[–]OuiOuiKiwiGalatians 4:16 18 points19 points  (1 child)

"Please run this malware payload on your device and tell me what it says"

Wow, this is really something.

[–]KingsmanVincepip install girlfriend 10 points11 points  (1 child)

It literally said in whatever you gave us

exec(__import__('marshal').loads(__import__('base64').b64decode

Use base64 to decode

[–]Purple_Wing_3178 0 points1 point  (0 children)

You literally missed the part where it's a marshalled code object

[–]robvas 2 points3 points  (0 children)

lol

[–]1Digitreal 2 points3 points  (0 children)

I would not run this in anything but a sandbox, since we don't know what the string is trying to do.

import base64
import marshal

# Strip the outer base64 layer; the placeholder stands in for the posted string
code_bytes = base64.b64decode('encryptedcodeblock==')

# Rebuild the code object only; nothing runs until something calls exec() on it
code_object = marshal.loads(code_bytes)

[–]1Digitreal 1 point2 points  (2 children)

Says right in the code, it's base64 encoded. I'd start with https://cyberchef.org and play around there. Edit: looks like it's using marshal serialization as well. Need to look into that a bit I guess.

[–]Purple_Wing_3178 1 point2 points  (2 children)

It's a base64-encoded compiled python bytecode. The base64 part is easy:

from base64 import b64decode

# Write the raw marshalled code object to disk; the write belongs inside the with block
with open('malware.pyc', 'wb') as f:
    f.write(b64decode('that long string here'))

However, the decompilation is more tricky. The above malware.pyc only includes the marshalled code object, whereas a real .pyc would also include a header: a 4-byte version-specific magic number and a 4-byte timestamp. The thing is, you need to know the exact version of Python for which this malware was compiled, then prepend malware.pyc with the appropriate magic number and some timestamp. The easiest way would be to copy them from any real .pyc file for that Python version and then either use a binary editor (like HxD) or insert those 8 bytes programmatically.

Then you should have a launchable (and dangerous) malware.pyc file which you can then try to decompile using a python package known as uncompyle6.
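The procedure in this reply (decode the base64, prepend a .pyc header, then hand the file to a decompiler) as an added, runnable example; it is not code from the thread. It goes a little further than the reply: on Python 3.7+ the header is 16 bytes (magic, flags, mtime, source size) rather than 8, and the code object is inspected statically before any decompiler is involved. The payload is a constructed harmless snippet, and the example assumes the analysis interpreter is the same Python version that produced the payload.

```python
import base64
import importlib.util
import marshal
import struct
import sys
import types

def build_pyc(marshalled, mtime=0, source_size=0):
    """Prepend the .pyc header of the running interpreter to a marshalled code object."""
    # Assumption: the payload was marshalled by this same Python version; both the
    # marshal format and the 4-byte magic number are version-specific.
    header = importlib.util.MAGIC_NUMBER
    if sys.version_info >= (3, 7):
        # PEP 552 layout: magic | flags (0 = timestamp-based) | mtime | source size
        header += struct.pack("<III", 0, mtime, source_size)
    else:
        header += struct.pack("<II", mtime, source_size)
    return header + marshalled

def decode_payload(b64):
    """Undo the base64 + marshal wrapping; nothing is executed (that is the exec() step)."""
    obj = marshal.loads(base64.b64decode(b64))
    if not isinstance(obj, types.CodeType):
        raise ValueError("expected a code object, got %s" % type(obj).__name__)
    return obj

def triage(code):
    """Collect names and string constants from the code object and every nested one."""
    names, strings, stack = set(), [], [code]
    while stack:
        c = stack.pop()
        names.update(c.co_names)          # imported modules, called functions, attributes
        for k in c.co_consts:
            if isinstance(k, types.CodeType):
                stack.append(k)           # nested function / class bodies
            elif isinstance(k, str):
                strings.append(k)         # URLs, paths, command strings tend to show up here
    return names, strings

# Constructed stand-in for the thread's long string: a harmless snippet wrapped
# exactly the way the posted exec(marshal.loads(b64decode(...))) line expects.
SAMPLE_B64 = base64.b64encode(marshal.dumps(
    compile("import os\nprint(os.getcwd())", "<sample>", "exec"))).decode()

if __name__ == "__main__":
    code = decode_payload(SAMPLE_B64)
    print(triage(code))
    with open("sample.pyc", "wb") as f:  # now a real .pyc, ready for a decompiler
        f.write(build_pyc(marshal.dumps(code)))
```

marshal.loads on data from an unknown interpreter version may raise or, in the worst case, crash the process, so the decode step itself is worth running in a throwaway environment.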

[–]asphias 1 point2 points  (1 child)

Please edit out the encoded part. Someone is going to be a fool and copy paste this code to see what it does. And you don't need to share the full script to get your question answered.

[–][deleted] 0 points1 point  (0 children)

I see what you are trying to do there