbuf1_addr = 0x0041AF4C  # fake prologue
    encbuf2_addr = 0x0041B160  # fake prologue
    encbuf3_addr = 0x0041AAA4  # fake prologue
    encbuf4_addr = 0x00419A83  # fake prologue

    # decrypt_func1 input length buffer is unknown
    # but is always >= output length
    encbuf1_s0 = idaapi.get_bytes(encbuf1_addr, 0x139 * 2)
    encbuf2_s0 = idaapi.get_bytes(encbuf2_addr, 0x35C * 2)
    encbuf3_s0 = idaapi.get_bytes(encbuf3_addr, 0x14 * 2)
    encbuf4_s0 = idaapi.get_bytes(encbuf4_addr, 0x9d3 * 2)

    encbuf1_s1 = fb_decrypt.decrypt_func1(encbuf1_s0, 0x139)
    encbuf2_s1 = fb_decrypt.decrypt_func1(encbuf2_s0, 0x35c)
    encbuf3_s1 = fb_decrypt.decrypt_func1(encbuf3_s0, 0x14)
    encrypted_strings = fb_decrypt.decrypt_func1(encbuf4_s0, 0x9d3)

    rc4_key_one = formbook_compute_sha1(encbuf1_s1)
    rc4_key_two = formbook_compute_sha1(encbuf3_s1)

    encbuf2_s2 = fb_decrypt.decrypt_func2(encbuf2_s1, rc4_key_one)
    encrypted_hashes_array = fb_decrypt.decrypt_func2(encbuf2_s2, rc4_key_two)

    rc4_key_pre_final = formbook_compute_sha1(encrypted_hashes_array)
    rc4_key_final = fb_decrypt.decrypt_func2(encbuf3_s1, rc4_key_pre_final)

    formbook_decrypt_hashes(fb_decrypt, rc4_key_final, encrypted_hashes_array)
    formbook_decrypt_strings(fb_decrypt, rc4_key_final, encrypted_strings)
def formbook_decrypt_c2c_uri():
    fb_decrypt = FormBookDecryption()

    encbuf6_addr = 0x0041AAA4  # fake prologue
    encbuf7_addr = 0x0041AE45  # fake prologue
    encbuf8_addr = 0x0041AF4C  # fake prologue
    encbuf9_addr = 0x00419A83  # fake prologue

    encbuf7_s0 = idaapi.get_bytes(encbuf7_addr, 0x14 * 2)
    encbuf6_s0 = idaapi.get_bytes(encbuf6_addr, 0x14 * 2)
    encbuf8_s0 = idaapi.get_bytes(encbuf8_addr, 0x139 * 2)
    encbuf9_s0 = idaapi.get_bytes(encbuf9_addr, 0x9d3 * 2)

    rc4_key_two = fb_decrypt.decrypt_func1(encbuf6_s0, 0x14)
    rc4_key_one = fb_decrypt.decrypt_func1(encbuf7_s0, 0x14)
    encbuf8_s1 = fb_decrypt.decrypt_func1(encbuf8_s0, 0x139)
    encbuf9_s1 = fb_decrypt.decrypt_func1(encbuf9_s0, 0x9d3)

    rc4_key = formbook_compute_sha1(encbuf9_s1)
    encbuf8_s2 = fb_decrypt.decrypt_func2(encbuf8_s1, rc4_key)

    encrypted_c2c_uri = encbuf8_s2[220:220+44]  # 44 is the length of the C&C URI
    encrypted_c2c_uri = fb_decrypt.decrypt_func2(encrypted_c2c_uri, rc4_key_two)
    c2c_uri = fb_decrypt.decrypt_func2(encrypted_c2c_uri, rc4_key_one)
    print('C&C URI: {:s}'.format(c2c_uri))
Exemplo n.º 5
0
def formbook_decrypt_image_name():
    fb_decrypt = FormBookDecryption()

    encbuf5_addr = 0x41AACE  # fake prologue
    encbuf5_s0 = idaapi.get_bytes(encbuf5_addr, 0x222 * 2)
    encbuf5_s1 = fb_decrypt.decrypt_func1(encbuf5_s0, 0x222)

    buff_dbg = '\x00\x00\x01\x01\x00\x00\x01\x00\x01\x00\x01\x00\x00\x00\x00\x00'
    rc4_key = formbook_compute_sha1(buff_dbg)

    print('Encrypted image name decryption:')
    j = 0
    enc_str_len = 13  # each encrypted string is 13 bytes long
    f = open('decrypted_image_name.txt', 'w')
    for i in range(0, len(encbuf5_s1), enc_str_len):
        enc_img_name = encbuf5_s1[i:i+enc_str_len]
        if j < 2:  # the 2 first strings are obfuscated with an additional routine
            enc_img_name = formbook_string_byte_substraction(enc_img_name, j)
        dec_image_name = str(fb_decrypt.decrypt_func2(enc_img_name, rc4_key))
        line = '{:d} {:s}'.format(j, dec_image_name)
        print(line)
        print(line, file=f)
        j += 1
    f.close()
Exemplo n.º 6
0
    def formbook_decrypt(self, key1, key2, config, config_size, strings_data, strings_size, url_size, hashs_data, hashs_size):
        fb_decrypt = FormBookDecryption()
        p_data = OrderedDict()

        rc4_key_one = fb_decrypt.decrypt_func1(key1, 0x14)
        rc4_key_two = fb_decrypt.decrypt_func1(key2, 0x14)
        encbuf2_s1 = fb_decrypt.decrypt_func1(hashs_data, hashs_size)
        encbuf8_s1 = fb_decrypt.decrypt_func1(config, config_size)
        encbuf9_s1 = fb_decrypt.decrypt_func1(strings_data, strings_size)

        rc4_key_1 = self.formbook_compute_sha1(encbuf8_s1)
        rc4_key_2 = self.formbook_compute_sha1(encbuf9_s1)
        rc4_key_3 = self.formbook_compute_sha1(rc4_key_two)
        encbuf2_s2 = fb_decrypt.decrypt_func2(encbuf2_s1, rc4_key_1)
        encbuf8_s2 = fb_decrypt.decrypt_func2(encbuf8_s1, rc4_key_2)

        n = 1
        for i in xrange(config_size):
            encrypted_c2c_uri = encbuf8_s2[i:i + url_size]
            encrypted_c2c_uri = fb_decrypt.decrypt_func2(encrypted_c2c_uri, rc4_key_two)
            c2c_uri = fb_decrypt.decrypt_func2(encrypted_c2c_uri, rc4_key_one)
            if "www." in c2c_uri:
                p_data["C&C URI " + str(n)] = c2c_uri
                n += 1

        encrypted_hashes_array = fb_decrypt.decrypt_func2(encbuf2_s2, rc4_key_3)
        rc4_key_pre_final = self.formbook_compute_sha1(encrypted_hashes_array)
        rc4_key_final = fb_decrypt.decrypt_func2(rc4_key_two, rc4_key_pre_final)

        p_data = self.formbook_decrypt_strings(fb_decrypt, p_data, rc4_key_final, encbuf9_s1)

        return p_data