Open IlluminatiFish opened 3 months ago
This seems to have been further obfuscated after the pyobfuscate, if not a different obfuscation schema entirely. I'll look into it and see if this should be added into the existing pyobfuscate deobf, or be its own thing entirely.
Seemingly pyobfuscate uses a new schema. Generated 3 samples earlier and none were deobfuscated. Tested with a simple one-line program (print("hi")), and the file contents look similar to the whoisbuild sample included above.
Tested on latest version @ a1c7ee2c9c3a44319b275ee217f1559cd0c0843f
switzrr@switz-nyarch ~/dev/mal/testing % vipyr-deobf -ds -t=pyobfuscate pyobfuscate-2.py
[2024-08-08 07:58:10,176]:INFO:Running deobf of pyobfuscate-2.py with schema <pyobfuscate>
[2024-08-08 07:58:10,176]:INFO:Running pyobfuscate
[2024-08-08 07:58:10,177]:ERROR:Payload not found
[2024-08-08 07:58:10,177]:INFO:Code has been deobfuscated successfully
Traceback (most recent call last):
File "/home/switzrr/.local/bin/vipyr-deobf", line 8, in <module>
sys.exit(run())
^^^^^
File "/home/switzrr/dev/vipyrsec-deobfuscator/src/vipyr_deobf/cli.py", line 160, in run
output = run_deobf(data, schema)
^^^^^^^^^^^^^^^^^^^^^^^
File "/home/switzrr/dev/vipyrsec-deobfuscator/src/vipyr_deobf/cli.py", line 73, in run_deobf
return format_func(*results) if isinstance(results, tuple) else format_func(results)
^^^^^^^^^^^^^^^^^^^^
File "/home/switzrr/dev/vipyrsec-deobfuscator/src/vipyr_deobf/deobfuscators/pyobfuscate.py", line 136, in format_pyobfuscate
webhooks = WEBHOOK_REGEX.findall(deobfed_code)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: expected string or bytes-like object, got 'NoneType'
Apologies in advance for the sample; it ends up breaking markdown, so trying to use code tags is annoying.
Using a longer script, it generated the following to run the payload:
fromstring1 = "-_+!1@2#3$4%5^6&7*8(9)0qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFG"
alphanumeric = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# String literals encoded with the shuffled alphabet; fromb64() maps them back at run time
lIlllllIl = "ihQlwp=="
lIIIIIlI = "e2)dtYTmyh)Eym=="
IlIlIlIIIIllI = "uq*h%(p="
IllIIllIlll = "+p=="

import base64  # used by fromb64 below; the import is not visible in the pasted excerpt


def fromb64(base64str):
    # Translate the shuffled alphabet onto the standard base64 alphabet, then decode
    fromstring = (
        "-_+!1@2#3$4%5^6&7*8(9)0qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFG".encode()
    )
    alphanum = (
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".encode()
    )
    translatedbytes = bytes.maketrans(fromstring, alphanum)
    return base64.b64decode(base64str.translate(translatedbytes)).decode()


import zlib

# `payload` (omitted from the excerpt) is a hex string with "!" and newlines inserted
# as noise: strip them, unhex, zlib-decompress, then exec the recovered stage
exec(
    zlib.decompress(bytes.fromhex(payload.replace("!", "").replace("\n", ""))).decode(
        "utf-8"
    )
)
I'm confident enough saying that this is a new version/schema of pyobfuscate.
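As an added example, not code from this issue or from vipyr-deobf, here is a static decoder for the schema shown above: it remaps the shuffled alphabet onto the standard base64 one and reverses the hex/zlib loader without ever calling exec(). The alphabets are the ones in the sample; SAMPLE_PAYLOAD is constructed here, and the assumption that "!" can appear between any hex digits is mine.

```python
import base64
import re
import zlib

# Alphabets copied from the sample in this issue: the obfuscator emits base64 over a
# shuffled alphabet and maps it back onto the standard one at run time.
CUSTOM_ALPHABET = "-_+!1@2#3$4%5^6&7*8(9)0qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFG"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
assert len(CUSTOM_ALPHABET) == len(STD_ALPHABET) == 64


def decode_custom_b64(token: str, custom: str = CUSTOM_ALPHABET) -> str:
    """Static equivalent of the sample's fromb64(): translate the shuffled alphabet
    to the standard one, then base64-decode. Strict mode rejects stray characters."""
    table = str.maketrans(custom, STD_ALPHABET)
    return base64.b64decode(token.translate(table), validate=True).decode("utf-8")


def decode_payload(payload: str) -> str:
    """Reverse the loader stub without exec(): drop the '!' and newline noise,
    unhex, zlib-decompress and return the next stage as text."""
    cleaned = payload.replace("!", "").replace("\n", "")
    return zlib.decompress(bytes.fromhex(cleaned)).decode("utf-8")


_LITERAL = re.compile(r'"([^"\\]*)"')  # plain double-quoted literals, no escapes


def recover_literals(source: str, custom: str = CUSTOM_ALPHABET) -> dict:
    """Map every literal that decodes cleanly under the custom alphabet to its
    plaintext; 'zlib', 'decompress', ... are what a detector can key on."""
    found = {}
    for lit in _LITERAL.findall(source):
        if not lit or any(ch not in custom + "=" for ch in lit):
            continue
        try:
            found[lit] = decode_custom_b64(lit, custom)
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            pass
    return found


# Constructed sample (not from the issue): a one-line next stage packed the way the
# loader expects it, with '!' inserted between every hex digit as noise.
SAMPLE_PAYLOAD = "!".join(zlib.compress(b'print("hi")').hex())

if __name__ == "__main__":
    print(recover_literals('a = "ihQlwp=="\nb = "e2)dtYTmyh)Eym=="'))
    print(decode_payload(SAMPLE_PAYLOAD))
```

Run against the four literals in the sample it yields zlib, decompress, utf-8 and a newline, which is the fingerprint a schema detector could match on before any payload handling.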
https://inspector.pypi.io/project/whoisbuild/1.0.1/packages/91/2b/0be0b33c7a81a7bd66820ac29d02245f6b90efbecd8729d100de73cd3bae/whoisbuild-1.0.1.tar.gz/whoisbuild-1.0.1/whoisbuild/utils.py
For some reason this pyobfuscate sample is not being detected nor deobfuscated properly, even if the obfuscation schema is supplied explicitly.