## Initial Setup

1. Download the KINS version 2.0.0.0 reference sample from [MalwareBazaar](
https://bazaar.abuse.ch/sample/d438e335c09a20fead74cc90cff02568ebaf0d226046b1d4e7fdf2656e87d960/).
2. Unpack the sample with [UNPACME](https://www.unpac.me/results/cd4f1beb-b845-4a7a-bd65-e433495eb7c7).

In [1]:
# Install required Python modules
import sys
!{sys.executable} -m pip install pefile
!{sys.executable} -m pip install pycryptodome

# Import required Python modules
import base64
import binascii
import pprint
import re
import struct

import pefile

from Crypto.Cipher import ARC4

Defaulting to user installation because normal site-packages is not writeable
Defaulting to user installation because normal site-packages is not writeable


In [2]:
# Load the unpacked sample
fp = open("d438e335c09a20fead74cc90cff02568ebaf0d226046b1d4e7fdf2656e87d960_unpacked", "rb")
sample = fp.read()
fp.close()

pe = pefile.PE(data=sample)

## Resolve Windows API Calls

Windows API calls are resolved by hash. The hashing algorithm is CRC32.

Pseudocode:

    FARPROC __userpurge resolve_func_by_hash@<eax>(int module_hdl@<eax>, int hash)
    {   
      // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND]

      i = 0;
      export_dir = (*(module_hdl + 60) + module_hdl + 0x78);
      export_dir_end = export_dir->VirtualAddress + export_dir->Size;
      export_dir_rva = export_dir->VirtualAddress;
      export_dir_addr = (export_dir_rva + module_hdl);
      if ( !*(&export_dir_rva->NumberOfNames + module_hdl) )
        return 0;
      while ( 1 ) 
      {   
        name = (export_dir_addr->AddressOfNames + module_hdl + 4 * i); 
        if ( name )
        {   
          name_len = Str::_LengthA((module_hdl + *name));
          if ( Crypt::crc32Hash(name_cp, name_len) == hash )
            break;
        }   
        if ( ++i >= export_dir_addr->NumberOfNames )
          return 0;
      }
      resolved_func_rva = *(export_dir_addr->AddressOfFunctions
                          + 4 * *(export_dir_addr->AddressOfNameOrdinals + 2 * i + module_hdl)
                          + module_hdl);
      if ( export_dir_rva > resolved_func_rva || export_dir_end < resolved_func_rva )
        return (module_hdl + resolved_func_rva);
    ... 

In [3]:
for example in [b"ExitProcess", b"GetModuleFileNameW", b"CreateProcessW", b"HttpOpenRequestA"]:
    func_hash = binascii.crc32(example)
    print(f"{example}: 0x{func_hash:08x}")

b'ExitProcess': 0x251097cc
b'GetModuleFileNameW': 0xfc6b42f1
b'CreateProcessW': 0x5c856c47
b'HttpOpenRequestA': 0x447d086b


## Decrypt Strings

Pseudocode:

    int __usercall CryptedStrings::_getA@<eax>(unsigned __int16 id@<ax>, int buffer@<edi>)
    {
      s_enc_str *enc_string_addr; // eax
      int i; // ecx
      int v4; // esi
      char v5; // dl
      int result; // eax

      enc_string_addr = &word_423130[4 * id];
      for ( i = 0; i < enc_string_addr->len; *(v4 + buffer) = v5 )
      {
        v4 = i;
        v5 = i ^ LOBYTE(enc_string_addr->xor_key) ^ *(enc_string_addr->encbuf + i);
        ++i;
      }
      result = enc_string_addr->len;
      *(result + buffer) = 0;
      return result;
    }

Disassembly:

    .text:0042105D                               CryptedStrings___getA proc near
    .text:0042105D
    .text:0042105D 0F B7 C0                                      movzx   eax, ax
    .text:00421060 8D 04 C5 30 31 42 00                          lea     eax, word_423130[eax*8]
    .text:00421067 33 D2                                         xor     edx, edx
    .text:00421069 33 C9                                         xor     ecx, ecx
    .text:0042106B 66 3B 50 02                                   cmp     dx, [eax+2]
    .text:0042106F 73 19                                         jnb     short loc_42108A
    .text:00421071 56                                            push    esi
    .text:00421072
    .text:00421072                               loc_421072:
    .text:00421072 8B 50 04                                      mov     edx, [eax+4]
    .text:00421075 0F B7 F1                                      movzx   esi, cx
    .text:00421078 8A 14 32                                      mov     dl, [edx+esi]
    .text:0042107B 32 10                                         xor     dl, [eax]
    .text:0042107D 32 D1                                         xor     dl, cl
    .text:0042107F 41                                            inc     ecx
    .text:00421080 88 14 3E                                      mov     [esi+edi], dl
    .text:00421083 66 3B 48 02                                   cmp     cx, [eax+2]
    .text:00421087 72 E9                                         jb      short loc_421072
    .text:00421089 5E                                            pop     esi
    .text:0042108A
    .text:0042108A                               loc_42108A:
    .text:0042108A 0F B7 40 02                                   movzx   eax, word ptr [eax+2]
    .text:0042108E C6 04 38 00                                   mov     byte ptr [eax+edi], 0
    .text:00421092 C3                                            retn
    .text:00421092                               CryptedStrings___getA endp

In [4]:
def decrypt_string(pe, id_):
    match = re.search(rb'\x8d\x04\xc5(?P<enc_strings_addr>[\s\S]{4})', 
        pe.get_memory_mapped_image())
    
    enc_strings_addr = struct.unpack("I", match.group("enc_strings_addr"))[0]
    
    enc_string_addr = enc_strings_addr + 8 * id_
    enc_string_rva = enc_string_addr - pe.OPTIONAL_HEADER.ImageBase
    
    xor_key = pe.get_word_at_rva(enc_string_rva)
    encbuf_len = pe.get_word_at_rva(enc_string_rva + 2)
    encbuf_addr = pe.get_dword_at_rva(enc_string_rva + 4)
    encbuf_rva = encbuf_addr - pe.OPTIONAL_HEADER.ImageBase
    
    if encbuf_len == 0:
        return ""
    
    try:
        encbuf = pe.get_data(encbuf_rva, encbuf_len)
    except:
        return ""

    plainbuf = b""
    for i in range(len(encbuf)):
        pb = (i ^ xor_key ^ encbuf[i]) & 0xff
        plainbuf += struct.pack("B", pb)
        
    try:
        return plainbuf.decode()
    except:
        pass
    
    return ""


for i in range(516):
    plain_string = decrypt_string(pe, i)
    print(f"{i}: {plain_string}")

0: explorer.exe
1: 
2: anonymous
3: smtp
4: ftp
5: pop3
6: %s://%s:%s@%s:%u/
7: 
8: 
9: imap
10: ZCID: %S

11: Grabbed data from: %s

%S
12: %BOTID%
13: *UNKNOWN*
14: 
15: grabbed\%S_%02u_%02u_%02u.txt
16: Content-Type: %s

17: application/x-www-form-urlencoded
18: HTTP authentication (encoded): %S

19: HTTP authentication: username="%s", password="%s"

20:  *BLOCKED*
21: 
22: *EMPTY*
23: %s%s
User input: %s
%sRequest:

%S
24: X-Frame-Options
25: 
26: user_pref("browser.startup.homepage", "%s");
user_pref("browser.startup.page", 1);

27: 
28: 
29: profiles.ini
30: user_pref("%s", %s);

31: msvcp100.dll
32: cookies.sqlite
33: %s
Path: %s
%s=%s

34: Mozilla cookies:
%S
35: Alternate-Protocol
36: PR_GetNameForIdentity
37: 
38: Mozilla Firefox
39: Path
40: SELECT baseDomain,name,value FROM moz_cookies;
41: nspr4.dll
42: privacy.clearOnShutdown.cookies security.warn_viewing_mixed security.warn_viewing_mixed.show_once security.warn_submit_insecure security.warn_submit_insecure.show_once secu

## Extract Version

Pseudocode:

    ...
    version = 0x2000000;
    r = BinStorage::_addItem(binStorage, 0, 10003u, 0x20000u, &version, 4u);
    ...
    
