Created
November 28, 2018 18:50
-
-
Save leoloobeek/bc278637f6e4215dcddf1812a513ce9f to your computer and use it in GitHub Desktop.
Sample Extract Payload DotNetToJScript
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| #Orginal Location https://gist.github.com/williballenthin/52debe05295266186cd2673ebf169967 | |
| ''' | |
| Carve PE files from binary data. | |
| Write them into the current directy named after their hash. | |
| Example:: | |
| $ python carvepe.py unallocated.bin | |
| INFO:__main__:found pe at 0x0, length: 0xd8000 | |
| INFO:__main__:writing pe file to 273ed32b617fd79ed1b88ebd4521a441.bin | |
| $ ls | |
| 595f44fec1e92a71d3e9e77456ba80d1.bin | |
| 71f920fa275127a7b60fa4d4d41432a3.bin | |
| 43c191bf6d6c3f263a8cd0efd4a058ab.bin | |
| author: Willi Ballenthin | |
| ''' | |
| import sys | |
| import mmap | |
| import hashlib | |
| import logging | |
| import contextlib | |
| from collections import namedtuple | |
| import pefile | |
| import argparse | |
| logger = logging.getLogger(__name__) | |
| Match = namedtuple('Match', ['offset', 'size']) | |
| def carve(data): | |
| """ | |
| find things that look like PE files from arbitrary binary data. | |
| Args: | |
| data (str): arbitrary byte string | |
| Yields: | |
| Match: one Match instance per identified PE file. | |
| """ | |
| offset = 0 | |
| while True: | |
| offset = data.find('MZ', offset) | |
| if offset == -1: | |
| break | |
| logger.debug('found MZ: 0x%x', offset) | |
| # grab a bunch of data that should include the entire binary. | |
| # assume less than 10mb. | |
| max_offset = min(len(data), offset + 10 * 1024 * 1024) | |
| payload = data[offset:max_offset] | |
| try: | |
| pe = pefile.PE(data=payload) | |
| except pefile.PEFormatError: | |
| logger.debug('not actually a PE, sorry.') | |
| else: | |
| logger.debug('yup, this looks ok.') | |
| # try to compute the size of the PE file. | |
| # we'll enumerate each section, and find the end of the last section. | |
| # this should work for most binaries, unless there is an overlay. | |
| # the PE file format does not have a true "file length" field, unfortunately. | |
| max_addr = 0 | |
| for section in sorted(pe.sections, key=lambda s: s.PointerToRawData): | |
| section_max_addr = section.PointerToRawData + section.SizeOfRawData | |
| if section_max_addr > max_addr: | |
| max_addr = section_max_addr | |
| if pe.OPTIONAL_HEADER.CheckSum == pe.generate_checksum(): | |
| logger.debug('checksum verified') | |
| yield Match(offset, max_addr) | |
| offset += 1 | |
| def main(argv=None): | |
| if argv is None: | |
| argv = sys.argv[1:] | |
| parser = argparse.ArgumentParser(description="Carve PE files from binary data.") | |
| parser.add_argument("input", type=str, | |
| help="Path to input file") | |
| parser.add_argument("-v", "--verbose", action="store_true", | |
| help="Enable debug logging") | |
| parser.add_argument("-q", "--quiet", action="store_true", | |
| help="Disable all output but errors") | |
| args = parser.parse_args() | |
| if args.verbose: | |
| logging.basicConfig(level=logging.DEBUG) | |
| elif args.quiet: | |
| logging.basicConfig(level=logging.ERROR) | |
| else: | |
| logging.basicConfig(level=logging.INFO) | |
| with open(args.input, 'rb') as f: | |
| # we're using a memory map here. | |
| # it lets us read from a large file as if it were entirely in memory. | |
