Midi12 revised this gist
Apr 28, 2021 . 1 changed file with 41 additions and 0 deletions.There are no files selected for viewing
@@ -1,3 +1,44 @@ ''' sub_180001F5C+34 mov rdx, 0C9A201E140208649h sub_180001F5C+3E mov rcx, 213228A830CCCFFEh sub_180001F5C+48 mov qword ptr [rbp+var_10], rdx sub_180001F5C+4C mov qword ptr [rbp+var_10+8], rcx sub_180001F5C+50 mov rax, 5068B50F657EF22h ; <- encrypted name sub_180001F5C+5A movups xmm2, [rbp+var_10] sub_180001F5C+5E mov qword ptr [rbp+ModuleName], rax sub_180001F5C+62 mov r14, 5638B3DF636EF65h ; <- xor key sub_180001F5C+6C mov qword ptr [rbp+var_40+8], rcx sub_180001F5C+70 mov rax, 0E0E85073937B9CBh ; <- encrypted name sub_180001F5C+7A mov qword ptr [rbp+ModuleName+8], rax sub_180001F5C+7E lea rcx, [rbp+ModuleName] ; lpModuleName sub_180001F5C+82 movups xmm0, xmmword ptr [rbp+ModuleName] sub_180001F5C+86 mov rax, 27F7CFB34B9F0B6Ah ; <- encrypted name sub_180001F5C+90 mov qword ptr [rbp+var_40], rdx sub_180001F5C+94 pxor xmm2, [rbp+var_40] sub_180001F5C+99 mov rsi, 0E6B85743944B98Ah ; <- xor key sub_180001F5C+A3 mov qword ptr [rbp+var_20], rax sub_180001F5C+A7 mov rdi, 278ECFDF4BFD0B07h ; <- xor key sub_180001F5C+B1 mov rax, 7064B132AC9F2FB2h ; <- encrypted name sub_180001F5C+BB mov qword ptr [rbp+var_60], r14 sub_180001F5C+BF mov qword ptr [rbp+var_20+8], rax sub_180001F5C+C3 mov rbx, 7008B15EACFB2F9Ch ; <- xor key sub_180001F5C+CD movups xmm1, [rbp+var_20] sub_180001F5C+D1 mov qword ptr [rbp+var_60+8], rsi sub_180001F5C+D5 pxor xmm0, xmmword ptr [rbp+var_60] sub_180001F5C+DA mov qword ptr [rbp+var_50], rdi sub_180001F5C+DE mov qword ptr [rbp+var_50+8], rbx sub_180001F5C+E2 pxor xmm1, [rbp+var_50] sub_180001F5C+E7 movdqa [rbp+var_20], xmm1 sub_180001F5C+EC movdqa xmmword ptr [rbp+ModuleName], xmm0 sub_180001F5C+F1 movdqa [rbp+var_10], xmm2 sub_180001F5C+F6 call cs:GetModuleHandleW ; <- call using the plaintext string on the stack encrypted strings & corresponding xor key are passed into xmm registers using immediate value operands and xored together using ''' def xor(a, b): return (a ^ b) & 0xFF -
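Review bot: The explanatory docstring added here stops mid-sentence at `xored together using`, so the reader is left without the decryption recipe the annotated listing is meant to document. Suggest finishing it with something like `pxor: each immediate pair (two qwords, little-endian) forms one 16-byte block, and the plaintext is the byte-wise XOR of the data block with the key block`, which is what the `movups`/`pxor`/`movdqa` sequence above the `GetModuleHandleW` call shows. It is also worth saying next to the `; <- encrypted name` / `; <- xor key` labels that XOR is commutative, so the instruction stream alone cannot tell which immediate is the key; the labels are a naming convention, not something recoverable from the code. The `xor` helper below the docstring is unchanged context from the earlier revision.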
Midi12 renamed this gist
Apr 28, 2021 . 1 changed file with 0 additions and 0 deletions.There are no files selected for viewing
File renamed without changes. -
Midi12 created this gist
Apr 28, 2021 .There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,77 @@ def xor(a, b): return (a ^ b) & 0xFF def xorl(a, b): res = [] for i in range(len(a)): res.append(xor(a[i], b[i])) return res def expand(i): return [b for b in i.to_bytes(8, byteorder = 'little')] def get_wchar(data, offset): return chr(int(data[offset] + (data[offset + 1] << 8)) & 0xFFFF) def get_string_len_w(data, offset): i = 0 length = 0 cw = get_wchar(data, offset + i) while(cw != '\x00'): length += 1 i += 2 cw = get_wchar(data, offset + i) return length def get_string_w(data, offset): s = '' length = get_string_len_w(data, offset) for i in range(length): s += get_wchar(data, offset + (i * 2)) return s ''' data format [ (data_part_0, data_part_1, key_part_0, key_part_1), ... ] call template decipher_string_0([ (,,,), (,,,) ]) ''' FIX_UNICODE = [0, 0] def decipher_string_0(data): s = '' for i in range(len(data)): mod_name_0 = data[i][0] mod_name_1 = data[i][1] mod_name = expand(mod_name_0) + expand(mod_name_1) key_mod_name_0 = data[i][2] key_mod_name_1 = data[i][3] key_mod_name = expand(key_mod_name_0) + expand(key_mod_name_1) s += get_string_w([b for b in xorl(mod_name, key_mod_name)] + FIX_UNICODE, 0) return s first_GetModuleHandleW_str = decipher_string_0([ (0x5068B50F657EF22,0xE0E85073937B9CB,0x5638B3DF636EF65,0xE6B85743944B98A), (0x27F7CFB34B9F0B6A,0x7064B132AC9F2FB2,0x278ECFDF4BFD0B07,0x7008B15EACFB2F9C) ]) print('First GetModuleHandleW : ' + first_GetModuleHandleW_str) second_GetModuleHandleW_str = decipher_string_0([ (0x5638B3DF636EF65,0xE6B85743944B98A,0x5178B54F658EF30,0xE0A85183914B9F3), (0x27A0CFAD4B980B7E,0x7008B132AC972FF8,0x278ECFDF4BFD0B07,0x7008B15EACFB2F9C) ]) print('Second GetModuleHandleW : ' + second_GetModuleHandleW_str)
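Review bot: `decipher_string_0` decodes each 16-byte block on its own and concatenates the per-block results, so if the wide-string NUL terminator falls inside an earlier block, the bytes of every later block are still decoded and appended, even though `GetModuleHandleW` (an `LPCWSTR` parameter, see the `lpModuleName` annotation in the listing) never reads past that first NUL. Decrypting all blocks into one buffer and then decoding once, stopping at the first NUL, mirrors what the callee sees and makes the opaque `FIX_UNICODE` sentinel's purpose explicit: it exists only so `get_string_len_w` meets a terminator instead of raising `IndexError` on an unterminated buffer. The second call also passes the listing's "xor key" immediate `0x5638B3DF636EF65` in the data slot, which confirms the data/key split is arbitrary (XOR is commutative) and deserves a line in the `data format` docstring.

```python
# … unchanged: xor, xorl, expand, get_wchar, get_string_len_w, get_string_w …

def decipher_string_0(data):
    """Decrypt a list of (data_lo, data_hi, key_lo, key_hi) 16-byte blocks and
    return the resulting NUL-terminated UTF-16LE string.

    XOR is commutative, so which pair is "data" and which is "key" is a naming
    convention only; swapping them yields the same plaintext.
    """
    plain = []
    for d0, d1, k0, k1 in data:
        plain += xorl(expand(d0) + expand(d1), expand(k0) + expand(k1))
    # FIX_UNICODE appends a NUL wchar so an unterminated buffer cannot run
    # get_string_len_w past the end; decoding stops at the first NUL, as the
    # callee would.
    return get_string_w(plain + FIX_UNICODE, 0)

# … unchanged: the two decipher_string_0 calls and their print statements …
```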