Disassembly:

    ...
    .text:0040885C 8D 45 F4                                      lea     eax, [ebp+version]
    .text:0040885F 50                                            push    eax
    .text:00408860 57                                            push    edi
    .text:00408861 68 13 27 00 00                                push    2713h
    .text:00408866 56                                            push    esi
    .text:00408867 8B C3                                         mov     eax, ebx
    .text:00408869 C7 45 F4 00 00 00 02                          mov     [ebp+version], 2000000h
    .text:00408870 E8 D6 EE 00 00                                call    BinStorage___addItem
    ...

In [5]:
match = re.search(rb'\x68\x13\x27\x00\x00[\s\S]{1,8}?\xc7\x45[\s\S](?P<version>[\s\S]{4})', 
    pe.get_memory_mapped_image())

version_bytes = match.group("version")
version = ".".join([str(b) for b in version_bytes[::-1]])
print(version)

2.0.0.0


## Decrypt BaseConfig

The BaseConfig is decrypted using a virtual machine (VM). Source code for the VM is [here](https://github.com/nyx0/KINS/blob/master/source/common/configcrypt.cpp). The decryption pseudocode looks like this:

      ...
      vm_code = Mem::copyEx(&g_vm_code, 4096u);
      if ( vm_code )
      {
        vm_context.ecx = 0;
        qmemcpy(&base_config, &g_enc_base_config, sizeof(base_config));
        vm_context.eip = vm_code;
        vm_context.edi = &base_config;
        dword_42B238 = &base_config;
        while ( (vm_opcode_handlers[*vm_context.eip])(&vm_context) )
          ;
        Mem::free(vm_code);
      }
      ...
      
Disassembly:

    ...
    .text:00405195 68 00 10 00 00                                push    1000h
    .text:0040519A 68 F0 43 42 00                                push    offset g_vm_code
    .text:0040519F E8 54 9D 00 00                                call    Mem__copyEx
    .text:004051A4 89 45 F8                                      mov     [ebp+var_8], eax
    .text:004051A7 85 C0                                         test    eax, eax
    .text:004051A9 74 45                                         jz      short loc_4051F0
    .text:004051AB 83 65 AC 00                                   and     [ebp+vm_context.ecx], 0
    .text:004051AF 8D BD 2C FC FF FF                             lea     edi, [ebp+base_config]
    .text:004051B5 BE F0 53 42 00                                mov     esi, offset g_enc_base_config
    .text:004051BA B9 78 03 00 00                                mov     ecx, 888
    .text:004051BF F3 A4                                         rep movsb
    ...
    .text:004051DD FF 14 85 88 93 42 00                          call    vm_opcode_handlers[eax*4]
    ...

The VM's context is stored in a 76-byte structure:

    00000000 struct vm_context // sizeof=0x4C
    00000000 {
    00000000     LPBYTE eip;
    00000004     LPBYTE edi;
    00000008     DWORD ecx;
    0000000C     DWORD r[16];                        // registers
    0000004C };

Example VM byte-code looks like:

    .rdata:004243F0 g_vm_code       db  1Ah
    .rdata:004243F0
    .rdata:004243F1                 db 0BEh
    .rdata:004243F2                 db    0
    .rdata:004243F3                 db  97h
    .rdata:004243F4                 db    5
    .rdata:004243F5                 db    0
    .rdata:004243F6                 db  91h
    .rdata:004243F7                 db    3
    .rdata:004243F8                 db  50h ; P
    .rdata:004243F9                 db 0C5h
    .rdata:004243FA                 db    8
    ....
    
There are 69 opcodes performing common CPU instructions:
    
    .data:00429388 vm_opcode_handlers dd offset instr_nop_byte
    .data:00429388
    .data:00429388
    .data:0042938C                 dd offset instr_nop_word
    .data:00429390                 dd offset instr_nop_dword
    .data:00429394                 dd offset instr_xor_byte
    .data:00429398                 dd offset instr_xor_word
    .data:0042939C                 dd offset instr_xor_dword
    .data:004293A0                 dd offset instr_add_byte
    .data:004293A4                 dd offset instr_add_word
    .data:004293A8                 dd offset instr_add_dword
    .data:004293AC                 dd offset instr_sub_byte
    .data:004293B0                 dd offset instr_sub_word
    .data:004293B4                 dd offset instr_sub_dword
    .data:004293B8                 dd offset instr_rol_byte
    .data:004293BC                 dd offset instr_rol_word
    .data:004293C0                 dd offset instr_rol_dword
    .data:004293C4                 dd offset instr_ror_byte
    .data:004293C8                 dd offset instr_ror_word
    .data:004293CC                 dd offset instr_ror_dword
    .data:004293D0                 dd offset instr_not_byte
    .data:004293D4                 dd offset instr_not_word
    .data:004293D8                 dd offset instr_not_dword
    .data:004293DC                 dd offset instr_reorder
    .data:004293E0                 dd offset instr_rc4_crypt
    .data:004293E4                 dd offset instr_setecx_byte
    .data:004293E8                 dd offset instr_setecx_word
    .data:004293EC                 dd offset instr_setecx_dword
    .data:004293F0                 dd offset instr_setedi_SHORT
    .data:004293F4                 dd offset instr_loop_byte
    .data:004293F8                 dd offset instr_loop_word
    .data:004293FC                 dd offset instr_mov_r_const_byte
    .data:00429400                 dd offset instr_mov_r_const_word
    .data:00429404                 dd offset instr_mov_r_const_dword
    .data:00429408                 dd offset instr_mov_r_r_byte
    .data:0042940C                 dd offset instr_mov_r_r_word
    .data:00429410                 dd offset instr_mov_r_r_dword
    .data:00429414                 dd offset instr_add_r_r_byte
    .data:00429418                 dd offset instr_add_r_r_word
    .data:0042941C                 dd offset instr_add_r_r_dword
    .data:00429420                 dd offset instr_sub_r_r_byte
    .data:00429424                 dd offset instr_sub_r_r_word
    .data:00429428                 dd offset instr_sub_r_r_dword
    .data:0042942C                 dd offset instr_xor_r_r_byte
    .data:00429430                 dd offset instr_xor_r_r_word
    .data:00429434                 dd offset instr_xor_r_r_dword
    .data:00429438                 dd offset instr_add_r_const_byte
    .data:0042943C                 dd offset instr_add_r_const_word
    .data:00429440                 dd offset instr_add_r_const_dword
    .data:00429444                 dd offset instr_sub_r_const_byte
    .data:00429448                 dd offset instr_sub_r_const_word
    .data:0042944C                 dd offset instr_sub_r_const_dword
    .data:00429450                 dd offset instr_xor_r_const_byte
    .data:00429454                 dd offset instr_xor_r_const_word
    .data:00429458                 dd offset instr_xor_r_const_dword
    .data:0042945C                 dd offset instr_stos_add_byte
    .data:00429460                 dd offset instr_stos_add_word
    .data:00429464                 dd offset instr_stos_add_dword
    .data:00429468                 dd offset instr_stos_sub_byte
    .data:0042946C                 dd offset instr_stos_sub_word
    .data:00429470                 dd offset instr_stos_sub_dword
    .data:00429474                 dd offset instr_stos_xor_byte
    .data:00429478                 dd offset instr_stos_xor_word
    .data:0042947C                 dd offset instr_stos_xor_dword
    .data:00429480                 dd offset instr_lods_byte
    .data:00429484                 dd offset instr_lods_word
    .data:00429488                 dd offset instr_lods_dword
    .data:0042948C                 dd offset instr_stos_byte
    .data:00429490                 dd offset instr_stos_word
    .data:00429494                 dd offset instr_stos_dword
    .data:00429498                 dd offset instr_leave
    
