Permalink
Cannot retrieve contributors at this time
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
75 lines (62 sloc)
1.87 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import pprint | |
| import hashlib | |
| from mlib.crypto import aes | |
| from mlib.struct import Structure | |
| cfg_struct_old = Structure.from_cstruct(''' | |
| typedef struct { | |
| DWORD sample_id; | |
| char c2_domain[260]; | |
| char param_name_cid[64]; | |
| char param_name_size[64]; | |
| char param_name_zero[128]; | |
| uint8_t comm_key_1[32]; | |
| uint8_t comm_key_2[32]; | |
| } cfg_struct; | |
| ''') | |
| cfg_struct_new = Structure.from_cstruct(''' | |
| typedef struct { | |
| DWORD sample_id; | |
| char c2_domain[512]; | |
| char param_name_cid[64]; | |
| char param_name_size[64]; | |
| char param_name_zero[128]; | |
| uint8_t comm_key_1[32]; | |
| uint8_t comm_key_2[32]; | |
| } cfg_struct; | |
| ''') | |
| blob_hdr = Structure.from_cstruct(''' | |
| typedef struct { | |
| DWORD random; | |
| DWORD is_compressed; | |
| DWORD size; | |
| DWORD size2; | |
| DWORD padded_size; | |
| BYTE decoded_hash[16]; | |
| DWORD unk_1[4]; | |
| BYTE data_hash[16]; | |
| DWORD unk_2[4]; | |
| } blob_hdr;; | |
| ''') | |
| with open(sys.argv[1],'rb') as f: | |
| d = f.read() | |
| key = hashlib.md5(sys.argv[2]).digest() | |
| off = d.find("\x44\x03\x00\x00\x50\x03\x00\x00") | |
| cfg_struct = cfg_struct_new | |
| if off == -1: | |
| off = d.find("\x48\x02\x00\x00\x50\x02\x00\x00") | |
| cfg_struct = cfg_struct_old | |
| off -= 12 | |
| hdr = d[off:off+0x54] | |
| hdr = blob_hdr.parse(hdr).as_dict() | |
| data = d[off+0x54:off+0x54+hdr['padded_size']] | |
| hdr['decoded_hash'] = bytearray(hdr['decoded_hash']).__str__().encode('hex') | |
| hdr['data_hash'] = bytearray(hdr['data_hash']).__str__().encode('hex') | |
| print('DATA HASH matches: {}'.format(hashlib.md5(data).hexdigest() == hdr['data_hash'])) | |
| cfg_data = aes.decrypt(data, key, 'cbc', None, "\x00"*16)[:hdr['size']] | |
| cfg = cfg_struct.parse(cfg_data).as_dict() | |
| cfg['comm_key_1'] = bytearray(cfg['comm_key_1']).__str__().encode('hex') | |
| cfg['comm_key_2'] = bytearray(cfg['comm_key_2']).__str__().encode('hex') | |
| print('DECODED HASH matches: {}'.format(hashlib.md5(cfg_data).hexdigest() == hdr['decoded_hash'])) | |
| pprint.pprint(hdr) | |
| pprint.pprint(cfg) |