
@0xca7
Created September 19, 2022 11:33
get config from sample 7440a7b56d3670d4204a57974fa76ae76ca78168bb181640f565976d192cc159
"""
extracts config from sample: 7440a7b56d3670d4204a57974fa76ae76ca78168bb181640f565976d192cc159
0xca7
"""
from elftools.elf.elffile import ELFFile
def read_elf(path) -> bytes:
    """Return the raw contents of the ``.data`` section of the ELF at *path*.

    The file is only opened in binary mode and parsed with ``ELFFile``;
    nothing in this function loads or executes the sample.

    Args:
        path: filesystem path of the ELF file to parse.

    Returns:
        The bytes of the first section named ``.data``. If the file has no
        such section the function returns ``None`` (despite the ``bytes``
        annotation), so callers should check the result before using it.
    """
    with open(path, 'rb') as handle:
        for sec in ELFFile(handle).iter_sections():
            # Only the first section literally named ".data" is of interest.
            if sec.name != ".data":
                continue
            print('> got .data section')
            # Read the section while the file is still open.
            return sec.data()
    # No ".data" section was found.
    return None
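def decrypt(data, xorkey):
    """Decrypt *data* with the keystream derived from *xorkey*.

    The routine is the RC4 construction: a 256-entry permutation is
    scheduled from the key, then one keystream byte per input byte is
    generated and XORed with the data.

    Args:
        data: ciphertext as a bytes-like object (indexing must yield ints).
        xorkey: key bytes; repeated cyclically over the 256 schedule steps.

    Returns:
        A ``str`` with one character per decrypted byte (``chr`` of each
        byte value). The last byte of *data* is NOT processed, so the result
        has ``len(data) - 1`` characters; this matches the original script's
        loop bounds and is kept so existing output does not change.

    Raises:
        ZeroDivisionError: if *xorkey* is empty.
    """
    key = list(xorkey)

    # Key schedule: start from the identity permutation 0..255 and mix in
    # the key, repeating it as often as needed.
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xff
        state[i], state[j] = state[j], state[i]

    # Keystream generation and XOR.
    j = 0
    out = []
    for pos in range(len(data) - 1):
        # The state index starts at 1 and wraps at 256. The original used the
        # raw loop counter and raised IndexError once the input exceeded 256
        # bytes; wrapping is what RC4 does.
        # NOTE(review): the sample's own routine is not shown on this page;
        # confirm the wrap against it before trusting output beyond 255 bytes.
        i = (pos + 1) & 0xff
        j = (j + state[i]) & 0xff
        state[i], state[j] = state[j], state[i]
        keystream_byte = state[(state[i] + state[j]) & 0xff]
        out.append(chr(data[pos] ^ keystream_byte))
    return ''.join(out)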
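def main():
    """Decrypt and print the two config blobs stored in the sample's .data section.

    The sample is read from a fixed relative path and only parsed, never
    executed. The decrypted strings are printed exactly as decrypted: they
    are not defanged, and they are attacker-controlled text, so treat the
    terminal output accordingly.

    Raises:
        SystemExit: if the sample has no ``.data`` section or fewer than two
            candidate blobs are found in it.
    """
    xorkey = b"\x72\x30\x73\x74\x40\x23\x24"
    section = read_elf("./7440a7b56d3670d4204a57974fa76ae76ca78168bb181640f565976d192cc159.elf")
    if section is None:
        # read_elf returns None when no ".data" section exists; fail with a
        # clear message instead of an AttributeError on .split().
        raise SystemExit("no .data section found in sample")

    # The blobs are taken to be the NUL-separated runs of at least 4 bytes.
    # Caveat: a ciphertext that itself contains a 0x00 byte is cut at that
    # byte by this split, and decrypt() skips the final byte of each chunk.
    blobs = [chunk for chunk in section.split(b"\x00") if len(chunk) >= 4]
    if len(blobs) < 2:
        raise SystemExit("expected at least two config blobs in .data")

    # blobs[0] blob1 data
    # blobs[1] blob0 data
    for blob in blobs[:2]:
        print(decrypt(blob, xorkey))

    # Output recorded by the author ("note the brackets to avoid accidental
    # clicks..."); the brackets appear to have been added by hand, since the
    # script prints the decrypted text unchanged:
    #
    #   43.140.251[.]218:8080;|1;1;1;1;1;1;1;|00-24;|
    #   /usr/bin/ss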