As an example, the first opcode in the code above is opcode 26 (0x1a). Each opcode has an XOR key (e.g. 0xB1 below) used to calculate the next EIP. Opcode 26's pseudocode looks like:

    char __thiscall instr_setedi_SHORT(vm_context *vm_context)
    {
      LPBYTE v1; // eax
      BYTE v2; // dl
      BYTE *v3; // eax
      char v4; // dl

      v1 = vm_context->eip + 1;
      v2 = *v1;
      vm_context->eip = v1;
      vm_context->edi += *v1;
      v3 = v1 + 2;
      v4 = v2 ^ 0xB1;
      vm_context->eip = v3;
      if ( (*v3 & 0x80u) != 0 )
        *v3 = (v4 ^ *v3) & 0x7F;
      return 1;
    }

In [6]:
class ZVM:

    def __init__(self, code, data, xor_keys):
        self.code = code
        self.data = data
        self.xor_keys = xor_keys

        self.eip = 0
        self.ecx = 0
        self.edi = 0

        self.regs = []
        for i in range(16):
            self.regs.append(0)


    def run(self):
        count = 0

        ret = True
        while ret:
            count += 1

            op_num = self.code[self.eip]
            op_str = "op_%d" % op_num
            op = getattr(self, op_str)

            # @DEBUG
            #print("count: %d" % count)
            #print("op: %s" % op_str)
            #print("eip: %d" % self.eip)
            #print("ecx: %d" % self.ecx)
            #print("edi: %d" % self.edi)

            ret = op(self.xor_keys[op_num])

        return bytes(self.data)


    def calc_xor_key(self, eip, key):
        # work around a compiler optimization
        if not key:
            xor_key = ~eip
        else:
            xor_key = eip ^ key

        return xor_key


    def update_eip(self, num_bytes, xor_key):
        self.eip += num_bytes

        if self.code[self.eip] & 0x80:
            self.code[self.eip] = (self.code[self.eip] ^ xor_key) & 0x7f

            
    @staticmethod
    def rol(num, count, size):
        return ((num << count) | (num >> (size-count)))
    
    
    @staticmethod
    def ror(num, count, size):
        return ((num >> count) | (num << (size-count)))


    def op_0(self, key):
        # instr_nop_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+0], key)

        self.update_eip(1, xor_key)
        return True


    def op_1(self, key):
        # instr_nop_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.update_eip(2, xor_key)
        return True


    def op_2(self, key):
        # instr_nop_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.update_eip(4, xor_key)
        return True


    def op_3(self, key):
        # instr_xor_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.eip += 1

        arg = struct.unpack("B", self.code[self.eip:self.eip+1])[0]
        data_arg = struct.unpack("B", self.data[self.edi:self.edi+1])[0]
        val = struct.pack("B", (data_arg ^ arg) & 0xff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+1:]

        self.edi += 1
        self.update_eip(1, xor_key)
        return True


    def op_4(self, key):
        # instr_xor_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.eip += 1

        arg = struct.unpack("H", self.code[self.eip:self.eip+2])[0]
        data_arg = struct.unpack("H", self.data[self.edi:self.edi+2])[0]
        val = struct.pack("H", (data_arg ^ arg) & 0xffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+2:]

        self.edi += 2
        self.update_eip(2, xor_key)
        return True


    def op_5(self, key):
        # instr_xor_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.eip += 1

        arg = struct.unpack("I", self.code[self.eip:self.eip+4])[0]
        data_arg = struct.unpack("I", self.data[self.edi:self.edi+4])[0]
        val = struct.pack("I", (data_arg ^ arg) & 0xffffffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+4:]

        self.edi += 4
        self.update_eip(4, xor_key)
        return True


    def op_6(self, key):
        # instr_add_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.eip += 1

        arg = struct.unpack("B", self.code[self.eip:self.eip+1])[0]
        data_arg = struct.unpack("B", self.data[self.edi:self.edi+1])[0]
        val = struct.pack("B", (data_arg + arg) & 0xff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+1:]

        self.edi += 1
        self.update_eip(1, xor_key)
        return True


    def op_7(self, key):
        # instr_add_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.eip += 1

        arg = struct.unpack("H", self.code[self.eip:self.eip+2])[0]
        data_arg = struct.unpack("H", self.data[self.edi:self.edi+2])[0]
        val = struct.pack("H", (data_arg + arg) & 0xffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+2:]
       
        self.edi += 2
        self.update_eip(2, xor_key)
        return True


    def op_8(self, key):
        # instr_add_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.eip += 1

        arg = struct.unpack("I", self.code[self.eip:self.eip+4])[0]
        data_arg = struct.unpack("I", self.data[self.edi:self.edi+4])[0]
        val = struct.pack("I", (data_arg + arg) & 0xffffffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+4:]

        self.edi += 4
        self.update_eip(4, xor_key)
        return True


    def op_9(self, key):
        # instr_sub_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.eip += 1

        arg = struct.unpack("B", self.code[self.eip:self.eip+1])[0]
        data_arg = struct.unpack("B", self.data[self.edi:self.edi+1])[0]
        val = struct.pack("B", (data_arg - arg) & 0xff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+1:]

        self.edi += 1
        self.update_eip(1, xor_key)
        return True


    def op_10(self, key):
        # instr_sub_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.eip += 1

        arg = struct.unpack("H", self.code[self.eip:self.eip+2])[0]
        data_arg = struct.unpack("H", self.data[self.edi:self.edi+2])[0]
        val = struct.pack("H", (data_arg - arg) & 0xffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+2:]

        self.edi += 2
        self.update_eip(2, xor_key)
        return True


    def op_11(self, key):
        # instr_sub_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.eip += 1

        arg = struct.unpack("I", self.code[self.eip:self.eip+4])[0]
        data_arg = struct.unpack("I", self.data[self.edi:self.edi+4])[0]
        val = struct.pack("I", (data_arg - arg) & 0xffffffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+4:]

        self.edi += 4
        self.update_eip(4, xor_key)
        return True


    def op_12(self, key):
        # instr_rol_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        arg = self.code[self.eip+1] & 0x7
        data_arg = struct.unpack("B", self.data[self.edi:self.edi+1])[0]
        val = struct.pack("B", self.rol(data_arg, arg, 8) & 0xff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+1:]

        self.edi += 1
        self.update_eip(2, xor_key)
        return True


    def op_13(self, key):
        # instr_rol_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        arg = self.code[self.eip+1] & 0xF
        data_arg = struct.unpack("H", self.data[self.edi:self.edi+2])[0]
        val = struct.pack("H", self.rol(data_arg, arg, 16) & 0xffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+2:]

        self.edi += 2
        self.update_eip(2, xor_key)
        return True


    def op_14(self, key):
        # instr_rol_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        arg = self.code[self.eip+1] & 0x1f
        data_arg = struct.unpack("I", self.data[self.edi:self.edi+4])[0]
        val = struct.pack("I", self.rol(data_arg, arg, 32) & 0xffffffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+4:]

