@c3rb3ru5d3d53c
Created June 11, 2023 02:51
CipherIT Extractor
#!/usr/bin/env python
# pip install malduck
import re
import argparse
from malduck import lznt1, rc4
__version__ = '1.0.0'
__author__ = '@c3rb3ru5d3d53c'

# Embedded key literal: `Binary(<func>("<digits>U<digits>...", <offset>))`.
# Group 1 is the 'U'-separated encoded string, group 2 the decimal offset
# that decode_string() subtracts from every number.
r_key = re.compile(r'Binary\(\w+\("([^"]+)", ?(\d+)\)')

# Ciphertext chunks: an initial `= '0x<HEX>'` assignment followed by `&= '<HEX>'`
# appends. Group 2 is the upper-case hex run; the MULTILINE flag is retained
# even though the pattern carries no anchors.
r_ct = re.compile(r"(= '0x|&= ')([A-F0-9]+)", flags=re.MULTILINE)
def decode_string(string: str, key: int) -> str:
    """Decode one obfuscated AutoIt string literal.

    The literal is a 'U'-separated list of decimal numbers; subtracting
    ``key`` from each number yields a code point of the plaintext. ``key``
    is passed through ``int()`` so a numeric string works too.

    Args:
        string: the encoded token, e.g. ``"73U106"``.
        key: per-sample offset subtracted from every number.

    Returns:
        The decoded text.

    Raises:
        ValueError: for a non-numeric token (from ``int()``) or an
            out-of-range code point (from ``chr()``).
    """
    offset = int(key)
    code_points = (chr(int(token) - offset) for token in string.split('U'))
    return ''.join(code_points)
def decode_key(data: str):
    """Recover the RC4 key embedded in the loader script text.

    Locates the ``Binary(<func>("...", <offset>))`` literal with ``r_key``
    and decodes it with :func:`decode_string`.

    Args:
        data: decoded text of the AutoIt script.

    Returns:
        The key as ``str``, or ``None`` when the literal is not present.
    """
    found = r_key.search(data)
    if found is None:
        return None
    encoded, offset = found.groups()
    return decode_string(encoded, int(offset))
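def get_ciphertext(data: str):
    """Collect the hex-encoded ciphertext chunks from the loader script text.

    The payload is spread over a ``= '0x...'`` assignment and several
    ``&= '...'`` appends; every hex group matched by ``r_ct`` is joined in
    source order and decoded.

    Args:
        data: decoded text of the AutoIt script.

    Returns:
        The concatenated ciphertext as ``bytes``, or ``None`` when no chunk
        matched. (``re.finditer`` never returns ``None``, so the previous
        check on the iterator was dead code and an absent payload silently
        came back as ``b''``; ``None`` mirrors :func:`decode_key`.)

    Raises:
        ValueError: if the joined hex text has odd length (``bytes.fromhex``).
    """
    chunks = [m.group(2) for m in r_ct.finditer(data)]
    if not chunks:
        return None
    return bytes.fromhex(''.join(chunks))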
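def main() -> None:
    """Command-line entry point: recover, decrypt and decompress the payload.

    Reads the AutoIt loader script named by ``--input``, takes the RC4 key
    from ``--key`` or, failing that, from the literal embedded in the script,
    RC4-decrypts the concatenated ciphertext, LZNT1-decompresses it and
    writes the raw result to ``--output``. A missing key or ciphertext is
    reported via ``parser.error`` (exit status 2) rather than surfacing as
    an ``AttributeError`` on ``None``.
    """
    parser = argparse.ArgumentParser(
        prog=f'extractor v{__version__}',
        description='Extract AutoIt Payload',
        epilog=f'Author: {__author__}',
    )
    parser.add_argument('-i', '--input', type=str, default=None,
                        help='Input File', required=True)
    parser.add_argument('-o', '--output', type=str, default=None,
                        help='Output File', required=True)
    parser.add_argument('-k', '--key', type=str, default=None,
                        help='Key', required=False)
    args = parser.parse_args()

    # Samples may carry bytes outside the locale encoding; replacing them
    # keeps the ASCII-only regexes usable instead of aborting with a
    # UnicodeDecodeError. NOTE(review): assumes the script is UTF-8/ASCII
    # text; a UTF-16 .au3 would need transcoding first — confirm.
    with open(args.input, 'r', encoding='utf-8', errors='replace') as script:
        data = script.read()

    key = args.key if args.key is not None else decode_key(data)
    if key is None:
        parser.error('no key literal found in input; supply one with --key')

    ct = get_ciphertext(data)
    # `not ct` covers both an absent match and an empty byte string.
    if not ct:
        parser.error('no ciphertext chunks found in input')

    pt = lznt1(rc4(key.encode(), ct))
    with open(args.output, 'wb') as out:
        out.write(pt)


if __name__ == '__main__':
    main()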