from Crypto.Cipher import AES
import zlib
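# Base62 alphabet used by the sample: digits, then upper-case, then lower-case.
BASE_ALPH = tuple("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
BASE_DICT = {c: v for v, c in enumerate(BASE_ALPH)}  # char -> digit value
BASE_LEN = len(BASE_ALPH)  # 62


def base62_decode(data: str) -> bytes:
    """Decode a Base62 string (alphabet 0-9, A-Z, a-z) into big-endian bytes.

    The whole string is read as a single base-62 integer, which is then
    serialised as the shortest big-endian byte string that represents it.
    Leading zero bytes of the original payload are therefore not recoverable
    from the text alone; the encoding itself does not preserve them.

    Args:
        data: Base62 text. An empty string decodes to ``b""``.

    Returns:
        The decoded bytes (``b""`` for an empty string or for the value 0).

    Raises:
        KeyError: if ``data`` contains a character outside ``BASE_ALPH``.
            Treat that as "not a valid message" when this is fed captured
            traffic.
    """
    if not data:
        return b""
    num = 0
    for char in data:
        num = num * BASE_LEN + BASE_DICT[char]
    # int.to_bytes replaces bytes.fromhex(hex(num)[2:]), which raised
    # ValueError whenever the hex string had an odd number of digits, i.e.
    # whenever the leading byte of the payload was < 0x10 -- roughly one in
    # sixteen otherwise-valid messages never reached the cipher.
    return num.to_bytes((num.bit_length() + 7) // 8, "big")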
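def decrypt_data(data: str, key: bytes, iv: bytes) -> str:
    """Decrypt one hostname-encoded message from the sample's traffic.

    Wire layout as this script understands it (see the example call at the
    bottom of the file): a dotted hostname whose labels, once the dots are
    removed, consist of 7 characters of metadata followed by
    ``Base62(AES-GCM ciphertext || 16-byte tag)``, with a fixed 9-character
    domain suffix (``.h4ck.cfd`` in the sample) on the end. The Base62 body
    is AES-GCM decrypted, the tag is verified before any plaintext is
    returned by the cipher, and the result is zlib-inflated and decoded as
    UTF-8.

    Args:
        data: The raw hostname string captured from the traffic.
        key: AES key recovered from the sample (32 bytes for this sample).
        iv: GCM nonce recovered from the sample (12 bytes for this sample).

    Returns:
        The decrypted, decompressed text, or the literal sentinel
        ``"Decryption failed"`` when the text is not valid Base62, the
        payload is too short to hold a tag, the GCM tag does not verify, or
        the plaintext is not a zlib stream / not UTF-8. A genuine plaintext
        equal to that sentinel is indistinguishable from a failure; wrap
        this function if that matters to you.
    """
    # Fixed layout offsets of the hostname (see docstring).
    suffix_len = 9   # ".h4ck.cfd"
    meta_len = 7     # leading metadata characters after dot removal
    tag_len = 16     # GCM authentication tag appended to the ciphertext

    body = data[:-suffix_len].replace('.', '')[meta_len:]
    try:
        blob = base62_decode(body)  # KeyError on non-alphabet characters
        if len(blob) < tag_len:
            # Nothing to verify; the original code fell through to a MAC
            # failure here, so the outcome is the same sentinel.
            return "Decryption failed"
        ciphertext, tag = blob[:-tag_len], blob[-tag_len:]
        # decrypt_and_verify raises ValueError on a tag mismatch, so the
        # decompress/decode steps below never see unauthenticated bytes.
        cipher = AES.new(key, AES.MODE_GCM, nonce=iv)
        plaintext = cipher.decrypt_and_verify(ciphertext, tag)
        return zlib.decompress(plaintext).decode()
    except (KeyError, ValueError, zlib.error):
        # KeyError: character outside the Base62 alphabet.
        # ValueError: bad key/nonce length, MAC check failed, or
        #             UnicodeDecodeError (a ValueError subclass).
        # zlib.error: authenticated plaintext is not a zlib stream.
        # All mean "not a message this decoder can read"; captured traffic
        # is attacker-controlled, so none of these should crash the tool.
        return "Decryption failed"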
# Key material hard-coded in the sample binary.
# Sample sha256: 2385b29489cd9e35f92c072780f903ae2e517ed422eae67246ae50a5cc738a0e
AES_KEY = b"gIdk8tzrHLOM)mPY-R)QgG[;yRXYCZFU"  # 32 bytes -> AES-256
AES_IV = b"?BVsNqL]S.Ni"  # 12 bytes -> standard GCM nonce size
# NOTE(review): if the sample really uses this fixed nonce for every message
# (only one message is shown here -- confirm against more captures), that is
# GCM nonce reuse on the malware's side: same keystream for every beacon.
# A weakness of the protocol under analysis, not of this decoder.
print(
    decrypt_data(
        "M.X.p.0300EP9Vvq1QffuOaGzQymfeRx5MoEZLV9HOWsxJnRXR1ja.h4ck.cfd",
        key=AES_KEY,
        iv=AES_IV,
    )
)
# expected output: "cwd/tmp"