def test_rc4():
assert rc4.encrypt(b"Key", b"Plaintext") == unhex("bbf316e8d940af0ad3")
assert rc4.decrypt(b"Wiki", b"pedia") == unhex("1021bf0420")
assert rc4.decrypt(
b"Secret",
b"Attack at dawn") == (unhex("45a01f645fc35b383552544b9bf5"))
assert rc4(b"hello", b"world") == unhex("783ecd96cf")
def main():
with open('gpca.dat', 'rb') as cryptedfile:
data = cryptedfile.read()
result = rc4(key,data)
if result:
with open('gpca.dat.dec', 'wb') as decryptedfile:
decryptedfile.write(result)
print(f'\nDecrypted buffer! Check => gpca.dat.dec')
else:
print(f'\nMalduck was not able to decrypt buffer.')
def decrypt_conf(self, p, addr):
try:
key_addr = p.uint32v(addr + 21)
key = p.asciiz(key_addr)
data_offset = p.uint32v(addr + 26)
config_encrypted = p.readv(addr=data_offset).split(b'\0\0')[0]
config_raw = rc4(key, config_encrypted)
config_items = list(filter(None, config_raw.split(b'\x00\x00')))
for i in range(0, len(config_items)):
config_items[i] = config_items[i].strip(b'\x00')
config = {
'family': 'zloader',
'name': config_items[1].decode('utf-8'),
'campaign_id': config_items[2].decode('utf-8'),
'urls': [config_items[3].decode('utf-8')]
}
return config
except Exception as error:
log.warning(error)
def extract_binary(data: str) -> Optional[bytes]:
match = regex.search(BINARY_REGEX, data)
if not match:
return None
header = "".join(match.captures(2))
rest = "".join(match.captures(4))
key = match.group(5)
payload = header + rest
# reversed string
if payload.endswith("x0"):
payload = payload[::-1]
if not payload.startswith("0x"):
return None
binary = rc4(key.encode(), bytes.fromhex(payload[2:]))
if binary.startswith(b"\x4d\x5a"):
return binary
return None
def ref_c2(self, p):
pe_rep = PE(data=p)
raw_rc4_key = None
crypted_data = None
for section in pe_rep.sections:
if b".data" in section.Name:
section_data = section.get_data()
raw_rc4_key = section_data[16:24]
crypted_data = section_data[24:24 + 8192]
if raw_rc4_key is None or crypted_data is None:
log.error("unable to find .data section")
return
log.info("key: %s" % binascii.hexlify(raw_rc4_key))
flags = 0x280011
key_length = int((flags >> 16) / 8)
raw_hash = hashlib.sha1(raw_rc4_key).digest()[:key_length]
log.info("len of encrypted data: %s, decrypting with %s" %
(len(crypted_data), binascii.hexlify(raw_hash)))
decrypted = malduck.rc4(raw_hash, crypted_data)
entropy = self.estimate_shannon_entropy(decrypted)
log.info("decrypted data entropy: %s" % entropy)
if entropy < 1:
conf = self.parse_config(decrypted)
return conf
import rzpipe
from malduck import rc4
import sys
args = sys.argv
print(args)
if len(args) < 5:
print('wrong')
sys.exit()
r2 = rzpipe.open()
base = args[1]
off = args[2]
kl = args[3]
cl = args[4]
cmd = f'pxj {kl} @ {base} + {off}'
print(cmd)
key = r2.cmdj(cmd)
cmd = f'pxj {cl} @ {base} + {off} + {kl}'
print(cmd)
ct = r2.cmdj(cmd)
print(key)
print(ct)
pt = rc4(bytes(key), bytes(ct))
print(pt)
if b'\x00' in pt:
print(pt.decode('utf-16'))
headers = {
'User-Agent': 'cruloader'
}
# RC4 key offset at 0xC
key_offset = 12
# RC4 key size
key_size = 15
# RC4 decrypt the first layer of CruLoader
p = pe(open(infile, "rb").read(), fast_load=False)
get_rsrc = p.resource('RT_RCDATA')
rc4_key = get_rsrc[key_offset:key_offset+key_size]
encrypted = get_rsrc[28:]
decrypted = rc4(rc4_key, encrypted)
print("[+] Second layer unpacked")
if decrypted[0:2].decode('latin1') != "MZ":
print("[-] RC4 decryption failed")
# Seems malduck ROL needs data type int according to the documentation
else:
convert_rol = (decrypted[0:])
for index,value in enumerate(convert_rol):
a = rol(value, 4, bits=8)
#convert back to bytes for malduck.xor
b = bytes(chr(a), 'latin1')
dexor = xor(0xC5, b)
s += dexor
#!/usr/bin/env python3
#Todo Figure out how to ROL 4 with Python to then be able to XOR 0xC5 and find the Pastebin URL with regexp in Python
import malduck
import sys
infile = sys.argv[1]
outfile = infile + "_decrypted"
# RC4 key offset at 0xC
key_offset = 12
# RC4 key size
key_size = 15
# RC4 decrypt the first layer of CruLoader
p = malduck.pe(open(infile, "rb").read(), fast_load=False)
get_rsrc = p.resource('RT_RCDATA')
rc4_key = get_rsrc[key_offset:key_offset+key_size]
encrypted = get_rsrc[28:]
decrypted = malduck.rc4(rc4_key, encrypted)
if decrypted[0:2].decode('latin1') != "MZ":
print("RC4 decryption failed")
else:
with open (outfile, 'wb') as o:
o.write(decrypted)