All-in-one (aio) helper for the CVE-2012-0779 payload: decode/encode the `info=` blob, patch a new one into a sample, and dump the XOR-masked executable it carries.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
gen_info.py
Decode, encode, patch and inspect the ``info=`` blob and embedded executable of a CVE-2012-0779 sample (Python 2; str is treated as a byte string throughout).
"""
__author__ = 'Binjo'
__version__ = '0.1'
__date__ = '2012-05-08 07:18:29'
import os, sys
import zlib, binascii, struct
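# 8-byte marker that precedes the (exe_offset, exe_size) pair inside a sample.
_EXE_TAG = '\x93\x78\x10\x21\x1B\x7E\xD0\xAC'

# UTF-16LE "info=" as it appears inside the sample.
_INFO_MARKER = 'i\x00n\x00f\x00o\x00=\x00'


def _decode_info(hexstr):
    """Decode an ``info=`` value: hex -> XOR-unmask -> zlib-inflate.

    The single-byte XOR key is recovered from the first byte: once unmasked it
    must be 0x78 (the zlib CMF byte for deflate with a 32K window), so the key
    is ``first_byte ^ 0x78``.  An unmasked stream therefore decodes with key 0.

    Exits with a message when the hex string is empty; ``binascii.Error`` /
    ``zlib.error`` propagate for malformed input.
    """
    blob = binascii.a2b_hex(hexstr)
    if not blob:
        sys.exit('[-] empty info blob...')
    key = ord(blob[0]) ^ 0x78
    return zlib.decompress(''.join(chr(ord(x) ^ key) for x in blob))


def _encode_info(info):
    """Encode *info* the way the sample expects: zlib-deflate, then hex.

    No XOR mask is applied (the encoded stream starts with the plain 0x78
    CMF byte, which ``_decode_info`` handles as key 0).
    """
    return binascii.b2a_hex(zlib.compress(info))


def _modify(info, fname):
    """Replace the ``info=`` value inside *fname*, writing ``x_<fname>``.

    The sample stores the query string as UTF-16LE, so the new hex value is
    written one ASCII character followed by a NUL per digit.  Everything up to
    and including the ``info=`` marker and everything from the next ``&`` on is
    copied verbatim.  Exits with a message if either delimiter is missing
    (the original silently produced a truncated file when ``&`` was absent).
    """
    with open(fname, 'rb') as src:
        ctn = src.read()
    pos = ctn.find(_INFO_MARKER)
    if pos == -1:
        sys.exit('shit happen..')
    value_start = pos + len(_INFO_MARKER)
    value_end = ctn.find('&\x00', value_start)
    if value_end == -1:
        sys.exit('[-] end of info= value (&) not found...')
    xinfo = _encode_info(info)
    # Output path is derived verbatim from operator input, as before.
    with open('x_' + fname, 'wb') as dst:
        dst.write(ctn[:value_start])
        dst.write(''.join(c + '\x00' for c in xinfo))
        dst.write(ctn[value_end:])
    print("done...")


def _extract_url(ctn, start):
    """Return the UTF-16LE URL beginning at *start*, read up to the first '%'.

    NUL bytes (the high byte of each UTF-16LE code unit) are dropped.  Exits
    with a message if no '%' terminator is found before the end of the buffer
    (the original raised IndexError here).
    """
    chars = []
    i, end = start, len(ctn)
    while i < end and ctn[i] != '%':
        if ctn[i] != '\x00':
            chars.append(ctn[i])
        i += 1
    if i >= end:
        sys.exit('[-] url terminator (%) not found...')
    return ''.join(chars)


def _query_param(url, name):
    """Return the value of ``name=`` in *url* up to the next '&' (or end), or None."""
    marker = name + '='
    pos = url.find(marker)
    if pos == -1:
        return None
    return url[pos + len(marker):].split('&', 1)[0]


def _inspect(fname):
    """Print the C2 URL and decoded ``info`` of *fname* and dump its executable.

    Layout as read by this function:
      * a ``ScriptBridge`` tag, followed by a UTF-16LE ``http...`` URL;
      * the URL's ``infosize=`` value is a hex 32-bit number with its byte
        order reversed; despite the name it is used as a file *offset*;
      * at that offset: 8-byte ``_EXE_TAG``, then ``exe_off`` and ``exe_size``
        (native-order 32-bit, as in the original);
      * the executable is XOR-masked with a single byte; NUL bytes and bytes
        equal to the key are passed through unchanged.  The key is derived
        from the first byte, presumably the 'M' (0x4d) of an MZ header.

    A tag mismatch is reported but does not abort (best-effort, as before);
    offsets that fall outside the file now abort with a message instead of
    raising IndexError/struct.error, and a size that runs past the end is
    reported before dumping whatever is available.

    The dropped file is live malware from the sample; run this in an
    isolated analysis environment.  *fname* is operator input and is used
    verbatim to build the output directory ``dropped/<fname>``.
    """
    with open(fname, 'rb') as src:
        ctn = src.read()
    pos = ctn.find('ScriptBridge')
    if pos == -1:
        sys.exit('[-] ScriptBridge tag not found...')
    sop = ctn.find('h\x00t\x00t\x00p\x00', pos)
    if sop == -1:
        sys.exit('[-] url not found...')
    url = _extract_url(ctn, sop)
    print("[+] url = " + url)

    info = _query_param(url, 'info')
    if info is None:
        sys.exit('[-] info= parameter not found...')
    # Unlike the original, a masked info blob is unmasked first (key 0 for
    # an unmasked one, so plain streams decode exactly as before).
    print(_decode_info(info))

    raw_size = _query_param(url, 'infosize')
    if raw_size is None:
        sys.exit('[-] infosize= parameter not found...')
    # Byte-swap the 32-bit value: pack little-endian, unpack big-endian.
    hdr_off = struct.unpack('>I', struct.pack('<I', int(raw_size, 16)))[0]
    if hdr_off + 16 > len(ctn):
        sys.exit('[-] infosize offset 0x%08x is past end of file...' % hdr_off)

    tag, exe_off, exe_size = struct.unpack('8sII', ctn[hdr_off:hdr_off + 16])
    if tag != _EXE_TAG:
        print("[-] exe tag not found...")
    if exe_off >= len(ctn):
        sys.exit('[-] exe offset 0x%08x is past end of file...' % exe_off)
    if exe_off + exe_size > len(ctn):
        print("[-] exe size 0x%08x runs past end of file, dumping what is present..." % exe_size)

    blob = ctn[exe_off:exe_off + exe_size]
    key = ord(ctn[exe_off]) ^ 0x4d
    drop_dir = os.path.join('dropped', fname)
    if not os.path.isdir(drop_dir):
        os.makedirs(drop_dir)
    # The '.exe_' suffix presumably keeps the dump from being run by accident.
    ename = os.path.join(drop_dir, 'xxx.exe_')
    decoded = []
    for c in blob:
        if c == '\x00' or ord(c) == key:
            decoded.append(c)
        else:
            decoded.append(chr(ord(c) ^ key))
    with open(ename, 'wb') as dst:
        dst.write(''.join(decoded))
    print("[+] exe = (%08x), %s" % (exe_size, ename))


def main():
    """Command-line entry point.

    Usage (mode is chosen by argument count and flag, as in the original):
      gen_info.py <info>            encode: zlib + hex, printed to stdout
      gen_info.py -d <hex>          decode: hex -> XOR-unmask -> inflate
      gen_info.py -m <info> <file>  patch <file>'s info= value into x_<file>
      gen_info.py -i <file>         print URL/info and dump the executable

    Unrecognised arguments now print a usage line and exit non-zero instead
    of doing nothing.
    """
    argv = sys.argv
    if len(argv) == 3 and argv[1] == '-d':
        print(_decode_info(argv[2]))
    elif len(argv) == 2:
        print(_encode_info(argv[1]))
    elif len(argv) == 4 and argv[1] == '-m':
        _modify(argv[2], argv[3])
    elif len(argv) == 3 and argv[1] == '-i':
        _inspect(argv[2])
    else:
        sys.exit('usage: %s <info> | -d <hex> | -m <info> <file> | -i <file>'
                 % os.path.basename(argv[0]))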
#-------------------------------------------------------------------------------
# Script entry point: main() returns None, so the process exits with status 0
# unless one of the sys.exit() calls inside fires first.
if __name__ == '__main__':
    sys.exit(main())
#-------------------------------------------------------------------------------
# EOF