MagedDecrypter

1. #This script decrypts .net executables encrypted by Maged Encrypter
2. #Decoder for some obfuscated njRat version
3. #Link:
4. import os,sys,time,hashlib,base64
5. from Crypto.Cipher import DES3
6. import base64
7.  
8.  
9.    
10. def XXcipherDecode3DESXX(encFile,outFile):
11.     fKeyText = "\x35\x00\x35\x00\x36\x00\x20\x00\x4d\x00\x41\x00\x47\x00\x45\x00\x44\x00\x4b\x00\x48\x00\x4f\x00\x41\x00\x47\x06\x2e\x06\x2b\x06\x35\x06\x2a\x06\x42\x06\x2b\x06\x35\x06\x47\x06\x4a\x00\x41\x00\x21\x00\x40\x00\x23\x00\x24\x00\x25\x00\x5e\x00\x33\x06\x4a\x06\x28\x06\x47\x06\x33\x06\x4a\x06\x2a\x06\x35\x06\x2b\x06\x26\x00"
12.    
13.  
14.     keyChars = fKeyText.decode('utf-16').encode("utf-8")
15.     m = hashlib.md5()
16.     m.update(keyChars)
17.     key = m.hexdigest()
18.     key_hex = key.decode('hex')
19.    
20.     cipher = DES3.new( key_hex, DES3.MODE_ECB)
21.     fIn = open(encFile,"rb")
22.     contentX = fIn.read()
23.     contextX_b64 = base64.b64decode(contentX)
24.     fIn.close()
25.    
26.     decryptedX = cipher.decrypt(contextX_b64)
27.    
28.     fOut = open(outFile,"wb")
29.     fOut.write(decryptedX)
30.     fOut.close()
31.     return 0
32.  
33.  
34.  
35. def main():
36.     if len(sys.argv)!=3:
37.         print "Usage: Decode_njRat_3Des.py input_with_base64_text.txt outputfile.exe"
38.         sys.exit(-1)
39.     else:
40.         retX = XXcipherDecode3DESXX(sys.argv[1],sys.argv[2])
41.         sys.exit(retX)
42.  
43. if __name__ == "__main__":
44.     main()