#!/usr/bin/env python3
import sys
import json
import r2pipe
from arc4 import ARC4
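def parse_config(config):
    """Parse a decrypted Rekoobe configuration string into a dict.

    The plaintext is ``|``-separated into four blocks:
      0. the C2 address (surrounding ``;`` stripped),
      1. ``;``-separated integer flags whose meaning is not yet identified,
      2. an "hours" field, kept as the raw string,
      3. a trailing integer of unknown meaning.

    Args:
        config: plaintext configuration string recovered from the sample.

    Returns:
        dict with keys ``c2`` (str), ``flags`` (``unknown_<idx>`` -> int),
        ``hours`` (str) and ``unknown`` (int).

    Raises:
        ValueError: if fewer than four ``|``-separated blocks are present
            or a numeric field does not parse as an int; both typically
            mean the RC4 key was wrong and the "plaintext" is garbage.
    """
    blocks = config.split("|")
    if len(blocks) < 4:
        raise ValueError(
            f"expected at least 4 '|'-separated blocks, got {len(blocks)}"
        )
    flags_raw = blocks[1].rstrip(";").split(";")
    return {
        "c2": blocks[0].strip(";"),
        # Flag semantics are unknown; positional names keep every value visible.
        "flags": {f"unknown_{idx}": int(flag) for idx, flag in enumerate(flags_raw)},
        "hours": blocks[2].rstrip(";"),
        "unknown": int(blocks[3]),
    }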
def rc4_decrypt(string, key):
    """Decrypt *string* (bytes) with RC4 keyed by the UTF-8 encoding of *key*.

    RC4 is the scheme the sample itself uses for its embedded strings; this
    helper only mirrors it to recover the configuration. Returns plaintext
    bytes.
    """
    cipher = ARC4(key.encode())
    return cipher.decrypt(string)
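def _find_data_section(r):
    """Return ``(paddr, size)`` of the ``.data`` section reported by radare2.

    Exits with a message when no ``.data`` section exists, instead of
    failing later with a NameError on the never-assigned offsets.
    """
    sections = json.loads(r.cmd("iSj"))
    for s in sections:
        if s["name"] == ".data":
            return s["paddr"], s["size"]
    sys.exit("no .data section found in the sample")


def _read_config_blobs(path, paddr, size):
    """Read the ``.data`` section of *path* and return its first four NUL-separated blobs."""
    with open(path, "rb") as f:
        f.seek(paddr)
        data = f.read(size)
    blobs = [chunk for chunk in data.split(b"\x00") if chunk]
    if len(blobs) < 4:
        sys.exit(f"expected at least 4 NUL-separated blobs in .data, found {len(blobs)}")
    return blobs[:4]


def main():
    """Extract and print the Rekoobe configuration embedded in ``sys.argv[1]``.

    Usage: ``rekoobe_config.py <sample> <rc4 key>``. The sample is opened in
    radare2 (``-2`` silences its stderr), analysed, and its ``.data`` section
    located; the section's first four NUL-separated blobs are then read.
    Blob [1] is the RC4-encrypted config string and blob [3] the RC4-encrypted
    process name; blob [2]'s first byte is taken as the process-change flag.
    Blob [0] appears to be a length field and is not used. The result is
    printed as sorted, indented JSON. Exits with a message on a missing
    section, too few blobs, or a decryption result that is not valid text.
    """
    sample = sys.argv[1]
    rc4_key = sys.argv[2]
    r = r2pipe.open(sample, flags=["-2"])
    try:
        r.cmd("aaaa")
        paddr, size = _find_data_section(r)
    finally:
        # Always tear down the radare2 child process, even on failure.
        r.quit()
    blobs = _read_config_blobs(sample, paddr, size)
    try:
        config_string = rc4_decrypt(blobs[1], rc4_key).decode()
        config_proc_str = rc4_decrypt(blobs[3], rc4_key).decode()
    except UnicodeDecodeError:
        # A wrong key yields random bytes that almost never decode cleanly.
        sys.exit("decrypted config is not valid text; check the RC4 key")
    config = parse_config(config_string)
    # These values come straight from the malware sample: treat as untrusted data.
    config["process_change"] = blobs[2][0]
    config["process_name"] = config_proc_str
    print(json.dumps(config, sort_keys=True, indent=4, separators=(",", ": ")))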
if __name__ == "__main__":
    # Both the sample path and the RC4 key are required before any work starts.
    if len(sys.argv) < 3:
        print("./rekoobe_config.py <sample> <rc4 key>")
        raise SystemExit(1)
    main()