@mak
Created June 22, 2016 22:16

Revisions

  1. mak created this gist Jun 22, 2016.
    33 changes: 33 additions & 0 deletions get_locky.py
    @@ -0,0 +1,33 @@
    import sys
    import hashlib
    import struct
    import requests

    def decode(data,seed,step):
    r = []
    k = seed
    for c in map(ord,data):
    r.append(chr(c ^ k))
    k = (k + step) % 256
    return ''.join(r)


    d = requests.get(sys.argv[1]).content
    if not d:
    print '[-] nope, no locky here'
    sys.exit(1)
    cksum = struct.unpack('I',d[-4:])[0]
    d = d[:-4][::-1]
    seed = ord(d[0]) ^ ord('M')
    step = (ord(d[1]) ^ ord('Z')) - seed
    exe = decode(d,seed,step)
    pe_off = struct.unpack('H',exe[0x3c:0x3c+2])[0]
    if len(exe) > pe_off and exe[pe_off] == 'P' and exe[pe_off+1] == 'E':
    fname = hashlib.sha256(exe).hexdigest()
    print '[+] decoded with seed: %d and step: %d' % (seed,step)
    print '[+] saving as %s.exe' % fname
    with open(fname+'.exe','w') as f:
    f.write(exe)
    else:
    print '[-] nope, sorry world changed'
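
Review bot: `cksum` is unpacked from the last four bytes (`cksum = struct.unpack('I',d[-4:])[0]`) but never compared against anything, so a truncated or corrupted download is only caught by the later 'PE' test. Either verify it against the payload or drop the variable, and if it stays, use explicit little-endian formats (`'<I'`, `'<H'`) rather than native byte order. There is also no length check before `d[-4:]`, `d[0]`, `d[1]` and `exe[0x3c:0x3c+2]`, so a short response raises an exception instead of reaching the "nope" branch. The output file is opened with `'w'`; use `'wb'` so the decoded binary is not altered by newline translation on Windows. Since the result is a decoded sample, consider saving it without the `.exe` extension, and give `requests.get` a timeout and a status-code check before treating the body as a payload.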