        self.edi += 4
        self.update_eip(2, xor_key)
        return True


    def op_15(self, key):
        # instr_ror_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        arg = self.code[self.eip+1] & 0x7
        data_arg = struct.unpack("B", self.data[self.edi:self.edi+1])[0]
        val = struct.pack("B", self.ror(data_arg, arg, 8) & 0xff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+1:]

        self.edi += 1
        self.update_eip(2, xor_key)
        return True


    def op_16(self, key):
        # instr_ror_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        arg = self.code[self.eip+1] & 0xf
        data_arg = struct.unpack("H", self.data[self.edi:self.edi+2])[0]
        val = struct.pack("H", self.ror(data_arg, arg, 16) & 0xffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+2:]

        self.edi += 2
        self.update_eip(2, xor_key)
        return True


    def op_17(self, key):
        # instr_ror_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        arg = self.code[self.eip+1] & 0x1f
        data_arg = struct.unpack("I", self.data[self.edi:self.edi+4])[0]
        val = struct.pack("I", self.ror(data_arg, arg, 32) & 0xffffffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+4:]

        self.edi += 4
        self.update_eip(2, xor_key)
        return True


    def op_18(self, key):
        # instr_not_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip], key)

        self.eip += 1

        data_arg = struct.unpack("B", self.data[self.edi:self.edi+1])[0]
        val = struct.pack("B", (~data_arg) & 0xff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+1:]

        self.edi += 1
        self.update_eip(0, xor_key)
        return True


    def op_19(self, key):
        # instr_not_WORD
        xor_key = self.calc_xor_key(self.code[self.eip], key)

        self.eip += 1

        data_arg = struct.unpack("H", self.data[self.edi:self.edi+2])[0]
        val = struct.pack("H", (~data_arg) & 0xffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+2:]

        self.edi += 2
        self.update_eip(0, xor_key)
        return True


    def op_20(self, key):
        # instr_not_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip], key)

        self.eip += 1

        data_arg = struct.unpack("I", self.data[self.edi:self.edi+4])[0]
        val = struct.pack("I", (~data_arg) & 0xffffffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+4:]

        self.edi += 4
        self.update_eip(0, xor_key)
        return True


    def op_21(self, key):
        # instr_reorder
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        arg = self.code[self.eip+1]
        data_arg = struct.unpack("I", self.data[self.edi:self.edi+4])[0]
        for i in range(4):
            pos = arg & 3
            arg >>= 2
            value = data_arg & 0xff
            data_arg >>= 8

            val = struct.pack("B", value)
            self.data = self.data[:self.edi+pos] + val + self.data[self.edi+pos+1:]

        self.edi += 4
        self.update_eip(2, xor_key)
        return True


    def op_22(self, key):
        # instr_rc4_crypt
        xor_key = self.calc_xor_key(self.code[self.eip+3], key)

        key_size = self.code[self.eip+1]
        data_size = self.code[self.eip+2]

        rc4 = ARC4.new(self.code[self.eip+3:self.eip+3+key_size])
        val = rc4.decrypt(self.data[self.edi:self.edi+data_size])
        self.data = self.data[:self.edi] + val + self.data[self.edi+data_size:]

        self.edi += data_size
        self.update_eip(3+key_size, xor_key)
        return True


    def op_24(self, key):
        # instr_setecx_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.eip += 1

        arg = struct.unpack("H", self.code[self.eip:self.eip+2])[0]
        self.ecx = arg & 0xffff

        self.update_eip(2, xor_key)
        return True


    def op_26(self, key):
        # instr_setedi_SHORT
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.eip += 1

        arg = struct.unpack("H", self.code[self.eip:self.eip+2])[0]
        self.edi = (self.edi + arg) & 0xffff

        self.update_eip(2, xor_key)
        return True


    def op_27(self, key):
        # instr_loop_BYTE
        if not key:
            xor_key = self.code[self.eip+1]
        else:
            xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        #xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        if self.code[self.eip+1+1] & 0x80:
            self.code[self.eip+1+1] = (self.code[self.eip+1+1] ^ xor_key) & 0x7f

        self.eip += 1

        if self.ecx != 0:
            self.ecx -= 1
            self.eip = self.eip + 1 - struct.unpack("B", self.code[self.eip:self.eip+1])[0]
        else:
            self.eip += 1

        return True


    def op_28(self, key):
        # instr_loop_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        if self.code[self.eip+1+2] & 0x80:
            self.code[self.eip+1+2] = (self.code[self.eip+1+2] ^ xor_key) & 0x7f

        self.eip += 1

        if self.ecx != 0:
            self.ecx -= 1
            self.eip = self.eip + 2 - struct.unpack("H", self.code[self.eip:self.eip+2])[0]
        else:
            self.eip += 2

        return True


    def op_29(self, key):
        # instr_mov_r_const_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+2], key)

        self.regs[self.code[self.eip+1] & 0xf] = self.code[self.eip+2]

        self.update_eip(3, xor_key)
        return True


    def op_30(self, key):
        # instr_mov_r_const_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+2], key)

        arg = struct.unpack("H", self.code[self.eip+2:self.eip+2+2])[0]
        self.regs[self.code[self.eip+1] & 0xf] = arg

        self.update_eip(4, xor_key)
        return True


    def op_31(self, key):
        # instr_mov_r_const_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+2], key)

        arg = struct.unpack("I", self.code[self.eip+2:self.eip+2+4])[0]
        self.regs[self.code[self.eip+1] & 0xf] = arg

        self.update_eip(6, xor_key)
        return True


    def op_32(self, key):
        # instr_mov_r_r_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.regs[self.code[self.eip+1] & 0xf] = (self.regs[self.code[self.eip+1] >> 4]) & 0xff

        self.update_eip(2, xor_key)
        return True


    def op_33(self, key):
        # instr_mov_r_r_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.regs[self.code[self.eip+1] & 0xf] = (self.regs[self.code[self.eip+1] >> 4]) & 0xffff

        self.update_eip(2, xor_key)
        return True


    def op_34(self, key):
        # instr_mov_r_r_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.regs[self.code[self.eip+1] & 0xf] = (self.regs[self.code[self.eip+1] >> 4]) & 0xffffffff

        self.update_eip(2, xor_key)
        return True


    def op_35(self, key):
        # instr_add_r_r_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.regs[self.code[self.eip+1] & 0xf] += (self.regs[self.code[self.eip+1] >> 4]) & 0xff

        self.update_eip(2, xor_key)
        return True


    def op_36(self, key):
        # instr_add_r_r_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.regs[self.code[self.eip+1] & 0xf] += (self.regs[self.code[self.eip+1] >> 4]) & 0xffff

        self.update_eip(2, xor_key)
        return True


    def op_37(self, key):
        # instr_add_r_r_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.regs[self.code[self.eip+1] & 0xf] += (self.regs[self.code[self.eip+1] >> 4]) & 0xffffffff

        self.update_eip(2, xor_key)
        return True


    def op_38(self, key):
        # instr_sub_r_r_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.regs[self.code[self.eip+1] & 0xf] -= (self.regs[self.code[self.eip+1] >> 4]) & 0xff

        self.update_eip(2, xor_key)
        return True


    def op_39(self, key):
        # instr_sub_r_r_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.regs[self.code[self.eip+1] & 0xf] -= (self.regs[self.code[self.eip+1] >> 4]) & 0xffff

        self.update_eip(2, xor_key)
        return True


    def op_40(self, key):
        # instr_sub_r_r_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.regs[self.code[self.eip+1] & 0xf] -= (self.regs[self.code[self.eip+1] >> 4]) & 0xffffffff

        self.update_eip(2, xor_key)
        return True


    def op_41(self, key):
        # instr_xor_r_r_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.regs[self.code[self.eip+1] & 0xf] ^= (self.regs[self.code[self.eip+1] >> 4]) & 0xff

