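def parse_1f5e1840(raw, ctx, rsa_key):
    """Decrypt a type-1f5e1840 chunk and save the unpacked payload as 'injects'.

    Layout after decrypt_common: a 4-byte unpacked length followed by the
    aplib stream.

    Args:
        raw: the encrypted chunk as received.
        ctx: analysis context passed through to save_binary.
        rsa_key: key handed to decrypt_common.

    Returns:
        None; the unpacked blob is written via save_binary.
    """
    data = decrypt_common(raw, rsa_key)
    # First 4 bytes carry the unpacked length, the rest is the aplib stream.
    unpacked_length = from_uint32(data[:4])
    aplib_unpacked = crypto.aplib_unpack(data[4:], unpacked_length)
    save_binary(aplib_unpacked, ctx, 'injects')
    # The original additionally called save_binary(aplib_unpacked, 'injects')
    # without ctx; that two-argument form matches no other save_binary call
    # in this file and looks like a leftover duplicate, so it is dropped.
    # Confirm against save_binary's signature.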
def raw_binary_decrypt(raw, ctx, rsa_key, idname):
    """Decrypt an embedded executable chunk and save it as 'exe'.

    The decrypted buffer must start with the 'ARCH' magic; the aplib stream
    begins at offset 16. When idname is given, the still-encrypted chunk is
    also recorded under ctx['dropped_files'][idname].

    Args:
        raw: the encrypted chunk.
        ctx: analysis context (dict-like); receives the 'dropped_files' entry.
        rsa_key: key handed to decrypt_common.
        idname: identifier for the dropped file, or None to skip recording.

    Raises:
        AssertionError: when the magic does not match (note: assert is
            stripped under python -O, so the check is best-effort there).
    """
    plaintext = decrypt_common(raw, rsa_key)
    magic = plaintext[:4]
    pprint('decrypted data, magic verification:', idname, magic, 'ARCH')
    assert magic == 'ARCH'
    # 16-byte header, then the aplib stream.
    payload = crypto.aplib_unpack(plaintext[16:])
    pprint('blob decrypted, sample data:', payload.encode('hex')[:60])
    pprint('decryption successful, saving data to file')
    save_binary(payload, ctx, 'exe')
    if idname is None:
        return
    # Keep the raw (still encrypted) chunk so it can be re-examined later.
    if 'dropped_files' not in ctx:
        ctx['dropped_files'] = {}
    ctx['dropped_files'][idname] = raw
def parse_08750ec5(raw, ctx, rsa_key):
    """Decrypt a type-08750ec5 chunk and parse the nested blob it contains.

    Layout after decrypt_common: two 4-byte keys, a 4-byte expected length,
    then data for nymaim_decrypt_data_2. The result carries a 16-byte header
    followed by an aplib stream, which is handed back to nymaim_blob_parse.

    Args:
        raw: the encrypted chunk.
        ctx: analysis context passed through to nymaim_blob_parse.
        rsa_key: key handed to decrypt_common and passed on.

    Raises:
        AssertionError: when the decrypted size differs from the stored length
            (stripped under python -O).
    """
    outer = decrypt_common(raw, rsa_key)
    key0, key1, expected_len = (from_uint32(outer[i:i + 4]) for i in (0, 4, 8))
    inner = nymaim_decrypt_data_2(outer[12:], key0, key1)
    assert len(inner) == expected_len
    nested = crypto.aplib_unpack(inner[16:])
    pprint('and another nested chunk...')
    indent()
    nymaim_blob_parse(nested, ctx, rsa_key)
    undent()
def parse_0c526e8b(raw, ctx, rsa_key):
    """Decrypt a type-0c526e8b chunk directly and parse the nested blob.

    Unlike the other parsers here this one does not go through
    decrypt_common: the chunk itself holds an 8-byte header, two 4-byte keys
    and a 4-byte length, followed by data for nymaim_decrypt_data_2. The
    plaintext must start with 'ARCH'; its aplib stream begins at offset 16.

    Args:
        raw: the chunk to decrypt.
        ctx: analysis context passed through to nymaim_blob_parse.
        rsa_key: only passed on to nymaim_blob_parse; not used here.

    Raises:
        AssertionError: when the 'ARCH' magic is missing (stripped under
            python -O).
    """
    header = raw[:8]
    pprint('some header: ', header.encode('hex'))
    key0 = from_uint32(raw[8:12])
    key1 = from_uint32(raw[12:16])
    data_len = from_uint32(raw[16:20])
    pprint('encrypted data length: ', data_len)
    plaintext = nymaim_decrypt_data_2(raw[20:], key0, key1)
    magic = plaintext[:4]
    pprint('decrypted data, magic verification:', magic, 'ARCH')
    assert magic == 'ARCH'
    # data_len is only reported; it is not used to bound the decryption.
    nested = crypto.aplib_unpack(plaintext[16:])
    pprint('yet another nested chunk... Seriously, wtf nymaim?')
    indent()
    nymaim_blob_parse(nested, ctx, rsa_key)
    undent()