| # (but its not, actually) | |
| with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as m: | |
| for match in carve(m): | |
| pe = m[match.offset:match.offset+match.size] | |
| logger.info('found pe at 0x%x, length: 0x%x', match.offset, match.size) | |
| m = hashlib.md5() | |
| m.update(pe) | |
| logger.debug('md5sum: %s', m.hexdigest()) | |
| outpath = m.hexdigest() + '.bin' | |
| logger.info('writing pe file to %s', outpath) | |
| with open(outpath, 'wb') as g: | |
| g.write(pe) | |
| if __name__ == "__main__": | |
| sys.exit(main()) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //Base64 Raw Decoder | |
| function Base64Decode(str) { | |
| if (!(/^[a-z0-9+/]+={0,2}$/i.test(str)) || str.length%4 != 0) throw Error('Not base64 string'); | |
| var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; | |
| var o1, o2, o3, h1, h2, h3, h4, bits, d=[]; | |
| for (var c=0; c<str.length; c+=4) { // unpack four hexets into three octets | |
| h1 = b64.indexOf(str.charAt(c)); | |
| h2 = b64.indexOf(str.charAt(c+1)); | |
| h3 = b64.indexOf(str.charAt(c+2)); | |
| h4 = b64.indexOf(str.charAt(c+3)); | |
| bits = h1<<18 | h2<<12 | h3<<6 | h4; | |
| o1 = bits>>>16 & 0xff; | |
| o2 = bits>>>8 & 0xff; | |
| o3 = bits & 0xff; | |
| d[c/4] = String.fromCharCode(o1, o2, o3); | |
| // check for padding | |
| if (h4 == 0x40) d[c/4] = String.fromCharCode(o1, o2); | |
| if (h3 == 0x40) d[c/4] = String.fromCharCode(o1); | |
| } | |
| str = d.join(''); // use Array.join() for better performance than repeated string appends | |
| return str; | |
| } | |
| //End Base64 Decoder | |
| function setversion() { | |
| } | |
| function debug(s) {} | |
| function base64ToStream(b) { | |
| var enc = new ActiveXObject("System.Text.ASCIIEncoding"); | |
| var length = enc.GetByteCount_2(b); | |
| var ba = enc.GetBytes_4(b); | |
| var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform"); | |
| ba = transform.TransformFinalBlock(ba, 0, length); | |
| var ms = new ActiveXObject("System.IO.MemoryStream"); | |
| ms.Write(ba, 0, (length / 4) * 3); | |
| ms.Position = 0; | |
| return ms; | |
| } | |
| var serialized_obj = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+ | |
| "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+ | |
| "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+ | |
| "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+ | |
| "AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"+ | |
| "RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"+ | |
| "eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"+ | |
| "cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"+ | |
| "aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"+ | |
| "MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"+ | |
| "dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"+ | |
| "ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"+ | |
| "B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"+ | |
| "dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"+ | |
| "CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"+ | |
| "SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"+ | |
| "cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"+ | |
| "AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"+ | |
| "AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"+ | |