        self.update_eip(2, xor_key)
        return True


    def op_42(self, key):
        # instr_xor_r_r_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.regs[self.code[self.eip+1] & 0xf] ^= (self.regs[self.code[self.eip+1] >> 4]) & 0xffff

        self.update_eip(2, xor_key)
        return True


    def op_43(self, key):
        # instr_xor_r_r_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        self.regs[self.code[self.eip+1] & 0xf] ^= (self.regs[self.code[self.eip+1] >> 4]) & 0xffffffff

        self.update_eip(2, xor_key)
        return True


    def op_44(self, key):
        # instr_add_r_const_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+2], key)

        arg = struct.unpack("B", self.code[self.eip+2:self.eip+2+1])[0]
        self.regs[self.code[self.eip+1] & 0xf] += arg

        self.update_eip(3, xor_key)
        return True


    def op_45(self, key):
        # instr_add_r_const_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+2], key)

        arg = struct.unpack("H", self.code[self.eip+2:self.eip+2+2])[0]
        self.regs[self.code[self.eip+1] & 0xf] += arg

        self.update_eip(4, xor_key)
        return True


    def op_46(self, key):
        # instr_add_r_const_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+2], key)

        arg = struct.unpack("I", self.code[self.eip+2:self.eip+2+4])[0]
        self.regs[self.code[self.eip+1] & 0xf] += arg

        self.update_eip(6, xor_key)
        return True


    def op_47(self, key):
        # instr_sub_r_const_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+2], key)

        arg = struct.unpack("B", self.code[self.eip+2:self.eip+2+1])[0]
        self.regs[self.code[self.eip+1] & 0xf] -= arg

        self.update_eip(3, xor_key)
        return True


    def op_48(self, key):
        # instr_sub_r_const_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+2], key)

        arg = struct.unpack("H", self.code[self.eip+2:self.eip+2+2])[0]
        self.regs[self.code[self.eip+1] & 0xf] -= arg

        self.update_eip(4, xor_key)
        return True


    def op_49(self, key):
        # instr_sub_r_const_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+2], key)

        arg = struct.unpack("I", self.code[self.eip+2:self.eip+2+4])[0]
        self.regs[self.code[self.eip+1] & 0xf] -= arg

        self.update_eip(6, xor_key)
        return True


    def op_50(self, key):
        # instr_xor_r_const_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+2], key)

        arg = struct.unpack("B", self.code[self.eip+2:self.eip+2+1])[0]
        self.regs[self.code[self.eip+1] & 0xf] ^= arg

        self.update_eip(3, xor_key)
        return True
        

    def op_51(self, key):
        # instr_xor_r_const_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+2], key)

        arg = struct.unpack("H", self.code[self.eip+2:self.eip+2+2])[0]
        self.regs[self.code[self.eip+1] & 0xf] ^= arg

        self.update_eip(4, xor_key)
        return True


    def op_52(self, key):
        # instr_xor_r_const_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+2], key)

        arg = struct.unpack("I", self.code[self.eip+2:self.eip+2+4])[0]
        self.regs[self.code[self.eip+1] & 0xf] ^= arg

        self.update_eip(6, xor_key)
        return True


    def op_53(self, key):
        # instr_stos_add_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        reg_arg = self.regs[self.code[self.eip+1] & 0xf] & 0xff
        data_arg = struct.unpack("B", self.data[self.edi:self.edi+1])[0]
        val = struct.pack("B", (reg_arg + data_arg) & 0xff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+1:]

        self.edi += 1
        self.update_eip(2, xor_key)
        return True


    def op_54(self, key):
        # instr_stos_add_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        reg_arg = self.regs[self.code[self.eip+1] & 0xf] & 0xffff
        data_arg = struct.unpack("H", self.data[self.edi:self.edi+2])[0]
        val = struct.pack("H", (reg_arg + data_arg) & 0xffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+2:]

        self.edi += 2
        self.update_eip(2, xor_key)
        return True


    def op_55(self, key):
        # instr_stos_add_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        reg_arg = self.regs[self.code[self.eip+1] & 0xf] & 0xffffffff
        data_arg = struct.unpack("I", self.data[self.edi:self.edi+4])[0]
        val = struct.pack("I", (reg_arg + data_arg) & 0xffffffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+4:]

        self.edi += 4
        self.update_eip(2, xor_key)
        return True


    def op_56(self, key):
        # instr_stos_sub_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        reg_arg = self.regs[self.code[self.eip+1] & 0xf] & 0xff
        data_arg = struct.unpack("B", self.data[self.edi:self.edi+1])[0]
        val = struct.pack("B", (data_arg - reg_arg) & 0xff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+1:]

        self.edi += 1
        self.update_eip(2, xor_key)
        return True


    def op_57(self, key):
        # instr_stos_sub_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        reg_arg = self.regs[self.code[self.eip+1] & 0xf] & 0xffff
        data_arg = struct.unpack("H", self.data[self.edi:self.edi+2])[0]
        val = struct.pack("H", (data_arg - reg_arg) & 0xffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+2:]

        self.edi += 2
        self.update_eip(2, xor_key)
        return True


    def op_58(self, key):
        # instr_stos_sub_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        reg_arg = self.regs[self.code[self.eip+1] & 0xf] & 0xffffffff
        data_arg = struct.unpack("I", self.data[self.edi:self.edi+4])[0]
        val = struct.pack("I", (data_arg - reg_arg) & 0xffffffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+4:]

        self.edi += 4
        self.update_eip(2, xor_key)
        return True


    def op_59(self, key):
        # instr_stos_xor_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        reg_arg = self.regs[self.code[self.eip+1] & 0xf] & 0xff
        data_arg = struct.unpack("B", self.data[self.edi:self.edi+1])[0]
        val = struct.pack("B", reg_arg ^ data_arg)
        self.data = self.data[:self.edi] + val + self.data[self.edi+1:]

        self.edi += 1
        self.update_eip(2, xor_key)
        return True


    def op_60(self, key):
        # instr_stos_xor_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        reg_arg = self.regs[self.code[self.eip+1] & 0xf] & 0xffff
        data_arg = struct.unpack("H", self.data[self.edi:self.edi+2])[0]
        val = struct.pack("H", reg_arg ^ data_arg)
        self.data = self.data[:self.edi] + val + self.data[self.edi+2:]

        self.edi += 2
        self.update_eip(2, xor_key)
        return True


    def op_61(self, key):
        # instr_stos_xor_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        reg_arg = self.regs[self.code[self.eip+1] & 0xf] & 0xffffffff
        data_arg = struct.unpack("I", self.data[self.edi:self.edi+4])[0]
        val = struct.pack("I", reg_arg ^ data_arg)
        self.data = self.data[:self.edi] + val + self.data[self.edi+4:]

        self.edi += 4
        self.update_eip(2, xor_key)
        return True


    def op_62(self, key):
        # instr_lods_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        data_arg = struct.unpack("B", self.data[self.edi:self.edi+1])[0]
        self.regs[self.code[self.eip+1] & 0xf] = data_arg

        self.update_eip(2, xor_key)
        return True


    def op_63(self, key):
        # instr_lods_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        data_arg = struct.unpack("H", self.data[self.edi:self.edi+2])[0]
        self.regs[self.code[self.eip+1] & 0xf] = data_arg

        self.update_eip(2, xor_key)
        return True


    def op_64(self, key):
        # instr_lods_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        data_arg = struct.unpack("I", self.data[self.edi:self.edi+4])[0]
        self.regs[self.code[self.eip+1] & 0xf] = data_arg

