in zloader/zloader.py [0:0]
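def decrypt_conf(self, p: ProcessMemory, addr: int) -> Config | bool:
    """Decrypt and parse a ZLoader configuration referenced from ``addr``.

    The structure at ``addr`` is read at two fixed offsets:
      ``+21``  uint32  pointer to the NUL-terminated RC4 key string
      ``+26``  uint32  pointer to the RC4-encrypted config blob

    The blob is read up to its first ``\\0\\0`` terminator, RC4-decrypted
    with the key and split on ``\\x00\\x00``; fields 1, 2 and 3 become the
    ``name``, ``campaign_id`` and ``urls`` entries (field 0 is not used).

    Args:
        p: Process memory the pointers and blob are read from.
        addr: Address of the structure holding the key and data pointers.

    Returns:
        ``{"family": <family>, <family>: {...}}``. The inner dict is left
        empty when either pointer is zero; ``False`` is returned when the
        blob cannot be read, decrypted or parsed.
    """
    conf: Config = {"family": self.family, self.family: {}}
    try:
        key_addr = p.uint32v(addr + 21)
        if not key_addr:
            return conf
        key = p.asciiz(key_addr)
        data_offset = p.uint32v(addr + 26)
        if not data_offset:
            return conf
        # The blob carries no length; a double NUL terminates it.
        config_encrypted = p.readv(addr=data_offset).split(b"\0\0")[0]
        config_raw = rc4(key, config_encrypted)
        # Drop empty fields, then the NUL padding around the surviving ones.
        config_items = [
            item.strip(b"\x00")
            for item in config_raw.split(b"\x00\x00")
            if item
        ]
        if len(config_items) < 4:
            # Too few fields most likely means a wrong key or an unexpected
            # layout; report it explicitly instead of via an IndexError.
            log.warning(
                "zloader config: expected at least 4 fields, got %d",
                len(config_items),
            )
            return False
        conf[self.family]["name"] = config_items[1].decode("utf-8")
        conf[self.family]["campaign_id"] = config_items[2].decode("utf-8")
        conf[self.family]["urls"] = [config_items[3].decode("utf-8")]
    except Exception as error:
        # Best-effort extractor: a malformed or partially dumped config must
        # not abort the analysis, so log the cause and signal failure.
        log.warning("zloader config decryption failed at 0x%x: %s", addr, error)
        return False
    return conf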