khr0x40sh · March 23, 2023 20:14
diff --git a/decrypt_phase3.py b/decrypt_phase3.py
 import os
 import base64
 from Crypto.Cipher import AES
 import gzip, zlib

 def decrypt(data, key):
    cipher = AES.new(key, AES.MODE_CBC, data[:AES.block_size])
    return cipher.decrypt(data[AES.block_size:])

 def decompress(data):
    if len(data)> 0:
        for i in range(64):
            try:
                if data[:-i] == '\x00':
                    data = data[:-i]
            except:
                pass
        return zlib.decompress(data, 15 + 32)
    else:
        return None

 ##key
 key = base64.b64decode("nUbFDDJadpsuGML4Jxsq58nILvjoNu76u4FIHVGIKSQ=")  #found in phase 2 response

 ### get all files with %3fdVfhJmc2ciKvPOC
 path = "./destdir"
 dir_list = os.listdir(path)

 files = []
 dec = []
 for file in dir_list:
    if "%3fdVfhJmc2ciKvPOC" in file:
        with open(path+"/"+file,'rb') as f:
            files.append([file, f.read()]) #could do operations here, but bad practice with file i/o

 for filename,filebytes in files:
    if bytearray([0x89, 0x50, 0x4E,0x47]) in filebytes[:4]: # PNG header, def not base64 or html
        temp = decompress(decrypt(filebytes[1500:], key))
        try:
            temp = base64.b64decode(temp)
        except:
            pass
        dec.append([filename, temp])
    else:
        try:
            temp = decrypt(base64.b64decode(filebytes.decode().strip('\x00')), key)
            try:
                temp = base64.b64decode(temp)
            except:
                pass
            dec.append([filename, temp])
            #dec.append([filename, decrypt(base64.b64decode(filebytes.decode().strip('\x00')))])
        except:
            #maybe it isn't base64
            print("[!] Could not decrypt {}:\n{}\n".format(filename, filebytes[:10]))


 for f,d in dec:
    if None != d:
        if b"loadmodule" in d[:32]:
            if b'TVqQAAMAAAAEAAAA/' in d[23:41]:
                #we have a bin here, may have to remove !d-3dion@LD!-d
                with open('./dec_'+f+'.bin', 'wb') as f:
                    f.write(base64.b64decode(d[23:].decode().strip('\x00')))
        elif bytearray([0x89, 0x50, 0x4E,0x47]) in d[:8]:
            #we got a screenshot
            with open('./dec_'+f+'.png', 'wb') as f:
                f.write(d)
        else:
            print("Dumping unknown data from {} to {}".format(f,("dec_"+f+".dec")))
            with open('./dec_'+f+'.dec', 'wb') as f:
                f.write(d)
	import os
	import base64
	from Crypto.Cipher import AES
	import gzip, zlib

	def decrypt(data, key):
	cipher = AES.new(key, AES.MODE_CBC, data[:AES.block_size])
	return cipher.decrypt(data[AES.block_size:])

	def decompress(data):
	if len(data)> 0:
	for i in range(64):
	try:
	if data[:-i] == '\x00':
	data = data[:-i]
	except:
	pass
	return zlib.decompress(data, 15 + 32)
	else:
	return None

	##key
	key = base64.b64decode("nUbFDDJadpsuGML4Jxsq58nILvjoNu76u4FIHVGIKSQ=") #found in phase 2 response

	### get all files with %3fdVfhJmc2ciKvPOC
	path = "./destdir"
	dir_list = os.listdir(path)

	files = []
	dec = []
	for file in dir_list:
	if "%3fdVfhJmc2ciKvPOC" in file:
	with open(path+"/"+file,'rb') as f:
	files.append([file, f.read()]) #could do operations here, but bad practice with file i/o

	for filename,filebytes in files:
	if bytearray([0x89, 0x50, 0x4E,0x47]) in filebytes[:4]: # PNG header, def not base64 or html
	temp = decompress(decrypt(filebytes[1500:], key))
	try:
	temp = base64.b64decode(temp)
	except:
	pass
	dec.append([filename, temp])
	else:
	try:
	temp = decrypt(base64.b64decode(filebytes.decode().strip('\x00')), key)
	try:
	temp = base64.b64decode(temp)
	except:
	pass
	dec.append([filename, temp])
	#dec.append([filename, decrypt(base64.b64decode(filebytes.decode().strip('\x00')))])
	except:
	#maybe it isn't base64
	print("[!] Could not decrypt {}:\n{}\n".format(filename, filebytes[:10]))


	for f,d in dec:
	if None != d:
	if b"loadmodule" in d[:32]:
	if b'TVqQAAMAAAAEAAAA/' in d[23:41]:
	#we have a bin here, may have to remove !d-3dion@LD!-d
	with open('./dec_'+f+'.bin', 'wb') as f:
	f.write(base64.b64decode(d[23:].decode().strip('\x00')))
	elif bytearray([0x89, 0x50, 0x4E,0x47]) in d[:8]:
	#we got a screenshot
	with open('./dec_'+f+'.png', 'wb') as f:
	f.write(d)
	else:
	print("Dumping unknown data from {} to {}".format(f,("dec_"+f+".dec")))
	with open('./dec_'+f+'.dec', 'wb') as f:
	f.write(d)