```asm
jz      loc_4381B4
xchg    eax, [ebp-0Ch]
push    053h
call    sub_408D02
push    050h
call    sub_408D02
push    edx
push    8AB4BF9Eh
push    754A35C1h
call    sub_41CF77
```
```asm
jmp     0x42424242
```
```asm
jz      loc_4381B4
xchg    eax, [ebp-0Ch]
push    053h
call    push_cpu_register    ; push ebx
push    050h
call    push_cpu_register    ; push eax
push    edx
push    8AB4BF9Eh
push    754A35C1h
call    detour_1             ; call f(8AB4BF9Eh, 754A35C1h)
```
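The annotated listing resolves each `push imm8; call sub_408D02` pair into the register push it stands for. The script below, an added example that is not code from the page or from the analysed sample, does that resolution mechanically over the listing: it assumes the helper executes the pushed byte as a one-byte x86 opcode (0x50+r is `push r32`, 0x58+r is `pop r32`, an ISA fact), which agrees with 053h being `push ebx` and 050h being `push eax` in the annotation above. The names `resolve_register_pushes`, `annotate` and `LISTING` are mine.

```python
import re

# x86 one-byte encodings: 0x50+r = push r32, 0x58+r = pop r32, with r indexing this
# register order. This is an ISA fact, not something taken from the page.
REGS32 = ['eax', 'ecx', 'edx', 'ebx', 'esp', 'ebp', 'esi', 'edi']

PUSH_IMM = re.compile(r'^\s*push\s+0?([0-9A-Fa-f]+)[hH]\s*$')  # MASM-style immediate
CALL = re.compile(r'^\s*call\s+(\S+)')


def decode_single_byte_op(opcode):
    """Return the one-byte instruction `opcode` encodes, or None if it is not a push/pop."""
    if 0x50 <= opcode <= 0x57:
        return 'push ' + REGS32[opcode - 0x50]
    if 0x58 <= opcode <= 0x5F:
        return 'pop ' + REGS32[opcode - 0x58]
    return None


def resolve_register_pushes(lines, helper):
    """Find `push imm; call helper` pairs and return [(index_of_call_line, decoded_op)].

    `helper` is the trampoline symbol (sub_408D02 in the listing); the assumption is that
    it executes the pushed byte as a one-byte instruction on the caller's behalf.
    """
    found = []
    for i in range(len(lines) - 1):
        m = PUSH_IMM.match(lines[i])
        c = CALL.match(lines[i + 1])
        if not (m and c) or c.group(1) != helper:
            continue
        imm = int(m.group(1), 16)
        op = decode_single_byte_op(imm) if imm <= 0xFF else None  # wider immediates are not opcodes
        if op:
            found.append((i + 1, op))
    return found


def annotate(lines, helper='sub_408D02', name='push_cpu_register'):
    """Rewrite the listing like the hand-annotated version: rename the helper, comment the effect."""
    out = list(lines)
    for idx, op in resolve_register_pushes(lines, helper):
        renamed = re.sub(r'call\s+' + re.escape(helper), 'call ' + name, lines[idx])
        out[idx] = renamed + ' ; ' + op
    return out


# Constructed input: the listing from the page, one instruction per line
LISTING = [
    'jz loc_4381B4',
    'xchg eax, [ebp-0Ch]',
    'push 053h',
    'call sub_408D02',
    'push 050h',
    'call sub_408D02',
    'push edx',
    'push 8AB4BF9Eh',
    'push 754A35C1h',
    'call sub_41CF77',
]

if __name__ == '__main__':
    for line in annotate(LISTING):
        print(line)
```

Only immediates that fit in one byte and fall in the push/pop range are rewritten; the two 32-bit constants before `call sub_41CF77` are left alone, which is what distinguishes trampoline arguments from ordinary call arguments in this pattern.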
```c
#include <string.h>

int  is_in_encrypted_section(const char *p);             /* helpers from the sample, not shown */
void memcpy_and_encrypt(char *to, const char *from, int len);
void memcpy_and_decrypt(char *to, const char *from, int len);

void encrypted_memcpy(char *to, char *from, int len) {
    if (is_in_encrypted_section(to)) {
        if (is_in_encrypted_section(from)) {
            memcpy(to, from, len);              /* both sides encrypted: raw copy */
        } else {
            memcpy_and_encrypt(to, from, len);  /* plaintext into encrypted section */
        }
    } else {
        if (is_in_encrypted_section(from)) {
            memcpy_and_decrypt(to, from, len);  /* encrypted section out to plaintext */
        } else {
            memcpy(to, from, len);              /* both plaintext (branch cut off in the embed) */
        }
    }
}
```
```python
def nymaim_decrypt(self, raw, from_raw, length):
    from_va = from_raw + self.image_base
    xsize = from_va - self.off          # bytes between the section start and the requested VA
    cur_key = self.key
    if xsize < 0:
        raise RuntimeError("raw too small - min is " + hex(self.off - self.image_base))
    for _ in range(xsize // 4):         # the key advances by xstep once per dword before from_va
        cur_key = (cur_key + self.xstep) & 0xffffffff
    r = ''
```
```c
#include <stdint.h>

struct chunk {
    uint32_t type;      /* chunk identifier, compared against the CFG_* hashes */
    uint32_t length;    /* number of bytes in data */
    char     data[];    /* `length` bytes follow the 8-byte header */
};
```
```python
if hash == self.CFG_URL:  # '48c2026b':
    parsed['urls'] += [{'url': append_http(x)} for x in filter(None, map(get_domainc, raw.split(';')))]
elif hash == self.CFG_DGA_HASH:  # 'd9aea02a':
    parsed['dga_hash'] = [uint32(h) for h in chunks(raw, 4)]
elif hash == self.CFG_DOMAINS:  # '095d4b1d':
    parsed['domains'] += map(lambda x: {'cnc': x}, filter(None, map(get_domainc, raw.split(';'))))
elif hash == self.CFG_ENC_KEY:  # '510be622':
    parsed['encryption_key'] = raw
...
```
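The `struct chunk` layout and the `if hash == ...` dispatch together describe a TLV configuration format: an 8-byte header of type and length, followed by `length` bytes of data, with the type compared against the CFG_* identifiers. The parser below is an added example, not the page's or the analysed sample's code: it walks a buffer of such chunks with bounds checks and fills the same `parsed` dictionary. It assumes the identifiers in the comments are the little-endian `type` field rendered as 8 hex digits, that `length` counts only the data bytes, and simplified stand-ins for `get_domainc` and `append_http` (which the page does not show); the sample blob is constructed and is not a real configuration.

```python
import struct

# Chunk identifiers as they appear in the original parser's comments. Assumed here to be
# the little-endian uint32 `type` field rendered as 8 hex digits.
CFG_URL = '48c2026b'
CFG_DGA_HASH = 'd9aea02a'
CFG_DOMAINS = '095d4b1d'
CFG_ENC_KEY = '510be622'


def chunks(data, n):
    """Split data into n-byte pieces (same role as the helper in the original snippet)."""
    return [data[i:i + n] for i in range(0, len(data), n)]


def uint32(b):
    return struct.unpack('<I', b)[0]


def get_domainc(item):
    """Assumed stand-in for the original get_domainc: trim whitespace, drop empty entries."""
    item = item.strip()
    return item or None


def append_http(url):
    """Assumed stand-in: prefix a scheme when the entry has none."""
    return url if url.startswith(('http://', 'https://')) else 'http://' + url


def iter_chunks(blob):
    """Walk a buffer of `struct chunk` records: uint32 type, uint32 length, then `length` bytes."""
    off = 0
    while off + 8 <= len(blob):
        ctype, clen = struct.unpack_from('<II', blob, off)
        off += 8
        if clen > len(blob) - off:  # length field points past the buffer: refuse, do not over-read
            raise ValueError('chunk %08x at offset %d claims %d bytes but only %d remain'
                             % (ctype, off - 8, clen, len(blob) - off))
        yield '%08x' % ctype, blob[off:off + clen]
        off += clen
    if off != len(blob):
        raise ValueError('%d trailing bytes after the last chunk' % (len(blob) - off))


def parse_config(blob):
    parsed = {'urls': [], 'dga_hash': [], 'domains': [], 'encryption_key': None, 'unknown': []}
    for chash, raw in iter_chunks(blob):
        if chash == CFG_URL:
            items = raw.decode('latin-1').split(';')
            parsed['urls'] += [{'url': append_http(x)} for x in filter(None, map(get_domainc, items))]
        elif chash == CFG_DGA_HASH:
            if len(raw) % 4:
                raise ValueError('dga_hash chunk length %d is not a multiple of 4' % len(raw))
            parsed['dga_hash'] = [uint32(h) for h in chunks(raw, 4)]
        elif chash == CFG_DOMAINS:
            items = raw.decode('latin-1').split(';')
            parsed['domains'] += [{'cnc': x} for x in filter(None, map(get_domainc, items))]
        elif chash == CFG_ENC_KEY:
            parsed['encryption_key'] = raw
        else:
            parsed['unknown'].append(chash)  # keep unrecognised types visible instead of dropping them
    return parsed


def build_chunk(type_hex, data):
    """Serialize one chunk; used only to construct the sample blob below."""
    return struct.pack('<II', int(type_hex, 16), len(data)) + data


# Constructed sample blob (not a real Nymaim configuration)
SAMPLE_BLOB = (
    build_chunk(CFG_URL, b'cfg.example.test;;https://cdn.example.test')
    + build_chunk(CFG_DGA_HASH, struct.pack('<II', 0x11223344, 0xdeadbeef))
    + build_chunk(CFG_DOMAINS, b'cnc1.example.test;cnc2.example.test;')
    + build_chunk(CFG_ENC_KEY, bytes(range(16)))
    + build_chunk('0badf00d', b'\x01\x02')
)

if __name__ == '__main__':
    print(parse_config(SAMPLE_BLOB))
```

The bounds check in `iter_chunks` is the part worth keeping when adapting this to real extracted configs: a corrupted or deliberately oversized length field should produce an error rather than a silently short slice.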
```text
╰─$ strings decrypted_nymaim | grep -E "PortMap|upnp"
DeletePortMapping
urn:schemas-upnp-org:service:WANPPPConnection:1
urn:schemas-upnp-org:device:InternetGatewayDevice:1
GetSpecificPortMappingEntry
upnp:rootdevice
AddPortMapping
AddAnyPortMapping
urn:schemas-upnp-org:service:WANIPConnection:1
NewPortMappingDescription
```
```text
╰─$ strings decrypted_nymaim | grep -E "nginx" -B 4
HTTP/1.1 200 OK
Connection: close
Content-Length: %u
Content-Type: application/octet-stream
Server: nginx/1.9.4
```
```python
import hashlib

# rsa_decrypt, from_uint32 and crypto.s_decrypt are helpers from the analysis toolkit, not shown here.


def inner_decrypt(raw, rsa_key):
    # last 0x40 bytes: RSA-encrypted header; everything before it: Serpent-encrypted payload
    encrypted_header, encrypted_data = raw[-0x40:], raw[:-0x40]
    decrypted_data = rsa_decrypt(encrypted_header, rsa_key)
    md5 = decrypted_data[0:16]                    # expected MD5 of the plaintext
    blob = decrypted_data[16:32]                  # Serpent key
    length = from_uint32(decrypted_data[32:36])   # plaintext length (payload is padded to block size)
    serpent_decrypted = crypto.s_decrypt(encrypted_data, blob)[:length]
    assert md5 == hashlib.md5(serpent_decrypted).digest()
```