[
  {
    "path": "README.MD",
    "content": "cat test.input | python decode.py\n\nReads one DGA domain name per line from stdin and prints each input line followed by a comma and its decoded value; lines it cannot decode are skipped. Requires Python 2 (decode.py uses the print statement and integer division).\n\nDGA domain names from https://github.com/bambenek/research/blob/main/sunburst/uniq-hostnames.txt\n"
  },
  {
    "path": "decode.py",
    "content": "# -*- coding:utf-8 -*- \nimport sys,os\nimport random\nimport base64\nimport random\n'''  \n# author = \"QiAnXin_RedDrip\"\n# twitter = @RedDrip7\n# create_date = \"2020-12-15\"\n# update_date = \"2020-12-16\"\n# Thanks QiAnXin CERT for the discovery of decodeable DGA domains\n# https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug\n'''\n\ndef Int2Hex(value,format):\n\t#format 可以是2/4/8\n\thexStr = \"\"\n\thexStr = hex(value)\n\tif(len(hexStr) != format+2):\n\t\tzero = format+2 - len(hexStr)\n\t\tfor i in range(zero):\n\t\t\thexStr = hexStr[:2] + '0' + hexStr[2:]\n\treturn hexStr[2:]\n\ndef Base32Encode(tring,rt):\n\ttext = \"ph2eifo3n5utg1j8d94qrvbmk0sal76c\"\n\ttext2 = \"\"\n\tnum = 0\n\tib = 0;\n\tfor i in range(len(tring)):\n\t\tiint = tring[i]\n\t\tb = \"0x\" + Int2Hex(ord(iint),2)\n\t\tnum |= (int(b,16) << ib)\n\t\tib+=8\n\t\twhile (ib >= 5):\n\t\t\ttext2 += text[num & 31]\n\t\t\tnum >>= 5  #将高位的部分右移\n\t\t\tib -= 5\n\t\t\tpass\n\t\tpass\n\n\tif (ib > 0):\n\t\tif (rt):\n\t\t\tpass\n\t\ttext2 += text[(num & 31)]\n\t\tpass\n\n\treturn text2; \n\ndef Base32Decode(string):\n\ttext = \"ph2eifo3n5utg1j8d94qrvbmk0sal76c\"\n\trestring = \"\"\n\tdatalen = len(string) / 8 * 5\n\tnum = 0\n\tib = 0;\n\tif len(string) < 3:\n\t\trestring = chr(text.find(string[0]) | text.find(string[1]) << 5 & 255)\n\t\treturn restring\n\t\n\tk = text.find(string[0]) | (text.find(string[1]) << 5)\n\tj = 10\n\tindex = 2\n\tfor i in range(datalen):\n\t\trestring += chr(k & 255)\n\t\tk = k >> 8\n\t\tj -= 8\n\t\twhile( j < 8 and index < len(string)):\n\t\t\tk |= (text.find(string[index]) << j)\n\t\t\tindex += 1\n\t\t\tj += 5\n\n\treturn restring\n\n'''OrionImprovementBusinessLayer.CryptoHelper.Base64Decode'''\ndef Encode(tring):\n\ttext = \"rq3gsalt6u1iyfzop572d49bnx8cvmkewhj\"\n\ttext2 = \"0_-.\"\n\ttext3 = \"\"\n\t#print random.randint()\n\tfor i in range(len(tring)):\n\t\tch = tring[i]\n\t\ttx_index = -1\n\t\ttx2_index = -1\n\t\tif ch in text2:\n\t\t\ttx2_index = 
text2.find(ch)\n\t\t\ttext3 = text3 + text2[0] + text[tx2_index + (random.randint(0,8) % (len(text) / len(text2))) * len(text2)]\n\t\telse:\n\t\t\ttx_index = text.find(ch)\n\t\t\ttext3 = text3+text[(tx_index + 4) % len(text)]\n\n\treturn text3\n\n'''OrionImprovementBusinessLayer.CryptoHelper.Base64Decode-decode'''\ndef Decode(string):\n\ttext = \"rq3gsalt6u1iyfzop572d49bnx8cvmkewhj\"\n\ttext2 = \"0_-.\"\n\tretstring = \"\"\n\tflag = False\n\tfor i in range(len(string)):\n\t\tch = string[i]\n\t\ttx_index = -1\n\t\ttx2_index = -1\n\t\tif flag:\n\t\t\tt1i = text.find(ch)\n\t\t\tx = t1i - ((random.randint(0,8) % (len(text) / len(text2))) * len(text2))\n\t\t\tretstring = retstring+text2[x % len(text2)]\n\t\t\tflag = False\n\t\t\tcontinue\n\t\tif ch in text2:\n\t\t\ttx2_index = text2.find(ch)\n\t\t\tflag = True\n\t\t\tpass\n\t\telse:\n\t\t\ttx_index = text.find(ch)\n\t\t\toindex = tx_index - 4\n\t\t\tretstring = retstring+text[oindex % len(text)]\n\n\t\tpass\n\treturn retstring\n\n#print Encode(\"qingmei-inc.com\")\n#print Decode(\"aovthro08ove0ge2h\")\n#print Base32Decode(\"9tslbqv1ftss4r01eqtobmv1\")\n\n'''\n  1fik67gkncg86q6daovthro0love0oe2.appsync-api.us-west-2.avsvmcloud.com\n  this.guid  --> 1fik67gkncg86q6\n  单个字符：  d\n  域： qingmei-inc.com   --- > aovthro0love0oe2h  但是由于取的是this.dnStrLower而不是this.dnStr，会吞掉一部分字符,所以最终\"h\"被吞掉了\n'''\n\n#在有域的主机中，走GetPreviousString()模式, 拼接方式： CreateSecureString(this.guid, true) + 一个字符 + this.dnStrLower + \".appsync-api.us-west-2.avsvmcloud.com\"\nfor line in sys.stdin:\n\tdata = line.rstrip().split(\".\")[0]\n\tif len(data) < 16:\n\t\tcontinue\n\tstring = data[16:] #前十六字节： this.guid + 一个字符\n\tif \"0\" not in string:  #如果没有0，说明不是OrionImprovementBusinessLayer.CryptoHelper.Base64Encode和OrionImprovementBusinessLayer.CryptoHelper.Base64Decode，暂时解不开\n\t\tcontinue\n\ttry:\n\t\tif \"00\" in string:\n\t\t\tstring = string[2:]\n\t\t\tcomp = Base32Decode(string)\n\t\telse:\n\t\t\tcomp = Decode(string)\n\n\t\tprint \"%s,%s\" % 
(line.rstrip(),comp)\n\texcept:\n\t\tpass\n"
  }
]