Haruka HarukaMa

Wasted one afternoon to manually deobfuscate the js from one drainer website. (see here for the "deobfuscated" reference js and script used to generate the file)

You can use the code to decrypt the traffic and even create arbitrary payload to send to their backend server.

What's the domain of that backend server? You need to find it out yourself.

The code below is in public domain.

	import bz2
	import io
	import os
	from hashlib import sha1

	from utils import read_uint32

	plar = open("geekbench.plar", "rb")
	dest = "./plar"

	{
	"immutable_parameters": {
	"min_committee_member_count": 11,
	"min_witness_count": 11,
	"num_special_accounts": 0,
	"num_special_assets": 0
	},
	"initial_accounts": [
	{
	"active_key": "BTS6MRyAjQq8ud7hVNYcfnVPJqcVpscN5So8BhtHuGYqET5GDW5CV",

	using System;
	using System.Collections.Generic;
	using System.Diagnostics;
	using System.Drawing;
	using System.Linq;
	using System.Runtime.InteropServices;
	using System.Windows.Forms;
	using Test.OBS;

	namespace Test {

	1:07:030 root I[KERNEL]: /Users/MrX/src/ppsspp/Core/HLE/sceKernelThread.cpp:2093 276=sceKernelCreateThread(name=psp_base, entry=08804244, prio=20, stacksize=643072)
	41:07:030 root I[KERNEL]: /Users/MrX/src/ppsspp/Core/HLE/sceKernelThread.cpp:2144 sceKernelStartThread(thread=276, argSize=33, argPtr=09fffed0)
	41:07:031 root I[KERNEL]: /Users/MrX/src/ppsspp/Core/HLE/sceKernelThread.cpp:2224 __KernelReturnFromThread: 0
	41:07:031 psp_base I[HLE]: /Users/MrX/src/ppsspp/Core/Util/BlockAllocator.cpp:379 -----------
	41:07:031 psp_base I[HLE]: /Users/MrX/src/ppsspp/Core/Util/BlockAllocator.cpp:383 Block: 08800000 - 08804000 size 00004000 taken=0 tag=(untitled)
	41:07:031 psp_base I[HLE]: /Users/MrX/src/ppsspp/Core/Util/BlockAllocator.cpp:383 Block: 08804000 - 08cf0100 size 004ec100 taken=1 tag=ELF
	41:07:031 psp_base I[HLE]: /Users/MrX/src/ppsspp/Core/Util/BlockAllocator.cpp:383 Block: 08cf0100 - 08d0a000 size 00019f00 taken=1 tag=UserSbrk
	41:07:031 psp_base I[HLE]: /Users/MrX/