From cf51f5039031a91a602dac8c4ed89aefd3b92741 Mon Sep 17 00:00:00 2001
From: cccs-jh <63320703+cccs-jh@users.noreply.github.com>
Date: Mon, 20 Nov 2023 13:07:37 -0500
Subject: [PATCH] Move atob to multidecoder and remove base64 method
---
 deobs.py | 66 --------------------------------------------------------
 1 file changed, 66 deletions(-)
diff --git a/deobs.py b/deobs.py
index f9bab9b..9484c4c 100644
--- a/deobs.py
+++ b/deobs.py
@@ -47,7 +47,6 @@ def filter_iocs(
 class DeobfuScripter(ServiceBase):
 """Service for deobfuscating scripts."""
- FILETYPES = ["application", "document", "exec", "image", "Microsoft", "text"]
 VALIDCHARS = b" 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
 BINCHARS = bytes(list(set(range(256)) - set(VALIDCHARS)))
@@ -124,70 +123,6 @@ def hex_constant(text: bytes) -> bytes | None:
 output = regex.sub(rb"(?i)\b0x([a-f0-9]{1,16})\b", lambda m: str(int(m.group(1), 16)).encode("utf-8"), text)
 return output if output != text else None
- def b64decode_str(self, text: bytes) -> Optional[bytes]:
- """Decode base64"""
- output = text
-
- head: bytes
- bmatch: bytes
- tail: bytes
- for head, bmatch, tail in regex.findall(rb"((?:atob\()+)\'([A-Za-z0-9+/]+={0,2})\'(\)+)", text):
- iters = min(len(head) // 5, len(tail))
- d = bmatch
- for _ in range(iters):
- try:
- d = binascii.a2b_base64(d)
- except binascii.Error:
- break
- output = output.replace(b"atob(" * iters + b"'" + bmatch + b"'" + b")" * iters, b"'" + d + b"'")
-
- b64str: list[bytes] = regex.findall(b"((?:[A-Za-z0-9+/]{3,}={0,2}(?:&#[x1][A0];)?[\r]?[\n]?){6,})", text)
- for bmatch in b64str:
- if bmatch not in output:
- continue # was already processed by atob
- s = (
- bmatch.replace(b"\n", b"")
- .replace(b"\r", b"")
- .replace(b" ", b"")
- .replace(b" ", b"")
- .replace(b" ", b"")
- )
- uniq_char = set(s)
- if len(uniq_char) <= 6 or len(s) < 16 or len(s) % 4:
- continue
- try:
- d = binascii.a2b_base64(s)
- except binascii.Error:
- continue
- sha256hash = hashlib.sha256(d).hexdigest()
- if sha256hash not in self.hashes:
- if len(d) > 500:
- m = magic.Magic(mime=True)
- mag = magic.Magic()
- ftype = m.from_buffer(d)
- mag_ftype = mag.from_buffer(d)
- for file_type in self.FILETYPES:
- if (file_type in ftype and "octet-stream" not in ftype) or file_type in mag_ftype:
- b64_file_name = f"{sha256hash[0:10]}_b64_decoded"
- b64_file_path = os.path.join(self.working_directory, b64_file_name)
- with open(b64_file_path, "wb") as b64_file:
- b64_file.write(d)
- self.files_extracted.add(b64_file_path)
- self.hashes.add(sha256hash)
- break
-
- if len(set(d)) > 6 and all(8 < c < 127 for c in d) and len(regex.sub(rb"\s", b"", d)) > 14:
- output = output.replace(bmatch, d)
- else:
- # Test for ASCII seperated by \x00
- p = d.replace(b"\x00", b"")
- if len(set(p)) > 6 and all(8 < c < 127 for c in p) and len(regex.sub(rb"\s", b"", p)) > 14:
- output = output.replace(bmatch, p)
-
- if output == text:
- return None
- return output
-
 @staticmethod
 def vars_of_fake_arrays(text: bytes) -> bytes | None:
 """Parse variables of fake arrays."""
@@ -459,7 +394,6 @@ def execute(self, request: ServiceRequest) -> None:
 ("Array of strings", self.array_of_strings),
 ("Fake array vars", self.vars_of_fake_arrays),
 ("Simple XOR function", self.simple_xor_function),
- ("B64 Decode", self.b64decode_str),
 ]
 second_pass: TechniqueList = [
 ("MSWord macro vars", self.mswordmacro_vars),