        self.update_eip(2, xor_key)
        return True


    def op_65(self, key):
        # instr_stos_BYTE
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        val = struct.pack("B", (self.regs[self.code[self.eip+1] & 0xf]) & 0xff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+1:]

        self.edi += 1
        self.update_eip(2, xor_key)
        return True


    def op_66(self, key):
        # instr_stos_WORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        val = struct.pack("H", (self.regs[self.code[self.eip+1] & 0xf]) & 0xffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+2:]

        self.edi += 2
        self.update_eip(2, xor_key)
        return True


    def op_67(self, key):
        # instr_stos_DWORD
        xor_key = self.calc_xor_key(self.code[self.eip+1], key)

        val = struct.pack("I", (self.regs[self.code[self.eip+1] & 0xf]) & 0xffffffff)
        self.data = self.data[:self.edi] + val + self.data[self.edi+4:]

        self.edi += 4
        self.update_eip(2, xor_key)
        return True


    def op_68(self, key):
        # instr_leave
        return False

In [7]:
match = re.search(rb'\x68(?P<vm_code_len>\x00\x10\x00\x00)\x68(?P<vm_code_addr>[\s\S]{4})\xe8[\s\S]{0,32}\xbe(?P<enc_base_config_addr>[\s\S]{4})\xb9(?P<enc_base_config_len>[\s\S]{2}\x00\x00)[\s\S]{0,32}\xff\x14\x85(?P<vm_handlers_addr>[\s\S]{4})',
    pe.get_memory_mapped_image())

vm_code_len = struct.unpack("I", match.group("vm_code_len"))[0]
vm_code_addr = struct.unpack("I", match.group("vm_code_addr"))[0]
enc_base_config_addr = struct.unpack("I", match.group("enc_base_config_addr"))[0]
enc_base_config_len = struct.unpack("I", match.group("enc_base_config_len"))[0]
vm_handlers_addr = struct.unpack("I", match.group("vm_handlers_addr"))[0]

vm_code_rva = vm_code_addr - pe.OPTIONAL_HEADER.ImageBase
vm_code = pe.get_data(vm_code_rva, vm_code_len)

vm_handlers_rva = vm_handlers_addr - pe.OPTIONAL_HEADER.ImageBase
num_vm_handlers = 69
vm_handlers = pe.get_data(vm_handlers_rva, 4*num_vm_handlers)

enc_base_config_rva = enc_base_config_addr - pe.OPTIONAL_HEADER.ImageBase
enc_base_config = pe.get_data(enc_base_config_rva, enc_base_config_len)

# extract xor keys from the handlers
xor_keys = []
for i in range(num_vm_handlers):
    handler_addr = struct.unpack("I", vm_handlers[i*4:i*4+4])[0]
    handler_rva = handler_addr - pe.OPTIONAL_HEADER.ImageBase
    # 48 bytes is arbitrary
    handler = pe.get_data(handler_rva, 48)
    
    # find end of the handler
    ret_match = re.search(rb'\xc3', handler)
    if ret_match:
        handler = handler[:ret_match.end()]
    
    for regex in [
        rb"\x80\xf2(?P<xor_key>[\s\S]{1})",
        rb"\x80\xf3(?P<xor_key>[\s\S]{1})",
        rb"\x34(?P<xor_key>[\s\S]{1})"
    ]:
        match = re.search(regex, handler)
        if match:
            xor_key = struct.unpack("B", match.group("xor_key"))[0]
            xor_keys.append(xor_key)
            break
            
# instr_leave doesn't have a key
xor_keys.append(0)
            
vm = ZVM(bytearray(vm_code), bytearray(enc_base_config), xor_keys)
base_config = vm.run()

print(base_config)

b'\x19\xaa\xc7\xaf)Wk\x04\xa7\xa8\\\xca\xd5\xe3\x96\x97=\x80\x86\xb6P8\xcd\xd7M^A\x05dr4\xd9\x1c\xf4\xfa\xed\xf2v\xa5\x94B\xf5\x13\xc8ki+d/\x9bc\x94X7\x85\x89\x00$\x00\x00\xd3\xf2\xf4\x03QF\x8f~\x8b\x9d\xd1\x0e\xd2\x89rLJ\xad\xfb\xd7\xcd\xbd\x06c\xbdV\xb5~.\x81[\xbb@\xd9\xf4\xa7q:;\xdb\x1c\x1b\xcc\xbf\xfb\xac\xd3\xbd\xd4\x13vS\x9c\xafY\xf7\xc3D\t\x90A\xf2=\xe8\xc2\x85\xdb\xb5-\xed9~\xe93\xed[\x91-\x83V\xedX\xad\x9eC\xccC\xc3\xfajW8$r \xb4\xa5\x81\xb3\xb4\xc3\xaa\xfb\xba\x16k\x9f\x19^\xa5\xfd\x1c\xae\xccH\xbd)\x83\xb8"4\xc9\x08\xaeS4mJ\xd9q\xd5\xaf\xc94\x84\xb7\xe96\xc9\x91Z\x19\xdf\xcf#5E\x90\x87_\x8f\x0f\x17I\x81ctem\xb6\xe2\xb9z+<>aY[\xfee\x93\xb1\xb1_Z\x03~\xfem\xdb\xb2\xf4\xbf\x87@\xefW2\xc6\xf1\x11\xc7ct\xb0\xae\xae\xa5\x19\xd3\xbd\x08\xc5\xa8\x9c\x06\xdd\x1eQu\x89 \xc5\x00\x006IL=m\x01M\x05\xf8\xfb\xceo,Gr\'W\n\x9d\x8f\xa6\xce|\xb1F\x1cFw\xcaM\xc1\x1e\xcd\x9d\x07\xe8\xd8\x81\x8a\x11\x86;V\x05\xe5\xab\x96\xd0 hZ\xd6\x01\x00\x01\x00\xdf\xdbo\xc6wv\xb3\xfb\x00\x00\x00\x00\xc9\xad\x0

## Parse BaseConfig

In [8]:
def rc4_keystate(S, in_buf):
    out_buf = b""

    i = S[256]
    j = S[257]
    
    for in_byte in in_buf:
        (i, j, S, K) = rc4_prga(i, j, S)
        out_byte = in_byte ^ K
        out_buf += struct.pack("B", out_byte)

    return out_buf


def rc4_prga(i, j, S):
    i = (i + 1) % 256
    j = (j + S[i]) % 256

    S = bytearray(S)
    S[i], S[j] = S[j], S[i]
    S = bytes(S)

    K = S[(S[i] + S[j]) % 256]

    return (i, j, S, K)


flags = struct.unpack("I", base_config[0x38:0x38+4])[0]
print(f"flags: 0x{flags:x}\n")

defaultBotnet = base_config[0x112:0x112+21].split(b"\x00\x00")[0].decode()
print(f"defaultBotnet: {defaultBotnet}\n")

delay1 = struct.unpack("I", base_config[0x148:0x148+4])[0]
print(f"delay1: {delay1}\n")

module_xor_key = base_config[0x154]
print(f"module_xor_key: {module_xor_key}\n")

rc4_key_state = base_config[0x15f:0x15f+258]
print(f"rc4_key_state: {rc4_key_state}\n")

rc6_key_state = base_config[0x294:0x294+176]
print(f"rc6_key_state: {rc6_key_state}\n")

fake_c2 = base_config[0x34c:0x34c+101].split(b"\x00")[0].decode().replace("http", "hxxp")
print(f"fake_c2: {fake_c2}\n")

