vipyrsec / vipyrsec-deobfuscator

Rewrapping FieryIceStickie's Deobfuscation Tools
MIT License
6 stars 3 forks

[FIX] pyobfuscate not being detected/deobfuscated properly #49

Open IlluminatiFish opened 3 months ago

IlluminatiFish commented 3 months ago

https://inspector.pypi.io/project/whoisbuild/1.0.1/packages/91/2b/0be0b33c7a81a7bd66820ac29d02245f6b90efbecd8729d100de73cd3bae/whoisbuild-1.0.1.tar.gz/whoisbuild-1.0.1/whoisbuild/utils.py

For some reason this pyobfuscate sample is not being detected nor deobfuscated properly even if the obfuscation schema is supplied explicitly.

FieryIceStickie commented 2 months ago

This seems to have been further obfuscated after the pyobfuscate, if not a different obfuscation schema entirely. I'll look into it and see if this should be added into the existing pyobfuscate deobf, or be its own thing entirely.

Realswitzer commented 2 months ago

Seemingly pyobfuscate uses a new schema. Generated 3 samples earlier and none were deobfuscated. Tested with a simple one line program (print("hi")), and the file contents look similar to the whoisbuild sample included above.

Tested on latest version @ a1c7ee2c9c3a44319b275ee217f1559cd0c0843f

```
switzrr@switz-nyarch ~/dev/mal/testing % vipyr-deobf -ds -t=pyobfuscate pyobfuscate-2.py
[2024-08-08 07:58:10,176]:INFO:Running deobf of pyobfuscate-2.py with schema <pyobfuscate>
[2024-08-08 07:58:10,176]:INFO:Running pyobfuscate
[2024-08-08 07:58:10,177]:ERROR:Payload not found
[2024-08-08 07:58:10,177]:INFO:Code has been deobfuscated successfully
Traceback (most recent call last):
  File "/home/switzrr/.local/bin/vipyr-deobf", line 8, in <module>
    sys.exit(run())
             ^^^^^
  File "/home/switzrr/dev/vipyrsec-deobfuscator/src/vipyr_deobf/cli.py", line 160, in run
    output = run_deobf(data, schema)
             ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/switzrr/dev/vipyrsec-deobfuscator/src/vipyr_deobf/cli.py", line 73, in run_deobf
    return format_func(*results) if isinstance(results, tuple) else format_func(results)
                                                                    ^^^^^^^^^^^^^^^^^^^^
  File "/home/switzrr/dev/vipyrsec-deobfuscator/src/vipyr_deobf/deobfuscators/pyobfuscate.py", line 136, in format_pyobfuscate
    webhooks = WEBHOOK_REGEX.findall(deobfed_code)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: expected string or bytes-like object, got 'NoneType'
```

Apologies in advance for the sample; it ends up breaking markdown, so trying to use code tags is annoying.

Obfuscated sample, formatted with `black`:

```python
pyobfuscate = lambda getattr: [
    ((lambda IIlII, IlIIl: setattr(__builtins__, IIlII, IlIIl))(IIlII, IlIIl))
    for IIlII, IlIIl in getattr.items()
]
Il = chr(114) + chr(101)
lI = r"[^a-zA-Z0-9]"
lIl = chr(115) + chr(117) + chr(98)
lllllllllllllll, llllllllllllllI, lllllllllllllIl, lllllllllIIllIIlI = (
    __import__,
    getattr,
    bytes,
    exec,
)
__import__("sys").setrecursionlimit(100000000)
lllllllllIIllIIlI(
    llllllllllllllI(
        lllllllllllllll(lllllllllllllIl.fromhex("7a6c6962").decode()),
        lllllllllllllIl.fromhex("6465636f6d7072657373").decode(),
    )(
        lllllllllllllIl.fromhex(
            """789ced5deb6eeb380e7e95ecafda6d26c8fe4d91579817080221a74dbb01d2e620cdc1cc60b1efbebe5b122f2265e5d21c07834e2d8914f9f12345db6d8f31cbfde6e3c7eb666216a77f7e6eb347933f9bb9597e9d8ecfa6fc2c5f772fa762a85b375f98f9cc9897c3ebd698d9cbc16c8eef2f875f9fa77abd59fe79f8dc16dfcf97665e0e2d8dc95685ca2c9f16ff554bb26a789ed92acba97e6c61aa116751b1a05a98aff366ab4262b57e26b7403e8d178bdd697b9c12738557b58219ae0399b247b23ccf57a61c58545f1fabafeb278d3e4bd72a33f5f463ade8a9fa5a60d07aeadb5f44b25cffb2df7c7d1933850b166ffbc3e6e47b6fec00eb11688cad6d55391b29e6c89318d5bcf25c5c1c8eaf537f6cb5761071c9e01a520ed56a135106f329f7c36bedd727c3b2a0fe1c59e8b3e1757774b9402ffddc7c6cfbb5c358915535054a54fee545b1997b5eb680fe67fbf714b1ed7d8b7bd18afd3cfc350583effbc38fcdfe6bea7af3be3d6d4ea7a3635c5624d54acfc1ac4ff938120f50d08f583a942a8aa16902031c13d26819a884280bd14a6bc595eabab6a770f2c284c11414a5cf4fc4f2d326d0cbe1e3e7be4ac8bedebdedf67d2e92c5b23161dad64bec33a086763389626deb33646cea9d1eb3e6ffcd7ef8fe79378dcf3b57054a797e068345e2a9736518c1a35d0a1eab6d6529bb4bef34151310d684685f7be87d2a0c844d551738024467646b46ad4f4e6c5bb6ece0a606ad4ee5a7ad1dc5dd0a595fba45fffd5f7de710dbdb2608537c9e26e489d570e7ba6e6eb50eb02bcb84758eaf9acd554c318cb99be865a24ef50a1545f96cc2487cbd90cf89e403a2917c089ca94a5ed8b44d9977dd5388652f9821b70fed5389597d91b5924ab176b3d8434be8d5372f67f649c1b4a559d2ee2d0d4f7d6fc65cbe5c2
e737dbe2d71d3be355624eafba44af445a094f8a335d6bd856c9f33d56ddf154a4a1c8ebe6c4cef714ec46d49ea34c304fc32695f0ce9e102a5c4cb234e036f99a46c63495b496574fa16c731a15a7bb0a0c1f01d103c331058dcadc7df1b347947cbe75846463d0cb1d70e3b24cf734a6295bf3fde24c7a0fff8de2a6f5523d76d99e58ff66600b22767752b9365fe7028f473545309c4ee0dc7c91a2ddbd3f91ac4bf7cecb1dd7f6d81359531f3019ae1161c2ff3fced70ac7cdc7d961d606e3deac79f49fa66d48c58748752dc6d9b1b568744a2b85672ce6b8fc50a2ecb9a173eb3ceac790340fda4a4c480f4d9ba91288c58a32f5ffa5b0b2b4eed4586589e4176d9cb8aef71ce0baa1581530513f7c85a70620c6bf94d577cc19b44746f67eb5698eb2d613739657730b064015b9177969812fb2b7140516f8f25c0bb40121b383bc891a5822a89667720f13f18806d8fb401a85b7ce781bca956465a785b328df3891b86012c9f72c43ce2d0ca2ceb2df3ea89be56b64561061717d74ff678f57f7bc45f005778eadcf4c397a15a48c58e09e59729be01a193b0159b6acca794335e5bb300b19a2bebfac08ee08af3d13f869b0e174fc5b8998d0cc4a95f46f10086f71a03fe28300ca5b2ad065b40f19fc209ae9fc532349cf59c39b6343f0b5451e3422d021865a8fa660fcdf690f5420f67025a21d603610a279f059298bb6a15c595b6b4774e5ebe315502f2c980c7528bf5d5f875b6fddc46e5245c00ab2f33e08f02c3509ebb1c840b54c9e1ec4ea8257841b21fc537603463a5bd5c406c5bd5ad5455c10406e2b0fe535f563151de2e1d5178bb1964b853069747f67515aa354a6d7777f61385a18586da3074b81b7c2cbb5d144751201af6b41c3ec41fc63c5c8b0c41c25b11f7fc8584908a5002092900ed9c1b70192da232c7d724edba8979e5b410666d62313c54022991b7876928ef91743c5b22a11ab9cb39116a1f18f4aa9198676eceedc0b5ef01a083d8920b0cf8a3c0b0206b34d470b7478d09dd5fcfd84b4f829ff53eb7d3a43349294c204cadd08fc19d7837c46470b80c61818fa35970734e15631de283ee20b39520265f061336c108211edf1b3ce25d9c186e22d6b878dcefd94ca0c20149db840fd350de23e978b68c7d651aee4240a03c035a35423c29be6293886000042f33e08f022c83e1d7c4d8dd1e35666c10d9eca2b8333688b8f932c083f671aa1807c61e5204954042ee453d37f6905e9052f490c4761c9012797b9886f21e49c7b365ec2107721722010519b4aa11af791c9b46641460188cb726a8eef6a83163d3c8a613c59db169c4cd97011eb48f53c53830368d22a80412722feab9b169f48234a869c4b7e100a46dc1876908ef916c3c4bc
666310567b19da03c035a35021e385ef77d343417f3f177ec1b7905f81452e6eeb09b144cf8e340b12093d86d7067c61e04107bace7fddcd8839c936c3c4bc61e240567b19da03c035a3582bcf41cf88b8c313acef3db35183cbf5b3f83ed4ea84514cebcf900b582fa382bede5fc2c50357643bc8bb7ff6b350cb780f10e9765c820e6b976aa354a5d747776ae584ac3a9000fa21a1a34109ac3d2318a07480e1fe20f631eae458620e12d4502a060e686f32e7a3786b1416b5c3ceeb3e962b6e38094c8dbc33494f7483a9e2d91508ddca5ec40c4e010035f35d236fe83ef176ee26681741a2cbfcc803f0a0c0b5249c317747b67f7c85ed0578ce22b6b8a302bede5fc2c5075fe0643053637818148d6ae90e7211891e5faded29f42d9a5afb1c8263ce349c73489f26d881532407d0c33f0a1e542c85f6e0ee084a10f4980f502d026e792ba2b8eab99848fae30bd88b09fd87e7cbd81c03f767efd1c49042590b44df8300de53d928e674b24542377fd0988085420e53673bc7157d41e429e883c17915cce0e553609fc707776ae18afb4e107f1c7dde0e3daeda2c807c7281e20397c883f8c79b8161982bcb7288243ea20afc270ecd31d4e88c8b92ce724d8672991b5a95b5c3f11b981a720080260d96506fc5100211a2c5b8d2c6db0edb1f4e6f6a6314655f5b2fc2c5075fe3a22c5076be4e4ce00b4d10e86fa6ba60877345d8fb75d7873b12f6e20987da08de3f9785e5ed3dee2e8210a666e38837d9a688a979002d0ce090e3f400b8ab1416b5c3c545ef8f3ca6921ccdac41adff45d86743c5b22a11ab98bc28e1d7ea2b2d82dc67eb82ffa7ddf0d74b8b80e6cf16506fc51108f208d345c71b7478d197f4536481ca082746ae6ef2df0e39bff8a2ce94790fa123b6996b443c2138fcf2051404374fba6e4174c04f90704034c89ab5f9cf300375425cf3e820038f6e92ab02f4c2fc2ba227afbf19d2102ffd843f6737ddd5263479b810fd3e8dd23cf7882444235d2b507287cdc00b48491f3dd0b976bc6475a4d4805ea215dfe895d93f673418988b7316275ae0922bde9ac94d965dc645513d4f1d0bf11bff69d34b4165b7281017f5496e7b61a6c01c503777bd498f1fe994d495405e9d4ccdf5be0c71ddc3f33f8517631bca0acfb5e671085099b6084108fef0d36902e4e0c37116b5c3ceeaaf3a37552a301e802a1a7a1bc47d2f16c89846ae42e6507d811ea61c0ab46ec1ef1da1d228a03e6e36fd7248e3f4ce4e283154eb93321b4898501577029313a0cdb9c2b3642f2cd9a496516506b102f5d0b18fe7e338ad2de526c010a666e38efe2e467181bb4c6c5e30e8f6c615e9da177ba4fb2f12c89846ae4ac1306c0e0d8c632fe57fdf592917f5e2066b7aefb5d350
ba6a67e685cae6a519c3a7359ee5e334b1b3dac34b6649de4df2ae55c5a27fe27af6e0a3e6409eeef25bc45761efe67f6ae102614c5384f2ef5638443ffca329123df2f4960e65fac9c5fc079a2965dd9d0f5b0dfed5aadd3fc919d01d2b717697d89ba7d1f50f6debed9fa148dcb87a1c83812fdb2e263eaf1c74753b7cde5d7dcb932fd35be3a772ba9a51e575e0f833df06190fdbdfa7abd23e61a1a32db8b841c174221be7be7491e73e604bc075f699f24c1a01c93e1e97535fede5e8c3a5c08f6400785511d54fa442ec8708a7174489418fc65d6b7d351e467b209456350e20ee9c4064457502db982c5cb3b83ee1857a9c42a197e18797aa99330497c140686aa10cc2d829f743167b86ea4b92c1c0e1e7fce86227e0efc971a258e0bec08321b712f1170aafe836e4b34a732724ea7baad8ea90b2004f1dd61ab44787874f8058b91b235ed14cbfa45fe8485d6463db2097988ee15aa3b898e58bc6e8a739b0d43f8d412c480ca4059dbd77e526553341913966e1b5633fc8cd3a48e2669e4f75e4270fad0a6eb2524c74e28238cd17554ad50f49b9de1a759f41d6fa7970dabc3503d9128da4637dc06e6191f91ee93a66e84771edad3daba759d6678cbc806776019218292ec89176ec2f978272dbd11e14dd166eb1e0db83a13bd3da5501c9a31127f1d87529d6042962126845b728969ea5e3cf2258d2668eafe66d04da1e2fe5c71726a8a5a3ee41d926eabb3d6875ac5a003487cffa1baa38ebb2b38c7d38e044ecaab92febe8d3d80848f8ca26ee4d894683fe77b1da26b36148109bee7093eda88d3a9a8b708d4699f5d70d82678421775372239b0d5376be25ef03cfd1b9a34672b62f2c8a5e2462826e7e977e29e11e6f5ebfbe2bfe72e12abac5602345563edcf03ccea8b222ec46a67a93fe18981b5bc6a4a3d2e451ac2ecc3c91052bc48d023549c154224029be0261242943ffe72775d35bb7ece9a1f5b9964cd779397c3eb7631d9febd3b65e5b7799efd3b9fecde269f87d3e465b3df6f7eecb7d9fbf6b4399d8e05577ffcdaed4fbbcf2f63a6938797c3c7cfdd7efb309dfc79f82c442787e3045b3a6b161622c67c1c5e7fedb7c614520f0ff9e45fcbc943bbf241a4e073f3e18ab7664cb6fbaf6d634a56274e0d5175517e9b1124a0a60acc5678ad5e3f2954956a2a41955442031c23cc3acfe2e15898be94ab6df00d51c967ab75a4a461816c7fe6a93ec6fae32c81ea6f4d92fcffc604324a""".replace(
                "\n", ""
            )
        )
    ).decode()
)
```

Using a longer script, it generated the following to run the payload:

```python
import base64
import zlib

fromstring1 = "-_+!1@2#3$4%5^6&7*8(9)0qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFG"
alphanumeric = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
lIlllllIl = "ihQlwp=="
lIIIIIlI = "e2)dtYTmyh)Eym=="
IlIlIlIIIIllI = "uq*h%(p="
IllIIllIlll = "+p=="


def fromb64(base64str):
    # Map the custom 64-character alphabet back onto the standard base64
    # alphabet ("=" padding is left untouched), then decode normally.
    fromstring = (
        "-_+!1@2#3$4%5^6&7*8(9)0qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFG".encode()
    )
    alphanum = (
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".encode()
    )
    translatedbytes = bytes.maketrans(fromstring, alphanum)
    return base64.b64decode(base64str.translate(translatedbytes)).decode()


# `payload` (the hex-encoded, zlib-compressed script, padded with "!" and
# newlines) is omitted from the post.
exec(
    zlib.decompress(bytes.fromhex(payload.replace("!", "").replace("\n", ""))).decode(
        "utf-8"
    )
)
```

I'm confident enough saying that this is a new version/schema of pyobfuscate.
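The two wrapping layers the comments above describe (a `!`-padded hex string that is zlib-decompressed and handed to `exec`, and base64 written in a custom 64-character alphabet) can each be recognised and unwrapped statically. The following is an added example written for this thread; it is not code from vipyrsec-deobfuscator or from pyobfuscate, and the function names (`find_schema_markers`, `extract_payloads`, `decode_custom_b64`, `build_constructed_sample`) and the regex are assumptions of this example. The hex-encoded `zlib` / `decompress` name literals it keys on are the ones visible in the sample; the sample file it analyses is constructed inside the block.

```python
"""Added example: static markers and decoders for the two layers seen above.

Layer A: hex text (padded with "!" and newlines) -> bytes.fromhex -> zlib.decompress -> exec
Layer B: base64 in a custom alphabet, mapped back with bytes.maketrans before b64decode

Nothing here is the project's own code; all inputs are constructed for the demo.
"""
import base64
import re
import zlib

# Custom alphabet quoted in the generated fromb64() above, and the standard one.
CUSTOM_ALPHABET = b"-_+!1@2#3$4%5^6&7*8(9)0qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFG"
STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
assert len(CUSTOM_ALPHABET) == 64 and len(STD_ALPHABET) == 64

# The sample resolves module and attribute names from hex literals; these two
# next to bytes.fromhex() are a cheap static fingerprint for the schema.
SCHEMA_MARKERS = {
    "7a6c6962": "zlib",
    "6465636f6d7072657373": "decompress",
}

# Matches bytes.fromhex("...") / bytes.fromhex("""...""") bodies, allowing the
# "!" and newline padding that the generated loader strips before decoding.
FROMHEX_RE = re.compile(r'\.fromhex\(\s*"{1,3}([0-9a-fA-F!\s]+?)"{1,3}')


def find_schema_markers(source: str) -> list[str]:
    """Return the decoded names of every known hex-encoded marker in source."""
    return [name for hexname, name in SCHEMA_MARKERS.items() if hexname in source]


def decode_hex_zlib_layer(blob: str) -> str:
    """Undo Layer A: drop "!" and whitespace, fromhex, zlib-decompress, decode."""
    cleaned = re.sub(r"[!\s]", "", blob)
    return zlib.decompress(bytes.fromhex(cleaned)).decode("utf-8")


def extract_payloads(source: str) -> list[str]:
    """Try every fromhex literal as a Layer A payload; skip the ones that are not."""
    found = []
    for blob in FROMHEX_RE.findall(source):
        try:
            found.append(decode_hex_zlib_layer(blob))
        except (ValueError, zlib.error):
            continue  # short name literals such as "zlib" are hex but not zlib streams
    return found


def decode_custom_b64(token: str) -> str:
    """Undo Layer B exactly as the generated fromb64() does."""
    table = bytes.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)
    return base64.b64decode(token.encode().translate(table)).decode()


def encode_custom_b64(text: str) -> str:
    """Inverse of decode_custom_b64; used only to build constructed test data."""
    table = bytes.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)
    return base64.b64encode(text.encode()).translate(table).decode()


def build_constructed_sample(inner_source: str) -> str:
    """Construct a loader shaped like the sample (identifiers shortened)."""
    hexblob = zlib.compress(inner_source.encode()).hex()
    # Mimic the "!" and newline padding the generated script removes.
    padded = "!\n".join(hexblob[i : i + 40] for i in range(0, len(hexblob), 40))
    return (
        "b = bytes\n"
        'f = getattr(__import__(b.fromhex("7a6c6962").decode()), '
        'b.fromhex("6465636f6d7072657373").decode())\n'
        f'exec(f(b.fromhex("""{padded}""".replace("!", "").replace("\\n", ""))).decode())\n'
    )


if __name__ == "__main__":
    sample = build_constructed_sample('print("hi")\n')  # constructed input
    print("markers:", find_schema_markers(sample))
    print("payloads:", extract_payloads(sample))
    print("custom b64 round trip:", decode_custom_b64(encode_custom_b64("ok")))
```

`extract_payloads` is deliberately tolerant: it attempts every `fromhex` literal and discards those that are not zlib streams, which is what lets it reach the real payload when the loader is wrapped differently from the schema the existing regex expects. A deobfuscator that returns `None` instead of raising (as in the traceback above) should be checked by the caller before the result is handed to `WEBHOOK_REGEX.findall`.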