
@dr4k0nia
Last active October 6, 2022 20:39
Simple Decryption Routine for strings and 2nd stage payload of malware sample SHA256: 169bf7d8d5240de6e4d3df6f6be95198075c22620d84d5e95cfc3c5f4e2e4f43
// LINQPad entry point: decodes three obfuscated strings recovered from the sample and
// decrypts the embedded second stage to a new file on disk.
void Main()
{
    // With the single-byte XOR key 0x27 these decode to "EntryPoint", "Assembly" and "Load".
    // NOTE(review): that combination is consistent with the loader resolving Assembly.Load and
    // the entry point by name via reflection; confirm against the call sites in the sample.
    foreach (var obfuscated in new[] { "bISU^wHNIS", "fTTBJEK^", "kHFC" })
    {
        Decrypt(obfuscated).Dump();
    }

    // Relative paths: both files resolve against the current working directory.
    byte[] encryptedStage = File.ReadAllBytes("ThomasEdinson.bin");

    // The indexed Select overload passes each byte's offset, which selects the key character.
    byte[] decryptedStage = encryptedStage
        .Select((value, offset) => stageDecryption(value, offset))
        .ToArray();

    // The decrypted payload is only written out; nothing here loads or executes it.
    // The output is the unpacked second stage, so keep it inside the analysis environment.
    File.WriteAllBytes("ThomasEdinson_Decrypted.bin", decryptedStage);
}
// Decodes an obfuscated string constant by running every character through
// stringDecryption and reassembling the results in their original order.
string Decrypt(string input)
{
    char[] decoded = input.Select(ch => stringDecryption(ch)).ToArray();
    return new string(decoded);
}
// Token: 0x060000C9
// Per-character string decoder: XORs the character with the apostrophe (U+0027, i.e. 0x27).
// XOR is its own inverse, so the same routine both encodes and decodes.
internal char stringDecryption(char c)
{
    const char xorKey = '\'';
    int decoded = c ^ xorKey;
    return (char)decoded;
}
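// Key for the second stage: per the original analysis, the argument supplied to the
// sample's EntryPoint method. It mixes Cyrillic and ASCII characters, so this file must be
// stored in a Unicode encoding (e.g. UTF-8); a lossy re-encoding would silently change the key.
string key = "ИисусDi4a4ter";

// Taken from Token: 0x060000CB
// Repeating-key XOR over the encrypted stage.
//   x: the encrypted byte.
//   i: the byte's offset in the file; the key character is chosen as key[i % key.Length].
// Returns the decrypted byte.
internal byte stageDecryption(byte x, int i)
{
    char keyChar = key[i % key.Length];

    // The Cyrillic key characters are above 0xFF, so the XOR result does not fit in a byte.
    // Only the low 8 bits are kept, which means just the low byte of each UTF-16 code unit
    // takes part in the key stream. `unchecked` makes that truncation explicit and keeps the
    // routine from throwing OverflowException when compiled with overflow checking enabled.
    return unchecked((byte)(keyChar ^ x));
}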