@Dump-GUY
Created April 4, 2023 11:06
from pprint import pprint
from dumpulator import Dumpulator
# ------------------Initialization ------------------
# Candidate system-language table: hex-string language ID -> readable name.
# The values look like Windows language identifiers (e.g. 0x409 = en-US) -- TODO confirm
# the table against the official LCID list before relying on a name.
# Keys are kept as strings and parsed with int(key_id, 16) when fed to the emulator,
# so the mixed zero-padding and hex-digit case ('0x436', '0x041c', '0x141A') is harmless.
# The names are emitted verbatim in the final report, spelling included.
languages = {'0x436' : "Afrikaans_South_Africa", '0x041c' : "Albanian_Albania", '0x045e' : "Amharic_Ethiopia", '0x401' : "Arabic_Saudi_Arabia",
'0x1401' : "Arabic_Algeria", '0x3c01' : "Arabic_Bahrain", '0x0c01' : "Arabic_Egypt", '0x801' : "Arabic_Iraq", '0x2c01' : "Arabic_Jordan",
'0x3401' : "Arabic_Kuwait", '0x3001' : "Arabic_Lebanon", '0x1001' : "Arabic_Libya", '0x1801' : "Arabic_Morocco", '0x2001' : "Arabic_Oman",
'0x4001' : "Arabic_Qatar", '0x2801' : "Arabic_Syria", '0x1c01' : "Arabic_Tunisia", '0x3801' : "Arabic_UAE", '0x2401' : "Arabic_Yemen",
'0x042b' : "Armenian_Armenia", '0x044d' : "Assamese", '0x082c' : "Azeri_Cyrillic", '0x042c' : "Azeri_Latin", '0x042d' : "Basque",
'0x423' : "Belarusian", '0x445' : "Bengali_India", '0x845' : "Bengali_Bangladesh", '0x141A' : "Bosnian_BosniaHerzegovina", '0x402' : "Bulgarian",
'0x455' : "Burmese", '0x403' : "Catalan", '0x045c' : "Cherokee_United_States", '0x804' : "Chinese_Peoples_Republic_of_China",
'0x1004' : "Chinese_Singapore", '0x404' : "Chinese_Taiwan", '0x0c04' : "Chinese_Hong_Kong_SAR", '0x1404' : "Chinese_Macao_SAR", '0x041a' : "Croatian",
'0x101a' : "Croatian_BosniaHerzegovina", '0x405' : "Czech", '0x406' : "Danish", '0x465' : "Divehi", '0x413' : "Dutch_Netherlands", '0x813' : "Dutch_Belgium",
'0x466' : "Edo", '0x409' : "English_United_States", '0x809' : "English_United_Kingdom", '0x0c09' : "English_Australia", '0x2809' : "English_Belize",
'0x1009' : "English_Canada", '0x2409' : "English_Caribbean", '0x3c09' : "English_Hong_Kong_SAR", '0x4009' : "English_India", '0x3809' : "English_Indonesia",
'0x1809' : "English_Ireland", '0x2009' : "English_Jamaica", '0x4409' : "English_Malaysia", '0x1409' : "English_New_Zealand", '0x3409' : "English_Philippines",
'0x4809' : "English_Singapore", '0x1c09' : "English_South_Africa", '0x2c09' : "English_Trinidad", '0x3009' : "English_Zimbabwe", '0x425' : "Estonian",
'0x438' : "Faroese", '0x429' : "Farsi", '0x464' : "Filipino", '0x040b' : "Finnish", '0x040c' : "French_France", '0x080c' : "French_Belgium",
'0x2c0c' : "French_Cameroon", '0x0c0c' : "French_Canada", '0x240c' : "French_Democratic_Rep_of_Congo", '0x300c' : "French_Cote_dIvoire",
'0x3c0c' : "French_Haiti", '0x140c' : "French_Luxembourg", '0x340c' : "French_Mali", '0x180c' : "French_Monaco", '0x380c' : "French_Morocco",
'0xe40c' : "French_North_Africa", '0x200c' : "French_Reunion", '0x280c' : "French_Senegal", '0x100c' : "French_Switzerland",
'0x1c0c' : "French_West_Indies", '0x462' : "Frisian_Netherlands", '0x467' : "Fulfulde_Nigeria", '0x042f' : "FYRO_Macedonian", '0x083c' : "Gaelic_Ireland",
'0x043c' : "Gaelic_Scotland", '0x456' : "Galician", '0x437' : "Georgian", '0x407' : "German_Germany", '0x0c07' : "German_Austria", '0x1407' : "German_Liechtenstein",
'0x1007' : "German_Luxembourg", '0x807' : "German_Switzerland", '0x408' : "Greek", '0x474' : "Guarani_Paraguay", '0x447' : "Gujarati", '0x468' : "Hausa_Nigeria",
'0x475' : "Hawaiian_United_States", '0x040d' : "Hebrew", '0x439' : "Hindi", '0x040e' : "Hungarian", '0x469' : "Ibibio_Nigeria", '0x040f' : "Icelandic",
'0x470' : "Igbo_Nigeria", '0x421' : "Indonesian", '0x045d' : "Inuktitut", '0x410' : "Italian_Italy", '0x810' : "Italian_Switzerland", '0x411' : "Japanese",
'0x044b' : "Kannada", '0x471' : "Kanuri_Nigeria", '0x860' : "Kashmiri", '0x460' : "Kashmiri_Arabic", '0x043f' : "Kazakh", '0x453' : "Khmer", '0x457' : "Konkani",
'0x412' : "Korean", '0x440' : "Kyrgyz_Cyrillic", '0x454' : "Lao", '0x476' : "Latin", '0x426' : "Latvian", '0x427' : "Lithuanian", '0x043e' : "Malay_Malaysia",
'0x083e' : "Malay_Brunei_Darussalam", '0x044c' : "Malayalam", '0x043a' : "Maltese", '0x458' : "Manipuri", '0x481' : "Maori_New_Zealand", '0x044e' : "Marathi",
'0x450' : "Mongolian_Cyrillic", '0x850' : "Mongolian_Mongolian", '0x461' : "Nepali", '0x861' : "Nepali_India", '0x414' : "Norwegian_Bokmal",
'0x814' : "Norwegian_Nynorsk", '0x448' : "Oriya", '0x472' : "Oromo", '0x479' : "Papiamentu", '0x463' : "Pashto", '0x415' : "Polish", '0x416' : "Portuguese_Brazil",
'0x816' : "Portuguese_Portugal", '0x446' : "Punjabi", '0x846' : "Punjabi_Pakistan", '0x046B' : "Quecha_Bolivia", '0x086B' : "Quecha_Ecuador",
'0x0C6B' : "Quecha_Peru", '0x417' : "Rhaeto-Romanic", '0x418' : "Romanian", '0x818' : "Romanian_Moldava", '0x419' : "Russian", '0x819' : "Russian_Moldava",
'0x043b' : "Sami_Lappish", '0x044f' : "Sanskrit", '0x046c' : "Sepedi", '0x0c1a' : "Serbian_Cyrillic", '0x081a' : "Serbian_Latin", '0x459' : "Sindhi_India",
'0x859' : "Sindhi_Pakistan", '0x045b' : "Sinhalese_Sri_Lanka", '0x041b' : "Slovak", '0x424' : "Slovenian", '0x477' : "Somali", '0x042e' : "Sorbian",
'0x0c0a' : "Spanish_Spain_Modern_Sort", '0x040a' : "Spanish_Spain_Traditional_Sort", '0x2c0a' : "Spanish_Argentina", '0x400a' : "Spanish_Bolivia",
'0x340a' : "Spanish_Chile", '0x240a' : "Spanish_Colombia", '0x140a' : "Spanish_Costa_Rica", '0x1c0a' : "Spanish_Dominican_Republic",
'0x300a' : "Spanish_Ecuador", '0x440a' : "Spanish_El_Salvador", '0x100a' : "Spanish_Guatemala", '0x480a' : "Spanish_Honduras", '0xe40a' : "Spanish_Latin_America",
'0x080a' : "Spanish_Mexico", '0x4c0a' : "Spanish_Nicaragua", '0x180a' : "Spanish_Panama", '0x3c0a' : "Spanish_Paraguay", '0x280a' : "Spanish_Peru",
'0x500a' : "Spanish_Puerto_Rico", '0x540a' : "Spanish_United_States", '0x380a' : "Spanish_Uruguay", '0x200a' : "Spanish_Venezuela", '0x430' : "Sutu",
'0x441' : "Swahili", '0x041d' : "Swedish", '0x081d' : "Swedish_Finland", '0x045a' : "Syriac", '0x428' : "Tajik", '0x045f' : "Tamazight_Arabic",
'0x085f' : "Tamazight_Latin", '0x449' : "Tamil", '0x444' : "Tatar", '0x044a' : "Telugu", '0x041e' : "Thai", '0x851' : "Tibetan_Bhutan",
'0x451' : "Tibetan_Peoples_Republic_of_China", '0x873' : "Tigrigna_Eritrea", '0x473' : "Tigrigna_Ethiopia", '0x431' : "Tsonga", '0x432' : "Tswana",
'0x041f' : "Turkish", '0x442' : "Turkmen", '0x480' : "Uighur_China", '0x422' : "Ukrainian", '0x420' : "Urdu", '0x820' : "Urdu_India", '0x843' : "Uzbek_Cyrillic",
'0x443' : "Uzbek_Latin", '0x433' : "Venda", '0x042a' : "Vietnamese", '0x452' : "Welsh", '0x434' : "Xhosa", '0x478' : "Yi", '0x043d' : "Yiddish", '0x046a' : "Yoruba",
'0x435' : "Zulu", '0x04ff' : "HID_Human_Interface_Device"}
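# Address of RtlExitUserProcess as mapped in the dump. When the sample sees a
# forbidden language ID it goes straight to exit, so reaching this address during
# emulation is the "forbidden" signal.
# NOTE(review): absolute address -- presumably valid only for this particular dump;
# re-resolve it before pointing the script at a different dump file.
rtlexituserprocess_addr = 0x7FF9DDB6D980
forbidden_langs = {}
# ------------------ Setting + Starting Dumpulator ------------------
for key_id, lang_name in languages.items():
    # Reload the dump for every candidate so each run starts from the same state.
    # Loading happens outside the try on purpose: an unreadable or missing dump must
    # abort the run instead of being counted as "language is OK" for every ID, which
    # would print an empty (and misleading) result.
    dp = Dumpulator("notepad.dmp", quiet=True)
    # Inject the candidate language ID into RAX.
    # NOTE(review): presumably the dump was captured where the sample consumes the
    # language ID returned in RAX -- confirm against the disassembly at dp.regs.rip.
    dp.regs.rax = int(key_id, 16)
    try:
        # Emulate from the dump's current RIP until RtlExitUserProcess is reached.
        dp.start(dp.regs.rip, rtlexituserprocess_addr)
    except Exception:
        # Language ID is OK as we did not reach RtlExitUserProcess.
        # `except Exception` (not a bare except) keeps Ctrl-C / SystemExit working
        # during the long emulation loop.
        # NOTE(review): any emulation failure lands here, including ones unrelated
        # to the language check, so treat "OK" as "exit not observed" and
        # cross-check surprising results manually.
        continue
    # Language ID is Forbidden as we reached RtlExitUserProcess
    forbidden_langs[key_id] = lang_name
# ------------------ RESULTS ------------------
print("\n\nRansomware's forbidden system languages:\n")
pprint(forbidden_langs)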