Malware Analysis
[RAT] ROKRAT 악성코드 문자열 복호화 파이썬 스크립트
7un4
2025. 1. 15. 12:38
복호화 스크립트
import struct
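def sub_40E716(a1: list[int]) -> str:
    """Decode one obfuscated string, mirroring the sample's ``sub_40E716``.

    The encoded blob is supplied as the 32-bit constants seen in the
    disassembly. They are re-serialised little-endian and then treated as a
    sequence of 16-bit units: the low byte of unit 0 is the key, and the low
    byte of every following unit is one encoded character.

    Args:
        a1: Encoded string as a list of unsigned 32-bit integers.

    Returns:
        The decoded text, one character per 16-bit unit after the key.
        An empty string if there is no key unit to read.

    Raises:
        struct.error: If a value in ``a1`` does not fit in an unsigned
            32-bit integer.
    """
    a1_bytes = struct.pack(f"<{len(a1)}I", *a1)

    # Drop a single trailing 16-bit zero unit (the wide-string terminator).
    # NOTE(review): only one unit is removed; if the final dword is all
    # zero padding, the remaining zero unit is decoded as a junk character.
    if a1_bytes.endswith(b'\x00\x00'):
        a1_bytes = a1_bytes[:-2]

    # Nothing left to read a key from (empty input or a lone terminator).
    if not a1_bytes:
        return ""

    key = a1_bytes[0]

    # Indexing bytes yields an int directly; this avoids int.from_bytes()
    # without a byteorder, which raises TypeError before Python 3.11.
    # 0x800 is a multiple of 256, so after the & 0xFF mask it does not
    # change the result; it is kept to match the disassembled arithmetic.
    # Only the low byte of each unit is used, so characters above U+00FF
    # cannot be recovered by this port.
    return "".join(
        chr((a1_bytes[i] - key - 0x800) & 0xFF)
        for i in range(2, len(a1_bytes), 2)
    )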
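def sub_40E6D3(a1: list[int]) -> str:
    """Decode one obfuscated string, mirroring the sample's ``sub_40E6D3``.

    The encoded blob is supplied as the 32-bit constants seen in the
    disassembly. They are re-serialised little-endian and then treated as a
    sequence of 16-bit units: the low byte of unit 0 is the key, and the low
    byte of every following unit is one encoded character. Each character is
    recovered by subtracting the key modulo 256.

    Args:
        a1: Encoded string as a list of unsigned 32-bit integers.

    Returns:
        The decoded text, one character per 16-bit unit after the key.
        An empty string if there is no key unit to read.

    Raises:
        struct.error: If a value in ``a1`` does not fit in an unsigned
            32-bit integer.
    """
    a1_bytes = struct.pack(f"<{len(a1)}I", *a1)

    # Drop a single trailing 16-bit zero unit (the wide-string terminator).
    # NOTE(review): only one unit is removed; if the final dword is all
    # zero padding, the remaining zero unit is decoded as a junk character.
    if a1_bytes.endswith(b'\x00\x00'):
        a1_bytes = a1_bytes[:-2]

    # Nothing left to read a key from (empty input or a lone terminator).
    if not a1_bytes:
        return ""

    key = a1_bytes[0]

    # Indexing bytes yields an int directly; this avoids int.from_bytes()
    # without a byteorder, which raises TypeError before Python 3.11.
    # Only the low byte of each unit is used, so characters above U+00FF
    # cannot be recovered by this port.
    return "".join(
        chr((a1_bytes[i] - key) & 0xFF)
        for i in range(2, len(a1_bytes), 2)
    )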
분석 대상 ROKRAT SHA-256: bb83597cdf057db754def79d3f94b6cf8837b358178e10e4cc792da56a7523b3