-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdeDexter.php
68 lines (61 loc) · 2.13 KB
/
deDexter.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
<?php
/*
** deDexterPHP (06.01.2013)
** by Alexey Mak (S-ed)
** This is a simple PHP script that is designed to decode the data affected by Dexter malware
** Based on original Ruby scrip by Josh Grunzweig
** https://github.com/SpiderLabs/Malware_Analysis/blob/master/Ruby/Dexter/dexter_decode.rb
**
** This program is free software: you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation, either version 3 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program. If not, see <http://www.gnu.org/licenses/>
**
** Copyright (C) 2012 Alexey Mak
*/
function xor_decode($text, $key) {
$key_length = strlen($key);
$encoded_data = base64_decode($text);
$result = "";
$length = strlen($encoded_data);
for ($i = 0; $i < $length; $i++) {
$tmp = $encoded_data[$i];
for ($j = 0; $j < $key_length; $j++) {
$tmp = chr(ord($tmp) ^ ord($key[$j]));
}
$result .= $tmp;
}
return $result;
}
function searchKey($data){
foreach (explode("&", $data) as $param) {
$param_arr = preg_split("/=/", $param, 2);
if( $param_arr[0] == "val" ){
return base64_decode($param_arr[1]);
}
}
return false;
}
function deDexter($data, $key){
$decoded_data = "";
foreach (explode("&", $data) as $param) {
$param_arr = preg_split("/=/", $param, 2);
if( $param_arr[0] != "val" ){
$decoded_data .= $param_arr[0]."=".xor_decode($param_arr[1], $key)."\n";
}
}
return $decoded_data;
}
//Example
$data = "Some Your Encrypted data";
$key = searchKey($data); //search for key separated on case of several calls of deDexter() using same key
$data = deDexter($data, $key);
?>