in nightMARE/src/nightmare/malware/ghostpulse/payload.py [0:0]
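def __extract_idat_blob(data, occur) -> bytes | None:
    """Reassemble and decrypt the payload hidden across tagged IDAT chunks.

    Args:
        data: Raw bytes of the carrier file; treated as untrusted input, so
            every read goes through ``utils.get_data`` with an explicit length.
        occur: Offsets in ``data`` at which an IDAT chunk starts. They are
            walked in the order given; chunks before the tagged one are skipped.

    Returns:
        The XOR-decrypted blob with its leading 16 bytes stripped, or ``None``
        when no chunk carries the expected ``TAG`` marker.
    """
    tag_found = False
    xor_key = None
    total_size = 0
    # Chunks are collected in a list and joined once; repeated ``bytes +=``
    # is quadratic on large samples.
    chunks: list[bytes] = []
    collected = 0  # running length of the ciphertext gathered so far

    for offset in occur:
        tag = cast.u32(utils.get_data(data, offset + TAG_OFFSET, 4))
        if tag == TAG:
            # The tagged chunk carries the XOR key and the total ciphertext
            # size; the low nibble of the size is masked off (16-byte granularity).
            xor_key = utils.get_data(data, offset + XOR_KEY_OFFSET_IDAT, 4)
            total_size = (
                cast.u32(utils.get_data(data, offset + TOTAL_SIZE_OFFSET, 4))
                & 0xFFFFFFF0
            )
            tag_found = True
        if not tag_found:
            # Nothing to collect until the tagged chunk has been seen.
            continue

        # The chunk length field is stored with its four bytes reversed
        # relative to how cast.u32 reads it, so swap them back.
        raw_len = cast.u32(utils.get_data(data, offset + CHUNK_SIZE_OFFSET, 4))
        chunk_size = int.from_bytes(
            (raw_len & 0xFFFFFFFF).to_bytes(4, "little"), "big"
        )
        # Clamp the last read to the declared total so a forged length field
        # cannot pull in bytes beyond the payload; the extra 16 bytes cover
        # the header block that is dropped before decryption.
        if collected + chunk_size >= total_size:
            chunk_size = total_size - collected + 16
        chunk = utils.get_data(data, offset + 4, chunk_size)
        chunks.append(chunk)
        collected += len(chunk)

    if not tag_found:
        return None
    encrypted_data = b"".join(chunks)
    # Drop the 16-byte leading block, then XOR the rest with the recovered key.
    return bits.xor(encrypted_data[16:], xor_key)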