@dr4k0nia
Last active July 19, 2023 08:13
Unpacking scripts from my livestream on unpacking and analysing the DuckTail stealer malware
using System;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Threading;
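public class Program
{
    // Locations used during the analysis session: the packer stub and where its payload is dumped.
    private const string SamplePath = "C:\\Users\\analyzer\\Desktop\\DuckTail samples\\ADAPTERBOOT.dll";
    private const string OutputPath = "C:\\Users\\analyzer\\Desktop\\DuckTail samples\\ADAPTER_PAYLOAD.dll";

    // ECMA-335 metadata tokens inside ADAPTERBOOT.dll; the high byte names the table
    // (0x02 TypeDef, 0x04 Field, 0x06 MethodDef), the low 24 bits the row index.
    // They are specific to this build of the stub and will not match another sample.
    private const int PayloadFieldToken = 0x04000005;  // 67108869: static string holding the encoded payload
    private const int DecryptMethodToken = 0x06000012; // 100663314: the stub's own decryption routine
    private const int DecryptorTypeToken = 0x02000006; // 33554438: type that declares that routine

    /// <summary>
    /// Script entry point: extracts the payload embedded in ADAPTERBOOT.dll and writes it to disk.
    /// </summary>
    private void Main()
    {
        Unpack(SamplePath, OutputPath);
    }

    /// <summary>
    /// Unpacks a stub by reading its embedded payload string, reversing it and passing it through
    /// the stub's own decryption method via reflection; the Base64-decoded result is written to
    /// <paramref name="outputPath"/>.
    /// </summary>
    /// <param name="samplePath">Full path of the stub assembly to load.</param>
    /// <param name="outputPath">Full path the decoded payload is written to (overwritten if present).</param>
    /// <exception cref="InvalidOperationException">
    /// A token does not resolve, the decryptor type cannot be instantiated, or a value has an
    /// unexpected type — i.e. the sample is not the build these tokens were taken from.
    /// </exception>
    /// <remarks>
    /// <see cref="Activator.CreateInstance(Type)"/> and <see cref="MethodBase.Invoke(object, object[])"/>
    /// execute the sample's own code inside this process.
    /// </remarks>
    private static void Unpack(string samplePath, string outputPath)
    {
        Module module = Assembly.LoadFile(samplePath).ManifestModule;

        FieldInfo payloadField = module.ResolveField(PayloadFieldToken)
            ?? throw new InvalidOperationException($"Field token 0x{PayloadFieldToken:X8} did not resolve.");
        // Read as a static field (no instance is passed), as in the original script.
        string data = payloadField.GetValue(null) as string
            ?? throw new InvalidOperationException("Payload field is not a static string.");

        // The stub stores the string back to front; undo that before handing it to the decryptor.
        data = Reverse(data);

        MethodBase decryptMethod = module.ResolveMethod(DecryptMethodToken)
            ?? throw new InvalidOperationException($"Method token 0x{DecryptMethodToken:X8} did not resolve.");
        object instance = Activator.CreateInstance(module.ResolveType(DecryptorTypeToken))
            ?? throw new InvalidOperationException($"Could not instantiate type 0x{DecryptorTypeToken:X8}.");

        // The decryptor returns Base64 text; the payload is its decoded bytes.
        string decrypted = decryptMethod.Invoke(instance, new object[] { data }) as string
            ?? throw new InvalidOperationException("Decrypt method did not return a string.");

        File.WriteAllBytes(outputPath, Convert.FromBase64String(decrypted));
    }

    /// <summary>Returns <paramref name="input"/> with its UTF-16 code units in reverse order.</summary>
    /// <param name="input">String to reverse.</param>
    /// <returns>The reversed string; an empty input yields an empty string.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="input"/> is null.</exception>
    public static string Reverse(string input)
    {
        if (input is null)
        {
            throw new ArgumentNullException(nameof(input));
        }

        // Plain char-wise reversal (surrogate pairs are not kept together); presumably this is
        // exactly how the stub scrambles the string, so it must stay char-wise.
        char[] chars = input.ToCharArray();
        Array.Reverse(chars);
        return new string(chars);
    }
}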
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Text;
using System.Threading;
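public class UserQuery
{
    // Locations used during the analysis session: the sample and where its decrypted payload is dumped.
    private const string SamplePath = "C:\\Users\\analyzer\\Desktop\\DuckTail samples\\pw485rpaysp9trgrbpxi.dll";
    private const string OutputPath = "C:\\Users\\analyzer\\Desktop\\DuckTail samples\\payload.bin";

    // Key material handed to the sample's decryptor: a Base64 blob (labelled by the author as
    // taken from the sample's resources) and a fixed text that is used as the second key.
    private const string ResourceKeyBase64 = "gERbWq+F3syepJDKrz4eNwn97oHg/ByxW/ddxgBw5v0BuXxEYPRXaj5GpXeNbrMW21Uj/mQbm4Qnqf+4JxfLLb2SyfXB2dYUpYRDmVekJOxER+urTeiZ5R74HLb1n0Ime3e6+qW9VAF+Dljg2AEs";
    private const string SecondKeyText = "text/html; charset=ISO-8859-1";

    // ECMA-335 metadata tokens inside the sample; the high byte names the table
    // (0x02 TypeDef, 0x06 MethodDef), the low 24 bits the row index. Build-specific.
    private const int DecryptorTypeToken = 0x02000006;    // 33554438: type declaring both routines
    private const int DataMethodToken = 0x06000019;       // 100663321: returns the encrypted bytes
    private const int DecryptionMethodToken = 0x0600001B; // 100663323: (resourceKey, secondKey, data) -> plaintext

    /// <summary>
    /// Script entry point: decrypts the payload of pw485rpaysp9trgrbpxi.dll and writes it to disk.
    /// </summary>
    private void Main()
    {
        Unpack(SamplePath, OutputPath, Convert.FromBase64String(ResourceKeyBase64), Encoding.UTF8.GetBytes(SecondKeyText));
    }

    /// <summary>
    /// Loads the sample, asks it for its encrypted data and runs that data through the sample's
    /// own decryption routine via reflection; the plaintext is written to <paramref name="outputPath"/>.
    /// </summary>
    /// <param name="samplePath">Full path of the sample assembly to load.</param>
    /// <param name="outputPath">Full path the decrypted payload is written to (overwritten if present).</param>
    /// <param name="resourceKey">First key passed to the decryption routine.</param>
    /// <param name="secondKey">Second key passed to the decryption routine.</param>
    /// <exception cref="InvalidOperationException">
    /// A token does not resolve, the type cannot be instantiated, or a routine returned something
    /// other than a byte array — i.e. the sample is not the build these tokens were taken from.
    /// </exception>
    /// <remarks>
    /// <see cref="Activator.CreateInstance(Type)"/> and <see cref="MethodBase.Invoke(object, object[])"/>
    /// execute the sample's own code inside this process.
    /// </remarks>
    private static void Unpack(string samplePath, string outputPath, byte[] resourceKey, byte[] secondKey)
    {
        Module module = Assembly.LoadFile(samplePath).ManifestModule;
        Type decryptorType = module.ResolveType(DecryptorTypeToken);

        MethodBase dataMethod = module.ResolveMethod(DataMethodToken)
            ?? throw new InvalidOperationException($"Method token 0x{DataMethodToken:X8} did not resolve.");
        object instance = Activator.CreateInstance(decryptorType)
            ?? throw new InvalidOperationException($"Could not instantiate type 0x{DecryptorTypeToken:X8}.");

        byte[] data = dataMethod.Invoke(instance, Array.Empty<object>()) as byte[]
            ?? throw new InvalidOperationException("Data method did not return a byte array.");

        // Resolved after the data call to keep the original order of operations on the sample.
        MethodBase decryptionMethod = module.ResolveMethod(DecryptionMethodToken)
            ?? throw new InvalidOperationException($"Method token 0x{DecryptionMethodToken:X8} did not resolve.");
        byte[] result = decryptionMethod.Invoke(instance, new object[] { resourceKey, secondKey, data }) as byte[]
            ?? throw new InvalidOperationException("Decryption method did not return a byte array.");

        File.WriteAllBytes(outputPath, result);
    }
}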