| "bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"+ | |
| "NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"+ | |
| "ZW1ibHkGFwAAAARMb2FkCg8MAAAAABQAAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"+ | |
| "YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAbQeOWwAAAAAA"+ | |
| "AAAA4AAiIAsBMAAACgAAAAgAAAAAAAAWKAAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"+ | |
| "AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAxCcA"+ | |
| "AE8AAAAAQAAADAQAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAIwmAAAcAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"+ | |
| "AAAALnRleHQAAAAcCAAAACAAAAAKAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAADAQAAABA"+ | |
| "AAAABgAAAAwAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAASAAAAAAAAAAAA"+ | |
| "AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAPgnAAAAAAAASAAAAAIABQB0IAAAGAYAAAEAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAagIoDgAACnIB"+ | |
| "AABwcgEAAHAWHzAoDwAACiYqIgMoEAAACiYqQlNKQgEAAQAAAAAADAAAAHYyLjAuNTA3MjcAAAAA"+ | |
| "BQBsAAAABAIAACN+AABwAgAAgAIAACNTdHJpbmdzAAAAAPAEAAAMAAAAI1VTAPwEAAAQAAAAI0dV"+ | |
| "SUQAAAAMBQAADAEAACNCbG9iAAAAAAAAAAIAAAFHFQAACQAAAAD6ATMAFgAAAQAAABQAAAACAAAA"+ | |
| "AgAAAAEAAAAQAAAADgAAAAEAAAADAAAAAABkAQEAAAAAAAYA1ADYAQYAQQHYAQYAIQCmAQ8A+AEA"+ | |
| "AAYASQCOAQYAtwCOAQYAmACOAQYAKAGOAQYA9ACOAQYADQGOAQYAYACOAQYANQC5AQYAEwC5AQYA"+ | |
| "ewCOAQYAQwJ4AQoAYgIHAgoASgIHAgoAHAIHAgoAfwEHAg4AOwKmAQAAAAABAAAAAAABAAEAAQAQ"+ | |
| "AC4CAAA9AAEAAQBQIAAAAACGGKABBgABAGsgAAAAAIYAOAIQAAEAAAABAF8BCQCgAQEAEQCgAQYA"+ | |
| "GQCgAQoAKQCgARAAMQCgARAAOQCgARAAQQCgARAASQCgARAAUQCgARAAWQCgARAAYQCgARUAaQCg"+ | |
| "ARAAcQCgARAAeQCgAQYAgQBdAhoAoQBXAiUALgALADQALgATAD0ALgAbAFwALgAjAGUALgArAHoA"+ | |
| "LgAzAKQALgA7AKQALgBDAGUALgBLAKoALgBTAKQALgBbAKQALgBjAM8ALgBrAPkAQwBbAAYBBIAA"+ | |
| "AAEAAAAAAAAAAAAAAAAAbQIAAAIAAAAAAAAAAAAAACsACgAAAAAAAgAAAAAAAAAAAAAAKwAHAgAA"+ | |
| "AAACAAAAAAAAAAAAAAArAHgBAAAAAAAAADxNb2R1bGU+AG1zY29ybGliAEd1aWRBdHRyaWJ1dGUA"+ | |
| "RGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRy"+ | |
| "aWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAQXNzZW1ibHlGaWxlVmVyc2lvbkF0dHJp"+ | |
| "YnV0ZQBBc3NlbWJseUNvbmZpZ3VyYXRpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0"+ | |
| "dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0"+ | |
| "dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1"+ | |
| "dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAcGF0aABFeGFtcGxlQXNzZW1ibHkuZGxs"+ | |
| "AFN5c3RlbQBNZXNzYWdlQm94SWNvbgBTeXN0ZW0uUmVmbGVjdGlvbgAuY3RvcgBTeXN0ZW0uRGlh"+ | |
| "Z25vc3RpY3MAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNv"+ | |
| "bXBpbGVyU2VydmljZXMARGVidWdnaW5nTW9kZXMAU3lzdGVtLldpbmRvd3MuRm9ybXMATWVzc2Fn"+ | |
| "ZUJveEJ1dHRvbnMAVGVzdENsYXNzAFJ1blByb2Nlc3MAT2JqZWN0AERpYWxvZ1Jlc3VsdABTdGFy"+ | |
| "dABTaG93AE1lc3NhZ2VCb3gARXhhbXBsZUFzc2VtYmx5AAAAAAAJVABlAHMAdAAAAEnXcY+11JRN"+ | |
| "jfsQ6jsuSB0ABCABAQgDIAABBSABARERBCABAQ4EIAEBAgoABBFFDg4RSRFNBQABElEOCLd6XFYZ"+ | |
| "NOCJCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAIAAAAAABQBAA9F"+ | |
| "eGFtcGxlQXNzZW1ibHkAACkBACRFeGFtcGxlIEFzc2VtYmx5IGZvciBEb3ROZXRUb0pTY3JpcHQA"+ | |
| "AAUBAAAAACQBAB9Db3B5cmlnaHQgwqkgSmFtZXMgRm9yc2hhdyAyMDE3AAApAQAkNTY1OThmMWMt"+ | |
| "NmQ4OC00OTk0LWEzOTItYWYzMzdhYmU1Nzc3AAAMAQAHMS4wLjAuMAAABQEAAQAAAAAAAG0HjlsA"+ | |
