Jump to content
Usr6

RST - Python Polymorphic Engine 0.2

By Usr6, in Programare

Recommended Posts

Usr6 Newbie

Usr6

Posted
Posted

Acest engine are ca inspiratie engine-urile polymorphice utilizate de virusii anilor 90 pentru a ingreuna detectia antivirus. La fiecare executare a fisierului dupa decriptare codul malware era recriptat cu o alta parola aleasa aleator rezultand un fisier diferit. Pentru utilizarea pycrypto m-am inspirat de aici: Python and cryptography with pycrypto | Laurent Luce's Blog

Python 2.7

algoritm de criptare RC4, parola = 64 litere alese in mod aleator la fiecare executie


import random
import sys
import re
from Crypto.Cipher import ARC4
lparola = 64
nume_fisier = sys.argv[0]
continut_fisier = open(nume_fisier, "r").read()

def aleator():
    variabila = ''
    for i in range(lparola):
        variabila += random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz')
    return variabila

script ="""print "\tHello, I am RST Polymorphic Engine 0.2"
print "This script will be crypted, delete me after first run"

raw_input()
    """
#criptare initiala                                                                       #
parola = aleator()                                                                       #
obj1 = ARC4.new(parola)                                                                  #
criptat = obj1.encrypt(script).encode("hex")                                             #
#print criptat                                                                           #
lungime_criptat = hex(len(criptat))                                                      #
#print len(lungime_criptat)                                                              #
#print int(lungime_criptat, 16)                                                          #
continut_fisier += '\n##' + criptat + parola + lungime_criptat+ hex(len(lungime_criptat))#
                                                                                         #
#decriptare                                                                              #
#print continut_fisier                                                                   #
temp_1 = int(continut_fisier[-3:], 16)
#print temp_1                                                                            #
temp_2 = int(continut_fisier[-3 -temp_1: -3], 16) 
#print temp2                                                                             #
parola = continut_fisier[-3 -temp_1 -lparola:-3 -temp_1]
#print parola                                                                            #
temp_3 = -3 - temp_1 - temp_2 - lparola
temp_4 = continut_fisier[temp_3: -3 -temp_1 -lparola]
obj2 = ARC4.new(parola)
#print temp_4                                                                            #
decriptat = obj2.decrypt(temp_4.decode("hex"))
#print decriptat                                                                         #
exec(decriptat)

continut_fisier = re.sub(".{89}#\n", "", continut_fisier)                                #
continut_fisier = re.sub("\n#", "\n", continut_fisier)                                   #
#print continut_fisier                                                                   #
                                                                                         #
#recriptare                                                                              #
#decriptat = script plain text, temp_3 = offset pus cript                                #
#parola2 = aleator()
#print parola                                                                            #
#obj1 = ARC4.new(parola2)
#criptat = obj1.encrypt(decriptat).encode("hex")
#print criptat                                                                           #
#lungime_criptat = hex(len(criptat))
#print len(lungime_criptat)                                                              #
#print int(lungime_criptat, 16)                                                          #
#print criptat                                                                           #
#continut_fisier = continut_fisier[:temp_3 -1] + "#" + criptat + parola2 + lungime_criptat + hex(len(lungime_criptat))
#print continut_fisier                                                                   #

scriu = open(nume_fisier, "w")
scriu.write(continut_fisier)
scriu.close()
sys.exit()

Include o "functie" de auto-cleaning, la primul run isi elimina singur toate partile de cod inutile in viitor, totusi, scriptul care a fost criptat este necesar sa fie eliminat manual

Dupa primul run:


import random
import sys
import re
from Crypto.Cipher import ARC4
lparola = 64
nume_fisier = sys.argv[0]
continut_fisier = open(nume_fisier, "r").read()

def aleator():
    variabila = ''
    for i in range(lparola):
        variabila += random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz')
    return variabila

script ="""print "\tHello, I am RST Polymorphic Engine 0.2"
print "This script will be crypted, delete me after first run"

raw_input()
    """
temp_1 = int(continut_fisier[-3:], 16)
temp_2 = int(continut_fisier[-3 -temp_1: -3], 16) 
parola = continut_fisier[-3 -temp_1 -lparola:-3 -temp_1]
temp_3 = -3 - temp_1 - temp_2 - lparola
temp_4 = continut_fisier[temp_3: -3 -temp_1 -lparola]
obj2 = ARC4.new(parola)
decriptat = obj2.decrypt(temp_4.decode("hex"))
exec(decriptat)

parola2 = aleator()
obj1 = ARC4.new(parola2)
criptat = obj1.encrypt(decriptat).encode("hex")
lungime_criptat = hex(len(criptat))
continut_fisier = continut_fisier[:temp_3 -1] + "#" + criptat + parola2 + lungime_criptat + hex(len(lungime_criptat))

scriu = open(nume_fisier, "w")
scriu.write(continut_fisier)
scriu.close()
sys.exit()

#4049eff8b7283ce8be7131c9c3f025030fd4a2e1474c126d3c31edf7eb64b1bd6591f383230ef0e17f1cd8fe6681c95eb34005887eeefefad76b64d8d0ab301996738e47cec14186d7a283c10b65cf77cadbabf3c39c2a5e5c852082fe5b3c2850156ae02577b6d29235f7e4f339ba22a983cdc7ded692d8911e5f7fgZqSphoqERUeUEyvankUOpiuEDyVoENOCJpVNiiJcGHJHpnwgFzfItmoncWKTUMm0xf80x4

Dupa autocleaning la urmatoarele executii se mai modifica doar partea criptata:


#d8c3fae6dae61792b9389f57d143ef14d3845dab8da2ad08e25d8aef03ef1bdf3cb4938ccf607dca3c74c8522c971bee83406680a901fe32d4b9aaf60bc473216164929de7cd53bcb253646eeaad3cb71405a89f7aa931b53f3a1cb75447d289465d7cbf15dc7f46c747a3fbfc21f7ec94c3d2a84cfc825919f72041lgwkmIJdWycsxlcmlvNnzJWxnfUJFxTNYwSzIDTHgKZzDQoUrfFOtaZWHZorNMfu0xf80x4

Utilitate: scop didactic

sugestiile, criticile, etc. sunt bine venite

  • Upvote 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...