# c2s are encrypted with rc4
enc_c2_1 = base_config[0x3d:0x3d+101]
c2_1 = rc4_keystate(rc4_key_state, enc_c2_1).split(b"\x00")[0].decode().replace("http", "hxxp")
print(f"c2_1: {c2_1}\n")

enc_c2_2 = base_config[0xac:0xac+101]
# the second c2 is decrypted with the reverse of rc4_key_state
key_state = rc4_key_state[:256][::-1] + rc4_key_state[256:]
c2_2 = rc4_keystate(key_state, enc_c2_2).split(b"\x00")[0].decode().replace("http", "hxxp")
print(f"c2_2: {c2_2}\n")

flags: 0x2400

defaultBotnet: 

delay1: 65537

module_xor_key: 0

rc4_key_state: b'\xd1\x02\xce<s\x93\xe0\xbf}t_\xb9x\xc4k\xc61\xa3\x108\xba.\xd7D\xbdJ\x9d\xf6p%#\xeb\xc0\xfd\xb89ho\x8f/\x1c\x1eb\x8a\x0b(\xc1\xe9\n "67\x9c\x0e\x84@\x1b\x07\xdbG\x1f\x11\x01\x85SnP\xee\x17>?\x0c\xd2\xad\xa1QU~\xca\xbc\xf1\xd8C;\xff\xd5z\'L\xb2|\xab:,[T\x90i\xb3\x89\xd0g\xa8\xaael\x06\xacq\xcdB!\xc3\x05\xf2\x8d\x80Y\xdd\xbeM\x95R\xe1\x08`\xc2\xb4\xf9d\xaf\xcf\xa5\xe4\x96\x91r\xc5\xfb\xd9\xc9Vv\xe2\x81\x98$\x12\x88\x8e\xb0\x97]K\x8cF\xa4\x15\xb1\xa6\x92\xf5a\x87Af\xe3)\xa9O-\xfe\xedEy\xdc\x7fZmH\xeaj\xe5\xa2\t\xf7\xd4\x83\xd6+\xf3\x04w\xd34&N\x18W=\x86\xa0\xf0\xef\xec\x82\xb7\x9a3\x8b\\\x03\xc8\x0fu\xde\xcb\xe60\xdf\xda\xb6\xbb\xaeI\xc7\x94\x9e{\xf4\x19\x1dc\xf8\xe8\xa7X\r\x9f\xfc\x13\x99\x142\x00\xe7\xb5\x16*5\x1a\xcc\xfa^\x9b\x00\x00'

rc6_key_state: b'Z\xd6\xe8\xa2Lc\xabl\x19\xc1L|\xdaE\x1c\xcd6\xff\xeaw\xc3$\x84\xf2L\xe2\xd8w\xee\x9e\xb2s\xd2\x14{a\xc5\xc1\x83e\x7f<\x15\xecT\xef\xba~\xbf^\xfa\xbe6\xdbt

## Download and Decrypt DynamicConfig

![](kins_2.0.0.0_pcap.png)

The DynamicConfig is stored encrypted in an JPG file (e.g. config.jpg):

![](config.jpg)

First the JPG magic bytes (0xff, 0xd8) are checked. Next, a text comment (0xff, 0xfe) with a tag of 0x103f is extracted. This data is base64 decoded, RC6 decrypted using a RC6 keystate from the BaseConfig, and its signature checked with an embedded RSA key.

Pseudocode:

    bool __userpurge extract_config_from_image@<al>(int a1@<ebx>, char a2) 
    {   
      // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND]

      v2 = *a1;
      v3 = **a1 == 0xFF;                            // look for jpg magic bytes
      var_5 = 0;
      if ( v3 || v2[1] == 0xD8 )                    // look for jpg magic bytes
      {   
        v4 = &v2[*(a1 + 4)];
        while ( 1 ) 
        {   
          if ( v2 > v4 )
            return 0;
          if ( *v2 == 0xFF && v2[1] == 0xFE && *(v2 + 2) == 0x103F )// find text comment marker
                                                    //  
                                                    // 0x103F is a tag indicating this is where the config is
            break;
          ++v2;
        }   
        no_b64_buf = Crypt::_base64Decode(*(v2 + 10), v2 + 14, &no_b64_buf_len);
        Mem::free(*a1);
        *a1 = no_b64_buf;
        *(a1 + 4) = no_b64_buf_len;
        ... 
        if ( !BinStorage::_unpack_rc6_check_rsa_signature(&base_config.rc6_key, *a1, *(a1 + 4), &v15, &g_rsa_key, 276) )
        ... 

In [9]:
def rol(num, count, size):
    return ((num << count) | (num >> (size-count)))


def ror(num, count, size):
    return ((num >> count) | (num << (size-count)))


def rc6_keystate(key_state, in_buf):
    S = []
    for i in range(0, len(key_state), 4): 
        S.append(struct.unpack("I", key_state[i:i+4])[0])

    plain_buf = []
    for i in range(0, len(in_buf), 16):
        enc_block = in_buf[i:i+16]
        plain_block = rc6_decrypt(enc_block, S)
        plain_buf.append(plain_block)

    plain_buf = b"".join(plain_buf)

    return plain_buf


def rc6_decrypt(enc_block, S): 
    # from https://github.com/shashankrao/RC6-Block-Cipher
    # clean up fixed an unknown bug
    (A, B, C, D) = struct.unpack("IIII", enc_block)
    r = 20

    C = (C - S[2 * r + 3]) % 2**32
    A = (A - S[2 * r + 2]) % 2**32
    for i in range(r, 0, -1):
        (A, B, C, D) = (D, A, B, C)

        t_temp = (B * (2 * B + 1)) & 0xffffffff
        t = rol(t_temp, 5, 32) & 0xffffffff

        u_temp = (D * (2 * D + 1)) & 0xffffffff
        u = rol(u_temp, 5, 32) & 0xffffffff

        C_temp = (C - S[2 * i + 1]) & 0xffffffff
        tmod = t % 32
        C = (ror(C_temp, tmod, 32) ^ u) & 0xffffffff

        A_temp = (A - S[2 * i]) & 0xffffffff
        umod = u % 32
        A = (ror(A_temp, umod, 32) ^ t) & 0xffffffff

    D = (D - S[1]) % 2**32
    B = (B - S[0]) % 2**32

    plain_block = struct.pack("IIII", A, B, C, D)

    return plain_block


def visual_decrypt(enc_buf):
    buf = bytearray(enc_buf)

    for i in range(len(buf)-1, 0, -1):
        buf[i] ^= buf[i-1]

    plain_buf = bytes(buf)

    return plain_buf


# Load JPG containing encrypted config
fp = open("config.jpg", "rb")
config_jpg = fp.read()
fp.close()

# find text comment
match = re.search(rb'\xff\xfe\x3f\x10', config_jpg)
chunk_offset = match.start()
chunk_size = struct.unpack("I", config_jpg[chunk_offset+10:chunk_offset+10+4])[0]
chunk = config_jpg[chunk_offset+14:chunk_offset+14+chunk_size]

chunk_no_b64 = base64.b64decode(chunk)

round1 = rc6_keystate(rc6_key_state, chunk_no_b64)
binstorage = visual_decrypt(round1)
print(binstorage)

b'I\xb5\xed@\xcc\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\n\x00\x00\x00<\xe9\x99D\x00\x00\x00\x005N\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00&\x87pY\x00\x00\x00\x00"N\x00\x00\x04\x00\x00\x00\x18\x00\x00\x00\x18\x00\x00\x00http://istyle.ge/bot.exe\x00\x00\x00\x00.N\x00\x00\x04\x00\x00\x00\x1c\x00\x00\x00\x1c\x00\x00\x00http://istyle.ge/mod_vnc.bin\x00\x00\x00\x004N\x00\x00\x04\x00\x00\x00\x1c\x00\x00\x00\x1c\x00\x00\x00http://istyle.ge/mod_spm.bin\x00\x00\x00\x00#N\x00\x00\x04\x00\x00\x00\x19\x00\x00\x00\x19\x00\x00\x00http://istyle.ge/gate.php\x00\x00\x00\x00%N\x00\x00\x05\x00\x00\x00\xa4\x00\x00\x00\xd3\x00\x00\x00\xdb\xff\xff\xff!*.microsoft.com/*\x00!http:/\tm\xd6}\xed\xfdyspace\x16\x15\x14s\x15w\x00\xb0\xbf\xbd\xfd.grup1ant\x02der.es5\xc0\xda\xff?odnoklassniki.)\x1b\xfb?\xbb{vko3kte\x16@*/login.K6`Ovmp\x12atl\x10$:\xdb\x8e\xfd\x0bvappl\x8d/m\x96/\x1a`\xfb\xd8\'digg\x15news1\x00\x00\x00\x00\x00\x00\x00\x90\x00\xff\x00\x00\x00\x00\x01\x00\x00\x00\t\x00\x00\x00L\x00\x

## Parse DynamicConfig

The header and section structures are different than the traditional Zeus BinStorage.

