#!/usr/bin/env ruby
require 'base64'
require 'crabstone'
require 'optparse'
require 'pedump'
include Crabstone
####################################
# Cohhoc config parser
# Nick Hoffman @infoseckitten
# For more information on cohhoc - https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf
#
#
# Usage - cohhoc_decode.rb -f fd11d2f0f1d388404de4bb8d872ac897.exe
# 3ZWJtYWlsbiludGFybmV0c2VydmljZW4jb21 -> webmail.intarnetservice.com
# oZWxwbjdlYm1haWxlcnNlcnZpY2VzbiNvbU= -> help.webmailerservices.com
####################################
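# Decode one Cohhoc C2 string: base64-decode it, then rotate every byte right
# by two bits. (The asm the original author noted next to this loop --
# `shr dl,6 / shl al,2 / or dl,al` -- is the opposite rotation, presumably the
# encoder side in the sample; decoding has to rotate the other way.)
#
# config - String, base64 text as found in the binary. Base64.decode64 is
#          deliberately lenient: it skips characters outside the alphabet and
#          tolerates missing padding, which the samples in the header rely on.
#
# Returns the decoded bytes as an ASCII-8BIT String. Only the two header
# examples are known to be hostnames; treat anything else as raw,
# attacker-controlled bytes rather than text.
def decode(config)
  raw = Base64.decode64(config)
  # The previous `% 0xff` happens to equal the 8-bit rotate for every byte
  # except 0xff (0xff << 6 is a multiple of 255, so it collapsed to 0x3f);
  # mask with & 0xff to get the real rotation for all 256 values.
  rotated = raw.each_byte.map { |b| ((b << 6) | (b >> 2)) & 0xff }
  rotated.pack('C*')
end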
# Map an absolute virtual address from the sample to a file offset.
#
# offset - Integer VA as pushed by the sample (the caller only passes values
#          above @loadaddr). Subtracting @loadaddr (the ImageBase read from
#          the optional header) turns it into an RVA for pedump's va2file.
#
# Returns whatever va2file returns; the caller treats nil as "not mapped",
# so callers must handle nil. Depends on the script-level @pe and @loadaddr.
def fetch_real_addr(offset)
  rva = offset - @loadaddr
  @pe.dump.va2file(rva)
end
# Command-line handling. The only real option is -f/--file; -h prints the
# usage text and exits. Parsed values land in `options[:file]`.
options = {}
parser = OptionParser.new
parser.banner = "Usage: cohhoc_decode.rb -f evil.exe"
parser.on("-f", "--file FILE", "Filename") { |file| options[:file] = file }
parser.on("-h", "--help", "Show this message") do
  puts parser
  exit
end
parser.parse!
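if options[:file]
  # Whole sample as raw bytes. File.binread closes the handle even if the read
  # raises, unlike the open/read/close sequence it replaces.
  file = File.binread(options[:file])
  @pe = PEdump.new(options[:file]).dump
  @loadaddr = @pe.dump.pe.ioh.ImageBase
  # Candidate config pointers are `push imm32` (opcode 0x68) whose top byte is
  # zero, i.e. absolute VAs below 0x01000000 (covers the usual 0x400000 base).
  # /m is required: without it `.` does not match 0x0a, so any address that
  # contained a newline byte was silently skipped. /n keeps the pattern in
  # binary encoding, like the data it scans.
  matches = file.scan(/\x68.{3}\x00/mn)
  cs = Disassembler.new(ARCH_X86, MODE_32)
  begin
    offsets = matches.flat_map do |item|
      pushes = cs.disasm(item, 0x0).select { |i| i.id == X86::INS_PUSH }
      pushes.map do |i|
        va = i.op_str.to_s.hex
        # Only VAs above the image base can point at a config string;
        # fetch_real_addr may yield nil when the RVA maps to no file offset.
        va > @loadaddr ? fetch_real_addr(va) : nil
      end
    end
  ensure
    cs.close # release the capstone handle instead of leaking it
  end
  offsets = offsets.compact.uniq

  possible_config = []
  offsets.each do |offset|
    # Config strings are NUL-terminated: take the bytes up to the first NUL,
    # or to EOF if the pointer lands in the tail of the file.
    nul = file.index("\x00".b, offset)
    config = nul ? file.byteslice(offset...nul) : file.byteslice(offset..-1)
    next if config.nil? || config.empty?
    # Loose filter: any run of 10+ base64 characters somewhere in the string.
    # Deliberately unanchored (same as the original tool), so junk around a
    # valid run still reaches decode(), which ignores non-alphabet bytes.
    possible_config << config if config =~ /[0-9a-zA-Z\+\=]{10,}/
  end

  possible_config.uniq.each do |item|
    decoded = decode(item)
    next unless decoded =~ /[a-zA-Z0-9\.]{5,}/
    # NOTE(review): `decoded` is attacker-controlled bytes written verbatim to
    # the terminal (control and escape sequences included); view the output
    # through `cat -v` or similar when triaging a hostile sample.
    print "#{item} -> #{decoded}\n"
  end
else
  # Previously a silent no-op; misuse now fails loudly with a non-zero status.
  abort "Usage: cohhoc_decode.rb -f evil.exe"
end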