#!/usr/bin/env python | |
import sys | |
""" | |
Extract PE file from a malware defender quarantine file. | |
Based on the RC4 script from https://github.com/bozhu/RC4-Python
The output file needs to be cleaned manually: some header bytes are still present inside it
---------------------------------------------------------------------------- | |
"THE BEER-WARE LICENSE" (Revision 42): | |
@futex90 wrote this file. As long as you retain this notice you | |
can do whatever you want with this stuff. If we meet some day, and you think | |
this stuff is worth it, you can buy me a beer in return. | |
---------------------------------------------------------------------------- | |
""" | |
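def KSA(key):
    """Run the RC4 key-scheduling algorithm and return the 256-entry state.

    key: a non-empty sequence of key bytes as ints in 0..255 -- the list the
        caller builds with ord(), or (on Python 3) a bytes/bytearray object,
        which already indexes to ints.
    Returns a list of 256 ints holding a permutation of 0..255; PRGA permutes
    it further in place while generating the keystream.
    Raises ValueError if key is empty (the modulo below would otherwise
    divide by zero).
    """
    keylength = len(key)
    if keylength == 0:
        raise ValueError("RC4 key must not be empty")
    # list(...) is required: on Python 3, range() is an immutable object and
    # the in-place swaps below would raise TypeError.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % keylength]) % 256
        S[i], S[j] = S[j], S[i]  # swap
    return S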
def PRGA(S): | |
i = 0 | |
j = 0 | |
while True: | |
i = (i + 1) % 256 | |
j = (j + S[i]) % 256 | |
S[i], S[j] = S[j], S[i] # swap | |
K = S[(S[i] + S[j]) % 256] | |
yield K | |
def RC4(key):
    """Return an RC4 keystream generator for *key*.

    The key format is the one KSA accepts (a sequence of ints 0..255); the
    returned generator yields one keystream byte per next() call.
    """
    return PRGA(KSA(key))
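if __name__ == '__main__':
    if len(sys.argv) != 3:
        print("Usage: %s [malware defender file] [output file]" % __file__)
        sys.exit(1)
    # Fixed RC4 key for the quarantine format, as given by the original author.
    # It is a str whose code points are all < 256, so ord() yields key bytes.
    key = "\x1E\x87\x78\x1B\x8D\xBA\xA8\x44\xCE\x69\x70\x2C\x0C\x78\xB7\x86\xA3\xF6\x23\xB7\x38\xF5\xED\xF9\xAF\x83\x53\x0F\xB3\xFC\x54\xFA\xA2\x1E\xB9\xCF\x13\x31\xFD\x0F\x0D\xA9\x54\xF6\x87\xCB\x9E\x18\x27\x96\x97\x90\x0E\x53\xFB\x31\x7C\x9C\xBC\xE4\x8E\x23\xD0\x53\x71\xEC\xC1\x59\x51\xB8\xF3\x64\x9D\x7C\xA3\x3E\xD6\x8D\xC9\x04\x7E\x82\xC9\xBA\xAD\x97\x99\xD0\xD4\x58\xCB\x84\x7C\xA9\xFF\xBE\x3C\x8A\x77\x52\x33\x55\x7D\xDE\x13\xA8\xB1\x40\x87\xCC\x1B\xC8\xF1\x0F\x6E\xCD\xD0\x83\xA9\x59\xCF\xF8\x4A\x9D\x1D\x50\x75\x5E\x3E\x19\x18\x18\xAF\x23\xE2\x29\x35\x58\x76\x6D\x2C\x07\xE2\x57\x12\xB2\xCA\x0B\x53\x5E\xD8\xF6\xC5\x6C\xE7\x3D\x24\xBD\xD0\x29\x17\x71\x86\x1A\x54\xB4\xC2\x85\xA9\xA3\xDB\x7A\xCA\x6D\x22\x4A\xEA\xCD\x62\x1D\xB9\xF2\xA2\x2E\xD1\xE9\xE1\x1D\x75\xBE\xD7\xDC\x0E\xCB\x0A\x8E\x68\xA2\xFF\x12\x63\x40\x8D\xC8\x08\xDF\xFD\x16\x4B\x11\x67\x74\xCD\x0B\x9B\x8D\x05\x41\x1E\xD6\x26\x2E\x42\x9B\xA4\x95\x67\x6B\x83\x98\xDB\x2F\x35\xD3\xC1\xB9\xCE\xD5\x26\x36\xF2\x76\x5E\x1A\x95\xCB\x7C\xA4\xC3\xDD\xAB\xDD\xBF\xF3\x82\x53"
    # The quarantine file is binary: text mode would translate newlines and,
    # on Python 3, decode the bytes as text, corrupting the recovered PE.
    # bytearray iterates as ints on both Python 2 and 3.
    with open(sys.argv[1], "rb") as fin:
        ciphertext = bytearray(fin.read())
    keystream = RC4([ord(c) for c in key])
    # XOR each quarantined byte with the keystream. zip() stops when the
    # (finite) ciphertext is exhausted; building a bytearray avoids the
    # quadratic str concatenation of the original loop.
    result = bytearray(b ^ k for b, k in zip(ciphertext, keystream))
    # The output is the decrypted quarantined sample itself (quarantine header
    # bytes still attached, see the module docstring); treat the written file
    # as a live sample within the analysis environment.
    with open(sys.argv[2], "wb") as fout:
        fout.write(result)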