Skip to content

README.md

Latest commit

 

History

History
41 lines (27 loc) · 1.22 KB

README.md

File metadata and controls

41 lines (27 loc) · 1.22 KB

deGremlin

A tool to decrypt and patch strings obfuscated with Appfuscator. Tested on Gremlin Stealer.

Clown

USAGE


       __          ______                              __    _
      |  ]       .' ___  |                            [  |  (_)
  .--.| | .---. / .'   \_| _ .--.  .---.  _ .--..--.   | |  __   _ .--.
/ /'`\' |/ /__\\| |   ____[ `/'`\]/ /__\\[ `.-. .-. |  | | [  | [ `.-. |
| \__/  || \__.,\ `.___]  || |    | \__., | | | | | |  | |  | |  | | | |
 '.__.;__]'.__.' `._____.'[___]    '.__.'[___||__||__][___][___][___||__]
                                                                        P.S: little bit Appfuscator

Usage:
degremlin.exe [filepath] [method_token_in_hex]

Example

This is from the Gremlin Stealer sample ( https://bazaar.abuse.ch/sample/d21c8a005125a27c49343e7b5b612fc51160b6ae9eefa0a0620f67fa4d0a30f6/ )

IT DOES

  • Patch most obfuscated strings
  • Simplify Addition, Subtraction, Multiplication and XOR mixed boolean arithmetic
  • Eliminate sizeof's
  • Eliminate EmptyType

TO-DO

  • Patch terneary operator
  • Replace variables by their values
  • Cover more patterns