From 1480f43b6f5ed9e00353dab4330bde0eac20141f Mon Sep 17 00:00:00 2001
From: wesdawg <5124946+wesdawg@users.noreply.github.com>
Date: Mon, 5 Feb 2018 10:29:07 -0500
Subject: [PATCH] Create decrypt_darkshell.py

Close #1
---
decrypt_darkshell.py | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 decrypt_darkshell.py

diff --git a/decrypt_darkshell.py b/decrypt_darkshell.py
new file mode 100644
index 0000000..28a0260
--- /dev/null
+++ b/decrypt_darkshell.py
@@ -0,0 +1,16 @@
+def decrypt_darkshell(cipherbytes, start_idx=0x04, stop_idx=0xA8):
+ """
+ De-obfuscates Darkshell comms encoded using the following method:
+ cipherbyte = 0xDE - [plainbyte - (plainbyte & 0x10) << 1]
+ The obfuscation is reversed as follows:
+ intermediate = 0xDE - cipherbyte
+ plainbyte = intermediate + (intermediate & 0x10) << 1
+ """
+ len_mesg = len(cipherbytes)
+ if len_mesg != 260:
+ raise RuntimeError("Darkshell bot-to-CnC comms are always 260 bytes")
+ plainbytes = []
+ for cipherbyte in cipherbytes[start_idx:stop_idx]:
+ intermediate= 0xDE - ord(cipherbyte)
+ plainbytes += [chr(intermediate + ((intermediate & 0x10) << 1))]
+ return cipherbytes[:start_idx] + ''.join(plainbytes) + cipherbytes[stop_idx:]
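Review bot: In the decode loop, a cipher byte in the range 0xEF–0xFF drives the `chr()` argument negative (0xFF gives intermediate = -33 and a sum of -1), so one stray byte in a capture aborts the whole decode with a bare `ValueError` that does not say which offset was bad. If the bot does this arithmetic in 8-bit registers (not visible here, to be confirmed against the sample), masking matches it: `plainbytes += [chr((intermediate + ((intermediate & 0x10) << 1)) & 0xFF)]`; otherwise raise an error that names the offset and byte value. The docstring formulas also read differently from the code under Python precedence, because `+` binds tighter than `<<`; write them as `plainbyte = intermediate + ((intermediate & 0x10) << 1)`. `ord(cipherbyte)` and `''.join(...)` assume a Python 2 `str`; on Python 3 a `bytes` argument fails at `ord()`, which is worth stating in the docstring.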