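#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# DaRK DDoSer >= 5.1 (and maybe under) config extractor.
# Original Python 2 version by aaSSfxxx (BeerWare licence), xorstr
# one-liner by j0rn; ported to Python 3 and restructured here.
#
# Requires the pefile library: http://code.google.com/p/pefile/
# (or your distribution's package).
#
# Usage: python3 <this script> <sample>

import sys

# ============ Crypto routines ===============

# Final XOR layer applied to every field (the mutex gets only this layer).
_XOR_CONST = 0xBC
# Key the sample uses for every keyed field; a literal in the original script.
_DEFAULT_KEY = "darkddoser"
# Separator between the fields inside the RCDATA blob.
_SEPARATOR = b"[{#}]"
# Field labels in blob order; the bool says whether the field is decoded with
# crypto() (True) or only with xorstr() (False, the mutex).
_FIELDS = (
    ("Hostname", True),
    ("Port", True),
    ("Bot name", True),
    ("Connect interval to the server", True),
    ("Mutex", False),
    ("Registry persistance", True),
    ("Startup key (if enabled)", True),
    ("Startup value", True),
    ("Version", True),
    ("Use persistance", True),
)


def _as_bytes(value):
    """Return *value* as bytes.

    A str is mapped one char -> one byte via latin-1, which reproduces the
    Python 2 "str is bytes" semantics the routines were written for.
    """
    if isinstance(value, str):
        return value.encode("latin-1")
    return bytes(value)


def xorstr(s):
    """XOR every byte of *s* with 0xBC.

    Args:
        s: bytes-like object, or str (taken as latin-1).
    Returns:
        bytes of the same length as the input (b"" for empty input).
    """
    return bytes(byte ^ _XOR_CONST for byte in _as_bytes(s))


def crypto(key, data):
    """Decode one keyed config field (the routine is its own inverse).

    A running state is advanced once per key byte for every data byte
    (``state = (state + k) ^ 9``); bits 3..10 of the state form the key
    byte XORed onto that position. The keystream does not depend on the
    data, so applying crypto() twice with the same key restores the input.
    The result is finally passed through xorstr().

    Args:
        key: str or bytes-like key (the sample uses "darkddoser").
        data: bytes-like object or str field contents.
    Returns:
        bytes; empty input yields b"".
    """
    key_bytes = _as_bytes(key)
    state = 0
    out = bytearray()
    for c in _as_bytes(data):
        for k in key_bytes:
            state = (state + k) ^ 9
        # `>>` binds tighter than `&`: this is (state >> 3) & 0xFF.
        out.append(c ^ ((state >> 3) & 0xFF))
    return xorstr(bytes(out))


# =========== Extraction ============


def _render(value):
    """Render a decoded field for the terminal.

    Bytes outside printable ASCII are shown as \\xNN, so sample-controlled
    contents cannot emit control or escape sequences into the analyst's
    terminal.
    """
    return "".join(
        chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in value
    )


def _find_config_blob(pe, rcdata_type):
    """Return the raw "BUBZ" RCDATA resource of *pe*, or None when absent.

    Args:
        pe: a parsed pefile.PE object.
        rcdata_type: the numeric resource type id for RT_RCDATA.
    """
    # Samples without a resource directory have no such attribute at all.
    resource_dir = getattr(pe, "DIRECTORY_ENTRY_RESOURCE", None)
    if resource_dir is None:
        return None
    for type_entry in resource_dir.entries:
        if type_entry.id != rcdata_type:
            continue
        for entry in type_entry.directory.entries:
            if str(entry.name) != "BUBZ":
                continue
            leaf = entry.directory.entries[0].data.struct
            image = pe.get_memory_mapped_image()
            # Slicing is bounds-safe even if OffsetToData/Size are bogus.
            return image[leaf.OffsetToData:leaf.OffsetToData + leaf.Size]
    return None


def main(argv=None):
    """Print the decoded DaRK DDoSer config of the sample named in argv[1].

    Args:
        argv: argument vector; defaults to sys.argv.
    Returns:
        Process exit status: 0 on success, 1 on usage, parse or lookup failure.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) != 2:
        print("Usage: %s <sample>" % argv[0], file=sys.stderr)
        return 1
    # Deferred import: the crypto helpers above stay importable (for tests or
    # reuse in another extractor) on a machine without pefile installed.
    import pefile

    try:
        pe = pefile.PE(argv[1])
    except (OSError, pefile.PEFormatError) as exc:
        print("[-] Cannot parse %s: %s" % (argv[1], exc), file=sys.stderr)
        return 1
    blob = _find_config_blob(pe, pefile.RESOURCE_TYPE["RT_RCDATA"])
    if blob is None:
        print("[-] No DaRK DDoSer 'BUBZ' RCDATA resource found",
              file=sys.stderr)
        return 1
    print("[+] DaRK DDoSer resources found")
    tokens = blob.split(_SEPARATOR)
    if len(tokens) < len(_FIELDS):
        # A truncated or variant blob used to crash with IndexError; report
        # the shortfall and print whatever fields are present.
        print("[!] Expected %d fields, found %d; printing what is present"
              % (len(_FIELDS), len(tokens)), file=sys.stderr)
    for (label, keyed), token in zip(_FIELDS, tokens):
        value = crypto(_DEFAULT_KEY, token) if keyed else xorstr(token)
        print("%s: %s" % (label, _render(value)))
    return 0


if __name__ == "__main__":
    sys.exit(main())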
aaSSfxxx