Repository: RedDrip7/SunBurst_DGA_Decode
Branch: main
Commit: 6fe2a6652fa9
Files: 2
Total size: 3.6 KB
Directory structure:
gitextract_3s8hesqs/
├── README.MD
└── decode.py
================================================
FILE CONTENTS
================================================
================================================
FILE: README.MD
================================================
cat test.input | python decode.py
DGA domain names from https://github.com/bambenek/research/blob/main/sunburst/uniq-hostnames.txt
================================================
FILE: decode.py
================================================
# -*- coding:utf-8 -*-
import sys,os
import random
import base64
import random
'''
# author = "QiAnXin_RedDrip"
# twitter = @RedDrip7
# create_date = "2020-12-15"
# update_date = "2020-12-16"
# Thanks QiAnXin CERT for the discovery of decodeable DGA domains
# https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug
'''
def Int2Hex(value,format):
#format 可以是2/4/8
hexStr = ""
hexStr = hex(value)
if(len(hexStr) != format+2):
zero = format+2 - len(hexStr)
for i in range(zero):
hexStr = hexStr[:2] + '0' + hexStr[2:]
return hexStr[2:]
def Base32Encode(tring,rt):
text = "ph2eifo3n5utg1j8d94qrvbmk0sal76c"
text2 = ""
num = 0
ib = 0;
for i in range(len(tring)):
iint = tring[i]
b = "0x" + Int2Hex(ord(iint),2)
num |= (int(b,16) << ib)
ib+=8
while (ib >= 5):
text2 += text[num & 31]
num >>= 5 #将高位的部分右移
ib -= 5
pass
pass
if (ib > 0):
if (rt):
pass
text2 += text[(num & 31)]
pass
return text2;
def Base32Decode(string):
text = "ph2eifo3n5utg1j8d94qrvbmk0sal76c"
restring = ""
datalen = len(string) / 8 * 5
num = 0
ib = 0;
if len(string) < 3:
restring = chr(text.find(string[0]) | text.find(string[1]) << 5 & 255)
return restring
k = text.find(string[0]) | (text.find(string[1]) << 5)
j = 10
index = 2
for i in range(datalen):
restring += chr(k & 255)
k = k >> 8
j -= 8
while( j < 8 and index < len(string)):
k |= (text.find(string[index]) << j)
index += 1
j += 5
return restring
'''OrionImprovementBusinessLayer.CryptoHelper.Base64Decode'''
def Encode(tring):
text = "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj"
text2 = "0_-."
text3 = ""
#print random.randint()
for i in range(len(tring)):
ch = tring[i]
tx_index = -1
tx2_index = -1
if ch in text2:
tx2_index = text2.find(ch)
text3 = text3 + text2[0] + text[tx2_index + (random.randint(0,8) % (len(text) / len(text2))) * len(text2)]
else:
tx_index = text.find(ch)
text3 = text3+text[(tx_index + 4) % len(text)]
return text3
'''OrionImprovementBusinessLayer.CryptoHelper.Base64Decode-decode'''
def Decode(string):
text = "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj"
text2 = "0_-."
retstring = ""
flag = False
for i in range(len(string)):
ch = string[i]
tx_index = -1
tx2_index = -1
if flag:
t1i = text.find(ch)
x = t1i - ((random.randint(0,8) % (len(text) / len(text2))) * len(text2))
retstring = retstring+text2[x % len(text2)]
flag = False
continue
if ch in text2:
tx2_index = text2.find(ch)
flag = True
pass
else:
tx_index = text.find(ch)
oindex = tx_index - 4
retstring = retstring+text[oindex % len(text)]
pass
return retstring
#print Encode("qingmei-inc.com")
#print Decode("aovthro08ove0ge2h")
#print Base32Decode("9tslbqv1ftss4r01eqtobmv1")
'''
1fik67gkncg86q6daovthro0love0oe2.appsync-api.us-west-2.avsvmcloud.com
this.guid --> 1fik67gkncg86q6
单个字符: d
域: qingmei-inc.com --- > aovthro0love0oe2h 但是由于取的是this.dnStrLower而不是this.dnStr,会吞掉一部分字符,所以最终"h"被吞掉了
'''
#在有域的主机中,走GetPreviousString()模式, 拼接方式: CreateSecureString(this.guid, true) + 一个字符 + this.dnStrLower + ".appsync-api.us-west-2.avsvmcloud.com"
for line in sys.stdin:
data = line.rstrip().split(".")[0]
if len(data) < 16:
continue
string = data[16:] #前十六字节: this.guid + 一个字符
if "0" not in string: #如果没有0,说明不是OrionImprovementBusinessLayer.CryptoHelper.Base64Encode和OrionImprovementBusinessLayer.CryptoHelper.Base64Decode,暂时解不开
continue
try:
if "00" in string:
string = string[2:]
comp = Base32Decode(string)
else:
comp = Decode(string)
print "%s,%s" % (line.rstrip(),comp)
except:
pass
gitextract_3s8hesqs/ ├── README.MD └── decode.py
SYMBOL INDEX (5 symbols across 1 files) FILE: decode.py function Int2Hex (line 15) | def Int2Hex(value,format): function Base32Encode (line 25) | def Base32Encode(tring,rt): function Base32Decode (line 50) | def Base32Decode(string): function Encode (line 75) | def Encode(tring): function Decode (line 94) | def Decode(string):
Condensed preview — 2 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (4K chars).
[
{
"path": "README.MD",
"chars": 132,
"preview": "cat test.input | python decode.py\n\nDGA domain names from https://github.com/bambenek/research/blob/main/sunburst/uniq-ho"
},
{
"path": "decode.py",
"chars": 3598,
"preview": "# -*- coding:utf-8 -*- \nimport sys,os\nimport random\nimport base64\nimport random\n''' \n# author = \"QiAnXin_RedDrip\"\n# twi"
}
]
About this extraction
This page contains the full source code of the RedDrip7/SunBurst_DGA_Decode GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 2 files (3.6 KB), approximately 1.5k tokens, and a symbol index with 5 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.