| "AAAAAgAAABwBAACoJgAAqAgAAFJTRFOrQw2XgethRr2CF5AWbhDDAQAAAEM6XFVzZXJzXFJlc2Vh"+ | |
| "cmNoXERvd25sb2Fkc1xEb3ROZXRUb0pTY3JpcHQtbWFzdGVyXEV4YW1wbGVBc3NlbWJseVxvYmpc"+ | |
| "UmVsZWFzZVxFeGFtcGxlQXNzZW1ibHkucGRiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAA7CcAAAAAAAAAAAAABigAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "APgnAAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAA"+ | |
| "AAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAAsAMAAAAAAAAAAAAAsAM0AAAA"+ | |
| "VgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAA"+ | |
| "AD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8A"+ | |
| "AAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBBADAAABAFMAdAByAGkAbgBn"+ | |
| "AEYAaQBsAGUASQBuAGYAbwAAAOwCAAABADAAMAAwADAAMAA0AGIAMAAAAGIAJQABAEMAbwBtAG0A"+ | |
| "ZQBuAHQAcwAAAEUAeABhAG0AcABsAGUAIABBAHMAcwBlAG0AYgBsAHkAIABmAG8AcgAgAEQAbwB0"+ | |
| "AE4AZQB0AFQAbwBKAFMAYwByAGkAcAB0AAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUA"+ | |
| "AAAAAAAAAABIABAAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAARQB4AGEAbQBw"+ | |
| "AGwAZQBBAHMAcwBlAG0AYgBsAHkAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEA"+ | |
| "LgAwAC4AMAAuADAAAABIABQAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEUAeABhAG0AcABs"+ | |
| "AGUAQQBzAHMAZQBtAGIAbAB5AC4AZABsAGwAAABiAB8AAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkA"+ | |
| "ZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIABKAGEAbQBlAHMAIABGAG8AcgBzAGgAYQB3"+ | |
| "ACAAMgAwADEANwAAAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAA"+ | |
| "AABQABQAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAARQB4AGEAbQBwAGwAZQBB"+ | |
| "AHMAcwBlAG0AYgBsAHkALgBkAGwAbAAAAEAAEAABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAA"+ | |
| "RQB4AGEAbQBwAGwAZQBBAHMAcwBlAG0AYgBsAHkAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQBy"+ | |
| "AHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIA"+ | |
| "cwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAIAAADAAAABg4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ | |
| "AAAAAAAAAAAAAAAAAAAAAAENAAAABAAAAAkXAAAACQYAAAAJFgAAAAYaAAAAJ1N5c3RlbS5SZWZs"+ | |
| "ZWN0aW9uLkFzc2VtYmx5IExvYWQoQnl0ZVtdKQgAAAAKCwAA"; | |
| var entry_class = 'TestClass'; | |
| try { | |
| setversion(); | |
| var stm = base64ToStream(serialized_obj); | |
| var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter'); | |
| var al = new ActiveXObject('System.Collections.ArrayList'); | |
| var d = fmt.Deserialize_2(stm); | |
| al.Add(undefined); | |
| var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class); | |
| //Extract Serialized Object to file.bin | |
| var base64decoded = Base64Decode(serialized_obj); | |
| var TextStream = WScript.CreateObject('ADODB.Stream'); | |
| TextStream.Type = 2; | |
| TextStream.charSet = 'iso-8859-1'; | |
| TextStream.Open(); | |
| TextStream.WriteText(base64decoded); | |
| var BinaryStream = WScript.CreateObject('ADODB.Stream'); | |
| BinaryStream.Type = 1; | |
| BinaryStream.Open(); | |
| TextStream.Position = 0; | |
| TextStream.CopyTo(BinaryStream); | |
| BinaryStream.SaveToFile("file.bin", 2); | |
| BinaryStream.Close(); | |
| //End Extract | |
| //Go Rip that MZ Header. | |
| //File.Bin is the serialized object that contains the assembly | |
| } catch (e) { | |
| debug(e.message); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment