diff --git a/README.md b/README.md
index d5a7141..d5b1048 100755
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@ There are some pre-reqs that are included in the pip setup and the requirements.
 - pefile
 - pbkdf2
 - javaobj-py3
-- pycrypto
+- pycryptodome
 - androguard
 
 For all the decoders you will need yara and yara-python. For dealing with .NET malware you will need to install yara-python with dotnet support
diff --git a/malwareconfig/crypto.py b/malwareconfig/crypto.py
index 4820441..a6a0840 100644
--- a/malwareconfig/crypto.py
+++ b/malwareconfig/crypto.py
@@ -1,5 +1,6 @@
+import itertools
 import struct
-from Crypto.Cipher import ARC4, DES, DES3, AES, Blowfish, XOR
+from Crypto.Cipher import ARC4, DES, DES3, AES, Blowfish
 from Crypto.PublicKey import RSA
 from pbkdf2 import PBKDF2
 
@@ -13,8 +14,7 @@ def decrypt_rsa(key, data):
 
 # XOR
 def decrypt_xor(key, data):
-    cipher = XOR.new(key)
-    return cipher.decrypt(data)
+    return bytes([a ^ b for a, b in zip(itertools.cycle(key), data)])
 
 
 # RC4
diff --git a/malwareconfig/decoders/sakula.py b/malwareconfig/decoders/sakula.py
index 7fbbebf..aec45ce 100644
--- a/malwareconfig/decoders/sakula.py
+++ b/malwareconfig/decoders/sakula.py
@@ -67,7 +67,7 @@ def get_config(self):
         # RE for 1.2, 1.3, 1.4
         re_pattern2 = b'([ -~]{50})([ -~]{50})([ -~]{50})([ -~]{50})([ -~]{50})([ -~]{50})([ -~]{50})([ -~]{50})([ -~]{12})(0uVVVVVV)'
 
-        xor_data = crypto.decrypt_xor('\x88', file_data)
+        xor_data = crypto.decrypt_xor(b'\x88', file_data)
 
         config_list = re.findall(re_pattern1, xor_data)
 
@@ -77,7 +77,7 @@ def get_config(self):
 
 
         # XOR for later versions
-        xor_data = crypto.decrypt_xor('V', file_data)
+        xor_data = crypto.decrypt_xor(b'V', file_data)
 
         config_list = re.findall(re_pattern2, xor_data)
 
diff --git a/requirements.txt b/requirements.txt
index 9da9571..40504d5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
 pefile
 pbkdf2
 javaobj-py3
-pycrypto
-androguard
\ No newline at end of file
+pycryptodome
+androguard
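Review bot: The new `decrypt_xor` in crypto.py silently returns `b''` when `key` is empty, because `itertools.cycle(b'')` yields nothing and `zip` stops immediately, whereas the removed `XOR.new(key)` would have raised; a decoder handed a bad key now gets an empty buffer and simply reports no config instead of an error. A one-line guard keeps the old failure mode: `if not key: raise ValueError("XOR key must be non-empty")`. Both arguments must now be bytes-like, since `a ^ b` raises TypeError when either side yields str characters; the sakula calls are converted to bytes literals in this commit, but any other decoder still passing a str key would presumably break and is worth checking. The intermediate list is unnecessary on large samples: `return bytes(a ^ b for a, b in zip(itertools.cycle(key), data))`.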