-
Notifications
You must be signed in to change notification settings - Fork 14
/
getc2_imp.py
128 lines (106 loc) · 4.11 KB
/
getc2_imp.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
#!/usr/bin/python
from androguard.misc import *
import sys
from Crypto.Cipher import ARC4
from androguard.core.androconf import show_logging
import logging
from base64 import b64decode
show_logging(level=logging.FATAL)
def dropDex(apkname):
try:
a,d,dx= AnalyzeAPK(apkname)
except Exception as e:
print(e)
return
for c in dx.get_classes():
for m in c.get_methods():
try:
caller_method = m.get_method()
if caller_method.get_descriptor() != "([B [B)V":
continue
source = caller_method.get_source()
if "length" in source:
caller_xrefs = m.get_xref_from()
if len(list(caller_xrefs)) != 1:
continue
key_method = list(caller_xrefs)[0][1]
dexobj = key_method.get_source()
rc4_decrypt_key = re.findall("= {(.{100,300})};",dexobj)
if len(rc4_decrypt_key) == 0:
continue
key = re.findall("(-?[0-9]+),?",rc4_decrypt_key[0])
key = list(map(lambda x: int(x)&0xff,key))
print("Key : {}".format(key))
key = b''.join(list(map(bytes,[key])))
image_list = a.get_files()
for fil in image_list:
fullsize = a.get_file(fil)
rc4 = ARC4.new(key)
dec = rc4.decrypt(fullsize[4:])
if dec[:2] == b'PK':
filesize = int.from_bytes(fullsize[0:4],byteorder='little')
print("[+] Filesize = {}".format(filesize))
print("[+] Zip header found. Decrypted payload : {}".format(sys.argv[1]+".decrypted"))
dexname = sys.argv[1]+".decrypted"
f = open(dexname,"wb")
f.write(dec[:filesize])
f.close()
return dexname
except:
pass
def v25(source):
lines = source.split("\n")
c2 = lines[10]
key = lines[14]
if "https" not in source:
c2a = re.search("\(\"(.*)\"\)",c2).group(0)
s1 = c2a[1:-1].replace("\"","").split(", ")
s1_d = b64decode(s1[0]).decode("utf-8")
c = ARC4.new(s1[1])
panel = c.decrypt(bytes.fromhex(s1_d)).decode("utf-8")
else :
panel = re.findall("= \"(.*)\";",c2)[0]
keya = re.search("\(\"(.*)\"\)",key).group(0)
s2 = keya[1:-1].replace("\"","").split(", ")
s2_d = b64decode(s2[0]).decode("utf-8")
c2 = ARC4.new(s2[1])
key = c2.decrypt(bytes.fromhex(s2_d)).decode("utf-8")
print("[+] C&C and Key found !")
print("C&C: {}\nKey: {}".format(panel,key))
def v24(source):
lines = source.split("\n")
c2 = lines[6].strip().split("\"")[1]
key = lines[10].strip().split("\"")[1]
print("[+] C&C and Key found !")
print("C&C: {}\nKey: {}".format(c2,key))
def dropC2(dexname):
d = AnalyzeAPK(dexname)
bad_classes = ["/ooooooooooooooooo;","/oooooooooooooooooo;","/ooooooooooooooooooo;","/a;","/b;", "/c;"]
possible = []
for i in d[1][0].get_classes():
if i.name.count("/") == 3:
for c in bad_classes:
if c in i.name:
possible.append(d[1][0].get_class(i.name))
for c in possible:
done = False
for m in c.get_methods():
try:
source = m.get_source()
if source.count("this") < 55 and source.count("this") > 49:
v25(source)
return
if source.count("this") < 22 and source.count("this") > 18:
v24(source)
return
except Exception as e :
pass
if done:
break
if __name__ == '__main__':
if len(sys.argv) != 2:
print("Usage python getpayload.py pathtoapk.apk")
exit()
dexname = dropDex(sys.argv[1])
if dexname != None:
dropC2(dexname)