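def parse_1f5e1840(raw, ctx, rsa_key):
    """Decrypt an 'injects' blob and save it into *ctx*.

    *raw* is passed through decrypt_common() with *rsa_key*; the plaintext
    starts with a uint32 (read via from_uint32) followed by an aPLib-packed
    payload.  The payload is unpacked with that value and stored via
    save_binary(..., ctx, 'injects').
    """
    data = decrypt_common(raw, rsa_key)

    # Leading uint32 handed to aplib_unpack together with the packed data;
    # presumably the unpacked size - confirm against crypto.aplib_unpack.
    length = from_uint32(data[:4])

    aplib_unpacked = crypto.aplib_unpack(data[4:], length)
    # A second save_binary(aplib_unpacked, 'injects') call without ctx was
    # dropped: it did not match the three-argument form used elsewhere in
    # this file and merely duplicated the save below.
    save_binary(aplib_unpacked, ctx, 'injects')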
def raw_binary_decrypt(raw, ctx, rsa_key, idname):
    """Decrypt a raw executable blob, check its 'ARCH' magic, and save it.

    In order: decrypt_common() with *rsa_key*, verify the plaintext begins
    with 'ARCH', aPLib-unpack everything after offset 16, persist the result
    with save_binary(..., ctx, 'exe'), and - when *idname* is given - record
    the still-encrypted *raw* bytes under ctx['dropped_files'][idname].
    """
    plaintext = decrypt_common(raw, rsa_key)
    magic = plaintext[:4]

    pprint('decrypted data, magic verification:', idname, magic, 'ARCH')
    # NOTE(review): this parser consumes attacker-controlled data and
    # `assert` is stripped under -O, so the magic check silently disappears
    # in optimized runs; an explicit raise would be more robust.  Kept as-is
    # to preserve the exception type callers see.
    assert magic == 'ARCH'

    unpacked = crypto.aplib_unpack(plaintext[16:])

    pprint('blob decrypted, sample data:', unpacked.encode('hex')[:60])
    pprint('decryption successful, saving data to file')
    save_binary(unpacked, ctx, 'exe')

    if idname is None:
        return
    # Remember the original (encrypted) blob keyed by its id.
    ctx.setdefault('dropped_files', {})[idname] = raw
def parse_08750ec5(raw, ctx, rsa_key):
    """Parse a chunk wrapped in two layers and recurse into its contents.

    After decrypt_common() with *rsa_key*, the plaintext header carries
    three uint32 fields (key0, key1, length).  The remainder is decrypted
    with nymaim_decrypt_data_2(key0, key1), its size is checked against
    *length*, bytes from offset 16 on are aPLib-unpacked, and the result is
    passed to nymaim_blob_parse() as a nested blob, logged one level deeper.
    """
    data = decrypt_common(raw, rsa_key)

    # Header layout: uint32 at 0, 4 and 8 -> key0, key1, length.
    key0, key1, length = [from_uint32(data[off:off + 4]) for off in (0, 4, 8)]

    inner = nymaim_decrypt_data_2(data[12:], key0, key1)

    # NOTE(review): `assert` is stripped under -O; on untrusted input an
    # explicit length check that raises would be safer.  Kept to preserve
    # the exception callers currently see.
    assert len(inner) == length

    unpacked = crypto.aplib_unpack(inner[16:])

    pprint('and another nested chunk...')
    indent()
    nymaim_blob_parse(unpacked, ctx, rsa_key)
    undent()
def parse_0c526e8b(raw, ctx, rsa_key):
    """Parse a chunk that carries its own keys in clear and recurse into it.

    Unlike the other parsers this one does not call decrypt_common(): the
    first 8 bytes of *raw* are an unexplained header (only logged), followed
    by uint32 key0, key1 and length.  The rest is decrypted with
    nymaim_decrypt_data_2(key0, key1), checked for the 'ARCH' magic,
    aPLib-unpacked from offset 16 and handed to nymaim_blob_parse()
    (logged one indent level deeper).  *rsa_key* is only forwarded.
    """
    header = raw[:8]
    pprint('some header:                    ', header.encode('hex'))

    # Header layout after the 8 unknown bytes: uint32 at 8, 12, 16.
    key0, key1, length = [from_uint32(raw[off:off + 4]) for off in (8, 12, 16)]
    pprint('encrypted data length:          ', length)

    plaintext = nymaim_decrypt_data_2(raw[20:], key0, key1)
    magic = plaintext[:4]

    pprint('decrypted data, magic verification:', magic, 'ARCH')
    # NOTE(review): `assert` is stripped under -O, so the magic check is
    # skipped in optimized runs; an explicit raise would be more robust.
    # Kept as-is to preserve the exception type callers see.
    assert magic == 'ARCH'

    unpacked = crypto.aplib_unpack(plaintext[16:])

    pprint('yet another nested chunk... Seriously, wtf nymaim?')
    indent()
    nymaim_blob_parse(unpacked, ctx, rsa_key)
    undent()