def encoded_code_address(self):
    """Locate the encoded code blob through the '$code2' rule match.

    For the first '$code2' hit in self.filedata, the 4-byte immediate of
    the matched instruction is read, decremented by one, re-encoded with
    to_str_dword and searched for in the raw file; the RVA four bytes past
    that occurrence is taken as the blob's address. The blob size is what
    encoded_size() reports for 150 bytes read at the hit's own RVA.

    Returns:
        (address, size) for the first match, or (None, None) when the rule
        does not match at all.

    Raises:
        ValueError (from str.index) when the decremented dword cannot be
        found in self.filedata, i.e. the heuristic did not fit this sample.
    """
    # Offset of the immediate inside the matched bytes: 3 for 32-bit
    # samples, 4 otherwise (presumably one extra prefix byte on x64).
    # Three more bytes are skipped when the match begins with C7 84 24,
    # which looks like the longer mov dword [esp+disp32], imm32 encoding.
    # NOTE: str.decode('hex') is Python 2 only, as is the rest of this module.
    esp_mov_prefix = 'C78424'.decode('hex')
    operand_offset = 3 if self.osa == 0x32 else 4
    for rule_name in ['$code2']:
        for hit in match_rule(rule_name, self.rules[rule_name], self.filedata):
            opcodes = hit.strings[0][2]
            if opcodes[:3] == esp_mov_prefix:
                operand_offset += 3
            immediate = to_hex_dword(opcodes[operand_offset:operand_offset + 4])
            marker = to_str_dword(immediate - 1)
            # Size is derived from the bytes at the hit itself, not at the blob.
            hit_rva = self.pe.get_rva_from_offset(hit.strings[0][0])
            size = self.encoded_size(self.pe.get_data(hit_rva, 150))
            # The blob starts one dword after the first occurrence of the marker.
            blob_rva = self.pe.get_rva_from_offset(self.filedata.index(marker) + 4)
            return blob_rva, size
    return None, None
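def decode_code(self):
    """Decode the XOR/ROL-obfuscated code blob and return it as a string.

    The blob location and its length in dwords come from
    encoded_code_address(), the key and rotation count from
    xor_rol_value(), and the raw dwords from encoded_data(). Every dword is
    XORed with the key, rotated left by rol_val and, for 64-bit samples
    only (self.osa == 0x64), XORed with the key a second time.

    Returns:
        The decoded dwords, each rendered with to_str_dword and
        concatenated in order (size_loop dwords in total).

    Raises:
        TypeError when encoded_code_address() returned (None, None), since
        hex(None) fails before any decoding starts; IndexError when
        encoded_data() yields fewer than size_loop dwords.
    """
    enc_addr, size_loop = self.encoded_code_address()
    xor_val, rol_val = self.xor_rol_value()
    message('Encoded code ROL {}'.format(int(rol_val)))
    message('Encoded code XOR Key: {}'.format(hex(xor_val).upper()))
    message('Encoded code Size: {}'.format(hex(size_loop).upper()))
    encoded_data = self.encoded_data(enc_addr, size_loop)
    # Collect the pieces and join once: repeated str concatenation in the
    # loop is quadratic on interpreters without CPython's in-place shortcut.
    decoded_dwords = []
    # The second XOR pass is part of the x64 variant's scheme, not a typo.
    second_xor = self.osa == 0x64
    for i in range(size_loop):
        dword = encoded_data[i] ^ xor_val
        dword = rol(dword, rol_val)
        if second_xor:
            dword ^= xor_val
        decoded_dwords.append(to_str_dword(dword))
    return ''.join(decoded_dwords)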
def decode(self):
    """Rebuild the embedded loader the way the sample patches it before use.

    Reads self.filepath, extracts the embedded PE with extract_binaries and
    overwrites the bytes behind selected exports with stand-in values of the
    same shape the malware writes at run time. The numbered notes below are
    the author's description of each export (numbering starts at 1, which
    is why the table is keyed on exp + 1 — presumably the export list from
    get_exports is 0-based).

    Returns:
        The patched loader image as a byte string.
    """
    raw_loader = extract_binaries(readFile(self.filepath))
    # The sample fixes up a handful of export values ("random" ones) itself.
    parsed = pefile.PE(data=raw_loader)
    export_table = get_exports(parsed)
    # #1 and some other functions are encrypted with the XOR key (this step
    #    is deliberately skipped here)
    # #2 reg path and 3 random chars (NUL-interleaved, i.e. wide-char style)
    # #3 1 random char
    # #5 the 0x80-byte XOR key; a recognisable "random" value is used instead
    # #6 image base
    patches = {
        2: '\x00'.join("\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ter"),
        3: 't',
        5: '-SDBbot-Random-XORKey-@Tera0017-' * 4,
        6: to_str_dword(parsed.OPTIONAL_HEADER.ImageBase),
    }
    for export_index in export_table:
        patch = patches.get(export_index + 1)
        if patch is None:
            continue
        file_offset = parsed.get_offset_from_rva(export_table[export_index])
        raw_loader = edit_data(raw_loader, file_offset, patch)
    return raw_loader