# Copyright
# =========
# Copyright (C) 2012 Trustwave Holdings, Inc.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>
#
#
# dexter_decode.rb by Josh Grunzweig 12-27-2012
#
# =Synopsis
#
# This is a simple Ruby script that is designed to take the POST data sent by
# the Dexter malware, and decode the data present using the Base64 encoded
# key that is supplied. More information about how this data is decoded, and
# what values are present can be found here:
# http://blog.spiderlabs.com/2012/12/the-dexter-malware-getting-your-hands-dirty.html
#
# This script was tested against cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785,
# however, it may work against other variants as well.
#
# Example: ruby dexter_decode.rb 'page=AwICB1VWVwRMUVVYVUxVUwAHTABWAFZMUVJTUlECWAVVVlVU&val=ZnJ0a2o='
# KEY: frtkj
# ["page", "bccf476e-0494-42af-a7a7-03230c9d4745"]
#
require 'base64'
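class String
  # Taken from Eric Monti's excellent Ruby Black Bag Ruby gem. More information
  # about this gem can be found here: https://github.com/emonti/rbkb
  #
  # XOR this string against a key. The key is repeated or truncated to
  # self.size, so a one-byte key is applied to every byte. Works on raw bytes:
  # each result byte is turned back into a one-character string with
  # Integer#chr, so bytes >= 0x80 come back as binary (ASCII-8BIT) characters.
  #
  # NOTE: this monkey-patches the core String class (kept for compatibility
  # with the script below, which calls `value.xor(key)`).
  #
  # @param k [String] the key; must not be empty
  # @return [String] self XORed with the repeated key
  # @raise [ArgumentError] if k is empty (the original fell through to an
  #   obscure TypeError from Integer#^ on nil)
  def xor(k)
    raise ArgumentError, 'xor key must not be empty' if k.empty?

    key_bytes = k.bytes
    # idx % size wraps the key around instead of resetting a counter by hand.
    bytes.each_with_index.map { |b, idx| (b ^ key_bytes[idx % key_bytes.size]).chr }.join
  end
end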
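# Parse "name=value&name2=value2" POST data into [name, value] pairs.
# Params that do not look like name=value are skipped, as in the original.
# Anchored with \A/\z (not ^/$) so the match cannot succeed on a single line
# of a multi-line value.
#
# @param post_data [String] the raw POST body
# @return [Array<Array(String, String)>] [name, value] pairs in input order
def parse_params(post_data)
  post_data.split('&')
           .map { |param| param.match(/\A(\w+)=(\S+)\z/) }
           .compact
           .map { |m| [m[1], m[2]] }
end

# Decode one Dexter value: Base64-decode it, then XOR every byte with every
# key character in turn. XOR is associative and commutative, so applying each
# key character in sequence equals one XOR with the fold of all key bytes.
# Base64.decode64 is lenient (ignores non-alphabet characters); the input is
# attacker-controlled data, which is why strict_decode64 is not used here.
#
# @param encoded [String] Base64 text of the value
# @param key [String] the decoded XOR key (from the "val" parameter)
# @return [String] the decoded bytes
def dexter_decode(encoded, key)
  folded = key.bytes.reduce(0, :^)
  Base64.decode64(encoded).xor(folded.chr)
end

post_data = ARGV.shift
# abort prints to stderr and exits non-zero; the original exited 0 on a usage
# error, which hides the failure from shell pipelines.
abort 'Usage: ruby dexter_decode.rb <POST_DATA>' unless post_data

params = parse_params(post_data)

# The "val" parameter carries the Base64-encoded XOR key for the other
# parameters. If it repeats, the last one wins (matches the original).
key_param = params.select { |name, _| name == 'val' }.last
abort 'No "val" parameter found; cannot recover the XOR key' unless key_param
key = Base64.decode64(key_param[1])
puts "KEY: #{key}"

params.each do |name, value|
  next if name == 'val'

  p [name, dexter_decode(value, key)]
end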