In [10]:
def parse_binstorage_header(binstorage):
    header = {
        "randData": struct.unpack("I", binstorage[0:4])[0],
        "size": struct.unpack("I", binstorage[4:8])[0],
        "flags": struct.unpack("I", binstorage[8:12])[0],
        "number_of_groups": struct.unpack("I", binstorage[12:16])[0],
        "count": struct.unpack("I", binstorage[16:20])[0],
        "hash": binstorage[20:24],
    }
        
    return header


def parse_binstorage_sections(section_data, num_sections):
    CFGIDS = {
        20001: "CFGID_LAST_VERSION",
        20002: "CFGID_LAST_VERSION_URL",
        20003: "CFGID_URL_SERVER_0",
        20004: "CFGID_URL_ADV_SERVERS",
        20005: "CFGID_HTTP_FILTER",
        20006: "CFGID_HTTP_POSTDATA_FILTER",
        20007: "CFGID_HTTP_INJECTS_LIST",
        20008: "CFGID_DNS_LIST",
        20018: "CFGID_SPAM_TASK",
    }
    
    sections = []
    offset = 0
    for i in range(num_sections):
        section = {}
        
        id_ = struct.unpack("I", section_data[offset+4:offset+8])[0]
        if int(id_) in CFGIDS:
            section["id"] = f'{CFGIDS[int(id_)]} ({id_})'
        else:
            section["id"] = id_
            
        section["group_number"] = struct.unpack("I", section_data[offset+0:offset+4])[0]
        section["flags"] = struct.unpack("I", section_data[offset+8:offset+12])[0]
        section["size"] = struct.unpack("I", section_data[offset+12:offset+16])[0]
        section["realSize"] = struct.unpack("I", section_data[offset+16:offset+20])[0]
        # additional parsing of data is left as an exercise
        section["data"] = section_data[offset+20:offset+20+section["size"]]
        
        offset += 4 + 4 + 4 + 4 + 4 + section["size"]
        
        sections.append(section)
        
    return sections


binstorage_header = parse_binstorage_header(binstorage)
print("binstorage_header:\n")
pprint.pprint(binstorage_header)

binstorage_sections = parse_binstorage_sections(binstorage[24:], binstorage_header["count"])
print()
print("binstorage_sections:\n")
pprint.pprint(binstorage_sections)

binstorage_header:

{'count': 10,
 'flags': 0,
 'hash': b'<\xe9\x99D',
 'number_of_groups': 0,
 'randData': 1089320265,
 'size': 972}

binstorage_sections:

[{'data': b'&\x87pY',
  'flags': 4,
  'group_number': 0,
  'id': 20021,
  'realSize': 4,
  'size': 4},
 {'data': b'http://istyle.ge/bot.exe',
  'flags': 4,
  'group_number': 0,
  'id': 'CFGID_LAST_VERSION_URL (20002)',
  'realSize': 24,
  'size': 24},
 {'data': b'http://istyle.ge/mod_vnc.bin',
  'flags': 4,
  'group_number': 0,
  'id': 20014,
  'realSize': 28,
  'size': 28},
 {'data': b'http://istyle.ge/mod_spm.bin',
  'flags': 4,
  'group_number': 0,
  'id': 20020,
  'realSize': 28,
  'size': 28},
 {'data': b'http://istyle.ge/gate.php',
  'flags': 4,
  'group_number': 0,
  'id': 'CFGID_URL_SERVER_0 (20003)',
  'realSize': 25,
  'size': 25},
 {'data': b'\xdb\xff\xff\xff!*.microsoft.com/*\x00!http:/\tm\xd6}\xed\xfdyspa'
          b'ce\x16\x15\x14s\x15w\x00\xb0\xbf\xbd\xfd.grup1ant\x02der.e'
          b's5\xc0\xda\xff?odnoklassniki.)

## Commands

Commands are referenced by hash. The hashing algorithm is CRC32 with a DWORD XOR of the lowercase wide string name.

Pseudocode:

      ... 
      while ( !str_by_crc32_xor_0x9E3D05C_W(-1, *command_name, g_cmd_hashes[2 * index]) )
      {   
        if ( ++index >= 29 )
          goto LABEL_36;
      }   
      v26 = 2;
      v27 = 327;                                // '<InitVal>'
      g_cmd_funcs[2 * index](&v26);
      ... 

In [11]:
command_names = [
    "config_update",
    "bot_uninstall",
    "os_shutdown",
    "bot_update",
    "os_reboot",
    "patch_ie",
    "bot_bc_remove",
    "bot_bc_add",
    "bot_httpinject_enable",
    "bot_httpinject_disable",
    "cmd_parser",
    "fs_search_add",
    "user_execute",
    "user_destroy",
    "user_logoff",
    "fs_search_remove", 
    "fs_path_get",
    "user_cookies_remove",
    "user_cookies_get",
    "user_certs_get",
    "user_certs_remove",
    "user_url_unblock",
    "user_url_block",
    "user_homepage_set",
    "user_ftpclients_get",
    "user_emailclients_get",
    "user_flashplayer_remove",
    "user_flashplayer_get",
    "bot_load_dll"
]

for command_name in command_names:
    wide = "\x00".join(command_name.lower()).encode()
    crc32 = binascii.crc32(wide + b"\x00")
    hash = crc32 ^ 0x9E3D05C
    print(f"{command_name}: 0x{hash:x}")

config_update: 0x8d9d8881
bot_uninstall: 0x44bebe20
os_shutdown: 0x974fde2a
bot_update: 0xa9fe8866
os_reboot: 0x44b89a18
patch_ie: 0x960265f0
bot_bc_remove: 0x4557b317
bot_bc_add: 0x8c429f0b
bot_httpinject_enable: 0x416644ec
bot_httpinject_disable: 0x40569c14
cmd_parser: 0x664954ab
fs_search_add: 0xa771af4
user_execute: 0x5d15f61d
user_destroy: 0x72098f9f
user_logoff: 0x48b435ca
fs_search_remove: 0xfad84898
fs_path_get: 0x664452d8
user_cookies_remove: 0x9cffdaf9
user_cookies_get: 0x1630c72f
user_certs_get: 0x20a09f8e
user_certs_remove: 0xdb7ae43e
user_url_unblock: 0xae97ca48
user_url_block: 0x1867c285
user_homepage_set: 0xe465dd7e
user_ftpclients_get: 0xf8d318b6
user_emailclients_get: 0x7acd2f38
user_flashplayer_remove: 0x63be3ea9
user_flashplayer_get: 0x3998a677
bot_load_dll: 0x5e2c6242
