in phoreal/phoreal.py [0:0]
def PHOREAL_RC4_key(self, p: ProcessMemory, addr: int):
from malduck import rc4
key_size = 17 # apparently hardcoded in phoreal
key_addr = addr + 6 # offset from start of string
ct_addr = key_addr + 17
max_size = 200
key = bytearray()
ct = bytearray()
logger.info("[+] Found RC4 passphrase @ %X" % key_addr)
for offset in range(0, key_size):
o = p.uint8v(key_addr + offset)
if o:
key.append(o)
logger.info("[+] RC4 passphrase: " + key.hex())
nc = 0 # null counter
for offset in range(0, max_size):
o = p.uint8v(ct_addr + offset)
if o:
ct.append(o)
if o == 0:
nc += 1
else:
nc = 0
if nc == 2:
break
logger.info("[+] RC4 cyphertext: " + ct.hex())
rc4_decode = rc4(key, ct)
logger.info("[+] RC4 decrypted plaintext: %s" % str(rc4_decode))
domains = str(rc4_decode).split(";")
domains[0] = domains[0].split("'")[1]
del domains[-1]
conf = {
"rc4_key": key.hex(),
self.family: {"plaintext": str(rc4_decode), "domains": domains},
}
return conf