import os
import pefile
import re
import struct as s
from Crypto.Cipher import ARC4
import sys
import hexdump
import argparse


"""
__author__: @tccontre18 - Br3akp0int
date: 04.05.2024
description: a simple python script to extract the headless  wineloader code in dll side loaded dll in vcruntime140.dll
"""

def scan_wineloader_sideload(file_path):
    with open(file_path, 'rb') as file:
        data = file.read()

    byte_sequence = b"\x48\x83\xEC\x08\x48\x8D\x0D????????\x48\xC7\xC2\x28\x80\x00\x00\xE8????????\x48\x8D\x0D????????\x48\x8D\x05????????\x48\x89\x05????????\x48\xC7\x05????????????\x00\x00\x48\xC7\x05????????\x28\x80\x00\x00\xE8????\x00\x00\x48\x83\xC4\x08\xC3"

    # Convert byte sequence to regular expression pattern
    pattern = byte_sequence.hex().replace('3f', '.')

    # Search for the pattern
    match = re.search(pattern, data.hex())

    if match:
        offset = match.start() // 2               
        print(f"[+] Byte sequence found at offset {hex(offset)}")

    else:
        print(f"[+] Byte sequence not found in the file")

    return offset

def extract_struct_four_bytes_data(f, file_offset, num_of_byted_read=4):
    f.seek(file_offset, 0)
    result = s.unpack("<L", f.read(num_of_byted_read))[0]
    return result

def extract_struct_data(f, file_offset, num_of_byted_read):
    f.seek(file_offset, 0)
    result = f.read(num_of_byted_read)
    return result

def extract_wineloader(file_path):
    ENCRYPTED_SHELLCODE_LEN_INDX_ADDRS = 0xE
    PTR_INDX_OF_SHELLCODE_ADDR = 0x7
    SIZE_OF_YARA_PATTERN = 0x4c

    rule_file_ofs = scan_wineloader_sideload(file_path)
    with open(file_path, "rb") as f:
        enc_data_size_ofs = rule_file_ofs + ENCRYPTED_SHELLCODE_LEN_INDX_ADDRS
        encrypted_head_less_shellcode_size = extract_struct_four_bytes_data(f, enc_data_size_ofs, 4)
        print(f"[+] size of encrypted shellcode: {hex(encrypted_head_less_shellcode_size)}")
        
        va_ptr_of_shellcode_address = rule_file_ofs + PTR_INDX_OF_SHELLCODE_ADDR
        indx_addrs_of_shellcode = extract_struct_four_bytes_data(f, va_ptr_of_shellcode_address, 4)
        ofs_ptr_of_shellcode_address = rule_file_ofs + indx_addrs_of_shellcode + 0xb
        print(f"[+] filee offset of encrypted shellcode: {hex(ofs_ptr_of_shellcode_address)}")
    
        rc4_key_ptr = rule_file_ofs + SIZE_OF_YARA_PATTERN
        print(f"[+] ptr to rc4 key: {hex(rc4_key_ptr)}")
        rc4_key = extract_struct_data(f, rc4_key_ptr, 0x100)
        print("[+] Rc4 key:")
        hexdump.hexdump(rc4_key)

        enc_wine_loader = extract_struct_data(f, ofs_ptr_of_shellcode_address, encrypted_head_less_shellcode_size)

        cipher = ARC4.new(rc4_key)
        decrypted_data = cipher.decrypt(enc_wine_loader)
        with open("decrypted_wineloader.bin", "wb") as f:
            f.write(decrypted_data)
        print(f"[+] Decrypted WineLoader saved to decrypted_wineloader.bin")
        print(f"[+] Decrypted WineLoader headless Code first 0xC00 bytes:")
        hexdump.hexdump(decrypted_data[:0xc00])      

    return

def main():

    parser = argparse.ArgumentParser(description = "[@tccontre18 - Br3akp0int] a simple python script to extract the headless  wineloader code in dll side loaded dll in vcruntime140.dll")
    parser.add_argument('-f', '--wine-dll', dest="wine_dll_sideload", help="file path of the specially crafted vcruntime140.dll of wineloader campaign")
    args = parser.parse_args()

    if os.path.isfile(args.wine_dll_sideload):
        extract_wineloader(args.wine_dll_sideload)

    return


if __name__ == "__main__":
    main()