This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from unicorn import * | |
| from unicorn.x86_const import * | |
| from capstone import * | |
| import base64 | |
| import time | |
| from collections import deque | |
| encrypt_data_code = b"\x55\x8B\xEC\x83\xEC\x18\x8B\x50\x20\x53\x8B\x58\x28\x56\x8B\x70\x24\x57\x8B\xF9\x33\x5F\x08\x33\x17\x33\x77\x04\x33\x98\x38\x02\x00\x00\x33\x90\x30\x02\x00\x00\x33\xB0\x34\x02\x00\x00\x8B\x48\x2C\x33\x4F\x0C\x33\x88\x3C\x02\x00\x00\x8B\xF9\x0B\xCA\x33\xFE\x89\x4D\xFC\x8B\xCB\x33\xCE\x89\x7D\xF8\x89\x4D\xEC\x33\x4D\xFC\x8B\xFE\x33\xFA\x89\x4D\xF4\x8B\xCF\x23\x7D\xF8\x23\xCB\x8B\x5D\xF8\xF7\xD3\x0B\xCB\x8B\x5D\xEC\x0B\xDA\x33\xCB\x33\xF9\x33\x7D\xF4\x33\xFA\x8B\xDF\x0B\xD9\x23\x5D\xFC\x33\xDE\xC1\xC1\x0D\xC1\xC3\x03\x8B\xF3\x33\xF7\x33\xF1\x89\x4D\xF8\xD1\xC6\x8B\xD1\xC1\xE2\x03\x33\xD3\x33\x55\xF4\x8B\xCE\xC1\xE1\x07\x33\xCB\xC1\xC2\x07\x8B\xDE\x33\x5D\xF8\x33\x70\x34\x33\xCA\x33\xDA\x33\x50\x3C\xC1\xC1\x16\x33\x48\x38\xC1\xC3\x05\x33\x58\x30\x8B\xFB\x33\xFA\x89\x7D\xF0\x8B\xFE\x33\xFA\x89\x7D\xF4\x8B\xF9\xF7\xD7\x89\x7D\xFC\x8B\xFE\x89\x5D\xF8\x23\xFB\x33 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import httplib2 | |
| import binascii | |
| import os | |
| import base64 | |
| import sys | |
| if len(sys.argv) < 3: | |
| print "Usage: {0} <url> <command>".format(sys.argv[0]) | |
| exit(1) |
enkomio
/ Ploutus.D_rebuilder.fs
Last active
May 28, 2024 21:19
This code extracts the real MSIL bytecode of the malware sample and rebuild a new assembly
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| open System | |
| open System.Linq | |
| open System.Reflection | |
| open System.Runtime.CompilerServices | |
| open System.Collections | |
| open System.Collections.Generic | |
| open System.Diagnostics | |
| open Microsoft.Diagnostics.Runtime | |
| open dnlib.DotNet | |
| open dnlib.DotNet.Emit |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [MethodImpl(MethodImplOptions.NoInlining)] | |
| internal static uint qtlEIBBYuV(IntPtr \u0020, IntPtr a1, IntPtr \u0020, [MarshalAs(UnmanagedType.U4)] uint \u0020, IntPtr \u0020, ref uint \u0020) | |
| { | |
| // thisi s a pointer to the COREINFO_METHOD_INFO structure | |
| IntPtr ptr = \u0020; | |
| if (P9ZBIKXMsRMxLdTfcG.KOnEge1tX2) | |
| { | |
| ptr = a1; | |
| } | |
| long num; |
enkomio
/ AssemblyAlternativeLoader.fs
Last active
July 11, 2020 12:07
An alternative method to load an Assembly
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| open System | |
| open System.Reflection | |
| open System.IO | |
| /// Use the private method GetTypeByNameUsingCARules in order to load the Assembly. This method will in turn uses the internal | |
| /// method: private static extern void GetTypeByNameUsingCARules(string name, RuntimeModule scope, ObjectHandleOnStack type); | |
| let loadAssembly(filename: String, className: String, methodName: String, methodArguments: Object array) = | |
| let bindingFlags = BindingFlags.Static ||| BindingFlags.NonPublic ||| BindingFlags.Public ||| BindingFlags.Instance | |
| let assemblyName = AssemblyName.GetAssemblyName(Path.GetFullPath(filename)) | |
| let fullName = String.Format("{0},{1}", className, assemblyName.FullName) |
enkomio
/ encryption.sac
Last active
December 30, 2019 05:36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| proc main | |
| push buffer /* push arguments */ | |
| push buffer_length | |
| push key | |
| push key_length | |
| push 4 /* number of arguments */ | |
| push de_encrypt /* method to invoke */ | |
| call | |
| halt | |
| endp |
enkomio
/ packer.sacara
Created
December 17, 2019 12:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| proc data_section | |
| S: | |
| // Hardcode the initial state of the S array | |
| byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F | |
| byte 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F | |
| byte 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F | |
| byte 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F | |
| byte 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F | |
| byte 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F | |
| byte 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F |