import os
import sys
import re
import random
import string
from pprint import pprint
# Maps each string literal taken from the input macro (quotes stripped) to the
# VBA concatenation expression that the script later substitutes for it.
obfuscated = {}
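def get_random_string(length):
    """Return a random token of ``length`` characters for use as a name.

    The first character is always a lowercase ASCII letter; the remaining
    ``length - 1`` characters are lowercase ASCII letters or digits. A
    ``length`` below 1 still yields the single leading letter.

    The token comes from the ``random`` module, so it is predictable and
    must not be treated as a secret.
    """
    # ascii_lowercase instead of string.lowercase: the latter is
    # locale-dependent on Python 2 and does not exist on Python 3, while
    # ascii_lowercase is the same fixed a-z alphabet on both.
    tail_alphabet = string.ascii_lowercase + string.digits
    head = random.choice(string.ascii_lowercase)
    tail = "".join(random.choice(tail_alphabet) for _ in range(length - 1))
    return head + tail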
# Per-run values. RANDOM_STRING is the XOR key passed to ed() and later
# written into the generated VBA decoder; RANDOM_FUNCTION_NAME becomes that
# decoder's function name.
RANDOM_STRING, RANDOM_FUNCTION_NAME = get_random_string(8), get_random_string(8)
def yes_no(question, default="yes"):
    """Ask a yes/no question on stdout and return the reply as a bool.

    ``default`` is the answer assumed when the user submits an empty line:
    "yes", "no", or None (in which case an explicit answer is required).
    Any other ``default`` raises ValueError. The question is repeated until
    a recognised reply is given.
    """
    answers = {"yes": True, "y": True, "ye": True,
               "no": False, "n": False}

    # Pick the hint shown after the question; the capital letter marks
    # the answer an empty reply will select.
    if default is None:
        prompt = " [y/n] "
    elif default in ("yes", "no"):
        prompt = " [Y/n] " if default == "yes" else " [y/N] "
    else:
        raise ValueError("invalid default answer: '%s'" % default)

    while True:
        sys.stdout.write(question + prompt)
        reply = raw_input().lower()
        if reply == '' and default is not None:
            return answers[default]
        if reply in answers:
            return answers[reply]
        sys.stdout.write("Please respond with 'yes' or 'no' "
                         "(or 'y' or 'n').\n")
def xor(data, key):
    """Return the byte-wise XOR of ``data`` and ``key`` as a bytearray.

    Both arguments are converted with bytearray(). The key is not repeated:
    zip() stops at the shorter input, so the result has that length.
    """
    left = bytearray(data)
    right = bytearray(key)
    return bytearray(x ^ y for x, y in zip(left, right))
def str_xor(s1, s2):
    """Return the character-wise XOR of two strings.

    Characters are paired positionally; the result is as long as the
    shorter of the two inputs because zip() truncates.
    """
    mixed = []
    for left, right in zip(s1, s2):
        mixed.append(chr(ord(left) ^ ord(right)))
    return "".join(mixed)
def ed(data, key):
    """XOR every character of ``data`` with every character of ``key``.

    Returns a string of the same length as ``data``. Because each character
    is XORed with all key characters in turn, the whole key collapses to one
    constant value (the XOR of its characters): the result is a
    single-constant XOR encoding, and applying the function twice with the
    same key restores the input.
    """
    pieces = []
    for ch in data:
        acc = ord(ch)
        for k in key:
            acc ^= ord(k)
        pieces.append(chr(acc))
    return "".join(pieces)
# Read the whole macro source named by the first command-line argument.
# NOTE(review): the handle is never closed explicitly, and a missing argument
# surfaces as a bare IndexError.
content = open(sys.argv[1]).read()

print "[*] Obfuscating strings..."

# Find string not within double quotes only
# The non-greedy pattern captures each "..." run that holds at least one
# character; '.' does not cross line breaks, so matches stay on one line.
m = re.findall("(\".+?\")", content)
for n in m:
    # Ignore matches that consist solely of quote characters.
    if (n.strip() != "\"\"") and (n.strip() != "\"\"\""):
        print "STRING FOUND: %s" % (n)
        tmpstr = n

        """ remove first '"' and last '"' """
        tmpstr = tmpstr[1:len(tmpstr) - 1]
        newline = ""
        # Encode the literal with the per-run key; ed() reduces the key to a
        # single XOR constant.
        encrypted_str = ed(tmpstr, RANDOM_STRING)
        # Build a VBA expression that rebuilds the encoded text: each
        # character becomes either chr(N) or a one-character literal, joined
        # with '&' and padded at random with empty "" literals. The long
        # chr()/""-concatenation chain is a recognisable trait of the output.
        for c in encrypted_str:
            """ randomly decide to convert to chr(xxx) or rename original """
            yesno = random.choice([1,2])
            if yesno == 1:
                newline = newline + "chr(" + str(ord(c)) + ") & "
                if random.choice([1,2]) == 2: # Add empty quote randomly
                    newline += '"" & '
            else:
                # A double quote inside a VBA literal is written doubled.
                if c == '"':
                    c = '""' # Fixed "
                newline = newline + '"' + c + '" & '
                if random.choice([1,2]) == 2: # Add empty quote randomly
                    newline += '"" & '

        """ remove last '&' """
        newline = newline[0:len(newline) - 2]
        # Keyed by the plaintext literal, so repeated literals share one entry.
        obfuscated[tmpstr] = newline # newline.rstrip()
# Find string not within double-double quotes only
# Second pass: spans that begin and end with a doubled quote (""). The
# pattern is greedy, so on a line with several such pairs the match runs
# from the first "" to the last "".
m = re.findall("(\"\".*\"\")", content)
for n in m:
    if n.strip() != "":
        print "STRING FOUND: %s" % (n)
        tmpstr = n

        """ remove first '"' and last '"' """
        # Drops exactly one character from each end of the match.
        tmpstr = tmpstr[1:len(tmpstr) - 1]
        newline = ""
        # Same encoding and expression building as the first pass.
        encrypted_str = ed(tmpstr, RANDOM_STRING)
        for c in encrypted_str:
            """ randomly decide to convert to chr(xxx) or rename original """
            yesno = random.choice([1,2])
            if yesno == 1:
                newline = newline + "chr(" + str(ord(c)) + ") & "
                if random.choice([1,2]) == 2: # Add empty quote randomly
                    newline += '"" & '
            else:
                # A double quote inside a VBA literal is written doubled.
                if c == '"':
                    c = '""' # Fixed "
                newline = newline + '"' + c + '" & '
                if random.choice([1,2]) == 2: # Add empty quote randomly
                    newline += '"" & '

        """ remove last '&' """
        newline = newline[0:len(newline) - 2]
        # Entries from this pass share the dict with the first pass and
        # overwrite any earlier entry that has the same key.
        obfuscated[tmpstr] = newline # newline.rstrip()
# Build the rewritten macro text: every recorded literal, including its
# surrounding quotes, is swapped for a call to the generated decoder whose
# argument is the concatenation expression built for that literal.
new_content = content
for plain, expr in obfuscated.items():
    quoted = '"' + plain + '"'
    call = RANDOM_FUNCTION_NAME + "(" + expr + ")"
    new_content = new_content.replace(quoted, call)
# Two one-line VBA helpers that are prepended to the output. They convert a
# String to a Byte array and back by plain assignment.
header = ""
header += 'Function str2byte(str As String) As Variant: Dim bytes() As Byte: bytes = str: str2byte = bytes: End Function\n'
header +='Function byte2str(bytes() As Byte) As String: Dim str As String: str = bytes: byte2str = str: End Function\n'

# Template of the VBA decoder that is prepended to the output. It XORs each
# non-zero byte of its argument with every byte of the constant p_ in turn,
# mirroring ed() above; zero bytes are skipped.
# NOTE(review): the zero-byte skip presumably passes over the high bytes of
# the string's byte array; confirm against VBA's String-to-Byte conversion.
# The key is stored in clear text in p_, so the original strings can be
# recovered from the emitted macro alone. The local names (p_, sb_, pb_,
# scb_, uL, idx) are not randomised here, only the three function names are.
decrypt_method = """
Function ds(str As String) As String
Const p_ As String = "<KEY>"
Dim sb_() As Byte, pb_() As Byte
sb_ = str2byte(str)
pb_ = str2byte(p_)
Dim uL As Long
uL = UBound(sb_)
ReDim scb_(0 To uL) As Byte
Dim idx As Long
For idx = LBound(sb_) To uL:
If Not sb_(idx) = 0 Then
c = sb_(idx)
For i = 0 To UBound(pb_):
c = c Xor pb_(i)
Next i
scb_(idx) = c
End If
Next idx
ds = byte2str(scb_)
End Function\n
"""

""" Rename function ds with random function name """
# Plain substring replacement: every "ds" in the template is rewritten.
decrypt_method = decrypt_method.replace("ds", RANDOM_FUNCTION_NAME)
# Fill the <KEY> placeholder with the key used to encode the strings.
decrypt_method = decrypt_method.replace("<KEY>", RANDOM_STRING)

""" Rename str2byte with random function name """
# The helper gets a 4-character random name, applied to both its definition
# in the header and its call sites in the decoder.
RANDOM_FUNCTION_NAME_1 = get_random_string(4)
header = header.replace("str2byte", RANDOM_FUNCTION_NAME_1)
decrypt_method = decrypt_method.replace("str2byte", RANDOM_FUNCTION_NAME_1)

""" Rename byte2str with random function name """
RANDOM_FUNCTION_NAME_2 = get_random_string(4)
header = header.replace("byte2str", RANDOM_FUNCTION_NAME_2)
decrypt_method = decrypt_method.replace("byte2str", RANDOM_FUNCTION_NAME_2)
print

# Rename the variables with random names
# Works on new_content only; the header and decoder are prepended later and
# are therefore not touched by this pass.
print "[*] Obfuscating variables..."
# Captures the text between "Dim "/"dim " and " As "/" as " on a line; the
# group is greedy, so it extends to the last " As " that still matches.
variables = re.findall("[dD]im (.+) [Aa]s .+:?", new_content)
for v in variables:
    # Captures of three characters or fewer are left unchanged.
    if len(v) > 3:
        print "VARIABLE FOUND: " + v
        new_variable_random_name = get_random_string(8)
        # Plain substring replacement over the whole text, not limited to
        # whole identifiers.
        new_content = new_content.replace(v, new_variable_random_name)
    else:
        print "SKIPPED VARIABLE: " + v + " (TOO SHORT)"
print

# Obfuscate the function names with random names
print "[*] Obfuscating function names..."
# Function declarations are only listed; nothing below renames them.
funcs = re.findall("function (.+) as", new_content, re.IGNORECASE)
for f in funcs:
    print f

# Each capture is the rest of the line after "sub " (case-insensitive), so
# it includes the parameter list.
subs = re.findall("sub (.+)", new_content, re.IGNORECASE)
for s in subs:
    if len(s) > 3:
        # Anything containing "document_" keeps its original name, so the
        # document event handlers remain identifiable in the output.
        if "document_" in s.lower():
            print "SKIPPED FUNCTION NAME: " + s + " (VBA DOCUMENT FUNCTION)"
        else:
            # The name is drawn before the "()" check, so a random name is
            # generated even for subs that end up skipped.
            new_function_random_name = get_random_string(8)
            # Only captures containing a literal "()" are renamed.
            if "()" in s:
                print "FUNCTION FOUND: " + s
                new_content = new_content.replace(s, new_function_random_name + "()")
            else:
                print "SKIPPED FUNCTION NAME: " + s + " (GOT PARAMETERS SO IGNORED)"
    else:
        print "SKIPPED FUNCTION NAME: " + s + " (TOO SHORT)"
# Assemble the final text: helper functions first, then the decoder, a blank
# separator line, and finally the rewritten macro body.
new_content = "".join([header, decrypt_method, '\n', new_content])

print

# Show the literal -> expression mapping collected by the string passes.
print "[*] Showing obfuscated result..."
pprint(obfuscated)

print

# The input file is overwritten in place, and only after explicit
# confirmation; an empty reply counts as "yes" (the yes_no default).
if yes_no('WARNING: Replace the file?'):
    target = open(sys.argv[1], "w+")
    target.write(new_content)
    target.close()